# Tables: (2) table { 2001:5c0:0:2::24 , 3ffe:1200:2000::/36 , 3ffe:1200:2001:1:8000::1 } table { 2001:5c0:0:2::24 , 3ffe:1200:2001:1:8000::1 } # Policy compiler errors and warnings: # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it # firewall-ipv6-1:Policy:3: warning: Changing rule direction due to self reference # firewall-ipv6-1:Policy:6: warning: Changing rule direction due to self reference # firewall-ipv6-1:Policy:7: warning: Changing rule direction due to self reference # # Rule 0 (lo) pass quick on lo inet6 from any to any keep state label "RULE 0 -- ACCEPT " # # Rule 1 (global) # this rule shadows the next. # Note that we add command line # flag -xt to the compiler pass quick inet6 proto tcp from fe80::/64 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 1 -- ACCEPT " # # Rule 2 (global) # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:2: error: Rule '2 (global)' shadows rule '7 (global)' below it pass quick inet6 proto tcp from 2001:5c0:0:2::24 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 2 -- ACCEPT " # # Rule 3 (global) # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '4 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '5 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '6 (global)' below it # firewall-ipv6-1:Policy:3: error: Rule '3 (global)' shadows rule '7 (global)' below it # firewall-ipv6-1:Policy:3: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from 3ffe:1200:2001:1:8000::1 to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 3 -- ACCEPT " # # Rule 4 (global) # firewall-ipv6-1:Policy:4: error: Rule '4 (global)' shadows rule '6 (global)' below it pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 4 -- ACCEPT " # # Rule 5 (global) pass log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 5 -- ACCEPT " # # Rule 6 (global) # firewall-ipv6-1:Policy:6: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 6 -- ACCEPT " # # Rule 7 (global) # firewall-ipv6-1:Policy:7: warning: Changing rule direction due to self reference pass in log quick inet6 proto tcp from to fe80::21d:9ff:fe8b:8e94 port 22 keep state label "RULE 7 -- ACCEPT " # # Rule 8 (global) pass in log quick inet6 from any to fe80::21d:9ff:fe8b:8e94 keep state label "RULE 8 -- ACCEPT " # # Rule 9 (global) pass log quick inet6 from fe80::/64 to any keep state label "RULE 9 -- ACCEPT " # # Rule 10 (global) # firewall-ipv6-1:Policy:10: error: Rule '10 (global)' shadows rule '11 (global)' below it pass log quick inet6 from to any keep state label "RULE 10 -- ACCEPT " # # Rule 11 (global) pass log quick inet6 from to any keep state label "RULE 11 -- ACCEPT " # # Rule fallback rule # fallback rule block quick inet6 from any to any label "RULE 10000 -- DROP " load anchor Policy_ipv4 from "/etc/firewall-ipv6-1-Policy_ipv4.conf"