Hi Miika,

I changed network configuration on bridged (I use vmware) and now with 3ffe::xx/64 addresses IPv6 connectivity seems ok (I can reach the other host), but if I try to ping6 the HIT of the responder I still get I1 packet only. What else can I do?

Thanks for your help,
Paola

On 14 Oct 2013 16:38, "Miika Komu" <mkomu@xxxxxxxxx> wrote:

> Hi Paola,
>
> it seems so. If you're using e.g. virtualbox, there seems to be some
> advice available at various forums:
>
> https://www.google.com/search?client=ubuntu&channel=fs&q=ipv6+virtualbox+destination+unreachable+error&ie=utf-8&oe=utf-8
>
> On 10/14/2013 05:28 PM, Paola Venuso wrote:
>
>> Hi,
>> I've just tried this and I've got destination unreachable error. So is
>> this a problem concerning only IPv6?
>>
>> On 14 Oct 2013 16:13, "Miika Komu" <mkomu@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> why don't you try plain IPv6 connectivity locally (without Teredo) with
>> 3ffe::x/64 addresses? So that we know if it's about IPv6 or
>> something HIP related.
>>
>> On 10/14/2013 05:09 PM, Paola Venuso wrote:
>>
>> Sorry, HIP over IPv6 didn't work.
>>
>> On 14 Oct 2013 16:04, "Miika Komu" <mkomu@xxxxxxxxx> wrote:
>>
>> Hi Paola,
>>
>> what didn't work? Directly IPv6 or HIP-over-IPv6?
>>
>> On 10/14/2013 04:58 PM, Paola Venuso wrote:
>>
>> Hi Miika,
>>
>> Yes, I did. But it didn't work.
>>
>> On 14 Oct 2013 15:40, "Miika Komu" <mkomu@xxxxxxxxx> wrote:
>>
>> Hi Paola,
>>
>> it seems that you got HIP working with IPv4 locators.
>> Did you try with two locally configured IPv6 locators (3ffe::x/64)?
>>
>> On 10/14/2013 02:13 PM, Paola Venuso wrote:
>>
>> Hi Miika,
>>
>> I checked and I think my site firewall isn't blocking Teredo traffic.
>> Anyway this is the output:
>>
>> paola@ubuntu:~$ dig -t aaaa www.google.com
>>
>> ; <<>> DiG 9.8.1-P1 <<>> -t aaaa www.google.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27694
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.google.com. IN AAAA
>>
>> ;; ANSWER SECTION:
>> www.google.com. 300 IN AAAA 2a00:1450:4002:804::1010
>>
>> ;; Query time: 165 msec
>> ;; SERVER: 127.0.0.53#53(127.0.0.53)
>> ;; WHEN: Mon Oct 14 03:22:40 2013
>> ;; MSG SIZE rcvd: 60
>>
>> paola@ubuntu:~$ ping6 2a00:1450:4010:c04::68
>> PING 2a00:1450:4010:c04::68(2a00:1450:4010:c04::68) 56 data bytes
>> 64 bytes from 2a00:1450:4010:c04::68: icmp_seq=1 ttl=55 time=371 ms
>> 64 bytes from 2a00:1450:4010:c04::68: icmp_seq=2 ttl=55 time=110 ms
>> 64 bytes from 2a00:1450:4010:c04::68: icmp_seq=3 ttl=55 time=110 ms
>> ^C
>> --- 2a00:1450:4010:c04::68 ping statistics ---
>> 3 packets transmitted, 3 received, 0% packet loss, time 2004ms
>> rtt min/avg/max/mdev = 110.529/197.440/371.075/122.778 ms
>>
>> paola@ubuntu:~$ ip route get 2a00:1450:4010:c04::68
>> 2a00:1450:4010:c04::68 from :: via 2a00:1450:4010:c04::68 dev teredo
>> src 2001:0:53aa:64c:2cb6:3c14:4367:467f metric 0
>> cache
>>
>> I also tried with your test machine:
>>
>> paola@ubuntu:~$ ping6 2001:0:53aa:64c:3026:52b2:ad4a:8b91
>> PING 2001:0:53aa:64c:3026:52b2:ad4a:8b91(2001:0:53aa:64c:3026:52b2:ad4a:8b91) 56 data bytes
>> 64 bytes from 2001:0:53aa:64c:3026:52b2:ad4a:8b91: icmp_seq=1 ttl=64 time=243 ms
>> 64 bytes from 2001:0:53aa:64c:3026:52b2:ad4a:8b91: icmp_seq=2 ttl=64 time=112 ms
>> ^C
>> --- 2001:0:53aa:64c:3026:52b2:ad4a:8b91 ping statistics ---
>> 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
>> rtt min/avg/max/mdev = 112.229/177.819/243.410/65.591 ms
>>
>> Then I tried in my network:
>>
>> - with eth0 I got only I1 packet
>> - with Teredo I got "destination unreachable" error
>>
>> And when I stopped ping6 there was 100% of packet loss. I also tried to
>> edit manually the hosts files with different configuration but the same
>> happened.
>>
>> Thanks,
>>
>> Paola
>>
>> 2013/10/12 Miika Komu <mkomu@xxxxxxxxx>
>>
>> Hi Paola,
>>
>> initially, Teredo traffic is forwarded through a Teredo server to
>> guarantee NAT traversal and then miredo software tries to pinhole
>> the NAT. My guess is that your *site* firewall is blocking the
>> initial messages with the Teredo server. You can double check this as
>> follows:
>>
>> mkomu@bling:~$ dig -t aaaa www.google.com
>>
>> ; <<>> DiG 9.8.1-P1 <<>> -t aaaa www.google.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12399
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.google.com. IN AAAA
>>
>> ;; ANSWER SECTION:
>> www.google.com. 214 IN AAAA 2a00:1450:4010:c03::93
>>
>> ;; Query time: 333 msec
>> ;; SERVER: 193.229.0.40#53(193.229.0.40)
>> ;; WHEN: Sat Oct 12 14:20:35 2013
>> ;; MSG SIZE rcvd: 60
>>
>> mkomu@bling:~$ ping6 2a00:1450:4010:c04::68
>> PING 2a00:1450:4010:c04::68(2a00:1450:4010:c04::68) 56 data bytes
>> 64 bytes from 2a00:1450:4010:c04::68: icmp_seq=1 ttl=55 time=1363 ms
>> 64 bytes from 2a00:1450:4010:c04::68: icmp_seq=2 ttl=55 time=441 ms
>> ^C
>> --- 2a00:1450:4010:c04::68 ping statistics ---
>> 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
>> rtt min/avg/max/mdev = 441.913/902.595/1363.277/460.682 ms, pipe 2
>> mkomu@bling:~$ ip route get 2a00:1450:4010:c04::68
>> 2a00:1450:4010:c04::68 from :: via 2a00:1450:4010:c04::68 dev teredo
>> src 2001:0:53aa:64c:473:6a2c:ab19:60e3 metric 0
>>
>> If this does not work for you, it probably means that the firewall
>> at your site is blocking Teredo. You can contact your site
>> administrator to open the UDP port 3544.
>>
>> You can also try the 2001:0:53aa:64c:3026:52b2:ad4a:8b91 (my test
>> machine) which is actually behind a real NAT unlike the google
>> server. If you can reach google server, but not mine, it most likely
>> means that either of us is using a p2p-incompatible NAT.
>>
>> You can also try e.g. 3ffe::x/64 address space for local experiments
>> in your local LAN (or WLAN). Just configure it to the eth0 (or other
>> device) for two machines and try pinging each other.
>>
>> On 10/11/2013 09:03 PM, Paola Venuso wrote:
>>
>> Hi Miika,
>>
>> I uncommented the line "Bindport 3545" in file miredo.conf as I read on
>> the man page of miredo and checked ufw files for rules blocking IPv6
>> traffic (I uncommented two about forwarding, the others about enabling
>> this traffic were already uncommented).
>> Then I tried ping6 the locators and I got the message: unknown host.
>> Also I tried manual set up with IPv4-based locators, as you wrote me,
>> and my host exchanged HIP UPDATE and I1, R1, I2, R2 packets with another
>> host, with address 193.167.187.149, that I don't know but I guess maybe
>> it's one of infrahip servers.
>> Anyway, I am not sure I checked correctly for rules about IPv6 traffic.
>> What should I do about this? Could all these problems be connected also
>> with virtual machine net configuration? It is NAT by default, but there
>> are some other options.
>>
>> Thanks for all the help you're giving to me.
>>
>> Paola
>>
>> 2013/10/11 Miika Komu <mkomu@xxxxxxxxx>
>>
>> Hi Paola,
>>
>> it seems your installation is fine. Based on my own experiences, I
>> think that a middlebox (firewall) is blocking your IPv6 traffic (in
>> the case of Teredo it's UDP port 3544). Did you try to ping6 the
>> routable addresses (locators)?
>>
>> I also recommend trying a manual set up with IPv4-based locators as
>> follows:
>>
>> hipconf daemon rst all
>> hipconf daemon add map PEER_HIT PEER_IPV4_ADDRESS
>> ping6 PEER_HIT
>>
>> On 10/10/2013 12:42 AM, Paola Venuso wrote:
>>
>> Hi Miika,
>>
>> hipd is running at the responder, the firewall is not blocking HIP
>> traffic and I don't use redhat-based distro.
>> This is the output of the commands from the manual:
>>
>> paola@ubuntu:~$ dpkg -l 'hipl*'
>> Desired=Unknown/Install/Remove/Purge/Hold
>> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
>> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
>> ||/ Nome           Versione       Descrizione
>> +++-==============-==============-==========================================
>> ii  hipl-all       1.0.8-6429     HIP for Linux full software bundle
>> ii  hipl-daemon    1.0.8-6429     HIP for Linux IPsec key management and mobil
>> ii  hipl-dnsproxy  1.0.8-6429     HIP for Linux name lookup proxy
>> ii  hipl-doc       1.0.8-6429     HIP for Linux documentation
>> ii  hipl-firewall  1.0.8-6429     HIP for Linux multi-purpose firewall daemon
>> un  hipl-minimal   <nessuna>      (nessuna descrizione disponibile)
>> un  hipl-tools     <nessuna>      (nessuna descrizione disponibile)
>> paola@ubuntu:~$ hipconf daemon get ha all
>> Sending user message 22 to HIPD on socket 3
>> Sent 40 bytes
>> Waiting to receive daemon info.
>> 240 bytes received from HIP daemon.
>> HA is I1-SENT
>> Shotgun mode is off.
>> Broadcast mode is off.
>> Local HIT: 2001:0012:421d:99a0:005d:d60f:73b0:4407
>> Peer HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
>> Local LSI: 1.0.0.1
>> Peer LSI: 1.0.0.2
>> Local IP: 2001:0000:53aa:064c:2cde:3e12:4367:467f
>> Local NAT traversal UDP port: 10500
>> Peer IP: 2001:0708:0140:0220:0000:0000:0000:0016
>> Peer NAT traversal UDP port: 10500
>> Peer hostname:
>>
>> ------------------------------------------------------------
>>
>> paola@ubuntu:~$ uname -a
>> Linux ubuntu 3.5.0-41-generic #64~precise1-Ubuntu SMP Thu Sep 12 17:01:55 UTC 2013 i686 i686 i386 GNU/Linux
>> paola@ubuntu:~$ lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 12.04.3 LTS
>> Release: 12.04
>> Codename: precise
>>
>> ------------------------------------------------------------
>>
>> paola@ubuntu:~$ cat /etc/hip/hipd.conf
>> # Format of this file is as with hipconf, but without "hipconf daemon" prefix
>> # add hi default # add all four HITs (see bug id 592127)
>> # add map HIT IP # preload some HIT-to-IP mappings to hipd
>> # add service rvs # the host acts as HIP rendezvous (also see relay.conf)
>> # add server rvs [RVS-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to rendezvous server
>> # add server relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
>> # add server full-relay [RELAY-HIT] <RVS-IP-OR-HOSTNAME> <lifetime-secs> # register to relay server
>> hit-to-ip on # resolve HITs to locators in dynamic DNS zone
>> # hit-to-ip set hit-to-ip.infrahip.net. # resolve HITs to locators in dynamic DNS zone
>> nsupdate on # send dynamic DNS updates
>> # add server rvs hiprvs.infrahip.net 50000 # Register to free RVS at infrahip
>> # heartbeat 10 # send ICMPv6 messages inside HIP tunnels
>> # locator on # host sends all of its locators in base exchange
>> # shotgun on # use all possible src/dst IP combinations to send I1/UPDATE
>> # broadcast on # broadcast to LAN if no matching IP address found
>> # opp normal|advanced|none
>> # transform order 213 # crypto preference order (1=AES, 2=3DES, 3=NULL)
>> nat plain-udp # use UDP capsulation (for NATted environments)
>> #nat port local 11111 # change local default UDP port
>> #nat port peer 22222 # change local peer UDP port
>> debug medium # debug verbosity: all, medium, low or none
>> default-hip-version 1 # default HIP version number for the I1 message. (1=HIPv1, 2=HIPv2)
>>
>> ------------------------------------------------------------
>>
>> paola@ubuntu:~$ sudo iptables -L -n
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> HIPFW-INPUT all -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT 139 -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT 139 -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:10500
>> ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT icmpv6-- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT all -- 1.0.0.0/8 1.0.0.0/8
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>> HIPFW-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>> HIPFW-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT 139 -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10500
>> ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT icmpv6-- 0.0.0.0/0 0.0.0.0/0
>
> ...
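
Added example, not part of the thread and not HIPL code: a shell helper that reads a `hipconf daemon get ha all` dump like the one quoted above and reports where the base exchange stalled and which kind of locators are involved. The function names are hypothetical, the sample input is the association dump from the thread, and `ESTABLISHED` as the success state name is an assumption from the HIP state machine (the thread only shows `I1-SENT`).

```shell
#!/usr/bin/env bash
# Added example: triage of `hipconf daemon get ha all` output.

# Sample input: the association dump quoted in the thread (archive wrap debris removed).
SAMPLE_HA='HA is I1-SENT
Local HIT: 2001:0012:421d:99a0:005d:d60f:73b0:4407
Peer HIT: 2001:001a:2a72:f01c:d98e:311c:c76a:57c4
Local IP: 2001:0000:53aa:064c:2cde:3e12:4367:467f
Local NAT traversal UDP port: 10500
Peer IP: 2001:0708:0140:0220:0000:0000:0000:0016
Peer NAT traversal UDP port: 10500'

# ha_state: print the association state from the "HA is <STATE>" line (stdin).
ha_state() { sed -n 's/^[[:space:]]*HA is[[:space:]]*//p' | head -n 1; }

# ha_field LABEL: print the value of the first "LABEL: value" line (stdin).
ha_field() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1; }

# locator_kind ADDR: classify a locator as ipv4, teredo (2001:0000::/32) or ipv6.
locator_kind() {
  case "$1" in
    *.*.*.*)                       echo ipv4 ;;
    2001:0:*|2001:0000:*|2001::*)  echo teredo ;;
    *:*)                           echo ipv6 ;;
    *)                             echo unknown ;;
  esac
}

# triage: read a dump on stdin and print a one-line verdict.
# Runs in a subshell so its variables do not leak into the caller.
triage() (
  dump=$(cat)
  state=$(printf '%s\n' "$dump" | ha_state)
  lip=$(printf '%s\n' "$dump" | ha_field 'Local IP')
  pip=$(printf '%s\n' "$dump" | ha_field 'Peer IP')
  case "$state" in
    ESTABLISHED)   # assumed name of the success state
      echo "ok: association established" ;;
    I1-SENT)       # I1 went out, no R1 came back
      echo "stuck: I1 sent, no R1 back; check plain reachability of $pip" \
           "($(locator_kind "$lip") -> $(locator_kind "$pip"))" ;;
    '')
      echo "no association found" ;;
    *)
      echo "in progress: state $state" ;;
  esac
)

# Stand-alone run on the sample; on a live host use:
#   hipconf daemon get ha all | triage
printf '%s\n' "$SAMPLE_HA" | triage
```

On the dump from the thread this reports a Teredo local locator and a native IPv6 peer locator, which is the path the plain ping6 tests discussed above exercise.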