pf NAT function with IPv6

Pyun YongHyeon yongari at kt-is.co.kr
Wed Jan 5 03:23:59 GMT 2005


On Thu, Dec 30, 2004 at 11:23:05PM +0900, Hideki Yamamoto wrote:
 > 
 > Hi,
 > 
 > I tried to use pf to change source address of IPv6 UDP packet, but it does not go well.
 > As the output of the 'pfctl' command seems to show no problem.
 > I wonder if pf on FreeBSD does not support IPv6 now.
 > 

AFAIK, No. pf is the only firewall that supports (almost) full
IPv6 in BSDs.

 > 
 > ---------- /etc/pf.conf ------------- start
 > ext_if="bge2"
 > int_if="bge0"
 > internal_net="fec0:0:0:d::0/32"
 > nat on bge2 inet6 from fec0:0:0:d::1 to any -> 2001:b90:ee00:ff0b::1:3
 > ---------- /etc/pf.conf ------------- end
 > 
 > tsrmldgw3# pfctl -s state
 > No ALTQ support in kernel
 > ALTQ related functions disabled
 > self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] -> 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001]
 >      SINGLE:NO_TRAFFIC
 > 

Works here. Tested on FreeBSD-CURRENT sparc64
mars# pfctl -ss
self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22]       ESTABLISHED:ESTABLISHED
self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154]       ESTABLISHED:ESTABLISHED

mars# pfctl -sr
pass in on hme0 inet6 proto tcp all flags S/SA keep state
pass out on hme0 inet6 proto tcp all flags S/SA keep state
mars# pfctl -sn
nat on hme0 inet6 proto tcp from ! (hme0) to any -> 2001:b90:ee00:ff0b::1
rdr on hme0 inet6 proto tcp from any to any port = ssh -> fec0:0:0:d::1 port 22

Due to lack of hardware and IPv6 setup I tested an ssh connection. But
there is no reason UDP wouldn't work.

-- 
Regards,
Pyun YongHyeon
http://www.kr.freebsd.org/~yongari	|	yongari at freebsd.org
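
The thread turns on reading `pfctl -s state` output: a three-endpoint line means pf did rewrite an address, and the `SINGLE:NO_TRAFFIC` suffix means the state exists but the far side never answered. The following parser is an added example for this page, not code from either poster or from pf itself. It re-joins mail-wrapped state lines, ignores the ALTQ notices, and reports per state whether a nat/rdr translation was applied and whether traffic flowed both ways. The sample output embedded below is copied from the two `pfctl` listings in the thread; the verdict strings and function names are this example's own.

```python
"""Parse `pfctl -s state` output and check, per state, whether pf applied a
nat/rdr translation and whether the state has seen traffic in both directions.
Added example for the thread above; not pf code and not the posters' code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One endpoint as pfctl prints it: address followed by [port].
ENDPOINT_RE = re.compile(r"^(?P<addr>.+)\[(?P<port>\d+)\]$")
# A whole state line: interface, protocol, endpoint chain, then SRC:DST state.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<chain>.+?)\s+(?P<state>\S+:\S+)$")

# Copied from the thread: the UDP state the original poster showed.
SAMPLE_UDP = """No ALTQ support in kernel
ALTQ related functions disabled
self udp fec0:0:0:d::1[15001] -> 2001:b90:ee00:ff0b::1:3[52925] -> 2001:b90:ee00:51b:208:4ff:fe28:a1d2[8001]
     SINGLE:NO_TRAFFIC
"""

# Copied from the thread: the TCP nat/rdr states from the reply's sparc64 box.
SAMPLE_TCP = """self tcp fec0:0:0:d::1[49152] -> 2001:b90:ee00:ff0b::1[51223] -> 2001:b90:ee00:ff0b::10[22]       ESTABLISHED:ESTABLISHED
self tcp fec0:0:0:d::1[22] <- 2001:b90:ee00:ff0b::1[22] <- 2001:b90:ee00:ff0b::10[49154]       ESTABLISHED:ESTABLISHED
"""


@dataclass
class Endpoint:
    addr: str
    port: int


@dataclass
class PfState:
    iface: str
    proto: str
    direction: str            # "out" for "->" chains (nat), "in" for "<-" chains (rdr)
    endpoints: List[Endpoint]
    state: str                # e.g. "SINGLE:NO_TRAFFIC" or "ESTABLISHED:ESTABLISHED"

    @property
    def translated(self) -> bool:
        # pfctl prints a middle endpoint only when nat or rdr rewrote an address.
        return len(self.endpoints) == 3

    @property
    def no_traffic(self) -> bool:
        # NO_TRAFFIC on either side: the state exists but that side never sent a packet.
        return "NO_TRAFFIC" in self.state.split(":")


def join_wrapped(lines: List[str]) -> List[str]:
    """Re-join state lines that a mail client wrapped onto an indented continuation."""
    out: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        if line[0].isspace() and out:
            out[-1] = out[-1].rstrip() + " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def parse_endpoint(text: str) -> Endpoint:
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad endpoint: {text!r}")
    return Endpoint(m["addr"], int(m["port"]))


def parse_state(line: str) -> PfState:
    m = STATE_RE.match(line)
    if not m:
        raise ValueError(f"not a state line: {line!r}")
    chain = m["chain"]
    if "->" in chain:
        direction, parts = "out", chain.split("->")
    elif "<-" in chain:
        direction, parts = "in", chain.split("<-")
    else:
        raise ValueError(f"no direction marker in: {line!r}")
    return PfState(m["iface"], m["proto"], direction,
                   [parse_endpoint(p) for p in parts], m["state"])


def parse_states(text: str) -> List[PfState]:
    """Parse pfctl -s state output; lines without a trailing SRC:DST token (ALTQ notices) are skipped."""
    return [parse_state(l) for l in join_wrapped(text.splitlines()) if STATE_RE.match(l)]


def summarize(states: List[PfState]) -> List[Tuple[str, str, str, Optional[str], str]]:
    """(proto, direction, inside address, gateway-side address or None, verdict) per state.
    For "in" states the gateway-side address is the pre-rdr destination."""
    rows = []
    for s in states:
        gateway = s.endpoints[1].addr if s.translated else None
        if not s.translated:
            verdict = "no translation applied"
        elif s.no_traffic:
            verdict = "translated, but no reply traffic seen"
        else:
            verdict = "translated, traffic both ways"
        rows.append((s.proto, s.direction, s.endpoints[0].addr, gateway, verdict))
    return rows


if __name__ == "__main__":
    for row in summarize(parse_states(SAMPLE_UDP) + parse_states(SAMPLE_TCP)):
        print(row)
```

Run against the poster's listing it reports the UDP state as translated (the source was rewritten to `2001:b90:ee00:ff0b::1:3`) with no reply traffic, which is the distinction the reply draws: the nat rule itself fired, so what remains to check is whether anything answers on the far side.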

