Re: IPv6 and IPv4 combined rules in pf.conf

From: Lexi Winter <lexi_at_le-fay.org>
Date: Wed, 08 May 2024 20:14:27 UTC
Dirk-Willem van Gulik:
> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
> listening to - is there a recommended way to setup pf.conf to avoid
> mistakes/duplication ?
 
> To avoid duplication in constructs such as:
 
> 	# Foo app servers
> 	foobarserver_host4=231.17.X.Y
> 	foobarserver_host6=fe80::5246:…
> 
> 	# Load balancers  - direct or via tun0 in post/fail-back 
> 	bar_net=X.Y.Z.Z # 
> 	bar_net6=fe80::5246:… # 
> 	…
> 
> 	pass in on { tun0, $ext_if }  proto udp from $bar_net  to $foobarserver_host4 port 2194 keep state
> 	pass in on { tun0, $ext_if }  inet6 proto udp from $bar_net6 to $foobarserver_host6 port 2194 keep state
 
> Is there some recommended way of doing this in stock FreeBSD ? Or does
> one usually end up with some sort of macro/generate style solution ?

i would suggest something like this:

	table <foobarserver> {
		231.17.X.Y
		fe80::5246:...
	}

	table <bar-net> {
		...
	}

	pass on { tun0, $ext_if } proto udp from <bar-net> \
		to <foobarserver> port 2194

alternatively, if 'foobarserver' is the local host, you can simply do:

	pass in on { tun0, $ext_if } proto udp from <bar-net> \
		to self port 2194

note that in either case pf doesn't need 'keep state'.
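To make the table-based approach concrete, here is an added, complete pf.conf fragment written for this reply; it is not from the thread and not Lexi's or the FreeBSD project's own configuration. The interface names, the file path /etc/pf/bar-net and the addresses (RFC 5737/3849 documentation ranges standing in for the masked values in the question) are all constructed placeholders.

```pf
# Added example (not from the thread): one dual-stack ruleset built on
# address-family-agnostic tables. All addresses below are constructed.
ext_if = "em0"
tun_if = "tun0"

# A single table may hold IPv4 and IPv6 entries side by side. For each
# packet pf only consults entries of that packet's address family, so one
# rule referencing the table covers both stacks without duplication.
table <foobarserver> persist {
    192.0.2.10        # stands in for 231.17.X.Y in the question
    2001:db8:1::10    # stands in for the fe80::5246:... address
}

# Load balancers (direct or via tun0). Kept in a separate file so the
# address list can be edited and reloaded with pfctl -T without reloading
# the whole ruleset; the file holds one address or prefix per line.
# Assumed path, adjust to taste.
table <bar-net> persist file "/etc/pf/bar-net"

# One rule for both families. 'keep state' is already the default.
pass in on { $tun_if, $ext_if } proto udp from <bar-net> \
    to <foobarserver> port 2194

# If the app server is this host itself, 'self' (every address configured
# on every local interface) replaces the <foobarserver> table entirely:
# pass in on { $tun_if, $ext_if } proto udp from <bar-net> to self port 2194

# Tables do not stop you from being family-specific when a rule needs it;
# 'inet' / 'inet6' narrows the same rule to one family:
# pass in on $tun_if inet6 proto udp from <bar-net> to <foobarserver> port 2194
```

Two checks are worth running after a change like this. `pfctl -nf /etc/pf.conf` parses the file without loading it, so a syntax slip is caught before the old ruleset is replaced. `pfctl -t foobarserver -T show` (and the same for bar-net) prints the addresses actually loaded into each table: with a shared table, a typo or missing entry in one family does not produce an error, it simply means that family's traffic never matches the pass rule, and listing the table is the quickest way to see which side is missing.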