Re: IPv6 and IPv4 combined rules in pf.conf
- Reply: Dirk-Willem van Gulik : "Re: IPv6 and IPv4 combined rules in pf.conf"
- In reply to: Lexi Winter : "Re: IPv6 and IPv4 combined rules in pf.conf"
Date: Wed, 08 May 2024 20:41:56 UTC
> On 8 May 2024, at 22:14, Lexi Winter <lexi@le-fay.org> wrote:
>
> Dirk-Willem van Gulik:
>> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
>> listening to - is there a recommended way to setup pf.conf to avoid
>> mistakes/duplication ?
>
>> To avoid duplication in constructs such as:
>
>> # Foo app servers
>> foobarserver_host4=231.17.X.Y
>> foobarserver_host6=fe80::5246:…
>>
>> # Load balancers - direct or via tun0 in post/fail-back
>> bar_net=X.Y.Z.Z #
>> bar_net6=fe80::5246:… #
>> …
>>
>> pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
>> pass in on { tun0, $ext_if } proto udp6 from $bar_net6 to $foobarserver_host6 port 2194 keep state
>
>> Is there some recommended way of doing this in stock FreeBSD ? Or does
>> one usually end up with some sort of macro/generate style solution ?
>
> i would suggest something like this:
>
> table <foobarserver> {
> 231.17.X.Y
> fe80::5246:...
> }
>
> table <bar-net> {
> ...
> }
>
> pass on { tun0, $ext_if } proto udp from <bar-net> \
> to <foobarserver> port 2194
Ok - excellent - so one can mix IPv4 and IPv6 in a list - and 'udp' no longer needs to be 'udp6' (and same for tcp6 and icmp6 vs. tcp/icmp) - pf guesses this right based on the address ?
> note that in either case pf doesn't need 'keep state'.
Sorry :) cut and paste of an actual TCP rule edited to protect the innocent.
Dw
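A complete dual-stack pf.conf built the way the reply suggests, added here as a worked example; it is not a config from the thread. Interface names, the addresses in the tables and the extra SSH/ICMP rules are assumptions, chosen to also show the one place where the two families still need separate rules.

```pf
# Added example, not from the thread. Interface names and addresses are assumed.
ext_if = "vtnet0"
tun_if = "tun0"

# One table per role, with IPv4 and IPv6 entries side by side.
# Each entry matches only packets of its own address family.
table <foobarserver> { 231.17.0.1, 2001:db8:1::10 }
table <bar_net>      { 198.51.100.0/24, 2001:db8:2::/64 }

set skip on lo0
block in log all

# No 'inet' / 'inet6' keyword, so the rule applies to both families, and
# 'proto udp' is the same protocol number (17) in IPv4 and IPv6; there is no
# 'udp6' (or 'tcp6') protocol name in /etc/protocols for pf to look up.
# 'pass' rules keep state by default, so 'keep state' is redundant.
pass in on { $tun_if, $ext_if } proto udp from <bar_net> to <foobarserver> port 2194

# Where the families do differ: ICMP (1) and ICMPv6 (58) are distinct protocols
# with their own type names, so they keep separate rules with the family explicit.
pass inet  proto icmp  from <bar_net> to <foobarserver> icmp-type  { echoreq }
pass inet6 proto icmp6 from <bar_net> to <foobarserver> icmp6-type { echoreq }

# IPv6 neighbour discovery is link-local traffic that never comes from <bar_net>,
# so it needs its own allowance or v6 connectivity breaks while v4 keeps working.
pass inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv }

# Deliberately restricting a rule to one family when that is what you want.
pass in on $ext_if inet6 proto tcp from <bar_net> to <foobarserver> port 22
```

Before loading, run `pfctl -nf /etc/pf.conf` to parse without applying, and after loading `pfctl -t foobarserver -T show` to confirm both the IPv4 and the IPv6 entries made it into the table. Two things worth checking against your own ruleset: a `pass` with no `in`/`out`, as in the reply, matches both directions, so keep the `in` if the original rule was inbound only; and link-local `fe80::` addresses, as in the post, are unusual table entries for a server because they are meaningful only on one link, so a global or ULA address is the normal choice there.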