docs/112579: No ipv6 related pf examples in /usr/share/examples/pf
Janos Mohacsi
mohacsi at niif.hu
Thu May 10 18:00:18 UTC 2007
>Number: 112579
>Category: docs
>Synopsis: No ipv6 related pf examples in /usr/share/examples/pf
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 10 18:00:11 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Janos Mohacsi
>Release: FreeBSD 6.2-STABLE i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root at scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386
>Description:
There are no IPv6-related examples in /usr/share/examples/pf; however, pf has supported
IPv6 since the beginning. Filtering ICMPv6 packets should be considered more
carefully, therefore I enclose 3 sample configurations to be included in
/usr/share/examples/pf.
>How-To-Repeat:
Look at /usr/share/examples/pf
Test attached sample configs.
>Fix:
--- pf_ipv6host.conf.txt begins here ---
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# CHANGE to your network interface card!!!
ext_if="fxp0"
#block everything
block in log all
block out log all
#allow everything for loopback
pass in quick on lo0 all
pass out quick on lo0 all
#allow all outgoing packets
pass out quick proto tcp from $ext_if to any keep state
pass out quick proto udp from $ext_if to any keep state
pass out quick inet proto icmp from $ext_if to any keep state
pass out quick proto ipv6-icmp from any to any keep state
# ICMPv6 is far less optional in IPv6 than ICMP is in IPv4 (neighbor discovery
# and path MTU discovery depend on it). See RFC 4890 for a more detailed treatment.
# supported icmp6-types:
# unreach 1 Destination unreachable
# toobig 2 Packet too big
# timex 3 Time Exceeded
# paramprob 4 Parameter problem
# echoreq 128 Echo Request
# echorep 129 Echo Reply
# groupqry 130 ICMPv6 Membership query
# listqry 130 MLD listener query
# grouprep 131 ICMPv6 membership report
# listenrep 131 MLD listener report
# groupterm 132 ICMPv6 membership termination
# listendone 132 MLD listener done
# routersol 133 ND router solicitation
# routeradv 134 ND router advertisement
# neighbrsol 135 ND neighbor solicitation
# neighbradv 136 ND neighbor advertisement
# redir 137 ND redirection
# routerrenum 138 ICMPv6 router renumbering
# wrureq 139 Who are you request
# wrurep 140 Who are you reply
# fqdnreq 139 ICMPv6 Fully Qualified Domain Name Query
# fqdnrep 140 ICMPv6 Fully Qualified Domain Name Reply
# nireq 139 Neighbor Information Query
# nirep 140 Neighbor Information Reply
# mtraceresp 200 MLD Multicast trace response
# mtrace 201 MLD Multicast trace
#
# Allow all incoming icmpv6 packets
pass in quick proto ipv6-icmp from any to any
# Allow only bare essential icmpv6 packets (NS, NA, and RA)
#pass in quick inet6 proto ipv6-icmp from any to any icmp6-type {neighbradv,neighbrsol,routeradv}
#enable to ssh access
pass in quick proto tcp from any to any port = 22
--- pf_ipv6host.conf.txt ends here ---
--- pf_noserver_ipv6.conf.txt begins here ---
#external interface
EXT = "bge0"
#internal LAN interface
LAN = "bge1"
#IPv4 address of LAN interface
LANip4 = "192.168.1.1"
#IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
#IPv4 address of external interface
EXTip4 = "192.168.2.1"
#IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
#IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
#IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::/64"
#loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"
# expire state connections early
set optimization aggressive
block in log all
# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port=domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port=domain keep state
# all TCP request allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping request allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND solicitation out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
#router advertisement out
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS request inside
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain
# TCP request inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP request inside
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq
--- pf_noserver_ipv6.conf.txt ends here ---
--- pf_www_ssh_server_ipv6.conf.txt begins here ---
#external interface
EXT = "bge0"
#internal LAN interface
LAN = "bge1"
#IPv4 address of LAN interface
LANip4 = "192.168.1.1"
#IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
#IPv4 address of external interface
EXTip4 = "192.168.2.1"
#IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
#IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
#IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::/64"
#loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"
#internal server addresses (inside the LAN prefixes above)
LANSRV6="2001:db8:1:1::2"
LANSRV4="192.168.1.2"
# expire state connections early
set optimization aggressive
block in log all
# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port=domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port=domain keep state
# all TCP request allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping request allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND solicitation out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
#router advertisement out
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS request inside
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain
# TCP request inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP request inside
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq
#allow incoming connection to SSH server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port=22 keep state
pass in on $EXT inet proto tcp from any to $LANSRV4 port=22 keep state
#all replies from SSH server (not really necessary)
pass in on $LAN inet6 proto tcp from $LANSRV6 port=22 to any keep state
pass in on $LAN inet proto tcp from $LANSRV4 port=22 to any keep state
#allow incoming connection to WWW server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port=www keep state
pass in on $EXT inet proto tcp from any to $LANSRV4 port=www keep state
#all replies from WWW server (not really necessary)
pass in on $LAN inet6 proto tcp from $LANSRV6 port=www to any keep state
pass in on $LAN inet proto tcp from $LANSRV4 port=www to any keep state
--- pf_www_ssh_server_ipv6.conf.txt ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
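An added pre-commit lint, not part of the PR or of pf itself, that catches the kind of slips the submitted configs contain before `pfctl -nf` is ever run: an unterminated quoted macro value, a macro named inside `{...}` without its `$`, a misspelled icmp6-type name, a rule cut off after `icmp6-type`, and `keep-state`. It takes the icmp6-type names from the comment block in pf_ipv6host.conf.txt above and runs on a constructed sample, not on the attached files.

```python
import re
# icmp6-type names pf.conf(5) accepts, copied from the comment block in the PR
ICMP6_TYPES = set("""unreach toobig timex paramprob echoreq echorep groupqry listqry
grouprep listenrep groupterm listendone routersol routeradv neighbrsol neighbradv redir
routerrenum wrureq wrurep fqdnreq fqdnrep nireq nirep mtraceresp mtrace""".split())
MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
ICMP6_ARG = re.compile(r'icmp6-type\s+(\{[^}]*\}|[\w-]+)')

def lint_pf_conf(text):
    """Return [(lineno, message)] for slips pfctl rejects or silently misapplies."""
    problems, macros = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # drop comments
        if not line:
            continue
        if line.count('"') % 2:                        # e.g. EXTip4 = "192.168.2.1
            problems.append((n, "unbalanced double quote"))
        m = MACRO_DEF.match(line)
        if m:                                          # macro definition: remember name
            macros.add(m.group(1))
            continue
        for name in MACRO_REF.findall(line):
            if name not in macros:
                problems.append((n, f"undefined macro ${name}"))
        for group in re.findall(r"\{([^}]*)\}", line):  # {EXTip4, $Lo4}: bare macro name
            items = [i.strip() for i in group.split(",")]
            for i in items:
                if i in macros and any(j.startswith("$") for j in items):
                    problems.append((n, f"'{i}' looks like a macro missing '$'"))
        if "icmp6-type" in line:
            m = ICMP6_ARG.search(line)
            if not m:                                  # rule cut short after icmp6-type
                problems.append((n, "icmp6-type without a type name"))
            for t in (m.group(1).strip("{}").split(",") if m else []):
                t = t.strip()
                if t and not t.isdigit() and t not in ICMP6_TYPES:
                    problems.append((n, f"unknown icmp6-type '{t}'"))
        if "keep-state" in line:                       # pf spells it "keep state"
            problems.append((n, "'keep-state' should be 'keep state'"))
    return problems

# Constructed sample reproducing the slips found in the submitted configs
SAMPLE = """EXT = "bge0"
EXTip4 = "192.168.2.1
LANnet4 = "192.168.1.0/24"
pass out on $EXT inet proto tcp from {EXTip4, $LANnet4} to any keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type routersadv
pass in on $EXT inet6 proto icmp6 all icmp6-type
pass in on $EXT inet6 proto tcp from any to $SRV port = 22 keep-state"""
```

`pfctl -nf` remains the authoritative check; this lint only front-loads the errors that pfctl reports one at a time, plus the missing-`$` case that pfctl accepts as a literal hostname.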