IPv6 fragments firewall support?

list_freebsd at bluerosetech.com list_freebsd at bluerosetech.com
Sun Jun 10 03:45:39 UTC 2012


On 2012-06-09 14:40, Bjoern A. Zeeb wrote:
> You can however unconditionally allow all fragments and trust a (bad)
> end host system:
>
> pass log quick inet6 proto ipv6-frag all

Does ipv6-frag require explicit rules?  My rules passing Internet<->LAN 
traffic intentionally omit protocol specifications, so in theory 
ipv6-frag should be covered.  For example:

pass quick on $lanif from <lan_local> to <lan_local>
pass in quick on $lanif from <lan_global> to any tag LanOut
pass out quick on { $extif4, $extif6 } tagged LanOut

block in quick on $extif6 inet6 from any to <me6>
pass in quick on $extif6 inet6 from any to <lan_global> tag LanIn
pass out quick on $lanif tagged LanIn



More information about the freebsd-pf mailing list