Firewall for IPv6 for ISP PPP connection

CyberLeo Kitsana cyberleo at cyberleo.net
Thu Apr 10 17:23:00 UTC 2014


On 04/09/2014 11:07 PM, Khairil Yusof wrote:
> I have a home server that also acts as a router/firewall home network.
> 
> re0 is the main network interface connected to the rest of the network
> tun0 is the ipv4/ipv6 ppp tunnel connected to ISP via ppp.
> fxp0 is spare unused interface.
> 
> With ipv4, the rules were straight forward.
> 
> tun0 the ppp interface had an external ip and is easily identifiable as the
> external if.
> 
> The rules would nat non-local IP's going out via tun0, block incoming tcp
> via tun0 and set state for all outgoing tcp via tun0.
> 
> With ipv6 however, there is no external IPv6 address except link local on
> the tun0. All the IPv6 assigned addresses including the one on re0 are now
> also "external" too.
> 
> So I can't block re0 in, as that would block all my internal ipv6 network
> too.
> 
> In this ipv6 case, what would be the simplest rule possible, where I would
> block all incoming ipv6 traffic (except key ones like route discovery) not
> from local network, set state for all outgoing and pass in all with state?
> 
> Most of the examples I see on the Internet show a dedicated external
> network interface for their IPv6 connection, which isn't too different from
> my ipv4 setup with ext ip on tun0.
> 
> I'm guessing, that something like?
> 
> block in all inet6 from !$ipv6addr_/64
> pass out all inet6 from !$ipv6addr_/64  keep state
> 
> Any pointers would be helpful, I can figure out how to write the rules
> myself later, but would like to be pointed to the right approach.

Should be able to be handled in pretty much the same way; especially if
you have native v6 routing from your ISP: just filter on tun0 instead of
gif0.

I have a /48 from TunnelBroker, and have assigned the routing subnet to
the gif0 interface and distributed the /48 amongst my various internal
networks.

The simplified rules I have set up on my gif interface are as
follows:

----8<----
# Block v6 inbound by default, unless otherwise stated
block return quick on gif0 from !$my_nets_v6 to !$my_nets_v6
block return in on gif0 from any to !(gif0)
pass in on gif0 from any to (gif0)
pass out on gif0 from any to any keep state tag Q_DFLT
----8<----

And then individual rules loaded into anchors control arbitrary inbound
access to specific hosts:

----8<----
pass in on gif0 proto tcp from any to $sshgateway_v6 port 22 keep state tag Q_SSH
...
pass in on gif0 proto tcp from any to $loadbalancer_v6 port { 80, 443 } keep state tag Q_BULK
----8<----

Hope this helps!

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo at CyberLeo.Net>

Furry Peace! - http://www.fur.com/peace/
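The following pf.conf fragment is an added example, not part of either message above, adapting the gif0 ruleset to the original poster's tun0/re0 layout. The prefix 2001:db8:1234:1::/64, the host 2001:db8:1234:1::22 and the macro names are assumptions; substitute the /64 the ISP actually delegates. The point it illustrates is that without NAT the "external" property no longer comes from an address but from the interface and direction: everything is filtered on the tunnel interface, transit is dropped first, inbound is limited to the router's own addresses unless a later rule opens a host, and ICMPv6 needed for neighbor discovery, router advertisements and path MTU discovery is let through before the blocks.

```pf
# Added example (not from the thread): IPv6 filtering on a PPP tunnel
# interface that carries only a link-local address, with the delegated
# prefix living on the inside interface. All names and prefixes below
# are assumptions for illustration.
ext_if = "tun0"
int_if = "re0"
my_nets_v6 = "{ 2001:db8:1234:1::/64 }"   # assumed delegated prefix (on re0)
sshgateway_v6 = "2001:db8:1234:1::22"     # assumed internal host to expose

# ICMPv6 the link cannot work without: neighbor/router discovery and
# Packet Too Big for path MTU discovery. Matched before any block rule.
pass quick on $ext_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routersol, routeradv, toobig, echoreq }

# Transit: neither end is one of our networks, never forward it.
block return quick on $ext_if inet6 from !$my_nets_v6 to !$my_nets_v6

# Inbound default on the tunnel: only traffic addressed to this box's own
# tun0 addresses (the link-local one here) is accepted. Anything aimed at
# an internal host is dropped unless a later pass rule opens it.
block return in on $ext_if inet6 from any to !($ext_if)
pass in on $ext_if inet6 from any to ($ext_if)

# Outbound from our prefix, stateful: the state entry lets replies back in
# without touching the block rules above.
pass out on $ext_if inet6 from $my_nets_v6 to any keep state

# Explicit inbound exposure, one host and one port. Last matching rule
# wins in pf, so this overrides the "block return in" default for that
# destination only.
pass in on $ext_if inet6 proto tcp from any to $sshgateway_v6 port 22 keep state

# The LAN side is trusted; nothing is filtered on re0.
pass quick on $int_if inet6
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, and after loading confirm that an inside host can still reach the Internet (a stateful `pass out` entry should appear in `pfctl -ss`) while an outside host can reach only the SSH gateway. If the ISP's prefix changes, only `my_nets_v6` and `sshgateway_v6` need to be edited.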

