Firewall for IPv6 for ISP PPP connection
CyberLeo Kitsana
cyberleo at cyberleo.net
Thu Apr 10 17:23:00 UTC 2014
On 04/09/2014 11:07 PM, Khairil Yusof wrote:
> I have a home server that also acts as a router/firewall home network.
>
> re0 is the main network interface connected to the rest of the network
> tun0 is the ipv4/ipv6 ppp tunnel connected to ISP via ppp.
> fxp0 is spare unused interface.
>
> With ipv4, the rules were straight forward.
>
> tun0 the ppp interface had an external ip and is easily identifiable as the
> external if.
>
> The rules would nat non-local IP's going out via tun0, block incoming tcp
> via tun0 and set state for all outgoing tcp via tun0.
>
> With ipv6 however, there is no external IPv6 address except link local on
> the tun0. All the IPv6 assigned addresses including the one on re0 are now
> also "external" too.
>
> So I can't block re0 in, as that would block all my internal ipv6 network
> too.
>
> In this ipv6 case, what would be the simplest rule possible, where I would
> block all incoming ipv6 traffic (except key ones like route discovery) not
> from local network, set state for all outgoing and pass in all with state?
>
> Most of the examples I see on the Internet show a dedicated external
> network interface for their IPv6 connection, which isn't too different from
> my ipv4 setup with ext ip on tun0.
>
> I'm guessing, that something like?
>
> block in all inet6 from !$ipv6addr_/64
> pass out all inet6 from !$ipv6addr_/64 keep state
>
> Any pointers would be helpful, I can figure out how to write the rules
> myself later, but would like to be pointed to the right approach.
Should be able to be handled in pretty much the same way; especially if
you have native v6 routing from your ISP: just filter on tun0 instead of
gif0.
I have a /48 from TunnelBroker, and have assigned the routing subnet to
the gif0 interface and distributed the /48 amongst my various internal
networks.
The simplified rules I have set up on my gif interface are as
follows:
----8<----
# Block v6 inbound by default, unless otherwise stated
block return quick on gif0 from !$my_nets_v6 to !$my_nets_v6
block return in on gif0 from any to !(gif0)
pass in on gif0 from any to (gif0)
pass out on gif0 from any to any keep state tag Q_DFLT
----8<----
And then individual rules loaded into anchors control arbitrary inbound
access to specific hosts:
----8<----
pass in on gif0 proto tcp from any to $sshgateway_v6 port 22 keep state
tag Q_SSH
...
pass in on gif0 proto tcp from any to $loadbalancer_v6 port { 80, 443 }
keep state tag Q_BULK
----8<----
Hope this helps!
--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo at CyberLeo.Net>
Furry Peace! - http://www.fur.com/peace/
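The gif0 ruleset above carried over to the asker's PPP setup, as an added example that is not part of the thread: tun0 is filtered the same way, with the link-local ICMPv6 that neighbor and router discovery need exempted before the anti-transit block (that block would otherwise catch fe80-to-fe80 traffic, since neither end is in the delegated prefix). The prefix 2001:db8:1234::/48 is a placeholder; the interface names are the asker's.

```pf
# pf.conf fragment (added example): IPv6 filtering on a PPP tun0 that only
# carries a link-local address. Replace the placeholder prefix with yours.
ext_if = "tun0"
int_if = "re0"
table <my_nets_v6> { 2001:db8:1234::/48 }   # placeholder delegated prefix

# 1. Neighbor/router discovery between the two ends of the PPP link must
#    pass in both directions, and must be evaluated before the block below.
pass quick on $ext_if inet6 proto icmp6 from fe80::/10 \
    to { fe80::/10, ff02::/16 } \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv }

# 2. Anti-transit: nothing crosses tun0 unless one end is in our prefix.
block return quick on $ext_if inet6 from !<my_nets_v6> to !<my_nets_v6>

# 3. ICMPv6 errors addressed to our hosts must still arrive; "toobig" in
#    particular, or path MTU discovery breaks for every internal host.
pass in quick on $ext_if inet6 proto icmp6 from any to <my_nets_v6> \
    icmp6-type { toobig, unreach, timex, paramprob }

# 4. Default deny inbound on the PPP link (last-match, so the explicit
#    "pass in" rules that anchors load later still override it).
block return in on $ext_if inet6 all

# 5. Everything leaving from our prefix creates state, so replies return.
pass out on $ext_if inet6 from <my_nets_v6> to any keep state tag Q_DFLT

# 6. The internal segment is trusted; re0 is never blocked inbound.
pass on $int_if inet6 all keep state
```

Check the expansion with `pfctl -nvf /etc/pf.conf` before loading it; the braced lists in rules 1 and 3 expand into one rule per element, which is visible in that output.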