From owner-freebsd-ipfw@freebsd.org Thu Jun 20 09:56:06 2019
Subject: Re: Look for an ipfw example using NPTv6
To: freebsd-ipfw@freebsd.org
From: Jan Bramkamp
Message-ID: <3629aeba-61ef-2cce-4971-c3a0ed973765@rlwinm.de>
Date: Thu, 20 Jun 2019 11:55:54 +0200
List-Id: IPFW Technical Discussions

On 18.06.19 22:00, Michael Sierchio wrote:
> I'm looking for a simple firewall example using nptv6 to translate
> link-local addresses to match the prefix assigned by my ISP. I'll be using
> stateful rules and allowing only outbound traffic.
>
> If you have a snippet, I'll be grateful. Thanks.
>

This sounds like you're trying to force IPv6 to behave like IPv4 with longer addresses and just replaced RFC1918 addresses with link local addresses. This isn't going to work because the differences are larger than just the address length. Link local addresses are just what the name says: they are local to the link. A link local address isn't even unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1 on the same host.

In theory you can get very close to NAT between global unicast addresses and private addresses by configuring NPTv6 between global unicast addresses and unique local addresses, but that would be a terrible choice. One of the great advantages of IPv6 is that it removes the address scarcity that forced NAT upon us. Each IPv6 device has as many global IPv6 unicast addresses as required.

Would you feel comfortable describing the constraints shaping your design to us?
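Added example, not from this thread or from ipfw itself: the ULA-to-GUA NPTv6 mapping the reply mentions, implemented in Python after the RFC 6296 algorithm (swap the prefix, then add a one's complement "adjustment" to one word so the transport checksum is unchanged). It makes the reply's two points concrete: the mapping is stateless and one-to-one, so it hides nothing the way stateful IPv4 NAT does, and a link-local address simply has no prefix to translate. The prefixes and addresses (fd00:1:2::/48, 2001:db8:ab::/48 and friends) are constructed sample values.

```python
import ipaddress
from functools import reduce

def oc_add(a, b):
    """One's complement (end-around carry) addition of two 16-bit words."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def oc_sum(words):
    return reduce(oc_add, words, 0)  # one's complement sum, as the TCP/UDP checksum computes it

def words_of(value):
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]  # eight 16-bit words, high first

class Nptv6:
    """Stateless, checksum-neutral prefix translation as described in RFC 6296."""
    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.external.prefixlen != self.internal.prefixlen or self.internal.prefixlen > 64:
            raise ValueError("prefixes must be of equal length and at most /64")
        # adjustment = internal - external over the /64 words of each prefix: adding it to one
        # word of the address cancels the checksum change caused by swapping the prefix
        int_sum = oc_sum(words_of(int(self.internal.network_address))[:4])
        ext_sum = oc_sum(words_of(int(self.external.network_address))[:4])
        self.adjustment = oc_add(int_sum, ~ext_sum & 0xFFFF)

    def _map(self, addr, src, dst, adjustment):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src:  # e.g. a link-local fe80::/10 address: there is no prefix to translate
            raise ValueError(f"{addr} is not inside {src}")
        host_bits = int(addr) & ((1 << (128 - self.internal.prefixlen)) - 1)
        words = words_of(int(dst.network_address) | host_bits)
        # /48 or shorter: adjust the subnet word; longer: the first IID word that is not 0xFFFF
        idx = 3 if self.internal.prefixlen <= 48 else next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None or words[idx] == 0xFFFF:  # RFC 6296 leaves these values unusable
            raise ValueError(f"{addr} cannot be translated reversibly")
        words[idx] = oc_add(words[idx], adjustment)
        if words[idx] == 0xFFFF:  # 0xFFFF and 0x0000 are both zero; store 0x0000 so that
            words[idx] = 0        # the reverse mapping selects the same word
        return ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(words)))

    def to_external(self, addr):
        return self._map(addr, self.internal, self.external, self.adjustment)
    def to_internal(self, addr):
        return self._map(addr, self.external, self.internal, ~self.adjustment & 0xFFFF)

def checksum_neutral(a, b):
    sa, sb = (oc_sum(words_of(int(ipaddress.IPv6Address(x)))) for x in (a, b))
    return sa % 0xFFFF == sb % 0xFFFF  # same pseudo-header contribution; 0x0000 == 0xFFFF here
```

Because every internal address maps to exactly one external address and back, a packet filter is still needed in front of it; the translation itself gives no isolation.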