Date: Sat, 09 Jun 2012 20:45:27 -0700
From: list_freebsd@bluerosetech.com
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 fragments firewall support?
Message-ID: <4FD41857.4010003@bluerosetech.com>
In-Reply-To: <65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
References: <4FD30582.90506@bluerosetech.com> <65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
On 2012-06-09 14:40, Bjoern A. Zeeb wrote:
> You can however unconditionally allow all fragments and trust a (bad)
> end host system:
>
> pass log quick inet6 proto ipv6-frag all

Does ipv6-frag require explicit rules? My rules passing Internet<->LAN traffic intentionally omit protocol specifications, so in theory ipv6-frag should be covered. For example:

pass quick on $lanif from <lan_local> to <lan_local>
pass in quick on $lanif from <lan_global> to any tag LanOut
pass out quick on { $extif4, $extif6 } tagged LanOut
block in quick on $extif6 inet6 from any to <me6>
pass in quick on $extif6 inet6 from any to <lan_global> tag LanIn
pass out quick on $lanif tagged LanIn
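An added illustration of the question above (my own Python, not pf's code and not from anyone in this thread): a toy model of pf's rule ordering, run over the six rules in the mail with a constructed IPv6 fragment. It assumes pf's documented ordering (the last matching rule decides unless a matching rule says quick, and no match means pass) and that a fragment the filter has not reassembled is seen as proto ipv6-frag, so a rule that names no protocol matches it while one that says proto tcp does not. The macro values ($lanif = em0, $extif4 = em1, $extif6 = gif0), the table contents and all addresses are made up.

```python
"""Toy model of pf rule ordering (added example, not pf's code): last match
wins unless 'quick'; no match means pass; an unreassembled IPv6 fragment
presents as proto ipv6-frag.  Interfaces, tables and addresses are constructed."""
import ipaddress
from types import SimpleNamespace

MACROS = {"lanif": ["em0"], "extif4": ["em1"], "extif6": ["gif0"]}   # constructed
TABLES = {"lan_local": ["fe80::/10", "192.168.1.0/24"],               # constructed
          "lan_global": ["2001:db8:1::/64"],
          "me6": ["2001:db8:1::1/128", "2001:db8:ffff::2/128"]}
FIELD = {"proto": "proto", "from": "src", "to": "dst", "tag": "tag", "tagged": "tagged"}

RULES_FROM_MAIL = [
    "pass quick on $lanif from <lan_local> to <lan_local>",
    "pass in quick on $lanif from <lan_global> to any tag LanOut",
    "pass out quick on { $extif4, $extif6 } tagged LanOut",
    "block in quick on $extif6 inet6 from any to <me6>",
    "pass in quick on $extif6 inet6 from any to <lan_global> tag LanIn",
    "pass out quick on $lanif tagged LanIn",
]

def packet(direction, iface, af, proto, src, dst, tag=None):
    """A packet as the filter sees it; 'tag' is one set by an earlier pass rule."""
    return SimpleNamespace(direction=direction, iface=iface, af=af, proto=proto,
                           src=src, dst=dst, tag=tag)

def parse_rule(text):
    """Parse the pf.conf subset used in the mail ($macros, <tables>, tags)."""
    toks = text.replace("{", " ").replace("}", " ").replace(",", " ").split()
    r = SimpleNamespace(action=toks[0], text=text, direction=None, ifaces=[],
                        af=None, proto=None, src="any", dst="any",
                        tag=None, tagged=None, quick=False)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r.direction = t
        elif t == "quick":
            r.quick = True
        elif t in ("inet", "inet6"):
            r.af = t
        elif t == "on":                       # interface list given as $macros
            i += 1
            while i < len(toks) and toks[i].startswith("$"):
                r.ifaces += MACROS[toks[i][1:]]
                i += 1
            continue
        elif t in FIELD:
            i += 1
            setattr(r, FIELD[t], toks[i])
        i += 1                                # "log" and "all" carry no state
    return r

def addr_match(spec, addr):
    """'any', a <table>, or a literal network; mixed families never match."""
    if spec == "any":
        return True
    nets = TABLES[spec.strip("<>")] if spec.startswith("<") else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def rule_matches(r, p):
    """A rule naming no proto matches every protocol, ipv6-frag included."""
    return ((r.direction is None or r.direction == p.direction)
            and (not r.ifaces or p.iface in r.ifaces)
            and (r.af is None or r.af == p.af)
            and (r.proto is None or r.proto == p.proto)
            and (r.tagged is None or r.tagged == p.tag)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst))

def evaluate(rules, p):
    """Return (action, winning rule text or None, resulting tag)."""
    winner = None
    for r in rules:
        if rule_matches(r, p):
            winner = r
            if r.quick:                  # quick ends evaluation at this rule
                break
    if winner is None:                   # pf's implicit default is pass
        return "pass", None, p.tag
    return winner.action, winner.text, winner.tag or p.tag

RULES = [parse_rule(t) for t in RULES_FROM_MAIL]
# Constructed non-first IPv6 fragment arriving from the Internet on $extif6.
FRAG_TO_LAN = packet("in", "gif0", "inet6", "ipv6-frag", "2001:db8:cafe::9", "2001:db8:1::42")

def trace_forwarded_fragment():
    """Decision on the way in (gif0), then on the way out (em0) carrying the tag."""
    action, rule, tag = evaluate(RULES, FRAG_TO_LAN)
    out = packet("out", "em0", "inet6", "ipv6-frag", FRAG_TO_LAN.src, FRAG_TO_LAN.dst, tag)
    return (action, rule), evaluate(RULES, out)[:2]

if __name__ == "__main__":
    print(trace_forwarded_fragment())
    # The same rule with 'proto tcp' added would not see the fragment at all:
    print(rule_matches(parse_rule(
        "pass in quick on $extif6 inet6 proto tcp from any to <lan_global>"), FRAG_TO_LAN))
```

Run as a script it prints the inbound decision (the fifth rule, tag LanIn), the outbound decision on em0 (the sixth rule, selected by the tag), and False for the proto tcp variant. What the model makes visible is the trade-off Bjoern describes: because the protocol-less rules match ipv6-frag, any fragment addressed to <lan_global> is forwarded, and the firewall is relying on the end host's reassembly to deal with whatever the fragments turn out to contain; the block rule for <me6> still covers fragments addressed to the firewall itself.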