From owner-freebsd-pf@FreeBSD.ORG  Sun Jun 10 03:45:39 2012
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 54EDC106566C
	for <freebsd-pf@freebsd.org>; Sun, 10 Jun 2012 03:45:39 +0000 (UTC)
	(envelope-from list_freebsd@bluerosetech.com)
Received: from rush.bluerosetech.com (rush.bluerosetech.com [199.48.134.58])
	by mx1.freebsd.org (Postfix) with ESMTP id 2FDFF8FC0A
	for <freebsd-pf@freebsd.org>; Sun, 10 Jun 2012 03:45:39 +0000 (UTC)
Received: from vivi.cat.pdx.edu (vivi.cat.pdx.edu [IPv6:2610:10:20:214::6])
	by rush.bluerosetech.com (Postfix) with ESMTPSA id E80661142E;
	Sat,  9 Jun 2012 20:45:32 -0700 (PDT)
Received: from [IPv6:2001:470:8643:970:211:43ff:fe70:5826] (unknown
	[IPv6:2001:470:8643:970:211:43ff:fe70:5826])
	by vivi.cat.pdx.edu (Postfix) with ESMTPSA id 06E5D24C5B;
	Sat,  9 Jun 2012 20:45:29 -0700 (PDT)
Message-ID: <4FD41857.4010003@bluerosetech.com>
Date: Sat, 09 Jun 2012 20:45:27 -0700
From: list_freebsd@bluerosetech.com
User-Agent: Mozilla/5.0 (Windows NT 6.1;
	rv:10.0.4) Gecko/20120421 Thunderbird/10.0.4
MIME-Version: 1.0
To: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
References: <4FD30582.90506@bluerosetech.com>
	<65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
In-Reply-To: <65AD7414-BE0E-486A-8FF4-E31E5EFF5B5F@lists.zabbadoz.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 fragments firewall support?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jun 2012 03:45:39 -0000

On 2012-06-09 14:40, Bjoern A. Zeeb wrote:
> You can however unconditionally allow all fragments and trust a (bad)
> end host system:
>
> pass log quick inet6 proto ipv6-frag all

Does ipv6-frag require explicit rules?  My rules passing Internet<->LAN 
traffic intentionally omit protocol specificiations, so in theory 
ipv6-frag should be covered.  For example:

pass quick on $lanif from <lan_local> to <lan_local>
pass in quick on $lanif from <lan_global> to any tag LanOut
pass out quick on { $extif4, $extif6 } tagged LanOut

block in quick on $extif6 inet6 from any to <me6>
pass in quick on $extif6 inet6 from any to <lan_global> tag LanIn
pass out quick on $lanif tagged LanIn