Date: Thu, 10 Apr 2014 12:07:25 +0800 From: Khairil Yusof <khairil.yusof@gmail.com> To: freebsd-pf@freebsd.org Subject: Firewall for IPv6 for ISP PPP connection Message-ID: <CAMkFsdmhf%2BBNN=XfRW8A%2B9c72Jm5B-NkC9xa5kOzexR4iVWjUQ@mail.gmail.com>
I have a home server that also acts as a router/firewall for the home network. re0 is the main network interface connected to the rest of the network, tun0 is the ipv4/ipv6 ppp tunnel connected to the ISP via ppp, and fxp0 is a spare, unused interface.

With ipv4, the rules were straightforward. tun0, the ppp interface, had an external ip and is easily identifiable as the external if. The rules would nat non-local IPs going out via tun0, block incoming tcp via tun0 and set state for all outgoing tcp via tun0.

With ipv6 however, there is no external IPv6 address except link local on the tun0. All the IPv6 assigned addresses, including the one on re0, are now also "external" too. So I can't block re0 in, as that would block all my internal ipv6 network too.

In this ipv6 case, what would be the simplest rule possible, where I would block all incoming ipv6 traffic (except key ones like route discovery) not from the local network, set state for all outgoing and pass in all with state?

Most of the examples I see on the Internet show a dedicated external network interface for their IPv6 connection, which isn't too different from my ipv4 setup with an ext ip on tun0.

I'm guessing that it would be something like:

    block in all inet6 from !$ipv6addr_/64
    pass out all inet6 from !$ipv6addr_/64 keep state

Any pointers would be helpful. I can figure out how to write the rules myself later, but would like to be pointed to the right approach.

Regards
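An added example of the interface-based approach the question is circling around; this is not the poster's ruleset nor anything from the thread. pf matches on the interface a packet crosses, so the missing global address on tun0 does not matter: filter inbound on tun0, let state handle replies, and leave re0 open for the internal /64. The interface names come from the post; the prefix macro, the ICMPv6 type list and the logging are assumptions to adjust for your own link.

```pf
# Assumed pf.conf for a FreeBSD router whose IPv6 arrives over a PPP tunnel
# (tun0) with only a link-local address, while the global /64 sits on re0.
# Check syntax before loading:  pfctl -nf /etc/pf.conf

ext_if = "tun0"          # PPP tunnel to the ISP (link-local only)
int_if = "re0"           # LAN side, carries the delegated /64
lan6   = "2001:db8:1234:1::/64"   # placeholder prefix, replace with yours

set skip on lo0

# Default deny inbound on the tunnel; last matching rule wins, so the
# narrower pass rules below override this one for the traffic they name.
block in log on $ext_if inet6 all

# Essential ICMPv6 from the ISP side: neighbour/router discovery on the
# link-local PPP link, path-MTU (toobig) and error reports. Dropping these
# silently breaks IPv6 even when every TCP rule is correct.
pass in on $ext_if inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, \
    routersol, routeradv, toobig, unreach, timex, paramprob, echoreq }

# Anything the router or the LAN sends out the tunnel creates state,
# so the matching replies are accepted without a separate inbound pass.
pass out on $ext_if inet6 keep state

# Internal segment is trusted: hosts on $lan6 may talk to the router and
# be forwarded out $ext_if (the forwarded packet enters on re0, exits on
# tun0 and picks up state from the rule above).
pass in  on $int_if inet6 from $lan6 keep state
pass out on $int_if inet6 keep state

# Belt and braces: spoofed packets arriving on the tunnel claiming to be
# from the LAN prefix are logged and dropped before any pass rule applies.
block in log quick on $ext_if inet6 from $lan6 to any
```

Keep the `quick` anti-spoof rule above the pass rules in mind when adding later exceptions, since `quick` stops evaluation on match regardless of ordering.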