Date:      Thu, 10 Apr 2014 12:07:25 +0800
From:      Khairil Yusof <khairil.yusof@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Firewall for IPv6 for ISP PPP connection
Message-ID:  <CAMkFsdmhf%2BBNN=XfRW8A%2B9c72Jm5B-NkC9xa5kOzexR4iVWjUQ@mail.gmail.com>

I have a home server that also acts as a router/firewall home network.

re0 is the main network interface connected to the rest of the network.
tun0 is the ipv4/ipv6 ppp tunnel connected to the ISP via ppp.
fxp0 is a spare, unused interface.

With ipv4, the rules were straightforward.

tun0, the ppp interface, had an external IP and is easily identifiable as the
external if.

The rules would nat non-local IPs going out via tun0, block incoming tcp
via tun0 and set state for all outgoing tcp via tun0.

With ipv6 however, there is no external IPv6 address except link local on
the tun0. All the IPv6 assigned addresses including the one on re0 are now
also "external" too.

So I can't block re0 in, as that would block all my internal ipv6 network
too.

In this ipv6 case, what would be the simplest rule possible, where I would
block all incoming ipv6 traffic (except key ones like route discovery) not
from local network, set state for all outgoing and pass in all with state?

Most of the examples I see on the Internet show a dedicated external
network interface for their IPv6 connection, which isn't too different from
my ipv4 setup with ext ip on tun0.

I'm guessing something like this?

block in inet6 from ! $ipv6addr_/64
pass out inet6 from ! $ipv6addr_/64 keep state

Any pointers would be helpful. I can figure out how to write the rules
myself later, but would like to be pointed to the right approach.

Regards
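As an added illustration (not part of the original post or any reply), here is a pf.conf fragment showing the interface-based approach the post is circling around: the absence of a global address on tun0 does not matter, because pf filters on the interface a packet arrives on, so inbound IPv6 on the PPP link can be default-denied while re0 stays open. The interface names come from the post; the macro names, the assumption that the ISP-delegated /64 sits on re0, and the choice of ICMPv6 types (enough for neighbour/router discovery and path-MTU discovery to keep working) are my own.

```pf
# Added example pf.conf fragment, not from the original post.
# Assumes: tun0 = PPP link to the ISP (link-local only), re0 = LAN holding the
# delegated global prefix. Interface is the anchor for policy, not addresses.
ext_if = "tun0"
int_if = "re0"

# ICMPv6 the firewall must let in or IPv6 quietly breaks:
# NDP (neighbrsol/neighbradv, routersol/routeradv), PMTU (toobig),
# plus the usual error types and echo requests for basic diagnostics.
icmp6_types = "{ neighbrsol, neighbradv, routersol, routeradv, toobig, \
                 unreach, timex, paramprob, echoreq }"

set skip on lo0

# Default deny everything arriving from the ISP side. This also covers packets
# addressed to the global address on re0, since they still enter via tun0.
block in log on $ext_if inet6

# Keep neighbour/router discovery and PMTU working across the PPP link.
pass in quick on $ext_if inet6 proto icmp6 icmp6-type $icmp6_types

# Anything we or the LAN originate outward gets state, so replies return.
pass out on $ext_if inet6 keep state

# The LAN side is trusted; tighten here if LAN clients should be limited.
pass on $int_if inet6
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pflog0` (the `log` keyword on the block rule) to see what the ISP side is sending before adding any further `pass in` rules.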


