From owner-freebsd-pf@FreeBSD.ORG Thu Apr 10 04:07:28 2014
Date: Thu, 10 Apr 2014 12:07:25 +0800
Subject: Firewall for IPv6 for ISP PPP connection
From: Khairil Yusof
To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

I have a home server that also acts as a router/firewall for my home network.

re0 is the main network interface, connected to the rest of the network.
tun0 is the IPv4/IPv6 PPP tunnel connected to the ISP via ppp.
fxp0 is a spare, unused interface.

With IPv4, the rules were straightforward. tun0, the PPP interface, had an external IP and was easily identifiable as the external interface. The rules would NAT non-local IPs going out via tun0, block incoming TCP via tun0 and set state for all outgoing TCP via tun0.

With IPv6, however, there is no external IPv6 address on tun0 except the link-local one. All the assigned IPv6 addresses, including the one on re0, are now also "external" too. So I can't block re0 in, as that would block all my internal IPv6 network too.

In this IPv6 case, what would be the simplest rule possible, where I would block all incoming IPv6 traffic (except key ones like route discovery) not from the local network, set state for all outgoing and pass in all with state? Most of the examples I see on the Internet show a dedicated external network interface for their IPv6 connection, which isn't too different from my IPv4 setup with the external IP on tun0.

I'm guessing something like?

    block in all inet6 from !$ipv6addr_/64
    pass out all inet6 from !$ipv6addr_/64 keep state

Any pointers would be helpful. I can figure out how to write the rules myself later, but would like to be pointed to the right approach.

Regards
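An added example of the interface-based approach (not from the post or from anyone on the list): filter on tun0, since everything from the ISP still enters through tun0 whichever interface holds the global address; the /64 prefix, macro names and the ICMPv6 type list are assumptions.

```pf
# Added example pf.conf fragment, not from the original post.
# Interface names follow the post; the prefix below is a placeholder
# that must be replaced with the /64 the ISP actually delegates.
ext_if = "tun0"
int_if = "re0"
lan6   = "2001:db8:1234:5678::/64"

# ICMPv6 needed for path MTU discovery and router/neighbour discovery
icmp6_types = "{ echoreq, unreach, toobig, timex, paramprob, \
                 routersol, routeradv, neighbrsol, neighbradv }"

set skip on lo0

# Everything arriving from the ISP is blocked by default, regardless of
# which local interface carries the destination address.
block in log on $ext_if inet6

# Let the control-plane ICMPv6 through so RAs and PMTUD keep working.
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types

# Outbound from our own prefix creates state; replies come back in via
# the state entry, so no separate "pass in" is needed for them.
pass out on $ext_if inet6 from $lan6 keep state

# The LAN side stays open; re0 is internal even though its address is global.
pass on $int_if inet6 keep state
```

The internal hosts still reach the server's re0 address directly because that traffic never crosses tun0, while the same address reached from the Internet is caught by the block rule on tun0.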