Date: Thu, 10 Apr 2014 12:22:52 -0500
From: CyberLeo Kitsana <cyberleo@cyberleo.net>
To: Khairil Yusof <khairil.yusof@gmail.com>, freebsd-pf@freebsd.org
Subject: Re: Firewall for IPv6 for ISP PPP connection
Message-ID: <5346D36C.6050700@cyberleo.net>
In-Reply-To: <CAMkFsdmhf+BNN=XfRW8A+9c72Jm5B-NkC9xa5kOzexR4iVWjUQ@mail.gmail.com>
References: <CAMkFsdmhf+BNN=XfRW8A+9c72Jm5B-NkC9xa5kOzexR4iVWjUQ@mail.gmail.com>
On 04/09/2014 11:07 PM, Khairil Yusof wrote:
> I have a home server that also acts as a router/firewall for the home network.
>
> re0 is the main network interface connected to the rest of the network.
> tun0 is the ipv4/ipv6 ppp tunnel connected to the ISP via ppp.
> fxp0 is a spare unused interface.
>
> With ipv4, the rules were straightforward.
>
> tun0, the ppp interface, had an external ip and is easily identifiable as the
> external if.
>
> The rules would nat non-local IPs going out via tun0, block incoming tcp
> via tun0 and set state for all outgoing tcp via tun0.
>
> With ipv6 however, there is no external IPv6 address except link local on
> the tun0. All the IPv6 assigned addresses, including the one on re0, are now
> also "external" too.
>
> So I can't block re0 in, as that would block all my internal ipv6 network
> too.
>
> In this ipv6 case, what would be the simplest rule possible, where I would
> block all incoming ipv6 traffic (except key ones like route discovery) not
> from the local network, set state for all outgoing and pass in all with state?
>
> Most of the examples I see on the Internet show a dedicated external
> network interface for their IPv6 connection, which isn't too different from
> my ipv4 setup with ext ip on tun0.
>
> I'm guessing, that something like?
>
> block in all inet6 from !$ipv6addr_/64
> pass out all inet6 from !$ipv6addr_/64 keep state
>
> Any pointers would be helpful, I can figure out how to write the rules
> myself later, but would like to be pointed to the right approach.

Should be able to be handled in pretty much the same way; especially if you have native v6 routing from your ISP: just filter on tun0 instead of gif0. I have a /48 from TunnelBroker, and have assigned the routing subnet to the gif0 interface and distributed the /48 amongst my various internal networks.
Here are the simplified rules I have set up on my gif interface:

----8<----
# Block v6 inbound by default, unless otherwise stated
block return quick on gif0 from !$my_nets_v6 to !$my_nets_v6
block return in on gif0 from any to !(gif0)
pass in on gif0 from any to (gif0)
pass out on gif0 from any to any keep state tag Q_DFLT
----8<----

And then individual rules loaded into anchors control arbitrary inbound access to specific hosts:

----8<----
pass in on gif0 proto tcp from any to $sshgateway_v6 port 22 keep state tag Q_SSH
...
pass in on gif0 proto tcp from any to $loadbalancer_v6 port { 80, 443 } keep state tag Q_BULK
----8<----

Hope this helps!

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net <CyberLeo@CyberLeo.Net>
Furry Peace! - http://www.fur.com/peace/
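As an added illustration (not part of either message in the thread), the ruleset below carries CyberLeo's gif0 pattern over to Khairil's layout: tun0 is the PPP link to the ISP carrying v6 with only a link-local address, re0 is the LAN holding a /64 out of the delegated prefix. The prefix 2001:db8:1234::/48 is a documentation-range placeholder standing in for whatever the ISP delegates, the interface names are the ones from the question, and the "inbound_v6" anchor name is an assumption. The ICMPv6 type names are those documented in pf.conf(5).

```pf
# Added example pf.conf for the tun0/re0 layout from the question; not from the thread.
# 2001:db8:1234::/48 is a placeholder for the ISP-delegated prefix.
ext_if     = "tun0"
int_if     = "re0"
my_nets_v6 = "{ 2001:db8:1234::/48 }"

# Neighbour/router discovery must be accepted on the link that carries them,
# or the PPP link never learns its default route and the LAN never resolves
# the router's address.  toobig is required for path-MTU discovery to work.
nd_types   = "{ routersol, routeradv, neighbrsol, neighbradv }"
err_types  = "{ toobig, timex, paramprob, unreach }"

set skip on lo0
set block-policy return

# Transit traffic (neither from nor to our prefix) never crosses the PPP link,
# and a packet arriving from the ISP claiming our own prefix as source is spoofed.
block return quick on $ext_if inet6 from !$my_nets_v6 to !$my_nets_v6
block drop   quick in on $ext_if inet6 from $my_nets_v6 to any

# Default for the ISP link: nothing in, everything out with state,
# so only replies to our own outbound traffic return.
block in on $ext_if inet6 all
pass  out on $ext_if inet6 all keep state

# Control-plane ICMPv6 that has to pass regardless of state.
pass in quick on $ext_if inet6 proto icmp6 all icmp6-type $nd_types
pass in quick on $ext_if inet6 proto icmp6 all icmp6-type $err_types
pass in quick on $int_if inet6 proto icmp6 all icmp6-type $nd_types

# LAN side: accept only traffic sourced from our prefix (or link-local),
# keeping state so the replies come back in over tun0.
pass in  on $int_if inet6 from { $my_nets_v6, fe80::/10 } to any keep state
pass out on $int_if inet6 all keep state

# Explicit inbound exceptions (the SSH gateway, a web host) go in here,
# loaded with pfctl -a inbound_v6 -f <file>, as in the gif0 example above.
anchor "inbound_v6" in on $ext_if inet6
```

The difference from the v4 setup is only that there is no address on tun0 to match; the interface name does the job of "external" instead. Check the result with `pfctl -nvf /etc/pf.conf` before loading, and watch `pfctl -ss` for states on tun0: an inbound v6 connection that shows up without a matching outbound state, or without a rule in the anchor, is the sign that a pass rule is wider than intended.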