From: CyberLeo Kitsana
To: Khairil Yusof, freebsd-pf@freebsd.org
Date: Thu, 10 Apr 2014 12:22:52 -0500
Subject: Re: Firewall for IPv6 for ISP PPP connection
Message-ID: <5346D36C.6050700@cyberleo.net>

On 04/09/2014 11:07 PM, Khairil Yusof wrote:
> I have a home server that also acts as a router/firewall for the home network.
>
> re0 is the main network interface connected to the rest of the network.
> tun0 is the ipv4/ipv6 ppp tunnel connected to the ISP via ppp.
> fxp0 is a spare unused interface.
>
> With ipv4, the rules were straightforward.
>
> tun0, the ppp interface, had an external IP and is easily identifiable as the
> external if.
>
> The rules would nat non-local IPs going out via tun0, block incoming tcp
> via tun0 and set state for all outgoing tcp via tun0.
>
> With ipv6 however, there is no external IPv6 address except link local on
> the tun0. All the IPv6 assigned addresses, including the one on re0, are now
> also "external" too.
>
> So I can't block re0 in, as that would block all my internal ipv6 network
> too.
>
> In this ipv6 case, what would be the simplest rule possible, where I would
> block all incoming ipv6 traffic (except key ones like route discovery) not
> from the local network, set state for all outgoing and pass in all with state?
>
> Most of the examples I see on the Internet show a dedicated external
> network interface for their IPv6 connection, which isn't too different from
> my ipv4 setup with an ext ip on tun0.
>
> I'm guessing something like:
>
> block in all inet6 from !$ipv6addr_/64
> pass out all inet6 from !$ipv6addr_/64 keep state
>
> Any pointers would be helpful. I can figure out how to write the rules
> myself later, but would like to be pointed to the right approach.

Should be able to be handled in pretty much the same way, especially if you
have native v6 routing from your ISP: just filter on tun0 instead of gif0.

I have a /48 from TunnelBroker, and have assigned the routing subnet to the
gif0 interface and distributed the /48 amongst my various internal networks.

The simplified rules I have set up on my gif interface are as follows:

----8<----
# Block v6 inbound by default, unless otherwise stated
block return quick on gif0 from !$my_nets_v6 to !$my_nets_v6
block return in on gif0 from any to !(gif0)
pass in on gif0 from any to (gif0)
pass out on gif0 from any to any keep state tag Q_DFLT
----8<----

And then individual rules loaded into anchors control arbitrary inbound
access to specific hosts:

----8<----
pass in on gif0 proto tcp from any to $sshgateway_v6 port 22 keep state tag Q_SSH
...
pass in on gif0 proto tcp from any to $loadbalancer_v6 port { 80, 443 } keep state tag Q_BULK
----8<----

Hope this helps!

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net

Furry Peace! - http://www.fur.com/peace/
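An added example, not part of the thread or CyberLeo's own ruleset: the gif0 pattern above carried over to Khairil's layout, where tun0 is the PPP link holding only a link-local address and re0 carries the delegated prefix. The prefix, the ssh gateway address and the ordering of the neighbour-discovery rule ahead of the anti-spoof rule are my assumptions; the tun0, re0, $my_nets_v6 and $sshgateway_v6 names come from the thread.

```pf
# Added example (not from the thread): CyberLeo's gif0 rules adapted to a
# PPP link (tun0, link-local only) with the delegated prefix on re0.
ext_if = "tun0"
int_if = "re0"
# Placeholder: substitute the prefix the ISP actually delegates.
my_nets_v6 = "2001:db8:1234::/48"
# Placeholder host for the selective-inbound rule at the bottom.
sshgateway_v6 = "2001:db8:1234:1::22"

# Neighbour discovery and router advertisements travel between link-local
# addresses on both interfaces. They must pass before the anti-spoof rule
# below, which would otherwise drop them as "foreign to foreign".
pass quick inet6 proto ipv6-icmp from fe80::/10 \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv }

# ICMPv6 errors from the path (PMTU, unreachable) must reach our hosts,
# or large transfers stall instead of failing cleanly.
pass in quick on $ext_if inet6 proto ipv6-icmp to $my_nets_v6 \
    icmp6-type { unreach, toobig, timex, paramprob }

# Nothing on the PPP link may be both from and to a foreign address: this
# refuses transit and stops a LAN host sending with a forged source.
block return quick on $ext_if inet6 from !$my_nets_v6 to !$my_nets_v6

# Nobody outside is allowed to claim our own prefix as a source.
block return in quick on $ext_if inet6 from $my_nets_v6

# Default deny inbound on the PPP link; re0 stays open, as the question
# asked, since the LAN hosts are reached only through these tun0 rules.
block return in on $ext_if inet6

# Outbound from our prefix gets state so replies are matched, not filtered.
pass out on $ext_if inet6 from $my_nets_v6 to any keep state

# Selective inbound, in the style of the anchor rules in the reply.
pass in on $ext_if inet6 proto tcp from any to $sshgateway_v6 port 22 \
    keep state tag Q_SSH
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and with `pfctl -sr` afterwards to confirm the neighbour-discovery rule sits above the quick anti-spoof block.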