From owner-freebsd-doc@FreeBSD.ORG Thu May 10 18:00:18 2007
Date: Thu, 10 May 2007 19:35:57 +0200 (CEST)
From: Janos Mohacsi
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: docs/112579: No ipv6 related pf examples in /usr/share/examples/pf
Message-Id: <200705101735.l4AHZvkh003374@scone.ki.iif.hu>
Resent-Date: Thu, 10 May 2007 18:00:12 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-doc@FreeBSD.org
List-Id: Documentation project

>Number:         112579
>Category:       docs
>Synopsis:       No ipv6 related pf examples in /usr/share/examples/pf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 10 18:00:11 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Janos Mohacsi
>Release:        FreeBSD 6.2-STABLE i386
>Organization:   NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386
>Description:
There are no IPv6-related examples in /usr/share/examples/pf, although pf has supported IPv6 since the beginning. Filtering ICMPv6 packets should be considered more carefully; therefore I enclose 3 sample configurations to be included in /usr/share/examples/pf.
>How-To-Repeat:
Look at /usr/share/examples/pf
Test attached sample configs.
>Fix:

--- pf_ipv6host.conf.txt begins here ---
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# CHANGE to your network interface card!!!
ext_if="fxp0"

# block everything
block in log all
block out log all

# allow everything for loopback
pass in quick on lo0 all
pass out quick on lo0 all

# allow all outgoing packets
pass out quick proto tcp from $ext_if to any keep state
pass out quick proto udp from $ext_if to any keep state
pass out quick inet proto icmp from $ext_if to any keep state
pass out quick proto ipv6-icmp from any to any keep state

# ICMPv6 is much less of an auxiliary protocol in IPv6 than ICMP is in IPv4.
# See RFC 4890 for a more detailed treatment.
# supported icmp6-types:
#   unreach      1   Destination unreachable
#   toobig       2   Packet too big
#   timex        3   Time exceeded
#   paramprob    4   Parameter problem
#   echoreq      128 Echo request
#   echorep      129 Echo reply
#   groupqry     130 ICMPv6 membership query
#   listqry      130 MLD listener query
#   grouprep     131 ICMPv6 membership report
#   listenrep    131 MLD listener report
#   groupterm    132 ICMPv6 membership termination
#   listendone   132 MLD listener done
#   routersol    133 ND router solicitation
#   routeradv    134 ND router advertisement
#   neighbrsol   135 ND neighbor solicitation
#   neighbradv   136 ND neighbor advertisement
#   redir        137 ND redirection
#   routerrenum  138 ICMPv6 router renumbering
#   wrureq       139 Who are you request
#   wrurep       140 Who are you reply
#   fqdnreq      139 ICMPv6 fully qualified domain name query
#   fqdnrep      140 ICMPv6 fully qualified domain name reply
#   nireq        139 Neighbor information query
#   nirep        140 Neighbor information reply
#   mtraceresp   200 MLD multicast trace response
#   mtrace       201 MLD multicast trace
#
# Allow all incoming icmpv6 packets
# (comment this rule out if you enable the restrictive rule below it)
pass in quick proto ipv6-icmp from any to any
# Allow only the bare essential icmpv6 packets (NS, NA, and RA)
#pass in quick inet6 proto ipv6-icmp from any to any icmp6-type {neighbradv,neighbrsol,routeradv}

# enable SSH access
pass in quick proto tcp from any to any port = 22
--- pf_ipv6host.conf.txt ends here ---

--- pf_noserver_ipv6.conf.txt begins here ---
# external interface
EXT = "bge0"
# internal LAN interface
LAN = "bge1"
# IPv4 address of LAN interface
LANip4 = "192.168.1.1"
# IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
# IPv4 address of external interface
EXTip4 = "192.168.2.1"
# IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
# IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
# IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::/64"
# loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"

# expire state connections early
set optimization aggressive

block in log all

# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port = domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port = domain keep state
# all TCP requests allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping requests allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND solicitation out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# router advertisement out (this box is the router for the LAN)
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS requests inside
pass in on $LAN inet proto udp from $LANnet4 to any port = domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port = domain
# TCP requests inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP (ping) requests inside
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq
--- pf_noserver_ipv6.conf.txt ends here ---

--- pf_www_ssh_server_ipv6.conf.txt begins here ---
# external interface
EXT = "bge0"
# internal LAN interface
LAN = "bge1"
# IPv4 address of LAN interface
LANip4 = "192.168.1.1"
# IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
# IPv4 address of external interface
EXTip4 = "192.168.2.1"
# IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
# IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
# IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::/64"
# loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"
# internal server addresses (both must lie inside the LAN prefixes above)
LANSRV6 = "2001:db8:1:1::2"
LANSRV4 = "192.168.1.2"

# expire state connections early
set optimization aggressive

block in log all

# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port = domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port = domain keep state
# all TCP requests allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping requests allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND solicitation out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# router advertisement out (this box is the router for the LAN)
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS requests inside
pass in on $LAN inet proto udp from $LANnet4 to any port = domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port = domain
# TCP requests inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP (ping) requests inside
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq

# allow incoming connections to the SSH server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port = 22 keep state
pass in on $EXT inet proto tcp from any to $LANSRV4 port = 22 keep state
# all replies from the SSH server (not strictly necessary)
pass in on $LAN inet6 proto tcp from $LANSRV6 port = 22 to any keep state
pass in on $LAN inet proto tcp from $LANSRV4 port = 22 to any keep state
# allow incoming connections to the WWW server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port = www keep state
pass in on $EXT inet proto tcp from any to $LANSRV4 port = www keep state
# all replies from the WWW server (not strictly necessary)
pass in on $LAN inet6 proto tcp from $LANSRV6 port = www to any keep state
pass in on $LAN inet proto tcp from $LANSRV4 port = www to any
--- pf_www_ssh_server_ipv6.conf.txt ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
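As an added example that is not part of this PR or of the submitter's files: the commented-out "bare essential" rule in pf_ipv6host.conf admits only NS, NA and RA, which also drops Packet Too Big and the other ICMPv6 error messages and so breaks path MTU discovery for the host; the fragment below replaces that single rule with the set RFC 4890 (already cited in the config) says a host must not filter. It assumes the same pf_ipv6host.conf ruleset (its "block in log all" and quick-style rules) and uses only the icmp6-type keywords from the config's own table.

```pf
# Drop-in replacement for "pass in quick proto ipv6-icmp from any to any"
# in pf_ipv6host.conf; the surrounding "block in log all" still catches
# every ICMPv6 type not listed here (redirects, renumbering, node
# information queries, multicast traces).

# ICMPv6 error messages. "toobig" carries the path MTU; without it TCP
# sessions over a smaller-MTU path stall instead of adapting.
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type { unreach, toobig, timex, paramprob }

# Echo request: answering pings is expected host behaviour per RFC 4890.
# Echo replies to our own pings are matched by the state created by the
# "pass out quick proto ipv6-icmp ... keep state" rule in the config.
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type echoreq keep state

# Neighbor Discovery: NS/NA for address resolution and DAD, RA so the host
# learns its default router and autoconfigures a global address.
# Router solicitations (routersol) only need to be accepted on a router,
# so they stay blocked on this host.
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type { neighbrsol, neighbradv, routeradv }

# MLD listener queries: the host is always a member of its solicited-node
# multicast groups; a switch doing MLD snooping prunes those groups when
# the host stops answering queries, which silently breaks ND.
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type listqry
```

Load the ruleset with "pfctl -nf pf.conf" first, which parses it without installing it, so a misspelled icmp6-type keyword is caught before the rules go live.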