Date: Thu, 10 May 2007 19:35:57 +0200 (CEST)
From: Janos Mohacsi <mohacsi@niif.hu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: docs/112579: No ipv6 related pf examples in /usr/share/examples/pf
Message-ID: <200705101735.l4AHZvkh003374@scone.ki.iif.hu>
Resent-Message-ID: <200705101800.l4AI0BIj025865@freefall.freebsd.org>
>Number:         112579
>Category:       docs
>Synopsis:       No ipv6 related pf examples in /usr/share/examples/pf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 10 18:00:11 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Janos Mohacsi
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386
>Description:
There are no IPv6-related examples in /usr/share/examples/pf, although pf has supported IPv6 since the beginning. Filtering ICMPv6 packets should be considered more carefully; therefore I enclose 3 sample configurations to be included in /usr/share/examples/pf.
>How-To-Repeat:
Look at /usr/share/examples/pf. Test the attached sample configs.
>Fix:
--- pf_ipv6host.conf.txt begins here ---
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# CHANGE to your network interface card!!!
ext_if="fxp0"

# block everything
block in log all
block out log all

# allow everything for loopback
pass in quick on lo0 all
pass out quick on lo0 all

# allow all outgoing packets
pass out quick proto tcp from $ext_if to any keep state
pass out quick proto udp from $ext_if to any keep state
pass out quick inet proto icmp from $ext_if to any keep state
pass out quick proto ipv6-icmp from any to any keep state

# ICMPv6 is much less of an auxiliary protocol in IPv6 than ICMP is in IPv4:
# neighbor discovery and path MTU discovery depend on it.
# See RFC 4890 for a more detailed treatment.
#
# supported icmp6-types:
# unreach      1    Destination unreachable
# toobig       2    Packet too big
# timex        3    Time Exceeded
# paramprob    4    Parameter problem
# echoreq      128  Echo Request
# echorep      129  Echo Reply
# groupqry     130  ICMPv6 Membership query
# listqry      130  MLD listener query
# grouprep     131  ICMPv6 membership report
# listenrep    131  MLD listener report
# groupterm    132  ICMPv6 membership termination
# listendone   132  MLD listener done
# routersol    133  ND router solicitation
# routeradv    134  ND router advertisement
# neighbrsol   135  ND neighbor solicitation
# neighbradv   136  ND neighbor advertisement
# redir        137  ND redirection
# routerrenum  138  ICMPv6 router renumbering
# wrureq       139  Who are you request
# wrurep       140  Who are you reply
# fqdnreq      139  ICMPv6 Fully Qualified Domain Name Query
# fqdnrep      140  ICMPv6 Fully Qualified Domain Name Reply
# nireq        139  Neighbor Information Query
# nirep        140  Neighbor Information Reply
# mtraceresp   200  MLD Multicast trace response
# mtrace       201  MLD Multicast trace
#
# Allow all incoming icmpv6 packets
pass in quick proto ipv6-icmp from any to any
# Allow only the bare essential icmpv6 packets (NS, NA, and RA)
#pass in quick inet6 proto ipv6-icmp from any to any icmp6-type {neighbradv, neighbrsol, routeradv}

# allow SSH access
pass in quick proto tcp from any to any port = 22 keep state
--- pf_ipv6host.conf.txt ends here ---

--- pf_noserver_ipv6.conf.txt begins here ---
# external interface
EXT = "bge0"
# internal LAN interface
LAN = "bge1"
# IPv4 address of LAN interface
LANip4 = "192.168.1.1"
# IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
# IPv4 address of external interface
EXTip4 = "192.168.2.1"
# IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
# IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
# IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::/64"
# loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"

# expire state connections early
set optimization aggressive

block in log all

# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port = domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port = domain keep state
# all TCP requests allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping requests allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND solicitation and advertisement out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND solicitation and advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# router advertisement out (towards the LAN)
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in (from the LAN)
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS requests from inside
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain
# TCP requests from inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP echo requests from inside
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq
--- pf_noserver_ipv6.conf.txt ends here ---

--- pf_www_ssh_server_ipv6.conf.txt begins here ---
# external interface
EXT = "bge0"
# internal LAN interface
LAN = "bge1"
# IPv4 address of LAN interface
LANip4 = "192.168.1.1"
# IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
# IPv4 address of external interface
EXTip4 = "192.168.2.1"
# IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
# IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
# IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::/64"
# loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"
# internal server addresses (inside the LAN prefixes)
LANSRV6 = "2001:db8:1:1::2"
LANSRV4 = "192.168.1.2"

# expire state connections early
set optimization aggressive

block in log all

# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port = domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port = domain keep state
# all TCP requests allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping requests allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND solicitation and advertisement out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND solicitation and advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# router advertisement out (towards the LAN)
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in (from the LAN)
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS requests from inside
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain
# TCP requests from inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP echo requests from inside
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq

# allow incoming connections to the SSH server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port = 22 keep state
pass in on $EXT inet proto tcp from any to $LANSRV4 port = 22 keep state
# replies from the SSH server (not strictly necessary; the state entries above already match them)
pass in on $LAN inet6 proto tcp from $LANSRV6 port = 22 to any keep state
pass in on $LAN inet proto tcp from $LANSRV4 port = 22 to any keep state
# allow incoming connections to the WWW server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port = www keep state
pass in on $EXT inet proto tcp from any to $LANSRV4 port = www keep state
# replies from the WWW server (not strictly necessary; the state entries above already match them)
pass in on $LAN inet6 proto tcp from $LANSRV6 port = www to any keep state
pass in on $LAN inet proto tcp from $LANSRV4 port = www to any keep state
--- pf_www_ssh_server_ipv6.conf.txt ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
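The commented-out "bare essential" rule in pf_ipv6host.conf admits only NS, NA and RA inbound, which also drops the ICMPv6 error messages (Packet Too Big among them) that RFC 4890 section 4.3.1 says must not be filtered, so path MTU discovery breaks. The audit script below is an added example, not part of the PR or of the FreeBSD examples: it parses "pass in" rules written in the style of these configs (macros are not expanded) and reports which must-not-drop types a host ruleset blocks. STRICT and FIXED are constructed rulesets.

```python
import re

# icmp6-type names from pf.conf(5), the same table the PR quotes.
ICMP6_TYPES = {
    "unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4,
    "echoreq": 128, "echorep": 129, "listqry": 130, "listenrep": 131,
    "listendone": 132, "routersol": 133, "routeradv": 134,
    "neighbrsol": 135, "neighbradv": 136, "redir": 137,
}
# Types a host firewall must not drop: error messages (RFC 4890 4.3.1)
# and the neighbor discovery messages a host receives (RFC 4890 4.4.1).
REQUIRED = {1: "unreach", 2: "toobig", 3: "timex", 4: "paramprob",
            134: "routeradv", 135: "neighbrsol", 136: "neighbradv"}

PASS_IN = re.compile(r"^\s*pass\s+in\b(?P<body>.*)$")
PROTO = re.compile(r"\bproto\s+(ipv6-icmp|icmp6)\b")
TYPES = re.compile(r"icmp6-type\s+(?:\{([^}]*)\}|(\S+))")

def allowed_icmp6_types(ruleset):
    """Numeric ICMPv6 types admitted by the 'pass in' rules of a ruleset.
    A pass rule without an icmp6-type clause admits every type."""
    allowed = set()
    for line in ruleset.splitlines():
        line = line.split("#", 1)[0]            # drop trailing comments
        m = PASS_IN.match(line)
        if not m or not PROTO.search(m["body"]):
            continue
        t = TYPES.search(m["body"])
        if t is None:
            allowed.update(range(256))
            continue
        names = (t.group(1) or t.group(2)).replace(",", " ").split()
        allowed.update(ICMP6_TYPES.get(n) or int(n) for n in names)
    return allowed

def missing_required(ruleset):
    """Names of must-not-drop types the ruleset blocks, in type order."""
    allowed = allowed_icmp6_types(ruleset)
    return [REQUIRED[n] for n in sorted(REQUIRED) if n not in allowed]

# Constructed rulesets: the PR's strict host rule, and one that also
# admits the error messages path MTU discovery depends on.
STRICT = """block in log all
pass in quick inet6 proto ipv6-icmp from any to any icmp6-type {neighbradv,neighbrsol,routeradv}
"""
FIXED = STRICT + ("pass in quick inet6 proto ipv6-icmp from any to any "
                  "icmp6-type {unreach, toobig, timex, paramprob}\n")

if __name__ == "__main__":
    print("strict blocks:", missing_required(STRICT))
    print("fixed blocks: ", missing_required(FIXED))
```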