Date:      Thu, 4 Aug 2011 15:47:21 +0200 (CEST)
From:      Mohacsi Janos <mohacsi@niif.hu>
To:        Michael Proto <mike@jellydonut.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: IPv6 config for PF
Message-ID:  <alpine.BSF.2.00.1108041546240.92591@mignon.ki.iif.hu>
In-Reply-To: <CAGAnWo2LKWZ8hizQEE6nSye6ouJLLiC7CtbFhTBeOG=jbD0uEg@mail.gmail.com>
References:  <CAFYLaXP9_7ssKeDUN1dnvFGA3K0bDAWhvQ1oskGvH4W9jQLgWQ@mail.gmail.com> <CAGAnWo2LKWZ8hizQEE6nSye6ouJLLiC7CtbFhTBeOG=jbD0uEg@mail.gmail.com>




On Mon, 1 Aug 2011, Michael Proto wrote:

> On Fri, Jul 29, 2011 at 8:11 PM, Chris <behrnetworks@gmail.com> wrote:
>> Hello,
>>
>> I'm having a heck of a time trying to get PF to work with IPv6 on a
>> few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a
>> sample ruleset they can share
>> for a server system that has a few services exposed?
>>
>
> I'm running pf w/ IPv6 on a FreeBSD gateway, not an actual server, but
> these rules might help you with your server as well (I also had a heck
> of a time getting all RA/NDP services working until I fixed this
> ruleset). The biggest gotcha for me was ensuring that link-local and
> multicast was allowed to/from hosts on my LAN.
>
> Here's a subset of what I had to apply in my ruleset:
>
> 6lan = "2001:1111:2222::1/64"
> table <v6local> { fe80::/10, ff01::/8, ff02::/8 }
>
> pass  in  quick on $lan inet6 from { $6lan, <v6local> }
> pass  out quick on $lan inet6 to { $6lan, <v6local> }
>
>
> As this is my internal network, I allow all traffic here and then filter
> incoming/outgoing ports and whatnot on my WAN interface, but hopefully
> you get the general idea.

It can be slightly more strict: RA/NDP is using ICMPv6.
 	Regards,
 		Janos Mohacsi

>
>
> -Proto

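One way to write the stricter, ICMPv6-only rules suggested in the reply above, as an added example that is not part of the original thread. The interface name `em1` is an assumption; the rules are written for the LAN side of a gateway like the one in the quoted ruleset, and the icmp6-type names are the ones documented in pf.conf(5).

```pf
# Added example, not from the original thread.
lan = "em1"                      # assumed LAN interface name

# Neighbor Discovery proper: every IPv6 node on the link needs these in
# both directions. Solicitations sent for duplicate address detection come
# from the unspecified address, so the source is left as "any".
pass in  quick on $lan inet6 proto icmp6 from any to any \
        icmp6-type { neighbrsol, neighbradv }
pass out quick on $lan inet6 proto icmp6 from any to any \
        icmp6-type { neighbrsol, neighbradv }

# Router Discovery, gateway side: hosts solicit, the gateway advertises.
# Advertisements are sourced from the router's link-local address.
pass in  quick on $lan inet6 proto icmp6 from any to any \
        icmp6-type routersol
pass out quick on $lan inet6 proto icmp6 from fe80::/10 to any \
        icmp6-type routeradv

# On a server that only consumes RAs, the last two rules are reversed:
#   pass out ... icmp6-type routersol
#   pass in  ... from fe80::/10 ... icmp6-type routeradv

# ICMPv6 error messages that IPv6 depends on (path MTU discovery needs
# toobig), plus echo for troubleshooting.
pass in  quick on $lan inet6 proto icmp6 from any to any \
        icmp6-type { unreach, toobig, timex, paramprob, echoreq }
pass out quick on $lan inet6 proto icmp6 from any to any \
        icmp6-type { unreach, toobig, timex, paramprob, echoreq }
```

The file can be syntax-checked without loading it using `pfctl -nf`.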

