From: Mohacsi Janos
Date: Thu, 4 Aug 2011 15:47:21 +0200 (CEST)
To: Michael Proto
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 config for PF

On Mon, 1 Aug 2011, Michael Proto wrote:

> On Fri, Jul 29, 2011 at 8:11 PM, Chris wrote:
>> Hello,
>>
>> I'm having a heck of a time trying to get PF to work with IPv6 on a
>> few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a
>> sample ruleset they can share
>> for a server system that has a few services exposed?
>>
>
> I'm running pf w/ IPv6 on a FreeBSD gateway, not an actual server, but
> these rules might help you with your server as well (I also had a heck
> of a time getting all RA/NDP services working until I fixed this
> ruleset). The biggest gotcha for me was ensuring that link-local and
> multicast was allowed to/from hosts on my LAN.
>
> Here's a subset of what I had to apply in my ruleset:
>
> 6lan = "2001:1111:2222::1/64"
> table { fe80::/10, ff01::/8, ff02::/8 }
>
> pass in quick on $lan inet6 from { $6lan, }
> pass out quick on $lan inet6 to { $6lan, }
>
>
> As this is my internal network, I allow all traffic here and then filter
> incoming/outgoing ports and whatnot on my WAN interface, but hopefully
> you get the general idea.

It can be slightly more strict: RA/NDP is using ICMPv6.

Regards,
Janos Mohacsi

>
>
> -Proto
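
The stricter form suggested in the reply, as an added pf.conf sketch that is not part of the original thread: the link-local and multicast rules are limited to the ICMPv6 message types that NDP and router advertisements use. The interface name `em0`, the `ndp_types` macro, the narrowing of multicast to `ff02::/16`, and the `::/128` source for duplicate address detection are assumptions of this example.

```pf
# Added example, not from the thread: limit the link-local/multicast
# rules to the ICMPv6 messages that NDP and RA actually need.

lan  = "em0"                    # assumed LAN interface name
6lan = "2001:1111:2222::1/64"   # example prefix quoted in the thread

# Router solicitation/advertisement and neighbor solicitation/advertisement.
ndp_types = "{ routersol, routeradv, neighbrsol, neighbradv }"

# Broad form from the thread (all protocols), shown for comparison:
#   pass in  quick on $lan inet6 from { $6lan, fe80::/10, ff02::/8 }
#   pass out quick on $lan inet6 to   { $6lan, fe80::/10, ff02::/8 }

# Stricter form: ICMPv6 only, NDP/RA types only.
# Sources: link-local, the LAN prefix, and :: (used by duplicate
# address detection probes). Destinations: link-local, the LAN prefix,
# and link-local scope multicast (all-nodes, all-routers, solicited-node).
pass in quick on $lan inet6 proto ipv6-icmp \
    from { fe80::/10, $6lan, ::/128 } \
    to   { fe80::/10, $6lan, ff02::/16 } \
    icmp6-type $ndp_types

# Both directions need an explicit rule: a neighbor advertisement is sent
# from the target's unicast address, not from the multicast group the
# solicitation went to, so it does not match the solicitation's state.
pass out quick on $lan inet6 proto ipv6-icmp \
    from { fe80::/10, $6lan, ::/128 } \
    to   { fe80::/10, $6lan, ff02::/16 } \
    icmp6-type $ndp_types
```

Parse the file with `pfctl -nf` before loading it. Any other IPv6 traffic on the interface then needs its own pass rules.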