From: John <tech-lists@zyxst.net>
To: freebsd-pf@freebsd.org
Subject: PF advice for IPv6-only machine (freebsd-12)
Date: Sun, 14 Aug 2016 19:18:40 +0100
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello list,

This is my first attempt at creating a PF IPv6-only firewall. Please can anyone look at it and offer any suggestions? It seems to work (in that if services are removed from the macro, they're no longer accessible from the outside), but I'm not sure that I've done Everything Right (tm) and that there aren't some silly mistakes, like redundant statements.

I'd like to silently drop connection attempts to ports where there are no services, like one can do on IPv4 with blackhole(4), but I haven't a clue how to do it on IPv6 with PF - is there a way?

### begins
# macros
ext_if = "msk0"
services = "{ 22, 3022 }"
# icmp_types is IPv4-only and is not used on an IPv6-only host; icmp6_types is
# defined but not referenced by any rule below
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol, routeradv, routersol }"

# options
set skip on lo
# 'return' answers blocked connections with a TCP RST / ICMPv6 unreachable;
# 'drop' (the default) discards them silently
set block-policy return
set state-policy if-bound
set loginterface $ext_if

# normalisation (the macro has to be referenced as $ext_if, not ext_if)
scrub in on $ext_if all fragment reassemble

# filter rules: default deny inbound, allow everything outbound
block in log all
pass out all

# keep alive rules: protocol 41 is IPv6 encapsulated in IPv4 (6in4 tunnels)
pass out log quick proto 41 from ($ext_if) to any keep state
pass in log quick proto 41 from any to ($ext_if) keep state

# allow heartbeat ping: this passes every ICMPv6 type, not only those in $icmp6_types
pass in log quick on $ext_if inet6 proto ipv6-icmp from any to any keep state

# pass tcp services
pass in quick on $ext_if inet6 proto tcp from any to any port $services
### ends

many thanks,
-- 
J.
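An added pre-check for the kind of "silly mistakes" the post asks about (example code written for this page; it is not the poster's own and not part of FreeBSD or pfctl). It embeds a copy of the ruleset above, plus a corrected variant that assumes an IPv6-only box needs no 6in4 tunnel (so the protocol-41 rules are dropped) and that the icmp6_types macro was meant to restrict the ICMPv6 rule; the lint_pf_conf, logical_lines, POSTED_CONF and CORRECTED_CONF names are mine. It flags macros that are defined but never used, $name references that are never defined, a macro name written without $ (as in "scrub in on ext_if", which pf reads as a literal interface called ext_if), and "set block-policy return", which is the opposite of the silent drop asked about: with pf, "block drop" (the default policy) is what discards without answering.

```python
"""Static pre-check for common pf.conf macro mistakes.

Added example, not the poster's code and not part of FreeBSD/pfctl.  It does
not parse pf grammar; 'pfctl -nf file' remains the authoritative check.
"""
import re

# Constructed copy of the ruleset from the post (line numbers start at 1).
POSTED_CONF = r"""# macros
ext_if = msk0
services = "{ 22, 3022 }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol,\
    routeradv, routersol }"

set skip on lo
set block-policy return
set state-policy if-bound
set loginterface $ext_if

scrub in on ext_if all fragment reassemble

# filter rules
block in log all
pass out all

# keep alive rules
pass out log quick proto 41 from ($ext_if) to any keep state
pass in log quick proto 41 from any to ($ext_if) keep state

# allow heartbeat ping
pass in log quick on $ext_if inet6 proto { ipv6-icmp } from any to \
    any keep state

# pass tcp services
pass in quick on $ext_if inet6 proto tcp from any to any port $services
"""

# Corrected variant (assumption: no 6in4 tunnel, ICMPv6 limited to the macro).
CORRECTED_CONF = r"""ext_if = "msk0"
services = "{ 22, 3022 }"
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol, routeradv, routersol }"

set skip on lo
set block-policy drop
set state-policy if-bound
set loginterface $ext_if

scrub in on $ext_if all fragment reassemble

block in log all
pass out all

# NDP (neighbr*/router*) must stay open or the link stops working
pass in log quick on $ext_if inet6 proto ipv6-icmp from any to any icmp6-type $icmp6_types keep state
pass in quick on $ext_if inet6 proto tcp from any to any port $services
"""

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$')
MACRO_USE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def logical_lines(text):
    """Return (first_line_no, text) pairs with '#' comments removed and
    backslash-newline continuations joined, as pfctl's lexer does."""
    out, buf, start = [], '', None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()   # assumes no '#' inside quotes
        if start is None:
            start = n
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        buf += line
        if buf.strip():
            out.append((start, ' '.join(buf.split())))
        buf, start = '', None
    if buf.strip():
        out.append((start, ' '.join(buf.split())))
    return out


def lint_pf_conf(text):
    """Return (code, line_no, message) findings in file order; [] if clean."""
    lines = logical_lines(text)
    defs, uses, findings = {}, {}, []
    for n, line in lines:
        m = MACRO_DEF.match(line)
        if m:
            defs.setdefault(m.group(1), n)
        for name in MACRO_USE.findall(line):      # also counts uses inside macro values
            uses.setdefault(name, n)
    for name, n in defs.items():
        if name not in uses:
            findings.append(('unused-macro', n, f"macro '{name}' is defined but never referenced"))
    for name, n in uses.items():
        if name not in defs:
            findings.append(('undefined-macro', n, f"'${name}' is referenced but never defined"))
    for n, line in lines:
        if MACRO_DEF.match(line):
            continue
        for tok in re.split(r'[\s(){},]+', line):
            if tok in defs:
                findings.append(('bare-macro', n,
                                 f"'{tok}' used without '$'; pf reads it as a literal interface/host name"))
        if re.match(r'set\s+block-policy\s+return\b', line):
            findings.append(('block-policy-return', n,
                             "blocked packets are answered with RST/ICMPv6 unreachable; "
                             "use 'drop' (the default) to discard silently"))
    findings.sort(key=lambda f: f[1])
    return findings


if __name__ == '__main__':
    for code, n, msg in lint_pf_conf(POSTED_CONF):
        print(f"line {n}: {code}: {msg}")
```

Running it on the posted ruleset reports the two unused ICMP macros, the "block-policy return" setting and the bare "ext_if" in the scrub rule; the corrected variant comes back clean. On the box itself, follow up with "pfctl -nf /etc/pf.conf" to let pf's own parser check the syntax, and "pfctl -vnf /etc/pf.conf" to see the rules with macros expanded.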