Date: Mon, 1 Aug 2011 12:12:20 -0400
From: Michael Proto <mike@jellydonut.org>
To: freebsd-pf@freebsd.org
Subject: Re: IPv6 config for PF
Message-ID: <CAGAnWo2LKWZ8hizQEE6nSye6ouJLLiC7CtbFhTBeOG=jbD0uEg@mail.gmail.com>
In-Reply-To: <CAFYLaXP9_7ssKeDUN1dnvFGA3K0bDAWhvQ1oskGvH4W9jQLgWQ@mail.gmail.com>
References: <CAFYLaXP9_7ssKeDUN1dnvFGA3K0bDAWhvQ1oskGvH4W9jQLgWQ@mail.gmail.com>

On Fri, Jul 29, 2011 at 8:11 PM, Chris <behrnetworks@gmail.com> wrote:
> Hello,
>
> I'm having a heck of a time trying to get PF to work with IPv6 on a
> few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a
> sample ruleset they can share
> for a server system that has a few services exposed?
>

I'm running pf w/ IPv6 on a FreeBSD gateway, not an actual server, but
these rules might help you with your server as well (I also had a heck
of a time getting all RA/NDP services working until I fixed this
ruleset). The biggest gotcha for me was ensuring that link-local and
multicast was allowed to/from hosts on my LAN. Here's a subset of what
I had to apply in my ruleset:

6lan = "2001:1111:2222::1/64"
table <v6local> { fe80::/10, ff01::/8, ff02::/8 }

pass in quick on $lan inet6 from { $6lan, <v6local> }
pass out quick on $lan inet6 to { $6lan, <v6local> }

As this is my internal network, I allow all traffic here and then filter
incoming/outgoing ports and whatnot on my WAN interface, but hopefully
you get the general idea.

-Proto
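
For the server case asked about in the quoted question, a narrower variant is to pass only the ICMPv6 messages that NDP and RAs depend on and keep a default block for everything else. This is an added example, not part of the original message or thread; the interface name em0 and the TCP ports 22 and 80 are assumptions chosen for illustration.

```pf
# Added example, not from the original post.
# Assumptions: em0 is the server's only external interface and the
# exposed services are TCP 22 and 80. Adjust both macros to the host.
ext_if       = "em0"
tcp_services = "{ 22, 80 }"

set skip on lo0

# Default deny in both directions, IPv4 and IPv6.
block all

# Neighbor Discovery (the IPv6 counterpart of ARP). Solicitations go to
# solicited-node multicast addresses (ff02::1:ffxx:xxxx) and the replies
# come back from a unicast address, so a state created by the outbound
# packet does not match the answer. Both message types therefore have to
# be passed explicitly in both directions.
pass quick on $ext_if inet6 proto ipv6-icmp all \
    icmp6-type { neighbrsol, neighbradv }

# Router Advertisements are always sourced from a link-local address,
# so accept them only from fe80::/10.
pass in quick on $ext_if inet6 proto ipv6-icmp from fe80::/10 to any \
    icmp6-type routeradv

# Let the host solicit an RA at boot instead of waiting for the next
# periodic one.
pass out quick on $ext_if inet6 proto ipv6-icmp all icmp6-type routersol

# Packet Too Big keeps path MTU discovery working (IPv6 routers never
# fragment); echo request is optional and only there for reachability
# checks.
pass in quick on $ext_if inet6 proto ipv6-icmp all \
    icmp6-type { toobig, echoreq }

# The exposed services, plus outbound traffic originated by the server.
pass in on $ext_if inet6 proto tcp from any to any port $tcp_services
pass out on $ext_if inet6 all
```

Parse the file with `pfctl -nf` before loading it, and confirm afterwards with `ndp -an` that the router's link-local address still resolves.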