From: Michael Proto <mike@jellydonut.org>
To: freebsd-pf@freebsd.org
Date: Mon, 1 Aug 2011 12:12:20 -0400
Subject: Re: IPv6 config for PF
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Fri, Jul 29, 2011 at 8:11 PM, Chris wrote:
> Hello,
>
> I'm having a heck of a time trying to get PF to work with IPv6 on a
> few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a
> sample ruleset they can share
> for a server system that has a few services exposed?
>

I'm running pf w/ IPv6 on a FreeBSD gateway, not an actual server, but
these rules might help you with your server as well (I also had a heck
of a time getting all RA/NDP services working until I fixed this
ruleset). The biggest gotcha for me was ensuring that link-local and
multicast was allowed to/from hosts on my LAN.
Here's a subset of what I had to apply in my ruleset:

# $lan is the internal interface macro, defined elsewhere in the ruleset.
# pf macro names must start with a letter, so the prefix macro is lan6.
lan6 = "2001:1111:2222::1/64"
# <v6local> is a placeholder name: the table name did not survive the
# list archive. Link-local plus the node- and link-scope multicast ranges.
table <v6local> { fe80::/10, ff01::/8, ff02::/8 }

pass in quick on $lan inet6 from { $lan6, <v6local> }
pass out quick on $lan inet6 to { $lan6, <v6local> }

As this is my internal network, I allow all traffic here and then filter
incoming/outgoing ports and whatnot on my WAN interface, but hopefully
you get the general idea.

-Proto
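As an added example that is not part of the thread, here is the server-side counterpart to the gateway rules above for Chris's case (a host with a few exposed services): NDP and RA are matched by ICMPv6 type rather than by source table, so Duplicate Address Detection keeps working, and only ICMPv6 is opened towards link-local and multicast peers on the public interface. The interface name em0, the table name <v6local> and the port list are assumptions.

```pf
# Added example, not code from the thread: a server-side IPv6 fragment.
# Assumptions: the public interface is em0; the table name <v6local>
# and the port list are illustrative.
ext_if = "em0"
table <v6local> const { fe80::/10, ff01::/8, ff02::/8 }

# ICMPv6 types that carry NDP and router advertisements. Drop these and
# the host never learns its default router or resolves neighbours.
ndp = "{ routersol, routeradv, neighbrsol, neighbradv }"
# ICMPv6 errors a host must still accept; "toobig" is path-MTU discovery,
# and filtering it silently breaks large IPv6 transfers.
icmp6_err = "{ unreach, toobig, timex, paramprob }"

set skip on lo0
block log all

# NDP is matched by ICMPv6 type, not by source address: Duplicate Address
# Detection sends neighbour solicitations from the unspecified address
# (::), which no link-local/multicast table would ever match.
pass quick on $ext_if inet6 proto icmp6 icmp6-type $ndp

# Any other ICMPv6 exchanged with link-local or multicast peers (MLD
# queries, for example). Only icmp6 is opened here: a plain
# "pass from fe80::/10" on a public interface would expose every
# listening service to any host on the same link.
pass quick on $ext_if inet6 proto icmp6 from <v6local>
pass quick on $ext_if inet6 proto icmp6 to <v6local>

# Diagnostics and errors from anywhere.
pass in on $ext_if inet6 proto icmp6 icmp6-type $icmp6_err
pass in on $ext_if inet6 proto icmp6 icmp6-type echoreq

# Outbound from the server, and only the published services inbound.
pass out on $ext_if inet6
pass in on $ext_if inet6 proto tcp to ($ext_if) port { 22, 80, 443 }
```

Run pfctl -nf against the file first: it parses without loading, which catches a typo in the icmp6-type list immediately, whereas a missing NDP rule only shows up later as neighbours timing out.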