Date:      Wed, 8 May 2024 21:14:27 +0100
From:      Lexi Winter <lexi@le-fay.org>
To:        Dirk-Willem van Gulik <dirkx@webweaving.org>
Cc:        FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: IPv6 and IPv4 combined rules in pf.conf
Message-ID:  <ZjvdI2LzAYEIMjCy@ilythia.eden.le-fay.org>
In-Reply-To: <0C18B410-E90B-4295-B09E-43B48F9191A4@webweaving.org>
References:  <0C18B410-E90B-4295-B09E-43B48F9191A4@webweaving.org>

Dirk-Willem van Gulik:
> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
> listening to - is there a recommended way to setup pf.conf to avoid
> mistakes/duplication ?

> To avoid duplication in constructs such as:

> 	# Foo app servers
> 	foobarserver_host4=231.17.X.Y
> 	foobarserver_host6=fe80::5246:…
>
> 	# Load balancers  - direct or via tun0 in post/fail-back
> 	bar_net=X.Y.Z.Z #
> 	bar_net6=fe80::5246:… #
> 	…
>
> 	pass in on { tun0, $ext_if }  proto udp from $bar_net  to $foobarserver_host4 port 2194 keep state
> 	pass in on { tun0, $ext_if }  proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state

> Is there some recommended way of doing this in stock FreeBSD ? Or does
> one usually end up with some sort of macro/generate style solution ?

i would suggest something like this:

	table <foobarserver> {
		231.17.X.Y
		fe80::5246:...
	}

	table <bar-net> {
		...
	}

	pass on { tun0, $ext_if } proto udp from <bar-net> \
		to <foobarserver> port 2194

alternatively, if 'foobarserver' is the local host, you can simply do:

	pass in on { tun0, $ext_if } proto udp from <bar-net> \
		to self port 2194

note that in either case pf doesn't need 'keep state'.
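
Added example, not part of the original message: a small Python check for the mistake that combined tables can hide. A table referenced by a rule but holding only one address family makes that rule match only that family's traffic. The addresses are constructed documentation prefixes and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed pf.conf fragment (documentation prefixes, not from the thread).
SAMPLE = """
table <foobarserver> {
	192.0.2.10
	2001:db8:1::10
}
table <bar-net> { 198.51.100.0/24 }   # IPv6 prefix forgotten
pass in on { tun0, $ext_if } proto udp from <bar-net> \\
	to <foobarserver> port 2194
"""

# Matches inline table definitions: table <name> [options] { entries }
TABLE_RE = re.compile(r"table\s+<([^>]+)>[^{\n]*\{([^}]*)\}")


def strip_comments(conf):
    """Drop '#' comments so they are not parsed as table entries."""
    return re.sub(r"#.*", "", conf)


def table_families(conf):
    """Map each inline table to the set of IP versions (4, 6) it contains."""
    families = {}
    for name, body in TABLE_RE.findall(strip_comments(conf)):
        versions = set()
        for entry in re.split(r"[,\s]+", body.strip()):
            entry = entry.lstrip("!")  # negated table entry
            if not entry:
                continue
            try:
                versions.add(ipaddress.ip_network(entry, strict=False).version)
            except ValueError:
                pass  # hostnames, interface names, 'self': not classified here
        families[name] = versions
    return families


def single_family_tables(conf):
    """Tables referenced by rules whose entries cover only one address family."""
    conf = strip_comments(conf)
    fams = table_families(conf)
    rules = TABLE_RE.sub("", conf)  # what remains is rules, not definitions
    used = set(re.findall(r"<([^>]+)>", rules))
    return sorted(t for t in used if fams.get(t) and fams[t] != {4, 6})


if __name__ == "__main__":
    for t in single_family_tables(SAMPLE):
        print(f"table <{t}> covers only one address family")
```
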
