Date: Wed, 8 May 2024 21:14:27 +0100 From: Lexi Winter <lexi@le-fay.org> To: Dirk-Willem van Gulik <dirkx@webweaving.org> Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org> Subject: Re: IPv6 and IPv4 combined rules in pf.conf Message-ID: <ZjvdI2LzAYEIMjCy@ilythia.eden.le-fay.org> In-Reply-To: <0C18B410-E90B-4295-B09E-43B48F9191A4@webweaving.org> References: <0C18B410-E90B-4295-B09E-43B48F9191A4@webweaving.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--UIAKpieOOX7RD9VB Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Dirk-Willem van Gulik: > For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are > listening to - is there a recommended way to setup pf.conf to avoid > mistakes/duplication ? =20 > To avoid duplication in constructs such as: =20 > # Foo app servers > foobarserver_host4=3D231.17.X.Y > foobarserver_host6=3Dfe80::5246:=E2=80=A6 >=20 > # Load balancers - direct or via tun0 in post/fail-back=20 > bar_net=3DX.Y.Z.Z #=20 > bar_net6=3Dfe80::5246:=E2=80=A6 #=20 > =E2=80=A6 >=20 > pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_= host4 port 2194 keep state > pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarse= rver_host6 port 2194 keep state =20 > Is there some recommended way of doing this in stock FreeBSD ? Or does > one usually end up with some sort of macro/generate style solution ? i would suggest something like this: table <foobarserver> { 231.17.X.Y fe80::5246:... } table <bar-net> { ... } pass on { tun0, $ext_if } proto udp from <bar-net> \ to <foobarserver> port 2194 alternatively, if 'foobarserver' is the local host, you can simply do: pass in on { tun0, $ext_if } proto udp from <bar-net> \ to self port 2194 note that in either case pf doesn't need 'keep state'. --UIAKpieOOX7RD9VB Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGzBAABCAAdFiEEuwt6MaPcv/+Mo+ftDHqbqZ41x5kFAmY73SAACgkQDHqbqZ41 x5lCVQv/c5UQ0eY0WwkRQki/5hZfME2DFwF7Q/hVTLmeprW+IjNZf5Ufn3bJLeoz walPBYuf0iEuQiSOnDAbk93rMAZO4arts8zIN6VtlnuJ8t2hKkIdaO9hqdae5y7d X7I3Y315Goetjcuqxnn9QaHT7LKTvEGfv58CB0oFtXT4YmoFtmooPSsq6Gps8o4j Aar57QmEBUyoFoqy6x2WdJzyHiolKO1RmpKWQereZJVF/WuJ9W2ljSP9h38XfhyG jszwxmMF26XpPYb7FBhxisrSEyVq9yVOoJ4pNkAC9ysSr14mvoFMcgTyszkwIDGu qnyc2Net45ipIFfEkD3HsHPuAnK2rDIhgj9VaIq+cz6v1KiefMyB1QcmOQ3atS33 D3vclDUahXUk6rpFDqmvGiIgcGvxRNbCxBNP7pFJgRhSpcIhxqB5+oTguVXO/5Ed 6RSMQINdZQJiIqTnxdtLmnYX9inv7qS+j4I4+lRdJgvKqQOdNOwutZMwy3xROdYZ wxHo3BCm =Pijn -----END PGP SIGNATURE----- --UIAKpieOOX7RD9VB--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ZjvdI2LzAYEIMjCy>