There are no IPv6-related examples in /usr/share/examples/pf, although pf has supported IPv6 since the beginning. Filtering ICMPv6 packets should be considered more carefully, therefore I enclose 3 sample configurations to be included in /usr/share/examples/pf.

Fix:

# external interface
EXT = "bge0"
# internal LAN interface
LAN = "bge1"
# IPv4 address of LAN interface
LANip4 = "192.168.1.1"
# IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
# IPv4 address of external interface
EXTip4 = "192.168.2.1"
# IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
# IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
# IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::1/64"
# loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"

# expire state connections early
set optimization aggressive

block in log all

# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port = domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port = domain keep state

# all TCP request allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state

# all ping request allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state

# ND solicitation out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}

# router advertisement out
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol

# DNS request inside
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain

# TCP request inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any

# ICMP request inside
pass in on $LAN inet proto icmp all icmp-type 8 code
pass in on $LAN inet6 proto icmp6 all icmp6-type
--- pf_noserver_ipv6.conf.txt ends here ---

How-To-Repeat:
Look at /usr/share/examples/pf
Test attached sample configs.
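A small lint pass for rulesets like the one above, as an added example that is not part of the original report or of FreeBSD's pf: it flags macros used without `$`, undefined macros and unrecognised icmp6-type names, and lists the neighbor discovery types that no explicit pass rule covers in each direction. The sample ruleset is constructed, the function name `lint` is hypothetical, and the type table is only a subset of the names in pf.conf(5).

```python
import re

# Subset of the icmp6-type names listed in pf.conf(5); numeric types are accepted too.
KNOWN = {"unreach", "toobig", "timex", "paramprob", "echoreq", "echorep",
         "routersol", "routeradv", "neighbrsol", "neighbradv", "redir"}
# Neighbor discovery messages a host both sends and receives on a link.
ND_REQUIRED = {"neighbrsol", "neighbradv"}

# Constructed sample ruleset containing deliberate slips.
SAMPLE = '''\
EXT = "bge0"
EXTip6 = "2001:db8:1:2::1"
block in log all
pass out on $EXT inet6 proto tcp from {EXTip6, $Lo6} to any keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
pass in on $EXT inet6 proto icmp6 all icmp6-type neighbrsol
pass out on $EXT inet6 proto icmp6 all icmp6-type routersadv
'''

def lint(text):
    """Return (findings, missing). missing maps a direction to the ND types with no
    explicit pass rule, which matters for any direction the ruleset blocks by default."""
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    macros = {m.group(1) for l in lines if (m := re.match(r'(\w+)\s*=\s*"', l))}
    findings, passed = [], {"in": set(), "out": set()}
    for no, line in enumerate(lines, 1):
        if not re.match(r"(pass|block)\b", line):
            continue
        for name in re.findall(r"\$(\w+)", line):
            if name not in macros:
                findings.append((no, f"undefined macro ${name}"))
        for word in re.findall(r"(?<![$\w])(\w+)", line):
            if word in macros:
                findings.append((no, f"macro {word} used without $"))
        m = re.search(r"icmp6-type\s+(\{[^}]*\}|\S+)", line)
        if not m:
            continue
        types = re.findall(r"[\w-]+", m.group(1))
        for t in types:
            if t not in KNOWN and not t.isdigit():
                findings.append((no, f"unknown icmp6-type {t}"))
        d = re.match(r"pass\s+(in|out)\b", line)
        if d:
            passed[d.group(1)].update(types)
    missing = {d: sorted(ND_REQUIRED - s) for d, s in passed.items()}
    return findings, missing

if __name__ == "__main__":
    print(lint(SAMPLE))
```

`pfctl -nf <file>` parses a ruleset without loading it and remains the authoritative syntax check; this pass is for places where pfctl is not available.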
The examples mostly assume the new OpenBSD default (also pf 4.1 in 7.0-current) of keep-state. Should the doc group take care of it, or the freebsd-pf working group?

Regards,
Janos Mohacsi
Responsible Changed From-To: freebsd-doc->mlaier PF in FreeBSD is a Max thing. :)
State Changed From-To: open->open commit bit has been taken in for safekeeping.
Responsible Changed From-To: mlaier->freebsd-doc
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped