Bug 112579 - [request] No ipv6 related pf examples in /usr/share/examples/pf
Status: Open
Alias: None
Product: Documentation
Classification: Unclassified
Component: Books & Articles
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-doc (Nobody)
Reported: 2007-05-10 19:00 UTC by Mohacsi Janos
Modified: 2018-01-03 05:12 UTC (History)
Attachments
pf_ipv6host.conf.txt (2.09 KB, text/plain)
2007-05-10 19:00 UTC, Mohacsi Janos
pf_www_ssh_server_ipv6.conf.txt (2.65 KB, text/plain)
2007-05-10 19:00 UTC, Mohacsi Janos

Description Mohacsi Janos 2007-05-10 19:00:11 UTC
There are no IPv6-related examples in /usr/share/examples/pf, although pf has
supported IPv6 since the beginning. Filtering ICMPv6 packets should be considered
more carefully; therefore I enclose 3 sample configurations to be included in
/usr/share/examples/pf.

Fix:
#external interface
EXT = "bge0"
#internal LAN interface
LAN = "bge1"
#IPv4 address of LAN interface
LANip4 = "192.168.1.1"
#IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
#IPv4 address of external interface
EXTip4 = "192.168.2.1"
#IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
#IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
#IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::1/64"
#loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"
# expire state connections early
set optimization aggressive
# default: block and log everything inbound
block in log all
# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port domain keep state
# all TCP request allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping request allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND solicitation and advertisement out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND solicitation and advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
#router advertisement out
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS request inside (protocol was missing in the report; udp assumed, as in the outbound DNS rules)
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain
# TCP request inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP request inside (rule tails were cut off in the report; echo request assumed, mirroring the outbound ping rules)
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq
--- pf_noserver_ipv6.conf.txt ends here ---
How-To-Repeat: 	Look at /usr/share/examples/pf
	Test attached sample configs.
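
An offline pre-check for sample rule sets like the one in this report, added here as an example (it is not part of the bug report or of FreeBSD). It flags undefined macros, macros used without `$`, unterminated macro quotes, `proto` with no protocol, and icmp6-type names outside a small allow-list; `lint_pf`, the allow-list and the sample rules are constructed for illustration, and `pfctl -nf <file>` remains the authoritative parser check.

```python
import re

# Partial allow-list (assumption): extend it from the icmp6-type names in pf.conf(5).
KNOWN_ICMP6 = {"echoreq", "echorep", "routersol", "routeradv",
               "neighbrsol", "neighbradv"}
MACRO_DEF = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*)$")

def lint_pf(text):
    """Return (line_no, message) findings for a pf.conf-style rule set."""
    findings, macros = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:                                    # macro definition: NAME = "value"
            macros.add(m.group(1))
            if m.group(2).count('"') % 2:
                findings.append((no, "unterminated quote in macro " + m.group(1)))
            continue
        for name in re.findall(r"\$(\w+)", line):
            if name not in macros:
                findings.append((no, "undefined macro $" + name))
        for word in re.findall(r"(?<![$\w])([A-Za-z_]\w*)", line):
            if word in macros:                   # e.g. {EXTip6} instead of {$EXTip6}
                findings.append((no, "macro " + word + " used without $"))
        t = re.search(r"icmp6-type\s*(\{[^}]*\}|\S+)?", line)
        if t:
            names = re.findall(r"[\w-]+", t.group(1) or "")
            if not names:
                findings.append((no, "icmp6-type has no value"))
            for n in names:                      # numeric types are accepted as-is
                if not n.isdigit() and n not in KNOWN_ICMP6:
                    findings.append((no, "unknown icmp6-type " + n))
        if re.search(r"\bproto\s+(from|to|all)\b", line):
            findings.append((no, "proto keyword has no protocol"))
    return findings

# Constructed sample rules containing one defect of each kind.
SAMPLE = '''\
EXT = "em0"
EXTip6 = "2001:db8:1:2::1
pass out on $EXT inet6 proto tcp from {EXTip6} to any keep state
pass out on $LAN inet6 proto icmp6 all icmp6-type routersadv
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
pass in on $EXT inet6 proto from any to any port domain
pass in on $EXT inet6 proto icmp6 all icmp6-type
'''
if __name__ == "__main__":
    print(*lint_pf(SAMPLE), sep="\n")
```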
Comment 1 Mohacsi Janos 2007-10-10 10:31:51 UTC
The examples mostly assume the new OpenBSD default (also pf 4.1 in
7.0-current) of keep-state.

Should the doc group take care of it, or the freebsd-pf working group?

Regards,
             Janos Mohacsi
Comment 2 Tom Rhodes freebsd_committer freebsd_triage 2008-01-26 09:18:52 UTC
Responsible Changed
From-To: freebsd-doc->mlaier

PF in FreeBSD is a Max thing.  :)
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2013-07-03 01:50:32 UTC
State Changed
From-To: open->open

commit bit has been taken in for safekeeping. 


Comment 4 Mark Linimon freebsd_committer freebsd_triage 2013-07-03 01:50:32 UTC
Responsible Changed
From-To: mlaier->freebsd-doc
Comment 5 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:58:58 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped