On Mon, 1 Aug 2011, Michael Proto wrote:

On Fri, Jul 29, 2011 at 8:11 PM, Chris <[email protected]> wrote:
Hello,

I'm having a heck of a time trying to get PF to work with IPv6 on a
few FreeBSD machines, mainly regarding NDP and RAs. Does anyone have a
sample ruleset they can share for a server system that has a few
services exposed?


I'm running pf w/ IPv6 on a FreeBSD gateway, not an actual server, but
these rules might help you with your server as well (I also had a heck
of a time getting all RA/NDP services working until I fixed this
ruleset). The biggest gotcha for me was ensuring that link-local and
multicast were allowed to/from hosts on my LAN.

Here's a subset of what I had to apply in my ruleset:

6lan = "2001:1111:2222::1/64"
table <v6local> { fe80::/10, ff01::/8, ff02::/8 }

pass  in  quick on $lan inet6 from { $6lan, <v6local> }
pass  out quick on $lan inet6 to { $6lan, <v6local> }


As this is my internal network, I allow all traffic here and then filter
incoming/outgoing ports and whatnot on my WAN interface, but hopefully
you get the general idea.

It can be slightly more strict: RA/NDP is using ICMPv6.
        Regards,
                Janos Mohacsi



-Proto
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
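
The stricter variant suggested in the reply above, written out as a pf.conf fragment. This is an added example, not a ruleset posted in the thread; the interface name em1 and the ndp_types macro are assumptions, and it goes one step past "ICMPv6 only" by naming the four message types NDP and RA use.

```pf
# Added example (not from the thread). em1 is a placeholder interface name.
lan  = "em1"
6lan = "2001:1111:2222::1/64"        # LAN prefix as given in the thread

# Hypothetical macro: the ICMPv6 types used by router and neighbor discovery.
ndp_types = "{ routersol, routeradv, neighbrsol, neighbradv }"

# Broad form from the thread, for comparison: any IPv6 protocol to or from
# link-local and multicast addresses is passed.
#   pass in  quick on $lan inet6 from { $6lan, <v6local> }
#   pass out quick on $lan inet6 to   { $6lan, <v6local> }

# Stricter form: only router/neighbor solicitations and advertisements.
# No source restriction here, because duplicate address detection sends
# neighbor solicitations from the unspecified address (::).
pass in  quick on $lan inet6 proto icmp6 all icmp6-type $ndp_types
pass out quick on $lan inet6 proto icmp6 all icmp6-type $ndp_types

# Traffic within the LAN prefix stays open, as in the thread.
pass in  quick on $lan inet6 from $6lan
pass out quick on $lan inet6 to   $6lan

# Other link-local or multicast traffic (DHCPv6, for instance) no longer
# matches and needs its own rule if the LAN uses it.
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, then confirm that hosts on the LAN still pick up a default route from the RA.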
