On 2012-06-09 14:40, Bjoern A. Zeeb wrote:
> You can however unconditionally allow all fragments and trust a (bad)
> end host system:
> pass log quick inet6 proto ipv6-frag all
Does ipv6-frag require explicit rules? My rules passing Internet<->LAN
traffic intentionally omit protocol specifications, so in theory
ipv6-frag should be covered. For example:
pass quick on $lanif from <lan_local> to <lan_local>
pass in quick on $lanif from <lan_global> to any tag LanOut
pass out quick on { $extif4, $extif6 } tagged LanOut
block in quick on $extif6 inet6 from any to <me6>
pass in quick on $extif6 inet6 from any to <lan_global> tag LanIn
pass out quick on $lanif tagged LanIn
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf