Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 10 Jul 2020 19:57:08 +0200
From:      <l.m.v.breda@xs4all.nl>
To:        <pf@FreeBsd.org>
Subject:   =?utf-8?Q?The_best_of_both_worlds_=E2=80=9Cusing_m?= =?utf-8?Q?ac_filtering_in_pf=E2=80=9D?=
Message-ID:  <!&!AAAAAAAAAAAYAAAAAAAAACYbCWzhrJhCgyrjLq4Ik8vCgAAAEAAAAL4ruAj5hLlBvrT0M4EEcEEBAAAAAA==@xs4all.nl>

Next in thread | Raw E-Mail | Index | Archive | Help
Hello,

I am using pfSense, build on top of pf. And of course pfSense/pf is a =
terrific firewall, however the world is changing in the direction of =
IPV6 and that leads to new issues and related new requirements.

One of the major issues is that IPV6 does not provide a stable source =
address you can use to filter in your firewall.=20

Many firewalls =E2=80=9Cout there=E2=80=9D are *using the level-2 mac as =
a way around this issue*. =EF=BF=BD However =E2=80=A6.. pfSense cannot =
provide that functionality, since it is built on top of =
=E2=80=A6=E2=80=A6 pf.

Tja, and then there is a =E2=80=9Cstriking=E2=80=9D issue =E2=80=A6.. =
suppose that pfSense would have been built on top of OpenBSD, still =
using pf =E2=80=A6=E2=80=A6=E2=80=A6. That had been possible =
=E2=80=A6=E2=80=A6.

So as user I would be very pleased if there could be a joined =
=E2=80=9Cpf-release=E2=80=9D having *best of both worlds* !!!!

Assume we were running OpenBSD =E2=80=A6=E2=80=A6 things like =EF=BF=BD =
=EF=BF=BD=20

step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag =
<sometag>
step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy =
based rule)

would have been an option, =E2=80=A6. not saying it is the best option =
=E2=80=A6..  =EF=BF=BDbetter option would be if pf could set the tag =
itself

Whatever please consider adding this functionality to pf preferable on =
short term, since IPV6 is fast becoming very important!

Sincerely,

 =EF=BF=BD

Louis

PS =E2=80=A6 should I raise an feature request for this?

 =EF=BF=BD




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?!&!AAAAAAAAAAAYAAAAAAAAACYbCWzhrJhCgyrjLq4Ik8vCgAAAEAAAAL4ruAj5hLlBvrT0M4EEcEEBAAAAAA==>