From owner-freebsd-pf@freebsd.org Fri Jul 10 17:57:14 2020
From: l.m.v.breda@xs4all.nl
Subject: The best of both worlds “using mac filtering in pf”
Date: Fri, 10 Jul 2020 19:57:08 +0200
List-Id: "Technical discussion and general questions about packet filter (pf)" freebsd-pf@freebsd.org

Hello,

I am using pfSense, built on top of pf. And of course pfSense/pf is a terrific firewall, however the world is changing in the direction of IPv6 and that leads to new issues and related new requirements.

One of the major issues is that IPv6 does not provide a stable source address you can use to filter in your firewall.

Many firewalls “out there” are *using the level-2 MAC as a way around this issue*. However ... pfSense cannot provide that functionality, since it is built on top of ... pf.

Well, and then there is a “striking” issue ... suppose that pfSense had been built on top of OpenBSD, still using pf ... That would have been possible ...

So as a user I would be very pleased if there could be a joint “pf-release” having the *best of both worlds*!!!!

Assume we were running OpenBSD ... things like

step-1: ifconfig bridge0 rule pass in on fxp0 src tag

step-2: And then in pf.conf: pass in on fxp0 tagged (policy based rule)

would have been an option, ... not saying it is the best option ... a better option would be if pf could set the tag itself.

Whatever, please consider adding this functionality to pf, preferably in the short term, since IPv6 is fast becoming very important!

Sincerely,

Louis

PS ... should I raise a feature request for this?

From owner-freebsd-pf@freebsd.org Fri Jul 10 20:26:41 2020
From: Kristof Provost <kp@FreeBSD.org>
To: l.m.v.breda@xs4all.nl
Cc: pf@FreeBsd.org
Subject: Re: The best of both worlds “using mac filtering in pf”
Date: Fri, 10 Jul 2020 22:26:38 +0200
Message-ID: <13D8D0CF-3C18-4FE6-B501-62B042099004@FreeBSD.org>

On 10 Jul 2020, at 19:57, l.m.v.breda@xs4all.nl wrote:
> [...]
>
> PS ... should I raise a feature request for this?

You can, but adding L2 filtering functionality to pf isn’t even on my long-term todo list. It is essentially out of the question that it’d be added in the short term (or even in the next year or two, unless someone decides it’s worth contracting me for several months to do it).

I don’t personally see the use case for it either, but perhaps I’m missing something. Can you explain what exactly you’d like to accomplish with L2 filtering?

(It’s already possible to use pf on top of a bridge in bump-in-the-wire mode. Given the gotchas in that code I **strongly** recommend people don’t use that functionality.)

Best regards,
Kristof

From owner-freebsd-pf@freebsd.org Fri Jul 10 20:30:46 2020
From: Ultima <ultima1252@gmail.com>
To: l.m.v.breda@xs4all.nl
Cc: pf@freebsd.org
Subject: Re: The best of both worlds “using mac filtering in pf”
Date: Fri, 10 Jul 2020 13:30:31 -0700

Please go into detail about this issue on why you would need to filter layer 2.

I see very little benefit to having the ability to filter on layer 2 except in some very special cases, and IPv6 isn't one of them that I'm aware of.

Best regards,
Richard Gallamore

From owner-freebsd-pf@freebsd.org Fri Jul 10 20:37:16 2020
From: Ultima <ultima1252@gmail.com>
To: Kristof Provost
Cc: pf@freebsd.org
Subject: Re: The best of both worlds “using mac filtering in pf”
Date: Fri, 10 Jul 2020 13:37:02 -0700
In-Reply-To: <13D8D0CF-3C18-4FE6-B501-62B042099004@FreeBSD.org>

Hey Kristof,

> (It’s already possible to use pf on top of a bridge in
> bump-in-the-wire mode. Given the gotchas in that code I **strongly**
> recommend people don’t use that functionality.)

Do you mind going into details on the gotchas or providing links?

Thanks and best regards,
Richard Gallamore

From owner-freebsd-pf@freebsd.org Fri Jul 10 20:44:18 2020
From: Kristof Provost <kp@FreeBSD.org>
To: Ultima
Cc: pf@freebsd.org
Subject: Re: The best of both worlds “using mac filtering in pf”
Date: Fri, 10 Jul 2020 22:44:12 +0200
References: <13D8D0CF-3C18-4FE6-B501-62B042099004@FreeBSD.org>

On 10 Jul 2020, at 22:37, Ultima wrote:
> Do you mind going into details on the gotchas or providing links?

I am reluctant to, because people will delude themselves into believing they can avoid the landmines. The entire way this feature is implemented is wrong, and you cannot reliably avoid the landmines. If you use it, at some point you will find yourself spread out over the landscape.

That said, very briefly (and understand that it **will** blow up in your face when it’s most annoying): the way this feature works is by stripping off the Ethernet header, passing the IP packet to pf, and then re-adding the Ethernet header once pf is done with it. This explodes spectacularly if you do something that causes the packet to not be returned by pf, such as a route-to/reply-to rule, or any time IPv6 fragmentation is involved.

Best regards,
Kristof

From owner-freebsd-pf@freebsd.org Fri Jul 10 21:04:41 2020
From: l.m.v.breda@xs4all.nl
To: Ultima
Cc: pf@freebsd.org
Subject: RE: The best of both worlds “using mac filtering in pf”
Date: Fri, 10 Jul 2020 23:04:35 +0200
Message-ID: <000601d656fd$b7d17340$277459c0$@xs4all.nl>

Hello,

Seeing the reactions, I think I did not describe my problem well enough. So here is a better problem description.

An IPv6 device has many IPv6 addresses, among them temporary addresses and autogenerated addresses. This is partly because of privacy concerns.

So if an IPv6 device starts a connection with e.g. a temporary address, the firewall does not know that address. As a consequence, filtering the outgoing traffic of that specific device is not possible.

So given that situation you / the firewall need something else to filter on. And the intention is to use the device MAC address for that. That is not that special. Other firewalls can do that as well (to a certain extent even the OpenBSD pf version).

So the intention is not to do level-2 filtering, the intention is just to use the level-2 address as an alternative for the unknown IPv6 address, for level-3 filtering.

Not different from IPv4 firewall rules using an IPv4 address to block or pass incoming or outgoing traffic.

Hope this clarifies things.

Louis

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
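What Louis describes in his last message, a per-host egress policy keyed on the MAC because the host's IPv6 source address keeps rotating, can be approximated on a FreeBSD/pf router without any layer-2 support in pf: the router's neighbour cache (`ndp -an`) already maps each link-layer address to every IPv6 address that host has used to talk through the router, so a small job can copy those addresses into a pf table that ordinary inet6 rules reference. The script below is an added example written for this thread; it is not code from pf, pfSense or any of the posters. It assumes, none of which the thread states, that the firewall is the LAN's IPv6 router, that pf.conf declares `table <host_louis> persist` and a rule such as `block out quick on $ext_if inet6 from <host_louis>`, and that the table name, the MAC address and the `ndp -an` output embedded for offline use are made up. It is best-effort policy rather than enforcement: a freshly generated temporary address gets through until the next run, states that existed before an address entered the table are untouched until killed with `pfctl -k`, and a MAC can be forged by anyone on the segment. OpenBSD's bridge rule tagging from the original post does the same MAC-to-policy mapping in the kernel on every frame, which is why it does not have the first-packet gap.

```python
"""Fill a pf table with the IPv6 addresses a given MAC is currently using.

Added example for the freebsd-pf thread on MAC-based filtering; not code from
pf, pfSense or the posters. Assumptions (not stated in the thread):
  - this host is the LAN's IPv6 router, so addresses a host uses to reach the
    outside appear in the neighbour cache printed by `ndp -an`;
  - pf.conf declares the table, e.g.
        table <host_louis> persist
        block out quick on $ext_if inet6 from <host_louis>
  - table name, MAC addresses and the sample `ndp -an` output are made up.
"""
import ipaddress
import re
import subprocess
import sys

# Constructed sample in the column layout FreeBSD's `ndp -an` prints;
# not captured from a real system.
SAMPLE_NDP_OUTPUT = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
fe80::211:22ff:fe33:4455%em1         00:11:22:33:44:55    em1 23h59m58s R
2001:db8::211:22ff:fe33:4455         00:11:22:33:44:55    em1 23h59m58s S
2001:db8::d9a1:7c02:ee40:91b3        00:11:22:33:44:55    em1 4m12s     R
2001:db8::c0ff:ee00:1234:5678        aa:bb:cc:dd:ee:ff    em1 12m4s     S
2001:db8::dead:beef                  (incomplete)         em1 expired   I
fe80::1%em1                          0c:c4:7a:00:00:01    em1 permanent R R
"""

_HEX_OCTET = re.compile(r"[0-9a-f]{1,2}")


def normalize_mac(mac):
    """Canonical 'xx:xx:xx:xx:xx:xx' form, so an unpadded '0:11:22:33:44:55'
    (some ether_ntoa implementations drop leading zeros) compares equal."""
    octets = mac.strip().lower().split(":")
    if len(octets) != 6 or not all(_HEX_OCTET.fullmatch(o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.zfill(2) for o in octets)


def parse_ndp(output):
    """(address, mac, netif) for every resolved entry in `ndp -an` output.
    The header line and INCOMPLETE entries (no link-layer address) are skipped."""
    entries = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Neighbor" or fields[1] == "(incomplete)":
            continue
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue
        entries.append((fields[0], mac, fields[2]))
    return entries


def addresses_for_mac(ndp_output, mac, netif=None):
    """Global-scope IPv6 addresses the cache associates with `mac`, optionally
    restricted to one interface, as RFC 5952 compressed strings. Link-local
    entries (fe80::/10, printed with a %scope suffix) are dropped: they never
    cross the router, so an egress rule cannot see them anyway."""
    want = normalize_mac(mac)
    found = set()
    for addr, lladdr, ifname in parse_ndp(ndp_output):
        if lladdr != want or (netif is not None and ifname != netif):
            continue
        try:
            ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
        except ValueError:
            continue
        if not ip.is_link_local:
            found.add(str(ip))
    return sorted(found)


def pfctl_argv(table, addrs):
    """argv that makes the pf table contain exactly `addrs`. `-T replace` diffs
    against the live table so unchanged entries keep their counters; an empty
    result is expressed as `-T flush` rather than handing replace no input."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", table):
        raise ValueError(f"bad pf table name: {table!r}")
    if not addrs:
        return ["pfctl", "-t", table, "-T", "flush"]
    return ["pfctl", "-t", table, "-T", "replace", *addrs]


def sync_table(table, mac, netif=None, ndp_output=None, run=subprocess.run):
    """Read the live neighbour cache (or `ndp_output` when supplied) and load
    the matching addresses into `table`. Returns the addresses loaded."""
    if ndp_output is None:
        ndp_output = run(["ndp", "-an"], capture_output=True, text=True,
                         check=True).stdout
    addrs = addresses_for_mac(ndp_output, mac, netif)
    run(pfctl_argv(table, addrs), check=True)
    return addrs


if __name__ == "__main__":
    # Intended for cron(8) every minute or so, e.g.
    #   python3 ndp_to_pftable.py host_louis 00:11:22:33:44:55 em1
    # Caveats: a new temporary address passes until the next run, states
    # created earlier survive a table change (kill them with `pfctl -k`),
    # and a MAC is trivially spoofable, so this is convenience, not auth.
    table, mac = sys.argv[1], sys.argv[2]
    netif = sys.argv[3] if len(sys.argv) > 3 else None
    print(" ".join(sync_table(table, mac, netif)))
```

Run it from cron on the firewall with the table name, the host's MAC and optionally the LAN interface; each run atomically replaces the table with whatever the neighbour cache currently knows for that MAC, so the SLAAC address and every temporary address the host has actually used show up, while link-local and unresolved entries are ignored. The same idea works for a `pass` rule instead of a `block`, with the added first-packet gap in the permissive direction being harmless.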