Date: Sun, 14 Aug 2016 19:18:40 +0100 From: John <tech-lists@zyxst.net> To: freebsd-pf@freebsd.org Subject: PF advice for IPv6-only machine (freebsd-12) Message-ID: <1471198720.1262751.695015513.1B57B0B9@webmail.messagingengine.com>
Hello list,

This is my first attempt creating a PF ipv6-only firewall. Please can anyone look at it and offer any suggestions? It seems to work (in that if services are removed from the macro, they're no longer accessible from the outside), but I'm not sure that I've done Everything Right (tm) and that there aren't some silly mistakes, like redundant statements.

I'd like to silently drop connection attempts to ports where there are no services, like one can do on ip4 with blackhole(4), but I haven't a clue how to do it on ipv6 with PF - is there a way?

### begins
# macros
ext_if = msk0
services = "{ 22, 3022 }"
icmp_types = "{ echoreq, unreach }"        # IPv4 ICMP; unused on an IPv6-only host
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol,\
routeradv, routersol }"

set skip on lo
set block-policy return
set state-policy if-bound
set loginterface $ext_if

# was "on ext_if": the macro needs the "$" or pf treats ext_if as a literal interface name
scrub in on $ext_if all fragment reassemble

# filter rules
block in log all
pass out all

# keep alive rules (6in4 tunnel traffic, IP protocol 41)
pass out log quick proto 41 from ($ext_if) to any keep state
pass in log quick proto 41 from any to ($ext_if) keep state

# allow heartbeat ping; restricted to the $icmp6_types macro, which was
# defined above but not referenced, so the rule previously passed all ICMPv6
pass in log quick on $ext_if inet6 proto { ipv6-icmp } from any to \
any icmp6-type $icmp6_types keep state

# pass tcp services
pass in quick on $ext_if inet6 proto tcp from any to any port $services
### ends

many thanks,
-- 
J.
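On the silent-drop question, PF has its own answer: `set block-policy drop` (or `block drop` on a rule) discards the packet with no RST or ICMPv6 unreachable, whereas `return` answers it. The following is an added example ruleset, not from the original post, that keeps the poster's macros and interface name (msk0) and applies the drop policy while still admitting the ICMPv6 types IPv6 cannot function without:

```pf
# Added example (not the original post's ruleset): same macros, but
# unsolicited packets are dropped silently instead of being answered.
ext_if = "msk0"
services = "{ 22, 3022 }"
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, \
                 neighbradv, neighbrsol, routeradv, routersol }"

set skip on lo
set block-policy drop        # "return" would send TCP RST / ICMPv6 unreachable
set state-policy if-bound
set loginterface $ext_if

scrub in on $ext_if all fragment reassemble

# Default deny inbound. Still logged, so dropped probes remain visible on pflog0.
block drop in log on $ext_if all
pass out on $ext_if all keep state

# 6in4 tunnel traffic (IP protocol 41) addressed to this host.
pass in quick on $ext_if proto 41 from any to ($ext_if) keep state

# Only the listed ICMPv6 types. neighbrsol/neighbradv and routersol/routeradv
# must stay in the list: with a blanket drop, leaving them out breaks
# neighbour discovery and the host loses IPv6 connectivity entirely.
pass in quick on $ext_if inet6 proto ipv6-icmp from any to any \
    icmp6-type $icmp6_types keep state

# Listed TCP services only; everything else falls through to the silent drop.
pass in quick on $ext_if inet6 proto tcp from any to ($ext_if) \
    port $services flags S/SA keep state
```

A per-rule `block return` still overrides the global policy, so a specific port can be made to answer with a RST while the rest of the unused port range stays silent. Check the file with `pfctl -nf /etc/pf.conf` before loading it.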