From: "Kristof Provost" <kp@FreeBSD.org>
To: l.m.v.breda@xs4all.nl
Cc: pf@FreeBsd.org
Subject: Re: The best of both worlds “using mac filtering in pf”
Date: Fri, 10 Jul 2020 22:26:38 +0200

On 10 Jul 2020, at 19:57, l.m.v.breda@xs4all.nl wrote:
> Hello,
>
> I am using pfSense, built on top of pf. And of course pfSense/pf is a
> terrific firewall, however the world is changing in the direction of
> IPv6 and that leads to new issues and related new requirements.
>
> One of the major issues is that IPv6 does not provide a stable source
> address you can use to filter in your firewall.
>
> Many firewalls “out there” are *using the level-2 mac as a way
> around this issue*. However ….. pfSense cannot provide that
> functionality, since it is built on top of …… pf.
>
> Well, and then there is a “striking” issue ….. suppose that
> pfSense would have been built on top of OpenBSD, still using pf
> ………. That had been possible …….
>
> So as a user I would be very pleased if there could be a joined
> “pf-release” having *the best of both worlds* !!!!
>
> Assume we were running OpenBSD …… things like
>
> step-1: ifconfig bridge0 rule pass in on fxp0 src tag
>
> step-2: And then in pf.conf: pass in on fxp0 tagged (policy
> based rule)
>
> would have been an option, …. not saying it is the best option …..
> a better option would be if pf could set the tag itself
>
> Whatever, please consider adding this functionality to pf, preferably in the
> short term, since IPv6 is fast becoming very important!
>
> Sincerely,
>
> Louis
>
> PS … should I raise a feature request for this?
>
You can, but adding L2 filtering functionality to pf isn’t even on my
long-term todo list. It is essentially out of the question that it’d be
added in the short term (or even in the next year or two, unless someone
decides it’s worth contracting me for several months to do it).

I don’t personally see the use case for it either, but perhaps I’m
missing something. Can you explain what exactly you’d like to accomplish
with L2 filtering?

(It’s already possible to use pf on top of a bridge in bump-in-the-wire
mode. Given the gotchas in that code I **strongly** recommend people
don’t use that functionality.)

Best regards,
Kristof
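The two OpenBSD steps Louis sketches above, written out in full as an added example for readers of the archive; it is not from either mail, and, as Kristof notes, FreeBSD pf has no equivalent. The interface names em0/em1, the MAC 00:00:5e:00:53:01 and the tag names TRUSTED/UNTRUSTED are constructed placeholders.

```conf
# /etc/hostname.bridge0 on OpenBSD: bridge(4) evaluates its layer-2 rules
# on frames entering the bridge and stamps each one with a pf tag.
# em0 (inside), em1 (outside), the MAC and the tag names are constructed.
add em0
add em1
# First matching rule wins: frames from this one station are tagged TRUSTED ...
rule pass in on em0 src 00:00:5e:00:53:01 tag TRUSTED
# ... and every other frame arriving on em0 is tagged UNTRUSTED.
rule pass in on em0 tag UNTRUSTED
up

# /etc/pf.conf: match on the tag, so the policy no longer depends on the
# host's changing IPv6 source address (privacy/temporary addresses).
pass in quick on em0 inet6 proto tcp from any to any port 22 tagged TRUSTED
block in quick on em0 inet6 tagged UNTRUSTED
```

A MAC address can be set freely by any host on the same segment, so tagging by MAC identifies a station for local policy only; it is not authentication, which is part of why both replies question the use case.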
From: Ultima <ultima1252@gmail.com>
To: l.m.v.breda@xs4all.nl
Cc: pf@freebsd.org
Subject: Re: The best of both worlds “using mac filtering in pf”
Date: Fri, 10 Jul 2020 13:30:31 -0700

Please go into detail about this issue on why you would need to filter
layer 2. I see very little benefit to having the ability to filter on
layer 2 except in some very special cases, and IPv6 isn't one of them
that I'm aware of.

Best regards,
Richard Gallamore

On Fri, Jul 10, 2020 at 10:57 AM l.m.v.breda@xs4all.nl wrote:
> Hello,
>
> I am using pfSense, built on top of pf.
> And of course pfSense/pf is a
> terrific firewall, however the world is changing in the direction of IPv6
> and that leads to new issues and related new requirements.
>
> One of the major issues is that IPv6 does not provide a stable source
> address you can use to filter in your firewall.
>
> Many firewalls “out there” are *using the level-2 mac as a way around this
> issue*. However ….. pfSense cannot provide that functionality, since it
> is built on top of …… pf.
>
> Well, and then there is a “striking” issue ….. suppose that pfSense would
> have been built on top of OpenBSD, still using pf ………. That had been
> possible …….
>
> So as a user I would be very pleased if there could be a joined “pf-release”
> having *the best of both worlds* !!!!
>
> Assume we were running OpenBSD …… things like
>
> step-1: ifconfig bridge0 rule pass in on fxp0 src tag
>
> step-2: And then in pf.conf: pass in on fxp0 tagged (policy
> based rule)
>
> would have been an option, …. not saying it is the best option …..
> a better option would be if pf could set the tag itself
>
> Whatever, please consider adding this functionality to pf, preferably in the
> short term, since IPv6 is fast becoming very important!
>
> Sincerely,
>
> Louis
>
> PS … should I raise a feature request for this?