Date:      Thu, 20 Jun 2019 11:55:54 +0200
From:      Jan Bramkamp <crest@rlwinm.de>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Look for an ipfw example using NPTv6
Message-ID:  <3629aeba-61ef-2cce-4971-c3a0ed973765@rlwinm.de>
In-Reply-To: <CAHu1Y72ezsU-f7WbYpH3h0Qcj1uttCsnQHqFue9F9xJmOtZd=w@mail.gmail.com>
References:  <CAHu1Y72ezsU-f7WbYpH3h0Qcj1uttCsnQHqFue9F9xJmOtZd=w@mail.gmail.com>

On 18.06.19 22:00, Michael Sierchio wrote:
> I'm looking for a simple firewall example using nptv6 to translate
> link-local addresses to match the prefix assigned by my ISP.  I'll be using
> stateful rules and allowing only outbound traffic.
>
> If you have a snippet, I'll be grateful.  Thanks.
>
This sounds like you're trying to force IPv6 to behave like IPv4 with 
longer addresses and just replace RFC1918 addresses with link-local 
addresses. This isn't going to work because the differences are larger 
than just the address length. Link-local addresses are just what the 
name says: they are local to the link. A link-local address isn't even 
unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1 
on the same host.

In theory you can get very close to NAT between global unicast addresses 
and private addresses by configuring NPTv6 between global unicast 
addresses and unique local addresses, but that would be a terrible 
choice. One of the great advantages of IPv6 is that it removes the address 
scarcity that forced NAT upon us. Each IPv6 device has as many global 
IPv6 unicast addresses as required.

Would you feel comfortable describing the constraints shaping your 
design to us?
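As an added example (not part of this thread and not FreeBSD's ipfw nptv6 code), the following Python model shows what the NPTv6 mapping Jan mentions actually does between a unique-local prefix and a global unicast prefix: RFC 6296 rewrites the prefix and adds a one's-complement "adjustment" to one 16-bit word so that TCP/UDP checksums covering the address stay valid. It also refuses link-local addresses, for the reason given above: their scope is the link, not the host. The prefixes and addresses used are constructed sample values, and the class and function names are this example's own.

```python
"""Constructed model of NPTv6 (RFC 6296) checksum-neutral prefix translation.

Example code for illustration; not the ipfw implementation. Prefix lengths
are limited to multiples of 16 bits up to /64 so that the prefix boundary
falls on a word boundary (the RFC's worked cases are /48 and /64).
"""
from ipaddress import IPv6Address, IPv6Network


def oc_add(a: int, b: int) -> int:
    """One's-complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def oc_sum(words) -> int:
    """One's-complement sum of a sequence of 16-bit words."""
    total = 0
    for w in words:
        total = oc_add(total, w)
    return total


def to_words(addr: IPv6Address) -> list:
    """Split a 128-bit address into eight big-endian 16-bit words."""
    return [int.from_bytes(addr.packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words) -> IPv6Address:
    return IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def address_word_sum(addr: IPv6Address) -> int:
    """What an address contributes to a transport checksum (pseudo-header words).
    0x0000 and 0xFFFF are both zero in one's complement; normalise to 0."""
    s = oc_sum(to_words(addr))
    return 0 if s == 0xFFFF else s


class NPTv6:
    def __init__(self, internal: IPv6Network, external: IPv6Network):
        if internal.prefixlen != external.prefixlen:
            raise ValueError("internal and external prefixes must have equal length")
        if internal.prefixlen > 64 or internal.prefixlen % 16:
            raise ValueError("this model handles /16, /32, /48 and /64 prefixes only")
        for net in (internal, external):
            # Link-local prefixes are link-scoped and not routable; NPTv6 is
            # defined between a ULA and a global unicast prefix.
            if net.network_address.is_link_local:
                raise ValueError("link-local prefixes cannot be translated")
        self.internal, self.external = internal, external
        self.plen = internal.prefixlen
        self.nwords = self.plen // 16
        int_sum = oc_sum(to_words(internal.network_address)[: self.nwords])
        ext_sum = oc_sum(to_words(external.network_address)[: self.nwords])
        # RFC 6296: adjustment = internal - external (one's complement);
        # applied outbound, its negation is applied inbound.
        self.adjust_out = oc_add(int_sum, ext_sum ^ 0xFFFF)
        self.adjust_in = self.adjust_out ^ 0xFFFF

    def _translate(self, addr: IPv6Address, src: IPv6Network, dst: IPv6Network, adjust: int):
        if addr.is_link_local:
            raise ValueError(f"{addr} is link-local; it has no meaning beyond one link")
        if addr not in src:
            raise ValueError(f"{addr} is not inside {src}")
        words = to_words(addr)
        words[: self.nwords] = to_words(dst.network_address)[: self.nwords]
        if self.plen <= 48:
            idx = 3                      # the subnet word, bits 48-63
            if words[idx] == 0xFFFF:     # negative zero cannot be mapped reversibly
                raise ValueError("subnet word 0xFFFF is not translatable")
        else:
            # /64: first IID word that is not 0xFFFF takes the adjustment
            idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
            if idx is None:
                raise ValueError("IID of all-ones words is not translatable")
        result = oc_add(words[idx], adjust)
        words[idx] = 0 if result == 0xFFFF else result   # write positive zero
        return from_words(words)

    def outbound(self, addr: IPv6Address) -> IPv6Address:
        """Internal (ULA) address -> external (global) address."""
        return self._translate(addr, self.internal, self.external, self.adjust_out)

    def inbound(self, addr: IPv6Address) -> IPv6Address:
        """External (global) address -> internal (ULA) address."""
        return self._translate(addr, self.external, self.internal, self.adjust_in)


def checksum_neutral(before: IPv6Address, after: IPv6Address) -> bool:
    """True if rewriting `before` to `after` leaves a covering checksum unchanged."""
    return address_word_sum(before) == address_word_sum(after)


if __name__ == "__main__":
    # Constructed sample: a ULA /48 behind a documentation-prefix /48.
    t = NPTv6(IPv6Network("fd00:1234:5678::/48"), IPv6Network("2001:db8:1::/48"))
    inside = IPv6Address("fd00:1234:5678:1::a")
    outside = t.outbound(inside)
    print(inside, "->", outside, "-> back:", t.inbound(outside))
    print("checksum neutral:", checksum_neutral(inside, outside))
```

The round trip works because the inbound adjustment is the one's-complement negation of the outbound one, and checksum neutrality holds because 0x0000 and 0xFFFF are the same value in one's-complement arithmetic, which is why the translator may write 0 where the addition produces 0xFFFF.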

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3629aeba-61ef-2cce-4971-c3a0ed973765>