
Re: IPv6 & PF



On Sat, Feb 09, 2002 at 06:19:39PM +0100, Rob Sessink wrote:
> # Pass ipv6 traffic in and out to tunnel server
> pass in quick on $ext_if proto 41 from 206.123.31.114 to any
> pass out quick on $ext_if proto 41 from any to 206.123.31.114

Really, you only need to allow protocol 41 traffic from the tunnel
server to your firewall. 

> # Filter some ipv6 traffic
> 
> block in on gif0 inet6 all
> block out on gif0 inet6 all
> pass out quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type 128
> pass in quick on gif0 inet6 proto ipv6-icmp all ipv6-icmp-type 129

Looks OK. You can replace the icmp type numbers with keywords
("echoreq" and "echorep") to make things more readable if you want.

Of course eventually you'll want to pass more than just ICMP echo
request and reply packets :-) In particular if you're going to
have "pass" rules without "keep state", you'll want to look carefully
at allowing other icmp types through, such as Destination Unreachable
("unreach"), Packet Too Big ("toobig"), Time Exceeded ("timex"), and
Parameter Problem ("paramprob").

Note that except for the case of IPv6 only protocols like ipv6-icmp,
you don't have to specify inet6 specifically. (If you write a rule
with an IP address it'll only pass the appropriate version of the
protocol, of course.) So the following will work:

block in on gif0 all
block out on gif0 all

And you can do something like the following:

# allow outbound SSH connections
pass out on gif0 proto tcp from any to any port = 22 keep state

-Ryan

-- 
Ryan T. McBride, CISSP - mcbride@countersiege.com
Countersiege Systems Corporation - http://www.countersiege.com
PGP key fingerprint = 645D 30F3 6A3A A4FD 2B95  3EF3 10AD D8C8 834B 6CEE
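As an added illustration that is not part of either message in the thread, here is one way to assemble Ryan's suggestions into a single pf.conf fragment: protocol 41 restricted to the tunnel server and the firewall's own address rather than "any", keywords instead of raw ICMPv6 type numbers, the ICMPv6 error types allowed in alongside echo replies, and a stateful TCP rule. The interface names, the macro names and the tunnel-server address are assumptions (the address is a documentation-range placeholder, not the one from Rob's ruleset). The keyword spelling "ipv6-icmp-type" follows the syntax used in the thread; current pf spells it "icmp6-type".

```pf
# Added example, not Rob's or Ryan's ruleset. Interface names, macro
# names and the tunnel-server address are assumptions/constructed.
ext_if = "fxp0"
tun_if = "gif0"
tunnel_server = "203.0.113.10"   # placeholder for the real tunnel endpoint

# IPv6-in-IPv4 (protocol 41) only between the tunnel server and this
# host's external address, never "to any"; state covers the reply path.
pass in  quick on $ext_if proto 41 from $tunnel_server to $ext_if keep state
pass out quick on $ext_if proto 41 from $ext_if to $tunnel_server keep state

# Default deny on the tunnel interface. "inet6" is not needed here:
# only the ICMPv6 rules below refer to an IPv6-only protocol.
block in  on $tun_if all
block out on $tun_if all

# Stateless ICMPv6 with keywords instead of type numbers. Because these
# rules carry no "keep state", the error types (Destination Unreachable,
# Packet Too Big, Time Exceeded, Parameter Problem) have to be allowed
# in explicitly next to echo replies, or PMTU and error reporting break.
pass out quick on $tun_if inet6 proto ipv6-icmp all ipv6-icmp-type echoreq
pass in  quick on $tun_if inet6 proto ipv6-icmp all ipv6-icmp-type { echorep, unreach, toobig, timex, paramprob }

# Stateful TCP: outbound SSH only; the state entry admits the replies,
# so no matching "pass in" rule is required for them.
pass out on $tun_if proto tcp from any to any port = 22 keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to parse-check without activating the rules; the "-n" flag is what lets you catch a keyword spelling mismatch (ipv6-icmp-type versus icmp6-type) before the ruleset replaces a working one.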