Hurricane Electric's IPv6 Tunnel Broker Forums
OpenBSD pf IPv6

Started by maschwar77, September 05, 2010, 08:23:55 PM


maschwar77

Does anyone know how to configure pf for IPv6? It seems like nothing I do works. I need a simple example that will allow ssh. Thanks in advance.

Matt

theultramage

Depends on what you're doing... the simplest rule would be "pass quick on gif0". However, there are tons of other issues that need to be addressed too: having a public IP address, configuring a tunnel, setting an IPv6 address and default route...
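A minimal ruleset along the lines of that reply, as an added example that is not from the thread or from Hurricane Electric. It assumes gif0 is already up as the tunnel interface (on OpenBSD, /etc/hostname.gif0 with a `tunnel` line naming the two IPv4 endpoints, an `inet6 alias` line for the client IPv6 endpoint and a `!route add -inet6 default` line pointing at the server endpoint), that em0 is the external IPv4 interface, and it uses the RFC 5737 documentation address 192.0.2.1 as a placeholder for the HE server's IPv4 address. A bare `pass quick on gif0` would also expose every other IPv6 listener on the box; this version only lets in the tunnel, the ICMPv6 that IPv6 cannot work without, and ssh.

```pf
# Minimal pf.conf: IPv6 ssh in over an HE 6in4 tunnel. Added example, not from the thread.
ext_if = "em0"          # external IPv4 interface (assumption)
gif_if = "gif0"         # 6in4 tunnel interface (assumption)
he_v4  = "192.0.2.1"    # placeholder: use the "Server IPv4 Address" from your tunnel details

set skip on lo
set block-policy return

# default deny in both directions, logged to pflog0
block log all

# anything this host originates may leave; replies come back via state
pass out quick on { $ext_if, $gif_if } keep state

# the tunnel itself: IPv4 protocol 41 (IPv6-in-IPv4), only from the HE server
pass in quick on $ext_if inet proto 41 from $he_v4 to ($ext_if)

# IPv6 needs ICMPv6: echo requests so ping works, Packet Too Big so path MTU
# discovery works across the tunnel, whose MTU is below 1500
pass in quick on $gif_if inet6 proto ipv6-icmp from any to any \
        icmp6-type { echoreq, toobig }

# what the question asked for: ssh to this host's tunnel address, new connections only
pass in quick on $gif_if inet6 proto tcp from any to ($gif_if) \
        port ssh flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; if ssh over IPv6 still fails, `tcpdump -n -e -ttt -i pflog0` shows which logged block rule the packets are hitting, and `pfctl -ss` shows whether the protocol 41 state to the HE server exists at all.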

x25

Here's my pf.conf which works on OpenBSD 4.7. The ruleset allows incoming ICMP echo requests. It also includes some priority queueing to queue ACKs. Hope it helps.

# pf.conf - 20100916
ext_if="em0"          # external IPv4 interface, carries the 6in4 tunnel
gif_if="gif0"         # HE tunnel interface, carries the IPv6 traffic

# services
pub_ssh_tcp="{ ssh, https }"   # accepted on every interface and address family
res_www_tcp="www"
res_mx_tcp="smtp"

hurrelec="66.220.x.y"          # HE tunnel server (IPv4 endpoint)
v6_www="2001:470:x:y::1"
v4_www="174.a.b.c"
v6_mx="2001:470:x:y::8"

# IPv4 ranges that must never arrive from, or leave toward, the outside
nonroutedv4 = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32 }"
set loginterface $ext_if
set skip on lo
set timeout       { interval 10, frag 30 }
set limit         { frags 1000, states 15000 }
set optimization  normal
set block-policy  return       # blocked TCP gets a RST, blocked UDP an ICMP unreachable

# queue: q_pri carries ACKs and low-delay traffic, q_def everything else
altq on $ext_if priq bandwidth 20Mb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# normalise inbound packets; max-mss 1440 is sized for a 1500-byte IPv4 path,
# IPv6 over gif0 runs over a smaller MTU (1280 by default for gif(4), 1480 on HE's tunnels)
match in all scrub (no-df max-mss 1440)
antispoof log for { $ext_if, $gif_if }
block in quick from urpf-failed          # reverse-path check
block in from no-route to any
# both directions: TCP without SYN, or with ACK, that matches no state gets a RST
block return-rst log proto tcp all flags /S
block return-rst log proto tcp all flags A/A
block in log quick proto tcp from any to any flags FUP/FUP   # Xmas-style scan packets
block drop in   log (all) quick from $nonroutedv4 to any
block drop out log (all) quick from any to $nonroutedv4
# note: 443 is quick-blocked here on $ext_if, so the https entry in $pub_ssh_tcp
# below only takes effect on $gif_if (IPv6)
block return-rst  in quick on $ext_if proto tcp from any to any \
        port { 111, 443, 445, 1080, 6000 }
block return-icmp in quick on $ext_if proto udp from any to any \
        port { 137, 138, 139, 1434 }
block log                                # default deny, logged

# outbound: anything this host originates, with state; ACKs go to q_pri
pass out quick proto tcp to any flags S/SA modulate state queue (q_def, q_pri)
pass out quick proto udp from any to any modulate state queue (q_def, q_pri)
pass out quick inet proto icmp from any to any keep state queue (q_def, q_pri)
pass out quick inet6 proto ipv6-icmp from any to any keep state queue (q_def, q_pri)

# he.net tunnel - 20100916EP
# protocol 41 (IPv6-in-IPv4) only between this host and the HE server, long-lived state
pass in proto 41 from $hurrelec to $ext_if  keep state (other.multiple 86400) queue (q_def)
pass out proto 41 from $ext_if to $hurrelec keep state (other.multiple 86400) queue (q_def)

# ICMP: echo both ways, inbound echo limited to 32 concurrent states
pass out inet6 proto ipv6-icmp from any to any icmp6-type echoreq keep state queue (q_pri) allow-opts
pass in inet6 proto ipv6-icmp from any to any icmp6-type echoreq keep state (max 32) queue (q_def, q_pri)
pass in inet  proto icmp from any to any icmp-type 8 code 0 keep state (max 32) queue (q_def)

# ssh services: synproxy completes the handshake before the daemon sees the connection
pass in proto tcp from any to any port $pub_ssh_tcp flags S/SA synproxy state (max 1024, tcp.first 20, tcp.opening 20) queue (q_def, q_pri)

# http and mail, each pinned to the address family and host that serves it
pass in inet proto tcp from any  to $v4_www port $res_www_tcp flags S/SA synproxy state (max 1024, tcp.first 20, tcp.opening 20) queue (q_def)
pass in inet6 proto tcp from any to $v6_www port $res_www_tcp flags S/SA synproxy state (max 1024, tcp.first 20, tcp.opening 20) queue (q_def)
pass in inet6 proto tcp from any to $v6_mx  port $res_mx_tcp flags S/SA synproxy state (max 1024, tcp.first 20, tcp.opening 20) queue (q_def)