From mohacsi@scone.ki.iif.hu  Thu May 10 17:50:32 2007
Return-Path: <mohacsi@scone.ki.iif.hu>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 1CBA516A403
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 10 May 2007 17:50:32 +0000 (UTC)
	(envelope-from mohacsi@scone.ki.iif.hu)
Received: from scone.ki.iif.hu (scone.ki.iif.hu [193.6.222.31])
	by mx1.freebsd.org (Postfix) with ESMTP id 8794613C458
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 10 May 2007 17:50:31 +0000 (UTC)
	(envelope-from mohacsi@scone.ki.iif.hu)
Received: (from mohacsi@localhost)
	by scone.ki.iif.hu (8.14.1/8.14.1) id l4AHZvkh003374;
	Thu, 10 May 2007 19:35:57 +0200 (CEST)
	(envelope-from mohacsi)
Message-Id: <200705101735.l4AHZvkh003374@scone.ki.iif.hu>
Date: Thu, 10 May 2007 19:35:57 +0200 (CEST)
From: Janos Mohacsi <mohacsi@niif.hu>
Reply-To: Janos Mohacsi <janos.mohacsi@bsd.hu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: No ipv6 related pf examples in /usr/share/examples/pf
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         112579
>Category:       docs
>Synopsis:       [request] No ipv6 related pf examples in /usr/share/examples/pf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 10 18:00:11 GMT 2007
>Closed-Date:    
>Last-Modified:  Wed Jul 03 01:33:57 UTC 2013
>Originator:     Janos Mohacsi
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 6.2-STABLE FreeBSD 6.2-STABLE #23: Wed May 9 18:23:24 CEST 2007 root@scone.ki.iif.hu:/usr/obj/usr/src/sys/SCONE i386

>Description:

There are no IPv6-related examples in /usr/share/examples/pf, although pf has supported
IPv6 since the beginning. Filtering ICMPv6 packets should be considered more
carefully, therefore I enclose 3 sample configurations to be included in
/usr/share/examples/pf.

>How-To-Repeat:
	Look at /usr/share/examples/pf
	Test attached sample configs.
>Fix:

	

--- pf_ipv6host.conf.txt begins here ---
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# CHANGE to your network interface card!!!
ext_if="fxp0"

#block everything
block in log all
block out log all
#allow everything for loopback
pass in quick on lo0 all
pass out quick on lo0 all
#allow all outgoing packets
pass out quick proto tcp from $ext_if to any keep state
pass out quick proto udp from $ext_if to any keep state
pass out quick inet proto icmp from $ext_if to any keep state
pass out quick proto ipv6-icmp from any to any keep state
# ICMPv6 is far less optional in IPv6 than ICMP is in IPv4: neighbor discovery,
# router discovery and path MTU discovery all run over it.
# See RFC 4890 for a more detailed treatment of what to filter.
# supported icmp6-types:
# unreach    1   Destination unreachable
# toobig     2   Packet too big
# timex      3   Time Exceeded
# paramprob  4   Parameter problem
# echoreq    128 Echo Request
# echorep    129 Echo Reply
# groupqry   130 ICMPv6 Membership query
# listqry    130 MLD listener query
# grouprep   131 ICMPv6 membership report
# listenrep  131 MLD listener report
# groupterm  132 ICMPv6 membership termination
# listendone 132 MLD listener done
# routersol  133 ND router solicitation
# routeradv  134 ND router advertisement
# neighbrsol 135 ND neighbor solicitation
# neighbradv 136 ND neighbor advertisement
# redir      137 ND redirection
# routerrenum 138 ICMPv6 router renumbering
# wrureq     139 Who are you request
# wrurep     140 Who are you reply
# fqdnreq    139 ICMPv6 Fully Qualified Domain Name Query
# fqdnrep    140 ICMPv6 Fully Qualified Domain Name Reply
# nireq      139 Neighbor Information Query
# nirep      140 Neighbor Information Reply
# mtraceresp 200 MLD Multicast trace response
# mtrace     201 MLD Multicast trace
#
# Allow all incoming ICMPv6 packets
pass in quick proto ipv6-icmp from any to any
# Alternatively, allow only the bare essential ICMPv6 types (NS, NA and RA).
# RFC 4890 also lists the error types (unreach, toobig, timex, paramprob) as
# traffic that must not be dropped; add them here if you use this rule instead.
#pass in quick inet6 proto ipv6-icmp from any to any icmp6-type {neighbradv,neighbrsol,routeradv}
# allow incoming ssh access
pass in quick proto tcp from any to any port = 22
--- pf_ipv6host.conf.txt ends here ---

--- pf_noserver_ipv6.conf.txt begins here ---
#external interface 
EXT = "bge0"
#internal LAN interface
LAN = "bge1"
#IPv4 address of LAN interface
LANip4 = "192.168.1.1"
#IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
#IPv4 address of external interface
EXTip4 = "192.168.2.1"
#IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
#IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
#IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::/64"
#loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"
# expire state connections early
set optimization aggressive
block in log all
# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port=domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port=domain keep state
# all TCP request allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping request allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND neighbor solicitation and advertisement out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND neighbor solicitation and advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# router advertisement out
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS request inside
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain
# TCP request inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP request inside
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq
--- pf_noserver_ipv6.conf.txt ends here ---

--- pf_www_ssh_server_ipv6.conf.txt begins here ---
#external interface 
EXT = "bge0"
#internal LAN interface
LAN = "bge1"
#IPv4 address of LAN interface
LANip4 = "192.168.1.1"
#IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
#IPv4 address of external interface
EXTip4 = "192.168.2.1"
#IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
#IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
#IPv6 prefix on LAN interface
LANnet6 = "2001:db8:1:1::/64"
#loopback interfaces
Lo4 = "127.0.0.1"
Lo6 = "::1"
#internal server addresses (inside the LAN prefixes defined above)
LANSRV6="2001:db8:1:1::2"
LANSRV4="192.168.1.2"
# expire state connections early
set optimization aggressive
block in log all
# allow DNS requests to go out
pass out on $EXT inet proto udp from {$EXTip4, $Lo4, $LANnet4} to any port=domain keep state
pass out on $EXT inet6 proto udp from {$EXTip6, $Lo6, $LANnet6} to any port=domain keep state
# all TCP request allowed out
pass out on $EXT inet proto tcp from {$EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $EXT inet6 proto tcp from {$EXTip6, $Lo6, $LANnet6} to any keep state
# all ping request allowed out
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state
# ND neighbor solicitation and advertisement out
pass out on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND neighbor solicitation and advertisement in
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# router advertisement out
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# DNS request inside
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain
# TCP request inside
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any
# ICMP request inside
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq
#allow incoming connections to the SSH server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port=22 keep state
pass in on $EXT inet proto tcp from any to $LANSRV4 port=22 keep state
#replies from the SSH server (not strictly necessary once state is kept)
pass in on $LAN inet6 proto tcp from $LANSRV6 port=22 to any keep state
pass in on $LAN inet proto tcp from $LANSRV4 port=22 to any keep state
#allow incoming connections to the WWW server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port=www keep state
pass in on $EXT inet proto tcp from any to $LANSRV4 port=www keep state
#replies from the WWW server (not strictly necessary once state is kept)
pass in on $LAN inet6 proto tcp from $LANSRV6 port=www to any keep state
pass in on $LAN inet proto tcp from $LANSRV4 port=www to any keep state
--- pf_www_ssh_server_ipv6.conf.txt ends here ---
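Hand-written pf.conf files like the ones attached are easy to get subtly wrong: an unterminated macro string, a macro used without its $ sigil, keep-state instead of keep state, proto with no protocol name, a misspelled icmp6-type. As an added illustration, not part of this PR or of pf/pfctl, the lint below catches those classes offline, checking type names against the icmp6-type table in pf_ipv6host.conf.txt; the sample input is constructed from such defective lines, and pfctl -nf remains the authoritative syntax check on a host with pf.

```python
import re

# icmp6-type names, as listed in the comment table of pf_ipv6host.conf.txt
ICMP6_TYPES = set("""unreach toobig timex paramprob echoreq echorep groupqry listqry
grouprep listenrep groupterm listendone routersol routeradv neighbrsol neighbradv redir
routerrenum wrureq wrurep fqdnreq fqdnrep nireq nirep mtraceresp mtrace""".split())
MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"')                        # NAME = "value"
BARE_REF = re.compile(r'(?:[{,]|\b(?:from|to|on)\b)\s*([A-Za-z_]\w*)\b')  # word where $macro belongs
ICMP6_ARG = re.compile(r'\bicmp6-type\b\s*(\{[^}]*\}|[\w-]+)?')

def lint_pf(text):
    """Return [(line_no, message)] for defect classes common in hand-written pf.conf files."""
    findings, macros = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:                                 # macro definition: remember the name
            macros.add(m.group(1))
            if line.count('"') % 2:
                findings.append((n, "unterminated string in macro definition"))
            continue
        for name in BARE_REF.findall(line):   # a defined macro used without its $ sigil
            if name in macros:
                findings.append((n, "macro %s referenced without $" % name))
        if "keep-state" in line:
            findings.append((n, "'keep-state' is not pf syntax; use 'keep state'"))
        if re.search(r'\bproto\s+(?:from|to|all)\b', line):
            findings.append((n, "'proto' is not followed by a protocol name"))
        if re.search(r'\bcode\s*$', line):
            findings.append((n, "'code' is missing its value"))
        m6 = ICMP6_ARG.search(line)
        if m6 and m6.group(1) is None:
            findings.append((n, "'icmp6-type' is missing its type"))
        elif m6:                              # every listed type must be a known name
            for t in re.split(r'[\s,]+', m6.group(1).strip("{} ")):
                if t and t not in ICMP6_TYPES:
                    findings.append((n, "unknown icmp6-type '%s'" % t))
    return findings

# Constructed sample: seven defective rules of the kinds described above, then one clean rule.
SAMPLE = '''EXTip4 = "192.168.2.1
pass out on $EXT inet proto tcp from {EXTip4, $Lo4, $LANnet4} to any keep state
pass out on $LAN inet6 proto icmp6 all icmp6-type routersadv
pass in on $LAN inet proto from $LANnet4 to any port domain
pass in on $LAN inet6 proto icmp6 all icmp6-type
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port=22 keep-state
pass in on $LAN inet proto icmp all icmp-type 8 code
pass in on $EXT inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}'''
```

Running lint_pf(SAMPLE) reports one finding for each of the first seven lines and nothing for the eighth.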


>Release-Note:
>Audit-Trail:

From: Janos Mohacsi <mohacsi@niif.hu>
To: bug-followup@FreeBSD.org,  janos.mohacsi@bsd.hu, 
 freebsd-pf@freebsd.org
Cc:  
Subject: Re: docs/112579: No ipv6 related pf examples in /usr/share/examples/pf
Date: Wed, 10 Oct 2007 11:31:51 +0200

 The examples mostly assume the new OpenBSD default (also pf 4.1 in
 7.0-current) of keep-state.
 
 Should the doc group take care of it, or the freebsd-pf working group?
 
 Regards,
              Janos Mohacsi
Responsible-Changed-From-To: freebsd-doc->mlaier 
Responsible-Changed-By: trhodes 
Responsible-Changed-When: Sat Jan 26 09:18:52 UTC 2008 
Responsible-Changed-Why:  
PF in FreeBSD is a Max thing.  :) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=112579 
State-Changed-From-To: open->open 
State-Changed-By: linimon 
State-Changed-When: Wed Jul 3 00:50:32 UTC 2013 
State-Changed-Why:  
commit bit has been taken in for safekeeping. 


Responsible-Changed-From-To: mlaier->freebsd-doc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jul 3 00:50:32 UTC 2013 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=112579 
>Unformatted:
