Subject: Re: IPFilter IPv6 configuration
To: Darren Reed <darrenr@NetBSD.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 04/05/2005 12:50:53
In message <20050405153408.GA1678@NetBSD.org>, Darren Reed writes:
>
>For those that use IPFilter with IPv6 on NetBSD, does the current
>configuration cause any problems for you?
>
>Do you edit ipf.conf and forget to edit ipf6.conf or vice versa?
>
>Are there interaction issues or reporting problems needing to
>remember -6?
>
>If there was just a single configuration file, ipf.conf, that
>contained all IP (IPv4/6) firewall rules, would this make life
>easier or harder?
>
>If you were forced to manually transition your current system
>layout with both ipf.conf and ipf6.conf, would this be a serious
>issue?
>


Let me answer the questions a bit differently.

Most packet filters use the same basic style of configuration file as 
IPfilter -- an ordered set of rules that block or permit access to 
various services to or from various IP addresses.  In my opinion, 
that's very much the wrong way to do it.  As you imply, that causes 
problems when people update one part of the rules but not another.

The proper way to do it, in my opinion, is to separate topology from 
policy.  For example -- and this is *not* a suggestion about proper 
syntax, though I think it's close -- you might want to say something like:


allow service any from localhost;
allow service smtp from any to mailhost;
allow service netbios from roadwarriors to fileserver;

localhost = {if:lo0};
mailhost = {smtp.example.com, ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
fileserver = { ipv4:10.1.1.1};

netbios = {udp:135-139};



		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
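As an added example, not part of the message above and not IPFilter code, the following Python sketch expands a topology/policy file in the style Bellovin describes: named groups are resolved per address family, so one policy file yields both the IPv4 and the IPv6 rule set, and a host with no address in a family simply produces no rule there. The `roadwarriors` and `smtp` definitions, the `RULE` grammar and the emitted rule format are assumptions, not his syntax or ipf's.

```python
import re

# Constructed sample in the style of the sketch in the message; "roadwarriors"
# and "smtp" are assumed definitions that the message leaves undefined.
POLICY = """
allow service any from localhost;
allow service smtp from any to mailhost;
allow service netbios from roadwarriors to fileserver;
localhost = {if:lo0};
mailhost = {smtp.example.com, ipv4:192.168.0.0/24, ipv6:2004::0102:0304:0506};
fileserver = { ipv4:10.1.1.1};
roadwarriors = {ipv4:203.0.113.0/24, ipv6:2001:db8::/32};
netbios = {udp:135-139}; smtp = {tcp:25};
"""

RULE = r"(allow|block)\s+service\s+(\w+)\s+from\s+(\w+)(?:\s+to\s+(\w+))?"

def parse(text):
    """Split the policy into rules (action, service, src, dst) and named groups."""
    rules, groups = [], {}
    for stmt in filter(None, (s.strip() for s in text.split(";"))):
        if m := re.fullmatch(r"(\w+)\s*=\s*\{(.*)\}", stmt, re.S):
            groups[m[1]] = [t.strip() for t in m[2].split(",") if t.strip()]
        elif m := re.fullmatch(RULE, stmt):
            rules.append(m.groups())
        else:
            raise ValueError(f"unparsable statement: {stmt!r}")
    return rules, groups

def members(groups, name, family):
    """Group members visible to one address family (4 or 6): ipv4:/ipv6: entries
    belong to one family, interfaces (if:) and bare hostnames appear in both."""
    if name == "any":
        return ["any"]
    keep = {f"ipv{family}", "if"}
    return [val if kind in keep else tok  # strip the ipvN:/if: prefix
            for tok, (kind, _, val) in ((t, t.partition(":")) for t in groups[name])
            if kind in keep or kind not in ("ipv4", "ipv6")]

def expand(text):
    """Expand one policy file into per-family rule lines: {4: [...], 6: [...]}.
    A group with no address in a family yields no rule for that family."""
    rules, groups = parse(text)
    out = {4: [], 6: []}
    for action, svc, src, dst in rules:
        proto, _, ports = ("any", "", "") if svc == "any" else groups[svc][0].partition(":")
        port = f" port {ports}" if ports else ""
        for fam in (4, 6):
            for s in members(groups, src, fam):
                for d in members(groups, dst or "any", fam):
                    out[fam].append(f"{action} in proto {proto} from {s} to {d}{port}")
    return out
```

Changing `mailhost` once updates both emitted rule sets, which is the point of separating topology from policy; `expand(POLICY)[6]` carries no netbios rule because `fileserver` has no IPv6 address.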