Subject: Re: IPFilter IPv6 configuration
To: Darren Reed <darrenr@NetBSD.org>
From: Ronald van der Pol <Ronald.vanderPol@rvdp.org>
List: tech-net
Date: 04/06/2005 11:56:26
On Tue, Apr 05, 2005 at 15:34:08 +0000, Darren Reed wrote:

> For those that use IPFilter with IPv6 on NetBSD, does the current
> configuration cause any problems for you?

Possibly one. I have this for IPv4:
block return-icmp(filter-prohib) in log quick on ppp0 all

I've tried
block return-icmp(13) in log quick on gif0 all
for IPv6, but it didn't seem to work.

> Do you edit ipf.conf and forget to edit ipf6.conf or vice versa?

I generate both of them from a template. In this template I tried to
create a syntax to simplify the rules when both v4 and v6 are used.
I did not succeed well :-)

> Are there interaction issues or reporting problems needing to
> remember -6?
> 
> If there was just a single configuration file, ipf.conf, that
> contained all IP (IPv4/6) firewall rules, would this make life
> easier or harder?

I would prefer a single config file.

> If you were forced to manually transition your current system
> layout with both ipf.conf and ipf6.conf, would this be a serious
> issue?

No.

> One other question, if NAT were to support IPv6 also, would you
> expect a ipnat6.conf or for it to all fit in ipnat.conf?
> 
> Consider, with this, that with ippool, I've decided to use the same
> pool to hold both IPv4/6 addresses.

I have not seen a convincing reason for IPv6 NAT. There are better ways
to do what people would try to do with NAT.

	rvdp
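The template approach mentioned above (one source, two generated files) could look like the following; this is an added illustration, not the author's template. The `v4:`/`v6:` line prefixes, the `@IF@` placeholder and the interface table are assumptions; the rule lines themselves are the ones quoted in the thread plus a plain `block in log quick` rule.

```python
"""Expand one firewall template into ipf.conf (IPv4) and ipf6.conf (IPv6)."""
import re

# Assumed template syntax (constructed for this example): a line prefixed
# "v4:" or "v6:" goes to that family's file only; an unprefixed line goes
# to both. "@IF@" is replaced with the family's interface from INTERFACES.
INTERFACES = {"v4": "ppp0", "v6": "gif0"}  # as used in the message above

# Constructed sample template; the rules are taken from the thread.
TEMPLATE = """\
# shared default-deny rule, interface filled in per family
block in log quick on @IF@ all
v4: block return-icmp(filter-prohib) in log quick on @IF@ all
"""

PREFIX = re.compile(r"^(v4|v6):\s*(.*)$")


def expand(template, family):
    """Return the rule lines for one family ('v4' or 'v6')."""
    if family not in INTERFACES:
        raise ValueError("unknown address family: %r" % family)
    out = []
    for line in template.splitlines():
        m = PREFIX.match(line)
        if m:
            if m.group(1) != family:
                continue          # rule belongs to the other family
            line = m.group(2)     # strip the "v4:" / "v6:" prefix
        out.append(line.replace("@IF@", INTERFACES[family]))
    return out


def write_configs(template, v4_path="ipf.conf", v6_path="ipf6.conf"):
    """Write both generated files; returns the (v4, v6) rule counts."""
    counts = []
    for family, path in (("v4", v4_path), ("v6", v6_path)):
        rules = expand(template, family)
        with open(path, "w") as fh:
            fh.write("\n".join(rules) + "\n")
        counts.append(sum(1 for r in rules if not r.startswith("#")))
    return tuple(counts)


if __name__ == "__main__":
    for fam in ("v4", "v6"):
        print("--- %s ---" % fam)
        print("\n".join(expand(TEMPLATE, fam)))
```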