Subject: Re: IPFilter IPv6 configuration
To: Darren Reed <darrenr@netbsd.org>
From: Ronald van der Pol <Ronald.vanderPol@rvdp.org>
List: tech-net
Date: 04/06/2005 14:20:37
On Wed, Apr 06, 2005 at 10:17:26 +0000, Darren Reed wrote:

> But really, the difference is the above is about service definition, not
> access control.  I spent some time with a group of guys at Usenix about
> 10 years ago exploring this in the pursuit of making it easier.  I don't
> recall exactly what fell out of that...

I think it is another way of representing ACLs.

I think many have lines like:

# allow HTTP from any to kirk.rvdp.org
pass in quick on ppp0 proto tcp from any to 10.0.0.2 port = http keep frags
pass in quick on gif0 proto tcp from any to 2001:888:1777::2 port = http keep frags
pass in quick on gif0 proto tcp from any to 2001:888:1777::200:c5ff:fe0d:e597 port = http keep frags

It would be nice to be able to have just one (service description) line
saying: allow HTTP from anywhere to webhost. This should be expanded into
the three lines above. Maybe this could be implemented as a sort of
preprocessor.

Just to give an idea of what my template tried to do (but failed):

# Generate firewall rules. Each line begins with a {B,4,6} with meaning:
# B: rule applies to both IPv4 and IPv6
# 4: rule applies to IPv4 only
# 6: rule applies to IPv6 only
#
# Rules are run through sed(1) with regexp substitutions (see below).
# The style for substitution strings is CAPITALS with a % prepended and
# appended.
#

R4 %PASS-IN%=pass in quick on ppp0
R6 %PASS-IN%=pass in quick on gif0

R4 %KIRK%=10.0.0.2
R6 %KIRK%=2001:888:1777::2
R6 %KIRK2%=2001:888:1777::200:c5ff:fe0d:e597
R6 %BONES%=2001:888:1777::202:2dff:fe0f:7d1
R6 %BONESLABS%=2001:7b8:206:1:260:8ff:fed1:a403

B # allow HTTP from any to kirk.rvdp.org
B %PASS-IN% proto tcp from any to %KIRK% port = http keep frags
6 %PASS-IN% proto tcp from any to %KIRK2% port = http keep frags

	rvdp
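As an added example (not code from the post, and not how the author's sed(1)
pipeline was implemented), here is a small preprocessor in Python that reads
the template format the post describes and emits the concrete ipf rules. The
prefix conventions are the post's own: R4/R6 define a %TOKEN% substitution
for one address family, and B/4/6 tag a rule by the families it applies to.
The function names parse_template, expand and render and the TEMPLATE sample
are assumptions made for this example; the sample is the post's template with
a one-line header comment added.

```python
"""Added example: expand an IPFilter rule template into IPv4/IPv6 rules.

Stands in for the sed(1) substitution pipeline described in the post.
Template conventions (from the post):
  R4 %NAME%=value   substitution valid for IPv4 rules only
  R6 %NAME%=value   substitution valid for IPv6 rules only
  B <rule>          rule emitted for both IPv4 and IPv6
  4 <rule>          rule emitted for IPv4 only
  6 <rule>          rule emitted for IPv6 only
"""
import re

# Substitution tokens are CAPITALS wrapped in '%', as the post specifies.
TOKEN = re.compile(r"%[A-Z0-9-]+%")

# Constructed sample input: the post's template plus one header comment.
TEMPLATE = """\
# Generate firewall rules (template-level comment, not emitted)
R4 %PASS-IN%=pass in quick on ppp0
R6 %PASS-IN%=pass in quick on gif0

R4 %KIRK%=10.0.0.2
R6 %KIRK%=2001:888:1777::2
R6 %KIRK2%=2001:888:1777::200:c5ff:fe0d:e597

B # allow HTTP from any to kirk.rvdp.org
B %PASS-IN% proto tcp from any to %KIRK% port = http keep frags
6 %PASS-IN% proto tcp from any to %KIRK2% port = http keep frags
"""


def parse_template(text):
    """Split the template into per-family substitution maps and tagged rules."""
    subs = {"4": {}, "6": {}}
    rules = []  # (line number, family tag, rule text)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or template-level comment
        tag, _, rest = line.partition(" ")
        if tag in ("R4", "R6"):
            name, sep, value = rest.partition("=")
            name = name.strip()
            if sep != "=" or not TOKEN.fullmatch(name):
                raise ValueError(f"line {lineno}: malformed substitution: {raw!r}")
            subs[tag[1]][name] = value.strip()
        elif tag in ("B", "4", "6"):
            rules.append((lineno, tag, rest.strip()))
        else:
            raise ValueError(f"line {lineno}: unknown prefix {tag!r}")
    return subs, rules


def expand(subs, rules):
    """Emit one concrete rule per address family each rule is tagged for.

    A token with no value for the family being generated is an error rather
    than being left in place: plain sed would pass '%KIRK2%' through
    unchanged, and ipf would then reject (or misread) the resulting rule.
    """
    out = []
    for lineno, tag, rule in rules:
        if rule.startswith("#"):
            out.append(rule)  # rule comments are emitted once, not per family
            continue
        families = ("4", "6") if tag == "B" else (tag,)
        for fam in families:
            def lookup(match, fam=fam):
                token = match.group(0)
                if token not in subs[fam]:
                    raise ValueError(
                        f"line {lineno}: {token} has no IPv{fam} value; "
                        f"restrict the rule to one family or define R{fam} {token}")
                return subs[fam][token]
            out.append(TOKEN.sub(lookup, rule))
    return out


def render(text):
    """Template text in, list of ipf rule lines out."""
    subs, rules = parse_template(text)
    return expand(subs, rules)


if __name__ == "__main__":
    print("\n".join(render(TEMPLATE)))
```

Running it on the sample prints the comment line followed by the three rules
quoted in the post. The one design choice worth noting is that a B-tagged rule
referencing a token defined for only one family (like %KIRK2%) is rejected
instead of being emitted with the token left in, which is why the post needs
the separate 6-tagged line for the second IPv6 address.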