Subject: Re: IPFilter IPv6 configuration
To: Darren Reed <darrenr@NetBSD.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-net
Date: 04/08/2005 08:37:34
Darren Reed <darrenr@NetBSD.org> writes:

> For those that use IPFilter with IPv6 on NetBSD, does the current
> configuration cause any problems for you?

Not really, except that blocking a new service for machines in "block
only ports on which local services that might not be safe" mode
requires editing two files.

> Do you edit ipf.conf and forget to edit ipf6.conf or vice versa?

Occasionally.

> Are there interaction issues or reporting problems needing to
> remember -6?

No - I use /etc/rc.d/ipfilter reload which runs both, and I use
ipfstat -inh or ipfstat -inh6 without trouble.

> If there was just a single configuration file, ipf.conf, that
> contained all IP (IPv4/6) firewall rules, would this make life
> easier or harder?

Slightly easier, perhaps.  What would really be nice is a way to write
a rule that applies to both v4 and v6.  This might require first
implementing Steve Bellovin's suggestion of defining symbolic names
for address regions.

> If you were forced to manually transition your current system
> layout with both ipf.conf and ipf6.conf, would this be a serious
> issue?

No - seems pretty minor.  etcupdate would notice ipf6.conf, cat it
onto ipf.conf, and remove ipf6.conf, I'd hope (but not expect).

-- 
        Greg Troxel <gdt@ir.bbn.com>