Subject: Re: Example rules for IPv6 with IPFilter
To: Klaus Heinz <k.heinz.jan.sechs@onlinehome.de>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: tech-net
Date: 01/24/2006 23:40:02

On Tue, Jan 24, 2006 at 11:50:51PM +0100, Klaus Heinz wrote:
> Hi,
> 
> I just started to experiment with IPv6 and do not want to open up
> the machine completely to the IPv6 world, so I tried to find some examples
> of how to implement basic IPv6 filtering with IPFilter.
> 
> /usr/share/examples/ipf/* does not mention ipv6 and my Google-fu seems
> to be too weak to find something usable.
> 
> Peter Postma has a page at http://www.pointless.nl/~peter/docs/ipf6.html
> but the "Example" section still needs work.
> 
> How do people filter IPv6 traffic? Anyone care to share their
> configuration?

Sure, here's the file I use on my gateway at home

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
--

[Attachment: ipf6.conf]

# Loopback: traffic to or from ::1 is only accepted on lo0; anything else is blocked and logged
block in log quick from any to ::1 head 10
pass in quick on lo0 from any to any group 10
block in log quick from ::1 to any head 11
pass in quick on lo0 from any to any group 11

# Default policy: block and log; the quick rules below override it for what is allowed
block in log from any to any

# Link-local sources are accepted on the internal interfaces (le0, vlan0)
pass in quick on le0 from fe80::/16 to any
pass in quick on vlan0 from fe80::/16 to any

# A group for the local network
block in log quick from any to 2001:7a8:242c::/48 head 100
block in log quick from 2001:7a8:242c::/64 to any head 101
pass in log first quick on le0 proto udp from any to any keep state group 101
pass in quick on le0 from any to any group 101
pass in log first quick on vlan0 proto udp from any to any keep state group 101
pass in quick on vlan0 from any to any group 101
block in log quick from 2001:7a8:242c:1::/64 to any head 102
block in log quick from 2001:7a8:242c:2::/64 to any head 103
pass in log first quick on le0 proto udp from any to any keep state group 103
pass in quick on le0 from any to any group 103
pass in log first quick on vlan0 proto udp from any to any keep state group 103
pass in quick on vlan0 from any to any group 103
#from local network: pass all
pass in quick on le0 from any to any group 100
pass in quick on vlan0 from any to any group 100
# TCP to outside. TCP from outside to running services and dynamic ports
# UDP from outside to dynamic ports for DNS
pass in log quick proto tcp from any to 2001:7a8:242c:0:a00:20ff:fe1c:276e port = 21 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:2:a00:20ff:fe1c:276e port = 21 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:1::1 port = 21 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:0:a00:20ff:fe1c:276e port = 22 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:2:a00:20ff:fe1c:276e port = 22 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:1::1 port = 22 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:0:a00:20ff:fe1c:276e port = 25 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:2:a00:20ff:fe1c:276e port = 25 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:1::1 port = 25 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:0:a00:20ff:fe1c:276e port = 53 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:2:a00:20ff:fe1c:276e port = 53 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:1::1 port = 53 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:0:a00:20ff:fe1c:276e port = 80 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:2:a00:20ff:fe1c:276e port = 80 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:1::1 port = 80 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:0:a00:20ff:fe1c:276e port = 8888 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:2:a00:20ff:fe1c:276e port = 8888 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:1::1 port = 8888 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:0:a00:20ff:fe1c:276e port = 8889 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:2:a00:20ff:fe1c:276e port = 8889 flags S/SA group 100
pass in log quick proto tcp from any to 2001:7a8:242c:1::1 port = 8889 flags S/SA group 100
pass in log quick proto tcp from any to any port > 49151 flags S/SA group 100
pass in log quick proto tcp from any to any port 599 >< 1024 flags S/SA group 100
# special-case ident (for sendmail)
block return-rst in log quick proto tcp from any to any port = 113 flags S/SA group 100
block in log quick proto tcp from any to any flags S/SA group 100
pass in quick proto tcp from any to any group 100
pass in quick proto udp from any port = 53 to 2001:7a8:242c:0:a00:20ff:fe1c:276e port > 49151 group 100
pass in quick proto udp from any port = 53 to 2001:7a8:242c:2:a00:20ff:fe1c:276e port > 49151 group 100
pass in quick proto udp from any port = 53 to 2001:7a8:242c:1::1 port > 49151 group 100
pass in log quick proto udp from any to 2001:7a8:242c:0:a00:20ff:fe1c:276e port = 53 group 100
pass in log quick proto udp from any to 2001:7a8:242c:2:a00:20ff:fe1c:276e port = 53 group 100
pass in log quick proto udp from any to 2001:7a8:242c:1::1 port = 53 group 100
pass in log quick proto udp from any to any port > 49151 group 100
pass in log quick proto udp from any to any port 599 >< 1024 group 100
pass in quick proto ipv6-icmp from any to any group 100
pass in quick proto 44 from any to any group 100
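
Added illustration, not part of Manuel's mail or of IPFilter itself: a small stateless evaluator that walks a subset of the rules above the way ipf does (rules are matched in order, quick stops the walk, and a matching "head N" rule descends into group N where any match overrides it), so you can see which line decides a given packet. It ignores log and keep state; gif0 as the outside interface and 2001:db8::1 as the remote host are constructed assumptions.

```python
import ipaddress
# RULES keeps a subset of the attached ipf6.conf with its head/group structure intact.
RULES = """\
block in log from any to any
block in log quick from any to 2001:7a8:242c::/48 head 100
pass in quick on le0 from any to any group 100
pass in log quick proto tcp from any to 2001:7a8:242c:1::1 port = 22 flags S/SA group 100
pass in log quick proto tcp from any to any port 599 >< 1024 flags S/SA group 100
block return-rst in log quick proto tcp from any to any port = 113 flags S/SA group 100
block in log quick proto tcp from any to any flags S/SA group 100
pass in quick proto tcp from any to any group 100
"""

def endpoint(t, kw):  # address after 'from'/'to' (None = any) plus its 'port = n' or 'port lo >< hi' clause
    i = t.index(kw); addr, port = t[i + 1], None
    if i + 2 < len(t) and t[i + 2] == 'port':
        port = ('><', int(t[i + 3]), int(t[i + 5])) if t[i + 4] == '><' else (t[i + 3], int(t[i + 4]))
    return (None if addr == 'any' else ipaddress.ip_network(addr, strict=False)), port
def parse(text):
    rules = []
    for line in filter(None, text.splitlines()):
        t = line.split(); after = lambda k: t[t.index(k) + 1] if k in t else None
        rules.append(dict(text=line, action='block return-rst' if 'return-rst' in t else t[0],
                          quick='quick' in t, iface=after('on'), proto=after('proto'), flags=after('flags'),
                          head=after('head'), group=after('group') or '0', src=endpoint(t, 'from'), dst=endpoint(t, 'to')))
    return rules
def port_ok(spec, p):  # ipf's '><' is an exclusive range; a port clause never matches a portless packet
    if spec is None or p is None: return spec is None
    return spec[1] < p < spec[2] if spec[0] == '><' else {'=': p == spec[1], '>': p > spec[1]}[spec[0]]
def matches(r, pkt):
    if (r['iface'] and r['iface'] != pkt['iface']) or (r['proto'] and r['proto'] != pkt['proto']): return False
    for key in ('src', 'dst'):
        net, port = r[key]
        if net and ipaddress.ip_address(pkt[key]) not in net: return False
        if not port_ok(port, pkt.get(key[0] + 'port')): return False
    want, mask = (r['flags'] or '/').split('/')  # 'S/SA': within mask SA, S must be set and A clear
    return all((f in pkt.get('flags', '')) == (f in want) for f in mask)
def evaluate(rules, pkt, group='0'):
    """Walk one group in order: 'head N' descends into group N and any match there overrides it; 'quick' ends the walk, otherwise the last match wins. Returns (action, rule text, quick); None means no rule matched, which ipf passes."""
    hit = None
    for r in rules:
        if r['group'] != group or not matches(r, pkt): continue
        hit = (r['action'], r['text'], r['quick'])
        if r['head']:
            sub = evaluate(rules, pkt, r['head'])
            if sub: hit = (sub[0], sub[1], sub[2] or r['quick'])
        if hit[2]: break
    return hit
def tcp(dport, flags, iface='gif0'):  # constructed sample: 2001:db8::/32 is the documentation prefix, gif0 is an assumed outside interface
    return dict(iface=iface, proto='tcp', src='2001:db8::1', dst='2001:7a8:242c:1::1', sport=40000, dport=dport, flags=flags)
```

Running evaluate(parse(RULES), tcp(22, 'A')) shows that a non-SYN segment to port 22 is passed by the catch-all "pass in quick proto tcp" rule: the ruleset decides on the SYN and does not track state for TCP, so detection of anything else has to come from the log lines on the SYN rules.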
