tech-net archive


Re: IPFilter 5 and IPv4-mapped IPv6 addresses



On 22/07/2019 12:08, Greg Troxel wrote:

> I heard that the v4/v6 rules were unified, but I still see a -6 flag to
> ipfstat.

v4 and v6 rules are unified. They have been since NetBSD 7. I had to deal with this when I migrated from 6 to 7 a long time ago. You can no longer have an ipf.conf and an ipf6.conf; you have to bring the two files together into one.

I can't speak for ipfilter in 8, as my 8.x firewall is based on NPF, but in 7.x I've got IPv4 and IPv6 rules coexisting in the same group with no specific logic to deal with IPv4-mapped addresses.

Looking at my config, I've got two groups on the firewall interface. The in group, which starts:

# Group 205 incoming packets on Internet (currently pppoe0)
block in log on pppoe0 all head 205
block in log quick from 127.0.0.0/8 to any group 205
block in log quick from 10.0.0.0/8 to any group 205
block in log quick from 192.168.0.0/16 to any group 205
block in log quick from 172.16.0.0/12 to any group 205

Followed by pass in quick tcp and udp state rules to allow the inbound connections I want. In most cases I have two rules for each inbound port: one for the host's v4 address and one for the v6 address, e.g.:

pass in quick proto tcp from any to <internal_v4_address> port = 993 flags S keep state group 205
pass in quick proto tcp from any to <v6_address> port = 993 flags S keep state group 205



On the outbound side I have:

block out on pppoe0 all head 255
block out from 127.0.0.0/8 to any group 255
block out from any to 127.0.0.0/8 group 255

Then a few specific rules blocking all outbound traffic on a few tcp/udp ports to prevent credential leaking. I then have:

pass out quick proto tcp all flags S keep state keep frag group 255
pass out quick proto udp all keep state keep frag group 255
pass out quick proto icmp all keep state group 255
pass out quick proto ipv6-icmp all keep state group 255

to allow any remaining IPv4 and IPv6 traffic to pass out of the firewall. I've not noticed any oddities with IPv4-mapped addresses. If you are using NAT, use the inside addresses in the ipf rules, as the NAT is applied to input frames before the rules are applied on input. The NAT is applied after filtering for outbound frames.


Hope this helps you puzzle out your config.
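A small model of the packet path described in this reply (NAT before the filter on input, the filter before NAT on output, with v4 and v6 rules in one list), added here as an example; it is not code from the original message or from IPFilter itself. The Packet, Rule and Nat types, the addresses and the ports are constructed for illustration, rule groups are flattened into a single ordered list, and state tracking is not modelled.

```python
"""Toy model of IPFilter's inbound/outbound path on a NAT router.

Illustration written for this page, not IPFilter code.  It encodes two
points from the reply: filter rules see the *inside* address on input
because NAT runs first, and on output the rules run before NAT.  Matching
follows IPFilter's last-match-wins semantics, with 'quick' ending the
search and a default of pass when nothing matches.  Group heads are
flattened into one ordered list.  All addresses/ports are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out", relative to the firewall
    proto: str                # "tcp", "udp", "icmp", "ipv6-icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str               # "block" or "pass"
    direction: str            # "in" or "out"
    proto: Optional[str] = None       # None matches any protocol
    src: str = "any"          # CIDR network, single address, or "any"
    dst: str = "any"
    dport: Optional[int] = None       # None matches any port
    quick: bool = False


def addr_in(spec: str, addr: str) -> bool:
    """True if addr falls inside spec.  A v4 network never matches a v6
    address (and vice versa), which is why v4 and v6 rules coexist in
    one list without special handling."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec, strict=False)
    a = ipaddress.ip_address(addr)
    return a.version == net.version and a in net


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.proto is None or rule.proto == pkt.proto)
            and addr_in(rule.src, pkt.src)
            and addr_in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_decision(rules: list[Rule], pkt: Packet) -> str:
    """Last matching rule wins; a matching 'quick' rule ends the search;
    no match at all means pass."""
    decision = "pass"
    for rule in rules:
        if rule_matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


@dataclass(frozen=True)
class Nat:
    public: str               # address on the Internet-facing interface
    inside: str               # host behind the firewall


def inbound(nat: Nat, rules: list[Rule], pkt: Packet) -> str:
    """Input path: NAT rewrites the destination *before* filtering, so
    the rules must name the inside address."""
    if pkt.dst == nat.public:
        pkt = replace(pkt, dst=nat.inside)
    return filter_decision(rules, pkt)


def outbound(nat: Nat, rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Output path: filter on the inside source, then NAT the source.
    Returns (decision, source address as seen on the wire)."""
    decision = filter_decision(rules, pkt)
    src = nat.public if decision == "pass" and pkt.src == nat.inside else pkt.src
    return decision, src


def demo() -> dict:
    """Rules modelled on the reply's groups 205/255 (constructed values)."""
    nat = Nat(public="203.0.113.5", inside="192.168.1.10")
    common = [
        Rule("block", "in"),                                    # head 205
        Rule("block", "in", src="127.0.0.0/8", quick=True),
        Rule("block", "in", src="10.0.0.0/8", quick=True),
        Rule("block", "in", src="192.168.0.0/16", quick=True),
        Rule("block", "in", src="172.16.0.0/12", quick=True),
        Rule("pass", "in", proto="tcp", dst="2001:db8::10", dport=993, quick=True),
        Rule("block", "out"),                                   # head 255
        Rule("pass", "out", proto="tcp", quick=True),
    ]
    right = common + [Rule("pass", "in", proto="tcp", dst=nat.inside, dport=993, quick=True)]
    wrong = common + [Rule("pass", "in", proto="tcp", dst=nat.public, dport=993, quick=True)]
    imaps = Packet("in", "tcp", "198.51.100.7", nat.public, 993)
    imaps6 = Packet("in", "tcp", "2001:db8:1::7", "2001:db8::10", 993)
    spoofed = Packet("in", "tcp", "10.1.2.3", nat.public, 993)
    reply = Packet("out", "tcp", nat.inside, "198.51.100.7", 50000)
    return {
        "inside_addr_rule": inbound(nat, right, imaps),   # pass
        "public_addr_rule": inbound(nat, wrong, imaps),   # block: dst already NATed
        "v6_rule": inbound(nat, right, imaps6),           # pass
        "rfc1918_src": inbound(nat, right, spoofed),      # block, quick
        "outbound": outbound(nat, right, reply),          # ("pass", public)
    }
```

Running demo() shows the trap the reply warns about: the same IMAPS packet passes when the rule names 192.168.1.10 but is blocked when it names the public address, because by the time the rule is evaluated the destination has already been rewritten.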

