x25
Newbie
Posts: 2
« Reply #2 on: September 17, 2010, 10:47:56 am »

Here's my pf.conf which works on OpenBSD 4.7. The ruleset allows incoming ICMP echo requests. It also includes some priority queueing to queue ACKs. Hope it helps.
# pf.conf - 20100916
ext_if="em0"
gif_if="gif0"

# services
pub_ssh_tcp="{ ssh, https }"
res_www_tcp="www"
res_mx_tcp="smtp"

hurrelec="66.220.x.y"
v6_www="2001:470:x:y::1"
v4_www="174.a.b.c"
v6_mx="2001:470:x:y::8"

nonroutedv4 = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32 }"

set loginterface $ext_if
set skip on lo
set timeout { interval 10, frag 30 }
set limit { frags 1000, states 15000 }
set optimization normal
set block-policy return

# queue
altq on $ext_if priq bandwidth 20Mb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

match in all scrub (no-df max-mss 1440)
antispoof log for { $ext_if, $gif_if }
block in quick from urpf-failed
block in from no-route to any
block return-rst log proto tcp all flags /S
block return-rst log proto tcp all flags A/A
block in log quick proto tcp from any to any flags FUP/FUP
block drop in log (all) quick from $nonroutedv4 to any
block drop out log (all) quick from any to $nonroutedv4
block return-rst in quick on $ext_if proto tcp from any to any \
    port { 111, 443, 445, 1080, 6000 }
block return-icmp in quick on $ext_if proto udp from any to any \
    port { 137, 138, 139, 1434 }
block log

pass out quick proto tcp to any flags S/SA modulate state queue (q_def, q_pri)
pass out quick proto udp from any to any modulate state queue (q_def, q_pri)
pass out quick inet proto icmp from any to any keep state queue (q_def, q_pri)
pass out quick inet6 proto ipv6-icmp from any to any keep state queue (q_def, q_pri)

# he.net tunnel - 20100916EP
pass in proto 41 from $hurrelec to $ext_if keep state (other.multiple 86400) queue (q_def)
pass out proto 41 from $ext_if to $hurrelec keep state (other.multiple 86400) queue (q_def)

# ICMP
pass out inet6 proto ipv6-icmp from any to any icmp6-type echoreq keep state queue (q_pri) allow-opts
pass in inet6 proto ipv6-icmp from any to any icmp6-type echoreq keep state (max 32) queue (q_def, q_pri)
pass in inet proto icmp from any to any icmp-type 8 code 0 keep state (max 32) queue (q_def)

# ssh services
pass in proto tcp from any to any port $pub_ssh_tcp flags S/SA synproxy state (max 1024, tcp.first 20, tcp.opening 20) queue (q_def, q_pri)

# http
pass in inet proto tcp from any to $v4_www port $res_www_tcp flags S/SA synproxy state (max 1024, tcp.first 20, tcp.opening 20) queue (q_def)
pass in inet6 proto tcp from any to $v6_www port $res_www_tcp flags S/SA synproxy state (max 1024, tcp.first 20, tcp.opening 20) queue (q_def)
pass in inet6 proto tcp from any to $v6_mx port $res_mx_tcp flags S/SA synproxy state (max 1024, tcp.first 20, tcp.opening 20) queue (q_def)
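One audit worth running on a ruleset like this, as an added example that is not part of the post above: pf evaluates rules last-match-wins except for `quick`, so a port listed in an early `block ... quick` rule is never reached by a later `pass in` rule on the same interface. The script below is my own (not the poster's); it works on a constructed excerpt of the post's macros and rules, uses a small service-name table standing in for /etc/services, and ignores interface and address family, so each hit is a candidate to review. Here it flags port 443, which the em0 block list answers with a RST before the `$pub_ssh_tcp` pass rule can match.

```python
import re

# Constructed excerpt of the macros and rules from the post (the em0 TCP block
# list and the ssh/https pass rule); SERVICES stands in for /etc/services.
PF_EXCERPT = """
ext_if="em0"
pub_ssh_tcp="{ ssh, https }"
block return-rst in quick on $ext_if proto tcp from any to any port { 111, 443, 445, 1080, 6000 }
pass in proto tcp from any to any port $pub_ssh_tcp flags S/SA synproxy state
"""
SERVICES = {"ssh": 22, "https": 443, "www": 80, "smtp": 25}

def expand_macros(text):
    """Return (macros, rule_lines) with every $macro reference substituted."""
    macros, rules = {}, []
    for line in text.strip().splitlines():
        m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name, val in macros.items():
            line = line.replace("$" + name, val)
        rules.append(line)
    return macros, rules

def ports_of(rule):
    """Set of port numbers named in a rule's 'port ...' clause (names via SERVICES)."""
    m = re.search(r"port\s+(\{[^}]*\}|\S+)", rule)
    if not m:
        return set()
    items = re.findall(r"\w+", m.group(1))
    return {int(SERVICES.get(i, i)) for i in items if i.isdigit() or i in SERVICES}

def quick_block_shadows(text):
    """List (ports, rule) for each 'pass in' rule whose ports an earlier
    inbound 'block ... quick' rule already handles, so the pass never matches."""
    _, rules = expand_macros(text)
    blocked, hits = set(), []
    for rule in rules:
        if rule.startswith("block") and " quick " in rule and " in " in rule:
            blocked |= ports_of(rule)
        elif rule.startswith("pass in"):
            overlap = blocked & ports_of(rule)
            if overlap:
                hits.append((sorted(overlap), rule))
    return hits

if __name__ == "__main__":
    for ports, rule in quick_block_shadows(PF_EXCERPT):
        print(f"ports {ports} already handled by an earlier quick block: {rule}")
```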