PF.conf(5) for FreeBSD + IPv6 tunnel

My server runs FreeBSD 10 and the services are provided by jails running Debian GNU/kFreeBSD. I have enabled pf, the firewall, on the host with a few filtering rules: roughly, allow all output but block any input that is not wanted. These rules act only on the IPv6 side, because for IPv4 I rely on the box's NAT and port redirections to do the filtering.
Example

In the example below we will consider the following addresses:

Server IPv6 Address: 2001:470:c851:1
Client IPv6 Address: 2001:470:c851:2
www jail: 2001:470:c851:1001 (we will open ports 80 and 443)
mail jail: 2001:470:c851:1002 (we will open ports 25, 143 and 587)

Configuration

Note: I based this on the documentation at SixXS.
/etc/rc.conf.local

# PF (rc.conf is sourced by sh, so no spaces around the "=")
pf_enable="YES"
pflog_enable="YES"

/etc/pf.conf

# Macros
sendpoint = "2001:470:c851:1" # your Server IPv6 Address
cendpoint = "2001:470:c851:2" # your Client IPv6 Address
www = "2001:470:c851:1001" # ip of the www jail
mail = "2001:470:c851:1002" # ip of the mail jail
ext_inf = "gif0" # my tunnel interface

# don't filter lo0 (loopback)
set skip on lo0

# scrub incoming packets
scrub in all

# default policy: block (and log) everything in/out on $ext_inf;
# the "pass ... quick" rules below are the only exceptions
block in log on $ext_inf inet6
block out log on $ext_inf inet6

# allow heartbeat ping from the tunnel server to the client endpoint
pass in quick on $ext_inf inet6 proto {ipv6-icmp} from $sendpoint to $cendpoint keep state

# pass tcp, udp, and out icmp6 on the ipv6 tunnel interface.
pass out quick on $ext_inf inet6 proto {tcp udp ipv6-icmp} keep state

# www jail
pass in quick on $ext_inf inet6 proto tcp from any to $www port {80 443}

# mail jail
pass in quick on $ext_inf inet6 proto tcp from any to $mail port {25 143 587}
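As an added illustration (not part of the original post), here is a small Python model of how pf evaluates the rule set above: rules are walked top to bottom and the last matching rule wins, except that a matching rule marked quick ends the walk immediately, which is what turns the two block rules plus the pass in quick rules into a default-deny policy. It models only the first packet of a flow (pf's state table handles replies and is not modelled); the addresses are the post's own macro values.

```python
from dataclasses import dataclass
from typing import Optional

SENDPOINT, CENDPOINT = "2001:470:c851:1", "2001:470:c851:2"  # post's macros
WWW, MAIL = "2001:470:c851:1001", "2001:470:c851:1002"

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    direction: str                       # "in" or "out"
    quick: bool = False                  # quick: a match is final
    protos: Optional[frozenset] = None   # None matches any protocol
    src: Optional[str] = None            # None matches any source address
    dst: Optional[str] = None            # None matches any destination
    ports: Optional[frozenset] = None    # None matches any destination port

# The rules from the pf.conf above, in order ("log" does not change the verdict).
RULES = [
    Rule("block", "in"),
    Rule("block", "out"),
    Rule("pass", "in", quick=True, protos=frozenset({"ipv6-icmp"}),
         src=SENDPOINT, dst=CENDPOINT),
    Rule("pass", "out", quick=True, protos=frozenset({"tcp", "udp", "ipv6-icmp"})),
    Rule("pass", "in", quick=True, protos=frozenset({"tcp"}),
         dst=WWW, ports=frozenset({80, 443})),
    Rule("pass", "in", quick=True, protos=frozenset({"tcp"}),
         dst=MAIL, ports=frozenset({25, 143, 587})),
]

def matches(rule, direction, proto, src, dst, dport):
    return (rule.direction == direction
            and (rule.protos is None or proto in rule.protos)
            and (rule.src is None or rule.src == src)
            and (rule.dst is None or rule.dst == dst)
            and (rule.ports is None or dport in rule.ports))

def verdict(direction, proto, src, dst, dport=None, rules=RULES):
    """Decide 'pass' or 'block' for the first packet of a flow on $ext_inf."""
    decision = "pass"          # pf passes a packet that matches no rule at all
    for rule in rules:         # top to bottom: the LAST match wins ...
        if matches(rule, direction, proto, src, dst, dport):
            decision = rule.action
            if rule.quick:     # ... unless the match is "quick", which is final
                break
    return decision

if __name__ == "__main__":
    print(verdict("in", "tcp", "2001:db8::1", WWW, 443))    # pass (www rule)
    print(verdict("in", "tcp", "2001:db8::1", WWW, 22))     # block (falls to "block in")
```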

Check

pfctl can parse a configuration file without loading it, so syntax errors and undefined macros are caught before they touch the running ruleset:

# pfctl -nf /etc/pf.conf

Load

When the check passes, you can load it:

# service pf restart

Online test

Some sites offer to scan your ports online, including this site. It supports text-mode browsers, so you can run the scan directly from your server 😉