Re: IPv6 and IPv4 combined rules in pf.conf
Date: Wed, 08 May 2024 20:14:27 UTC
Dirk-Willem van Gulik:
> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
> listening to - is there a recommended way to set up pf.conf to avoid
> mistakes/duplication ?
>
> To avoid duplication in constructs such as:
>
> # Foo app servers
> foobarserver_host4=231.17.X.Y
> foobarserver_host6=fe80::5246:…
>
> # Load balancers - direct or via tun0 in post/fail-back
> bar_net=X.Y.Z.Z #
> bar_net6=fe80::5246:… #
> …
>
> pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
> pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state
>
> Is there some recommended way of doing this in stock FreeBSD ? Or does
> one usually end up with some sort of macro/generate style solution ?

I would suggest something like this:

table <foobarserver> { 231.17.X.Y fe80::5246:... }
table <bar-net> { ... }

pass on { tun0, $ext_if } proto udp from <bar-net> \
    to <foobarserver> port 2194

alternatively, if 'foobarserver' is the local host, you can simply do:

pass in on { tun0, $ext_if } proto udp from <bar-net> \
    to self port 2194

note that in either case pf doesn't need 'keep state'.
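A fuller dual-stack fragment built on the table approach from the reply above, as an added example that is not part of the original thread. The addresses are constructed documentation prefixes (RFC 5737 / RFC 3849), and `vtnet0`, the table file path and the port are placeholders, not values from the thread.

```pf
# Added example, not from the original thread. Interface name, file path
# and addresses are constructed placeholders.

ext_if = "vtnet0"

# One table per role. A pf table holds IPv4 and IPv6 entries side by side,
# and a rule that references it matches whichever family the packet is,
# so no per-family copy of the rule is needed.
# "const" makes the table immutable after pf.conf is loaded.
table <foobarserver> const { 192.0.2.10 2001:db8:1::10 }

# Lists that are generated elsewhere (the "macro/generate" case from the
# question) can be kept out of pf.conf entirely: one address or prefix per
# line in the file, both families mixed, "#" comments allowed.
# "persist" keeps the table alive even when no rule currently references it.
table <bar-net> persist file "/etc/pf.bar-net"

# One rule now covers both address families. pf filters statefully by
# default, so "keep state" is implied and can be left out.
pass in on { tun0, $ext_if } proto udp from <bar-net> \
    to <foobarserver> port 2194

# Variant for the case where this host is the server: "self" expands to
# every address (both families) configured on every local interface.
# pass in on { tun0, $ext_if } proto udp from <bar-net> to self port 2194

# When one family should be treated differently, the address-family
# keyword selects which entries of a mixed table a rule applies to.
pass in log on $ext_if inet6 proto udp from <bar-net> \
    to <foobarserver> port 2194
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, which catches a malformed table entry or a stray `udp6`-style protocol keyword. After loading, `pfctl -t foobarserver -T show` lists the table contents and confirms that both the IPv4 and the IPv6 entries were accepted.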