Re: IPv6 and IPv4 combined rules in pf.conf
- Reply: Dirk-Willem van Gulik : "Re: IPv6 and IPv4 combined rules in pf.conf"
- In reply to: Lexi Winter : "Re: IPv6 and IPv4 combined rules in pf.conf"
Date: Wed, 08 May 2024 20:41:56 UTC
> On 8 May 2024, at 22:14, Lexi Winter <lexi@le-fay.org> wrote:
>
> Dirk-Willem van Gulik:
>> For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
>> listening to - is there a recommended way to setup pf.conf to avoid
>> mistakes/duplication ?
>
>> To avoid duplication in constructs such as:
>
>> # Foo app servers
>> foobarserver_host4=231.17.X.Y
>> foobarserver_host6=fe80::5246:…
>>
>> # Load balancers - direct or via tun0 in post/fail-back
>> bar_net=X.Y.Z.Z #
>> bar_net6=fe80::5246:… #
>> …
>>
>> pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
>> pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state
>
>> Is there some recommended way of doing this in stock FreeBSD ? Or does
>> one usually end up with some sort of macro/generate style solution ?
>
> i would suggest something like this:
>
> table <foobarserver> {
>     231.17.X.Y
>     fe80::5246:...
> }
>
> table <bar-net> {
>     ...
> }
>
> pass on { tun0, $ext_if } proto udp from <bar-net> \
>     to <foobarserver> port 2194

Ok - excellent - so one can mix IPv4 and IPv6 in a list - and 'udp' no longer needs to be 'udp6' (and same for tcp6 and icmp6 v.s. tcp/icmp) - pf guesses this right based on the address ?

> note that in either case pf doesn't need 'keep state'.

Sorry :) cut and paste of an actual TCP rule edited to protect the innocent.

Dw
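The table-based layout suggested in the thread, written out as a complete pf.conf fragment. This is an added example, not the configuration of either poster; the interface name, table names and addresses are assumptions (the addresses come from the RFC 5737 / RFC 3849 documentation ranges), and it adds the one case where the address families still need separate rules, ICMP versus ICMPv6.

```pf
# Added example (not from the thread): one table per role, each holding both
# IPv4 and IPv6 entries. Addresses are documentation ranges constructed for
# this example; $ext_if is an assumed interface name.
ext_if = "vtnet0"

# Foo app servers: the v4 and v6 addresses of the same hosts in one table
table <foobarserver> const { 192.0.2.10, 2001:db8:1::10 }

# Load balancers, reachable directly or via tun0 in post/fail-back
table <bar_net> const { 198.51.100.0/24, 2001:db8:2::/64 }

# One rule covers both families: 'proto udp' matches UDP over IPv4 and IPv6,
# and each table entry only matches packets of its own address family.
# Filtering is stateful by default, so 'keep state' is not needed.
pass in on { tun0, $ext_if } proto udp from <bar_net> to <foobarserver> port 2194

# ICMP is where the families still split: ICMP and ICMPv6 are different
# protocols with different type keywords, so they get one rule each. The
# 'inet' / 'inet6' address-family keywords make the intent explicit.
pass in on $ext_if inet  proto icmp  from <bar_net> to <foobarserver> icmp-type echoreq
pass in on $ext_if inet6 proto icmp6 from <bar_net> to <foobarserver> icmp6-type echoreq
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, so a stray `udp6` or a malformed v6 address is caught at parse time. After loading, `pfctl -t foobarserver -T show` prints the table contents, which is the quickest way to see that a host is missing its IPv6 entry, and `pfctl -sr` shows the rules as pf expanded them.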