Discussion: IPv6 and IPv4 combined rules in pf.conf
Dirk-Willem van Gulik
2024-05-08 16:57:17 UTC
For dual-stack hosts, with both an IPv4 and an IPv6 CIDR that they are listening on - is there a recommended way to set up pf.conf to avoid mistakes/duplication ?

To avoid duplication in constructs such as:

# Foo app servers
foobarserver_host4=231.17.X.Y
foobarserver_host6=fe80::5246:…

# Load balancers - direct or via tun0 in post/fail-back
bar_net=X.Y.Z.Z #
bar_net6=fe80::5246:… #


pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
pass in on { tun0, $ext_if } proto udp6 from $bar_net6 to $foobarserver_host6 port 2194 keep state

Is there some recommended way of doing this in stock FreeBSD ? Or does one usually end up with some sort of macro/generate style solution ?

Dw



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Lexi Winter
2024-05-08 20:14:27 UTC
Post by Dirk-Willem van Gulik
For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
listening to - is there a recommended way to setup pf.conf to avoid
mistakes/duplication ?
# Foo app servers
foobarserver_host4=231.17.X.Y
foobarserver_host6=fe80::5246:…

# Load balancers - direct or via tun0 in post/fail-back
bar_net=X.Y.Z.Z #
bar_net6=fe80::5246:… #


pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state
Is there some recommended way of doing this in stock FreeBSD ? Or does
one usually end up with some sort of macro/generate style solution ?
I would suggest something like this:

table <foobarserver> {
231.17.X.Y
fe80::5246:...
}

table <bar-net> {
...
}

pass on { tun0, $ext_if } proto udp from <bar-net> \
to <foobarserver> port 2194

alternatively, if 'foobarserver' is the local host, you can simply do:

pass in on { tun0, $ext_if } proto udp from <bar-net> \
to self port 2194

note that in either case pf doesn't need 'keep state'.
Dirk-Willem van Gulik
2024-05-08 21:19:59 UTC
Post by Dirk-Willem van Gulik
Post by Lexi Winter
Post by Dirk-Willem van Gulik
For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
listening to - is there a recommended way to setup pf.conf to avoid
mistakes/duplication ?
# Foo app servers
foobarserver_host4=231.17.X.Y
foobarserver_host6=fe80::5246:…

# Load balancers - direct or via tun0 in post/fail-back
bar_net=X.Y.Z.Z #
bar_net6=fe80::5246:… #


pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state
Is there some recommended way of doing this in stock FreeBSD ? Or does
one usually end up with some sort of macro/generate style solution ?
table <foobarserver> {
231.17.X.Y
fe80::5246:...
}
table <bar-net> {
...
}
pass on { tun0, $ext_if } proto udp from <bar-net> \
to <foobarserver> port 2194
Ok - excellent - so one can mix IPv4 and IPv6 in a list - and 'udp' no longer needs to be 'udp6' (and the same for tcp6 and icmp6 vs. tcp/icmp) - pf guesses this right based on the address ?
Ignore - that works perfectly - with inet/inet6 thrown in where I need to make the distinction.

Thanks !

Dw.

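To make the table approach concrete, the fragment below is an added example for this thread, not a ruleset from either poster. It assumes a recent FreeBSD pf; the interface names, the documentation-range addresses (192.0.2.0/24, 2001:db8::/32) and the table file path are placeholders. It shows one mixed-family table matched by a single rule, `self` for the case where the app server is the local host, and the `inet`/`inet6` address-family keyword used only where the two families genuinely differ.

```pf
# Added example (not from the thread): dual-stack pf.conf fragment.
# Interface names, addresses and the table file path are placeholders.

ext_if = "em0"

# Options must precede filter rules in FreeBSD's pf.
set skip on lo0

# A single table may hold both address families; pf matches whichever
# family the packet carries, so one rule replaces the host4/host6 pair.
table <foobarserver> const { 192.0.2.10, 2001:db8::10 }

# Load balancers kept in a file: an address change becomes a table reload
#   pfctl -t bar-net -T replace -f /etc/pf/bar-net.txt
# rather than a ruleset edit. 'persist' keeps the table even when empty.
table <bar-net> persist file "/etc/pf/bar-net.txt"

block drop in log all

# One rule for IPv4 and IPv6; pass rules keep state by default.
pass in on { tun0, $ext_if } proto udp from <bar-net> \
    to <foobarserver> port 2194

# If foobarserver is this host, 'self' expands to every local address
# of both families and the table above is not needed:
#   pass in on { tun0, $ext_if } proto udp from <bar-net> to self port 2194

# Restrict by address family only where the families really differ:
# IPv6 needs neighbor discovery, which has no IPv4 equivalent.
pass in on $ext_if inet6 proto icmp6 from any to any \
    icmp6-type { neighbrsol, neighbradv, routeradv }

# IPv4-only management path, made explicit with 'inet'.
pass in on $ext_if inet proto tcp from <bar-net> to self port 22
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, and confirm what a table actually contains with `pfctl -t foobarserver -T show`; both families appear in one listing. The address family of a rule is selected with `inet`/`inet6`, not with a protocol-name suffix, which is why the single `proto udp` rule covers both stacks.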
Dirk-Willem van Gulik
2024-05-08 20:41:56 UTC
Post by Lexi Winter
Post by Dirk-Willem van Gulik
For dual stack hosts; with both an IPv4 and IPv6 CIDR that they are
listening to - is there a recommended way to setup pf.conf to avoid
mistakes/duplication ?
# Foo app servers
foobarserver_host4=231.17.X.Y
foobarserver_host6=fe80::5246:…

# Load balancers - direct or via tun0 in post/fail-back
bar_net=X.Y.Z.Z #
bar_net6=fe80::5246:… #


pass in on { tun0, $ext_if } proto udp from $bar_net to $foobarserver_host4 port 2194 keep state
pass in on { tun0, $ext_if } proto udp6 from bar_net6 $var to $foobarserver_host6 port 2194 keep state
Is there some recommended way of doing this in stock FreeBSD ? Or does
one usually end up with some sort of macro/generate style solution ?
table <foobarserver> {
231.17.X.Y
fe80::5246:...
}
table <bar-net> {
...
}
pass on { tun0, $ext_if } proto udp from <bar-net> \
to <foobarserver> port 2194
Ok - excellent - so one can mix IPv4 and IPv6 in a list - and 'udp' no longer needs to be 'udp6' (and the same for tcp6 and icmp6 vs. tcp/icmp) - pf guesses this right based on the address ?
Post by Lexi Winter
note that in either case pf doesn't need 'keep state’.
Sorry :) cut and paste of an actual TCP rule edited to protect the innocent.

Dw