
rtsol with 'pf=YES'



OK, so we have a set of rules that are a lot more restrictive than
'pass { in out } inet6 proto ipv6-icmp all' .. I'm not sure what a
'PMTUD' message would look like and how to allow it, but here's what
this all boils down to in terms of /etc/rc and /etc/netstart's rtsol rules:
The below lines are for ipv6 DAD (look for duplicate ipv6 ip on the local
link).
/etc/rc:
	RULES="block in all\nblock out all"
+	RULES="$RULES\npass out inet6 proto ipv6-icmp from { :: fe80::/16 } to ff02::/16 ipv6-icmp-type grouprep code 0"
+	RULES="$RULES\npass out inet6 proto ipv6-icmp all ipv6-icmp-type neighbrsol code 0"
+	RULES="$RULES\npass in  inet6 proto ipv6-icmp all ipv6-icmp-type neighbradv code 0"
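Review bot: the three pass rules are asymmetric: neighbrsol is allowed only out and neighbradv only in, so while this rule set is loaded the host cannot answer neighbor solicitations from other nodes, including another node's DAD probe for an address this host already holds, and its own unsolicited advertisements are blocked. If that boot-time window matters, add the mirror `pass in  inet6 proto ipv6-icmp all ipv6-icmp-type neighbrsol code 0` and a matching `pass out ... ipv6-icmp-type neighbradv code 0`.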
There _may_ be room to make the above more restrictive if we want to restrict
things to/from interface addresses and/or multicast addresses, but that is all.
The below four lines are for ipv6 rtsol (autodiscovery/router solicitation):
/etc/netstart:
	if [ "x$fw" = "x0" -a "x$ra" = "x1" ]; then
+		RULES="$RULES\npass out on $rtif inet6 proto ipv6-icmp from fe80::/16 to ff02::2 ipv6-icmp-type routersol code 0"
+		RULES="$RULES\npass in  on $rtif inet6 proto ipv6-icmp from fe80::/16 to ff02::1 ipv6-icmp-type routeradv code 0"
+		RULES="$RULES\npass in  on $rtif inet6 proto ipv6-icmp from fe80::/16 to fe80::/16 ipv6-icmp-type routeradv code 0"
+		echo $RULES | pfctl -f -
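Review bot: the routersol rule only allows solicitations `from fe80::/16`, but RFC 4861 also permits a router solicitation with the unspecified source `::` when the sender has no link-local address yet; if rtsol fires on $rtif before DAD has completed, that packet falls through to `block out all`. Either list `::` in the source, as the grouprep rule already does with `{ :: fe80::/16 }`, or make sure the solicitation is only sent once the link-local address is up.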
--and/or--
I can try to add code in netstart to add lines that expand just to the ipv6
addresses on the specific interfaces just before they are brought up.  Does
that sound more sane?
Aka something like (in /etc/netstart instead of the /etc/rc lines above):
	ifconfig $if > /dev/null 2>&1
	if [ "$?" != "0" ]; then
		return
	fi
+       RULES="$RULES\npass out on $if inet6 proto ipv6-icmp from { :: fe80::/16 } to ff02::/16 ipv6-icmp-type grouprep code 0"
+       RULES="$RULES\npass out on $if inet6 proto ipv6-icmp from ($if) to any ipv6-icmp-type neighbrsol code 0"
+       RULES="$RULES\npass in  on $if inet6 proto ipv6-icmp from any to ($if) ipv6-icmp-type neighbradv code 0"
+	echo $RULES | pfctl -f -
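Review bot: `from ($if)` and `to ($if)` do not cover DAD. A DAD neighbor solicitation is sent with the unspecified source `::` (RFC 4862), which is never an interface address, and the neighbor advertisement that answers it is sent to the all-nodes group ff02::1 rather than to an address of $if, so both the neighbrsol and neighbradv rules here would fall through to `block`. The /etc/rc variant above uses `all` for exactly these two rules and does not have this problem; keep `all` (or add `::` and `ff02::1` explicitly) for the DAD rules and use `($if)` only where a configured address is really the endpoint. Also, the `return` after the failed `ifconfig $if` only works if this snippet lives inside a shell function.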
-- 
Todd Fries .. [email protected]
(last updated $ToddFries: signature.p,v 1.2 2002/03/19 15:10:18 todd Exp $)
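Added example, not from the post or from OpenBSD: a small Python model of pf's last-match evaluation applied to the /etc/rc and /etc/netstart rules above, run over constructed packets (the interface name em0 and all addresses are assumptions). It shows that the DAD probe and a router advertisement pass, while a "Packet Too Big" message (ICMPv6 type 2, the message PMTUD relies on and the one the post asks about) is dropped by `block in all` because no pass rule covers it.

```python
import ipaddress

# ICMPv6 type numbers behind the pf keywords in the post, plus "Packet Too Big"
# (RFC 4443 type 2), which is the PMTUD message the post asks about.
ICMP6 = {"toobig": 2, "routersol": 133, "routeradv": 134,
         "neighbrsol": 135, "neighbradv": 136, "grouprep": 143}

def _nets(spec):
    """'any' -> [None]; '{ :: fe80::/16 }' style lists -> list of networks."""
    if spec == "any":
        return [None]
    return [ipaddress.ip_network(s, strict=False) for s in spec.split()]

def rule(action, direction, src, dst, itype=None, iface=None):
    return {"action": action, "dir": direction, "src": _nets(src), "dst": _nets(dst),
            "type": None if itype is None else ICMP6[itype], "iface": iface}

def pkt(direction, src, dst, itype, iface="em0"):
    return {"dir": direction, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "type": ICMP6.get(itype, itype), "iface": iface}

def _in(addr, nets):
    return any(n is None or addr in n for n in nets)

def matches(r, p):
    return (r["dir"] == p["dir"]
            and (r["iface"] is None or r["iface"] == p["iface"])
            and (r["type"] is None or r["type"] == p["type"])
            and _in(p["src"], r["src"]) and _in(p["dst"], r["dst"]))

def evaluate(rules, p):
    """pf without 'quick': the last matching rule wins; no match at all means pass."""
    verdict = "pass"
    for r in rules:
        if matches(r, p):
            verdict = r["action"]
    return verdict

# The /etc/rc and /etc/netstart rules from the post, assuming rtif is em0.
RULES = [
    rule("block", "in", "any", "any"),
    rule("block", "out", "any", "any"),
    rule("pass", "out", ":: fe80::/16", "ff02::/16", "grouprep"),
    rule("pass", "out", "any", "any", "neighbrsol"),
    rule("pass", "in", "any", "any", "neighbradv"),
    rule("pass", "out", "fe80::/16", "ff02::2", "routersol", "em0"),
    rule("pass", "in", "fe80::/16", "ff02::1", "routeradv", "em0"),
    rule("pass", "in", "fe80::/16", "fe80::/16", "routeradv", "em0"),
]

# Constructed packets (addresses made up for the example).
DAD_PROBE = pkt("out", "::", "ff02::1:ff00:1", "neighbrsol")   # DAD NS from ::
RA = pkt("in", "fe80::1", "ff02::1", "routeradv")               # router advertisement
TOO_BIG = pkt("in", "2001:db8::1", "2001:db8::2", "toobig")     # PMTUD message
ECHO_REQ = pkt("in", "2001:db8::1", "2001:db8::2", 128)         # plain ping
```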