OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: mahescho on January 06, 2019, 01:59:53 pm

Title: Better understanding PF in a dual stack environment
Post by: mahescho on January 06, 2019, 01:59:53 pm
Hi,

I've a few comprehension questions about "pf" in general and with dual stack in particular.


What I miss most is a real, generic "internet object" which addresses "all non-local" traffic. I know the workaround with aliases, but with more than one or two internal interfaces (12 in my case ...) it's a real pain, as I have to create an "internet" alias for every interface which excludes all the others.

TIA
Title: Re: Better understanding PF in a dual stack environment
Post by: franco on January 06, 2019, 09:10:50 pm
Hi,

It's /tmp/rules.debug -- I think you can use mixed IP tables and let the rule decide which ones you want to filter, so IPv4 only, IPv6 only or both.

I'm not entirely sure about 3. depending on the truthfulness of my statement regarding 2. ;)

"Internet object" is difficult as that estimation might not be true and requires manual setup and transient breakage during network extension and redesign. Normally dump all into an alias and use inversion to catch everything else. It's still dangerous as you give access to Internet but then if you forget a new internal resource you yield access... worst case for a DMZ so this is overly error prone in my opinion.

I have no real solution to offer here. ;(


Cheers,
Franco
Title: Re: Better understanding PF in a dual stack environment
Post by: mahescho on January 07, 2019, 08:57:44 am
Thanks. I've tried the following and for now it seems to work for me:

For the "Internet object" I've created an alias containing all RFC1918 addresses and my complete list of local IPv6 prefixes. When I negate it in rules I get what I want: no access to local systems, but access to the rest of the world.

One minor drawback of this is that this also matches the firewall external parts (between external router and the firewall) of my IPv6 prefixes but for my current use cases this is no show stopper.

The goal of this is to minimize the amount of necessary rules.
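The pattern described in the thread (franco's remark that a single mixed IPv4/IPv6 table can feed both families, and the negated "local networks" alias from the last post) looks like this in raw pf.conf syntax, roughly the shape you would see in /tmp/rules.debug. This is an added, hand-written example and not code from the thread or from OPNsense; the interface names and the 2001:db8:... prefix are placeholders, and the negated table entry for the transit segment is only a suggestion for the drawback mentioned above:

```pf
# Added example, not from the original thread. Interface names and the
# 2001:db8 prefix are assumed placeholders; replace them with your own.

# One table holding everything that is "local": RFC1918, IPv6 ULA and the
# site's delegated GUA prefixes. pf allows IPv4 and IPv6 entries to be
# mixed in a single table, so one alias serves both address families.
table <local_nets> persist {                              \
    10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,            \
    fc00::/7,                                             \
    2001:db8:1234::/48,                                   \
    !2001:db8:1234:ffff::/64                              \
}
# The "!" entry above excludes the transit /64 between the external router
# and the firewall from the local set, so traffic to it is treated as
# Internet-bound; drop that line if you want the transit segment protected.

lan_ifs = "{ igb1 igb2 igb3 }"

# "Internet only" for all internal segments: the destination must NOT be in
# the local table. A rule without inet/inet6 matches both families; split
# into two rules only if v4 and v6 need different handling.
pass in quick on $lan_ifs from any to ! <local_nets> keep state

# Inter-segment traffic is then handled by explicit rules; anything to a
# local prefix that no rule above allowed is dropped and logged.
block in log quick on $lan_ifs from any to <local_nets>
```

Two checks worth running after a change like this: `pfctl -nf /tmp/rules.debug` parses the generated ruleset without loading it, and `pfctl -t local_nets -T test 203.0.113.5` (or any v6 address) reports whether a given destination falls inside the table, which is the quickest way to confirm the negation behaves as intended before relying on it. The caveat franco raises still applies: any new internal prefix that is not added to the table is reachable from every segment by default.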