Better understanding PF in a dual stack environment

Started by mahescho, January 06, 2019, 01:59:53 PM

Hi,

I've a few comprehension questions about "pf" in general and with dual stack in particular.


  • Is there a file containing the pf configuration in OPNsense, like /etc/pf.conf in FreeBSD?
  • I found that I can create an alias containing IPv4 and IPv6 addresses and then use it in an IPv4+IPv6 rule. Is this correct?
  • If 2. is correct: how does pf handle this internally?

What I miss most is a real, generic "internet object" which addresses "all non-local" traffic. I know the workaround with aliases, but with more than one or two internal interfaces (12 in my case ...) it's a real pain, as I have to create an "internet" alias for every interface which excludes all the others.

TIA
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13

Hi,

It's /tmp/rules.debug -- I think you can use mixed IP tables and let the rule decide which ones you want to filter, so IPv4 only, IPv6 only or both.

I'm not entirely sure about 3. depending on the truthfulness of my statement regarding 2. ;)

"Internet object" is difficult as that estimation might not be true and requires manual setup and transient breakage during network extension and redesign. Normally dump all into an alias and use inversion to catch everything else. It's still dangerous as you give access to Internet but then if you forget a new internal resource you yield access... worst case for a DMZ so this is overly error prone in my opinion.

I have no real solution to offer here. ;(


Cheers,
Franco

Thanks. I've tried the following and for now it seems to work for me:

For the "Internet object" I've created an alias containing all RFC1918 addresses and my complete list of local IPv6 prefixes. When I negate it in rules I get what I want: no access to local systems, but access to the rest of the world.

One minor drawback of this is that it also matches the firewall's external parts (between the external router and the firewall) of my IPv6 prefixes, but for my current use cases this is no show stopper.

The goal of this is to minimize the amount of necessary rules.
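The mixed-family alias and negated rule described in this thread, written out in plain pf.conf syntax as an added illustration (not the posters' configuration and not OPNsense's generated /tmp/rules.debug); interface names, the 2001:db8:: prefixes and the transit /64 are placeholders.

```pf
# Constructed example: one "local" table mixing IPv4 and IPv6 entries.
# The 2001:db8:: prefixes are documentation placeholders standing in for
# the real delegated IPv6 prefixes.
lan_if = "igb1"   # placeholder interface name

table <local_nets> {
    10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,   # RFC 1918
    2001:db8:1::/48, 2001:db8:2::/48             # local IPv6 prefixes
}

# "Internet" rules: allow anything whose destination is NOT in the table.
# pf matches a table lookup against the address family of the packet, so
# one mixed table serves both the inet and the inet6 rule.
pass in quick on $lan_if inet  from $lan_if:network to ! <local_nets> keep state
pass in quick on $lan_if inet6 from $lan_if:network to ! <local_nets> keep state

# Make the remaining case explicit: LAN towards any local network is dropped.
block in quick on $lan_if from any to <local_nets>

# The drawback noted above: the WAN-side transit /64 lies inside the
# delegated /48, so it is treated as "local" too. pf tables accept negated
# entries, which carve such a range back out (placeholder transit net):
#   table <local_nets> { ..., 2001:db8:1::/48, !2001:db8:1:ffff::/64 }
```

`pfctl -t local_nets -T test 2001:db8:1:ffff::1` reports whether an address resolves to the table, which is the quickest way to see what the negated rule will and will not exclude.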