OPNsense Forum » Archive » 18.7 Legacy Series » Better understanding PF in a dual stack environment
Topic: Better understanding PF in a dual stack environment (Read 3330 times)
mahescho (Jr. Member, Posts: 63, Karma: 2)
Better understanding PF in a dual stack environment
« on: January 06, 2019, 01:59:53 pm »
Hi,
I've a few comprehension questions about "pf" in general and with dual stack in particular.
1. Is there a file containing the pf configuration in OPNsense like /etc/pf.conf in FreeBSD?
2. I found that I can create an alias containing IPv4 and IPv6 addresses and then use it in an IPv4+IPv6 rule. Is this correct?
3. If 2. is correct: how does this work in pf internally?
4. What I miss most is a real, generic "internet object" which addresses "all non local" traffic. I know the workaround with aliases, but with more than one or two internal interfaces (12 in my case ...) it's a real pain as I have to create an "internet" alias for every interface which excludes all the others.
TIA
OPNsense 24.1.6-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
franco (Administrator, Hero Member, Posts: 17665, Karma: 1611)
Re: Better understanding PF in a dual stack environment
« Reply #1 on: January 06, 2019, 09:10:50 pm »
Hi,
It's /tmp/rules.debug -- I think you can use mixed IP tables and let the rule decide which ones you want to filter, so IPv4 only, IPv6 only or both.
I'm not entirely sure about 3. depending on the truthfulness of my statement regarding 2.
"Internet object" is difficult as that estimation might not be true and requires manual setup and transient breakage during network extension and redesign. Normally dump all into an alias and use inversion to catch everything else. It's still dangerous as you give access to Internet but then if you forget a new internal resource you yield access... worst case for a DMZ so this is overly error prone in my opinion.
I have no real solution to offer here. ;(
Cheers,
Franco
mahescho (Jr. Member, Posts: 63, Karma: 2)
Re: Better understanding PF in a dual stack environment
« Reply #2 on: January 07, 2019, 08:57:44 am »
Thanks. I've tried the following and for now it seems to work for me:
For the "Internet object" I've created an alias containing all RFC1918 addresses and my complete list of local IPv6 prefixes. When I negate it in rules I get what I want: no access to local systems, but access to the rest of the world.
One minor drawback of this is that this also matches the firewall external parts (between external router and the firewall) of my IPv6 prefixes but for my current use cases this is no show stopper.
The goal of this is to minimize the amount of necessary rules.
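The mechanism the thread converges on (one alias holding RFC1918 space plus the local IPv6 prefixes, negated in a rule so that "everything else" is the internet) can be modelled outside pf to see what franco's "let the rule decide" means for a mixed table. The following is an added example, not code from the thread or from OPNsense: a small Python model in which the rule's address family (inet, inet6 or both) selects which table entries can ever match, and the negated table lookup then decides local versus internet. It also reproduces the drawback mahescho mentions: any WAN-side addresses that fall inside a delegated IPv6 prefix count as local. The alias contents, the documentation prefix 2001:db8:1::/48 standing in for a real delegated prefix, and the rule shape in the docstring are assumptions.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed "local networks" alias (not the poster's real prefixes):
# all RFC1918 space plus assumed local IPv6 prefixes. 2001:db8:1::/48 is
# documentation space standing in for a delegated prefix that, like the
# poster's, also covers the link between the external router and the firewall.
LOCAL_NETS_ALIAS = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "2001:db8:1::/48",
    "fd00::/8",
]


def load_table(entries: Iterable[str]) -> List[Net]:
    """Parse alias entries into network objects, the way pf loads a table."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


LOCAL_NETS = load_table(LOCAL_NETS_ALIAS)


def family_applies(rule_af: str, addr: Addr) -> bool:
    """An 'inet' rule never sees IPv6 packets and vice versa; 'any' sees both."""
    wanted = {"inet": 4, "inet6": 6}.get(rule_af)
    return wanted is None or wanted == addr.version


def in_table(table: List[Net], addr: Addr) -> bool:
    """Table lookup: only entries of the packet's own family are compared."""
    return any(net.version == addr.version and addr in net for net in table)


def rule_passes(rule_af: str, dst: str, table: List[Net] = LOCAL_NETS,
                negate: bool = True) -> bool:
    """Evaluate one rule of the (assumed) form

        pass in quick on $lan $rule_af from $lan:network to ! <local_nets>

    for a single destination. True means this rule would pass the packet;
    False means the rule does not match, either because the address family
    is wrong or because the destination is in a local network and the
    negation excludes it.
    """
    addr = ipaddress.ip_address(dst)
    if not family_applies(rule_af, addr):
        return False
    hit = in_table(table, addr)
    return (not hit) if negate else hit


def classify(dst: str, table: List[Net] = LOCAL_NETS) -> str:
    """Label a destination the way the negated alias sees it."""
    return "local" if in_table(table, ipaddress.ip_address(dst)) else "internet"


if __name__ == "__main__":
    samples = [
        ("inet", "8.8.8.8"),              # public IPv4: passes
        ("inet", "192.168.1.10"),         # RFC1918: excluded by the negation
        ("inet6", "2001:db8:2::1"),       # outside our prefixes: passes
        ("inet6", "2001:db8:1:ffff::1"),  # router<->firewall link inside prefix: excluded
        ("inet", "2001:db8:2::1"),        # IPv6 packet, IPv4-only rule: no match
    ]
    for af, dst in samples:
        print(f"{af:5} {dst:22} {classify(dst):8} pass={rule_passes(af, dst)}")
```

The point of the fourth sample is the caveat from reply #2: the transit link between the external router and the firewall lives inside the delegated /48, so a negated alias built from whole prefixes treats it as local. Carving that link out of the alias (or listing the internal /64s individually) is the fix if that ever matters. This model only evaluates one rule in isolation; the real ruleset OPNsense generates is in /tmp/rules.debug, as franco says, and is where the actual ordering and quick/last-match behaviour should be checked.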