Attachment 'pf_simple_firewall_noserver.conf.txt'
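# Simple pf ruleset for a dual-stack router/firewall that hosts no
# services of its own: everything arriving on an interface is dropped
# and logged unless one of the pass rules below admits it.
#
# pf is last-match-wins, so the broad block comes first and the
# specific pass rules follow it.

# ---- Macros ----

# external interface
EXT = "bge0"
# internal LAN interface
LAN = "bge1"
# IPv4 address of LAN interface
LANip4 = "192.168.1.1"
# IPv6 address of LAN interface
LANip6 = "2001:db8:1:1::1"
# IPv4 address of external interface (the closing quote was missing)
EXTip4 = "192.168.2.1"
# IPv6 address of external interface
EXTip6 = "2001:db8:1:2::1"
# IPv4 prefix on LAN interface
LANnet4 = "192.168.1.0/24"
# IPv6 prefix on LAN interface, written as the network address rather
# than a host address inside the /64
LANnet6 = "2001:db8:1:1::/64"
# loopback addresses
Lo4 = "127.0.0.1"
Lo6 = "::1"

# ---- Options ----

# Expire state entries early. Long-idle connections lose their state
# sooner and are then caught by the default block.
set optimization aggressive

# ---- Default policy ----

# Drop and log everything arriving on any interface.
# NOTE(review): this is "block in", not "block all". Outbound packets
# that match no rule below fall through to pf's implicit pass, so the
# "pass out" rules add state tracking but do not restrict egress.
# Changing this to "block log all" would enforce the egress list, but
# outbound rules for $LAN would then be needed as well.
# NOTE(review): the block also applies to the loopback interface and no
# rule below passes traffic in on it; confirm whether local processes
# rely on loopback ("set skip on <loopback-if>" is the usual answer).
block in log all

# ---- External interface ----

# allow DNS requests to go out
pass out on $EXT inet proto udp from { $EXTip4, $Lo4, $LANnet4 } to any port domain keep state
pass out on $EXT inet6 proto udp from { $EXTip6, $Lo6, $LANnet6 } to any port domain keep state

# all TCP requests allowed out
# ($EXTip4/$EXTip6 lacked the "$", which made pf read them as host
# names to resolve instead of expanding the macros)
pass out on $EXT inet proto tcp from { $EXTip4, $Lo4, $LANnet4 } to any keep state
pass out on $EXT inet6 proto tcp from { $EXTip6, $Lo6, $LANnet6 } to any keep state

# all ping requests allowed out (echo request only; replies return via state)
pass out on $EXT inet proto icmp all icmp-type 8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state

# Neighbor Discovery out; IPv6 address resolution on the external link
# depends on these messages
pass out on $EXT inet6 proto icmp6 all icmp6-type { neighbradv, neighbrsol }
# Neighbor Discovery in
pass in on $EXT inet6 proto icmp6 all icmp6-type { neighbradv, neighbrsol }

# ---- LAN interface ----

# router advertisement out (type name is "routeradv")
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
# router solicitation in (type name is "routersol")
pass in on $LAN inet6 proto icmp6 all icmp6-type routersol
# NOTE(review): nothing admits neighbor solicitation/advertisement in
# on $LAN, so LAN hosts cannot complete IPv6 address resolution towards
# this router; a rule like the $EXT one above is probably wanted here.

# DNS requests from the LAN (the protocol keyword was missing; udp
# matches the outbound DNS rules, and DNS over TCP is covered by the
# TCP rules below)
pass in on $LAN inet proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain

# TCP requests from the LAN; the source is pinned to the LAN prefixes,
# so packets with other source addresses stay blocked
pass in on $LAN inet proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any

# ICMP echo requests from the LAN. The type/code operands were missing
# in the listing; completed to mirror the outbound echo-request rules.
# NOTE(review): unlike the rules above, "all" puts no source restriction
# on these two; "from $LANnet4" / "from $LANnet6" would be consistent.
pass in on $LAN inet proto icmp all icmp-type 8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq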