Are there any caveats for [NAT-less] IPv6 floating rules?
I was just redoing my IPv6 ruleset for the millionth time when it hit me that I could very easily replicate it and expand/shrink it, whole interfaces at a time, with floating rules.

My idea is: (1) pfBlockerNG's blanket reject blocks, then (2) port-, dst-, and port+dst-based pass rules, and (3) a wildcard pass. That's it! I can still restrict traffic out on the remote firewall that tunnels IPv6 in/out. Currently I have a ton of these rules per interface, so it would really help out.

Except for blocks, I avoid floating rules because they lack reply-to for NAT, but there's no such thing in IPv6, kinda. And it only took me a few years to realize that. That's progress.
Is there anything to look out for when doing the v6 floating set? For instance, where do the predefined locations point, like "This Firewall"? Would that be each interface's address, or something generalized like a link-local address, e.g. fe80::1? I'm still a little fuzzy on link-local addressing, which is why I avoid it at all costs in favor of global addresses.

Thanks for your help -- I'll start aliasing /64s in the exit firewall in the meantime -- hosts are already done because of inbound rules.