IPv6 - Open Firewall… despite some rules, it cannot be closed...?!



  • Hi,

    after setting up IPv6 via 6to4 with German Telekom, which works for my subnets, I recognized that every IPv6 address is directly reachable from the internet…
    So, I tried to set up some rules (for the VDSL trunk and for my three (sub)networks) like this...:

    So, everything should be blocked. Later, I'd punch some holes in the firewall to access some IPv6 clients only on port 22 and so on…

    But: it does not work! Even those "dumb" reject-everything-IPv6-from-everywhere rules don't filter anything at all... First I thought it was the lockout rules (22 + 80), which
    still allow at least port 22 through - but no, on another host nmap -6 found port 53 open (and working) as well...

    [Edit]

    The above happened even though IPv6 support was still disabled in the advanced config…:

     Allow IPv6
    All IPv6 traffic will be blocked by the firewall unless this box is checked.
    NOTE: This does not disable any IPv6 features on the firewall, it only blocks traffic.
    
    

    I thought enabling it might make it possible to create some "reject" firewall rules… but no.... The IPv6 part is totally open and absolutely unfiltered!

    So, for now, I can only disable the IPv6 part in my PPPoE settings, since the firewall renders itself totally useless.......

    What's happening here?

    Cheers,

    4920441



  • Hmm, I remember a discussion about this over in the 2.1 forums. It ended with jimp pushing a fix for this IIRC.
    Can you try to override that problem with a floating rule that has the Quick option set?
    Could you post your rule set? It's in /tmp/rules.debug



    It would be interesting to confirm what is in /tmp/rules.debug - does it have lines about "block in drop quick inet6"? Those should be in there when "Allow IPv6" is unchecked. I fully expect they will be (they always have been when I looked recently).
    It sounds like IPv6 packets arriving on VDSLTRUNK are not passing through pf at all. The special thing about this configuration is that the pppoe WAN is not given a public IPv6 by the ISP. The packets with global IPv6 source and destination addresses must be passed across the hop from ISP router to pfSense WAN interface in packets that use the link-local addresses assigned on either end of the pppoe interface.
    Maybe it will turn out to be some issue with these link-local packets not being handed to pf for processing?



  • You said you're using a 6to4 tunnel; if that's the case, are you sure you're using the correct interface for the rule? From your WAN interface's point of view, the IPv6 traffic is encapsulated in IPv4, so a rule like that wouldn't match (assuming VDSLTRUNK is in fact your WAN).



  • As far as I know, German T-Com's IPv6 capable lines are dual-stack, not 6to4. I think the OP means IA-PD. Here's a link to the other topic regarding his setup:
    http://forum.pfsense.org/index.php/topic,65123.0.html



  • @athurdent:

    As far as I know, German T-Com's IPv6 capable lines are dual-stack, not 6to4. I think the OP means IA-PD. Here's a link to the other topic regarding his setup:
    http://forum.pfsense.org/index.php/topic,65123.0.html

    I have two German Telekom lines; the newer one is really a dual-stack capable access with a "real" IPv6 address beginning with 2003:xx:…

    The other (older) one, mentioned here, is really a 6to4 tunnel which embeds the IPv4 address in the IPv6 address, configured like this...

    So it makes perfect sense that the IPv6 rule on my VDSLTRUNK interface does not match, because on this interface the IPv6 packets are encapsulated in IPv4…
    What does not make sense is that nothing was blocked even though "Allow IPv6 traffic" wasn't checked in the advanced config tab.
    What also does not make sense is that even if I deny any IPv6 traffic from the internal LAN to anywhere, it still gets through....
    Although it is encapsulated on the VDSLTRUNK interface, it is not encapsulated yet on the LAN interface - or is it?

    Here is my /tmp/rules.debug
    The interface I'd like to use is the VDSLTRUNK interface. The box has another interface named "FRITZ" which is connected to another Telekom line with "real" IPv6 dual stack - so ignore that, I ignore it as well... :-)

    [2.1-RC1][root@rotorouter-3.intra]/root(1): cat /tmp/rules.debug
    set limit tables 3000
    set optimization normal
    set timeout { adaptive.start 0, adaptive.end 0 }
    set limit states 198000
    set limit src-nodes 198000
    
    #System aliases
    
    loopback = "{ lo0 }"
    VDSLTRUNK = "{ pppoe0 wan_stf }"
    FAMILYLAN = "{ bce0 }"
    SOFTCELLINTRA = "{ bce1_vlan10 }"
    SOFTCELLMAIL = "{ bce1_vlan20 }"
    SOFTCELLWEB = "{ bce1_vlan30 }"
    VLAN7_VDSLTRNK = "{ em0_vlan7 }"
    FRITZ = "{ vr0 }"
    OpenVPN = "{ openvpn }"
    
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    table <bogons> persist file "/etc/bogons"
    table <bogonsv6> persist file "/etc/bogonsv6"
    table <vpn_networks> { 10.6.75.0/24 10.4.5.0/24 }
    table <negate_networks> { 10.6.75.0/24 10.4.5.0/24 }
    
    # User Aliases 
    
    # Gateways
    GWVDSLTRUNK_PPPOE = " route-to ( pppoe0 80.80.80.80 ) "
    GWFRITZ_DHCP = " route-to ( vr0 192.168.49.1 ) "
    GWVDSLTRUNK_6TO4 = " route-to ( wan_stf 2002:ccd8:d3d1:: ) "
    GWFRITZ_DHCP6 = " route-to ( vr0 fe80::c225:6ff:feaf:b255 ) "
    
    set loginterface bce0
    
    set skip on pfsync0
    
    scrub on $VDSLTRUNK all    fragment reassemble
    scrub on $FAMILYLAN all    fragment reassemble
    scrub on $SOFTCELLINTRA all    fragment reassemble
    scrub on $SOFTCELLMAIL all    fragment reassemble
    scrub on $SOFTCELLWEB all    fragment reassemble
    scrub on $VLAN7_VDSLTRNK all    fragment reassemble
    scrub on $FRITZ all    fragment reassemble
    
     altq on  bce1_vlan10 hfsc queue {  qInternet  } 
     queue qInternet on bce1_vlan10 bandwidth 500000Kb hfsc (  ecn  , linkshare 500000Kb  , upperlimit 500000Kb  )  {  qACK,  qP2P,  qVoIP,  qOthersHigh,  qOthersLow  } 
     queue qACK on bce1_vlan10 bandwidth 17.994% hfsc (  ecn  , linkshare 17.994%  )  
     queue qP2P on bce1_vlan10 bandwidth 10% qlimit 500 hfsc (  ecn  , default  , linkshare 10%  , upperlimit 10%  )  
     queue qVoIP on bce1_vlan10 bandwidth 32Kb hfsc (  ecn  ,  realtime 128Kb )  
     queue qOthersHigh on bce1_vlan10 bandwidth 8.997% hfsc (  ecn  , linkshare 8.997%  )  
     queue qOthersLow on bce1_vlan10 bandwidth 4.4985% hfsc (  ecn  , linkshare 4.4985%  )  
    
     altq on  bce1_vlan20 hfsc queue {  qInternet  } 
     queue qInternet on bce1_vlan20 bandwidth 500000Kb hfsc (  ecn  , linkshare 500000Kb  , upperlimit 500000Kb  )  {  qACK,  qP2P,  qVoIP,  qOthersHigh,  qOthersLow  } 
     queue qACK on bce1_vlan20 bandwidth 17.994% hfsc (  ecn  , linkshare 17.994%  )  
     queue qP2P on bce1_vlan20 bandwidth 10% qlimit 500 hfsc (  ecn  , default  , linkshare 10%  , upperlimit 10%  )  
     queue qVoIP on bce1_vlan20 bandwidth 32Kb hfsc (  ecn  ,  realtime 128Kb )  
     queue qOthersHigh on bce1_vlan20 bandwidth 8.997% hfsc (  ecn  , linkshare 8.997%  )  
     queue qOthersLow on bce1_vlan20 bandwidth 4.4985% hfsc (  ecn  , linkshare 4.4985%  )  
    
     altq on  bce1_vlan30 hfsc queue {  qInternet  } 
     queue qInternet on bce1_vlan30 bandwidth 500000Kb hfsc (  ecn  , linkshare 500000Kb  , upperlimit 500000Kb  )  {  qACK,  qP2P,  qVoIP,  qOthersHigh,  qOthersLow  } 
     queue qACK on bce1_vlan30 bandwidth 17.994% hfsc (  ecn  , linkshare 17.994%  )  
     queue qP2P on bce1_vlan30 bandwidth 10% qlimit 500 hfsc (  ecn  , default  , linkshare 10%  , upperlimit 10%  )  
     queue qVoIP on bce1_vlan30 bandwidth 32Kb hfsc (  ecn  ,  realtime 128Kb )  
     queue qOthersHigh on bce1_vlan30 bandwidth 8.997% hfsc (  ecn  , linkshare 8.997%  )  
     queue qOthersLow on bce1_vlan30 bandwidth 4.4985% hfsc (  ecn  , linkshare 4.4985%  )  
    
     altq on  vr0 hfsc queue {  qInternet  } 
     queue qInternet on vr0 bandwidth 500000Kb hfsc (  ecn  , linkshare 500000Kb  , upperlimit 500000Kb  )  {  qACK,  qP2P,  qVoIP,  qOthersHigh,  qOthersLow  } 
     queue qACK on vr0 bandwidth 17.994% hfsc (  ecn  , linkshare 17.994%  )  
     queue qP2P on vr0 bandwidth 10% qlimit 500 hfsc (  ecn  , default  , linkshare 10%  , upperlimit 10%  )  
     queue qVoIP on vr0 bandwidth 32Kb hfsc (  ecn  ,  realtime 128Kb )  
     queue qOthersHigh on vr0 bandwidth 8.997% hfsc (  ecn  , linkshare 8.997%  )  
     queue qOthersLow on vr0 bandwidth 4.4985% hfsc (  ecn  , linkshare 4.4985%  )  
    
     altq on  pppoe0 hfsc bandwidth 10000Kb queue {  qACK,  qOthersDefault,  qP2P,  qVoIP,  qOthersHigh,  qOthersLow  } 
     queue qACK on pppoe0 bandwidth 17.938% hfsc (  ecn  , linkshare 17.938%  )  
     queue qOthersDefault on pppoe0 bandwidth 8.969% hfsc (  ecn  )  
     queue qP2P on pppoe0 bandwidth 10% hfsc (  ecn  , default  , linkshare 10%  , upperlimit 10%  )  
     queue qVoIP on pppoe0 bandwidth 32Kb hfsc (  ecn  ,  realtime 128Kb )  
     queue qOthersHigh on pppoe0 bandwidth 8.969% hfsc (  ecn  , linkshare 8.969%  )  
     queue qOthersLow on pppoe0 bandwidth 4.4845% hfsc (  ecn  , linkshare 4.4845%  )  
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    nat on $VDSLTRUNK  from 192.168.128.0/24 to any port 500 -> 90.90.90.90/32  static-port
    nat on $VDSLTRUNK  from 192.168.128.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 127.0.0.0/8 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 10.6.75.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 10.4.5.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 192.168.64.0/24 to any port 500 -> 90.90.90.90/32  static-port
    nat on $VDSLTRUNK  from 192.168.64.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 127.0.0.0/8 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 10.6.75.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 10.4.5.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 192.168.65.0/24 to any port 500 -> 90.90.90.90/32  static-port
    nat on $VDSLTRUNK  from 192.168.65.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 127.0.0.0/8 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 10.6.75.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 10.4.5.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 192.168.66.0/24 to any port 500 -> 90.90.90.90/32  static-port
    nat on $VDSLTRUNK  from 192.168.66.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 127.0.0.0/8 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 10.6.75.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $VDSLTRUNK  from 10.4.5.0/24 to any -> 90.90.90.90/32 port 1024:65535  
    nat on $FRITZ  from any to any -> 192.168.49.29/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    # NAT Inbound Redirects
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
    
    # We use the mighty pf, we cannot be fooled.
    block quick inet proto { tcp, udp } from any port = 0 to any
    block quick inet proto { tcp, udp } from any to any port = 0
    block quick inet6 proto { tcp, udp } from any port = 0 to any
    block quick inet6 proto { tcp, udp } from any to any port = 0
    
    # Snort package
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $VDSLTRUNK from <bogons> to any label "block bogon IPv4 networks from VDSLTRUNK"
    block in log quick on $VDSLTRUNK from <bogonsv6> to any label "block bogon IPv6 networks from VDSLTRUNK"
    antispoof for pppoe0
    # block anything from private networks on interfaces with the option set
    antispoof for $VDSLTRUNK
    block in log quick on $VDSLTRUNK from 10.0.0.0/8 to any label "Block private networks from VDSLTRUNK block 10/8"
    block in log quick on $VDSLTRUNK from 127.0.0.0/8 to any label "Block private networks from VDSLTRUNK block 127/8"
    block in log quick on $VDSLTRUNK from 100.64.0.0/10 to any label "Block private networks from VDSLTRUNK block 100.64/10"
    block in log quick on $VDSLTRUNK from 172.16.0.0/12 to any label "Block private networks from VDSLTRUNK block 172.16/12"
    block in log quick on $VDSLTRUNK from 192.168.0.0/16 to any label "Block private networks from VDSLTRUNK block 192.168/16"
    block in log quick on $VDSLTRUNK from fc00::/7 to any label "Block ULA networks from VDSLTRUNK block fc00::/7"
    # allow our proto 41 traffic from the 6to4 border relay in
    pass in on $VDSLTRUNK proto 41 from any to 90.90.90.90 label "Allow 6in4 traffic in for 6to4 on VDSLTRUNK"
    pass out on $VDSLTRUNK proto 41 from 90.90.90.90 to any label "Allow 6in4 traffic out for 6to4 on VDSLTRUNK"
    pass in on $VDSLTRUNK inet6 from any to 2002:5555:ffff::/16 label "Allow 6in4 traffic in for 6to4 on VDSLTRUNK"
    pass out on $VDSLTRUNK inet6 from 2002:5555:ffff::/16 to any label "Allow 6in4 traffic out for 6to4 on VDSLTRUNK"
    antispoof for bce0
    # allow access to DHCP server on FAMILYLAN
    pass in quick on $FAMILYLAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $FAMILYLAN proto udp from any port = 68 to 192.168.128.254 port = 67 label "allow access to DHCP server"
    pass out quick on $FAMILYLAN proto udp from 192.168.128.254 port = 67 to any port = 68 label "allow access to DHCP server"
    # allow access to DHCPv6 server on FAMILYLAN
    # We need inet6 icmp for stateless autoconfig and dhcpv6
    pass quick on $FAMILYLAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
    pass quick on $FAMILYLAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
    pass quick on $FAMILYLAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
    pass quick on $FAMILYLAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
    pass in quick on $FAMILYLAN inet6 proto udp from fe80::/10 to 2002:ff11:2ff1:234::1 port = 546 label "allow access to DHCPv6 server"
    pass out quick on $FAMILYLAN inet6 proto udp from 2002:5555:ffff:128::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
    antispoof for bce1_vlan10
    # allow access to DHCP server on SOFTCELLINTRA
    pass in quick on $SOFTCELLINTRA proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $SOFTCELLINTRA proto udp from any port = 68 to 192.168.64.254 port = 67 label "allow access to DHCP server"
    pass out quick on $SOFTCELLINTRA proto udp from 192.168.64.254 port = 67 to any port = 68 label "allow access to DHCP server"
    # allow access to DHCPv6 server on SOFTCELLINTRA
    # We need inet6 icmp for stateless autoconfig and dhcpv6
    pass quick on $SOFTCELLINTRA inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
    pass quick on $SOFTCELLINTRA inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
    pass quick on $SOFTCELLINTRA inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
    pass quick on $SOFTCELLINTRA inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
    pass in quick on $SOFTCELLINTRA inet6 proto udp from fe80::/10 to 2002:0000:0000:64::1 port = 546 label "allow access to DHCPv6 server"
    pass out quick on $SOFTCELLINTRA inet6 proto udp from 2002:5555:ffff:64::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
    antispoof for bce1_vlan20
    # allow access to DHCPv6 server on SOFTCELLMAIL
    # We need inet6 icmp for stateless autoconfig and dhcpv6
    pass quick on $SOFTCELLMAIL inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
    pass quick on $SOFTCELLMAIL inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
    pass quick on $SOFTCELLMAIL inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
    pass quick on $SOFTCELLMAIL inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
    pass in quick on $SOFTCELLMAIL inet6 proto udp from fe80::/10 to 2002:000:000::1 port = 546 label "allow access to DHCPv6 server"
    pass out quick on $SOFTCELLMAIL inet6 proto udp from 2002:5555:ffff::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
    antispoof for bce1_vlan30
    antispoof for vr0
    # allow our DHCP client out to the FRITZ
    pass in on $FRITZ proto udp from any port = 67 to any port = 68 label "allow dhcp client out FRITZ"
    pass out on $FRITZ proto udp from any port = 68 to any port = 67 label "allow dhcp client out FRITZ"
    # Not installing DHCP server firewall rules for FRITZ which is configured for DHCP.
    # allow our DHCPv6 client out to the FRITZ
    pass in quick on $FRITZ proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 label "allow dhcpv6 client in FRITZ"
    pass in quick on $FRITZ proto udp from any port = 547 to any port = 546 label "allow dhcpv6 client in FRITZ"
    pass out quick on $FRITZ proto udp from any port = 546 to any port = 547 label "allow dhcpv6 client out FRITZ"
    
    # loopback
    pass in on $loopback inet all label "pass IPv4 loopback"
    pass out on $loopback inet all label "pass IPv4 loopback"
    pass in on $loopback inet6 all label "pass IPv6 loopback"
    pass out on $loopback inet6 all label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to ( pppoe0 80.80.80.80 ) from 90.90.90.90 to !90.90.90.90/32 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( wan_stf 2002:0000:0000:: ) inet6 from 2002:0000:0000:: to !2002:0000:000::/48 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( vr0 192.168.49.1 ) from 192.168.49.29 to !192.168.49.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( vr0 fe80::c225:6cf:ceaf:cccc ) inet6 from 2003:57:ccc7:6ff0:ff0:ffff:ff54:3454 to !2003:57:ccc7:6ff0:ff0:ffff:ff54:3454/64 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on bce0 proto tcp from any to (bce0) port { 80 22 } keep state label "anti-lockout rule"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    match    on {  pppoe0  }  proto udp  from any to any  queue (qVoIP)  label "USER_RULE: DiffServ/Lowdelay/Upload"
    match    on {  pppoe0  }  proto tcp  from any to any port 3389 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other MSRDP outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5899 >< 5931 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other VNC outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 3283 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other AppleRemoteDesktop1 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5900 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other AppleRemoteDesktop2 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 3283  queue (qOthersHigh)  label "USER_RULE: m_Other AppleRemoteDesktop3 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 5900  queue (qOthersHigh)  label "USER_RULE: m_Other AppleRemoteDesktop4 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5631 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other pcany1 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 5632  queue (qOthersDefault)  label "USER_RULE: m_Other pcany2 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 6666 >< 6671 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IRC outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5222 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IRC outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5223 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IRC outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5269 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other IRC outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5190 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other ICQ1 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 5190  queue (qOthersDefault)  label "USER_RULE: m_Other ICQ2 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5190 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other AIM outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 1863 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other MSN1 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 6890 >< 6901 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other MSN2 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 6901 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other MSN3 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 6901  queue (qOthersDefault)  label "USER_RULE: m_Other MSN4 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 14534 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other teamspeak1 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 51234 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other teamspeak2 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 8766 >< 8769  queue (qOthersHigh)  label "USER_RULE: m_Other teamspeak3 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 1723 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other PPTP outbound"
    match    on {  pppoe0  }  proto gre  from any to any  queue (qOthersDefault)  label "USER_RULE: m_Other PPTPGRE outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 500  queue (qOthersDefault)  label "USER_RULE: m_Other IPSEC outbound"
    match    on {  pppoe0  }  proto ah  from any to any  queue (qOthersDefault)  label "USER_RULE: m_Other IPSEC outbound"
    match    on {  pppoe0  }  proto esp  from any to any  queue (qOthersDefault)  label "USER_RULE: m_Other IPSEC outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 7999 >< 8101 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other STREAMINGMP3 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 554 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other RTSP1 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 80 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other HTTP outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 443 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other HTTPS outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 25 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other SMTP outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 110 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other POP3 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 143 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other IMAP outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 1352 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other LotusNotes1 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 1352  queue (qOthersDefault)  label "USER_RULE: m_Other LotusNotes2 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 53 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other DNS1 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 53  queue (qOthersHigh)  label "USER_RULE: m_Other DNS2 outbound"
    match    on {  pppoe0  }  proto icmp  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other ICMP outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 445 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other SMB1 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 136 >< 140 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other SMB2 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 161 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other SNMP outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 161  queue (qOthersDefault)  label "USER_RULE: m_Other SNMP2 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 3306 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other MySQL1 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 119 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other NNTP1 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 119  queue (qOthersHigh)  label "USER_RULE: m_Other NNTP2 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5999 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other cvsup outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 5001 flags S/SA  queue (qOthersDefault,qACK)  label "USER_RULE: m_Other Slingbox1 outbound"
    match    on {  pppoe0  }  proto udp  from any to any port 5001  queue (qOthersDefault)  label "USER_RULE: m_Other Slingbox2 outbound"
    match    on {  pppoe0  }  proto tcp  from any to any port 3000 flags S/SA  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other HBCI outbound"
    pass  in  quick  on $OpenVPN  from any to any  label "USER_RULE: OpenVPN  wizard"
    pass  in  quick  on $VDSLTRUNK reply-to ( pppoe0 80.80.80.80 )  proto tcp  from any to 192.168.64.117 port 993 flags S/SA keep state  label "USER_RULE: NAT IMAP to softcell.shacknet.nu  -.intra"
    pass  in  quick  on $VDSLTRUNK reply-to ( pppoe0 80.80.80.80 )  proto udp  from any to 90.90.90.90 port 1195 keep state  label "USER_RULE: OpenVPN  wizard"
    pass  in  quick  on $VDSLTRUNK reply-to ( pppoe0 80.80.80.80 )  proto udp  from any to 90.90.90.90 port 1194 keep state  label "USER_RULE: OpenVPN  wizard"
    pass  in  quick  on $VDSLTRUNK reply-to ( pppoe0 80.80.80.80 )  proto tcp  from any to 192.168.64.117 port 25 flags S/SA keep state  label "USER_RULE: NAT smtp to mailserver softcell.shacknet.nu"
    block return  in  quick  on $VDSLTRUNK reply-to ( wan_stf 2002:0000:0000:: ) inet6 from any to 2002:xxxx:xxxe:64:ea40:x2xf:fx0x:ef24  label "USER_RULE: Block incoming IPv6"
    block return  in  quick  on $FAMILYLAN inet6 from any to any  label "USER_RULE: Block all IPv6 Incoming"
    pass  in  quick  on $FAMILYLAN  from 192.168.128.131 to 192.168.164.35  label "USER_RULE"
    block  in  quick  on $FAMILYLAN  from any to 192.168.164.35  label "USER_RULE"
    pass  in  quick  on $FAMILYLAN  from 192.168.128.0/24 to any  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $SOFTCELLINTRA  from 192.168.64.254/24 to any  label "USER_RULE"
    
    # VPN Rules
    anchor "tftp-proxy/*"
    

    BTW: After I dumped the "rules.dump" I tried to create a "floating rule" (I don't get what the difference to any other rule is?).
    But despite everything, it has no effect at all - all internal hosts which have an IPv6 address from the 6to4 VDSLTRUNK interface are still directly
    reachable.

    Cheers,

    4920441
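
A small model of how pf picks the deciding rule for the inbound IPv6 rules in the posted rules.debug; this is an added example, not code from the thread or from pfSense. It assumes pf's rule semantics (rules are checked in order, the last matching rule wins, and a matching rule marked quick ends evaluation), uses constructed addresses inside the posted 2002:5555:ffff::/48 prefix as stand-ins for the redacted hosts, and adds a constructed floating quick block rule like the one suggested in an earlier reply.

```python
"""Model of pf rule evaluation: rules are checked in order, the LAST matching
rule wins, unless a matching rule carries 'quick', which ends evaluation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Interface alias taken from the posted rules.debug.
VDSLTRUNK = frozenset({"pppoe0", "wan_stf"})


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    af: Optional[str] = None          # "inet", "inet6", or None for both
    ifaces: frozenset = frozenset()   # empty means "on any interface"
    dst: str = "any"                  # destination host/network, or "any"
    quick: bool = False
    label: str = ""


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out"
    dst: str         # destination address


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every qualifier of the rule fits the packet."""
    addr = ip_address(pkt.dst)
    af = "inet6" if addr.version == 6 else "inet"
    if rule.direction != pkt.direction:
        return False
    if rule.ifaces and pkt.iface not in rule.ifaces:
        return False
    if rule.af is not None and rule.af != af:
        return False
    if rule.dst != "any":
        # strict=False drops the host bits, as pf does: the posted
        # "2002:5555:ffff::/16" really matches the whole 2002::/16.
        net = ip_network(rule.dst, strict=False)
        if net.version != addr.version or addr not in net:
            return False
    return True


def winning_rule(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Remember the last match; stop at the first matching 'quick' rule."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def verdict(rules: List[Rule], pkt: Packet) -> str:
    rule = winning_rule(rules, pkt)
    # pf passes when nothing matches; pfSense's default deny rules make
    # sure that never happens in practice.
    return "pass" if rule is None else rule.action


# Constructed stand-ins (not from the thread): a host in the FAMILYLAN 6to4
# subnet and a stand-in for the single redacted host the USER_RULE blocks.
LAN_HOST = "2002:5555:ffff:128::50"
BLOCKED_HOST = "2002:5555:ffff:64::ef24"

# Inbound subset of the posted ruleset, in its original order.
RULES = [
    Rule("block", "in", "inet", label="Default deny rule IPv4"),
    Rule("block", "in", "inet6", label="Default deny rule IPv6"),
    Rule("pass", "in", "inet6", VDSLTRUNK, "2002:5555:ffff::/16",
         label="Allow 6in4 traffic in for 6to4 on VDSLTRUNK"),
    Rule("block", "in", "inet6", VDSLTRUNK, BLOCKED_HOST, quick=True,
         label="USER_RULE: Block incoming IPv6"),
]

# The floating rule with 'quick' suggested in the thread (constructed here):
# pfSense emits floating rules ahead of the per-interface user rules.
FLOATING_BLOCK = Rule("block", "in", "inet6", VDSLTRUNK, "2002::/16", quick=True,
                      label="FLOATING: block IPv6 in on VDSLTRUNK")
RULES_WITH_FLOATING = RULES[:3] + [FLOATING_BLOCK] + RULES[3:]

if __name__ == "__main__":
    for name, ruleset in (("posted", RULES), ("with floating", RULES_WITH_FLOATING)):
        for host in (LAN_HOST, BLOCKED_HOST):
            rule = winning_rule(ruleset, Packet("wan_stf", "in", host))
            print(f"{name:14} {host:26} -> {rule.action:5} ({rule.label})")
```

With the posted order, only the one host named in the quick USER_RULE is blocked; every other 2002:: destination is decided by the non-quick "Allow 6in4 traffic in" rule, which the LAN-side block rule never sees because it only applies to packets arriving on bce0.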



  • @athurdent:

    As far as I know, German T-Com's IPv6 capable lines are dual-stack, not 6to4. I think the OP means IA-PD. Here's a link to the other topic regarding his setup:
    http://forum.pfsense.org/index.php/topic,65123.0.html

    Right, but that is another access I use. German Telekom does not equip every access with dual stack; the older ones only get IPv6 via 6to4.

    Cheers,

    4920441

