# PF IPv6



## vivek (Jan 22, 2009)

I've working /etc/pf.conf for IPv4. Recently, our ISP gave us free native /64 block. I've assigned IPv6 IPs by updating /etc/rc.conf file. But deploying IPv6 firewall giving out problem. It is not working. There is not good tutorial and pf man pages or OpenBSD pf guide also lacks details. Can anyone share working pf.conf script? Here is my current script...

```
pass in on $int_if inet6 from $adminrange6 to any

pass in on $ext_if inet6 proto udp from any to $dns_servers6 port 53
pass in on $ext_if inet6 proto tcp from any to $dns_servers6 port 53 flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to $http_servers6 port 80 flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to $mail_servers6 port $mail_ports flags S/SA synproxy state

pass in proto icmp6 all
pass out proto icmp6 all

pass out on $ext_if inet6 proto tcp from any to any port 21
pass out on $ext_if inet6 proto tcp from any to any port >1023
```

Only IPv4 part is working and IPv6 is not working at all and I'm now lost...


----------



## vivek (Jan 22, 2009)

Already I fixed this after reading pf and pf.conf man page again. You need to add one more rule to fix this mess 

```
pass quick on $ext_if proto ipv6
```


----------



## rmh (Jan 24, 2009)

That does work, but it has the effect of allowing all IPv6 traffic due to the "quick" statement.  

I think you have your PF rules backwards.  My understanding of PF is that the most general rules come first and then the more specific ones.  

An excerpt from my pf.conf looks like:


```
scrub in all

block in log all

block quick from <bad_ssh_hosts>

## Enable ICMP for IPv4 and IPv6

pass proto icmp6 all

pass proto icmp all

## Allow all traffic initiated from an inside subnet or router external interface

pass from { $dmz_add, $dmz_add6, $int_net, $int_net6, $dmz_net, $dmz_net6, $gif_add6} to any keep state

## Allow SSH from outside to inside subnets

pass in proto tcp from any to { $int_net, $dmz_net, $int_net6 $dmz_net6} port 22 keep state \
     (max-src-conn 15, max-src-conn-rate 5/3, overload <bad_ssh_hosts> flush global)

## Allow SSH from outside to inside router external interfaces

pass  in proto tcp from any to { $dmz_add, $dmz_add6, $int_add6} port 22 keep state \
     (max-src-conn 15, max-src-conn-rate 5/3, overload <bad_ssh_hosts> flush global)
```

I can email you the complete file if want to take a look.


----------

