add explanation
[ikiwiki.git] / docs / docs / howtos / HowToPF6and4 / index.mdwn
CommitLineData
6fef3eea 1I have a small LAN running services, an IPv6 tunnel and a VoIP phone. Its router was a Linksys running DD-WRT, but the router stopped displaying the list of forwarded ports, and eventually wouldn't even change the forwarded ports when told to do so on the command line. I decided to replace it with a DragonFly box called "zyxomma" (the last word in dragonflies) using pf.
2
3What I'd like to do is:
4
5* Several ports are forwarded to the same port on one of the machines behind the firewall. I'd like those ports to be accessible on IPv6 as well.
6* Some ports are redirected to a different port on the LAN. They should be accessible via IPv6 at the inside port.
7* All other ports on IPv6 should be blocked. They should also be blocked on IPv4 as well, in case some malware running on zyxomma opens a port, but I couldn't get that to work.
8* The tunnel should come up, regardless of what IP address I get from DHCP.
9* The phone should get its allocated bandwidth at a higher priority so that phone conversations won't have dropouts. Next highest priority is DNS.
10* One of my boxes watches SSH connections and blocks all access from IP addresses that make too many password guesses. All access to all my boxes should be blocked from those IP addresses. This isn't set up yet, but the table is there.
386182ec 11
386182ec 12##rc.conf
13 gif_interfaces="gif0"
14 ifconfig_em0="DHCP"
15 ifconfig_em1="inet 192.168.7.2 netmask 255.255.255.0"
16 ifconfig_em1_alias0="inet6 2001:470:deaf:beef::2 prefixlen 64"
17 #gifconfig_gif0="69.132.98.107 216.66.22.2"
18 gifconfig_gif0="75.176.126.216 216.66.22.2"
19 ifconfig_gif0="inet6 2001:470:dead:beef::2 2001:470:dead:beef::1 prefixlen 128"
20 #defaultrouter="192.168.7.1"
21 ipv6_enable=YES
22 ipv6_network_interfaces="gif0 em1"
23 ipv6_gateway_enable=YES
24 ipv6_defaultrouter="2001:470:dead:beef::1"
25 rtadvd_enable=YES
26 rtadvd_interfaces="em1"
27 pf=YES # rcrun enable pf
28 isc_dhcpd=YES # rcrun enable isc_dhcpd
29
6fef3eea 30The tunnel setup should be done with an rc.d script, since the IP address isn't known until dhcpcd gets it. I have written it, and it works when run after booting, but I haven't booted it yet. It does not delete the tunnel device because doing so would crash the machine (http://bugs.dragonflybsd.org/issues/2425).
386182ec 31##pf.conf
32 ext_if="em0"
33 ext_if6="gif0"
34 int_if="em1"
35 int_if6="em1"
6fef3eea 36 fwd_darner="{ 14159, 9030 }"
386182ec 37 fwd_chausie="{ ftp, http, smtp, ssh }"
6fef3eea 38 fwd_leopard="{ rsync, ntp, 8333 }"
386182ec 39 forwarded_ports="{ 110, 2222 }"
40 allow_all6="{ http ssh }"
41 darner="192.168.7.5"
42 darner6="2001:470:deaf:beef:d5aa:96ff:fede:aaeb"
43 chausie="192.168.7.4"
44 chausie6="2001:470:deaf:beef:bead:edff:feca:5c05"
45 leopard="192.168.7.10"
46 leopard6="2001:470:deaf:beef:2a3:a0ff:fefd:5c5f"
47 sipura="192.168.7.99"
48
49 table <bruteforce> persist
50
51 scrub in
52
53 #Phone conversation takes 10 kB/s each way
54 #Bandwidth out is 123 kB/s
55 altq on $int_if cbq bandwidth 984Kb queue { voip,dnsq,rest }
56 queue voip bandwidth 84Kb priority 3
57 queue dnsq bandwidth 32Kb priority 2
58 queue rest bandwidth 868Kb cbq(default,borrow)
59
60 nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
61
62 rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_darner -> $darner
63 rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_chausie -> $chausie
64 rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_leopard -> $leopard
6fef3eea 65 rdr on $ext_if inet proto {tcp udp} from !($ext_if) to ($ext_if) port 110 -> $darner port 6561
386182ec 66 rdr on $ext_if inet proto {tcp udp} from !($ext_if) to ($ext_if) port 2222 -> $darner port ssh
67 nat on $int_if inet proto {tcp udp} from $int_if:network to $darner port $fwd_darner -> $int_if
68 nat on $int_if inet proto {tcp udp} from $int_if:network to $chausie port $fwd_chausie -> $int_if
69 nat on $int_if inet proto {tcp udp} from $int_if:network to $leopard port $fwd_leopard -> $int_if
70 block quick from <bruteforce>
71
72 block in on $ext_if6
73 pass out on $ext_if6 keep state
74 #block in on $ext_if
75 #pass out on $ext_if keep state
76
77 pass quick on { lo $int_if $int_if6 } keep state
78 antispoof for { lo $int_if $int_if6 $ext_if $ext_if6 }
79
80 pass in on $ext_if6 inet6 proto {tcp udp} to $darner6 port $fwd_darner keep state
81 pass in on $ext_if6 inet6 proto {tcp udp} to $chausie6 port $fwd_chausie keep state
82 pass in on $ext_if6 inet6 proto {tcp udp} to $leopard6 port $fwd_leopard keep state
83 pass in on $ext_if6 inet6 proto {tcp udp} to any port $allow_all6 keep state
84 pass in on $ext_if inet proto {tcp udp} to any port $fwd_darner keep state
85 pass in on $ext_if inet proto {tcp udp} to any port $fwd_chausie keep state
86 pass in on $ext_if inet proto {tcp udp} to any port $fwd_leopard keep state
87 pass in on $ext_if inet proto {tcp udp} to any port $forwarded_ports keep state
88 pass in on $int_if from $sipura to any queue voip keep state
89 pass in on $int_if proto {tcp udp} from any to any port 53 queue dnsq keep state
90
91##dhclient.conf
92 # option definitions common to all supported networks...
93 option domain-name "ixazon.lan";
94 option domain-name-servers leopard.ixazon.lan, chausie.ixazon.lan;
95
96 default-lease-time 600;
97 max-lease-time 7200;
98
99 subnet 192.168.7.0 netmask 255.255.255.0 {
100 range 192.168.7.100 192.168.7.255;
101 option routers 192.168.7.2;
102 }
103
104 host sipura {
105 hardware ethernet fa:de:db:ed:fa:ce;
106 fixed-address 192.168.7.99;
107 }