add explanation

[ikiwiki.git] / docs / docs / howtos / HowToPF6and4 / index.mdwn

I have a small LAN running services, an IPv6 tunnel and a VoIP phone. Its router was a Linksys running DD-WRT, but the router stopped displaying the list of forwarded ports, and eventually wouldn't even change the forwarded ports when told to do so on the command line. I decided to replace it with a DragonFly box called "zyxomma" (the last word in dragonflies) using pf.

What I'd like to do is:

* Several ports are forwarded to the same port on one of the machines behind the firewall. I'd like those ports to be accessible on IPv6 as well.
* Some ports are redirected to a different port on the LAN. They should be accessible via IPv6 at the inside port.
* All other ports on IPv6 should be blocked. They should also be blocked on IPv4 as well, in case some malware running on zyxomma opens a port, but I couldn't get that to work.
* The tunnel should come up, regardless of what IP address I get from DHCP.
* The phone should get its allocated bandwidth at a higher priority so that phone conversations won't have dropouts. Next highest priority is DNS.
* One of my boxes watches SSH connections and blocks all access from IP addresses that make too many password guesses. All access to all my boxes should be blocked from those IP addresses. This isn't set up yet, but the table is there.

##rc.conf
        gif_interfaces="gif0"
        ifconfig_em0="DHCP"
        ifconfig_em1="inet 192.168.7.2 netmask 255.255.255.0"
        ifconfig_em1_alias0="inet6 2001:470:deaf:beef::2 prefixlen 64"
        #gifconfig_gif0="69.132.98.107 216.66.22.2"
        gifconfig_gif0="75.176.126.216 216.66.22.2"
        ifconfig_gif0="inet6 2001:470:dead:beef::2 2001:470:dead:beef::1 prefixlen 128"
        #defaultrouter="192.168.7.1"
        ipv6_enable=YES
        ipv6_network_interfaces="gif0 em1"
        ipv6_gateway_enable=YES
        ipv6_defaultrouter="2001:470:dead:beef::1"
        rtadvd_enable=YES
        rtadvd_interfaces="em1"
        pf=YES  # rcrun enable pf
        isc_dhcpd=YES   # rcrun enable isc_dhcpd

The tunnel setup should be done with an rc.d script, since the IP address isn't known until dhcpcd gets it. I have written it, and it works when run after booting, but I haven't booted it yet. It does not delete the tunnel device because doing so would crash the machine (http://bugs.dragonflybsd.org/issues/2425).
##pf.conf
        ext_if="em0"
        ext_if6="gif0"
        int_if="em1"
        int_if6="em1"
        fwd_darner="{ 14159, 9030 }"
        fwd_chausie="{ ftp, http, smtp, ssh }"
        fwd_leopard="{ rsync, ntp, 8333 }"
        forwarded_ports="{ 110, 2222 }"
        allow_all6="{ http ssh }"
        darner="192.168.7.5"
        darner6="2001:470:deaf:beef:d5aa:96ff:fede:aaeb"
        chausie="192.168.7.4"
        chausie6="2001:470:deaf:beef:bead:edff:feca:5c05"
        leopard="192.168.7.10"
        leopard6="2001:470:deaf:beef:2a3:a0ff:fefd:5c5f"
        sipura="192.168.7.99"

        table <bruteforce> persist

        scrub in

        #Phone conversation takes 10 kB/s each way
        #Bandwidth out is 123 kB/s
        altq on $int_if cbq bandwidth 984Kb queue { voip,dnsq,rest }
        queue voip bandwidth 84Kb priority 3
        queue dnsq bandwidth 32Kb priority 2
        queue rest bandwidth 868Kb cbq(default,borrow)

        nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

        rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_darner -> $darner
        rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_chausie -> $chausie
        rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_leopard -> $leopard
        rdr on $ext_if inet proto {tcp udp} from !($ext_if) to ($ext_if) port 110 -> $darner port 6561
        rdr on $ext_if inet proto {tcp udp} from !($ext_if) to ($ext_if) port 2222 -> $darner port ssh
        nat on $int_if inet proto {tcp udp} from $int_if:network to $darner port $fwd_darner -> $int_if
        nat on $int_if inet proto {tcp udp} from $int_if:network to $chausie port $fwd_chausie -> $int_if
        nat on $int_if inet proto {tcp udp} from $int_if:network to $leopard port $fwd_leopard -> $int_if
        block quick from <bruteforce>

        block in on $ext_if6
        pass out on $ext_if6 keep state
        #block in on $ext_if
        #pass out on $ext_if keep state

        pass quick on { lo $int_if  $int_if6 } keep state
        antispoof for { lo $int_if $int_if6 $ext_if $ext_if6 }

        pass in on $ext_if6 inet6 proto {tcp udp} to $darner6 port $fwd_darner keep state
        pass in on $ext_if6 inet6 proto {tcp udp} to $chausie6 port $fwd_chausie keep state
        pass in on $ext_if6 inet6 proto {tcp udp} to $leopard6 port $fwd_leopard keep state
        pass in on $ext_if6 inet6 proto {tcp udp} to any port $allow_all6 keep state
        pass in on $ext_if inet proto {tcp udp} to any port $fwd_darner keep state
        pass in on $ext_if inet proto {tcp udp} to any port $fwd_chausie keep state
        pass in on $ext_if inet proto {tcp udp} to any port $fwd_leopard keep state
        pass in on $ext_if inet proto {tcp udp} to any port $forwarded_ports keep state
        pass in on $int_if from $sipura to any queue voip keep state
        pass in on $int_if proto {tcp udp} from any to any port 53 queue dnsq keep state

##dhclient.conf
        # option definitions common to all supported networks...
        option domain-name "ixazon.lan";
        option domain-name-servers leopard.ixazon.lan, chausie.ixazon.lan;

        default-lease-time 600;
        max-lease-time 7200;

        subnet 192.168.7.0 netmask 255.255.255.0 {
          range 192.168.7.100 192.168.7.255;
          option routers 192.168.7.2;
        }

        host sipura {
          hardware ethernet fa:de:db:ed:fa:ce;
          fixed-address 192.168.7.99;
        }