I have a small LAN running services, an IPv6 tunnel and a VoIP phone. Its router was a Linksys running DD-WRT, but the router stopped displaying the list of forwarded ports, and eventually would not even change the forwarded ports when told to do so on the command line. I decided to replace it with a DragonFly box called "zyxomma" (the last word in dragonflies), using pf.
What I'd like to do is:
* Several ports are forwarded to the same port on one of the machines behind the firewall. I'd like those ports to be accessible on IPv6 as well.
* Some ports are redirected to a different port on the LAN. They should be accessible via IPv6 at the inside port.
* All other ports on IPv6 should be blocked. They should also be blocked on IPv4, in case some malware running on zyxomma opens a port, but I couldn't get that to work.
* The tunnel should come up regardless of what IP address I get from DHCP.
* The phone should get its allocated bandwidth at a higher priority, so that phone conversations won't have dropouts. DNS gets the next highest priority.
* One of my boxes watches SSH connections and blocks all access from IP addresses that make too many password guesses. Those addresses should be blocked from all my boxes. This isn't set up yet, but the table is there.
rc.conf:

    ifconfig_em1="inet 192.168.7.2 netmask 255.255.255.0"
    ifconfig_em1_alias0="inet6 2001:470:deaf:beef::2 prefixlen 64"
    #gifconfig_gif0="69.132.98.107 216.66.22.2"
    gifconfig_gif0="75.176.126.216 216.66.22.2"
    ifconfig_gif0="inet6 2001:470:dead:beef::2 2001:470:dead:beef::1 prefixlen 128"
    #defaultrouter="192.168.7.1"
    ipv6_network_interfaces="gif0 em1"
    ipv6_gateway_enable=YES
    ipv6_defaultrouter="2001:470:dead:beef::1"
    rtadvd_interfaces="em1"
    pf=YES # rcrun enable pf
    isc_dhcpd=YES # rcrun enable isc_dhcpd
The tunnel setup should be done with an rc.d script, since the external IP address isn't known until dhcpcd gets it. I have written it, and it works when run after booting, but I haven't tested it at boot time yet. It does not delete the tunnel device, because doing so would crash the machine (http://bugs.dragonflybsd.org/issues/2425).
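One way to write the bring-up the paragraph describes, as an added example rather than the author's rc.d script: it reads the current IPv4 address of the DHCP-facing interface from ifconfig and sets gif0's endpoints and inside addresses from the values in rc.conf above, without ever destroying gif0. The interface name em0, the ifconfig output format, the constructed sample output and the TUNNEL_UP variable are assumptions, not from the page.

```shell
#!/bin/sh
# Added example (not the author's script): configure the gif tunnel from whatever
# IPv4 address dhcpcd gave the external interface, so rc.conf need not hard-code it.
# Assumptions not taken from the page: the external interface is em0, and
# ifconfig prints the address on a line of the form "inet A.B.C.D netmask ...".
ext_if="${EXT_IF:-em0}"           # assumed DHCP-facing interface
tunnel_remote="216.66.22.2"       # remote endpoint, from the page's gifconfig_gif0
local6="2001:470:dead:beef::2"    # tunnel addresses, from the page's ifconfig_gif0
remote6="2001:470:dead:beef::1"

# Constructed sample of ifconfig output, used by selftest below.
sample_ifconfig='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
        inet 75.176.126.216 netmask 0xfffffe00 broadcast 75.176.127.255'

# extract_inet4: print the first IPv4 address in ifconfig-style text read from
# stdin; exit 1 if there is none (the lease has not arrived yet).
extract_inet4() {
    awk '$1 == "inet" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# tunnel_up: point gif0 at the current external address. It only (re)sets the
# endpoints and inside addresses and never destroys gif0, since the page notes
# that destroying the device crashes the machine.
tunnel_up() {
    local_ip=$(ifconfig "$ext_if" | extract_inet4) || {
        echo "tunnel_up: $ext_if has no IPv4 address yet" >&2
        return 1
    }
    ifconfig gif0 tunnel "$local_ip" "$tunnel_remote" || return 1
    ifconfig gif0 inet6 "$local6" "$remote6" prefixlen 128 || return 1
    # Idempotent: the route may already exist from ipv6_defaultrouter in rc.conf.
    route -n get -inet6 default >/dev/null 2>&1 || route add -inet6 default "$remote6"
}

# selftest: check the parser against the constructed sample without touching
# any interface; returns 0 on success.
selftest() {
    [ "$(printf '%s\n' "$sample_ifconfig" | extract_inet4)" = "75.176.126.216" ] || return 1
    ! printf 'em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500\n' | extract_inet4
}

# Run the real thing only when asked, e.g. from the rc.d script: TUNNEL_UP=1 sh tunnel.sh
if [ "${TUNNEL_UP:-0}" = 1 ]; then tunnel_up; fi
```

Because the script only reads the address and resets the tunnel endpoints, it can be re-run safely each time dhcpcd hands out a new lease.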
pf.conf:

    fwd_darner="{ 14159, 9030 }"
    fwd_chausie="{ ftp, http, smtp, ssh }"
    fwd_leopard="{ rsync, ntp, 8333 }"
    forwarded_ports="{ 110, 2222 }"
    allow_all6="{ http ssh }"
    darner6="2001:470:deaf:beef:d5aa:96ff:fede:aaeb"
    chausie6="2001:470:deaf:beef:bead:edff:feca:5c05"
    leopard="192.168.7.10"
    leopard6="2001:470:deaf:beef:2a3:a0ff:fefd:5c5f"

    # To be filled by the box that watches SSH connections (not set up yet).
    table <bruteforce> persist

    # Phone conversation takes 10 kB/s each way
    # Bandwidth out is 123 kB/s, i.e. 984 Kb/s; voip + dnsq + rest add up to it
    altq on $int_if cbq bandwidth 984Kb queue { voip,dnsq,rest }
    queue voip bandwidth 84Kb priority 3
    queue dnsq bandwidth 32Kb priority 2
    queue rest bandwidth 868Kb cbq(default,borrow)

    nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
    # No "on" clause: these rdr rules match on every interface, so LAN hosts can
    # reach the forwarded services through the external address too.
    rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_darner -> $darner
    rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_chausie -> $chausie
    rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_leopard -> $leopard
    rdr on $ext_if inet proto {tcp udp} from !($ext_if) to ($ext_if) port 110 -> $darner port 6561
    rdr on $ext_if inet proto {tcp udp} from !($ext_if) to ($ext_if) port 2222 -> $darner port ssh
    # Hairpin NAT: rewrite the source of LAN-to-LAN connections that were
    # redirected above, so the server's replies come back through the router.
    nat on $int_if inet proto {tcp udp} from $int_if:network to $darner port $fwd_darner -> $int_if
    nat on $int_if inet proto {tcp udp} from $int_if:network to $chausie port $fwd_chausie -> $int_if
    nat on $int_if inet proto {tcp udp} from $int_if:network to $leopard port $fwd_leopard -> $int_if
    # Drop everything, in either direction, from addresses in the table.
    block quick from <bruteforce>

    pass out on $ext_if6 keep state
    #pass out on $ext_if keep state
    pass quick on { lo $int_if $int_if6 } keep state
    antispoof for { lo $int_if $int_if6 $ext_if $ext_if6 }
    # IPv6: the same services the rdr rules forward, reached at the inside port.
    pass in on $ext_if6 inet6 proto {tcp udp} to $darner6 port $fwd_darner keep state
    pass in on $ext_if6 inet6 proto {tcp udp} to $chausie6 port $fwd_chausie keep state
    pass in on $ext_if6 inet6 proto {tcp udp} to $leopard6 port $fwd_leopard keep state
    pass in on $ext_if6 inet6 proto {tcp udp} to any port $allow_all6 keep state
    # IPv4: let the forwarded and redirected ports in once rdr has rewritten them.
    pass in on $ext_if inet proto {tcp udp} to any port $fwd_darner keep state
    pass in on $ext_if inet proto {tcp udp} to any port $fwd_chausie keep state
    pass in on $ext_if inet proto {tcp udp} to any port $fwd_leopard keep state
    pass in on $ext_if inet proto {tcp udp} to any port $forwarded_ports keep state
    # Queue the phone's traffic and DNS ahead of everything else.
    pass in on $int_if from $sipura to any queue voip keep state
    pass in on $int_if proto {tcp udp} from any to any port 53 queue dnsq keep state
dhcpd.conf:

    # option definitions common to all supported networks...
    option domain-name "ixazon.lan";
    option domain-name-servers leopard.ixazon.lan, chausie.ixazon.lan;
    default-lease-time 600;

    subnet 192.168.7.0 netmask 255.255.255.0 {
        range 192.168.7.100 192.168.7.255;
        option routers 192.168.7.2;

    hardware ethernet fa:de:db:ed:fa:ce;
    fixed-address 192.168.7.99;