I have a small LAN running services, an IPv6 tunnel and a VoIP phone. Its router was a Linksys running DD-WRT, but the router stopped displaying the list of forwarded ports, and eventually wouldn't even change the forwarded ports when told to do so on the command line. I decided to replace it with a DragonFly box called "zyxomma" (the last word in dragonflies) using pf.

What I'd like to do is:

* Several ports are forwarded to the same port on one of the machines behind the firewall. I'd like those ports to be accessible on IPv6 as well.
* Some ports are redirected to a different port on the LAN. They should be accessible via IPv6 at the inside port.
* All other ports on IPv6 should be blocked. They should also be blocked on IPv4 as well, in case some malware running on zyxomma opens a port, but I couldn't get that to work.
* The tunnel should come up, regardless of what IP address I get from DHCP.
* The phone should get its allocated bandwidth at a higher priority so that phone conversations won't have dropouts. Next highest priority is DNS.
* One of my boxes watches SSH connections and blocks all access from IP addresses that make too many password guesses. All access to all my boxes should be blocked from those IP addresses. This isn't set up yet, but the table is there.

## rc.conf

```
gif_interfaces="gif0"
ifconfig_em0="DHCP"
ifconfig_em1="inet 192.168.7.2 netmask 255.255.255.0"
ifconfig_em1_alias0="inet6 2001:470:deaf:beef::2 prefixlen 64"
#gifconfig_gif0="69.132.98.107 216.66.22.2"
gifconfig_gif0="75.176.126.216 216.66.22.2"
ifconfig_gif0="inet6 2001:470:dead:beef::2 2001:470:dead:beef::1 prefixlen 128"
#defaultrouter="192.168.7.1"
ipv6_enable=YES
ipv6_network_interfaces="gif0 em1"
ipv6_gateway_enable=YES
ipv6_defaultrouter="2001:470:dead:beef::1"
rtadvd_enable=YES
rtadvd_interfaces="em1"
pf=YES            # rcrun enable pf
isc_dhcpd=YES     # rcrun enable isc_dhcpd
```

The tunnel setup should be done with an rc.d script, since the IP address isn't known until dhcpcd gets it. I have written it, and it works when run after booting, but I haven't booted it yet. It does not delete the tunnel device because doing so would crash the machine (http://bugs.dragonflybsd.org/issues/2425).

## pf.conf

```
ext_if="em0"
ext_if6="gif0"
int_if="em1"
int_if6="em1"

fwd_darner="{ 14159, 9030 }"
fwd_chausie="{ ftp, http, smtp, ssh }"
fwd_leopard="{ rsync, ntp, 8333 }"
forwarded_ports="{ 110, 2222 }"
allow_all6="{ http ssh }"

darner="192.168.7.5"
darner6="2001:470:deaf:beef:d5aa:96ff:fede:aaeb"
chausie="192.168.7.4"
chausie6="2001:470:deaf:beef:bead:edff:feca:5c05"
leopard="192.168.7.10"
leopard6="2001:470:deaf:beef:2a3:a0ff:fefd:5c5f"
sipura="192.168.7.99"

table persist

scrub in

#Phone conversation takes 10 kB/s each way
#Bandwidth out is 123 kB/s
altq on $int_if cbq bandwidth 984Kb queue { voip,dnsq,rest }
queue voip bandwidth 84Kb priority 3
queue dnsq bandwidth 32Kb priority 2
queue rest bandwidth 868Kb cbq(default,borrow)

nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_darner -> $darner
rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_chausie -> $chausie
rdr inet proto {tcp udp} from !($ext_if) to ($ext_if) port $fwd_leopard -> $leopard
rdr on $ext_if inet proto {tcp udp} from !($ext_if) to ($ext_if) port 110 -> $darner port 6561
rdr on $ext_if inet proto {tcp udp} from !($ext_if) to ($ext_if) port 2222 -> $darner port ssh
nat on $int_if inet proto {tcp udp} from $int_if:network to $darner port $fwd_darner -> $int_if
nat on $int_if inet proto {tcp udp} from $int_if:network to $chausie port $fwd_chausie -> $int_if
nat on $int_if inet proto {tcp udp} from $int_if:network to $leopard port $fwd_leopard -> $int_if

block quick from
block in on $ext_if6
pass out on $ext_if6 keep state
#block in on $ext_if
#pass out on $ext_if keep state
pass quick on { lo $int_if $int_if6 } keep state
antispoof for { lo $int_if $int_if6 $ext_if $ext_if6 }

pass in on $ext_if6 inet6 proto {tcp udp} to $darner6 port $fwd_darner keep state
pass in on $ext_if6 inet6 proto {tcp udp} to $chausie6 port $fwd_chausie keep state
pass in on $ext_if6 inet6 proto {tcp udp} to $leopard6 port $fwd_leopard keep state
pass in on $ext_if6 inet6 proto {tcp udp} to any port $allow_all6 keep state
pass in on $ext_if inet proto {tcp udp} to any port $fwd_darner keep state
pass in on $ext_if inet proto {tcp udp} to any port $fwd_chausie keep state
pass in on $ext_if inet proto {tcp udp} to any port $fwd_leopard keep state
pass in on $ext_if inet proto {tcp udp} to any port $forwarded_ports keep state
pass in on $int_if from $sipura to any queue voip keep state
pass in on $int_if proto {tcp udp} from any to any port 53 queue dnsq keep state
```

## dhclient.conf

```
# option definitions common to all supported networks...
option domain-name "ixazon.lan";
option domain-name-servers leopard.ixazon.lan, chausie.ixazon.lan;

default-lease-time 600;
max-lease-time 7200;

subnet 192.168.7.0 netmask 255.255.255.0 {
  range 192.168.7.100 192.168.7.255;
  option routers 192.168.7.2;
}

host sipura {
  hardware ethernet fa:de:db:ed:fa:ce;
  fixed-address 192.168.7.99;
}
```
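As an added example (not part of the post above, and not the poster's ruleset), here is a default-deny variant for the IPv4 external interface that reuses the post's macros. It relies on two pf behaviours: filter rules are evaluated after `rdr`, so inbound passes must match the translated internal destination, and with `block in` on em0 the DHCP client, the IPv6-in-IPv4 tunnel (protocol 41 from the endpoint named in the post's gifconfig line) and the ICMP messages needed for path-MTU discovery all need explicit passes.

```pf
# Added example: default deny on the IPv4 external interface.
# Assumes $ext_if, $darner, $chausie, $leopard and the $fwd_* macros from the post.

# Drop and log everything arriving on em0 that is not explicitly passed below;
# dropped packets can be reviewed with tcpdump on pflog0.
block in log on $ext_if
pass out on $ext_if keep state

# dhclient on em0 must still receive offers and acks from the ISP's DHCP server.
pass in on $ext_if inet proto udp from any port 67 to any port 68

# Encapsulated IPv6 (protocol 41) from the tunnel endpoint used in gifconfig_gif0.
pass in on $ext_if inet proto 41 from 216.66.22.2 to ($ext_if)

# Echo requests and "unreachable" messages; the latter carry fragmentation-needed
# notices that path-MTU discovery depends on.
pass in on $ext_if inet proto icmp all icmp-type { echoreq, unreach } keep state

# Filter rules see the packet after rdr, so match the internal (translated)
# address and port rather than the public address.
pass in on $ext_if inet proto { tcp udp } to $darner port $fwd_darner keep state
pass in on $ext_if inet proto { tcp udp } to $chausie port $fwd_chausie keep state
pass in on $ext_if inet proto { tcp udp } to $leopard port $fwd_leopard keep state

# Public 110 -> $darner:6561 and public 2222 -> $darner:ssh arrive already translated,
# so the pass rule names the inside ports, not 110 and 2222.
pass in on $ext_if inet proto { tcp udp } to $darner port { 6561, ssh } keep state

# No rule passes traffic to ($ext_if) itself, so a listener opened on zyxomma by
# unexpected software is unreachable from the Internet even though it is bound.
```

Test it with `pfctl -nf /etc/pf.conf` before loading, and check the log with `tcpdump -n -e -ttt -i pflog0` while connecting to each forwarded service from outside.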