Look for an ipfw example using NPTv6


Look for an ipfw example using NPTv6

Michael Sierchio
I'm looking for a simple firewall example using nptv6 to translate
link-local addresses to match the prefix assigned by my ISP.  I'll be using
stateful rules and allowing only outbound traffic.

If you have a snippet, I'll be grateful.  Thanks.

--

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[hidden email]"

Re: Look for an ipfw example using NPTv6

Andrey V. Elsukov
On 18.06.2019 23:00, Michael Sierchio wrote:
> I'm looking for a simple firewall example using nptv6 to translate
> link-local addresses to match the prefix assigned by my ISP.  I'll be using
> stateful rules and allowing only outbound traffic.
>
> If you have a snippet, I'll be grateful.  Thanks.

The NPTv6 module is targeted at translating routed traffic. IPv6 link-local
addresses are not forwardable, so you cannot configure an nptv6
instance with such a prefix.

--
WBR, Andrey V. Elsukov



Re: Look for an ipfw example using NPTv6

Michael Sierchio
Are you saying NPTv6 cannot rewrite a LL prefix to a public prefix, such as
the one held on the external interface?

On Wed, Jun 19, 2019 at 4:26 AM Andrey V. Elsukov <[hidden email]> wrote:

> On 18.06.2019 23:00, Michael Sierchio wrote:
> > I'm looking for a simple firewall example using nptv6 to translate
> > link-local addresses to match the prefix assigned by my ISP.  I'll be
> using
> > stateful rules and allowing only outbound traffic.
> >
> > If you have a snippet, I'll be grateful.  Thanks.
>
> The NPTv6 module is targeted at translating routed traffic. IPv6 link-local
> addresses are not forwardable, so you cannot configure an nptv6
> instance with such a prefix.
>
> --
> WBR, Andrey V. Elsukov
>
>

--

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata

Re: Look for an ipfw example using NPTv6

Andrey V. Elsukov
On 19.06.2019 20:03, Michael Sierchio wrote:

>     On 18.06.2019 23:00, Michael Sierchio wrote:
>     > I'm looking for a simple firewall example using nptv6 to translate
>     > link-local addresses to match the prefix assigned by my ISP.  I'll
>     be using
>     > stateful rules and allowing only outbound traffic.
>     >
>     > If you have a snippet, I'll be grateful.  Thanks.
>
>     The NPTv6 module is targeted at translating routed traffic. IPv6 link-local
>     addresses are not forwardable, so you cannot configure an nptv6
>     instance with such a prefix.
> Are you saying NPTv6 cannot rewrite a LL prefix to a public prefix, such
> as the one held on the external interface?
Yes. A link-local address must belong to a single "link"; the
IPv6 scoped address architecture doesn't allow forwarding packets with
link-local addresses from one link to another.

--
WBR, Andrey V. Elsukov



Re: Look for an ipfw example using NPTv6

Jan Bramkamp-2
In reply to this post by Michael Sierchio
On 18.06.19 22:00, Michael Sierchio wrote:
> I'm looking for a simple firewall example using nptv6 to translate
> link-local addresses to match the prefix assigned by my ISP.  I'll be using
> stateful rules and allowing only outbound traffic.
>
> If you have a snippet, I'll be grateful.  Thanks.
>
This sounds like you're trying to force IPv6 to behave like IPv4 with
longer addresses and have just replaced RFC1918 addresses with link-local
addresses. This isn't going to work because the differences are larger
than just the address length. Link-local addresses are just what the
name says: they are local to the link. A link-local address isn't even
unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1
on the same host.

In theory you can get very close to NAT between global unicast addresses
and private addresses by configuring NPTv6 between global unicast
addresses and unique local addresses, but that would be a terrible
choice. One of the great advantages of IPv6 is that it removes the address
scarcity that forced NAT upon us. Each IPv6 device can have as many global
IPv6 unicast addresses as required.

Would you feel comfortable describing the constraints shaping your
design to us?


Re: Look for an ipfw example using NPTv6

Michael Sierchio
Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
guarantee that it's mine for the duration.

I'm in the process of securing my own IPv6 block, but was hoping for an
interim solution.

One that occurred to me is to use a public ::/56 that's allocated (but
unused) to me in an AWS VPC.  Route advertisements from them would make
them unusable directly, but then NPTv6 would work.

Open to any suggestions.... ;-)

– M

On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp <[hidden email]> wrote:

> On 18.06.19 22:00, Michael Sierchio wrote:
> > I'm looking for a simple firewall example using nptv6 to translate
> > link-local addresses to match the prefix assigned by my ISP.  I'll be
> using
> > stateful rules and allowing only outbound traffic.
> >
> > If you have a snippet, I'll be grateful.  Thanks.
> >
> This sounds like you're trying to force IPv6 to behave like IPv4 with
> longer addresses and have just replaced RFC1918 addresses with link-local
> addresses. This isn't going to work because the differences are larger
> than just the address length. Link-local addresses are just what the
> name says: they are local to the link. A link-local address isn't even
> unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1
> on the same host.
>
> In theory you can get very close to NAT between global unicast addresses
> and private addresses by configuring NPTv6 between global unicast
> addresses and unique local addresses, but that would be a terrible
> choice. One of the great advantages of IPv6 is that it removes the address
> scarcity that forced NAT upon us. Each IPv6 device can have as many global
> IPv6 unicast addresses as required.
>
> Would you feel comfortable describing the constraints shaping your
> design to us?
>
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "[hidden email]"
>


--

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata

Re: Look for an ipfw example using NPTv6

Rodney W. Grimes-6
> Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> guarantee that it's mine for the duration.
>
> I'm in the process of securing my own IPv6 block, but was hoping for an
> interim solution.
>
> One that occurred to me is to use a public ::/56 that's allocated (but
> unused) to me in an AWS VPC.  Route advertisements from them would make
> them unusable directly, but then NPTv6 would work.
>
> Open to any suggestions.... ;-)

Go to the he.net tunnel broker (https://tunnelbroker.net/),
get a tunnel, get a /48, put that behind your NPTv6.  Be Happy.  :-)

> – M
>
> On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp <[hidden email]> wrote:
>
> > On 18.06.19 22:00, Michael Sierchio wrote:
> > > I'm looking for a simple firewall example using nptv6 to translate
> > > link-local addresses to match the prefix assigned by my ISP.  I'll be
> > using
> > > stateful rules and allowing only outbound traffic.
> > >
> > > If you have a snippet, I'll be grateful.  Thanks.
> > >
> > This sounds like you're trying to force IPv6 to behave like IPv4 with
> > longer addresses and have just replaced RFC1918 addresses with link-local
> > addresses. This isn't going to work because the differences are larger
> > than just the address length. Link-local addresses are just what the
> > name says: they are local to the link. A link-local address isn't even
> > unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1
> > on the same host.
> >
> > In theory you can get very close to NAT between global unicast addresses
> > and private addresses by configuring NPTv6 between global unicast
> > addresses and unique local addresses, but that would be a terrible
> > choice. One of the great advantages of IPv6 is that it removes the address
> > scarcity that forced NAT upon us. Each IPv6 device can have as many global
> > IPv6 unicast addresses as required.
> >
> > Would you feel comfortable describing the constraints shaping your
> > design to us?
> >
> > _______________________________________________
> > [hidden email] mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "[hidden email]"
> >
>
>
> --
>
> "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
>
> - The Mahābhārata
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "[hidden email]"
>
>

--
Rod Grimes                                                 [hidden email]

Re: Look for an ipfw example using NPTv6

Mel Pilgrim
In reply to this post by Michael Sierchio
On 2019-06-20 7:35, Michael Sierchio wrote:
> Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> guarantee that it's mine for the duration.

You can work around this by using link-local addresses in your local DNS
horizon, and just let devices on your network autoconf out of the
dynamic /64.

I have a similar arrangement with Comcast, and dhcp6+rtadvd handles
allocation changes flawlessly.

Re: Look for an ipfw example using NPTv6

Andrey V. Elsukov
In reply to this post by Michael Sierchio
On 20.06.2019 17:35, Michael Sierchio wrote:

> Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> guarantee that it's mine for the duration.
>
> I'm in the process of securing my own IPv6 block, but was hoping for an
> interim solution.
>
> One that occurred to me is to use a public ::/56 that's allocated (but
> unused) to me in an AWS VPC.  Route advertisements from them would make
> them unusable directly, but then NPTv6 would work.
>
> Open to any suggestions.... ;-)
You can use some prefix of your own with global IPv6 addresses in the internal
network, and use NPTv6 with the "ext_if external_ifname" option. It will
automatically use the prefix configured on the external interface.
This feature is available in stable/12+.

--
WBR, Andrey V. Elsukov
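
The arrangement Andrey describes, as example code added here (it is not from the thread or from the ipfw project): a script that prints, and optionally applies, an ipfw ruleset for a FreeBSD 12+ router that keeps a fixed internal /64 on the LAN, binds an NPTv6 instance to the WAN interface with the ext_if option so the ISP prefix can change underneath it, and filters statefully, outbound-only, as the original post asked for. The interface names em0/em1, the internal ULA prefix fd00:1234:5678::/64 and the instance name "lan" are assumptions. The skipto/keep-state layout is the pattern the FreeBSD Handbook uses for in-kernel NAT and assumes a translated packet continues through the ruleset (net.inet.ip.fw.one_pass=0); confirm that against ipfw(8) for the release in use. The router also needs net.inet6.ip6.forwarding=1 (ipv6_gateway_enable="YES" in rc.conf).

```shell
#!/bin/sh
# Added example, not code from the thread or the ipfw project.
# Prints an ipfw ruleset with NPTv6 bound to the WAN interface (ext_if);
# with --apply, pipes it through sh -e (run as root on the router).
set -eu

EXT_IF="${EXT_IF:-em0}"                       # assumed WAN interface
INT_IF="${INT_IF:-em1}"                       # assumed LAN interface
INT_PREFIX="${INT_PREFIX:-fd00:1234:5678::}"  # assumed internal prefix (ULA, not link-local)
PREFIXLEN="${PREFIXLEN:-64}"

# Emit the ipfw commands without executing them, so the ruleset can be
# reviewed (or tested) before it touches a live firewall.
gen_rules() {
    cat <<EOF
ipfw -q flush
ipfw -q nptv6 lan destroy 2>/dev/null || true
ipfw -q nptv6 lan create int_prefix ${INT_PREFIX} ext_if ${EXT_IF} prefixlen ${PREFIXLEN}
# loopback and the LAN side are trusted
ipfw add 100 allow ip6 from any to any via lo0
ipfw add 110 allow ip6 from any to any in recv ${INT_IF}
ipfw add 120 allow ip6 from any to any out xmit ${INT_IF}
# inbound on WAN: untranslate before the state lookup; the router's own
# addresses share the ISP prefix, so keep them out of the translation path
ipfw add 200 nptv6 lan ip6 from any to not me6 in recv ${EXT_IF}
ipfw add 210 check-state
# outbound from the internal prefix: record state on the untranslated flow,
# then jump to the translation rule; this sits before the ICMPv6 allow so
# LAN-originated ICMPv6 is translated as well
ipfw add 300 skipto 1000 ip6 from ${INT_PREFIX}/${PREFIXLEN} to any out xmit ${EXT_IF} keep-state
# the router's own outbound traffic, stateful
ipfw add 310 allow ip6 from me6 to any out xmit ${EXT_IF} keep-state
# ICMPv6 errors (PMTUD for translated flows), NDP and router advertisements
ipfw add 400 allow ipv6-icmp from any to any icmp6types 1,2,3,4,133,134,135,136
# echo requests only to the router itself; replies are covered by state
ipfw add 405 allow ipv6-icmp from any to me6 icmp6types 128
# DHCPv6 replies from the ISP's link-local side
ipfw add 410 allow udp from fe80::/10 547 to any 546 in recv ${EXT_IF}
# anything else arriving on WAN is dropped
ipfw add 500 deny ip6 from any to any in recv ${EXT_IF}
# translation target for rule 300, then accept
ipfw add 1000 nptv6 lan ip6 from ${INT_PREFIX}/${PREFIXLEN} to any out xmit ${EXT_IF}
ipfw add 1010 allow ip6 from any to any
EOF
}

if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Run it without arguments to review the rules first. Later packets of a recorded outbound flow match check-state and execute the action of the rule that created the state, so they still take the skipto to the translation rule; inbound packets are untranslated at rule 200 before the state lookup, so the lookup sees the internal addresses the state was keyed on. Because ext_if makes the ISP's prefix the external prefix, the router's own WAN address lives inside it, which is why rule 200 excludes me6.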



Re: Look for an ipfw example using NPTv6

Michael Sierchio
In reply to this post by Rodney W. Grimes-6
I'm currently running 11.2.  What's the recommended dhcpd for ipv6 (or both
ipv4 and ipv6)?

On Thu, Jun 20, 2019 at 7:51 AM Rodney W. Grimes <
[hidden email]> wrote:

> > Oh, the problem is simply that my ISP assigns me a ::/64 but there is no
> > guarantee that it's mine for the duration.
> >
> > I'm in the process of securing my own IPv6 block, but was hoping for an
> > interim solution.
> >
> > One that occurred to me is to use a public ::/56 that's allocated (but
> > unused) to me in an AWS VPC.  Route advertisements from them would make
> > them unusable directly, but then NPTv6 would work.
> >
> > Open to any suggestions.... ;-)
>
> Go to the he.net tunnel broker (https://tunnelbroker.net/),
> get a tunnel, get a /48, put that behind your NPTv6.  Be Happy.  :-)
>
> > – M
> >
> > On Thu, Jun 20, 2019 at 2:57 AM Jan Bramkamp <[hidden email]> wrote:
> >
> > > On 18.06.19 22:00, Michael Sierchio wrote:
> > > > I'm looking for a simple firewall example using nptv6 to translate
> > > > link-local addresses to match the prefix assigned by my ISP.  I'll be
> > > using
> > > > stateful rules and allowing only outbound traffic.
> > > >
> > > > If you have a snippet, I'll be grateful.  Thanks.
> > > >
> > > This sounds like you're trying to force IPv6 to behave like IPv4 with
> > > longer addresses and have just replaced RFC1918 addresses with link-local
> > > addresses. This isn't going to work because the differences are larger
> > > than just the address length. Link-local addresses are just what the
> > > name says: they are local to the link. A link-local address isn't even
> > > unique within a host, e.g. you can have fe80::1234%em0 and fe80::1234%em1
> > > on the same host.
> > >
> > > In theory you can get very close to NAT between global unicast addresses
> > > and private addresses by configuring NPTv6 between global unicast
> > > addresses and unique local addresses, but that would be a terrible
> > > choice. One of the great advantages of IPv6 is that it removes the address
> > > scarcity that forced NAT upon us. Each IPv6 device can have as many global
> > > IPv6 unicast addresses as required.
> > >
> > > Would you feel comfortable describing the constraints shaping your
> > > design to us?
> > >
> > > _______________________________________________
> > > [hidden email] mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > > To unsubscribe, send any mail to "[hidden email]
> "
> > >
> >
> >
> > --
> >
> > "Well," Brahmā said, "even after ten thousand explanations, a fool is no
> > wiser, but an intelligent person requires only two thousand five hundred."
> >
> > - The Mahābhārata
> > _______________________________________________
> > [hidden email] mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "[hidden email]"
> >
> >
>
> --
> Rod Grimes
> [hidden email]
>


--

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata