Hello,

Seeing the reactions, I think I did not describe my problem well enough. So here 
is a better problem description.

An IPV6-device has many IPV6 addresses. Among them are temporary addresses and 
autogenerated addresses. This is partly because of privacy concerns.

So if an IPV6-device starts a connection with e.g. a temporary address, the 
firewall does not know that address. As a consequence, filtering the outgoing 
traffic of that specific device is not possible.

So given that situation you / the firewall need something else to filter on. 
And the intention is to use the device MAC address for that. That is not that 
special. Other firewalls can do that as well (to a certain extent even the 
OpenBSD pf version).

So the intention is not to do level-2 filtering; the intention is just to use 
the level-2 address as an alternative for the unknown IPV6-address, for level-3 
filtering.

Not different from IPV4-firewall rules using an IPV4-address to block or pass 
incoming or outgoing traffic.

Hope this clarifies things.

Louis
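The point Louis makes above (a host owns several IPv6 addresses, and only some of them can be predicted by the firewall) can be shown concretely. The script below is an added example, not code from this thread or from pf/pfSense. It derives the stable SLAAC address (modified EUI-64, RFC 4291) from a MAC address and a /64 prefix, then classifies a host's observed addresses: the EUI-64 ones are predictable from the MAC, the RFC 4941 temporary ones are not, which is exactly why an address-based rule cannot cover the device. The MAC, prefix and addresses are constructed sample values.

```python
# Added example (not from the freebsd-pf thread): show which of a host's IPv6
# addresses a firewall could predict from its MAC (EUI-64) and which it cannot
# (RFC 4941 temporary addresses with random interface identifiers).
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address like 00:11:22:33:44:55")
    # Insert ff:fe between the OUI and the NIC part and flip the
    # universal/local bit (bit 1 of the first octet), per RFC 4291 App. A.
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 IID: the stable autoconfigured address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def classify(mac: str, addrs) -> dict:
    """Label each observed address 'eui64' (derivable from the MAC) or 'other'.

    Only the low 64 bits are compared, so link-local and global EUI-64
    addresses both count as predictable; temporary addresses do not.
    """
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    low64 = (1 << 64) - 1
    result = {}
    for a in addrs:
        addr_iid = int(ipaddress.IPv6Address(a)) & low64
        result[a] = "eui64" if addr_iid == iid else "other"
    return result


# Constructed sample: one host, its MAC, and the addresses a neighbour
# table might show for it (one EUI-64 global, one EUI-64 link-local,
# two RFC 4941 temporary addresses with random IIDs).
SAMPLE_MAC = "00:0c:29:12:34:56"
SAMPLE_PREFIX = "2001:db8:1::/64"
SAMPLE_ADDRS = [
    "2001:db8:1:0:20c:29ff:fe12:3456",
    "fe80::20c:29ff:fe12:3456",
    "2001:db8:1:0:a1b2:c3d4:e5f6:7890",
    "2001:db8:1:0:9f3e:11aa:2b0c:77d1",
]


def unpredictable_addresses(mac: str, addrs) -> list:
    """Addresses an address-based rule keyed on the MAC-derived address would miss."""
    labels = classify(mac, addrs)
    return [a for a in addrs if labels[a] == "other"]


if __name__ == "__main__":
    print("stable SLAAC address:", slaac_address(SAMPLE_PREFIX, SAMPLE_MAC))
    for addr, label in classify(SAMPLE_MAC, SAMPLE_ADDRS).items():
        print(f"{addr:40} {label}")
    print("missed by an address-based rule:",
          unpredictable_addresses(SAMPLE_MAC, SAMPLE_ADDRS))
```

Run it as-is: the two temporary addresses come back as "other", which is the gap a MAC-keyed rule (as Louis proposes) would close and an IPv6-address rule cannot.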

From: Ultima <[email protected]> 
Sent: Friday, July 10, 2020 10:31 PM
To: [email protected]
Cc: [email protected]
Subject: Re: The best of both worlds “using mac filtering in pf”

Please go in detail about this issue on why you would need to filter layer 2.

I see very little benefit to having the ability to filter on layer 2 except in 
some very special cases and IPv6 isn't one of them that I'm aware of.

Best regards,

Richard Gallamore

On Fri, Jul 10, 2020 at 10:57 AM <[email protected]> wrote:

Hello,

I am using pfSense, built on top of pf. And of course pfSense/pf is a terrific 
firewall, however the world is changing in the direction of IPV6 and that leads 
to new issues and related new requirements.

One of the major issues is that IPV6 does not provide a stable source address 
you can use to filter in your firewall. 

Many firewalls “out there” are *using the level-2 mac as a way around this 
issue*. However ….. pfSense cannot provide that functionality, since it is 
built on top of …… pf.

Tja, and then there is a “striking” issue ….. suppose that pfSense would have 
been built on top of OpenBSD, still using pf ………. That had been possible …….

So as user I would be very pleased if there could be a joined “pf-release” 
having *best of both worlds* !!!!

Assume we were running OpenBSD …… things like

step-1: ifconfig bridge0 rule pass in on fxp0 src <mac-address> tag <sometag>
step-2: And then in pf.conf: pass in on fxp0 tagged <sometag> (policy based 
rule)

would have been an option, …. not saying it is the best option ….. better 
option would be if pf could set the tag itself

Whatever, please consider adding this functionality to pf, preferably on short 
term, since IPV6 is fast becoming very important!

Sincerely,

Louis

PS … should I raise a feature request for this?

_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"