Todo #13634

open

Update default DHCPv6 rules to follow RFC8415

Added by Marcos M 3 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Assignee:
Category: DHCP (IPv6)
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

The reason for updating these is to have "correct" rules by default. Anything that breaks RFC would potentially need its own user-created rule when the default rules have been changed.

  1. Following the previous commits, these rules were included as-is, seemingly as a precaution at best.
  2. There were no references to examples of devices not following the basic RFC guidelines of ports.
  3. Other multicast addresses are used for things like DHCPv6 failover which we have not implemented.
  4. Ultimately, there are the default allow all rules for in/out so at worst the changes wouldn't break any default setups.

Current rules are:

# for the DHCPv6 client
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" 
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" 
# Add Priority to dhcp6c packets if enabled
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" {$vlantag}

# if DHCPv6 server or relay is enabled
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 

# if an IPv6 address exists on the interface either from track-interface or statically assigned
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 

#1 Updated by Marcos M 3 months ago

Proposed rules:

# for the DHCPv6 client
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}" 
# Add Priority to dhcp6c packets if enabled
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" {$vlantag}

# if DHCPv6 server or relay is enabled
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::1:2 port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 port = 547 to fe80::/10 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 

# if an IPv6 address exists on the interface either from track-interface or statically assigned
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server" 

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/921
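As an added illustration (this is not code from the ticket, the merge request, or pfSense itself), the Python below models the current and proposed rule sets from this ticket with a simplified first-match evaluation and runs a few constructed DHCPv6 packets through both. It reduces each pf rule to direction, source/destination prefix and UDP ports, uses IFADDR (a constructed 2001:db8::1) in place of {$oc['ipv6']}, and assumes the rules are evaluated in the order listed with "quick" semantics. A result of None means no DHCPv6-specific rule matched; on a real pfSense box such a packet falls through to the default rules the ticket mentions, so None is "not covered by these rules", not necessarily "blocked". The sample packets are constructed for the example, following the RFC 8415 port and multicast-address conventions (client 546, server/relay 547, ff02::1:2).

```python
"""Simplified first-match evaluation of the DHCPv6 rule sets in pfSense Todo #13634."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known values from RFC 8415 (sections 7.1 and 7.2).
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"
CLIENT_PORT = 546
SERVER_PORT = 547

# Constructed stand-in for the interface's own address, i.e. {$oc['ipv6']} in the templates.
IFADDR = "2001:db8::1"


@dataclass(frozen=True)
class Rule:
    direction: str          # "in", "out", or "any" for a pass rule with no direction
    src: str                # "any", a CIDR prefix, or the IFADDR placeholder
    sport: Optional[int]    # None means no source-port restriction
    dst: str
    dport: Optional[int]    # None means no destination-port restriction
    label: str


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_in(spec: str, addr: str) -> bool:
    """True if addr falls inside the rule's address specification."""
    if spec == "any":
        return True
    if spec == "IFADDR":
        spec = IFADDR
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Label of the first rule that matches (pf 'quick' semantics), or None if no rule does."""
    for r in rules:
        if r.direction != "any" and r.direction != pkt.direction:
            continue
        if r.sport is not None and r.sport != pkt.sport:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if _addr_in(r.src, pkt.src) and _addr_in(r.dst, pkt.dst):
            return r.label
    return None


# The rule sets from the ticket, transcribed in order (labels shortened).
CURRENT = [
    Rule("in",  "fe80::/10", 546,  "fe80::/10", 546,  "allow dhcpv6 client in"),
    Rule("in",  "any",       547,  "any",       546,  "allow dhcpv6 client in"),
    Rule("out", "any",       546,  "any",       547,  "allow dhcpv6 client out"),
    Rule("any", "fe80::/10", None, "fe80::/10", 546,  "allow access to DHCPv6 server"),
    Rule("any", "fe80::/10", None, "ff02::/16", 546,  "allow access to DHCPv6 server"),
    Rule("any", "fe80::/10", None, "ff02::/16", 547,  "allow access to DHCPv6 server"),
    Rule("any", "ff02::/16", None, "fe80::/10", 547,  "allow access to DHCPv6 server"),
    Rule("in",  "fe80::/10", None, "IFADDR",    546,  "allow access to DHCPv6 server"),
    Rule("out", "IFADDR",    547,  "fe80::/10", None, "allow access to DHCPv6 server"),
]

PROPOSED = [
    Rule("in",  "any",       547,  "any",       546,  "allow dhcpv6 client in"),
    Rule("out", "any",       546,  "any",       547,  "allow dhcpv6 client out"),
    Rule("in",  "fe80::/10", None, ALL_DHCP_RELAY_AGENTS_AND_SERVERS, 547, "allow access to DHCPv6 server"),
    Rule("out", "fe80::/10", 547,  "fe80::/10", None, "allow access to DHCPv6 server"),
    Rule("in",  "fe80::/10", None, "IFADDR",    547,  "allow access to DHCPv6 server"),
    Rule("out", "IFADDR",    547,  "fe80::/10", None, "allow access to DHCPv6 server"),
]

# Constructed sample traffic (fe80::a is this box's link-local address in the scenario).
SAMPLES: Dict[str, Packet] = {
    # RFC 8415 client/server exchange on a LAN where this box is the server
    "solicit_to_multicast": Packet("in",  "fe80::1", CLIENT_PORT, ALL_DHCP_RELAY_AGENTS_AND_SERVERS, SERVER_PORT),
    "advertise_to_client":  Packet("out", "fe80::a", SERVER_PORT, "fe80::1", CLIENT_PORT),
    # client unicasting to the server's global address (allowed by RFC 8415 with the Server Unicast option)
    "unicast_to_ifaddr":    Packet("in",  "fe80::1", CLIENT_PORT, IFADDR, SERVER_PORT),
    # this box acting as DHCPv6 client on an upstream interface
    "reply_from_upstream":  Packet("in",  "fe80::b", SERVER_PORT, "fe80::a", CLIENT_PORT),
    # outside RFC 8415: client port on both ends
    "client_to_client_546": Packet("in",  "fe80::1", CLIENT_PORT, "fe80::2", CLIENT_PORT),
    # outside RFC 8415: multicast with the client port as destination
    "multicast_dport_546":  Packet("in",  "fe80::1", CLIENT_PORT, ALL_DHCP_RELAY_AGENTS_AND_SERVERS, CLIENT_PORT),
}


def compare(samples: Dict[str, Packet] = SAMPLES) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each sample to (label under CURRENT, label under PROPOSED)."""
    return {name: (first_match(CURRENT, p), first_match(PROPOSED, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (cur, new) in compare().items():
        print(f"{name:24s} current={cur!s:32s} proposed={new}")
```

Running it shows the RFC-conforming exchanges matching a DHCPv6 rule under both sets, the two non-conforming packets matching only under the current rules, and the unicast-to-server case matching only under the proposed rules, since the current rule for the interface address uses port 546 where RFC 8415 has the server listening on 547.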
