Todo #13634: Update default DHCPv6 rules to follow RFC8415
Status: open
% Done: 0%
Release Notes: Default
Description
The reason for updating these is to have "correct" rules by default. Anything that breaks RFC would potentially need its own user-created rule when the default rules have been changed.
- Following the previous commits, these rules were included as is, seemingly as a precaution at best.
- There were no references to examples of devices not following the basic RFC guidelines of ports.
- Other multicast addresses are used for things like DHCPv6 failover which we have not implemented.
- Ultimately, there are the default allow all rules for in/out so at worst the changes wouldn't break any default setups.
Current rules are:
# for the DHCPv6 client
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
# Add Priority to dhcp6c packets if enabled
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" {$vlantag}
# if DHCPv6 server or relay is enabled
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to fe80::/10 port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::/16 port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
pass {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from ff02::/16 to fe80::/10 port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
# if an IPv6 address exists on the interface either from track-interface or statically assigned
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 546 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
Updated by Marcos M about 2 years ago
Proposed rules:
# for the DHCPv6 client
pass in {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 547 to any port = 546 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client in {$oc['descr']}")}"
# Add Priority to dhcp6c packets if enabled
pass out {$log['pass']} quick on \${$oc['descr']} proto udp from any port = 546 to any port = 547 ridentifier {$increment_tracker()} label "{$fix_rule_label("allow dhcpv6 client out {$oc['descr']}")}" {$vlantag}
# if DHCPv6 server or relay is enabled
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to ff02::1:2 port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 port = 547 to fe80::/10 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
# if an IPv6 address exists on the interface either from track-interface or statically assigned
pass in {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from fe80::/10 to {$oc['ipv6']} port = 547 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
pass out {$log['pass']} quick on \${$oc['descr']} inet6 proto udp from {$oc['ipv6']} port = 547 to fe80::/10 ridentifier {$increment_tracker()} label "allow access to DHCPv6 server"
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/921
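Worked example (added here; it is not pfSense code and not part of the merge request): a small pf-style first-match model of the two rule sets quoted above, run against a handful of constructed DHCPv6 packets. It shows which RFC 8415 exchanges both sets admit, which off-spec port-546 traffic only the current rules admit, and that unicast to the interface address on port 547 is only matched by the proposed set. The address 2001:db8::1 is an assumed stand-in for {$oc['ipv6']}, and a result of None means no DHCPv6 rule matched; on pfSense the packet would then fall through to the default rules the description mentions, so None is "not covered", not "blocked".

```python
"""pf-style first-match model of the ticket's DHCPv6 rules (added example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Optional, Tuple

# Assumed, constructed address standing in for {$oc['ipv6']} in the templates.
IFACE_ADDR = "2001:db8::1/128"
# RFC 8415: All_DHCP_Relay_Agents_and_Servers is ff02::1:2; clients listen on
# UDP 546, servers and relay agents on UDP 547.
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2/128"


@dataclass(frozen=True)
class Rule:
    direction: Optional[str]    # "in", "out", or None when the pf rule has no direction
    src: Optional[IPv6Network]  # None means "any"
    sport: Optional[int]        # None means any source port
    dst: Optional[IPv6Network]
    dport: Optional[int]
    label: str


@dataclass(frozen=True)
class Packet:
    direction: str              # from the firewall's point of view
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int


def rule(direction, src, sport, dst, dport, label) -> Rule:
    net = lambda s: None if s is None else IPv6Network(s)
    return Rule(direction, net(src), sport, net(dst), dport, label)


def pkt(direction, src, sport, dst, dport) -> Packet:
    return Packet(direction, IPv6Address(src), sport, IPv6Address(dst), dport)


SERVER = "allow access to DHCPv6 server"

# Transcribed from the ticket's "Current rules" block (template noise dropped).
CURRENT: Dict[str, List[Rule]] = {
    "client": [
        rule("in", "fe80::/10", 546, "fe80::/10", 546, "allow dhcpv6 client in"),
        rule("in", None, 547, None, 546, "allow dhcpv6 client in"),
        rule("out", None, 546, None, 547, "allow dhcpv6 client out"),
    ],
    "server": [
        rule(None, "fe80::/10", None, "fe80::/10", 546, SERVER),
        rule(None, "fe80::/10", None, "ff02::/16", 546, SERVER),
        rule(None, "fe80::/10", None, "ff02::/16", 547, SERVER),
        rule(None, "ff02::/16", None, "fe80::/10", 547, SERVER),
        rule("in", "fe80::/10", None, IFACE_ADDR, 546, SERVER),
        rule("out", IFACE_ADDR, 547, "fe80::/10", None, SERVER),
    ],
}

# Transcribed from the "Proposed rules" block.
PROPOSED: Dict[str, List[Rule]] = {
    "client": [
        rule("in", None, 547, None, 546, "allow dhcpv6 client in"),
        rule("out", None, 546, None, 547, "allow dhcpv6 client out"),
    ],
    "server": [
        rule("in", "fe80::/10", None, ALL_DHCP_RELAY_AGENTS_AND_SERVERS, 547, SERVER),
        rule("out", "fe80::/10", 547, "fe80::/10", None, SERVER),
        rule("in", "fe80::/10", None, IFACE_ADDR, 547, SERVER),
        rule("out", IFACE_ADDR, 547, "fe80::/10", None, SERVER),
    ],
}


def matches(r: Rule, p: Packet) -> bool:
    """Every field the rule constrains must agree with the packet."""
    if r.direction is not None and r.direction != p.direction:
        return False
    if r.src is not None and p.src not in r.src:
        return False
    if r.sport is not None and r.sport != p.sport:
        return False
    if r.dst is not None and p.dst not in r.dst:
        return False
    return r.dport is None or r.dport == p.dport


def first_match(rules: List[Rule], p: Packet) -> Optional[str]:
    """Label of the first matching rule (pf `quick` semantics), or None."""
    return next((r.label for r in rules if matches(r, p)), None)


# Constructed samples: (interface role, packet). "in" arrives on the interface,
# "out" leaves through it.
SAMPLES: Dict[str, Tuple[str, Packet]] = {
    # RFC 8415 exchanges: Solicit to the multicast group, Advertise back, WAN-side reply.
    "solicit_to_ff02_1_2":   ("server", pkt("in",  "fe80::1",  546, "ff02::1:2",   547)),
    "advertise_link_local":  ("server", pkt("out", "fe80::2",  547, "fe80::1",     546)),
    "wan_reply_to_client":   ("client", pkt("in",  "fe80::ff", 547, "fe80::a",     546)),
    # Unicast to the server's own address on 547 (clients may do this after a Server Unicast option).
    "unicast_to_iface_547":  ("server", pkt("in",  "fe80::1",  546, "2001:db8::1", 547)),
    # Off-spec traffic aimed at the client port 546 that only the current rules match.
    "client_to_client_546":  ("client", pkt("in",  "fe80::1",  546, "fe80::3",     546)),
    "multicast_to_port_546": ("server", pkt("in",  "fe80::1",  546, "ff02::1:2",   546)),
}


def evaluate_all() -> Dict[str, Dict[str, bool]]:
    """For each sample, whether CURRENT and PROPOSED contain a DHCPv6 rule that passes it."""
    return {
        name: {
            "current": first_match(CURRENT[role], p) is not None,
            "proposed": first_match(PROPOSED[role], p) is not None,
        }
        for name, (role, p) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, res in evaluate_all().items():
        print(f"{name:24} current={res['current']!s:5} proposed={res['proposed']}")
```

The model is stateless and ignores everything else in the ruleset, so it only answers "is this packet matched by one of the quoted DHCPv6 rules". It also does not model relay-agent forwarding to remote servers (unicast or the All_DHCP_Servers group ff05::1:3), for which neither quoted rule set contains an entry.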