This is an example excerpt of my firewall rules on OpenBSD servers.
Interface axe1 is an unsecured IPv4 uplink behind an external firewall.
Interface axe0 handles the IPv6 traffic on its own.
cat /etc/pf.conf
### ### ### Srv4 - Web ### ### ###
set skip on lo
pass # to establish keep-state
block in on ! lo0 proto tcp to port 6000:6010
### ### ### Srv4 - Web ### ### ###

### ### ### SBSHosting.biz Services ### ### ###

## Options ###
set block-policy return
### set log interface axe0

### ### ### Unlimited Traffic for AXE1 and Loopback ### ### ###
# unlimited traffic for vpn and loopback
### set skip on {lo0, axe1}

### ### ### BLOCK ALL ### ### ###
block in log all
block out all

### ### ### GREEN INTERFACE ### ### ###
pass in quick on msk0 from any to msk0
pass out quick on msk0 from msk0 to any
set skip on msk0
pass in quick on axe1 from any to axe1
pass out quick on axe1 from axe1 to any
set skip on axe1

### ### ### IPv6 Anti Spoofing ### ### ###
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# antispoof is a common special case of filtering and blocking.
# This mechanism protects against activity from spoofed or forged IP addresses
antispoof log quick for axe0 inet6

### ### ### IPv6 BLOCK NMAP SCANS ### ### ###
# Try to block nmap scans
block in log quick on axe0 inet6 proto tcp from any to any flags FUP/FUP

### ### ### ACCESS CONTROL LIST ### ### ###

### ### ### IPv6 ICMP Internet to Machine Access ### ### ###
# IPv6 - pass in/out all IPv6 ICMP traffic
pass in quick proto icmp6 all
### ### ### IPv6 ICMP Internet to Machine Access ### ### ###

### ### ### IPv6 Administrator Access ### ### ###

### ### ### IPv6 Machine to Internet Access ### ### ###
# Allow outgoing services
pass out on axe0 inet6 proto tcp to any port ssh
pass out on axe0 inet6 proto tcp to any port smtp
pass out on axe0 inet6 proto tcp to any port domain
pass out on axe0 inet6 proto tcp to any port www
pass out on axe0 inet6 proto tcp to any port https
pass out on axe0 inet6 proto tcp to any port 122
pass out on axe0 inet6 proto tcp to any port ntp
pass out on axe0 inet6 proto tcp to any port 43
pass out on axe0 inet6 proto udp to any port domain
pass out on axe0 inet6 proto udp to any port ntp

### ### ### IPv6 Internet Access to Machine ### ### ###
# Allow incoming services
pass in on axe0 inet6 proto tcp from any to axe0 port https
pass in on axe0 inet6 proto tcp from any to axe0 port http
### INCOMING - TunnelBroker - SBSHosting.biz - 1 ###
# 1.tunnel.tser1.pop1.ipv6.he.net
# 2001:470:xxx:xxx::/64
pass in on axe0 inet6 proto tcp from 2001:470:xxx:xxx::/64 to axe0 port ssh
# 2001:470:xxx::/48
pass in on axe0 inet6 proto tcp from 2001:470:xxx::/48 to axe0 port ssh
### INCOMING - TunnelBroker - SBSHosting.biz - 1 ###
# ... and so on ...
# pass in on axe0 inet6 proto udp from any to axe0 port ntp
### ### ### IPv6 Internet Access to Machine ### ### ###

### ### ### IPv6 Trace Route ### ### ###
# Trace route out
pass out on axe0 inet6 proto udp from any to any port 33433 >< 33626 keep state

### ### ### IPv6 Router advertisement ### ### ###
# Router advertisement out
pass out on axe0 inet6 proto icmp6 all icmp6-type routeradv
# Router solicitation in
pass in on axe0 inet6 proto icmp6 all icmp6-type routersol

### ### ### IPv6 ND advertisement ### ### ###
# ND advertisement in
pass in on axe0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}
# ND solicitation out
pass out on axe0 inet6 proto icmp6 all icmp6-type {neighbradv, neighbrsol}

### ### ### IPv6 Ping Pong ### ### ###
# Allow Ping pong in
pass in on axe0 inet6 proto icmp6 all icmp6-type echoreq
# Allow ping pong out
pass out on axe0 inet6 proto icmp6 all icmp6-type echoreq keep state

### ### ### SBSHosting.biz Services ### ### ###
### EOF
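The ruleset above only works as a default-deny policy because pf evaluates rules in order and the last matching rule wins unless a rule carries `quick`; `block in log all` / `block out all` therefore lose to every later `pass`, while the `quick` scan-flag block short-circuits before any `pass`. Interfaces named in `set skip` are never filtered at all, which is why the `pass ... on msk0` and `pass ... on axe1` rules are effectively redundant. To make that evaluation order visible, the following Python script is an added example (not part of the original post and not the author's tooling) that parses a constructed excerpt of the ruleset and replays sample packets against it. It understands only the keywords used in the excerpt, resolves service names from a small built-in table instead of /etc/services, uses the documentation prefix `2001:db8:1:1::/64` in place of the post's `xxx` placeholders, and represents "an address configured on axe0" as the literal destination `axe0`.

```python
"""Minimal pf(4) rule evaluator for a constructed subset of the ruleset above.
Reproduces 'last matching rule wins unless quick' and 'set skip bypasses
filtering'. Not a full pf parser: only on/proto/from/to/port/flags/quick,
in/out and 'set skip on' carry meaning; all other words are ignored."""
import ipaddress

# Service names used in the excerpt, resolved offline (assumed table).
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80, "http": 80,
            "https": 443, "ntp": 123}

# Constructed excerpt; 2001:db8:1:1::/64 stands in for the post's 'xxx' prefix.
RULESET = """
set skip on {lo0, axe1}
block in log all
block out all
block in log quick on axe0 inet6 proto tcp from any to any flags FUP/FUP
pass in quick proto icmp6 all
pass out on axe0 inet6 proto tcp to any port ssh
pass out on axe0 inet6 proto tcp to any port https
pass in on axe0 inet6 proto tcp from any to axe0 port https
pass in on axe0 inet6 proto tcp from any to axe0 port http
pass in on axe0 inet6 proto tcp from 2001:db8:1:1::/64 to axe0 port ssh
"""


def tokenize(line):
    """Drop comments, split braces/commas of pf lists into separate tokens."""
    line = line.split("#", 1)[0].replace("{", " { ").replace("}", " } ")
    return line.replace(",", " ").split()


def parse_rule(line):
    """Return a rule dict, a 'skip' pseudo-rule, or None for empty lines."""
    t = tokenize(line)
    if not t:
        return None
    if t[0] == "set":
        if t[1:3] == ["skip", "on"]:
            return {"action": "skip", "ifaces": [x for x in t[3:] if x not in "{}"]}
        return None  # other 'set' options do not affect matching here
    r = {"action": t[0], "dir": None, "quick": False, "iface": None,
         "proto": None, "src": "any", "dst": "any", "dport": None, "flags": None}
    i = 1
    while i < len(t):
        w = t[i]
        if w in ("in", "out"):
            r["dir"] = w
        elif w == "quick":
            r["quick"] = True
        elif w in ("on", "proto", "from", "to", "flags"):
            i += 1
            r[{"on": "iface", "proto": "proto", "from": "src",
               "to": "dst", "flags": "flags"}[w]] = t[i]
        elif w == "port":
            i += 1
            r["dport"] = SERVICES[t[i]] if t[i] in SERVICES else int(t[i])
        i += 1  # log, inet6, all, keep, state, ... are skipped
    return r


def load(text):
    """Split the ruleset into ordered filter rules and the set of skipped interfaces."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    skip = {i for r in rules if r["action"] == "skip" for i in r["ifaces"]}
    return [r for r in rules if r["action"] != "skip"], skip


def addr_match(spec, addr):
    if spec == "any":
        return True
    if "/" in spec:  # CIDR prefix
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return spec == addr  # interface name or literal address


def rule_matches(r, pkt):
    if r["dir"] and r["dir"] != pkt["dir"]:
        return False
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if not (addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])):
        return False
    if r["dport"] is not None and r["dport"] != pkt.get("dport"):
        return False
    if r["flags"]:  # 'FUP/FUP': every flag in the mask must equal the wanted value
        want, mask = r["flags"].split("/")
        pf = pkt.get("flags", "")
        if any((f in pf) != (f in want) for f in mask):
            return False
    return True


def evaluate(rules, skip, pkt):
    """Return (verdict, winning rule number); pf passes what no rule matches."""
    if pkt["iface"] in skip:
        return "pass", "set skip"
    verdict, winner = "pass", None
    for n, r in enumerate(rules, 1):
        if rule_matches(r, pkt):
            verdict, winner = r["action"], n
            if r["quick"]:
                break  # quick: stop at the first match
    return verdict, winner


RULES, SKIP = load(RULESET)


def verdict(iface, direction, proto, src, dst, dport=None, flags=""):
    pkt = {"iface": iface, "dir": direction, "proto": proto, "src": src,
           "dst": dst, "dport": dport, "flags": flags}
    return evaluate(RULES, SKIP, pkt)[0]


if __name__ == "__main__":
    # Constructed sample packets; 2001:db8:9::/48 is an arbitrary outside network.
    for args in [("axe0", "in", "tcp", "2001:db8:1:1::10", "axe0", 22),
                 ("axe0", "in", "tcp", "2001:db8:9::10", "axe0", 22),
                 ("axe0", "in", "tcp", "2001:db8:9::10", "axe0", 443, "FUP"),
                 ("axe1", "in", "tcp", "203.0.113.5", "axe1", 22)]:
        print(args, "->", verdict(*args))
```

Running the script shows SSH from the constructed tunnel prefix passing while SSH from elsewhere is blocked, a FIN/URG/PSH probe being dropped by the `quick` rule regardless of the later `pass` for port 443, and anything on axe1 passing untouched because of `set skip`.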