The state of IPv6 and PF?

DutchDaemon

I made a Google Plus post about my FreeBSD/PF firewall easily fending off over 1,500 simultaneous and distributed IPs trying to hack my WordPress (in vain), and received an inquiry from Paul Vixie (if that rings a bell, a quick Google should enlighten you):

I'm still using ipfw, because last I checked, pf on FreeBSD didn't handle IPv6. Have things improved?

I'm guessing they must have. Your experiences are welcome; I'll post a link to this topic.
 
PF on FreeBSD has had support for IPv6 for a very long time. I can't find the exact version when it was first introduced but I've been using it for quite some time now.
 
It works fine for the most part, but any kind of NAT on IPv6 does not work because the rewritten packets will have invalid checksums and are dropped.

Before anyone jumps in and says that NAT is never needed with IPv6, think again. How are you going to get an FTP proxy working on IPv6 without NAT?
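Why a NAT that rewrites addresses but leaves the transport checksum alone produces exactly the drops described above: IPv6 has no header checksum of its own, but the UDP, TCP and ICMPv6 checksums are computed over a pseudo-header that contains the source and destination addresses, so any address rewrite must be followed by a checksum recomputation. The Python below is an added illustration, not code from this thread or from PF; it builds a UDP-over-IPv6 datagram with constructed documentation-prefix addresses and shows the stale checksum after a rewrite and the corrected one.

```python
import ipaddress
import struct

UDP_NEXT_HEADER = 17

def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit words of data into a one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv6_udp_checksum(src: str, dst: str, udp: bytes) -> int:
    """RFC 8200 upper-layer checksum: IPv6 pseudo-header + UDP datagram.

    The pseudo-header is src (16) + dst (16) + upper-layer length (4)
    + three zero bytes + next header (1). The checksum field itself is
    zeroed before summing.
    """
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(udp), UDP_NEXT_HEADER))
    body = udp[:6] + b"\x00\x00" + udp[8:]
    csum = 0xFFFF & ~ones_complement_sum(pseudo + body)
    return csum or 0xFFFF  # UDP transmits a computed 0 as 0xFFFF

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP datagram with a correct checksum for (src, dst)."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ipv6_udp_checksum(src, dst, hdr + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def checksum_valid(src: str, dst: str, udp: bytes) -> bool:
    """What a receiver checks: recompute for the addresses actually seen."""
    return ipv6_udp_checksum(src, dst, udp) == struct.unpack("!H", udp[6:8])[0]

def nat_rewrite_source(udp: bytes, new_src: str, dst: str, recompute: bool) -> bytes:
    """Model a NAT replacing the source address. Only recompute=True fixes the datagram.

    Note: a word of 0xFFFF is zero in one's-complement arithmetic, so a rewrite
    that only inserts 0xFFFF words would leave the sum unchanged by accident.
    """
    if not recompute:
        return udp  # transport bytes untouched: checksum now stale
    fixed = struct.pack("!H", ipv6_udp_checksum(new_src, dst, udp))
    return udp[:6] + fixed + udp[8:]
```

Running checksum_valid against the rewritten source address shows the packet a receiver (or PF's own verification) would drop, and the recompute=True path shows what a correct IPv6 NAT must do.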
 
kpa said:
Before anyone jumps in and says that NAT is never needed with IPv6, think again. How are you going to get an FTP proxy working on IPv6 without NAT?

Can we kill FTP off at the same time please? It's a horrible protocol that should have died back in the '90s or earlier.
 
I am currently migrating from IPFW to PF, partly because I expected more active development. I was a bit disappointed that neither IPFW nor PF supports reassembly of IPv6 fragments. For IPFW, this was mentioned on the mailing list, but no actions have been taken. For PF, this is fixed in OpenBSD 5.0, but FreeBSD still seems to use the PF version of OpenBSD 4.5, and the last activity was about a year ago when Gleb Smirnoff (Glebius) made some substantial patches to PF to make it more FreeBSD-like. So I'm not sure how easy it is to get the OpenBSD 5.x PF features to FreeBSD. I don't expect much anytime soon. Hopefully I'm mistaken.
 