From owner-freebsd-net@freebsd.org Tue Jun 18 09:36:18 2019
From: Jamie Landeg-Jones
Message-Id: <201906180936.x5I9aFfm057110@donotpassgo.dyslexicfish.net>
Date: Tue, 18 Jun 2019 10:36:15 +0100
Organization: Dyslexic Fish
To: rfg@tristatelogic.com
Cc: freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Eliminating IPv6 (?)
References: <18748.1560843874@segfault.tristatelogic.com>
In-Reply-To: <18748.1560843874@segfault.tristatelogic.com>
User-Agent: Heirloom mailx 12.4 7/29/08
List-Id: Networking and TCP/IP with FreeBSD

"Ronald F. Guilmette" wrote:

> As I have already learned, the /etc/rc.firewall script also assumes both the
> presence of, and the desirability of IPv6 support. And unless one edits that
> file manually... which I have been effectively forced to do... there is no way
> to get it to simply NOT create and install multiple IPv6-related ipfw rules,

I sympathise with your situation, and maybe /etc/rc.firewall could be a bit more intelligent about it, but when we had 2 separate files, /etc/rc.firewall and /etc/rc.firewall6, it was a pain in the arse, and also made it more likely for mistakes/oversights to occur.

To stop the clutter you mention, and to avoid making the file more complicated for those of us who do dual stack, maybe a wrapper could be made around ipfw to get it to act as a null-op if ip6 is disabled by your suggested rc.conf knob. I'd have it set rule 1 to something like "deny ip6 from any to any", and then ignore any further ip6 rules it encounters.

But yes, I can see how the efforts to unify the 4/6 configurations have made things a bit more complicated for those who only use the one stack (and in the future, people may start getting similarly affected by inet4 stuff complicating their configs!)

Cheers, Jamie
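The wrapper Jamie sketches above, written out as an added example (it is not code from the thread or from FreeBSD's own /etc/rc.firewall). It assumes a hypothetical rc.conf knob named ipv6_enable, since the thread does not name Ronald's proposed knob, and an IPFW_CMD variable so the filtering logic can be exercised with IPFW_CMD=echo on a box that has no ipfw loaded. The IPv6 keyword list in is_ip6_rule is a simplification of the ipfw grammar, not an exhaustive parse:

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.firewall: wrap "ipfw add" so that when
# IPv6 is disabled a single rule 1 denies all ip6 traffic and every later
# IPv6-specific rule is silently dropped instead of being installed.

# Hypothetical knob; a real script would read it from rc.conf.
: "${ipv6_enable:=NO}"
# Command used for rules that survive the filter. Override with
# IPFW_CMD=echo to preview which rules the wrapper would install.
: "${IPFW_CMD:=ipfw}"

# Heuristic: does this rule text name an IPv6 protocol keyword or an
# abbreviated IPv6 literal ("::")? Returns 0 when it does.
is_ip6_rule() {
    case " $* " in
        *" ip6 "*|*" ipv6 "*|*" ipv6-icmp "*|*" icmp6 "*|*" me6 "*|*::*)
            return 0 ;;
    esac
    return 1
}

# Install the catch-all deny as rule 1 when IPv6 is switched off.
fw_init() {
    case "$ipv6_enable" in
        [Nn][Oo]) $IPFW_CMD add 1 deny ip6 from any to any ;;
    esac
}

# Drop-in replacement for "ipfw add ...". With IPv6 off, IPv6 rules are
# ignored because rule 1 already covers them; everything else passes.
fw_add() {
    case "$ipv6_enable" in
        [Nn][Oo])
            if is_ip6_rule "$@"; then
                return 0
            fi
            ;;
    esac
    $IPFW_CMD add "$@"
}

# Demo: "IPFW_CMD=echo sh fw6wrap.sh demo" prints only the rules that
# would actually reach ipfw. The rule numbers are constructed examples.
if [ "${1:-}" = "demo" ]; then
    fw_init
    fw_add 100 allow ip from any to any via lo0
    fw_add 200 deny ip from any to 127.0.0.0/8
    fw_add 300 deny ip from ::1 to any
    fw_add 400 allow ipv6-icmp from any to any
fi
```

With ipv6_enable=NO, the demo installs rule 1 plus rules 100 and 200; rules 300 and 400 never reach ipfw. Set ipv6_enable=YES and the wrapper is transparent, so a dual-stack host keeps the unified rc.firewall behaviour.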