From: Hajimu UMEMOTO
Date: Wed, 17 May 2000 06:16:32 +0900 (JST)
To: jim@thehousleys.net
Cc: freebsd-hackers@freebsd.org
Subject: Re: IPv6 and hosts.allow

>>>>> On Tue, 16 May 2000 16:37:07 -0400
>>>>> James Housley said:

> How do you specify IPv6 address?  IPv6 address has `:' in it and it
> conflicts with tcp_wrappers's field separator.  So, you need to wrap
> IPv6 address with `[' and `]'.
>

jim> Like this?

No.  For example:

	ALL : [fe80::]/10

Please see the manpage for host_access(5).

jim> Would you like me to submit a PR with this or can you commit
jim> the changes or better ones???

jim> +# To use IPv6 addresses you must enclose them in []'s
jim> +ALL : [fe80::/10]

To add an example in /etc/hosts.allow is a good idea.  But use of a
link-local address is not so good, because the current IPv6
implementation of tcp_wrappers cannot treat scope-id.  So, this means:

	allow any link-local connections from any neighbor networks

It contains not only ethernet but also gif tunnels, etc.  Do you really
need to allow link-local connections?

I already rewrote tcp_wrappers to support scoped addresses and it is
shipped as KAME ports.  You can obtain it from:

	http://www.imasy.or.jp/~ume/ipv6/tcp_wrappers_7.6-ipv6-1.9.diff.gz

By using this, you can specify:

	ALL : [fe80::%de0]/10 : allow

But this has some limitations.  This is a patch to the original
tcp_wrappers.  And this doesn't work on 5.0-CURRENT nor 4.0-STABLE due
to a getaddrinfo() problem around treatment of IPv4 addresses obtained
by specifying PF_UNSPEC.
To make it work on FreeBSD without an additional KAME package, we
should correct getaddrinfo().  The patch is ready and now in review.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@FreeBSD.org
http://www.imasy.org/~ume/
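
The bracket and scope-id points made in the message above, as an added example that is not part of the original message and is not tcp_wrappers code. It is a simplified model: the function names are hypothetical, the interface name gif0 is constructed, backslash escapes are not handled, and interface names are compared as plain strings.

```python
import ipaddress

def split_fields(rule):
    """Split a hosts.allow rule on ':' except inside [...] (IPv6 literals)."""
    fields, buf, depth = [], [], 0
    for ch in rule:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if depth != 0:
        raise ValueError("unbalanced brackets in rule")
    fields.append("".join(buf).strip())
    return fields

def parse_v6_pattern(pat):
    """Parse '[addr]/len' or '[addr%scope]/len' into (network, scope or None)."""
    if not pat.startswith("[") or "]" not in pat:
        raise ValueError("IPv6 pattern must be wrapped in []")
    inside, _, rest = pat[1:].partition("]")
    if "/" in inside:
        raise ValueError("prefix length goes after ']', e.g. [fe80::]/10")
    if rest and not rest.startswith("/"):
        raise ValueError("unexpected text after ']'")
    addr, _, scope = inside.partition("%")
    net = ipaddress.IPv6Network(f"{addr}/{rest[1:] or '128'}", strict=False)
    return net, scope or None

def matches(pat, client_addr, client_ifname):
    """True if a client seen on client_ifname matches the client pattern."""
    net, scope = parse_v6_pattern(pat)
    if ipaddress.IPv6Address(client_addr) not in net:
        return False
    # With no scope-id in the rule, every interface's link-local peers match.
    return scope is None or scope == client_ifname

if __name__ == "__main__":
    for rule in ("ALL : [fe80::]/10", "ALL : [fe80::%de0]/10 : allow"):
        pattern = split_fields(rule)[1]
        for ifname in ("de0", "gif0"):  # gif0 is a constructed name
            print(rule, "| peer fe80::1 on", ifname, "->",
                  matches(pattern, "fe80::1", ifname))
```
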