From owner-freebsd-net@freebsd.org Wed Jun 19 05:31:19 2019
From: Kevin Oberman
Date: Tue, 18 Jun 2019 22:31:00 -0700
Subject: Re: Eliminating IPv6 (?)
To: "Ronald F. Guilmette"
Cc: FreeBSD Net, Mailinglists FreeBSD
In-Reply-To: <24393.1560893271@segfault.tristatelogic.com>
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Jun 18, 2019 at 2:28 PM Ronald F. Guilmette wrote:
> In message w@mail.gmail.com>
> Andreas Nilsson wrote:
>
> >But why are you even running rc.firewall if it does not do what you want?
>
> You are asking me the very question that *I* have been asking myself
> since my "upgrade" to 12.0.
>
> Why is /etc/rc.firewall even being executed? I never explicitly asked for
> that, but that seems to just be a by-product of how things are arranged
> these days.... a by-product that I have no direct control over.
>
> >Just set firewall_script="/path/to/script" and you're good to go, no ipv6
> >anywhere to be found.
>
> That is *not* what the Handbook says. Please read it.
>
> https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
>
> The way that I am reading section 30.4.1 is that it is telling the user to
> put BOTH of these things into /etc/rc.conf:
>
> firewall_enable="YES"
> firewall_type="path-to-my-rules-file"
>
> And indeed, that is -exactly- what I have done on my prior FreeBSD
> systems... enable *and* configure.
>
> One or the other of those /etc/rc.conf lines nowadays apparently triggers
> /etc/rc.firewall to run. I never explicitly asked for that to run, but
> it did anyway. I am just going with the flow.
>
> Regards,
> rfg

I was hoping to avoid this as I have not worked with IPv6 since I retired 8 years ago, and I worked on this back before then by a couple of years. My memory is not perfect, so excuse any minor errors.

I do know that back when I ran CURRENT I ran into a problem booting the system after ipfw and ipfw6 were merged. It stopped while starting the network if I had IPv6 enabled. At that time, IPv6 was not This was because I used the default net.inet.ip.fw.default_to_accept=0, so an automatic "65535 deny ip from any to any" was placed in ipfw. (This has long been the case and provided precedence for further automatic rules.)

The problem is that IPv6 could not start unless certain IPv6 packets are allowed. I know NDP is required and, generally, certain ICMPv6 types are also needed. Without those rules, IPv6 startup would block, unable to perform SLAAC, the default address assignment method, and DHCPv6, if used. The result was that a set of rules required for IPv6 to come up was added to the rule set by default.

I have never seen this clearly documented except in the code, and it has been changed several times over the years. In at least one case, a change broke my rule set as these rules, unlike the reject-by-default rule and default loopback rule, were assigned real numbers which might fall into places in a rule set that caused incorrect behavior. (Note: I have not read the handbook section on this in a while, so it may be documented by now.)

This really needs proper documentation, but it is now assumed by most OSes, including Windows, MacOS, Linux and FreeBSD, that IPv6 and IPv4 will be enabled by default. As time goes on, it will become more and more likely that disabling IPv6 will become difficult if networks are used at all. It already really requires a custom kernel to completely remove it and, even then, some IPv6 code will still be in the kernel, but unreachable unless someone has spotted these and #ifdef'ed them.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman@gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683
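The thread's two points, that firewall_script replaces /etc/rc.firewall and that a default-deny ipfw set must carry the ICMPv6 rules IPv6 needs to come up, are illustrated below by a minimal custom rule script. This is an added example, not code from the thread, from FreeBSD's rc.firewall or from the Handbook. The ICMPv6 type numbers (133-137 for Neighbor Discovery, 1-4 for errors, 128/129 for echo) and the DHCPv6 ports (546/547) come from the protocol specifications rather than from the thread; the rule numbers, the /etc/ipfw.rules path, the dry-run behaviour and the check_ndp_types helper are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's /etc/rc.firewall):
# a custom ipfw rule script meant to be pointed at by
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"      # assumed path
# in /etc/rc.conf.  The rules rc.firewall would otherwise add for IPv6 are
# carried here explicitly, at rule numbers the administrator chose, so they
# cannot land in the middle of a custom rule set.
#
# Without ipfw available (or without root) the script only prints the
# commands it would run, which makes it reviewable on any host.

IPFW="${IPFW:-/sbin/ipfw}"

if [ -z "${DRY_RUN:-}" ]; then
    if [ -x "$IPFW" ] && [ "$(id -u)" = 0 ]; then DRY_RUN=0; else DRY_RUN=1; fi
fi

# fw: run one ipfw command, or print it in dry-run mode.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        "$IPFW" -q "$@"
    fi
}

# load_rules: install the complete rule set.  Order matters: ipfw stops at
# the first matching rule, so the IPv6 bring-up rules sit before anything
# that could deny them.
load_rules() {
    fw -f flush

    # Loopback, and refuse loopback addresses on real interfaces.
    fw add 100 allow ip from any to any via lo0
    fw add 110 deny ip from any to 127.0.0.0/8
    fw add 120 deny ip from 127.0.0.0/8 to any
    fw add 130 deny ip6 from any to ::1
    fw add 140 deny ip6 from ::1 to any

    # Neighbor Discovery (RFC 4861): router solicitation/advertisement
    # (133/134) for SLAAC, neighbor solicitation/advertisement (135/136) for
    # address resolution and duplicate address detection, redirect (137).
    # Dropping these is what leaves IPv6 unable to come up under default-deny.
    fw add 200 allow ipv6-icmp from any to any icmp6types 133,134,135,136,137

    # ICMPv6 errors (1-4, including packet-too-big for PMTU) and echo (128/129).
    fw add 210 allow ipv6-icmp from any to any icmp6types 1,2,3,4,128,129

    # DHCPv6 (RFC 8415), if used: client port 546, server/relay port 547.
    fw add 220 allow udp from any 546 to any 547 out
    fw add 221 allow udp from any 547 to any 546 in

    # Stateful outbound traffic from this host's own addresses.
    fw add 300 check-state
    fw add 310 allow ip4 from me to any out keep-state
    fw add 320 allow ip6 from me6 to any out keep-state

    # Explicit final deny, logged (logging needs net.inet.ip.fw.verbose=1),
    # so the policy does not depend on the net.inet.ip.fw.default_to_accept
    # tunable behind the implicit rule 65535.
    fw add 65000 deny log ip from any to any
}

# check_ndp_types: given a rule listing (the dry-run output, or "ipfw list"
# from a live box), confirm every ICMPv6 type Neighbor Discovery needs is
# allowed.  Prints the missing types and returns 1 if any are absent.
check_ndp_types() {
    listing="$1"
    missing=""
    for t in 133 134 135 136; do
        if ! printf '%s\n' "$listing" | grep 'allow ipv6-icmp' \
             | grep -qE "icmp6types ([0-9]+,)*${t}(,|\$)"; then
            missing="$missing $t"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing NDP allow rules for ICMPv6 types:$missing" >&2
        return 1
    fi
    return 0
}

load_rules
```

Run as root on a FreeBSD host with ipfw loaded it installs the rules; anywhere else (or with DRY_RUN=1) it prints them, and `check_ndp_types "$(ipfw list)"` can be used against a running system to confirm that a rule set edited by hand still lets Neighbor Discovery through before the final deny.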