Date: Wed, 20 Feb 2002 13:57:21 +0900
From: Hajimu UMEMOTO
To: cjclark@alum.mit.edu
Cc: net@freebsd.org
Subject: Re: Odd Rule in rc.firewall6
In-Reply-To: <20020219185543.T48401@blossom.cjclark.org>
References: <20020219185543.T48401@blossom.cjclark.org>

>>>>> On Tue, 19 Feb 2002 18:55:43 -0800
>>>>> "Crist J. Clark" said:

crist.clark> I was wondering if anyone here could explain this to me:

crist.clark>         # DAD
crist.clark>         ${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::
crist.clark>         ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16

crist.clark> I don't understand that first IPV6-ICMP rule. RFC2373 says,

crist.clark>   2.5.2 The Unspecified Address

crist.clark>      The address 0:0:0:0:0:0:0:0 is called the unspecified address.
crist.clark>      ...
crist.clark>      The unspecified address must not be used as the destination address
crist.clark>      of IPv6 packets or in IPv6 Routing Headers.

crist.clark> That rule sure looks like it is explicitly passing invalid
crist.clark> traffic. Unless someone can enlighten my ignorance here, I'm going to
crist.clark> nuke that rule.

RFC2461 4.3. says:

      Source Address
                     Either an address assigned to the interface from
                     which this message is sent or (if Duplicate Address
                     Detection is in progress [ADDRCONF]) the
                     unspecified address.

So,

        ${fw6cmd} add pass ipv6-icmp from :: to ff02::/16

must be retained.  But, it seems

        ${fw6cmd} add pass ipv6-icmp from ff02::/16 to ::

is not required.  When I wrote this, maybe I was confused.  But, I
cannot test it just now.  I'll test it tonight.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
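
The addressing argument in this exchange, as an added example that is not part of the original message or of rc.firewall6: a small Python matcher that evaluates the two quoted DAD rules against constructed packets and reports which rule can only ever match packets with illegal addressing. It assumes a bare address in a rule means a single host (/128); the function names and the sample packets are made up for illustration.

```python
import ipaddress

# The two DAD rules quoted in the thread, with the ${fw6cmd} prefix dropped.
RULES = [
    "add pass ipv6-icmp from ff02::/16 to ::",
    "add pass ipv6-icmp from :: to ff02::/16",
]
MULTICAST = ipaddress.IPv6Network("ff00::/8")
UNSPECIFIED = ipaddress.IPv6Network("::/128")

def parse_rule(rule):
    """Return (src_net, dst_net). Assumption: a bare address means one host (/128)."""
    words = rule.split()
    src = words[words.index("from") + 1]
    dst = words[words.index("to") + 1]
    return ipaddress.IPv6Network(src), ipaddress.IPv6Network(dst)

def matching_rules(src, dst):
    """Rules whose from/to clauses both match the packet's addresses."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    return [r for r in RULES
            if src in parse_rule(r)[0] and dst in parse_rule(r)[1]]

def violations(src, dst):
    """Addressing errors that make a packet invalid regardless of payload."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    found = []
    if dst.is_unspecified:
        found.append("destination is :: (RFC 2373 2.5.2)")
    if src.is_multicast:
        found.append("source is multicast (RFC 2373 2.7)")
    return found

def passes_only_invalid(rule):
    """True when every packet the rule can match has illegal addressing."""
    src_net, dst_net = parse_rule(rule)
    return dst_net == UNSPECIFIED or src_net.subnet_of(MULTICAST)

if __name__ == "__main__":
    # Constructed sample packets (src, dst); not captured traffic.
    samples = [("::", "ff02::1:ff00:1234"),   # DAD neighbor solicitation
               ("ff02::1", "::"),             # what the first rule describes
               ("fe80::1", "ff02::1")]        # ordinary link-local multicast
    for src, dst in samples:
        print(src, "->", dst, matching_rules(src, dst), violations(src, dst))
    for rule in RULES:
        print(rule, "| only invalid traffic:", passes_only_invalid(rule))
```

The same `passes_only_invalid` check can be run over any other from/to rule pair when auditing a ruleset for clauses that can never match legitimate traffic.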