Date: Thu, 09 Feb 2017 17:11:25 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 216942] rc.firewall simple rule ::/96 Message-ID: <bug-216942-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216942 Bug ID: 216942 Summary: rc.firewall simple rule ::/96 Product: Base System Version: 11.0-RELEASE Hardware: amd64 OS: Any Status: New Severity: Affects Only Me Priority: --- Component: conf Assignee: freebsd-bugs@FreeBSD.org Reporter: jasonmader@gmail.com CC: freebsd-amd64@FreeBSD.org CC: freebsd-amd64@FreeBSD.org /etc/rc.firewall SIMPLE sets a couple of IPv6 rules, # Disallow packets to malicious IPv4 compatible prefix. deny all from ::224.0.0.0/100 to any via ${oif6} deny all from any to ::224.0.0.0/100 via ${oif6} deny all from ::127.0.0.0/104 to any via ${oif6} deny all from any to ::127.0.0.0/104 via ${oif6} deny all from ::0.0.0.0/104 to any via ${oif6} deny all from any to ::0.0.0.0/104 via ${oif6} deny all from ::255.0.0.0/104 to any via ${oif6} deny all from any to ::255.0.0.0/104 via ${oif6} deny all from ::0.0.0.0/96 to any via ${oif6} deny all from any to ::0.0.0.0/96 via ${oif6} and a search showed these came from the pages of IPv6 Network Administration: Teaching the Turtle to Dance. But isn't the second section denying ::0.0.0.0/96 redundant to the first section, since all the specific IPv4 compatible addresses are subnets of ::/96? It seems from the book that you would deny ::0.0.0.0/96 if you do not plan to use any compatible addresses, or the others if you were planning to use compatible addresses. Not both at the same time as the simple configuration adds. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-216942-8>