From owner-freebsd-questions@freebsd.org Wed Jun 19 21:46:20 2019
From: "Ronald F. Guilmette"
To: FreeBSD Questions
Subject: Re: Eliminating IPv6 (?)
In-Reply-To: <3aaa4159-38cf-3de0-b0b3-22fe12f14a60@cyberleo.net>
Date: Wed, 19 Jun 2019 14:46:17 -0700
Message-ID: <31386.1560980777@segfault.tristatelogic.com>

In message <3aaa4159-38cf-3de0-b0b3-22fe12f14a60@cyberleo.net>,
CyberLeo Kitsana wrote:

>On 6/18/19 3:13 PM, Ronald F. Guilmette wrote:
>
>> function within /etc/rc.firewall however, I do question the wisdom of
>> the following two lines, in particular:
>>
>> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
>
>
>ipfw is a first-match firewall: the first rule encountered that matches
>is applied, and the remainder are ignored.
>
>With this in mind, the two rules quoted make sense only in tandem with
>the rule before them:
>
>${fwcmd} add 100 pass all from any to any via lo0
>
>The first rule passes all packets on the local interface, including any
>packets with an address in 127/8, and ignores all the following rules.
>The next two rules block all packets with addresses within 127/8 on all
>interfaces. These rules combined will block packets with 127/8 addresses
>on non-local interfaces, where that address has no business being in the
>first place.
>
>The rationale is that 127/8 addresses should not appear on the network,
>but blindly trusting that they never will can open an avenue for remote
>attack of services that assume the same.

I did (and do) understand what the rules do, and I can (and did) infer
what their intent was/is.

This doesn't change any of the following points:

*) If there are packets wandering around on my own little RFC 1918 network
   that have either src or dst of 127/8, then I don't really give a rat's
   ass about that, one way or the other.

*) If I am sending "up" to my ISP packets that have either src or dst set
   to 127/8 then something is REALLY and HORRIBLY wrong at a much deeper
   level, I think, i.e. my ifconfig and/or my local routing table.

*) If my ISP is sending "down" to me packets that have either src or dst
   set to 127/8, then once again, would we not all agree that this is an
   indication of something that has gone horribly horribly wrong someplace?

In short, these rules appear to me to be rather entirely superfluous and
inconsequential:

${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

Their only purpose appears to me to be (a) to burn additional CPU cycles
needlessly and (b) to needlessly slow down many, most or all of my packets
as they attempt to make their way to wherever they are going.

But I am happy to be corrected if that's appropriate.

Regards,
rfg
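The first-match evaluation CyberLeo describes, worked through as an added example that is not part of the thread: a small Python model of the three rc.firewall rules quoted above, run over constructed sample packets, showing why rules 200/300 only make sense after rule 100. It assumes a catch-all rule 65535 that passes whatever the earlier rules did not match, and the interface names lo0 and em0 are illustrative.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of ipfw first-match evaluation; not FreeBSD's own code.
ANY = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

@dataclass
class Rule:
    number: int
    action: str                 # "pass" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str] = None   # interface name, or None for any interface

@dataclass
class Packet:
    src: str
    dst: str
    iface: str

RULESET = [
    Rule(100, "pass", ANY, ANY, via="lo0"),  # add 100 pass all from any to any via lo0
    Rule(200, "deny", ANY, LOOPBACK),        # add 200 deny all from any to 127.0.0.0/8
    Rule(300, "deny", LOOPBACK, ANY),        # add 300 deny ip from 127.0.0.0/8 to any
    Rule(65535, "pass", ANY, ANY),           # assumed catch-all for this model
]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)

def evaluate(ruleset, pkt: Packet):
    """Return (rule number, action) of the first rule that matches, in rule order."""
    for rule in sorted(ruleset, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no rule matched")  # unreachable with the catch-all rule

if __name__ == "__main__":
    samples = [
        Packet("127.0.0.1", "127.0.0.1", "lo0"),  # local service talking to itself
        Packet("127.0.0.1", "10.0.0.5", "em0"),   # 127/8 source on an external interface
        Packet("192.0.2.7", "127.0.0.1", "em0"),  # 127/8 destination on an external interface
        Packet("10.0.0.5", "192.0.2.7", "em0"),   # ordinary traffic
    ]
    for p in samples:
        print(p, "->", evaluate(RULESET, p))
    # Without rule 100, legitimate loopback traffic is caught by rule 200 instead.
    print("without rule 100:", evaluate([r for r in RULESET if r.number != 100], samples[0]))
```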