Date: Wed, 19 Jun 2019 18:06:00 -0400 From: karl@denninger.net To: freebsd-questions@FreeBSD.org Subject: Re: Eliminating IPv6 (?) Message-ID: <9f8vqsc31infl0d0h1hhpo7l.1560981960460@denninger.net>
People on the net spoof packets.
Not all ISPs filter well -- or reliably.
A compromised machine on your LAN may spoof packets too.
Packets from localhost may be (shouldn't be, but sometimes are) implicitly trusted by application code.
The CPU cycles involved are small and the point of using ipfw in the first place is to stop bad things from happening.....
All IMHO.
- Karl (on PDA)
Original Message
From: rfg@tristatelogic.com
Sent: June 19, 2019 17:46
To: freebsd-questions@FreeBSD.org
Subject: Re: Eliminating IPv6 (?)
In message <3aaa4159-38cf-3de0-b0b3-22fe12f14a60@cyberleo.net>,
CyberLeo Kitsana <cyberleo@cyberleo.net> wrote:
>On 6/18/19 3:13 PM, Ronald F. Guilmette wrote:
><snip>
>> function within /etc/rc.firewall however, I do question the wisdom of
>> the following two lines, in particular:
>>
>> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
><snip>
>
>ipfw is a first-match firewall: the first rule encountered that matches
>is applied, and the remainder are ignored.
>
>With this in mind, the two rules quoted make sense only in tandem with
>the rule before them:
>
>${fwcmd} add 100 pass all from any to any via lo0
>
>The first rule passes all packets on the local interface, including any
>packets with an address in 127/8, and ignores all the following rules.
>The next two rules block all packets with addresses within 127/8 on all
>interfaces. These rules combined will block packets with 127/8 addresses
>on non-local interfaces, where that address has no business being in the
>first place.
>
>The rationale is that 127/8 addresses should not appear on the network,
>but blindly trusting that they never will can open an avenue for remote
>attack of services that assume the same.
I did (and do) understand what the rules do, and I can (and did) infer
what their intent was/is.
This doesn't change any of the following points:
*) If there are packets wandering around on my own little RFC 1918
network that have either src or dst of 127/8, then I don't really
give a rat's ass about that, one way or the other.
*) If I am sending "up" to my ISP packets that have either
src or dst set to 127/8 then something is REALLY and HORRIBLY wrong
at a much deeper level, I think, i.e. my ifconfig and/or my local
routing table.
*) If my ISP is sending "down" to me packets that have either src or
dst set to 127/8, then once again, would we not all agree that
this is an indication of something that has gone horribly horribly
wrong someplace?
In short, these rules appear to me to be rather entirely superfluous and
inconsequential:
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
Their only purpose appears to me to be (a) to burn additional CPU cycles
needlessly and (b) to needlessly slow down many, most or all of my packets
as they attempt to make their way to wherever they are going.
But I am happy to be corrected if that's appropriate.
Regards,
rfg
_______________________________________________
freebsd-questions@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
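The first-match behaviour CyberLeo describes, and why the "pass via lo0" rule has to come before the two 127/8 deny rules, can be checked with a small rule-evaluation model. The block below is an added example, not code from this thread or from FreeBSD's rc.firewall or ipfw: the Packet and Rule classes, the sample packets, the interface name em0 and the trailing rule 65535 (standing in for the rest of the ruleset as ipfw's implicit default-deny) are all assumptions; protocols are not modelled, since "all" and "ip" in the quoted rules both mean any IP packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed model of ipfw first-match evaluation; not FreeBSD's ipfw code.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    iface: str  # interface the packet arrives on or leaves through


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                           # "pass" or "deny"
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]  # None means "any"
    via: Optional[str]                    # None means any interface


# Rules 100, 200 and 300 are the three rc.firewall lines quoted in the thread.
# Rule 65535 is an assumed stand-in for the rest of the ruleset: ipfw's
# implicit default rule, which denies everything on a default kernel.
RULES: List[Rule] = [
    Rule(100, "pass", None, None, "lo0"),
    Rule(200, "deny", None, LOOPBACK, None),
    Rule(300, "deny", LOOPBACK, None, None),
    Rule(65535, "deny", None, None, None),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every constraint the rule carries is satisfied by the packet."""
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First-match: return (rule number, action) of the first matching rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no terminal rule; a real ipfw ruleset always ends at 65535")


if __name__ == "__main__":
    # Constructed sample packets (RFC 5737 and RFC 1918 addresses).
    samples = {
        "loopback traffic on lo0":           Packet("127.0.0.1", "127.0.0.1", "lo0"),
        "spoofed dst 127/8 arriving on em0": Packet("203.0.113.5", "127.0.0.1", "em0"),
        "spoofed src 127/8 leaving via em0": Packet("127.0.0.1", "192.168.1.10", "em0"),
        "ordinary LAN packet on em0":        Packet("192.168.1.10", "192.168.1.1", "em0"),
    }
    for label, pkt in samples.items():
        print(f"{label:36s} -> {evaluate(RULES, pkt)}")
    # Drop rule 100 and loopback traffic itself is denied by rule 200.
    print("without rule 100, lo0 traffic ->",
          evaluate(RULES[1:], samples["loopback traffic on lo0"]))
```

Running it shows the three outcomes the thread argues about: real loopback traffic stops at rule 100 and never reaches the deny rules, a packet carrying a 127/8 address on any other interface stops at 200 or 300 regardless of where it came from (the spoofing case Karl raises), and an ordinary LAN packet falls past all three to whatever follows. Removing rule 100 makes rule 200 deny the host's own loopback traffic, which is why the three lines only make sense together.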