Date: Thu, 01 Mar 2001 18:06:06 +0900
From: itojun@iijlab.net
To: Darren Reed <darrenr@reed.wattle.id.au>
Cc: freebsd-security@freebsd.org
Subject: Re: IPFILTER IPv6 support non-functional?
Message-ID: <19523.983437566@coconut.itojun.org>
In-Reply-To: darrenr's message of Thu, 01 Mar 2001 19:32:34 +1100. <200103010832.TAA10542@avalon.reed.wattle.id.au>

>But at the same time they WILL NOT MATCH "pass tcp packets" either.
>
>Generally, the policy should be "block everything, permit what you want"
>and in that case you would end up dropping things with IPPROTO_ROUTING,
>etc. Even a basic ruleset like:
>
>block in all
>block out all
>pass out proto tcp/udp all
>pass in proto tcp/udp all
>
>will block all the IPv6 packets with routing headers, etc.

but then what if you would like to permit packets with extension
headers? or like only certain combinations?
most of the existing packet filter languages have the same issue, btw.

itojun
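
One way a filter could express "permit only certain extension headers", as an added example that is not from this thread or from IPFilter: the walker below takes a hypothetical `allowed` bitmask and returns the upper-layer protocol that a rule such as `pass in proto tcp/udp` would then be matched against. The function names, policy bits and sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* IANA protocol numbers for the headers handled here. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43,
       NH_FRAGMENT = 44, NH_DSTOPTS = 60 };
/* Hypothetical policy bits: which extension headers a rule tolerates. */
enum { ALLOW_HOPOPTS = 1, ALLOW_ROUTING = 2, ALLOW_FRAGMENT = 4, ALLOW_DSTOPTS = 8 };

/* Constructed sample: 8-byte routing header (next header = TCP), then 4 TCP bytes. */
const uint8_t sample_rthdr_tcp[] = { 6, 0, 0, 0, 0, 0, 0, 0, 0x04, 0xd2, 0x00, 0x50 };

static unsigned ext_bit(int nh)
{
    switch (nh) {
    case NH_HOPOPTS:  return ALLOW_HOPOPTS;
    case NH_ROUTING:  return ALLOW_ROUTING;
    case NH_FRAGMENT: return ALLOW_FRAGMENT;
    case NH_DSTOPTS:  return ALLOW_DSTOPTS;
    default:          return 0;   /* not an extension header we walk */
    }
}

/*
 * Walk the chain that follows the fixed 40-byte IPv6 header.
 * first_nh: Next Header field of the IPv6 header; p/len: bytes after it.
 * Returns the upper-layer protocol, or -1 if the chain is truncated,
 * too long, or contains an extension header the policy does not allow.
 */
int upper_proto(int first_nh, const uint8_t *p, size_t len, unsigned allowed)
{
    int nh = first_nh;
    size_t off = 0;

    for (int hops = 0; hops < 8; hops++) {      /* bound the chain length */
        unsigned bit = ext_bit(nh);
        if (bit == 0)
            return nh;                          /* reached the upper layer */
        if (!(allowed & bit) || len - off < 8)
            return -1;
        /* Fragment header is a fixed 8 bytes; others are (len field + 1) * 8. */
        size_t hlen = (nh == NH_FRAGMENT) ? 8 : ((size_t)p[off + 1] + 1) * 8;
        if (hlen > len - off)
            return -1;
        nh = p[off];
        off += hlen;
    }
    return -1;
}
```

AH and ESP are not walked here, so they come back as their own protocol numbers and fall through to the default block under the ruleset quoted above.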