From owner-freebsd-security Thu Mar 1 1: 6:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97])
    by hub.freebsd.org (Postfix) with ESMTP id B132437B718
    for ; Thu, 1 Mar 2001 01:06:19 -0800 (PST)
    (envelope-from itojun@itojun.org)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1])
    by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id SAA19525;
    Thu, 1 Mar 2001 18:06:06 +0900 (JST)
To: Darren Reed
Cc: freebsd-security@freebsd.org
In-reply-to: darrenr's message of Thu, 01 Mar 2001 19:32:34 +1100. <200103010832.TAA10542@avalon.reed.wattle.id.au>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: IPFILTER IPv6 support non-functional?
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 18:06:06 +0900
Message-ID: <19523.983437566@coconut.itojun.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>But at the same time they WILL NOT MATCH "pass tcp packets" either.
>
>Generally, the policy should be "block everything, permit what you want"
>and in that case you would end up dropping things with IPPROTO_ROUTING,
>etc. Even a basic ruleset like:
>
>block in all
>block out all
>pass out proto tcp/udp all
>pass in proto tcp/udp all
>
>will block all the IPv6 packets with routing headers, etc.

but then what if you would like to permit packets with extension headers?
or like only certain combinations?

most of the existing packet filter languages have the same issue, btw.

itojun

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
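
Added example, not part of the original message and not IPFilter code: a default-block matcher that walks the IPv6 extension header chain and passes TCP/UDP only behind an explicitly allowed header sequence, which is the "only certain combinations" case raised above. The policy names `STRICT` and `SELECTIVE`, the helper functions, and the sample packets are all constructed for illustration; `STRICT` models the behaviour described in the quoted ruleset.

```python
import struct

# Extension headers walked here (IANA protocol numbers). All but Fragment use the
# generic layout: next header (1 byte), hdr ext len (1 byte, in 8-byte units minus 1).
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}
TCP, UDP = 6, 17

def walk_chain(packet):
    """Return (extension header types in order, upper-layer protocol or None)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        if nxt == FRAGMENT:
            size = 8  # the Fragment header has a fixed size
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return chain, None  # non-first fragment: no upper-layer header here
        else:
            size = (packet[off + 1] + 1) * 8
        if off + size > len(packet):
            raise ValueError("extension header runs past end of packet")
        nxt, off = packet[off], off + size
    return chain, nxt

def decide(packet, allowed_chains, allowed_protos=(TCP, UDP)):
    """Default block; pass only an allowed protocol behind an allowed header sequence."""
    try:
        chain, proto = walk_chain(packet)
    except ValueError:
        return "block"
    ok = proto in allowed_protos and tuple(chain) in allowed_chains
    return "pass" if ok else "block"

def build(chain, proto):
    """Constructed sample packet: fixed header, minimal 8-byte extension headers, 8 payload bytes."""
    order = list(chain) + [proto]
    body = b"".join(bytes([order[i + 1], 0]) + bytes(6) for i in range(len(chain)))
    body += bytes(8)
    return struct.pack("!IHBB", 6 << 28, len(body), order[0], 64) + bytes(32) + body

STRICT = {()}                              # no extension headers at all
SELECTIVE = {(), (HOPOPTS,), (DSTOPTS,)}   # hypothetical site policy
if __name__ == "__main__":
    for chain in ([], [DSTOPTS], [ROUTING], [HOPOPTS, ROUTING]):
        pkt = build(chain, TCP)
        print(chain, decide(pkt, STRICT), decide(pkt, SELECTIVE))
```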