Date: Tue, 18 Jun 2019 10:36:15 +0100
From: Jamie Landeg-Jones <jamie@catflap.org>
To: rfg@tristatelogic.com
Cc: freebsd-questions@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Eliminating IPv6 (?)
Message-ID: <201906180936.x5I9aFfm057110@donotpassgo.dyslexicfish.net>
In-Reply-To: <18748.1560843874@segfault.tristatelogic.com>
References: <18748.1560843874@segfault.tristatelogic.com>

"Ronald F. Guilmette" <rfg@tristatelogic.com> wrote:

> As I have already learned, the /etc/rc.firewall script also assumes both the
> presence of, and the desirability of IPv6 support. And unless one edits that
> file manually... which I have been effectively forced to do... there is no way
> to get it to simply NOT create and install multiple IPv6-related ipfw rules,

I sympathise with your situation, and maybe /etc/rc.firewall could be a bit
more intelligent about it, but when we had 2 separate files, /etc/rc.firewall
and /etc/rc.firewall6, it was a pain in the arse, and also made it more likely
of mistakes/oversights occurring.

To stop the clutter you mention, and to avoid making the file more complicated
for us who do dual stack, maybe a wrapper could be made around ipfw to get it
to act as a null-op if ip6 is disabled by your suggested rc.conf knob.

I'd have it set rule 1 to something like "deny ip6 from any to any", and then
ignore any further ip6 rules it encounters.

But yes, I can see how the efforts to unify the 4/6 configurations have made
things a bit more complicated for those who only use the one stack (and in the
future, people may start getting similarly affected by inet4 stuff complicating
their configs!)

Cheers, Jamie
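
The wrapper idea in the message above, sketched as an added example (not code from the message or from FreeBSD). The knob name `ipv6_firewall_disable` and the function names are hypothetical, and the IPv6 detection is a keyword heuristic, not a parser for ipfw rule syntax.

```shell
# Added example: IPv4-only wrapper around ipfw (not FreeBSD's own code).
# ASSUMPTIONS: the knob name and function names below are hypothetical.
IPFW_CMD=${IPFW_CMD:-/sbin/ipfw}                    # override for a dry run
ipv6_firewall_disable=${ipv6_firewall_disable:-NO}  # hypothetical rc.conf knob
_ip6_blocked=0                                      # 1 once rule 1 is installed

# Return 0 if any word of the rule looks IPv6-specific. This is a heuristic:
# IPv6 keywords, or a literal with two or more colons (an IPv4 addr:mask
# pair such as 10.0.0.0:255.0.0.0 has only one and is left alone).
is_ip6_rule() {
    for word in "$@"; do
        case $word in
            *ip6*|*ipv6*|icmp6types|me6|ext6hdr|*:*:*) return 0 ;;
        esac
    done
    return 1
}

# Stand-in for the ipfw command in a rules script: forwards IPv4 rules,
# swallows IPv6 ones.
ipfw_v4only() {
    case $ipv6_firewall_disable in
        [Yy][Ee][Ss]) ;;
        *) "$IPFW_CMD" "$@"; return ;;      # dual stack: plain pass-through
    esac
    if is_ip6_rule "$@"; then
        return 0                            # null-op for IPv6 rules
    fi
    "$IPFW_CMD" "$@" || return
    case " $* " in
        *" flush "*) _ip6_blocked=0 ;;      # flush removed our rule 1
        *" add "*) ;;
        *) return 0 ;;                      # list, show, table...: done
    esac
    if [ "$_ip6_blocked" -eq 0 ]; then
        "$IPFW_CMD" -q add 1 deny ip6 from any to any
        _ip6_blocked=1
    fi
}
```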