Date:      Thu, 09 Feb 2017 17:11:25 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 216942] rc.firewall simple rule ::/96
Message-ID:  <bug-216942-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216942

            Bug ID: 216942
           Summary: rc.firewall simple rule ::/96
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: jasonmader@gmail.com
                CC: freebsd-amd64@FreeBSD.org

/etc/rc.firewall SIMPLE sets a couple of IPv6 rules,

 # Disallow packets to malicious IPv4 compatible prefix.
 deny all from ::224.0.0.0/100 to any via ${oif6}
 deny all from any to ::224.0.0.0/100 via ${oif6}
 deny all from ::127.0.0.0/104 to any via ${oif6}
 deny all from any to ::127.0.0.0/104 via ${oif6}
 deny all from ::0.0.0.0/104 to any via ${oif6}
 deny all from any to ::0.0.0.0/104 via ${oif6}
 deny all from ::255.0.0.0/104 to any via ${oif6}
 deny all from any to ::255.0.0.0/104 via ${oif6}

 deny all from ::0.0.0.0/96 to any via ${oif6}
 deny all from any to ::0.0.0.0/96 via ${oif6}

and a search showed these came from the pages of IPv6 Network Administration:
Teaching the Turtle to Dance. But isn't the second section denying ::0.0.0.0/96
redundant with the first section, since all the specific IPv4 compatible
addresses are subnets of ::/96?

It seems from the book that you would deny ::0.0.0.0/96 if you do not plan to
use any compatible addresses, or the others if you were planning to use
compatible addresses. Not both at the same time as the simple configuration
adds.

-- 
You are receiving this mail because:
You are the assignee for the bug.

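The containment question raised in the report can be checked mechanically rather than by eye. The following is an added example, not part of the bug report or of FreeBSD's rc.firewall: it parses the quoted `deny all from X to Y via Z` lines (embedded inline as a constructed sample, with `${oif6}` left unexpanded) with Python's `ipaddress` module and reports every deny rule whose prefix is strictly inside another deny rule for the same direction and interface. Since both rules deny, the narrower one can never change the verdict, whichever comes first in ipfw's first-match evaluation. The `find_redundant_denies` and `covers_ipv4_compatible_space` function names are this example's own.

```python
import re
import ipaddress

# Constructed sample: the IPv6 deny rules quoted from /etc/rc.firewall SIMPLE
# in the bug report above, with the shell variable ${oif6} left as written.
RC_FIREWALL_RULES = """
# Disallow packets to malicious IPv4 compatible prefix.
deny all from ::224.0.0.0/100 to any via ${oif6}
deny all from any to ::224.0.0.0/100 via ${oif6}
deny all from ::127.0.0.0/104 to any via ${oif6}
deny all from any to ::127.0.0.0/104 via ${oif6}
deny all from ::0.0.0.0/104 to any via ${oif6}
deny all from any to ::0.0.0.0/104 via ${oif6}
deny all from ::255.0.0.0/104 to any via ${oif6}
deny all from any to ::255.0.0.0/104 via ${oif6}

deny all from ::0.0.0.0/96 to any via ${oif6}
deny all from any to ::0.0.0.0/96 via ${oif6}
"""

# Only the exact shape used by the rc.firewall SIMPLE rules is recognised.
RULE_RE = re.compile(
    r"^deny\s+all\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+via\s+(?P<iface>\S+)$"
)


def parse_deny_rule(line):
    """Return (direction, network, iface) for one deny line, or None.

    direction is 'from' when the source is constrained and 'to' when the
    destination is; the other side must be 'any' so that prefix containment
    alone decides whether one rule covers another.
    """
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    src, dst, iface = m.group("src"), m.group("dst"), m.group("iface")
    if src != "any" and dst == "any":
        return ("from", ipaddress.ip_network(src), iface)
    if dst != "any" and src == "any":
        return ("to", ipaddress.ip_network(dst), iface)
    return None


def find_redundant_denies(text):
    """Map each deny rule to a broader deny rule (same direction and interface)
    whose prefix already contains it.

    Two deny rules yield the same verdict for any packet matching the narrower
    one, so the narrower rule is redundant regardless of rule order.
    """
    parsed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        p = parse_deny_rule(line)
        if p is not None:
            parsed.append((line, p))

    redundant = {}
    for line, (direction, net, iface) in parsed:
        for other_line, (odir, onet, oiface) in parsed:
            if line == other_line or direction != odir or iface != oiface:
                continue
            # subnet_of() raises on mixed IPv4/IPv6, so compare versions first;
            # equal networks are duplicates, not containment, and are skipped.
            if net.version == onet.version and net != onet and net.subnet_of(onet):
                redundant[line] = other_line
                break
    return redundant


def covers_ipv4_compatible_space(prefix):
    """True when prefix lies inside ::/96, the IPv4-compatible IPv6 block."""
    return ipaddress.ip_network(prefix).subnet_of(ipaddress.ip_network("::/96"))


if __name__ == "__main__":
    for narrow, broad in sorted(find_redundant_denies(RC_FIREWALL_RULES).items()):
        print(f"redundant: {narrow}\n   covered by: {broad}")
```

Run against the quoted rules, all eight `/100` and `/104` rules are reported as covered by the matching `::0.0.0.0/96` rule for the same direction, which is the redundancy the report describes; the two `/96` rules themselves are not flagged. The check is deliberately limited to deny-versus-deny pairs: an `allow` rule placed before a broader `deny` is not redundant, because first-match order then decides the outcome.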