From owner-freebsd-questions@freebsd.org Wed Jun 19 14:21:55 2019
Subject: Re: Eliminating IPv6 (?)
To: FreeBSD Questions
Cc: "Ronald F. Guilmette"
From: CyberLeo Kitsana
Date: Wed, 19 Jun 2019 09:21:49 -0500
Message-ID: <3aaa4159-38cf-3de0-b0b3-22fe12f14a60@cyberleo.net>
In-Reply-To: <23905.1560888828@segfault.tristatelogic.com>
References: <23905.1560888828@segfault.tristatelogic.com>
List-Id: User questions

On 6/18/19 3:13 PM, Ronald F. Guilmette wrote:
> function within /etc/rc.firewall however, I do question the wisdom of
> the following two lines, in particular:
>
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

ipfw is a first-match firewall: the first rule encountered that matches is
applied, and the remainder are ignored. With this in mind, the two rules
quoted make sense only in tandem with the rule before them:

${fwcmd} add 100 pass all from any to any via lo0

The first rule passes all packets on the local interface, including any
packets with an address in 127/8, and ignores all the following rules. The
next two rules block all packets with addresses within 127/8 on all
interfaces. These rules combined will block packets with 127/8 addresses on
non-local interfaces, where that address has no business being in the
first place.

The rationale is that 127/8 addresses should not appear on the network,
but blindly trusting that they never will can open an avenue for remote
attack of services that assume the same.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Element9 Communications
http://www.Element9.net

Furry Peace! - http://www.fur.com/peace/
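The first-match behaviour described in the reply above, worked through as an added example (this is not code from the list post, from /etc/rc.firewall, or from FreeBSD). It models the three rules as data, evaluates constructed sample packets against them in rule-number order, and then renumbers the loopback pass rule so it lands after the two deny rules to show why the order matters. The interface name em0 and the sample addresses are assumptions chosen for the illustration; the action of ipfw's real default rule is a kernel build option, so the model takes it as a parameter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str                       # interface the packet is seen on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    number: int                      # ipfw rule number; also the evaluation order
    action: str                      # "pass" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str] = None        # "via lo0": match on that interface, either direction

    def matches(self, p: Packet) -> bool:
        if self.via is not None and p.iface != self.via:
            return False
        return p.src in self.src and p.dst in self.dst


def packet(iface: str, src: str, dst: str) -> Packet:
    return Packet(iface, ipaddress.ip_address(src), ipaddress.ip_address(dst))


# The three rc.firewall rules under discussion, in their original order.
# "all" and "ip" are synonyms in ipfw syntax; both mean any IP packet.
RC_FIREWALL_RULES: List[Rule] = [
    Rule(100, "pass", ANY, ANY, via="lo0"),   # ${fwcmd} add 100 pass all from any to any via lo0
    Rule(200, "deny", ANY, LOOPBACK),         # ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    Rule(300, "deny", LOOPBACK, ANY),         # ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
]


def evaluate(rules: List[Rule], p: Packet, default: str = "pass") -> Tuple[str, Optional[int]]:
    """First-match evaluation: walk the rules by number and stop at the first match.

    Returns (action, rule number), or (default, None) when nothing matched.
    The real default rule (65535) acts according to a kernel build option,
    so its action is a parameter here rather than an assumption.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(p):
            return rule.action, rule.number
    return default, None


def misordered(rules: List[Rule]) -> List[Rule]:
    """Same three rules, but the loopback pass rule renumbered to 400 so that it
    is evaluated after the two deny rules. Used to show the ordering dependency."""
    return [Rule(400 if r.number == 100 else r.number, r.action, r.src, r.dst, r.via)
            for r in rules]


# Constructed sample traffic: one legitimate loopback connection, two packets
# carrying 127/8 addresses that arrive on a real NIC (em0, assumed name), and
# one ordinary packet that none of the three rules is meant to touch.
SAMPLES = {
    "local service on lo0":          packet("lo0", "127.0.0.1", "127.0.0.1"),
    "spoofed to 127.0.0.1 via em0":  packet("em0", "192.0.2.5", "127.0.0.1"),
    "spoofed from 127/8 via em0":    packet("em0", "127.0.0.1", "10.0.0.1"),
    "ordinary traffic via em0":      packet("em0", "192.0.2.5", "10.0.0.1"),
}


def verdicts(rules: List[Rule]) -> dict:
    """Map each sample packet to its (action, rule number) under the given ruleset."""
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for title, rules in (("rc.firewall order", RC_FIREWALL_RULES),
                         ("pass rule moved after the denies", misordered(RC_FIREWALL_RULES))):
        print(title)
        for name, (action, num) in verdicts(rules).items():
            print(f"  {name:32} -> {action} (rule {num})")
```

In the original order the loopback connection is accepted by rule 100 before the deny rules are ever consulted, while both packets that carry a 127/8 address on em0 are dropped by rule 200 or 300. With the pass rule moved behind the denies, the same loopback packet is stopped by rule 200, which is exactly the breakage that makes rules 200 and 300 usable only together with rule 100 ahead of them.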