Date: Wed, 19 Jun 2019 09:21:49 -0500
From: CyberLeo Kitsana <cyberleo@cyberleo.net>
To: FreeBSD Questions <freebsd-questions@FreeBSD.org>
Cc: "Ronald F. Guilmette" <rfg@tristatelogic.com>
Subject: Re: Eliminating IPv6 (?)
Message-ID: <3aaa4159-38cf-3de0-b0b3-22fe12f14a60@cyberleo.net>
In-Reply-To: <23905.1560888828@segfault.tristatelogic.com>
References: <23905.1560888828@segfault.tristatelogic.com>
On 6/18/19 3:13 PM, Ronald F. Guilmette wrote:
<snip>
> function within /etc/rc.firewall however, I do question the wisdom of
> the following two lines, in particular:
>
>   ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>   ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
<snip>

ipfw is a first-match firewall: the first rule encountered that matches is
applied, and the remainder are ignored. With this in mind, the two rules
quoted make sense only in tandem with the rule before them:

  ${fwcmd} add 100 pass all from any to any via lo0

The first rule passes all packets on the local interface, including any
packets with an address in 127/8, and ignores all the following rules. The
next two rules block all packets with addresses within 127/8 on all
interfaces. These rules combined will block packets with 127/8 addresses on
non-local interfaces, where that address has no business being in the first
place.

The rationale is that 127/8 addresses should not appear on the network, but
blindly trusting that they never will can open an avenue for remote attack
of services that assume the same.

-- 
Fuzzy love,
-CyberLeo <CyberLeo@CyberLeo.Net>
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Element9 Communications
http://www.Element9.net
Furry Peace! - http://www.fur.com/peace/
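The first-match behaviour described in the reply above, shown as an added example that is not part of the original mail or of FreeBSD's /etc/rc.firewall. It models only the subset of ipfw syntax the three quoted rules use (pass/deny, `all`/`ip`, `from X to Y`, optional `via <interface>`), evaluates constructed sample packets against them in rule-number order, and also shows what happens to loopback traffic if rule 100 is left out. The interface name `em0`, the 192.0.2.x/198.51.100.x addresses and the assumed `pass` default for the implicit final rule are constructed for the example (the real default of ipfw's last rule depends on the kernel build and rc.firewall profile).

```python
"""First-match evaluation of the three rc.firewall rules quoted in the mail.

Added example; not FreeBSD's or the mail author's code.  Only the syntax
the three rules use is modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int                 # ipfw rule number; evaluation is in this order
    action: str                 # "pass" or "deny"
    src: ipaddress.IPv4Network  # "from" network ("any" -> 0.0.0.0/0)
    dst: ipaddress.IPv4Network  # "to" network
    via: Optional[str] = None   # "via <iface>", or None for any interface


@dataclass(frozen=True)
class Packet:
    src: str    # source address
    dst: str    # destination address
    iface: str  # interface the packet is seen on


ANY = ipaddress.ip_network("0.0.0.0/0")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# The three rules from the mail, in rc.firewall order.
RULES: List[Rule] = [
    Rule(100, "pass", ANY, ANY, via="lo0"),   # pass all from any to any via lo0
    Rule(200, "deny", ANY, LOOPBACK),         # deny all from any to 127.0.0.0/8
    Rule(300, "deny", LOOPBACK, ANY),         # deny ip from 127.0.0.0/8 to any
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies every selector of the rule."""
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[int, str]:
    """Return (rule_number, action) of the first rule that matches.

    ipfw is first-match: once a rule matches, the remaining rules are
    ignored.  If nothing matches, the implicit last rule (65535) decides;
    its action is assumed to be `default` here so the results below come
    only from the three quoted rules.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, default


# Constructed sample traffic (em0 and the 192.0.2.x / 198.51.100.x hosts are
# stand-ins for an external interface and documentation-range peers).
SAMPLES = {
    "loopback on lo0":          Packet("127.0.0.1", "127.0.0.1", "lo0"),
    "to 127/8 arriving on em0": Packet("192.0.2.10", "127.0.0.1", "em0"),
    "from 127/8 leaving em0":   Packet("127.0.0.1", "192.0.2.10", "em0"),
    "ordinary traffic on em0":  Packet("192.0.2.10", "198.51.100.5", "em0"),
}


def decisions(rules: List[Rule]) -> dict:
    """Evaluate every sample packet against the given rule set."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print("with rule 100:")
    for name, result in decisions(RULES).items():
        print(f"  {name:28s} -> rule {result[0]} {result[1]}")
    print("without rule 100 (rules 200/300 alone):")
    for name, result in decisions(RULES[1:]).items():
        print(f"  {name:28s} -> rule {result[0]} {result[1]}")
```

With all three rules, loopback traffic on lo0 is accepted by rule 100 and never reaches the deny rules, while 127/8 addresses seen on em0 are dropped by 200 or 300. Removing rule 100 makes the same loopback packet hit rule 200 and get denied, which is why the mail says the two deny rules make sense only in tandem with it.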