Re: Set net.inet6.icmp6.nodeinfo default to 0 and disable annoying ip6 logging

From: Marek Zarychta <zarychtam_at_plan-b.pwste.edu.pl>
Date: Thu, 16 Feb 2023 10:50:58 UTC
On 16.02.2023 at 10:22, Ruben van Staveren wrote:
> Hi list,
>
> Given 13.2 is nearing release, would it be possible to have a look at
>
> 257709 – netinet6: Set net.inet6.icmp6.nodeinfo default to 0
> <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257709>
>
> And harden FreeBSD’s default IPv6 security a bit?
>
> Regards,
>     Ruben
>

Hello,

Perhaps it is time to change the defaults, but still, it can easily be
disabled by setting:

sysctl net.inet6.icmp6.nodeinfo=0

My concern is rather the kernel message buffer on IPv6 routers being
flooded with hundreds of entries:

cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2
cannot forward src fe80:10::102a:79ff:fec7:61cf, dst 2001:db8:db8:a028::1, nxt 58, rcvif vlan4, outif vlan2

It's fine that these packets are not being forwarded, but logging them
can't be disabled, only delayed by increasing the value of the sysctl
knob "net.inet6.ip6.log_interval", which is not always the best
solution. It's not always possible to implement BCP38, and even harder
to ask the upstream to implement a BCP38 policy, so silently discarding
those packets would be fine. I am crossposting this to freebsd-net@ to
gain an even wider audience and support. Is the survey on Twitter
required?

Cheers

-- 
Marek Zarychta
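An added example, not part of the thread above and not FreeBSD's own code: when the "cannot forward" lines quoted in the mail pile up in the message buffer, the first practical question is which downstream interface is leaking packets with a link-local source. The script below groups such lines by receiving interface, counting only sources in fe80::/10 (first hextet fe80 through febf). The log lines embedded in it are constructed for this example in the exact format quoted in the mail; on a real router you would feed it `dmesg` or `/var/log/messages` instead.

```shell
#!/bin/sh
# Added example: summarise kernel "cannot forward" lines by receiving
# interface, keeping only link-local (fe80::/10) sources. Sample lines
# below are constructed for this example, in the format quoted above.

SAMPLE_LOG='cannot forward src fe80:10::426:82ff:fe36:1d8, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2
cannot forward src fe80:10::102a:79ff:fec7:61cf, dst 2001:db8:db8:a028::1, nxt 58, rcvif vlan4, outif vlan2
cannot forward src fe80:10::5054:ff:fe12:3456, dst 2001:db8:db8::10, nxt 58, rcvif vlan5, outif vlan2
some unrelated kernel line that must be ignored'

# count_by_rcvif: read log text on stdin, print "<rcvif> <count>" for every
# receiving interface that delivered link-local-sourced packets the router
# refused to forward, busiest interface first.
count_by_rcvif() {
    awk '
        /^cannot forward src / {
            src = ""; rcvif = ""
            # fields are "key value," pairs; strip the trailing comma
            for (i = 1; i <= NF; i++) {
                if ($i == "src")   { src = $(i + 1);   sub(/,$/, "", src) }
                if ($i == "rcvif") { rcvif = $(i + 1); sub(/,$/, "", rcvif) }
            }
            # fe80::/10 means the first 16 bits are fe80 .. febf
            if (tolower(src) ~ /^fe[89ab][0-9a-f]:/ && rcvif != "")
                n[rcvif]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort -k2,2nr -k1,1
}

# Stand-alone run over the constructed sample; replace with: dmesg | count_by_rcvif
printf '%s\n' "$SAMPLE_LOG" | count_by_rcvif
```

Seeing one interface dominate the list tells you where to look for hosts that advertise or route with a link-local source, which is the problem BCP38-style ingress filtering would otherwise hide; the `net.inet6.ip6.log_interval` knob only spaces the messages out, so a summary like this is the cheaper way to make the buffer readable again.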