[Bug 216942] rc.firewall simple rule ::/96

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Feb 9 17:11:25 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216942

            Bug ID: 216942
           Summary: rc.firewall simple rule ::/96
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: jasonmader at gmail.com
                CC: freebsd-amd64 at FreeBSD.org

/etc/rc.firewall SIMPLE sets a couple of IPv6 rules,

 # Disallow packets to malicious IPv4 compatible prefix.
 deny all from ::224.0.0.0/100 to any via ${oif6}
 deny all from any to ::224.0.0.0/100 via ${oif6}
 deny all from ::127.0.0.0/104 to any via ${oif6}
 deny all from any to ::127.0.0.0/104 via ${oif6}
 deny all from ::0.0.0.0/104 to any via ${oif6}
 deny all from any to ::0.0.0.0/104 via ${oif6}
 deny all from ::255.0.0.0/104 to any via ${oif6}
 deny all from any to ::255.0.0.0/104 via ${oif6}

 deny all from ::0.0.0.0/96 to any via ${oif6}
 deny all from any to ::0.0.0.0/96 via ${oif6}

and a search showed these came from the pages of IPv6 Network Administration:
Teaching the Turtle to Dance. But isn't the second section denying ::0.0.0.0/96
redundant to the first section, since all the specific IPv4 compatible
addresses are subnets of ::/96?

It seems from the book that you would deny ::0.0.0.0/96 if you do not plan to
use any compatible addresses, or the others if you were planning to use
compatible addresses, not both at the same time, as the simple configuration
adds.
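As an added check (not part of the bug report or of FreeBSD's rc.firewall), the following Python script parses the quoted ipfw rules with the standard ipaddress module and works out the two things the report asks about: which deny rules are already implied by a broader deny on the same direction and interface, and how much of ::/96 would still be reachable if only the specific IPv4-compatible prefixes were denied. The rule text is a constructed copy of the lines above with ${oif6} kept as a literal placeholder; parse_rules, redundant_rules and remaining_after are names chosen for this example.

```python
import ipaddress
import re

# Constructed sample input: the IPv6 deny rules quoted from /etc/rc.firewall
# SIMPLE in the report, with the ${oif6} variable left as a literal placeholder.
RC_FIREWALL_RULES = """\
deny all from ::224.0.0.0/100 to any via ${oif6}
deny all from any to ::224.0.0.0/100 via ${oif6}
deny all from ::127.0.0.0/104 to any via ${oif6}
deny all from any to ::127.0.0.0/104 via ${oif6}
deny all from ::0.0.0.0/104 to any via ${oif6}
deny all from any to ::0.0.0.0/104 via ${oif6}
deny all from ::255.0.0.0/104 to any via ${oif6}
deny all from any to ::255.0.0.0/104 via ${oif6}
deny all from ::0.0.0.0/96 to any via ${oif6}
deny all from any to ::0.0.0.0/96 via ${oif6}
"""

# Only the "deny all from X to Y via IFACE" shape used above is parsed.
RULE_RE = re.compile(r"^deny\s+all\s+from\s+(\S+)\s+to\s+(\S+)\s+via\s+(\S+)$")


def parse_rules(text):
    """Return (direction, network, interface) triples, one per address match.

    'any' carries no prefix to compare, so a rule with 'any' on one side
    yields a single triple for the other side.
    """
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src, dst, iface = m.groups()
        if src != "any":
            rules.append(("from", ipaddress.ip_network(src), iface))
        if dst != "any":
            rules.append(("to", ipaddress.ip_network(dst), iface))
    return rules


def redundant_rules(rules):
    """Return (direction, narrow, broad) for every rule whose prefix is a
    proper subnet of another deny with the same direction and interface;
    the broad deny already drops everything the narrow one would."""
    found = []
    for direction, net, iface in rules:
        for d2, net2, if2 in rules:
            if (d2, if2) == (direction, iface) and net != net2 and net.subnet_of(net2):
                found.append((direction, str(net), str(net2)))
                break
    return found


def remaining_after(broad, specifics):
    """Prefixes of `broad` that none of `specifics` covers, i.e. what would
    still pass if only the specific denies were kept and the broad one dropped."""
    remaining = [broad]
    for spec in specifics:
        nxt = []
        for net in remaining:
            if spec.subnet_of(net):
                nxt.extend(net.address_exclude(spec))  # carve spec out of net
            elif not net.subnet_of(spec):
                nxt.append(net)                         # disjoint: keep as-is
            # otherwise net lies inside spec and is fully covered: drop it
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    parsed = parse_rules(RC_FIREWALL_RULES)
    for direction, narrow, broad in redundant_rules(parsed):
        print(f"{direction} {narrow} is already covered by {direction} {broad}")
    broad96 = ipaddress.ip_network("::/96")
    specifics = [n for d, n, _ in parsed if d == "from" and n != broad96]
    left = remaining_after(broad96, specifics)
    print(f"without the /96 deny, {sum(n.num_addresses for n in left)} "
          f"compatible addresses in {len(left)} prefixes remain reachable")
```

Run as a script it lists the eight specific denies as covered by the two ::/96 denies, which is the containment relation the report points at; remaining_after shows the other half of the trade-off, namely the ::/96 space that stays open if only the four specific prefixes are denied. The ipaddress module prints IPv4-compatible prefixes in hex (::e000:0/100 rather than ::224.0.0.0/100), which is the same network.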
