Eliminating IPv6 (?)

CyberLeo Kitsana cyberleo at cyberleo.net
Wed Jun 19 14:21:56 UTC 2019

On 6/18/19 3:13 PM, Ronald F. Guilmette wrote:
> function within /etc/rc.firewall however, I do question the wisdom of
> the following two lines, in particular:
>         ${fwcmd} add 200 deny all from any to
>         ${fwcmd} add 300 deny ip from to any

ipfw is a first-match firewall: the first rule encountered that matches 
is applied, and the remainder are ignored.

With this in mind, the two rules quoted make sense only in tandem with 
the rule before them:

${fwcmd} add 100 pass all from any to any via lo0

The first rule passes all packets on the local interface, including any 
packets with an address in 127/8, and ignores all the following rules. 
The next two rules block all packets with addresses within 127/8 on all 
interfaces. These rules combined will block packets with 127/8 addresses 
on non-local interfaces, where that address has no business being in the 
first place.

The rationale is that 127/8 addresses should not appear on the network, 
but blindly trusting that they never will can open an avenue for remote 
attack of services that assume the same.

Fuzzy love,

<CyberLeo at CyberLeo.Net>
Technical Administrator

CyberLeo.Net Webhosting

Element9 Communications

Furry Peace! - http://www.fur.com/peace/

More information about the freebsd-questions mailing list