Eliminating IPv6 (?)
CyberLeo Kitsana
cyberleo at cyberleo.net
Wed Jun 19 14:21:56 UTC 2019
On 6/18/19 3:13 PM, Ronald F. Guilmette wrote:
<snip>
> function within /etc/rc.firewall however, I do question the wisdom of
> the following two lines, in particular:
>
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
<snip>
ipfw is a first-match firewall: the first rule encountered that matches
is applied, and the remainder are ignored.
With this in mind, the two rules quoted make sense only in tandem with
the rule before them:
${fwcmd} add 100 pass all from any to any via lo0
The first rule passes all packets on the local interface, including any
packets with an address in 127/8, and ignores all the following rules.
The next two rules block all packets with addresses within 127/8 on all
interfaces. These rules combined will block packets with 127/8 addresses
on non-local interfaces, where that address has no business being in the
first place.
The rationale is that 127/8 addresses should not appear on the network,
but blindly trusting that they never will can open an avenue for remote
attack of services that assume the same.
--
Fuzzy love,
-CyberLeo
<CyberLeo at CyberLeo.Net>
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Element9 Communications
http://www.Element9.net
Furry Peace! - http://www.fur.com/peace/
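An added worked example (not part of the post above, nor of FreeBSD's rc.firewall): a small POSIX shell model of ipfw's first-match walk over the three rules being discussed. It does not touch a live firewall; `fwcmd` is set to `echo` so the rule lines only print, and a constructed rule table plus a trailing rule 65535 stand in for the kernel's list. The default-deny rule 65535 assumes a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT; the interface names `lo0` and `em0` and the sample addresses are constructed for the test.

```shell
#!/bin/sh
# Added example: model ipfw's first-match evaluation of the three
# rc.firewall rules under discussion. Nothing here runs ipfw itself.

# The rule lines as they appear in /etc/rc.firewall; fwcmd is echo here so
# they are printed instead of applied to a live firewall.
fwcmd="echo"
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8
$fwcmd add 300 deny ip from 127.0.0.0/8 to any

# Constructed rule table mirroring those rules plus the default rule:
#   number action src dst iface
# "any" for iface means the rule applies on every interface. Rule 65535 is
# the kernel's default rule, assumed here to be deny (the default unless
# the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT).
RULES='100 pass any any lo0
200 deny any 127/8 any
300 deny 127/8 any any
65535 deny any any any'

# in_127 ADDR: succeed if ADDR lies in 127.0.0.0/8 (dotted-quad prefix check).
in_127() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# match_addr PATTERN ADDR: succeed if ADDR matches PATTERN, which is
# "any", the constructed token "127/8", or a literal address.
match_addr() {
    case "$1" in
        any)   return 0 ;;
        127/8) in_127 "$2" ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# verdict SRC DST IFACE: walk the rule list in order and print the number
# and action of the FIRST rule that matches; later rules are never
# consulted, exactly as ipfw does.
verdict() {
    src=$1 dst=$2 iface=$3
    printf '%s\n' "$RULES" | while read -r num action rsrc rdst riface; do
        [ "$riface" = any ] || [ "$riface" = "$iface" ] || continue
        match_addr "$rsrc" "$src" || continue
        match_addr "$rdst" "$dst" || continue
        echo "$num $action"
        break
    done
}

# Walk-through of the interaction described in the post:
#   loopback traffic on lo0 hits rule 100 and is passed;
#   a 127/8 address arriving on any other interface is caught by 200 or 300.
echo "lo0  127.0.0.1 -> 127.0.0.1 : $(verdict 127.0.0.1 127.0.0.1 lo0)"
echo "em0  10.0.0.5  -> 127.0.0.1 : $(verdict 10.0.0.5 127.0.0.1 em0)"
echo "em0  127.0.0.1 -> 10.0.0.5  : $(verdict 127.0.0.1 10.0.0.5 em0)"
echo "em0  10.0.0.5  -> 10.0.0.6  : $(verdict 10.0.0.5 10.0.0.6 em0)"
```

Reordering the table (putting 200 and 300 ahead of 100) makes the loopback case land on rule 200 instead, which is the point of the post: the two deny rules are only safe because rule 100 has already drained genuine lo0 traffic before they are reached.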