Eliminating IPv6 (?)

Ronald F. Guilmette rfg at tristatelogic.com
Wed Jun 19 21:46:20 UTC 2019

In message <3aaa4159-38cf-3de0-b0b3-22fe12f14a60 at cyberleo.net>, 
CyberLeo Kitsana <cyberleo at cyberleo.net> wrote:

>On 6/18/19 3:13 PM, Ronald F. Guilmette wrote:
>> function within /etc/rc.firewall however, I do question the wisdom of
>> the following two lines, in particular:
>>         ${fwcmd} add 200 deny all from any to
>>         ${fwcmd} add 300 deny ip from to any
>ipfw is a first-match firewall: the first rule encountered that matches 
>is applied, and the remainder are ignored.
>With this in mind, the two rules quoted make sense only in tandem with 
>the rule before them:
>${fwcmd} add 100 pass all from any to any via lo0
>The first rule passes all packets on the local interface, including any 
>packets with an address in 127/8, and ignores all the following rules. 
>The next two rules block all packets with addresses within 127/8 on all 
>interfaces. These rules combined will block packets with 127/8 addresses 
>on non-local interfaces, where that address has no business being in the 
>first place.
>The rationale is that 127/8 addresses should not appear on the network, 
>but blindly trusting that they never will can open an avenue for remote 
>attack of services that assume the same.

I did (and do) understand what the rules do, and I can (and did) infer
what their intent was/is.

This doesn't change any of the following points:

    *) If there are packets wandering around on my own little RFC 1918
       network that have either src or dst of 127/8, then I don't really
       give a rat's ass about that, one way or the other.

    *) If I am sending "up" to my ISP packets that have either
       src or dst set to 127/8 then something is REALLY and HORRIBLY wrong
       at a much deeper level, I think, i.e. my ifconfig and/or my local
       routing table.

    *) If my ISP is sending "down" to me packets that have either src or
       dst set to 127/8, then once again, would we not all agree that
       this is an indication of something that has gone horribly horribly
       wrong someplace?

In short, these rules appear to me to be rather entirely superfluous and

         ${fwcmd} add 200 deny all from any to
         ${fwcmd} add 300 deny ip from to any

Their only purpose appears to me to be (a) to burn additional CPU cycles
needlessly and (b) to needlessly slow down many, most or all of my packets
as they attempt to make their way to wherever they are going.

But I am happy to be corrected if that's appropriate.


More information about the freebsd-questions mailing list