Eliminating IPv6 (?)
karl at denninger.net
Wed Jun 19 22:06:42 UTC 2019
People on the net spoof packets.
Not all ISPs filter well -- or reliably.
A compromised machine on your LAN may spoof packets too.
Packets from localhost may be (shouldn't be, but sometimes are) implicitly trusted by application code.
The CPU cycles involved are small and the point of using ipfw in the first place is to stop bad things from happening.....
All IMHO.
- Karl (on PDA)
Original Message
From: rfg at tristatelogic.com
Sent: June 19, 2019 17:46
To: freebsd-questions at FreeBSD.org
Subject: Re: Eliminating IPv6 (?)
In message <3aaa4159-38cf-3de0-b0b3-22fe12f14a60 at cyberleo.net>,
CyberLeo Kitsana <cyberleo at cyberleo.net> wrote:
>On 6/18/19 3:13 PM, Ronald F. Guilmette wrote:
><snip>
>> function within /etc/rc.firewall however, I do question the wisdom of
>> the following two lines, in particular:
>>
>> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
>> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
><snip>
>
>ipfw is a first-match firewall: the first rule encountered that matches
>is applied, and the remainder are ignored.
>
>With this in mind, the two rules quoted make sense only in tandem with
>the rule before them:
>
>${fwcmd} add 100 pass all from any to any via lo0
>
>The first rule passes all packets on the local interface, including any
>packets with an address in 127/8, and ignores all the following rules.
>The next two rules block all packets with addresses within 127/8 on all
>interfaces. These rules combined will block packets with 127/8 addresses
>on non-local interfaces, where that address has no business being in the
>first place.
>
>The rationale is that 127/8 addresses should not appear on the network,
>but blindly trusting that they never will can open an avenue for remote
>attack of services that assume the same.
I did (and do) understand what the rules do, and I can (and did) infer
what their intent was/is.
This doesn't change any of the following points:
*) If there are packets wandering around on my own little RFC 1918
network that have either src or dst of 127/8, then I don't really
give a rat's ass about that, one way or the other.
*) If I am sending "up" to my ISP packets that have either
src or dst set to 127/8 then something is REALLY and HORRIBLY wrong
at a much deeper level, I think, i.e. my ifconfig and/or my local
routing table.
*) If my ISP is sending "down" to me packets that have either src or
dst set to 127/8, then once again, would we not all agree that
this is an indication of something that has gone horribly horribly
wrong someplace?
In short, these rules appear to me to be rather entirely superfluous and
inconsequential:
${fwcmd} add 200 deny all from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
Their only purpose appears to me to be (a) to burn additional CPU cycles
needlessly and (b) to needlessly slow down many, most or all of my packets
as they attempt to make their way to wherever they are going.
But I am happy to be corrected if that's appropriate.
Regards,
rfg
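The ordering dependency CyberLeo describes (rule 100 passing lo0 traffic before rules 200 and 300 deny anything in 127/8) is easy to check with a small first-match simulator. The following is an added example, not code from the thread or from FreeBSD's /etc/rc.firewall: the Packet class, the evaluate() and without_rule() helpers and the sample packets are all constructed here, and "via lo0" is modelled simply as "the packet is seen on interface lo0". Packets matched by none of the three rules are reported as (None, None), standing in for whatever the rest of the ruleset decides.

```python
"""First-match evaluation of the three rc.firewall rules from the thread.

Added example (not from the mailing-list post or FreeBSD's rc.firewall).
The rule table mirrors:
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
Assumptions: "via lo0" is modelled as "the packet is seen on interface lo0",
and packets matched by none of the three rules fall through to the rest of
the ruleset, reported here as (None, None).
"""
import ipaddress
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    iface: str  # interface the packet is seen on, e.g. "lo0" or "em0"


def _in_loopback(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LOOPBACK


# (rule number, action, predicate) in the order ipfw consults them.
RULES = [
    (100, "pass", lambda p: p.iface == "lo0"),
    (200, "deny", lambda p: _in_loopback(p.dst)),
    (300, "deny", lambda p: _in_loopback(p.src)),
]


def evaluate(pkt: Packet, rules=RULES):
    """ipfw is first-match: the first rule whose predicate holds decides.

    Returns (rule number, action), or (None, None) when none of the
    given rules matched and later rules would decide.
    """
    for number, action, match in rules:
        if match(pkt):
            return number, action
    return None, None


def without_rule(rules, number):
    """Ruleset with one rule removed, to show why the three belong together."""
    return [r for r in rules if r[0] != number]


# Constructed sample packets (not captured traffic).
LOOPBACK_LOCAL = Packet("127.0.0.1", "127.0.0.1", "lo0")    # normal localhost traffic
SPOOF_TO_LO = Packet("192.168.1.5", "127.0.0.1", "em0")     # 127/8 destination on the LAN NIC
SPOOF_FROM_LO = Packet("127.0.0.1", "192.168.1.5", "em0")   # 127/8 source on the wire
SPOOF_BOTH = Packet("127.0.0.2", "127.0.0.3", "em0")        # matches rules 200 and 300
ORDINARY = Packet("192.168.1.5", "203.0.113.9", "em0")      # untouched by all three


def demo():
    """Evaluate each sample packet, once with and once without rule 100."""
    return {
        "lo0 traffic, full ruleset": evaluate(LOOPBACK_LOCAL),
        "dst 127/8 on em0": evaluate(SPOOF_TO_LO),
        "src 127/8 on em0": evaluate(SPOOF_FROM_LO),
        "both 127/8 on em0 (first match wins)": evaluate(SPOOF_BOTH),
        "ordinary LAN packet": evaluate(ORDINARY),
        # Drop rule 100: rule 200 now eats legitimate localhost traffic.
        "lo0 traffic without rule 100": evaluate(LOOPBACK_LOCAL, without_rule(RULES, 100)),
    }


if __name__ == "__main__":
    for label, (number, action) in demo().items():
        print(f"{label:40s} -> rule {number}: {action}")
```

The last entry is the point of the "in tandem" remark: with rule 100 removed, a plain 127.0.0.1 to 127.0.0.1 packet on lo0 is denied by rule 200, so local services stop talking to each other. The simulator only models rule ordering; on a real host, `ipfw show` is the way to confirm which rule actually counted a given packet. Note that `all` in rule 200 and `ip` in rule 300 are synonyms in ipfw (both match any IP packet), so the two rules differ only in which address they test.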