Re: IPv6 prefix length.
On Wed, Dec 04, 2002 at 08:34:56AM -0300, Alejandro G. Belluscio wrote:
> When I try to configure a rule:
> block in quick on $IntIF inet6 from ! $IntIF/64 to any
> I get an error message:
> /etc/pf.conf:115: illegal netmask value /64
Can you show the output of ifconfig $IntIF, I assume you have both IPv4
and IPv6 addresses assigned to it? Looks like a bug where the /64
netmask is applied to an IPv4 address of the interface, though I can't
reproduce it with -current.
Using '!' on something that potentially expands to a list of addresses
is problematic, as you can easily generate the infamous 'negated list',
which makes the rule apply to all packets.
I personally would use the single IPv6 address, literally, there:
block in quick on $IntIF inet6 from ! 2001:470:1f00:670::/64
> Does this come from the fact that the interface can have multiple
> addresses there's no way to have one natural address. So do I have
> to specify the IP6?
As long as the interface has only a single IPv6 address assigned, it
should work. When there are several addresses, it's wiser to explicitly
use '! addr/mask' instead of '! if/mask', as the latter expands to rules
that would match any packets. If you don't know what I mean, try and run
it through pfctl -nvf, you'll see :)
> Is there any documentation on how to do
> firewalling in IPv6?
> Because I've been trying and I really couldn't find.
An example rule set that filters IPv6 on gif0 is on
and there are plenty of examples linked to from the bottom of
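The 'negated list' effect described above, modelled as an added example that is not part of the original mail: pf expands '! $IntIF/64' into one rule per address on the interface, and since each rule matches everything outside its own /64, together they match every packet. The interface addresses and the 2001:db8::/32 prefixes are constructed sample values.

```python
import ipaddress

# Constructed sample: two IPv6 addresses assumed to be assigned to $IntIF.
INTIF_ADDRS = ["2001:db8:0:1::1", "2001:db8:0:2::1"]


def expand_negated_if(addrs, prefixlen):
    """Model of how pf expands '! $if/mask' when $if carries several
    addresses: one rule per address, each negating only its own network."""
    return [ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
            for a in addrs]


def rule_matches(src, negated_nets):
    """The expanded rule set matches when ANY per-address rule matches,
    and each '! net' rule matches a source that lies outside its net."""
    s = ipaddress.ip_address(src)
    return any(s not in net for net in negated_nets)


def blocked_by_if_rule(src):
    """'block in quick ... from ! $IntIF/64' with several addresses."""
    return rule_matches(src, expand_negated_if(INTIF_ADDRS, 64))


def blocked_by_literal_rule(src, net="2001:db8:0:1::/64"):
    """The single literal '! addr/mask' the mail recommends instead."""
    return ipaddress.ip_address(src) not in ipaddress.ip_network(net)


def main():
    # Sources inside each interface /64 and one from an unrelated prefix.
    for src in ["2001:db8:0:1::42", "2001:db8:0:2::42", "2001:db8:ffff::1"]:
        print(f"{src:20} if-rule blocks: {blocked_by_if_rule(src)!s:5} "
              f"literal-rule blocks: {blocked_by_literal_rule(src)}")


if __name__ == "__main__":
    main()
```

The interface form blocks even hosts in the interface's own /64, which is exactly what pfctl -nvf reveals when it prints the expanded rules.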