
Re: IPv6 prefix length.



On Wed, Dec 04, 2002 at 08:34:56AM -0300, Alejandro G. Belluscio wrote:
>   When I try to configure a rule:
>     block in quick on $IntIF inet6 from ! $IntIF/64 to any
>   I get an error message:
>     /etc/pf.conf:115: illegal netmask value /64
Can you show the output of ifconfig $IntIF? I assume you have both IPv4
and IPv6 addresses assigned to it. Looks like a bug where the /64
netmask is applied to an IPv4 address of the interface, though I can't
reproduce it with -current.
Using '!' on something that potentially expands to a list of addresses
is problematic, as you can easily generate the infamous 'negated list',
which makes the rule apply to all packets.
I personally would use the single IPv6 address, literally, there:
  block in quick on $IntIF inet6 from ! 2001:470:1f00:670::/64
>   Does this come from the fact that the interface can have multiple
>   addresses, so there's no way to have one natural address? So do I have
>   to specify the IP6?
As long as the interface has only a single IPv6 address assigned, it
should work. When there are several addresses, it's wiser to explicitly
use '! addr/mask' instead of '! if/mask', as the latter expands to rules
that would match any packets. If you don't know what I mean, try and run
it through pfctl -nvf, you'll see :)
>   Is there any documentation on how to do
>   firewalling in IPv6?
>   Because I've been trying and I really couldn't find any.
An example rule set that filters IPv6 on gif0 is on
  http://www.benzedrine.cx/pf.conf
and there are plenty of examples linked to from the bottom of
  http://www.benzedrine.cx/pf.html
Daniel
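The 'negated list' Daniel describes is easier to see with the expansion written out. The following is an added illustration, not code from the thread or from pf itself: it mimics pfctl expanding '! $IntIF/64' into one rule per interface address and then evaluates a few source addresses against the expanded rules and against the single literal '! addr/mask' form. The interface addresses, the $IntIF name and the printed rule format are constructed for the example; the family check inside expand_negated_if is a plain-Python stand-in, not pf's real parser.

```python
import ipaddress

# Constructed sample of what `ifconfig $IntIF` might show (hypothetical
# addresses from documentation ranges): one IPv4 address, two IPv6 addresses.
IF_ADDRS = ["192.0.2.1", "2001:db8:1::1", "2001:db8:2::1"]


def expand_negated_if(addrs, prefixlen, version=6):
    """Mimic pfctl turning '! if/mask' into one network per interface
    address of the requested family (inet6 => version 6)."""
    nets = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.version != version:
            # The "illegal netmask value /64" error quoted in the thread is
            # consistent with the mask being applied before a check like this
            # one; here the foreign-family address is simply skipped.
            continue
        nets.append(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False))
    return nets


def expanded_rules(iface, addrs, prefixlen):
    """Rule lines in the shape `pfctl -nvf` prints the expansion
    (constructed format for illustration)."""
    return [f"block in quick on {iface} inet6 from ! {n} to any"
            for n in expand_negated_if(addrs, prefixlen)]


def negated_list_matches(src, nets):
    """Each expanded rule is evaluated on its own, so the packet is blocked
    as soon as its source lies outside *any one* of the networks.  With two
    or more distinct networks that is every possible source."""
    s = ipaddress.ip_address(src)
    return any(s not in n for n in nets)


def single_negation_matches(src, net):
    """The literal form '! 2001:db8:1::/64' keeps a single rule with a
    single negation, which blocks only sources outside that one prefix."""
    return ipaddress.ip_address(src) not in ipaddress.ip_network(net, strict=False)


if __name__ == "__main__":
    for line in expanded_rules("$IntIF", IF_ADDRS, 64):
        print(line)
    nets = expand_negated_if(IF_ADDRS, 64)
    for src in ("2001:db8:1::5", "2001:db8:2::5", "2001:db8:ffff::1"):
        print(src,
              "negated list blocks:", negated_list_matches(src, nets),
              "single negation blocks:",
              single_negation_matches(src, "2001:db8:1::/64"))
```

Running it shows the effect Daniel warns about: with two IPv6 addresses on the interface the expanded pair of rules blocks even a host inside 2001:db8:1::/64, because that host is outside 2001:db8:2::/64 and the second rule fires. Writing the single prefix literally keeps the intended behaviour, which is why checking the expansion with pfctl -nvf before loading a negated interface rule is worth the few seconds.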