Current-Users archive


Re: npf bug(?)



In article <Pine.NEB.4.64.1703310723590.22851%6bone.informatik.uni-leipzig.de@localhost>,
 <6bone%6bone.informatik.uni-leipzig.de@localhost> wrote:
>On Thu, 30 Mar 2017, Christos Zoulas wrote:
>
>> All the statistics are incremented in npf_reassembly. This means that they
>> must be ipv4 packets... Don't you have any v4 traffic?
>>
>> christos
>>
>Hello,
>
>the router has only one IPv4 address for management, DNS and 6to4. It 
>routes only IPv6 packets.
>
>npf has only IPv6 rules. Except for the default rule:
>
>group default {
>         pass final all;
>}
>
>So it can really be IPv4 traffic. Can I disable the verification of the 
>fragmentation of IPv4 packets? I want to be sure that no 6to4 IPv4 packets 
>are discarded.

I would add some rules to block the ipv4 traffic, except when it comes from
your 'known hosts' to your 'known interfaces and ports'.

christos


