Source-Changes-HG archive
[src/trunk]: src/etc sync with rc.d/network, about IPv6 prefix filters
details: https://anonhg.NetBSD.org/src/rev/407ecbbb35f5
branches: trunk
changeset: 485676:407ecbbb35f5
user: itojun <itojun%NetBSD.org@localhost>
date: Wed May 03 07:04:22 2000 +0000
description:
sync with rc.d/network, about IPv6 prefix filters
(since we still ship it, we need to make it up-to-date)
diffstat:
etc/netstart | 45 ++++++++++++++++++++++++++++++++++++++++++---
1 files changed, 42 insertions(+), 3 deletions(-)
diffs (65 lines):
diff -r 33a49594291e -r 407ecbbb35f5 etc/netstart
--- a/etc/netstart Wed May 03 06:08:45 2000 +0000
+++ b/etc/netstart Wed May 03 07:04:22 2000 +0000
@@ -1,6 +1,6 @@
#!/bin/sh -
#
-# $NetBSD: netstart,v 1.74 2000/02/13 07:47:26 itojun Exp $
+# $NetBSD: netstart,v 1.75 2000/05/03 07:04:22 itojun Exp $
# from: @(#)netstart 8.1 (Berkeley) 7/23/93
if [ -f /etc/rc.subr ]; then
@@ -204,12 +204,51 @@
if ifconfig lo0 inet6 >/dev/null 2>&1; then
# We have IPv6 support in kernel.
- # disallow scoped unicast dest without outgoing scope identifiers.
+ # disallow link-local unicast dest without outgoing scope
+ # identifiers.
+ #
route add -inet6 fe80:: -prefixlen 10 ::1 -reject
- route add -inet6 fc80:: -prefixlen 10 ::1 -reject
+
+ # disallow site-local unicast dest without outgoing scope
+ # identifiers.
+ # If you configure site-locals without scope id (it is
+ # permissible config for routers that are not on scope
+ # boundary), you may want to comment the following one out.
+ #
+ route add -inet6 fec0:: -prefixlen 10 ::1 -reject
# disallow "internal" addresses to appear on the wire.
+ #
route add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject
+
+ # disallow packets to malicious IPv4 compatible prefix
+ #
+ route add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject
+ route add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject
+ route add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject
+ route add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject
+
+ # disallow packets to malicious 6to4 prefix
+ #
+ route add -inet6 2002:e000:: -prefixlen 20 ::1 -reject
+ route add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject
+ route add -inet6 2002:0000:: -prefixlen 24 ::1 -reject
+ route add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject
+
+ # Completely disallow packets to IPv4 compatible prefix.
+ # This may conflict with RFC1933 under following circumstances:
+ # (1) An IPv6-only KAME node tries to originate packets to IPv4
+ # comatible destination. The KAME node has no IPv4
+ # compatible support. Under RFC1933, it should transmit
+ # native IPv6 packets toward IPv4 compatible destination,
+ # hoping it would reach a router that forwards the packet
+ # toward auto-tunnel interface.
+ # (2) An IPv6-only node originates a packet to IPv4 compatible
+ # destination. A KAME node is acting as an IPv6 router, and
+ # asked to forward it.
+ # Due to rare use of IPv4 compatible address, and security
+ # issues with it, we disable it by default.
+ #
route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject
sysctl -w net.inet6.ip6.forwarding=0 >/dev/null
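Review bot: the four rejects under "disallow packets to malicious IPv4 compatible prefix" (::224.0.0.0/100, ::127.0.0.0/104, ::0.0.0.0/104 and ::255.0.0.0/104) are all more specific than the blanket "route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject" added at the end of this hunk, so in the default configuration they add routing-table entries without changing what gets rejected; either drop them or add a comment saying they exist for administrators who comment out the ::/96 reject, a case the RFC1933 comment block already anticipates. The ::/96 reject also covers the unspecified address :: and the loopback ::1; ::1 stays reachable only because the lo0 host route is more specific than the reject route, which is worth stating in the comment so nobody removes that assumption later. Replacing "fc80:: -prefixlen 10" with "fec0:: -prefixlen 10" is a real correction rather than a rewording: site-local unicast is fec0::/10 (RFC 2373), so the removed line never matched site-local destinations and the comment above it now describes what the rule actually does. Minor: "comatible" in the RFC1933 comment should read "compatible".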