Re: IPFILTER IPv6 support non-functional?
From: itojun@iijlab.net
Date: 03/01/01
To: Darren Reed <darrenr@reed.wattle.id.au>
From: itojun@iijlab.net
Date: Thu, 01 Mar 2001 18:06:06 +0900

>But at the same time they WILL NOT MATCH "pass tcp packets" either.
>
>Generally, the policy should be "block everything, permit what you want"
>and in that case you would end up dropping things with IPPROTO_ROUTING,
>etc. Even a basic ruleset like:
>
>block in all
>block out all
>pass out proto tcp/udp all
>pass in proto tcp/udp all
>
>will block all the IPv6 packets with routing headers, etc.

but then what if you would like to permit packets with extension
headers? or like only certain combinations?
most of the existing packet filter languages have the same issue, btw.

itojun
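
Permitting "only certain combinations" of extension headers, as asked in the message above, means walking the IPv6 Next Header chain to the upper-layer protocol while recording which extension headers were crossed. The C code below is an added example, not IPFilter code or rule syntax and not written by either poster; the function names, the bitmask policy and the sample packets are assumptions constructed for it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 Next Header values, and bits recording which headers the walk saw. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43, NH_DSTOPTS = 60 };
enum { SEEN_HOPOPTS = 1, SEEN_ROUTING = 2, SEEN_DSTOPTS = 4 };

/* Constructed samples: a bare IPv6 header, and one followed by an 8-byte
 * routing header whose Next Header is TCP (upper-layer bytes omitted). */
static const uint8_t PKT_TCP[40] = { [0] = 0x60, [6] = NH_TCP, [7] = 64 };
static const uint8_t PKT_RH_TCP[48] = { [0] = 0x60, [5] = 8, [6] = NH_ROUTING,
                                        [7] = 64, [40] = NH_TCP };

/* Returns the first Next Header that is not hop-by-hop, routing or dest
 * options (Fragment, AH, ESP are not walked), or -1 if malformed/truncated. */
int walk_ext_headers(const uint8_t *pkt, size_t len, unsigned *seen)
{
    size_t off = 40;                        /* fixed IPv6 header length */
    *seen = 0;
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    for (uint8_t nh = pkt[6];;) {
        unsigned bit = nh == NH_HOPOPTS ? SEEN_HOPOPTS
                     : nh == NH_ROUTING ? SEEN_ROUTING
                     : nh == NH_DSTOPTS ? SEEN_DSTOPTS : 0;
        if (!bit) return nh;                /* reached the upper layer */
        if (len - off < 2) return -1;
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* Hdr Ext Len units */
        if (len - off < hlen) return -1;
        *seen |= bit;
        nh = pkt[off];                      /* this header's Next Header */
        off += hlen;
    }
}

/* Hypothetical policy: TCP/UDP passes only if every header seen is allowed. */
int policy_pass(const uint8_t *pkt, size_t len, unsigned allowed)
{
    unsigned seen;
    int proto = walk_ext_headers(pkt, len, &seen);
    return (proto == NH_TCP || proto == NH_UDP) && (seen & ~allowed) == 0;
}

int main(void)
{
    printf("%d %d %d\n", policy_pass(PKT_TCP, 40, 0),
           policy_pass(PKT_RH_TCP, 48, 0), policy_pass(PKT_RH_TCP, 48, SEEN_ROUTING));
    return 0;
}
```

With an empty allowed mask the routing-header packet is dropped, matching the default-deny behaviour described in the quoted text; setting `SEEN_ROUTING` in the mask admits that one combination and nothing else.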