Re: npf bug(?)

To: current-users%netbsd.org@localhost
Subject: Re: npf bug(?)
From: christos%astron.com@localhost (Christos Zoulas)
Date: Fri, 31 Mar 2017 15:59:15 +0000 (UTC)

In article <Pine.NEB.4.64.1703310723590.22851%6bone.informatik.uni-leipzig.de@localhost>,
 <6bone%6bone.informatik.uni-leipzig.de@localhost> wrote:
>On Thu, 30 Mar 2017, Christos Zoulas wrote:
>
>> All the statistics are incremented in npf_reassembly. This means that they
>> must be ipv4 packets... Don't you have any v4 traffic?
>>
>> christos
>>
>Hello,
>
>the router has only one IPv4 address for management, DNS and 6to4. It 
>routes only IPv6 packets.
>
>npf has only IPv6 rules. Except for the default rule:
>
>group default {
>         pass final all;
>}
>
>So it can really be IPv4 traffic. Can I disable the verification of the 
>fragmentation of IPv4 packets? I want to be sure that no 6to4 IPv4 packets 
>are discarded.

I would add some rules to block the ipv4 traffic, except when it comes from
your 'known hosts' to your 'known interfaces and ports'.

christos

Follow-Ups:
- Re: npf bug(?)
  - From: 6bone

References:
- npf bug(?)
  - From: 6bone
- Re: npf bug(?)
  - From: 6bone
- Re: npf bug(?)
  - From: Christos Zoulas
- Re: npf bug(?)
  - From: 6bone

Prev by Date: current danger?
Next by Date: Re: current danger?
Previous by Thread: Re: npf bug(?)
Next by Thread: Re: npf bug(?)
Indexes:

Home | Main Index | Thread Index | Old Index