NetBSD-Users archive


Re: blocklistd.conf blocking an ipv6 /48 subnet



Brook Milligan <brook%biology.nmsu.edu@localhost> writes:

> I understand that the blocklistd.conf syntax for blocking an ipv4 subnet is the following:
>
>      [remote]
>      * stream tcp * =/24 = =
>
> Presumably, there is something similar for blocking an ipv6 subnet.  I
> have tried replacing the address (field 1) with [*] and the name
> (field 5) with =/48, but that seems to block ipv4 subnets with a mask
> of /48.
>
> What is the syntax for blocking a ipv6 /48 subnet?

I am looking at the NetBSD 9 man pages and example, reproduced below:

[remote]
0.0.0.0/0	stream	tcp	*		=/24	=	=
#[0::0]/0	stream	tcp	*		=/64	=	=

I think you need to have a :: to cause the parser to treat the first
field as a v6 literal.

With 9 (blacklistd), not having a remote entry for v6 leads to a /128
being blocked.  (In my experience this is super rare.)

I can see why you want to block a /48, but would be interested if you
are willing to share the details of the kind of bad behavior you
experience, and if there is a pattern of blocking /64 and then later
having a failure from a later /64 within the same /48.
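One way to catch the mismatch discussed above, added here as an example and not code from this thread or from blocklistd itself: a Python checker that reads a [remote] section in the seven-column layout of the example and flags a =/N mask wider than the location's address family allows. The column names, and the rule that only a bracketed literal is treated as IPv6, are assumptions drawn from the example lines; the input section is constructed.

```python
import ipaddress
import re

# Constructed blocklistd.conf [remote] section (not from any real system):
# the two lines quoted from the NetBSD 9 example, an IPv6 /48 entry, and the
# kind of entry described in the question (a /48 mask with no IPv6 literal).
REMOTE_SECTION = """\
[remote]
0.0.0.0/0   stream  tcp  *   =/24  =  =
#[0::0]/0   stream  tcp  *   =/64  =  =
[::]/0      stream  tcp  *   =/48  =  =
*           stream  tcp  *   =/48  =  =
"""

# Column names assumed from the seven whitespace-separated fields above.
FIELDS = ("location", "type", "proto", "owner", "name", "nfail", "disable")


def location_family(location):
    """Return 4 or 6 for a numeric location, None for '*' (either family).
    Assumption: a bracketed [addr] or [addr]/mask is an IPv6 literal, a bare
    a.b.c.d or a.b.c.d/mask is IPv4; anything else raises ValueError."""
    addr = location.split("/", 1)[0]
    if addr == "*":
        return None
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return ipaddress.ip_address(addr).version


def check_remote_section(text):
    """Return (location, name, problem) per active entry; problem is None
    when the =/N mask in the name field fits the location's family."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or re.fullmatch(r"\[(local|remote)\]", line):
            continue  # blank, commented-out entry, or section header
        entry = dict(zip(FIELDS, line.split()))
        family = location_family(entry["location"])
        problem = None
        if entry["name"].startswith("=/"):
            mask = int(entry["name"][2:])
            if family == 4 and mask > 32:
                problem = f"/{mask} exceeds the 32-bit IPv4 length"
            elif family == 6 and mask > 128:
                problem = f"/{mask} exceeds the 128-bit IPv6 length"
            elif family is None and mask > 32:
                problem = f"/{mask} needs an IPv6 literal location such as [::]/0"
        results.append((entry["location"], entry["name"], problem))
    return results
```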



