NetBSD-Users archive
Re: blocklistd.conf blocking an ipv6 /48 subnet
> On Dec 30, 2025, at 09:45, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> I am looking at the NetBSD 9 man pages and example, reproduced below
I’m confused; where did you find those man pages? I’m seeing no such information in the cvs tree (https://cvsweb.netbsd.org/bsdweb.cgi/src/external/bsd/blocklist/bin/), the published man pages, or anywhere else. Hence my question.
> [remote]
> 0.0.0.0/0 stream tcp * =/24 = =
> #[0::0]/0 stream tcp * =/64 = =
This clears things up a lot. Unless I missed something, perhaps this should be added to the cvs tree.
> With 9 (blacklistd), not having a remote entry for v6 leads to a /128
> being blocked. (In my experience this is super rare.)
OK, so there may be no need for an extra ipv6 block, I suppose.
> I can see why you want to block a /48, but would be interested if you
> are willing to share the details of the kind of bad behavior you
> experience, and if there is a pattern of blocking /64 and then later
> having a failure from a later /64 within the same /48.
I have no problems with ipv6 addresses, but wanted to block them as I do ipv4. I figured the same approach (blocking subnets) would be prudent, but perhaps that is not necessary in practice.
Thanks for your help.
Cheers,
Brook
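
An added example, not part of the original messages: one way to answer the question raised in the thread, whether offenders blocked at /64 later reappear from another /64 in the same /48, is to group failed-login source addresses by both prefix lengths. The sample addresses (from the 2001:db8::/32 documentation prefix), the timestamps and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (timestamp, source address) of failed logins, using
# the 2001:db8::/32 documentation prefix. Not taken from any real log.
SAMPLE_FAILURES = [
    (100, "2001:db8:aa:1::10"),
    (160, "2001:db8:aa:1::11"),
    (400, "2001:db8:aa:2::5"),
    (900, "2001:db8:aa:7f::1"),
    (950, "2001:db8:bb:1::1"),
    (990, "2001:db8:bb:1::2"),
]

def covering(addr, prefixlen):
    """Return the network of the given prefix length that contains addr."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def rules_needed(failures, prefixlen):
    """Count distinct block rules if every offender is masked to prefixlen."""
    return len({covering(addr, prefixlen) for _, addr in failures})

def hopping_sites(failures, inner=64, outer=48):
    """Map each /outer network to its /inner subnets in order of first
    failure, keeping only networks that failed from more than one /inner."""
    seen = defaultdict(list)
    for _, addr in sorted(failures):
        sub = covering(addr, inner)
        site = covering(addr, outer)
        if sub not in seen[site]:
            seen[site].append(sub)
    return {site: subs for site, subs in seen.items() if len(subs) > 1}

if __name__ == "__main__":
    # Compare how many rules each mask produces: the unmasked /128 case
    # mentioned in the thread, the /64 from the example, and the /48.
    for plen in (128, 64, 48):
        print(f"/{plen}: {rules_needed(SAMPLE_FAILURES, plen)} rules")
    for site, subs in hopping_sites(SAMPLE_FAILURES).items():
        print(f"{site} failed from {len(subs)} different /64s:")
        for sub in subs:
            print(f"  {sub}")
```

If `hopping_sites` comes back empty for real log data, a /64 mask already covers the observed behavior and a /48 would only widen the block.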