tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: frag6: better limitation

Le 31/01/2018 à 12:38, David Brownlee a écrit :
On 31 January 2018 at 08:46, Manuel Bouyer <> wrote:
On Wed, Jan 31, 2018 at 08:17:36AM +0100, Maxime Villard wrote:

My patch is useful only if you restrict addresses in the first place. In that
case there is only a limited number of craftable src addresses. Typically:

       wm0 [public side]: allow 10 IPv6 addresses
       wm1 [local side]:  allow everything

This seems to be a very specific and rare use case ...

Would a combination of global and a per interface limit handle most of
the cases without increased DoS risk?

Yes, probably. In fact, it would be a lot better if it was done in the
firewall directly.

Home | Main Index | Thread Index | Old Index