/etc/rc.firewall SIMPLE sets a couple of IPv6 rules, # Disallow packets to malicious IPv4 compatible prefix. deny all from ::224.0.0.0/100 to any via ${oif6} deny all from any to ::224.0.0.0/100 via ${oif6} deny all from ::127.0.0.0/104 to any via ${oif6} deny all from any to ::127.0.0.0/104 via ${oif6} deny all from ::0.0.0.0/104 to any via ${oif6} deny all from any to ::0.0.0.0/104 via ${oif6} deny all from ::255.0.0.0/104 to any via ${oif6} deny all from any to ::255.0.0.0/104 via ${oif6} deny all from ::0.0.0.0/96 to any via ${oif6} deny all from any to ::0.0.0.0/96 via ${oif6} and a search showed these came from the pages of IPv6 Network Administration: Teaching the Turtle to Dance. But isn't the second section denying ::0.0.0.0/96 redundant to the first section, since all the specific IPv4 compatible addresses are subnets of ::/96? It seems from the book that you would deny ::0.0.0.0/96 if you do not plan to use any compatible addresses, or the others if you were planning to use compatible addresses. Not both at the same time as the simple configuration adds.