Bug 216942 - rc.firewall simple rule ::/96 redundant?
Summary: rc.firewall simple rule ::/96 redundant?
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: conf (show other bugs)
Version: 11.0-RELEASE
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-rc (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-09 17:11 UTC by Jason Mader
Modified: 2017-02-09 17:16 UTC (History)
CC: 0 users

See Also:


Attachments

Description Jason Mader 2017-02-09 17:11:25 UTC
/etc/rc.firewall SIMPLE sets a couple of IPv6 rules,

 # Disallow packets to malicious IPv4 compatible prefix.
 deny all from ::224.0.0.0/100 to any via ${oif6}
 deny all from any to ::224.0.0.0/100 via ${oif6}
 deny all from ::127.0.0.0/104 to any via ${oif6}
 deny all from any to ::127.0.0.0/104 via ${oif6}
 deny all from ::0.0.0.0/104 to any via ${oif6}
 deny all from any to ::0.0.0.0/104 via ${oif6}
 deny all from ::255.0.0.0/104 to any via ${oif6}
 deny all from any to ::255.0.0.0/104 via ${oif6}

 deny all from ::0.0.0.0/96 to any via ${oif6}
 deny all from any to ::0.0.0.0/96 via ${oif6}

and a search showed these came from the pages of IPv6 Network Administration: Teaching the Turtle to Dance. But isn't the second section denying ::0.0.0.0/96 redundant to the first section, since all the specific IPv4 compatible addresses are subnets of ::/96?

It seems from the book that you would deny ::0.0.0.0/96 if you do not plan to use any compatible addresses, or the others if you were planning to use compatible addresses. Not both at the same time, as the simple configuration adds.
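As an added example (not part of the bug report and not code from FreeBSD's rc.firewall), the containment question can be checked mechanically with Python's standard ipaddress module. The prefix list below is copied from the quoted rules; the `via ${oif6}` interface qualifier is ignored, and `first_matching_rule` is a constructed simulation of ipfw's first-match ordering (specific rules before the ::/96 rule), not a call into ipfw. The numbers show that every specific prefix lies inside ::/96, that the specific prefixes together cover only about 7% of ::/96, and that the two sections combined deny exactly what the ::/96 rules deny on their own.

```python
import ipaddress

# Prefixes from the IPv6 "IPv4 compatible" deny rules in rc.firewall SIMPLE.
SPECIFIC_PREFIXES = [
    "::224.0.0.0/100",   # ::224.0.0.0 - ::239.255.255.255 (multicast range)
    "::127.0.0.0/104",   # loopback range
    "::0.0.0.0/104",     # "this network" range
    "::255.0.0.0/104",   # broadcast range
]
# The catch-all rule that follows them in the same rule set.
CATCH_ALL = "::0.0.0.0/96"


def specific_networks():
    # strict=True (default) raises if host bits are set, which also proves
    # each quoted prefix is a valid network address, not a host address.
    return [ipaddress.IPv6Network(p) for p in SPECIFIC_PREFIXES]


def catch_all_network():
    return ipaddress.IPv6Network(CATCH_ALL)


def all_specific_inside_catch_all():
    """True if every specific prefix is a subnet of ::/96."""
    c = catch_all_network()
    return all(n.subnet_of(c) for n in specific_networks())


def specific_are_disjoint():
    """True if no two specific prefixes overlap (so their sizes can be summed)."""
    nets = specific_networks()
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def addresses_covered_by_specific_rules():
    """Number of addresses matched by the four specific prefixes combined."""
    return sum(n.num_addresses for n in specific_networks())


def addresses_only_catch_all_denies():
    """Addresses in ::/96 that no specific rule matches; only ::/96 denies them."""
    return catch_all_network().num_addresses - addresses_covered_by_specific_rules()


def first_matching_rule(addr):
    """Constructed first-match simulation: which deny rule would fire first?

    Returns the matching prefix string, or None if neither section matches
    (i.e. the packet is not an IPv4-compatible address at all).
    """
    a = ipaddress.IPv6Address(addr)
    for prefix, net in zip(SPECIFIC_PREFIXES, specific_networks()):
        if a in net:
            return prefix
    if a in catch_all_network():
        return CATCH_ALL
    return None


if __name__ == "__main__":
    print("specific prefixes inside ::/96:", all_specific_inside_catch_all())
    print("specific prefixes disjoint:", specific_are_disjoint())
    covered = addresses_covered_by_specific_rules()
    total = catch_all_network().num_addresses
    print(f"specific rules cover {covered} of {total} addresses "
          f"({100.0 * covered / total:.1f}% of ::/96)")
    print("addresses only ::/96 denies:", addresses_only_catch_all_denies())
    for sample in ("::239.255.255.255", "::127.0.0.1", "::10.0.0.1", "2001:db8::1"):
        print(f"{sample:>20} -> {first_matching_rule(sample)}")
```

Because ipfw stops at the first matching deny, a packet such as ::10.0.0.1 (an IPv4-compatible address outside all four specific ranges) is never touched by the first section and is dropped only by the ::/96 rule, while anything the first section drops would also have been dropped by the ::/96 rule alone. If you intend to keep both sections, the ::/96 rules are the ones doing the extra work; if you intend to carry IPv4-compatible traffic, as the book describes, the ::/96 rules must go.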