On 04/07/17 18:00, I love OpenBSD wrote:
> I second the request for more IPv6-related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a
> CIDR into the named table based on offending IPv6 address and 64-bit mask? I
> mean something similar to the 'overload <table>' option.
Tables can hold both inet and inet6 items, and you can add them as single addresses or with masks:

[Fri Apr 07 18:31:40] peter@skapet:~$ doas pfctl -t myself -T show
127.0.0.1
192.168.103.1
213.187.179.198
::1
2001:470:27:658::2
2001:470:28:658::1
2001:470:df85:dead:beef::1
fe80::1
fe80::7210:6fff:fe3e:dfd4
fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:31:59] peter@skapet:~$ doas pfctl -t myself -T add 2001:470:df85:dead:beef::1/64
1/1 addresses added.
[Fri Apr 07 18:32:08] peter@skapet:~$ doas pfctl -t myself -T show
127.0.0.1
192.168.103.1
213.187.179.198
::1
2001:470:27:658::2
2001:470:28:658::1
2001:470:df85:dead::/64
2001:470:df85:dead:beef::1
fe80::1
fe80::7210:6fff:fe3e:dfd4
fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:32:13] peter@skapet:~$

overload rules would work similarly. If you need to differentiate between address families, you use inet and inet6 respectively in the criteria.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
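Putting the reply's two points together in one pf.conf fragment, as an added example that is not part of the message above: a single table fed by separate inet and inet6 overload rules, with masked entries (such as a whole /64) added by hand the way the pfctl session shows. The table name, the egress interface group, the ssh port and the rate thresholds are assumptions; the 2001:db8::/32 address is a constructed documentation-prefix value.

```pf
# Added example (not from the original message). Table name, interface
# and thresholds are assumptions; adjust for the service being protected.
table <bruteforce> persist

# overload inserts the offending source address itself. To cover a whole
# /64 instead, add a masked entry by hand, as in the pfctl session above:
#   doas pfctl -t bruteforce -T add 2001:db8:dead:beef::1/64
# (pf stores it as 2001:db8:dead:beef::/64; 2001:db8::/32 is a constructed
# documentation-prefix value.)

# Block anything already in the table, v4 or v6, before the pass rules.
block in quick on egress from <bruteforce>

# One rule per address family, so inet and inet6 thresholds can differ.
pass in on egress inet proto tcp to port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in on egress inet6 proto tcp to port ssh \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Review the table with `pfctl -t bruteforce -T show` and clear stale entries with `pfctl -t bruteforce -T expire <seconds>`, since `persist` keeps the table across rule reloads.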