What kind of anger and rudeness is that?

We're all (at least those who ask questions) learning here. @misc is for
that, right?

And I think you should learn, too. You must.

You said it's -no way- related to PF. Yet, it was PF in the end.

Anyway, stop blindly insulting people here.



Zack Newman <z...@philomathiclife.com> wrote on Sat, 8 Jul 2023 at 20:02:

> I am only replying to this in the interest of closure since I am
> already part of this thread, but disclaimer: here is some tough love.
>
> You need to stop being lazy and actually understand your network
> topology, the security/privacy real or contrived -- I see you adhere to
> the whole security by obscurity nonsense with the masking of the last
> 2 octets of that IPv4 address -- and pf. Besides your first attempt at
> "magically" fixing your problem which was doomed to fail for the
> reasons I gave, you are now asking for people to guess what rules you
> need.
>
> Do you "really need to block 'martians'"? Seriously? Ignoring the
> philosophical trap of what you mean by "need", do you even know what a
> "martian" is; and if not, then why are you blindly blocking them? If you
> don't know what you are doing, then just don't do it. I don't even know
> what a "martian" is other than an alien thing from outer space. In the
> interest of providing a modicum of constructive criticism as opposed to
> just criticism, here you go:
>
> https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
> .
>
> https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
> Not sure if that is what "martians" refer to, but your "martians"
> appear to be a proper subset of what is listed there or at least close.
> With that information, seek out what those blocks mean and decide based
> on your topology and security/privacy needs if you should block
> them.
>
> Should I block 192.168.3.2 on my laptop? What about
> ingress traffic from 2343:24ad:afde:8224::23 destined to UDP port 764
> on my VPS? Those are obviously rhetorical questions as only I know (or
> at least _should_ know) what my network topology is like, what
> services I run, to whom I want to serve, etc.
>
> You clearly blindly copied and pasted some rules you found without
> knowing what they do or why you are doing it as evidenced by the rather
> embarrassing blocking of your DHCP server. If you are going to be lazy
> and just want stuff to magically work, then disable pf. Bam. Don't need
> to worry about anything. If you plan to block stuff though, then
> actually learn about what you are blocking and why.
>
> Here is a tiny olive branch: I would allow all egress traffic from your
> VPS since that is within _my_ wheel of trust. If my VPS is trying to
> talk to an IP, then either it is already compromised or at least running
> software it shouldn't at which point I have bigger problems; or it
> needs to. Does that "magical" rule apply to you? I don't know, and it
> sounds like you don't either. Even if it does, you will still need to
> decide if you want to allow other IPs to send traffic; but that requires
> you to learn more about your topology, pf, and security/privacy needs.
>
>
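
The quoted advice, to check a copied "martians" list against your own topology before blocking it, can be done mechanically. The following is an added example, not part of the thread or the rules discussed in it: the block list and the peer addresses are constructed samples, and `find_conflicts` and `entries_to_review` are hypothetical helper names.

```python
import ipaddress

# Constructed sample of a commonly copied "martians" list; every prefix is a
# special-purpose block, but this is NOT the rule set from the thread.
MARTIANS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
    "fc00::/7", "fe80::/10",
]

# Constructed sample of peers this host must keep talking to (assumption:
# a VPS whose provider hands out leases from private address space).
REQUIRED_PEERS = {
    "dhcp_server": "10.0.2.1",
    "dns_resolver": "9.9.9.9",
    "ipv6_gateway": "fe80::1",
}

def find_conflicts(block_list, required_peers):
    """Map each required peer to the block-list prefixes that would cover it."""
    # strict=True rejects prefixes with host bits set (a frequent copy/paste typo).
    nets = [ipaddress.ip_network(n, strict=True) for n in block_list]
    conflicts = {}
    for name, addr in required_peers.items():
        ip = ipaddress.ip_address(addr)
        hits = [str(n) for n in nets if n.version == ip.version and ip in n]
        if hits:
            conflicts[name] = hits
    return conflicts

def entries_to_review(block_list, required_peers):
    """Sorted, de-duplicated prefixes that need a decision before being blocked."""
    found = find_conflicts(block_list, required_peers)
    return sorted({net for hits in found.values() for net in hits})

if __name__ == "__main__":
    for peer, hits in find_conflicts(MARTIANS, REQUIRED_PEERS).items():
        print(f"{peer} ({REQUIRED_PEERS[peer]}) would be blocked by {', '.join(hits)}")
```
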
