Brook Milligan <[email protected]> writes:

> I understand that the blocklistd.conf syntax for blocking an ipv4 subnet is
> the following:
>
> [remote]
> * stream tcp * =/24 = =
>
> Presumably, there is something similar for blocking an ipv6 subnet. I
> have tried replacing the address (field 1) with [*] and the name
> (field 5) with =/48, but that seems to block ipv4 subnets with a mask
> of /48.
>
> What is the syntax for blocking an ipv6 /48 subnet?
I am looking at the NetBSD 9 man pages and example, reproduced below:

[remote]
0.0.0.0/0 stream tcp * =/24 = =
#[0::0]/0 stream tcp * =/64 = =

I think you need to have a :: to cause the parser to treat the first field as a v6 literal.

With 9 (blacklistd), not having a remote entry for v6 leads to a /128 being blocked. (In my experience this is super rare.)

I can see why you want to block a /48, but would be interested if you are willing to share the details of the kind of bad behavior you experience, and if there is a pattern of blocking /64 and then later having a failure from a later /64 within the same /48.
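As an added illustration (not from the thread and not blocklistd's own code), a small Python model of how a [remote] rule maps a failing peer to the network that gets blocked, assuming the field layout quoted above (a bracketed first field is the v6 literal, "=/N" in the name field widens the block to /N) and the single-host fallback the reply describes when no v6 entry exists; the rules and peer addresses are constructed.

```python
"""Constructed model of blocklistd [remote] rule matching (illustration only).

Rule fields: address[/mask] type proto owner name nfail disable
A name field of "=/N" keeps the service name but blocks the peer's /N.
A peer that matches no remote rule is blocked as a single host (/32 or /128),
which is the NetBSD 9 behaviour described in the reply for v6 without a rule.
"""
import ipaddress

# Constructed rules mirroring the man-page example quoted in the thread,
# with the v6 entry widened to the /48 the question asks about.
REMOTE_RULES = [
    "0.0.0.0/0 stream tcp * =/24 = =",
    "[0::0]/0 stream tcp * =/48 = =",
]


def parse_remote_rule(line):
    """Return (matching network, block prefix length or None) for one rule."""
    fields = line.split()
    addr, name = fields[0], fields[4]
    # A bracketed first field is the v6 literal form; drop the brackets.
    if addr.startswith("["):
        addr = addr.replace("[", "").replace("]", "")
    net = ipaddress.ip_network(addr, strict=False)
    prefix = int(name.split("/", 1)[1]) if name.startswith("=/") else None
    return net, prefix


def blocked_network(peer, rules=REMOTE_RULES):
    """Network that would be blocked for peer under the first matching rule."""
    ip = ipaddress.ip_address(peer)
    for line in rules:
        net, prefix = parse_remote_rule(line)
        # Address families never match each other: a v4 rule cannot widen a v6 block.
        if ip.version == net.version and ip in net:
            width = prefix if prefix is not None else ip.max_prefixlen
            return ipaddress.ip_network(f"{ip}/{width}", strict=False)
    # No remote rule for this family: fall back to a single host (/32 or /128).
    return ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")
```

Running `blocked_network` on a v6 peer with only the v4 rule present reproduces the /128 block the reply mentions; with the bracketed v6 rule in place the same peer yields its /48.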
