On 2014/04/29 23:12, Stuart Henderson wrote:
> On 2014/04/29 22:25, Paul de Weerd wrote:
> > Disabling IPv6 should not be necessary: it shouldn't be enabled by
> > default, even link-local addresses.
>
> If doing this, then we need a way to enable link-local, like the opposite
> of "ifconfig $if -inet6". Current process to re-enable just the link-local
> is to configure some other v6 address and delete it again, which is
> acceptable when the option to remove the link-local is just used by people
> who explicitly don't want v6 at all, but is a bit too ugly if it's
> something that people need to use just to enable v6.
>
> I also wonder about blocking all-nodes mcast in the sample pf.conf...
> (personally there are places I find them very useful but I think this is
> a saner default - it's always fun doing a node-name query on conference
> wifi/etc).
>
> Index: pf.conf
> ===================================================================
> RCS file: /cvs/src/etc/pf.conf,v
> retrieving revision 1.53
> diff -u -p -r1.53 pf.conf
> --- pf.conf 25 Jan 2014 10:28:36 -0000 1.53
> +++ pf.conf 29 Apr 2014 21:35:03 -0000
> @@ -19,6 +19,8 @@ set skip on lo
> block return # block stateless traffic
> pass # establish keep-state
>
> +block in inet6 proto icmp6 to ff02::1 # block all-nodes multicast
> queries
> +
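Review bot: the added rule `block in inet6 proto icmp6 to ff02::1` is much broader than its comment says: it drops every inbound ICMPv6 packet addressed to the all-nodes group, not just queries, and router advertisements (type 134) and MLD general queries (type 130) are also sent to ff02::1, so a host running this default pf.conf would stop learning its default router and prefixes. Restrict it to the query types the comment is actually about, for example `block in inet6 proto icmp6 to ff02::1 icmp6-type { 128, 139 }` (echo request and node information query). Separately, as quoted the comment wraps so that `queries` lands alone on the next line; if that is how the line is committed rather than mail wrapping, pfctl will reject the file with a syntax error.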
doh. this is not quite targeted enough ;) maybe drop types 128 and 139 - any others?
