On 04/07/17 18:00, I love OpenBSD wrote:
> I second to more IPv6 related information.
> I am curious about blocking port scanning in IPv6 Web. Does pf let me put a 
> CIDR into the named table based on offending IPv6 address and 64-bit mask? I 
> mean something similar to 'overload <table>' option.

Tables can hold both inet and inet6 items, and you can add them as
single addresses or with masks:

[Fri Apr 07 18:31:40] peter@skapet:~$ doas pfctl -t myself -T show
   127.0.0.1
   192.168.103.1
   213.187.179.198
   ::1
   2001:470:27:658::2
   2001:470:28:658::1
   2001:470:df85:dead:beef::1
   fe80::1
   fe80::7210:6fff:fe3e:dfd4
   fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:31:59] peter@skapet:~$ doas pfctl -t myself -T add 2001:470:df85:dead:beef::1/64
1/1 addresses added.
[Fri Apr 07 18:32:08] peter@skapet:~$ doas pfctl -t myself -T show
   127.0.0.1
   192.168.103.1
   213.187.179.198
   ::1
   2001:470:27:658::2
   2001:470:28:658::1
   2001:470:df85:dead::/64
   2001:470:df85:dead:beef::1
   fe80::1
   fe80::7210:6fff:fe3e:dfd4
   fe80::7210:6fff:fe3e:dfd5
[Fri Apr 07 18:32:13] peter@skapet:~$

overload rules would work similarly.

If you need to differentiate between address families, you use inet and
inet6 respectively in the criteria.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
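Editor's added example, not code from this thread or from OpenBSD: the overload option adds the offending source address itself to the table, and the pfctl session above shows that handing pfctl a /64 stores the masked network. The script below bridges the two: it reads the output of pfctl -t <table> -T show, leaves inet entries alone, collapses every inet6 host entry to the /64 it belongs to, and emits the pfctl add/delete commands. The table name bruteforce, the /64 width and the sample table contents (documentation prefixes) are assumptions for the example.

```python
"""Collapse the IPv6 entries of a pf table into /64 networks.

Added example, not from the original thread. Assumes a table named
<bruteforce> that an overload rule fills with single offending addresses.
Run without arguments to see the commands for the constructed sample,
`pfctl -t bruteforce -T show | python3 collapse64.py -` to use the live
table, and add --apply to execute the commands through doas.
"""
import ipaddress
import subprocess
import sys

TABLE = "bruteforce"   # assumed table name
V6_PREFIX = 64         # width applied to inet6 host entries

# Constructed sample of `pfctl -t bruteforce -T show` output (RFC 5737 /
# RFC 3849 documentation addresses, not real offenders).
SAMPLE_SHOW = """\
   192.0.2.10
   198.51.100.7
   2001:db8:1:2::1
   2001:db8:1:2:dead:beef::1
   2001:db8:1:3::/64
   2001:db8:1:4::cafe
"""


def parse_table(text):
    """Turn `pfctl -T show` lines into ip_network objects (hosts become /32 or /128)."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse_v6(nets, prefix=V6_PREFIX):
    """Split entries into (keep, add).

    inet entries and inet6 entries already at or wider than `prefix` are
    kept as they are; inet6 host entries are widened to `prefix` and
    deduplicated, mirroring what pfctl does when given an address with /64.
    """
    keep, add, seen = [], [], set()
    for n in nets:
        if n.version == 4 or n.prefixlen <= prefix:
            keep.append(n)
            continue
        wide = ipaddress.ip_network((n.network_address, prefix), strict=False)
        if wide not in seen:
            seen.add(wide)
            add.append(wide)
    return keep, add


def pfctl_commands(nets, table=TABLE, prefix=V6_PREFIX):
    """Build the pfctl invocations: add each /64, then drop the hosts it now covers."""
    _, add = collapse_v6(nets, prefix)
    cmds = [["pfctl", "-t", table, "-T", "add", str(w)] for w in add]
    for n in nets:
        if n.version == 6 and n.prefixlen > prefix:
            cmds.append(["pfctl", "-t", table, "-T", "delete", str(n.network_address)])
    return cmds


def main(argv):
    text = sys.stdin.read() if "-" in argv else SAMPLE_SHOW
    for cmd in pfctl_commands(parse_table(text)):
        if "--apply" in argv:
            # Table changes need root; doas as used in the session above.
            subprocess.run(["doas"] + cmd, check=True)
        else:
            print(" ".join(cmd))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Feed it from a rule such as `pass in on egress inet6 proto tcp to port ssh keep state (max-src-conn-rate 5/3, overload <bruteforce> flush global)` and a cron job, and the /64 entries it adds can be aged out with `pfctl -t bruteforce -T expire <seconds>` like any other table entry.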