> And while on the topic; perhaps for IPv6/shorewall6 there can be a
> NULL_ROUTE_RFC4193 and NULL_ROUTE_RFC3849 that would null-route
> respectively the fc00::/7 range which is reserved for Unique Local IPv6
> Unicast Addresses, and the 2001:DB8::/32 range which is reserved for
> documentation.

Another range (yes, sorry, hehe) one might want to block is from the
deprecated 6bone ranges defined in RFC 3701 which actually describes two
blocks that are no longer operational:
5F00::/8  (TEST_OLD)
3FFE::/16 (TEST_NEW)

One might think that it's overkill to block these since they are no
longer used. In my opinion it's better to filter out these ranges on the
local end than relying on the remote end. Consider the following
document for instance:

http://www.sixxs.net/archive/docs/IEPG2013_ULA_in_the_wild.pdf

And a synopsis:
http://www.sixxs.net/news/2013/#ulainthewild-0728

Quote:

Geoff Huston presented at the IEPG meeting his findings of ULA in the
Wild. He found amongst others that there is a large amount of networks
apparently using fd00::/48. [...] As a responsible network administrator
one does conform to BCP-38 which solves a number of potential attacks
against your network and prevents this kind of leak.

Mark
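As an added example (not from Mark's message and not Shorewall's own code), the script below checks source addresses from constructed log lines against the four ranges named in this thread and prints the equivalent iproute2 blackhole routes; the log format and addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Prefixes named in the thread, each with the RFC that reserves or deprecates it.
BOGON_V6 = {
    "fc00::/7": "Unique Local Addresses (RFC 4193)",
    "2001:db8::/32": "documentation prefix (RFC 3849)",
    "5f00::/8": "6bone TEST_OLD, deprecated (RFC 3701)",
    "3ffe::/16": "6bone TEST_NEW, deprecated (RFC 3701)",
}
NETWORKS = {ipaddress.ip_network(p): why for p, why in BOGON_V6.items()}

def classify(addr: str):
    """Return (prefix, reason) for the first matching range, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    for net, why in NETWORKS.items():
        if ip in net:
            return str(net), why
    return None

def null_route_commands():
    """Manual iproute2 equivalent of a NULL_ROUTE_* option for each prefix."""
    return [f"ip -6 route add blackhole {p}" for p in BOGON_V6]

# Constructed sample log lines (not real traffic): "<time> SRC=<addr> DPT=<port>"
SAMPLE_LOG = """\
12:00:01 SRC=fd00:0:0:1::10 DPT=443
12:00:02 SRC=2a00:1450:4001:81b::200e DPT=443
12:00:03 SRC=3ffe:1200::1 DPT=22
12:00:04 SRC=5f00:abcd::1 DPT=22
12:00:05 SRC=2001:db8:ffff::7 DPT=80
"""
SRC_RE = re.compile(r"SRC=([0-9a-fA-F:]+)")

def leaks_by_range(log_text: str) -> Counter:
    """Count log lines whose source falls in one of the listed ranges."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        result = classify(m.group(1))
        if result:
            hits[result[0]] += 1
    return hits

if __name__ == "__main__":
    for prefix, n in leaks_by_range(SAMPLE_LOG).items():
        print(f"{n} packet(s) from {prefix}: {BOGON_V6[prefix]}")
    print("\n".join(null_route_commands()))
```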

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users