Hi again!

> On 13.05.2014 at 18:47, Christian Rohmann <[email protected]> wrote:
>
> Hello Nigel,
>
>> On 12.05.2014 16:11, Nigel Kukard wrote:
>> This is actually a very good point. We do need different CIDR's for both.
>>
>> Does anyone else have anything to add, or ideas on how you want it
>> implemented?
>
> This is a very good idea and absolutely necessary. Currently this can be
> done by using two greylisting policies. One with source "0.0.0.0/0"
> matching only IPv4 addresses and one with source "::/0" to match only
> IPv6 addresses. I am referring to how this worked on git commit 8b1b6fae
> from August 2011. I believe though that with a more current version the
> way IPv6 addresses are matched has changed a little.

I have made that work now as you said, but I feel this is a huge effort and should not be like that. A member element for a policy should already have fields for IPv6 addresses and IPv4 addresses separately. Building two policies, one for v4 and another one for v6, is much configuration effort, useless overhead and error-prone, because you don't only have to define that a source address should NOT be included in the "local ipv6 addresses" but also that it should actually be included in an additional "all ipv6 addresses, e.g. ::0/0" to match only incoming v6 traffic. In addition to that, maintaining two entries for greylisting just to set different bitmasks for the sender's addresses seems too much overhead to me.

> Please have a look at my post "[policyd-users] Why not release a 2.1?",
> http://lists.policyd.org/pipermail/users_lists.policyd.org/2011-October/003556.html,
> from 2011

I also believe that for software like this, designed to be used for infrastructure where IPv6 is nowadays more than common, proper and mature support for it should be a no-brainer. I was honestly already surprised that v1 was not able to handle v6, and even more that the current stable that is included in my Debian wheezy wasn't either.

In addition to the greylisting, the "access" part does not work yet either. I have set the allowed IPs to "0.0.0.0/0,::0/0" in the config file, and now adding an ACCESS entry that applies to the IPV6 Incoming traffic policy still blocks all traffic that comes from IPv6 IPs.

Cheers
Christian
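Added example, not part of the original message and not policyd code: a Python sketch of the two behaviours discussed in this thread, a source CIDR that matches only its own address family and a greylisting key built with a different mask per family. The /24 and /64 masks, the function names and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress

# Assumed per-family greylisting masks (illustrative, not policyd defaults).
GREYLIST_PREFIX = {4: 24, 6: 64}


def source_matches(client_ip, sources):
    """Return True if client_ip falls inside any CIDR listed in sources.

    A CIDR can only match addresses of its own family, so "0.0.0.0/0"
    covers every IPv4 client and no IPv6 client, and "::/0" the reverse.
    """
    addr = ipaddress.ip_address(client_ip)
    for cidr in sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def greylist_key(client_ip, prefixes=GREYLIST_PREFIX):
    """Collapse a client address to the network used as the greylisting key."""
    addr = ipaddress.ip_address(client_ip)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is keyed as the IPv4
    # address it carries, so one sender does not end up with two keys.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    net = ipaddress.ip_network(f"{addr}/{prefixes[addr.version]}", strict=False)
    return str(net)


if __name__ == "__main__":
    # Constructed sample clients from the documentation address ranges.
    for ip in ("192.0.2.77", "2001:db8:1:2:aaaa:bbbb:cccc:dddd", "::ffff:192.0.2.77"):
        print(ip,
              "v4-only policy:", source_matches(ip, ["0.0.0.0/0"]),
              "dual policy:", source_matches(ip, ["0.0.0.0/0", "::/0"]),
              "key:", greylist_key(ip))
```

With both families handled in one place, a single policy listing "0.0.0.0/0" and "::/0" as sources can apply the right mask to each client instead of needing one policy per family.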
