[ndbug] PF question - is it reasonable to block all IPv6 traffic

Philip Paeps philip at trouble.is
Sat Dec 24 00:19:15 PST 2016


On 2016-12-23 19:00:46 (+0530), Hrishikesh Murukkathampoondi 
<hrishim at gmail.com> wrote:
> A sample pf.conf file (from BSDnow I think) recommends blocking IPv6.

If anyone is recommending that in 2016 (almost 2017!) they should not
be taken seriously.  It's time to start thinking about turning off
legacy IP.  Turning off IPv6 is not a reasonable thing to do anymore.

> If my machine has an IPv4 address only is it reasonable to have pf
> block all traffic in and out?

You should inquire with your ISP about what is stopping them from
enabling IPv6 for you!  I realise IPv6 is *very* slow going in
India, but the more people who hassle their ISPs, the more chance
that things will start moving.  That's how things started moving
in other countries too.

> # Block all IPV6 traffic
> block in quick inet6 all
> block out quick inet6 all

You could just "block quick inet6 all" in a single line.  But see
above: you should get on the IPv6 internet.

> The machine is a Digital Ocean Droplet with a static IPv4 address

Digital Ocean supports IPv6.  Why don't you use it?

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information

