[ndbug] PF question - is it reasonable to block all IPv6 traffic
philip at trouble.is
Sat Dec 24 00:19:15 PST 2016
On 2016-12-23 19:00:46 (+0530), Hrishikesh Murukkathampoondi
<hrishim at gmail.com> wrote:
> A sample pf.conf file (from BSDnow I think) recommends blocking IPv6.
If anyone is recommending that in 2016 (almost 2017!) they should not
be taken seriously. It's time to start thinking about turning off
legacy IP. Turning off IPv6 is not a reasonable thing to do anymore.
> If my machine has an IPv4 address only is it reasonable have pf
> block all traffic in and out?
You should inquire with your ISP about what stopping them from
enabling IPv6 for you! I realise IPv6 is *very* slow going in
India, but the more people who hassle their ISPs, the more chance
that things will start moving. That's how things started moving
in other countries too.
> # Block all IPV6 traffic
> block in quick inet6 all
> block out quick inet6 all
You could just "block quick inet6 all" in a single line. But see
above: you should get on the IPv6 internet.
> The machine is a Digital Ocean Droplet with a static IPv4 address
Digital Ocean supports IPv6. Why don't you use it?
Senior Reality Engineer
Ministry of Information
More information about the talk