On Thu, Feb 10, 2011 at 02:07:34PM +0100, Harald Dunkel wrote:
| On 02/10/11 11:22, Paul de Weerd wrote:
| > What are you trying to achieve ? You mention your provider doesn't
| > support IPv6 yet but want to make sure neighbour solicitation works ?
| > Why do you want to support neighbour discovery when your ISP doesn't
| > do IPv6 ?
|
| Sorry, I should have provided more information about the setup.
| I've got 2 OpenBSD hosts building a fail-safe gateway. All internal
| and external interfaces are set up with carp. There are 2 external
| and 3+ internal networks. The IP providers on the external interfaces
| don't support IPv6 (yet). I would like to keep my options open on the
| internal subnets.

Then it sounds like you ought to filter only on the interfaces facing
the ISP, possibly removing link-local addresses from them too. Your
rule would probably look like 'block quick on egress inet6'.

| > If you don't use IPv6, 'block quick inet6' is quite appropriate
| > (especially if building a kernel without IPV6 is your alternative).
| > You may also want to block all tunneled traffic with 'block quick inet
| > proto ipv6' and disable link-local addresses on your interfaces with
| > `ifconfig ${INTERFACE} -inet6` (or add '-inet6' to your
| > /etc/hostname.if files).
|
| I missed this "-inet6" in ifconfig(8), and surely I would have
| forgotten to filter "proto ipv6" to the internet.

Note that this still leaves other tunneling possibilities open, of
course (ICMP / DNS / HTTP(S) / E-mail / ...), it's just the obvious
candidate. And if you *want* IPv6 while your ISP does not support it
yet, tunneling is often an appropriate workaround, in which case you
shouldn't be filtering (all of) it.

Cheers,

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
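The rules discussed in this thread, collected into one pf.conf fragment as an added example (this is not configuration posted by either participant). It assumes the "egress" interface group covers the two ISP-facing interfaces, i.e. that they carry the default routes, and it deliberately says nothing about the internal interfaces so IPv6 stays usable there:

```pf
# pf.conf fragment (added example, not from the thread).
# Goal: no IPv6 towards the ISPs, IPv6 left open on the internal subnets.

# Native IPv6 on the ISP-facing interfaces only. "egress" is the group
# of interfaces holding a default route; assumed here to be the two
# external CARP-backed interfaces. Internal interfaces are not matched.
block quick on egress inet6

# 6in4 tunnels are IPv4 packets carrying IP protocol 41 ("ipv6" in
# /etc/protocols). Blocking them on egress closes the obvious tunnel
# path; other tunnel carriers (DNS, HTTP(S), ICMP, ...) are not covered.
block quick on egress inet proto ipv6

# ... normal IPv4 rules for egress and IPv4/IPv6 rules for the
# internal interfaces follow here ...
```

To go with this, the external interfaces' /etc/hostname.if files would carry a `-inet6` line (the equivalent of `ifconfig ${INTERFACE} -inet6` from the thread) so they do not get link-local addresses at all; if a tunnel to an IPv6 broker is later set up, the `proto ipv6` rule has to be relaxed for that tunnel's endpoint, as the mail points out.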