version 1.146, 2015/07/18 00:03:34 |
version 1.147, 2015/07/18 00:37:23 |
|
|
;; |
;; |
esac |
esac |
eval "$cmd" |
eval "$cmd" |
done < /etc/hostname.$if |
done </etc/hostname.$if |
} |
} |
|
|
# Start multiple: |
# Start multiple: |
|
|
ip6kernel=YES |
ip6kernel=YES |
|
|
# Disallow link-local unicast dest without outgoing scope identifiers. |
# Disallow link-local unicast dest without outgoing scope identifiers. |
route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject > /dev/null |
route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject >/dev/null |
|
|
# Disallow site-local unicast dest without outgoing scope identifiers. |
# Disallow site-local unicast dest without outgoing scope identifiers. |
# If you configure site-locals without scope id (it is permissible |
# If you configure site-locals without scope id (it is permissible |
# config for routers that are not on scope boundary), you may want |
# config for routers that are not on scope boundary), you may want |
# to comment the line out. |
# to comment the line out. |
route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject > /dev/null |
route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject >/dev/null |
|
|
# Disallow "internal" addresses to appear on the wire. |
# Disallow "internal" addresses to appear on the wire. |
route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null |
route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject >/dev/null |
|
|
# Disallow packets to malicious IPv4 compatible prefix. |
# Disallow packets to malicious IPv4 compatible prefix. |
route -qn add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject > /dev/null |
route -qn add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject >/dev/null |
route -qn add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject > /dev/null |
route -qn add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject >/dev/null |
route -qn add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject > /dev/null |
route -qn add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject >/dev/null |
route -qn add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject > /dev/null |
route -qn add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject >/dev/null |
|
|
# Disallow packets to malicious 6to4 prefix. |
# Disallow packets to malicious 6to4 prefix. |
route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject > /dev/null |
route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject >/dev/null |
route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject > /dev/null |
route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject >/dev/null |
route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject > /dev/null |
route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject >/dev/null |
route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject > /dev/null |
route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject >/dev/null |
|
|
# Disallow packets without scope identifier. |
# Disallow packets without scope identifier. |
route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject > /dev/null |
route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject >/dev/null |
route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject > /dev/null |
route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject >/dev/null |
|
|
# Completely disallow packets to IPv4 compatible prefix. |
# Completely disallow packets to IPv4 compatible prefix. |
# |
# |
|
|
# |
# |
# Due to rare use of IPv4 compatible addresses, and security issues |
# Due to rare use of IPv4 compatible addresses, and security issues |
# with it, we disable it by default. |
# with it, we disable it by default. |
route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null |
route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject >/dev/null |
|
|
rtsolif="" |
rtsolif="" |
else |
else |
|
|
# Look for default routes in /etc/mygate. |
# Look for default routes in /etc/mygate. |
[[ -z $dhcpif ]] && stripcom /etc/mygate | while read gw; do |
[[ -z $dhcpif ]] && stripcom /etc/mygate | while read gw; do |
[[ $gw == @(*:*) ]] && continue |
[[ $gw == @(*:*) ]] && continue |
route -qn delete default > /dev/null 2>&1 |
route -qn delete default >/dev/null 2>&1 |
route -qn add -host default $gw && break |
route -qn add -host default $gw && break |
done |
done |
[[ -z $rtsolif ]] && stripcom /etc/mygate | while read gw; do |
[[ -z $rtsolif ]] && stripcom /etc/mygate | while read gw; do |
[[ $gw == !(*:*) ]] && continue |
[[ $gw == !(*:*) ]] && continue |
route -qn delete -inet6 default > /dev/null 2>&1 |
route -qn delete -inet6 default >/dev/null 2>&1 |
route -qn add -host -inet6 default $gw && break |
route -qn add -host -inet6 default $gw && break |
done |
done |
|
|
|
|
# NO YES none installed daemon will run |
# NO YES none installed daemon will run |
# YES/interface NO -interface YES=def. iface |
# YES/interface NO -interface YES=def. iface |
# Any other combination -reject config error |
# Any other combination -reject config error |
route -qn delete 224.0.0.0/4 > /dev/null 2>&1 |
route -qn delete 224.0.0.0/4 >/dev/null 2>&1 |
case "$multicast_host:$multicast_router" in |
case "$multicast_host:$multicast_router" in |
NO:NO) |
NO:NO) |
route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null |
route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject >/dev/null |
;; |
;; |
NO:YES) |
NO:YES) |
;; |
;; |
|
|
ed -s "!ifconfig $multicast_host" <<EOF |
ed -s "!ifconfig $multicast_host" <<EOF |
/^ inet /p |
/^ inet /p |
EOF |
EOF |
fi 2> /dev/null` |
fi 2>/dev/null` |
if [ "X${maddr}" != "X" ]; then |
if [ "X${maddr}" != "X" ]; then |
set $maddr |
set $maddr |
route -qn add -net 224.0.0.0/4 -interface $2 > /dev/null |
route -qn add -net 224.0.0.0/4 -interface $2 >/dev/null |
else |
else |
route -qn add -net 224.0.0.0/4 -interface \ |
route -qn add -net 224.0.0.0/4 -interface \ |
127.0.0.1 -reject > /dev/null |
127.0.0.1 -reject >/dev/null |
fi |
fi |
;; |
;; |
*:*) |
*:*) |
echo 'config error, multicasting disabled until rc.conf is fixed' |
echo 'config error, multicasting disabled until rc.conf is fixed' |
route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject > /dev/null |
route -qn add -net 224.0.0.0/4 -interface 127.0.0.1 -reject >/dev/null |
;; |
;; |
esac |
esac |
|
|
|
|
ifmstart "pppoe tun gif gre bridge" |
ifmstart "pppoe tun gif gre bridge" |
|
|
# Reject 127/8 other than 127.0.0.1. |
# Reject 127/8 other than 127.0.0.1. |
route -qn add -net 127 127.0.0.1 -reject > /dev/null |
route -qn add -net 127 127.0.0.1 -reject >/dev/null |
|
|
if [ "$ip6kernel" = "YES" ]; then |
if [ "$ip6kernel" = "YES" ]; then |
# This is to make sure DAD is completed before going further. |
# This is to make sure DAD is completed before going further. |