| version 1.201, 2019/10/25 06:01:27 |
version 1.202, 2020/01/15 00:19:40 |
|
|
| ip6kernel=YES |
ip6kernel=YES |
| |
|
| # Disallow link-local unicast dest without outgoing scope identifiers. |
# Disallow link-local unicast dest without outgoing scope identifiers. |
| route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject >/dev/null |
route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject |
| |
|
| # Disallow site-local unicast dest without outgoing scope identifiers. |
# Disallow site-local unicast dest without outgoing scope identifiers. |
| # If you configure site-locals without scope id (it is permissible |
# If you configure site-locals without scope id (it is permissible |
| # config for routers that are not on scope boundary), you may want |
# config for routers that are not on scope boundary), you may want |
| # to comment the line out. |
# to comment the line out. |
| route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject >/dev/null |
route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject |
| |
|
| # Disallow "internal" addresses to appear on the wire. |
# Disallow "internal" addresses to appear on the wire. |
| route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject >/dev/null |
route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject |
| |
|
| # Disallow packets to malicious 6to4 prefix. |
# Disallow packets to malicious 6to4 prefix. |
| route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject >/dev/null |
route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject |
| route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject >/dev/null |
route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject |
| route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject >/dev/null |
route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject |
| route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject >/dev/null |
route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject |
| |
|
| # Disallow packets without scope identifier. |
# Disallow packets without scope identifier. |
| route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject >/dev/null |
route -qn add -inet6 ff01:: -prefixlen 16 ::1 -reject |
| route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject >/dev/null |
route -qn add -inet6 ff02:: -prefixlen 16 ::1 -reject |
| |
|
| # Completely disallow packets to IPv4 compatible prefix. |
# Completely disallow packets to IPv4 compatible prefix. |
| # |
# |
|
|
| # |
# |
| # Due to rare use of IPv4 compatible addresses, and security issues |
# Due to rare use of IPv4 compatible addresses, and security issues |
| # with it, we disable it by default. |
# with it, we disable it by default. |
| route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject >/dev/null |
route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject |
| else |
else |
| ip6kernel=NO |
ip6kernel=NO |
| fi |
fi |
![[BACK]](/icons/back.gif){kind=icon}
Return to netstart CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / etc