=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/etc/netstart,v retrieving revision 1.97 retrieving revision 1.98 diff -c -r1.97 -r1.98 *** src/etc/netstart 2004/05/29 07:01:03 1.97 --- src/etc/netstart 2004/10/20 21:17:34 1.98 *************** *** 1,6 **** #!/bin/sh - # ! # $OpenBSD: netstart,v 1.97 2004/05/29 07:01:03 deraadt Exp $ # Returns true if $1 contains only alphanumerics isalphanumeric() { --- 1,6 ---- #!/bin/sh - # ! # $OpenBSD: netstart,v 1.98 2004/10/20 21:17:34 deraadt Exp $ # Returns true if $1 contains only alphanumerics isalphanumeric() { *************** *** 203,230 **** ip6kernel=YES # Disallow link-local unicast dest without outgoing scope identifiers. ! route -q add -inet6 fe80:: -prefixlen 10 ::1 -reject > /dev/null # Disallow site-local unicast dest without outgoing scope identifiers. # If you configure site-locals without scope id (it is permissible # config for routers that are not on scope boundary), you may want # to comment the line out. ! route -q add -inet6 fec0:: -prefixlen 10 ::1 -reject > /dev/null # Disallow "internal" addresses to appear on the wire. ! route -q add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null # Disallow packets to malicious IPv4 compatible prefix. ! route -q add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject > /dev/null ! route -q add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject > /dev/null ! route -q add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject > /dev/null ! route -q add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject > /dev/null # Disallow packets to malicious 6to4 prefix. ! route -q add -inet6 2002:e000:: -prefixlen 20 ::1 -reject > /dev/null ! route -q add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject > /dev/null ! route -q add -inet6 2002:0000:: -prefixlen 24 ::1 -reject > /dev/null ! route -q add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject > /dev/null # Completely disallow packets to IPv4 compatible prefix. 
# This may conflict with RFC1933 under following circumstances: --- 203,230 ---- ip6kernel=YES # Disallow link-local unicast dest without outgoing scope identifiers. ! route -qn add -inet6 fe80:: -prefixlen 10 ::1 -reject > /dev/null # Disallow site-local unicast dest without outgoing scope identifiers. # If you configure site-locals without scope id (it is permissible # config for routers that are not on scope boundary), you may want # to comment the line out. ! route -qn add -inet6 fec0:: -prefixlen 10 ::1 -reject > /dev/null # Disallow "internal" addresses to appear on the wire. ! route -qn add -inet6 ::ffff:0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null # Disallow packets to malicious IPv4 compatible prefix. ! route -qn add -inet6 ::224.0.0.0 -prefixlen 100 ::1 -reject > /dev/null ! route -qn add -inet6 ::127.0.0.0 -prefixlen 104 ::1 -reject > /dev/null ! route -qn add -inet6 ::0.0.0.0 -prefixlen 104 ::1 -reject > /dev/null ! route -qn add -inet6 ::255.0.0.0 -prefixlen 104 ::1 -reject > /dev/null # Disallow packets to malicious 6to4 prefix. ! route -qn add -inet6 2002:e000:: -prefixlen 20 ::1 -reject > /dev/null ! route -qn add -inet6 2002:7f00:: -prefixlen 24 ::1 -reject > /dev/null ! route -qn add -inet6 2002:0000:: -prefixlen 24 ::1 -reject > /dev/null ! route -qn add -inet6 2002:ff00:: -prefixlen 24 ::1 -reject > /dev/null # Completely disallow packets to IPv4 compatible prefix. # This may conflict with RFC1933 under following circumstances: *************** *** 239,245 **** # asked to forward it. # Due to rare use of IPv4 compatible addresses, and security issues # with it, we disable it by default. ! route -q add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null rtsolif="" else --- 239,245 ---- # asked to forward it. # Due to rare use of IPv4 compatible addresses, and security issues # with it, we disable it by default. ! route -qn add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject > /dev/null rtsolif="" else
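Review bot: The new `route -qn add ... -reject` lines record no reason for `-n`, and since `-q` already suppresses the "add net" message a later reader could easily judge `-n` redundant and drop it, reintroducing name lookups during early boot. Presumably the intent is that route(8) must never try to resolve these prefixes to names while netstart runs, because the resolver and the network are not yet usable and a blocked lookup would stall boot; a one-line comment above the first rejected prefix would pin that down, e.g. `# -n: never resolve names here; the resolver is not available this early in boot.` The surrounding `if ... ip6kernel=YES ... else` block begins before this hunk and its `else` branch continues outside it.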