Révision eb71461c
Ajouté par Chris Buechler il y a plus de 9 ans
| etc/inc/filter.inc | ||
|---|---|---|
| 2703 | 2703 |
$tracker = $saved_tracker; |
| 2704 | 2704 |
|
| 2705 | 2705 |
$ipfrules .= <<<EOD |
| 2706 |
# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device, |
|
| 2707 |
# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but |
|
| 2708 |
# route-to can override that, causing problems such as in redmine #2073 |
|
| 2709 |
block in {$log['block']} quick from 169.254.0.0/16 to any
|
|
| 2710 |
block in {$log['block']} quick from any to 169.254.0.0/16
|
|
| 2706 | 2711 |
#--------------------------------------------------------------------------- |
| 2707 | 2712 |
# default deny rules |
| 2708 | 2713 |
#--------------------------------------------------------------------------- |
Formats disponibles : Unified diff
block IPv4 link-local. Per RFC 3927, hosts "MUST NOT send the packet to
any router for forwarding", and "any network device receiving such a
packet MUST NOT forward it". FreeBSD won't route it (route-to can override in
some circumstances), so it can't be in use as a real network anywhere with
the possible exception of local-only networks. Unlikely any such situation
exists anywhere.
Fixes ticket #2073