| author | Chris Buechler <cmb@pfsense.org> | 2014-10-14 13:21:45 -0500 |
|---|---|---|
| committer | Chris Buechler <cmb@pfsense.org> | 2014-10-14 13:21:45 -0500 |
| commit | eb71461cc05483a043a8ca1263203fb5506582f1 | |
| tree | fb5464683f5512775870f25839e7c1ef4e50190c /etc | |
| parent | 69b79ff061d8b136229f6e929f195340b30abab7 | |
block IPv4 link-local. Per RFC 3927, hosts "MUST NOT send the packet to
any router for forwarding", and "any network device receiving such a
packet MUST NOT forward it". FreeBSD won't route it (route-to can override in
some circumstances), so it can't be in use as a real network anywhere with
the possible exception of local-only networks. Unlikely any such situation
exists anywhere.
Fixes ticket #2073
Diffstat (limited to 'etc')

| -rw-r--r-- | etc/inc/filter.inc | 5 |
|---|---|---|

1 files changed, 5 insertions, 0 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index c7f9693..79fb652 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -2703,6 +2703,11 @@ function filter_rules_generate() { $tracker = $saved_tracker; $ipfrules .= <<<EOD +# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device, +# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but +# route-to can override that, causing problems such as in redmine #2073 +block in {$log['block']} quick from 169.254.0.0/16 to any +block in {$log['block']} quick from any to 169.254.0.0/16 #--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- |
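Review bot: The two new `block in ... quick` rules carry no `label` and no tracker id, so any hits logged via `{$log['block']}` will show up in the firewall log and rule view without a name, and the context line `$tracker = $saved_tracker;` immediately above the hunk indicates this part of filter_rules_generate() is otherwise tracker-aware. Suggest giving each rule a label such as `label "Block IPv4 link-local"` and the same tracker handling as the neighbouring generated rules. Also note that because the rules are `in` on every interface rather than limited to forwarded traffic, they drop link-local packets addressed to the firewall itself, including a LAN host that fell back to a 169.254/16 address after failing DHCP and is trying to reach the firewall directly; the commit message only calls out the forwarding case, so this side effect is worth stating in the comment block.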