PF Which local IPv6 addresses should I block?

I currently use this to block select local IPv4 addresses:

Code:
table <deny_local> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }
block in quick on $EXT_IF from <deny_local> to any

Which local IPv6 addresses should be added to that list?
 
I do block everything incoming, but I thought something extra was needed to block people pretending to be the local network.

Are any of these antispoof rules necessary then?

Code:
set skip on lo0
...
..

# Allow all outgoing traffic
pass out quick all


# Antispoof rules
antispoof quick for $EXT_IF
block in quick on $EXT_IF from no-route to any
block in quick on $EXT_IF from urpf-failed to any
block in quick on $EXT_IF from any to 255.255.255.255

# deny all incoming traffic
block in all

pass in quick on $EXT_IF ...
...
 
RFC 6890 lists various "Special Use" IP address ranges that you might wish to reject traffic from.

My /etc/pf.table.rfc6890:
Code:
# RFC 6890: Special-Purpose IP Address Registry Entries
#
# IPv4 Special-Purpose Address Registry Entries
#
# "This host on this network"
0.0.0.0/8
# Private-Use
10.0.0.0/8
# Shared Address Space
100.64.0.0/10
# Loopback
127.0.0.0/8
# Link Local
169.254.0.0/16
# Private-Use
172.16.0.0/12
# IETF Protocol Assignments
192.0.0.0/24
# Documentation (TEST-NET-1)
192.0.2.0/24
# 6to4 Relay Anycast
192.88.99.0/24
# Private-Use
192.168.0.0/16
# Benchmarking
198.18.0.0/15
# Documentation (TEST-NET-2)
198.51.100.0/24
# Documentation (TEST-NET-3)
203.0.113.0/24
# Reserved
240.0.0.0/4
# Limited Broadcast
255.255.255.255/32
#
# IPv6 Special-Purpose Address Registry Entries
#
# Loopback
::1/128
# Unspecified Address
::/128
# IPv4-IPv6 Translation
64:ff9b::/96
# IPv4-mapped Address
::ffff:0:0/96
# Discard-Only Address Block
100::/64
# IETF Protocol Assignments
2001::/23
# 6to4
2002::/16
# Unique-Local
fc00::/7
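
Added example (not code from either post above, and not part of pf itself) covering both questions in the thread: which IPv6 ranges the table from the reply would drop on $EXT_IF, and how that table relates to the `antispoof` keyword the first post asks about. It models the RFC 6890 table with Python's ipaddress module, renders the equivalent pf.conf lines, classifies a set of constructed sample source addresses against the `block in quick on $EXT_IF from <deny_local> to any` rule, and flags table entries that overlap sources the IPv6 stack relies on for neighbour discovery (fe80::/10 for Router Advertisements and NDP, ::/128 for Duplicate Address Detection probes). The antispoof expansion follows the worked example in pf.conf(5). The interface name em0, the address 203.0.113.5/24 and all sample sources are assumptions chosen for illustration.

```python
"""PF bogon-table sanity check and antispoof expansion (added example)."""
from ipaddress import (IPv4Network, IPv6Network, ip_address, ip_interface,
                       ip_network)
from typing import Dict, List, Optional, Union

Net = Union[IPv4Network, IPv6Network]

# RFC 6890 special-purpose ranges exactly as listed in the reply above.
RFC6890_V4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "240.0.0.0/4", "255.255.255.255/32",
]
RFC6890_V6 = [
    "::1/128", "::/128", "64:ff9b::/96", "::ffff:0:0/96", "100::/64",
    "2001::/23", "2002::/16", "fc00::/7",
]

# Source prefixes an external interface must keep accepting for IPv6 to work:
# fe80::/10 carries Router Advertisements and all neighbour discovery, and
# ::/128 is the source of Duplicate Address Detection probes sent by other
# hosts (drop them and you never answer a DAD probe for an address you hold).
NDP_SOURCES = ["fe80::/10", "::/128"]


def parse_table(entries: List[str]) -> List[Net]:
    """Parse table entries; strict=True rejects a prefix with host bits set."""
    return [ip_network(e, strict=True) for e in entries]


def covering_entry(table: List[Net], src: str) -> Optional[str]:
    """Return the table entry that would drop a packet from src, else None."""
    addr = ip_address(src)
    for net in table:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def classify(table: List[Net], sources: List[str]) -> Dict[str, str]:
    """Map each sample source to 'block (<entry>)' or 'pass'."""
    out: Dict[str, str] = {}
    for src in sources:
        hit = covering_entry(table, src)
        out[src] = f"block ({hit})" if hit else "pass"
    return out


def ndp_conflicts(table: List[Net]) -> List[str]:
    """Table entries that overlap the prefixes neighbour discovery relies on."""
    needed = [ip_network(p) for p in NDP_SOURCES]
    return sorted({str(n) for n in table for p in needed
                   if n.version == 6 and n.overlaps(p)})


def render_pf(table_name: str, entries: List[Net], ext_if: str) -> str:
    """Render the table definition and the block rule in pf.conf syntax."""
    body = ", ".join(str(n) for n in entries)
    return (f"table <{table_name}> {{ {body} }}\n"
            f"block in quick on {ext_if} from <{table_name}> to any\n")


def antispoof_expansion(ext_if: str, iface_addr: str,
                        quick: bool = True) -> List[str]:
    """What 'antispoof [quick] for <if>' expands to for one interface address,
    following the expansion shown in pf.conf(5): drop packets claiming the
    interface's own network that arrive on some other interface, and drop
    packets claiming the interface's own address on any interface. This is
    what the table above does not cover: your own prefix, not the bogons."""
    iface = ip_interface(iface_addr)
    af = "inet" if iface.version == 4 else "inet6"
    q = " quick" if quick else ""
    return [
        f"block drop in{q} on ! {ext_if} {af} from {iface.network} to any",
        f"block drop in{q} {af} from {iface.ip} to any",
    ]


if __name__ == "__main__":
    table = parse_table(RFC6890_V4 + RFC6890_V6)
    print(render_pf("deny_local", table, "em0"))           # em0 is assumed
    # Constructed sample sources: a spoofed ULA, a router-advertisement
    # source, a DAD probe, an RFC 9637 documentation address standing in for
    # a legitimate global source, and two IPv4 bogons (100.64/10 is CGNAT
    # space; if your ISP's gateway lives there, blocking it breaks the link).
    samples = ["fc00::1", "fe80::1", "::", "3fff::1", "10.1.2.3", "100.64.0.1"]
    for src, verdict in classify(table, samples).items():
        print(f"{src:>12}  {verdict}")
    print("entries overlapping NDP sources:", ndp_conflicts(table))
    print("\n".join(antispoof_expansion("em0", "203.0.113.5/24")))
```

The check reports that fe80::/10 is not in the table (correct: RAs and NDP still arrive) but that ::/128 is, which is worth a conscious decision rather than an accident. On the firewall itself the equivalent checks are `pfctl -nf /etc/pf.conf` to parse the ruleset, `pfctl -t deny_local -T test fc00::1` to ask whether an address matches the loaded table, and `pfctl -s rules` to see the rules `antispoof` expanded into.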
 