Re: PF IPv6/icmp6/inet6 vulnerabilities continue. (comp.unix.bsd.openbsd.misc forum, OpenBSD category)
Daniel Wrote: "Take your OpenBSD box and connect it to a laptop with a crossover cable. Run tcpdump on the laptop, so you see all packets that the OpenBSD box sends: # tcpdump -s 1600 -neeevvvXi fxp0 ... ... ..."

I usually use tcpdump with -netttvvvr (or i), just to mention this. Unfortunately I don't have any spare computers I can use at present (I've given most of my older ones away to neighbors). I do have a crossover cable (and more computer spares than can be counted easily). I almost wish I hadn't decided to finally investigate these packets. I could also have added a pfctl -F all entry before my firewall rules load, but it would only have concealed things.

I'm not a programmer. Considering the very high level of expertise within the OpenBSD community, I'll be a mere novice for years to come. If I thought I could have submitted proper "bug reports", I would have. I do believe there are bugs. If I accept (but greatly dislike) the design issue that allows the 2 or so packets to pass out before my firewall rules are loaded. If I accept that pflog may not be fully initialized and available at the same time the PF filtering engine is, somehow? I still find it very hard to accept that pfctl -si can list packets that pfctl -v -s rules cannot, and that 3 (or sometimes 4) icmp6 packets can pass out seemingly regardless of any actions taken. How is it that pfctl -si can list packets that PF cannot block? Surely if PF can see these packets it should be able to stop them?

If you investigate no further and you are correct, nothing unpleasant will ever happen. If there are bugs, and PF cannot control (or reliably control) some of these IPv6 packets, some successful attacks against PF and most of the BSD family will result. If increasing numbers of users migrate to IPv6, any possible windows of opportunity will be exploited. I know you are aware, I just wanted to make my final point. I give up. Please, reply to none of the above.

Please just tell me if OpenBSD and PF are capable of being used reliably with IPv6 excised from the kernel. If anyone else has reason to believe that removing IPv6 from an OpenBSD kernel breaks things "unexpectedly", please post. One would imagine that OpenBSD and PF are not DEPENDENT upon IPv6 in any way? I do not use it, I use nothing that requires it, I do not wish to use it. Before it ever becomes mainstream there may very well be "IPv6a" or "IPv7" standards proposed. Even now, at worst I am only passing out 2 definitely unfiltered packets, 3 or 4 probably unfiltered packets, and usually have at least statistics of 1 or 2 blocked and dropped icmp6 packets. If I had anything vital that required IPv6 (for unknown reasons), I really don't think that the at most 7 icmp6 packets could cause it to function demonstrably.

I really don't wish to compile or re-compile a kernel on every release just to remove IPv6, but it will give me peace of mind. It will also be a learning experience; I've not had reason or attempted to compile/recompile OpenBSD kernels before. I've done some Slackware kernels in the distant past. Is there no other way to achieve the same result? Perhaps changing the /etc/netstart "ipv6kernel=YES" field? I can try it perhaps, or perhaps try calling the loading of my pf.conf file from a point before /etc/netstart is called within /etc/rc? In the worst-case scenario I might definitely stop all packets passing out (and passing around generally). A new flavor perhaps, "KamikazeBSD", no networking guaranteed; maybe it could display a nice piece of ASCII art or wallpaper. I fear there be dragons...

Apologies to all if my posts are hard to follow; I need to find a better way to post as well. Though I've read Usenet posts for years, I don't usually post. I also do have tendencies towards distraction... ...maybe I'll post some more of my OpenBSD "pet-peeves/wish-list" for the amusement of some. I will try to do this only as a new post. One can never list all of one's peeves completely or at one discrete point in time...

Btw, I don't think one of my posts went through; in it I mentioned that I configure my LAN and WAN addresses statically and do not use DHCP/BootP. I believe it was Maurice who raised the possibility of DHCP-related problems.

Best Regards to all.
An Odd User.

If anyone has an estimate on the percentage of OpenBSD users requiring IPv6 support, it would be very interesting to see.
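The post compares what `pfctl -si` counts against what the rule counters show, and the crossover-cable method Daniel suggested produces a tcpdump listing to compare with both. The script below is an added example, not part of the thread, showing how to tally the ICMPv6 message types in such a listing so the per-type counts can be set beside the pf counters. The capture lines are constructed in the style of `tcpdump -n -e -vvv` output (the exact wording differs between tcpdump versions; the pattern `ICMP6, <type>,` is an assumption about that format) and are not a real capture.

```shell
#!/bin/sh
# Added example: count ICMPv6 message types in saved tcpdump text so the
# numbers can be compared with "pfctl -si" and "pfctl -v -s rules" counters.
# SAMPLE is a constructed capture, not real traffic; the line layout assumes
# tcpdump's "ICMP6, <message type>, ..." description format.

SAMPLE='00:00:01.000001 00:11:22:33:44:55 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::1 > ff02::16: ICMP6, multicast listener report v2, 1 group record(s), length 28
00:00:01.000002 00:11:22:33:44:55 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fe80::1, length 32
00:00:01.000003 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.2
00:00:02.000004 00:11:22:33:44:55 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 62: fe80::1 > ff02::2: ICMP6, router solicitation, length 16
00:00:03.000005 00:11:22:33:44:55 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::1 > ff02::16: ICMP6, multicast listener report v2, 1 group record(s), length 28'

# Emit the capture text. Replace this with "cat capture.txt" (or pipe
# "tcpdump -n -e -vvv -r capture.pcap") to work on a real saved capture.
capture_lines() {
    printf '%s\n' "$SAMPLE"
}

# total_icmp6: number of ICMPv6 packets in the capture (non-ICMP6 lines,
# such as the ARP request above, are ignored).
total_icmp6() {
    capture_lines | grep -c 'ICMP6, '
}

# count_icmp6 "<message type>": packets whose ICMP6 description starts
# with the given type, e.g. "neighbor solicitation".
count_icmp6() {
    capture_lines | grep -c "ICMP6, $1"
}

# summarize_icmp6: one line per message type, "<count> <type>", most
# frequent first. This is the table to hold against the pf counters.
summarize_icmp6() {
    capture_lines | awk -F'ICMP6, ' '
        /ICMP6, / {
            split($2, field, ",")   # first comma-separated field is the type
            seen[field[1]]++
        }
        END { for (t in seen) print seen[t], t }
    ' | sort -rn
}

summarize_icmp6
```

Run it as-is to see the tally for the constructed sample; on a real host, point `capture_lines` at the tcpdump text gathered from the laptop. Multicast listener reports, neighbor solicitations and router solicitations are the message types a freshly configured IPv6 interface sends on its own, so they are the ones to expect in the first seconds after boot; if the per-type totals here exceed the blocked counts pf reports, that is the gap worth raising on the list with the exact lines attached.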