Correctly firewalling IPv6 was a bit of ... / 2013-08-20

Correctly firewalling IPv6 was a bit of a search for me but I think I managed it. There is a bit of an apparent contradiction: filtering too much ipv6-icmp will break things, and allowing it too much will allow a neighbour cache overflow attack. In the end I settled on allowing ipv6-icmp in the INPUT ip6tables rule but not on the FORWARD ip6tables rule. Both rules do have a rule for ESTABLISHED,RELATED traffic. This is all for the external interface(s); internal interfaces are trusted.
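A sketch of the policy described above in `ip6tables-restore` format, as an added example and not the author's actual ruleset. The function name `gen_ip6_ruleset`, the DROP default policies, the `conntrack` match and the interface name `eth0` used below are assumptions.

```shell
#!/bin/sh
# Added example: emits a ruleset implementing the policy from the post.
# Assumed: default DROP on INPUT/FORWARD, a single external interface.

# Print an ip6tables-restore ruleset for the external interface named in $1.
gen_ip6_ruleset() {
    ext_if=$1
    # Reject empty or odd names so only a plain interface name reaches the rules.
    case $ext_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to our own traffic, including ICMPv6 errors tied to a known flow.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The firewall itself needs ICMPv6 (neighbour discovery, path MTU) from outside.
-A INPUT -i $ext_if -p ipv6-icmp -j ACCEPT
# Everything that is not the external interface is trusted (covers lo too).
-A INPUT ! -i $ext_if -j ACCEPT
# Forwarded traffic from outside: only what belongs to an existing flow.
# ICMPv6 errors such as Packet Too Big for those flows match RELATED,
# so unsolicited ICMPv6 to inside addresses is dropped by policy.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Connections initiated from trusted internal interfaces may go out.
-A FORWARD ! -i $ext_if -j ACCEPT
COMMIT
EOF
}

# When run as a script with an argument, print the ruleset, e.g.
#   sh ruleset.sh eth0 | ip6tables-restore --test
# (ruleset.sh is a hypothetical file name; --test parses without applying).
if [ "$#" -gt 0 ]; then
    gen_ip6_ruleset "$1"
fi
```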

I tested this with nmap from an external IPv6-enabled host and found out there is no way to input IPv6 address ranges. So to scan a number of addresses I had to type them all in full.

Reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.