Correctly firewalling IPv6 was a bit of ... / 2013-08-20

Correctly firewalling IPv6 was a bit of a search for me, but I think I managed it. There is a bit of an apparent contradiction: filtering too much ipv6-icmp will break things, and allowing too much of it will allow a neighbour cache overflow attack. In the end I settled on allowing ipv6-icmp in the INPUT ip6tables rule but not in the FORWARD ip6tables rule. Both rules do have a rule for ESTABLISHED,RELATED traffic. This is all for the external interface(s); internal interfaces are trusted.

I tested this with nmap from an external IPv6-enabled host and found out there is no way to input IPv6 address ranges. So to scan a number of addresses I had to type them all in full.
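
The policy described above, written out as a ruleset in `ip6tables-restore` format. This is an added example, not the author's actual ruleset; the interface name `eth0`, the function name `emit_ruleset` and the use of the `conntrack` match are assumptions.

```shell
#!/bin/sh
# Added example: generate an ip6tables-restore ruleset for the policy in the
# post. Arguments are the external (untrusted) interface names; "eth0" in the
# usage line at the bottom is a constructed sample.

emit_ruleset() {
    echo '*filter'
    # Chain policies stay ACCEPT: internal interfaces are trusted, so only
    # packets arriving on an external interface are filtered below.
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for ext in "$@"; do
        # Replies to traffic the firewall itself started. RELATED also
        # covers ICMPv6 errors (e.g. Packet Too Big) tied to those flows.
        echo "-A INPUT -i $ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # ICMPv6 addressed to the firewall: neighbour discovery, router
        # advertisements, echo. Filtering this is what "breaks things".
        echo "-A INPUT -i $ext -p ipv6-icmp -j ACCEPT"
        echo "-A INPUT -i $ext -j DROP"
        # Forwarded traffic: only replies and related ICMPv6 errors for
        # flows started from the inside.
        echo "-A FORWARD -i $ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        # Deliberately no ipv6-icmp ACCEPT in FORWARD: unsolicited ICMPv6
        # from outside is not routed on to internal addresses.
        echo "-A FORWARD -i $ext -j DROP"
    done
    echo 'COMMIT'
}

# Usage: sh ruleset.sh eth0 | ip6tables-restore --test
# (--test parses the ruleset without committing it)
if [ "$#" -gt 0 ]; then
    emit_ruleset "$@"
fi
```
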


, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout