On 12.07.2013 16:04, Chris Adams wrote:
> Once upon a time, Tim <ignored_mailbox@xxxxxxxxxxxx> said:
>> How is your firewall set up? When you allow something for IPv4, does it
>> make a corresponding rule for IPv6 at the same time? Likewise, if
>> you block something. And I mean that in two ways, dealing with ports
>> and addresses. I may decide to block all port 80 traffic, and I'd hope
>> my firewall doesn't just put a block on IPv4 traffic, requiring me to
>> separately set up another rule for the IPv6. Or, I may find out that
>> I'm seeing unwanted traffic from www.example.com; I'll probably have to
>> find out their IPv4 and IPv6 IPs and individually block them.
>
> Does _every_ firewall that claims IPv4 and IPv6 support do that
> correctly?

I don't know, probably not.

* iptables and iptables6 are two different things
* as long as my network has no public IPv6 addresses there is no need
* I would have to tighten the iptables6 rules 1:1 to the iptables4 ones
* my webserver must not access 127.0.0.1:445
* without IPv6 enabled I do not need to block it for ::1 and start to deal with iptables6 at all, which would happen for this machine *after* a public IPv6 IP becomes a topic

So again: ipv6disable=1 has to disable the *entire* stack, as it currently does with F17/F18, as long as *I* decide as admin that all components of the machine are IPv6-capable, and *before* I set an AAAA record for the machine.

______________________________________

The first lines on any of my machines, to prevent OS fingerprinting and various port-scan methods which would otherwise be possible. What do these things look like in IPv6? I do not know, and until I have a public IPv6 address on any network I do not need to know it.

iptables -A INPUT ! -i lo -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW --dport 0 -j DROP
iptables -A INPUT ! -i lo -p udp -m conntrack --ctstate NEW --dport 0 -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT ! -i lo -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT ! -i lo -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
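The thread's open question is how to keep the IPv6 filter 1:1 with the IPv4 one once ip6tables comes into play. The following is an added example, not code from the mail or from Fedora: a small POSIX sh helper that emits every address-free rule for both iptables and ip6tables, and refuses rules carrying a dotted IPv4 literal (the 127.0.0.1 vs ::1 case from the mail), since those need a hand-written IPv6 counterpart. The function names and the sample rule list are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): keep the IPv4 and IPv6 filter
# stacks 1:1 by emitting every address-free rule for iptables AND ip6tables.
# The anti-fingerprinting rules in the mail only use interface, protocol,
# port and TCP-flag matches, which ip6tables accepts unchanged. Rules that
# carry an IPv4 literal (-s/-d 127.0.0.1, ...) are refused: their IPv6
# counterpart (::1, ...) has to be written by hand.

# dual_rule RULE...: print the iptables and the ip6tables form of one rule.
# Returns 1 and prints nothing if the rule contains a dotted IPv4 address.
dual_rule() {
    case "$*" in
        *[0-9].[0-9]*.[0-9]*.[0-9]*) return 1 ;;
    esac
    printf 'iptables %s\n' "$*"
    printf 'ip6tables %s\n' "$*"
}

# dual_ruleset: read one rule body per line on stdin and print both forms
# for each. Refused rules are reported on stderr and the status is non-zero,
# so a deployment script can stop instead of silently leaving IPv6 open.
dual_ruleset() {
    bad=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # word-splitting the rule into arguments is intended here
        dual_rule $rule || { echo "needs manual IPv6 rule: $rule" >&2; bad=1; }
    done
    return "$bad"
}

# Constructed sample: two of the mail's flag/state rules plus one loopback
# rule that cannot be translated mechanically.
sample_rules() {
    cat <<'EOF'
-A INPUT ! -i lo -m conntrack --ctstate INVALID -j DROP
-A INPUT ! -i lo -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A OUTPUT -d 127.0.0.1 -p tcp --dport 445 -j DROP
EOF
}

# Stand-alone demo: prints four commands, then reports the rejected rule.
if ! sample_rules | dual_ruleset; then
    echo "ruleset needs manual IPv6 work before ip6tables is enabled" >&2
fi
```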