* Tom Callaway
> I know less than nothing about DHCPv6. I used the rule offered earlier
> in the thread by Paul Wouters. If there is a more appropriate ruleset,
> please tell me what it is and I'll regenerate the patch.

This one will certainly work (it's the patch attached to bug #591630):

  ip6tables -A INPUT -p udp --dport 546 -j ACCEPT

This one *most likely* works (it assumes /sbin/dhclient in Fedora will *always* use a link-local source address when building a DHCPv6 request. I believe that is the case, but I have not reviewed its source code to verify):

  ip6tables -A INPUT -p udp --dport 546 -d fe80::/64 -j ACCEPT

Also, the latter one might be much more desirable from a security standpoint, as it prevents random people/attackers on the internet from transmitting unsolicited packets to the DHCPv6 client. In order to successfully transmit a packet to a node using its link-local address in fe80::/64 as the destination address, you'll have to be on the same link. And if you have an attacker on the same link, you're dead anyway - matching the source address and/or source port adds nothing, those are trivially spoofed.

Also, I removed the "-m state --state NEW" part, as I don't think doing a stateful match on the packet adds anything but processing overhead. After all, the reason for adding an explicit exception for DHCPv6 is that it *can't* be successfully matched by the current ip6tables state module. But I have no problems with it being included either, if it makes anyone happier.

Best regards,
-- 
Tore Anderson

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
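The difference between the two rules above can be checked without a kernel: the following is an added example (not code from this thread or from Fedora's firewall packaging) that models the two ip6tables matches as predicates and runs constructed packets through them. It shows that the "-d fe80::/64" variant still accepts a normal DHCPv6 Reply to the client's link-local address, rejects a UDP/546 packet aimed at the host's global address, and, as the message says, cannot tell an on-link source spoof from a real server. All addresses and ports are constructed for illustration (2001:db8::/32 is the documentation prefix).

```python
"""
Model of the two ip6tables rules discussed above, evaluated against
constructed IPv6/UDP packets.  Added example, not code from the thread.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    """A constructed IPv6/UDP packet header, reduced to what the rules inspect."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class Rule(NamedTuple):
    """Model of '-p PROTO --dport PORT [-d NET] -j ACCEPT'."""
    proto: str
    dport: int
    dst_net: Optional[IPv6Network]  # None means no '-d' match was given


# ip6tables -A INPUT -p udp --dport 546 -j ACCEPT
RULE_ANY_DST = Rule("udp", 546, None)

# ip6tables -A INPUT -p udp --dport 546 -d fe80::/64 -j ACCEPT
RULE_LINK_LOCAL_DST = Rule("udp", 546, IPv6Network("fe80::/64"))


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet would hit the rule's ACCEPT target."""
    if pkt.proto != rule.proto or pkt.dport != rule.dport:
        return False
    if rule.dst_net is not None and IPv6Address(pkt.dst) not in rule.dst_net:
        return False
    return True


def evaluate(pkt: Packet) -> dict:
    """Result of both rules for one packet, keyed by rule name."""
    return {
        "any_dst": matches(RULE_ANY_DST, pkt),
        "link_local_dst": matches(RULE_LINK_LOCAL_DST, pkt),
    }


# Constructed sample traffic (hypothetical addresses).
# 1. A normal DHCPv6 Reply: on-link server answering the client's
#    link-local address, which is where the client sent from.
LEGIT_REPLY = Packet("fe80::1", "fe80::2aa:bbff:fecc:ddee", "udp", 547, 546)

# 2. Unsolicited UDP/546 from the Internet to the host's global address.
#    Off-link hosts can only reach a global address, never fe80::/64.
INTERNET_PROBE = Packet("2001:db8:ffff::1", "2001:db8::10", "udp", 12345, 546)

# 3. On-link attacker using a forged source address and source port.
#    The destination is still link-local, so neither rule can tell it apart
#    from packet 1: source matching would add nothing, as the message notes.
ONLINK_SPOOF = Packet("fe80::1", "fe80::2aa:bbff:fecc:ddee", "udp", 547, 546)


if __name__ == "__main__":
    for name, pkt in [("legit reply", LEGIT_REPLY),
                      ("internet probe", INTERNET_PROBE),
                      ("on-link spoof", ONLINK_SPOOF)]:
        print(f"{name:15s} {evaluate(pkt)}")
```

Running it prints one line per packet; the only row on which the two rules disagree is the Internet probe, which is exactly the case the "-d fe80::/64" restriction is meant to close.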