Simon Leinen writes:
> Anyway, I finally learned how to configure filters on my Linux
> laptop, and found that the following command (as root) makes my box
> ignore RAs from that particular address:
> ip6tables -A INPUT -s fe80::204:23ff:fe7a:fb3e \
> --protocol ipv6-icmp --icmpv6-type router-advertisement \
> -j DROP
A second source of bogus RAs has popped up, so currently I recommend:
----------------------------------------------------------------------
#!/bin/sh
evil_ll="fe80::204:23ff:fe7a:fb3e fe80::20c:f1ff:fe34:45c0"
ip6tables -F INPUT
for ll in ${evil_ll}
do
ip6tables -A INPUT -s "${ll}" \
--protocol ipv6-icmp --icmpv6-type router-advertisement \
-j DROP
done
----------------------------------------------------------------------
An alternative would be to find out the addresses of the "real" IPv6
routers and block RAs from anywhere else.
Of course SEND (SEcure Neighbor Discovery) will solve this, right?
--
Simon.
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf