-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Jan 28, 2012 at 07:00:11PM -0600, chris at the-brannons.com wrote:
> I just allow all ICMPv6 traffic. Is there anything wrong with that?

I guess the answer to that would depend on one's point of view, and level of paranoia (grin). Since yourself, Kirk, and maybe more folks who haven't asked want to know why I'm asking this, I might as well explain, and let all of you know just how paranoid I am.

My brother-in-law bought me a wireless access point recently. There's a longer story behind that, and yes, my internal LAN was all wired until now. Given the security history of wireless networking, I decided that if I did wireless here, it would be fed off a separate NIC in my machine, and that I'd run only ipsec over it, or something even more secure. This is exactly what I did.

The wireless access point is attached to a separate network interface on its own separate private subnet. The idea is that even if someone were to break encryption, and gain access to the wireless access point, all it would get then is a class C v4 address and a documentation v6 address which they could literally do nothing with without my giving them an SSL cert, and a username/password if they're running Windows.

I currently have ppp/l2tp/ipsec going for Windows clients (previously mentioned longer story), I almost have ipsec to ipsec between Linux machines going over v4, and am working on ipsec to ipsec between Linux boxes over v6, which is why I'm asking what I am.

I've locked things down enough with ip6tables to block everything inbound, and outbound on the NIC attached to the wireless access point. This includes router advertisements, and neighbor solicitations. In order to get the ipsec connection going, I first need to issue the client a 2001:db8 address. So, I need to know what I should allow through without ipsec to make that happen.

Hopefully that explains why I'm asking.
Greg
- -- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1 (authorization required, add me to your contacts list first)
- -- 
Free domains: http://www.eu.org/ or mail dns-manager at EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk8ku6EACgkQ7s9z/XlyUyATIwCeN5ddTu+rtPy6CDIjUP/WhO8c
a0wAnRHZepDhhbvyl4LEGpEXFJcidA8m
=RodA
-----END PGP SIGNATURE-----