OT, ip6tables rules for radvd


 



Boy, completely different than me.  I run my wireless adhoc network
totally open and encourage passers-by to use it.  I also encourage
visitors to install babeld and partake in the cloud.

   Kirk

On Sat, 28 Jan 2012, Gregory Nowak wrote:

> On Sat, Jan 28, 2012 at 07:00:11PM -0600, chris at the-brannons.com wrote:
>> I just allow all ICMPv6 traffic.  Is there anything wrong with that?
>
> I guess the answer to that would depend on one's point of view, and
> level of paranoia (grin). Since yourself, Kirk, and maybe more folks
> who haven't asked want to know why I'm asking this, I might as well
> explain, and let all of you know just how paranoid I am.
>
> My brother-in-law bought me a wireless access point recently. There's
> a longer story behind that, and yes, my internal LAN was all wired
> until now. Given the security history of wireless networking, I
> decided that if I did wireless here, it would be fed off a separate
> NIC in my machine, and that I'd run only ipsec over it, or something
> even more secure. This is exactly what I did. The wireless access point is
> attached to a separate network interface on its own separate private
> subnet. The idea is that even if someone were to break encryption, and
> gain access to the wireless access point, all it would get then is a
> class c v4 address and a documentation v6 address which they could
> literally do nothing with without my giving them an ssl cert, and a
> username/password if they're running windows. I currently have
> ppp/l2tp/ipsec going for windows clients (previously mentioned longer
> story), I almost have ipsec to ipsec between linux machines going over
> v4, and am working on ipsec to ipsec between linux boxes over v6,
> which is why I'm asking what I am.
>
> I've locked things down enough with ip6tables to block everything
> inbound, and outbound on the NIC attached to the wireless access
> point. This includes router advertisements, and neighbor
> solicitations. In order to get the ipsec connection going, I first
> need to issue the client a 2001:db8 address. So, I need to know what I
> should allow through without ipsec to make that happen. Hopefully that
> explains why I'm asking.
>
> Greg
>
>
> - --
> web site: http://www.romuald.net.eu.org
> gpg public key: http://www.romuald.net.eu.org/pubkey.asc
> skype: gregn1
> (authorization required, add me to your contacts list first)
>
> - --
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>

--
Kirk Reiser				The Computer Braille Facility
e-mail: kirk at braille.uwo.ca		University of Western Ontario
phone: (519) 661-3061
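As an added example, not code from either poster, here is an ip6tables rule set for the setup Greg describes: everything on the wireless NIC is dropped except the Neighbor Discovery messages radvd needs (RS/RA/NS/NA, link-local sources, hop limit 255 as RFC 4861 requires) and IKE/ESP, with traffic that arrived inside the IPsec tunnel admitted through the policy match. The interface name wlan0 and the IP6T variable (set it to echo to preview the rules without applying them) are assumptions.

```shell
#!/bin/sh
# Constructed example: minimal ip6tables rules for a wireless NIC that is
# otherwise fully blocked, allowing only NDP (for radvd) and IPsec.
# Assumption: $IP6T is the ip6tables binary; IP6T=echo gives a dry run.
IP6T="${IP6T:-ip6tables}"

wifi_rules() {
    ifc="$1"   # wireless NIC, e.g. wlan0 (assumed name)

    # Dedicated chains so the rules for other NICs stay untouched
    # (re-running this will fail on -N if the chains already exist).
    $IP6T -N WIFI_IN
    $IP6T -N WIFI_OUT
    $IP6T -A INPUT  -i "$ifc" -j WIFI_IN
    $IP6T -A OUTPUT -o "$ifc" -j WIFI_OUT

    # Inbound NDP: Router Solicitation (133) and Neighbor Solicitation (135)
    # may arrive from the unspecified address (::) during DAD / boot.
    for t in 133 135; do
        $IP6T -A WIFI_IN -s ::/128 -p ipv6-icmp --icmpv6-type $t \
            -m hl --hl-eq 255 -j ACCEPT
    done
    # Otherwise NDP must come from link-local with hop limit 255;
    # anything else claiming to be NDP was routed or forged and is dropped.
    for t in 133 135 136; do
        $IP6T -A WIFI_IN -s fe80::/10 -p ipv6-icmp --icmpv6-type $t \
            -m hl --hl-eq 255 -j ACCEPT
    done
    # Outbound: radvd's Router Advertisements (134) plus NS/NA replies.
    for t in 134 135 136; do
        $IP6T -A WIFI_OUT -p ipv6-icmp --icmpv6-type $t \
            -m hl --hl-eq 255 -j ACCEPT
    done

    # IKE (UDP 500) and ESP so the tunnel can be negotiated and carried ...
    $IP6T -A WIFI_IN  -p udp --dport 500 -j ACCEPT
    $IP6T -A WIFI_OUT -p udp --sport 500 -j ACCEPT
    $IP6T -A WIFI_IN  -p esp -j ACCEPT
    $IP6T -A WIFI_OUT -p esp -j ACCEPT
    # ... and only packets that were inside an ESP SA are accepted beyond that.
    $IP6T -A WIFI_IN  -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    $IP6T -A WIFI_OUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # Everything else on the wireless NIC, both directions, is dropped.
    $IP6T -A WIFI_IN  -j DROP
    $IP6T -A WIFI_OUT -j DROP
}
```

Run it as root with the real interface name to apply, or with IP6T=echo to review the generated rules first.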


