On Wed, 26 Apr 2006, Philip Westphal wrote:

> I think my problem is quite simple, but I'm a little bit under pressure,
> and Google didn't help. I have a firewall machine, with ip6tables
> running on it, and behind this firewall there is a webserver with
> apache2 running. The network looks like this:
[...]
> My problem is, that packets from the LAPTOP to the APACHE (and
> vice-versa) go through all 3 chains INPUT, OUTPUT and FORWARD. If I
> don't make any rules, I have to set all 3 chains to ACCEPT to get
> packets through. If I have INPUT and OUTPUT on drop (FORWARD is all the
> time on ACCEPT), I need to allow especially packets to or from port 80
> or icmpv6 on the INPUT and OUTPUT chain.

IPv6 is not just IPv4 with bumped up address space: ARP is replaced by ND
(Neighbour Discovery), which is performed over ICMPv6. So if you block
ICMPv6 completely in INPUT/OUTPUT, you actually disable IPv6.

Have a look at the IETF draft 'Best Current Practice for Filtering ICMPv6
Messages in Firewalls':

http://www.ietf.org/internet-drafts/draft-ietf-v6ops-icmpv6-filtering-bcp-01.txt

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
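
The point of the reply above, as an added example that is not part of the original message: with INPUT and OUTPUT set to DROP, the firewall itself still has to exchange Neighbour Discovery packets or it cannot resolve its neighbours and nothing gets forwarded. The function names and the APPLY variable are hypothetical, and FORWARD is assumed to stay on ACCEPT as in the question.

```shell
#!/bin/sh
# Added example (not from the original thread): generate ip6tables rules that
# keep Neighbour Discovery working on a firewall whose INPUT and OUTPUT
# policies are DROP. By default the rules are only printed; APPLY=1 (a
# hypothetical switch for this script) pipes them to sh, which needs root.

# ICMPv6 types used by Neighbour Discovery (RFC 4861):
#   133 router solicitation     134 router advertisement
#   135 neighbour solicitation  136 neighbour advertisement
ND_TYPES="133 134 135 136"

nd_rules() {
    for chain in INPUT OUTPUT; do
        for t in $ND_TYPES; do
            # ND is link-local and never routed, so a genuine packet always
            # carries hop limit 255; anything lower has crossed a router.
            echo "ip6tables -A $chain -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
        done
    done
}

firewall_rules() {
    # ACCEPT rules go in first and the DROP policies last, so the host is
    # never left with DROP policies and no ND exceptions.
    nd_rules
    echo "ip6tables -P INPUT DROP"
    echo "ip6tables -P OUTPUT DROP"
    # Routed LAPTOP <-> APACHE traffic is handled in FORWARD only, which
    # this script leaves untouched (assumed ACCEPT, as in the question).
}

if [ "${APPLY:-0}" = 1 ]; then
    firewall_rules | sh
else
    firewall_rules
fi
```

This covers only Neighbour Discovery; the draft linked in the reply discusses the remaining ICMPv6 types, such as the error messages.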