On Fri, 4 Apr 2008, martin f krafft wrote:

> also sprach Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> [2008.04.03.1814 +0200]:
> > In order to handle ICMPv6 in the best way I'd suggest to read
> > rfc4890 titled Recommendations for Filtering ICMPv6 Messages in
> > Firewalls, which even comes with a sample ip6tables script.
>
> I read over that document and I am a bit dazzled at the complexity
> of the resulting ip6tables ruleset after running the script. [...]

The RFC is well worth reading because it shows the complexity of ICMPv6
and the related filtering problems:

- As ARP is replaced by ICMPv6 in IPv6, dropping ICMPv6 blindly means
  no IPv6 at all.
- IPv6 inherently relies on multicast, but multicast is *not* supported
  by netfilter connection tracking at all, and that must be taken into
  account in the filtering rules.

> I hope you concur, however, that its appendix B is useless.

It's a sample script, as far as I know from the time when IPv6
connection tracking in netfilter was experimental and people mostly ran
IPv6 without conntrack. Let me put it this way: a new sample script
which is cleaned up and takes the current kernel features into account
would be highly useful for the netfilter user community. Everyone
entering the realm of IPv6 faces the same filtering problems, and a lot
of headache and hair-pulling could be saved by providing proper recipes.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
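A compact host ruleset of the kind the message asks for, added here as an example (it is neither the RFC 4890 appendix B script nor code from anyone in the thread): it lets conntrack handle tracked flows and then explicitly accepts the ICMPv6 types that conntrack never sees, in particular the multicast Neighbor Discovery traffic that replaces ARP. It assumes a kernel with IPv6 connection tracking and the ip6tables `hl` match; the chain name ICMPV6-IN and the APPLY variable are arbitrary choices made for this example.

```shell
#!/bin/sh
# ICMPv6 host policy following RFC 4890 section 4.3.  Dry-run by default
# (prints the ip6tables commands); set APPLY=1 to execute them as root.

# Error and informational messages a host must always accept (RFC 4890
# 4.3.1): Destination Unreachable, Packet Too Big, Time Exceeded,
# Parameter Problem, Echo Request, Echo Reply.
ESSENTIAL_TYPES="1 2 3 4 128 129"
# Neighbor Discovery: RS, RA, NS, NA, Redirect.  Sent to multicast
# addresses and never part of a tracked connection, so conntrack's
# ESTABLISHED,RELATED rule will not match them; they need explicit
# accepts.  Legitimate ND always arrives with hop limit 255.
ND_TYPES="133 134 135 136 137"
# Multicast Listener Discovery (query, report, done, MLDv2 report),
# link-local only and sent with hop limit 1.
MLD_TYPES="130 131 132 143"

# Print or run one ip6tables invocation depending on APPLY.
emit() {
    if [ "${APPLY:-0}" = 1 ]; then ip6tables "$@"; else echo "ip6tables $*"; fi
}

# Build the ICMPV6-IN chain and hook it into INPUT after conntrack.
icmpv6_rules() {
    emit -N ICMPV6-IN 2>/dev/null || true   # ignore "chain exists"
    emit -F ICMPV6-IN
    for t in $ESSENTIAL_TYPES; do
        emit -A ICMPV6-IN -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    for t in $ND_TYPES; do
        emit -A ICMPV6-IN -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    for t in $MLD_TYPES; do
        emit -A ICMPV6-IN -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 1 -j ACCEPT
    done
    # Everything else (unknown or non-link-local types) is dropped.
    emit -A ICMPV6-IN -p icmpv6 -j DROP
    # Tracked flows first; only untracked ICMPv6 reaches the new chain.
    emit -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    emit -A INPUT -p icmpv6 -j ICMPV6-IN
}

icmpv6_rules
```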