also sprach Nicolas KOWALSKI <niko@xxxxxxxxxxxxxxxxx> [2008.04.04.1057 +0200]:
> -A INPUT -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s ::/0 -d ff01::/32 -j ACCEPT
> -A INPUT -s ::/0 -d ff02::/32 -j ACCEPT
> -A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j LOG
> -A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j DROP

Why do you treat multicast special before INVALID?

> -A INPUT -s fe80::/64 -d ::/0 -j ACCEPT

So local clients should be able to access everything on the machine?
Why treat them special?

> -A INPUT -s 2001:6f8:3f1::/48 -d ::/0 -i eth0 -j ACCEPT

Source-authenticated rules *can* be exploited.

> -A INPUT -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT
> -A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 22 -j ACCEPT

You probably want --syn in there too.

> -A FORWARD -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -s 2001:6f8:3f1::/48 -d ::/0 -i eth0 -j ACCEPT

You might want to use -o on those too.

-- 
martin | http://madduck.net/ | http://two.sentenc.es/

"the 'volatile' keyword is implemented syntactically but not semantically"
 -- documentation of m$ visual c, around 1992

spamtraps: madduck.bogus@xxxxxxxxxxx
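The four points raised in the reply (multicast accepted ahead of the INVALID drop, accepts keyed on source address alone, a TCP service opened without --syn, FORWARD rules bound to -i but not -o) can be checked mechanically against an ip6tables-save dump. The following is an added example, not code from the e-mail thread or from either poster: a small linter that parses rules in iptables-save syntax and reports those four patterns. ORIGINAL_RULES is the ruleset quoted in the message, re-typed as a constructed sample; HARDENED_RULES is my own reading of what the suggestions amount to (the source-only accepts dropped, --syn on port 22, multicast after the INVALID drop, and an assumed outbound interface eth1 on the FORWARD rule), not a ruleset from the thread.

```python
"""Lint ip6tables-save style rules for the four points raised in the reply.

Added example; the check names and the HARDENED_RULES sample are assumptions,
ORIGINAL_RULES is the quoted ruleset re-typed as constructed input.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "::/0"


@dataclass
class Rule:
    chain: str = ""
    target: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    states: List[str] = field(default_factory=list)
    syn: bool = False
    text: str = ""


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line in iptables-save syntax into a Rule."""
    rule = Rule(text=line.strip())
    it = iter(shlex.split(line))
    for tok in it:
        if tok == "-A":
            rule.chain = next(it)
        elif tok == "-s":
            rule.src = next(it)
        elif tok == "-d":
            rule.dst = next(it)
        elif tok == "-i":
            rule.in_if = next(it)
        elif tok == "-o":
            rule.out_if = next(it)
        elif tok == "-p":
            rule.proto = next(it)
        elif tok == "-m":
            next(it)  # match extension name; its own options follow as --xxx
        elif tok == "--state":
            rule.states = next(it).split(",")
        elif tok == "--dport":
            rule.dport = next(it)
        elif tok == "--syn":
            rule.syn = True
        elif tok == "-j":
            rule.target = next(it)
        # other tokens (e.g. '!') are ignored by this deliberately small parser
    # "::/0" is "any"; treat it as no constraint at all
    rule.src = None if rule.src == ANY else rule.src
    rule.dst = None if rule.dst == ANY else rule.dst
    return rule


def lint(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding-code, rule-text) pairs for the ACCEPT rules that match."""
    rules = [parse_rule(l) for l in lines if l.strip().startswith("-A")]
    findings: List[Tuple[str, str]] = []
    # position of the first 'INVALID -> DROP' rule per chain, for the ordering check
    invalid_drop_at = {}
    for idx, r in enumerate(rules):
        if r.target == "DROP" and "INVALID" in r.states:
            invalid_drop_at.setdefault(r.chain, idx)
    for idx, r in enumerate(rules):
        if r.target != "ACCEPT":
            continue
        # 1. TCP port opened with neither --syn nor --state NEW: every segment
        #    matches, not only connection attempts.
        if r.proto == "tcp" and r.dport and not r.syn and "NEW" not in r.states:
            findings.append(("tcp-no-syn", r.text))
        # 2. FORWARD accept that names the input interface but not the output one.
        if r.chain == "FORWARD" and r.in_if and not r.out_if:
            findings.append(("forward-no-oif", r.text))
        # 3. Accept decided by the (spoofable) source address alone.
        if r.src and not (r.proto or r.dport or r.states):
            findings.append(("source-only-accept", r.text))
        # 4. Multicast destination accepted before the chain drops INVALID.
        if r.dst and r.dst.startswith("ff0") and idx < invalid_drop_at.get(r.chain, -1):
            findings.append(("multicast-before-invalid", r.text))
    return findings


# Constructed sample: the ruleset quoted in the message above.
ORIGINAL_RULES = """
-A INPUT -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s ::/0 -d ff01::/32 -j ACCEPT
-A INPUT -s ::/0 -d ff02::/32 -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j LOG
-A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j DROP
-A INPUT -s fe80::/64 -d ::/0 -j ACCEPT
-A INPUT -s 2001:6f8:3f1::/48 -d ::/0 -i eth0 -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 2001:6f8:3f1::/48 -d ::/0 -i eth0 -j ACCEPT
""".strip().splitlines()

# Assumed hardened variant (my reading of the suggestions; eth1 is an assumption).
HARDENED_RULES = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j LOG
-A INPUT -m state --state INVALID -j DROP
-A INPUT -d ff02::/32 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 2001:6f8:3f1::/48 -i eth0 -o eth1 -m state --state NEW -j ACCEPT
""".strip().splitlines()

if __name__ == "__main__":
    for code, text in lint(ORIGINAL_RULES):
        print(f"{code:26} {text}")
    print("hardened findings:", lint(HARDENED_RULES))
```

Run it on `ip6tables-save` output (pipe the file in as `lines`) to get the same four classes of finding on a live box; the parser only understands the options that appear in the quoted rules, so extend `parse_rule` before trusting it on rulesets that use other match extensions.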