Martin,

Thanks for your reply and comments, they are helpful!

martin f krafft <madduck@xxxxxxxxxxx> writes:

> also sprach Nicolas KOWALSKI <niko@xxxxxxxxxxxxxxxxx> [2008.04.04.1057 +0200]:
>> -A INPUT -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -s ::/0 -d ff01::/32 -j ACCEPT
>> -A INPUT -s ::/0 -d ff02::/32 -j ACCEPT
>> -A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j LOG
>> -A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j DROP
>
> Why do you treat multicast special before INVALID?

These rules matched the router solicitation packets, apparently. I will reorder the ICMPv6 ACCEPT rule before INVALID.

>> -A INPUT -s fe80::/64 -d ::/0 -j ACCEPT
>
> So local clients should be able to access everything on the machine?
> Why treat them special?

Yes, local clients have full access. So I only restrict remote access to services. Not very secure, indeed; I will remove this.

>> -A INPUT -s 2001:6f8:3f1::/48 -d ::/0 -i eth0 -j ACCEPT
>
> Source-authenticated rules *can* be exploited.

Even with the '-i eth0'? Well, I will remove this also.

>> -A INPUT -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT
>> -A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 22 -j ACCEPT
>
> You probably want --syn in there too.

ESTABLISHED,RELATED connections are matched before, so at this point these can only be new sessions, and so I did not feel it was necessary to add more checks. I will correct this.

>> -A FORWARD -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -s 2001:6f8:3f1::/48 -d ::/0 -i eth0 -j ACCEPT
>
> You might want to use -o on those too.

Right.
So, my new configuration is now:

# Generated by ip6tables-save v1.3.6 on Fri Apr 4 13:57:56 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:28015]
-A INPUT -s ::/0 -d ::/0 -i lo -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j LOG
-A INPUT -s ::/0 -d ::/0 -m state --state INVALID -j DROP
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 465 -m state --state NEW -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -j DROP
-A FORWARD -s ::/0 -d 2001:6f8:3f1::/48 -i sixxs -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 2001:6f8:3f1::/48 -d ::/0 -i eth0 -o sixxs -j ACCEPT
-A FORWARD -s ::/0 -d ::/0 -j DROP
COMMIT
# Completed on Fri Apr 4 13:57:56 2008

-- 
Nicolas

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html