On Mon, 30 Aug 2010, Thomas Jacob wrote:

> On Mon, 2010-08-30 at 14:42 +0200, Jozsef Kadlecsik wrote:
>
> > Please check out RFC 4890: Recommendations for Filtering ICMPv6 Messages
> > in Firewalls, which discusses ICMPv6 filtering in detail. It even comes
> > with an example shell script for netfilter/ip6tables in the appendix.
>
> Are you sure that this is still accurate for current kernels?
>
> For instance, I would have assumed that things like
> destination-unreachable or packet-too-big are handled
> by the stateful inspection code (i.e. are matched by
> --state RELATED, ESTABLISHED) same as for IPv4?

The sample script in the RFC tries to handle both cases: kernel with and
without IPv6 connection tracking (STATE_ENABLED shell variable).

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
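As an added illustration of the switch described in the reply above (this is not the RFC 4890 appendix script and not code from either poster), the shell function below prints, rather than applies, ip6tables rules for the two error types named in the thread. The function name, the default chain and the rule layout are assumptions made for this example; only the STATE_ENABLED idea comes from the message.

```shell
#!/bin/sh
# Added example: prints ip6tables rules, never applies them.
# Hypothetical helper; not taken from RFC 4890 or from the thread.

# ICMPv6 error types mentioned in the thread (ip6tables type names).
ICMPV6_ERRORS="destination-unreachable packet-too-big"

# emit_icmpv6_error_rules STATE_ENABLED [CHAIN]
#   STATE_ENABLED=1  kernel has IPv6 connection tracking: accept the
#                    errors only when conntrack ties them to a known flow.
#   STATE_ENABLED=0  no IPv6 conntrack: accept by ICMPv6 type alone, which
#                    also lets in errors that belong to no flow at all.
emit_icmpv6_error_rules() {
    state_enabled=$1
    chain=${2:-FORWARD}          # default chain is an assumption

    case "$state_enabled" in
        1) match="-m state --state ESTABLISHED,RELATED" ;;
        0) match="" ;;
        *) echo "STATE_ENABLED must be 0 or 1" >&2
           return 2 ;;
    esac

    for icmp_type in $ICMPV6_ERRORS; do
        # ${match:+ $match} adds the state match only when it is non-empty.
        echo "ip6tables -A $chain -p icmpv6 --icmpv6-type $icmp_type${match:+ $match} -j ACCEPT"
    done
}

# Print the rules for the current setting (defaults to conntrack enabled).
emit_icmpv6_error_rules "${STATE_ENABLED:-1}"
```

Review the printed rules before piping them to a shell; in the stateless case the accepted types are not tied to any existing connection, so other filtering has to limit where they may come from.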