On Wed, 2 Feb 2011, Jonathan Tripathy wrote:

> On 01/02/11 23:00, Guido Winkelmann wrote:
> > On Tuesday 01 February 2011 22:38:49 you wrote:
> > > With IPv6, does anyone have any experience on how to do this? I know we
> > > can use ip6tables, but isn't there some trickery with NDP (which
> > > replaces ARP)?
> > There shouldn't be, just as long as you only filter on the source address of
> > outgoing packets, and not on the destination of incoming ones. The NDP request
> > packets go to weird multicast addresses that depend on the address being
> > requested. I haven't totally figured out the scheme yet (haven't really
> > tried).
> I really do need to filter by both the source and destination IP addresses.
> Amongst other things, I want to make sure that packets destined for another
> VPS never arrive at the wrong VPS. This can happen when the Linux bridge is
> "re-learning" the MAC address mappings.
>
> Is it wise to allow *all icmpv6* traffic destined for the multicast address to
> the destined VPS?

There's an RFC on the subject: Recommendations for Filtering ICMPv6 Messages in
Firewalls, RFC 4890. It's well worth reading.

> > Answer packets for NDP always have a valid IPv6 address from the answering
> > host as their source address. Also, they're IPv6 packets like any other and
> > not a separate protocol as with ARP+IPv4.
> Yes, however there is nothing currently like arptables for IPv6 that I know
> of.

There is no ARP in IPv6 - so there's no arptables for IPv6.

> Even though the NDP answers may have a correct source IP, surely the
> payload could provide wrong (i.e. malicious) data...

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
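An added worked example, not part of the thread above or of any netfilter code: it spells out the "weird multicast address" scheme Guido refers to (the solicited-node multicast group of RFC 4291, ff02::1:ffXX:XXXX, formed from the low 24 bits of the unicast address being resolved) and generates the per-VPS ip6tables rules Jonathan is after, filtering on both the source of what comes out of a VPS port and the destination of what is delivered to it. Assumptions: each VPS hangs off a Linux bridge port (here called vnet0, a hypothetical name), ip6tables sees bridged traffic because net.bridge.bridge-nf-call-ip6tables is 1, the physdev match is available, and the address list given for a VPS includes its link-local address as well as its global ones. Only address fields are checked; nothing here inspects the target link-layer address option inside a Neighbour Advertisement, so the spoofed-payload concern in the last quoted line is not addressed by these rules.

```python
import ipaddress

# ff02::1:ff00:0/104 is the solicited-node multicast prefix (RFC 4291 section 2.7.1).
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0")


def solicited_node_multicast(addr):
    """Return the solicited-node multicast group a Neighbour Solicitation for
    `addr` is sent to: the prefix above with the low 24 bits of `addr` appended."""
    unicast = ipaddress.IPv6Address(addr)
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX) | (int(unicast) & 0xFFFFFF))


def ndp_rules(port, addrs, chain="FORWARD"):
    """Generate ip6tables rules (as command strings) for one VPS bridge port.

    Ingress (frames the VPS sends, physdev-in): only the VPS's own addresses
    may appear as source, plus the unspecified address for Duplicate Address
    Detection solicitations (RFC 4862), which carry a source of ::.
    Egress (frames delivered to the VPS, physdev-out): only the VPS's own
    unicast addresses, the solicited-node groups of those addresses, and the
    all-nodes group ff02::1 (router advertisements, etc.) are delivered.
    Everything else on that port is dropped, so a frame for another VPS that
    the bridge floods while re-learning MACs never reaches this one.
    `port` (e.g. vnet0) is a hypothetical bridge port name.
    """
    addrs = [ipaddress.IPv6Address(a) for a in addrs]
    ingress = f"ip6tables -A {chain} -m physdev --physdev-in {port}"
    egress = f"ip6tables -A {chain} -m physdev --physdev-out {port}"
    rules = []

    for a in addrs:
        rules.append(f"{ingress} -s {a} -j ACCEPT")
    rules.append(f"{ingress} -s :: -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT")
    rules.append(f"{ingress} -j DROP")

    for a in addrs:
        rules.append(f"{egress} -d {a} -j ACCEPT")
        rules.append(
            f"{egress} -d {solicited_node_multicast(a)} "
            f"-p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT"
        )
    rules.append(f"{egress} -d ff02::1 -p icmpv6 -j ACCEPT")
    rules.append(f"{egress} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample: one VPS with a global and a link-local address.
    for rule in ndp_rules("vnet0", ["2001:db8::1234:5678", "fe80::5054:ff:fe12:3456"]):
        print(rule)
```

The generated commands are meant to be reviewed and then run as root on the bridge host; the script itself only prints them. Because the egress side admits a solicited-node group only for addresses the VPS is known to own, a Neighbour Solicitation for another VPS's address, which the bridge floods to every port, is dropped before it reaches this VPS, and any NS or NA leaving the VPS with a foreign source address is dropped on the way in.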