Re: ipv6 link local address

On Mon, 06/06/2011 at 21:47 +0000, bmcdowell@xxxxxxxxxxxxxxxxxx writes:
> Hello list.  I'm updating my IBF (invisible bridging firewall) deployments, and I'd like to add support for ip6tables.  In the near-term, I'd like to '-P DROP' everything, but I'd rather not have to reinvent the wheel once/when/if we start supporting this protocol in the DMZ.
> 
> Everything seems to be moving along just fine, except the matter of the link local addressing.  While not specifically a netfilter issue, I do wonder if anyone on the list has dealt with this in the past.  It seems to my somewhat-limited understanding of the protocol that there's simply no way to filter ipv6 without 'speaking' it.  Even in my very early days of learning ipv4 I could have specified a '0.0.0.0' address on the interface, but ipv6 is designed from the ground up to prohibit this behavior.  Ostensibly for issues such as address allotment, any ipv6 enabled interface defaults to being able to converse with any other interface on the same layer 3 link.  For an IBF this is potentially a bad thing, because now my unaddressable device is suddenly addressable, even if only to those on the same local link. The simplest example scenario I can imagine is a compromised FTP/Web server speaking to a vulnerable iptables firewall and re-writing the rules it carries.
> 
> While I can certainly firewall off this traffic easily using netfilter today, I'll not be able to do that forever.  The moment I allow link-local traffic I'll be exposing my bridge interfaces to the same.  Assuming netfilter is never down or misconfigured seems to be a fatal conceit.
> 
> Thoughts?
> 
> 

You can turn off ipv6 on interfaces. This should not prevent bridging
ipv6, but will remove any ipv6 logic from them.

> Thanks in advance.
> 
> Bob McDowell
> Network/Security Engineer 
> Cox HealthPlans
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

