Re: dropping UNTRACKED packets, breaks IPv6 - why?


Christoph Anton Mitterer wrote:
> 
> On Sat, 2013-07-27 at 21:49 +0200, Pascal Hambourg wrote:
>> You should not blindly drop UNTRACKED or INVALID IPv6 packets.
> 
> Why not INVALID IPv6 packets? AFAICS, the patch you've mentioned only
> removes tracking for these kinds of packets, but doesn't mark them
> invalid.

Because before the patch, older kernels marked NDP packets INVALID.

> 1) So... are there any other reasonable default rules one should make
> for IPv6 (or IPv4) then?

Sure. On an ethernet-like interface, accept the following ICMPv6 types,
with hop limit 255 as these packets are link-local only:
- neighbour solicitation and neighbour advertisement in both directions
- router solicitation in output and router advertisement in input if the
box is an IPv6 host using stateless autoconfiguration
- router solicitation in input and router advertisement in output if the
box is an IPv6 router with radvd or the like listening on this interface.
Then you can drop anything else you (don't) like.

> I guess the kernel itself already assures that any address of his own
> interfaces are not accepted as source address for packages coming over
> the wire? I.e. to prevent spoofing of the hosts own addresses.

Yes.

> 2) What about INVALID/UNTRACKED with respect to IPv4? Is it there still
> advisable to DROP them unconditionally?

AFAIK, IPv4 has nothing like NDP, so
- INVALID: normally, yes.
- UNTRACKED: AFAIK, it can only be the result of the NOTRACK target, so
you would know about it.

> Oh and btw: Does the IPsec handling I do still work with IPv6 or has
> anything changed there as well?

I don't use IPsec and don't know about its handling by iptables.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
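The NDP allow-list described in the reply above, written out as an added example (it is not code from this thread or from the netfilter project). The script only prints the ip6tables commands so they can be reviewed before being applied; the interface name eth0 and the "host"/"router" role are assumptions you pass in. The NDP accepts are emitted first and the INVALID/UNTRACKED drop last, which is the ordering the reply implies: on older kernels NDP is marked INVALID, on newer ones UNTRACKED, so the drop must never come before the accepts.

```shell
#!/bin/sh
# Added example: print ip6tables rules that accept the link-local NDP
# ICMPv6 types (hop limit 255) on one ethernet-like interface, then drop
# INVALID/UNTRACKED input. Nothing is applied; review, then pipe to sh.
# Interface name and role are assumptions supplied by the caller.

# ndp_accept CHAIN IFACE ICMPV6-TYPE
# One ACCEPT rule for the given ICMPv6 type, restricted to hop limit 255
# because NDP packets are link-local and must arrive with that hop limit.
ndp_accept() {
    chain="$1" iface="$2" type="$3"
    case "$chain" in
        INPUT)  dir="-i" ;;
        OUTPUT) dir="-o" ;;
        *) echo "ndp_accept: unknown chain $chain" >&2; return 1 ;;
    esac
    printf 'ip6tables -A %s %s %s -p icmpv6 --icmpv6-type %s -m hl --hl-eq 255 -j ACCEPT\n' \
        "$chain" "$dir" "$iface" "$type"
}

# ndp_rules IFACE ROLE   (ROLE is "host" or "router")
# Emits the full rule list in the order it must be loaded.
ndp_rules() {
    iface="$1" role="$2"
    # neighbour solicitation/advertisement in both directions, whatever the role
    for t in neighbour-solicitation neighbour-advertisement; do
        ndp_accept INPUT  "$iface" "$t"
        ndp_accept OUTPUT "$iface" "$t"
    done
    case "$role" in
        host)   # stateless autoconfiguration: we send RS, we receive RA
            ndp_accept OUTPUT "$iface" router-solicitation
            ndp_accept INPUT  "$iface" router-advertisement ;;
        router) # radvd or similar on this interface: we receive RS, we send RA
            ndp_accept INPUT  "$iface" router-solicitation
            ndp_accept OUTPUT "$iface" router-advertisement ;;
        *) echo "ndp_rules: role must be host or router" >&2; return 1 ;;
    esac
    # Only now is it safe to drop what conntrack cannot classify: the NDP
    # packets that older kernels mark INVALID (and newer ones UNTRACKED)
    # have already been accepted above.
    printf 'ip6tables -A INPUT -i %s -m conntrack --ctstate INVALID,UNTRACKED -j DROP\n' "$iface"
}

# Usage (after reading the output):   ndp_rules eth0 host | sh
```

Running `ndp_rules eth0 host` prints six ACCEPT lines followed by the single DROP line; `ndp_rules eth0 router` swaps the direction of the router solicitation/advertisement pair. Any other role makes the function return non-zero without printing rules.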



