On Wed, 9 Oct 2024 09:50:22 +0200 Daniel <tech@xxxxxxxxxx> wrote:

> On 08/10/2024 at 22:28, Kevin P. Fleming wrote:
> > On Tue, Oct 8, 2024, at 16:08, Martin Brampton wrote:
> >> chain output {
> >>     type filter hook output priority filter; policy drop;
> >>     ct state { established, related } accept
> >>     ip protocol icmp icmp type echo-request accept
> >>     ip protocol icmp icmp type echo-request ip daddr 127.0.0.1 accept
> >>     icmpv6 type echo-request accept
> >>     ip protocol { tcp, udp } th dport 53 accept
> >>     tcp dport 123 accept
> >>     tcp dport { 80, 443 } accept
> >>     tcp dport { 25, 465, 587, 993, 995, 4190 } accept
> >> }
> > What happens if you change this policy to 'accept', and make no
> > other changes?
> Or simply add new in state
> ct state { established, related, new } accept

IIRC many NDP packets have ct state = untracked, so you are proposing to accept all TCP+UDP connections and still have broken IPv6.
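The following ruleset is an added example, not code from anyone in the thread: it keeps Martin's output chain and its drop policy, but accepts the ICMPv6 neighbour-discovery and MLD types explicitly instead of loosening ct state. Those types are marked untracked by conntrack, so no `ct state` match (not even `new`) will ever catch them. The table name `inet filter`, the trailing log rule and its prefix are assumptions for illustration.

```nft
# Added example: output chain with a default-drop policy that still
# lets IPv6 neighbour discovery work. Table name "inet filter" is assumed.
table inet filter {
    chain output {
        type filter hook output priority filter; policy drop;

        # NDP and MLD are never given a conntrack entry (ct state is
        # "untracked"), so they fall through every ct state rule and
        # hit the drop policy unless accepted on their own.
        icmpv6 type {
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert,
            mld-listener-query, mld-listener-report, mld-listener-done,
            mld2-listener-report
        } accept

        # Replies to inbound connections (tracked flows only).
        ct state { established, related } accept

        # Outbound pings; echo-request is tracked, so this also covers
        # the returning echo-reply via "established" above.
        ip protocol icmp icmp type echo-request accept
        icmpv6 type echo-request accept

        # Outbound services, as in the quoted chain.
        ip protocol { tcp, udp } th dport 53 accept
        tcp dport 123 accept
        tcp dport { 80, 443 } accept
        tcp dport { 25, 465, 587, 993, 995, 4190 } accept

        # Assumed diagnostic: log whatever is about to hit the drop
        # policy, so a broken protocol shows up in the kernel log
        # instead of failing silently.
        log prefix "output-drop: " counter
    }
}
```

Check it with `nft -c -f output.nft` before loading it with `nft -f output.nft`; afterwards `ip -6 neigh show` should report neighbours as REACHABLE or STALE rather than FAILED, and `dmesg | grep output-drop:` shows anything the policy is still eating.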