On 09/10/2024 at 11:19, Carl Lei wrote:
On Wed, 9 Oct 2024 10:46:34 +0200
Daniel <tech@xxxxxxxxxx> wrote:
On 09/10/2024 at 10:11, Carl Lei wrote:
On Wed, 9 Oct 2024 09:50:22 +0200
Daniel <tech@xxxxxxxxxx> wrote:
On 08/10/2024 at 22:28, Kevin P. Fleming wrote:
On Tue, Oct 8, 2024, at 16:08, Martin Brampton wrote:
chain output {
    type filter hook output priority filter; policy drop;
    ct state { established, related } accept
    ip protocol icmp icmp type echo-request accept
    ip protocol icmp icmp type echo-request ip daddr 127.0.0.1 accept
    icmpv6 type echo-request accept
    ip protocol { tcp, udp } th dport 53 accept
    tcp dport 123 accept
    tcp dport { 80, 443 } accept
    tcp dport { 25, 465, 587, 993, 995, 4190 } accept
}
What happens if you change this policy to 'accept', and make no
other changes?
Or simply add new in state
ct state { established, related, new } accept
IIRC many NDP packets have ct state = untracked, so you are
proposing to accept all TCP+UDP connections and still have broken
IPv6.
Well, from my understanding, policy accept does the same.
Well, if you meant to keep policy=drop and to add ctstate=new ->
accept, it won't accept untracked NDP packets, so not going to work.
Yes. What I have
chain output {
    type filter hook output priority filter; policy drop;
    meta l4proto ipv6-icmp counter packets 601917 bytes 34178441 accept
    oif "eth0" ct state established,related,new counter packets 5373812 bytes 64917554996 accept
    oif "lo" accept
}
and it does the job
[...]
-- 
Daniel
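A tightened version of the output chain discussed in this thread, added here as an example and not taken from any of the messages above: it keeps policy drop and, instead of accepting all of ICMPv6 as the working chain does, accepts only the NDP and MLD types that conntrack marks untracked (which is why they never match ct state new). The inet table name and the udp port 123 (NTP) line are assumptions.

```nft
# Added example: an output chain that keeps policy drop but does not
# break IPv6. Table name and family are assumed, not from the thread.
table inet filter {
    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state { established, related } accept

        # Neighbor Discovery and MLD are marked "untracked" by conntrack,
        # so "ct state new" never matches them. Accept them by type instead
        # of opening all of ICMPv6. ("ct state untracked accept" would also
        # let them through, but it matches anything marked notrack.)
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept
        icmpv6 type { mld-listener-query, mld-listener-report,
                      mld-listener-done, mld2-listener-report } accept

        # Outbound ping for both families
        icmpv6 type echo-request accept
        icmp type echo-request accept

        # Outbound DNS, NTP (UDP, not TCP), web and mail, as in the thread
        meta l4proto { tcp, udp } th dport 53 accept
        udp dport 123 accept
        tcp dport { 80, 443 } accept
        tcp dport { 25, 465, 587, 993, 995, 4190 } accept
    }
}
```

Load it with `nft -c -f <file>` first to syntax-check without applying it, then `nft -f <file>`.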