
stateful firewall and ipv6...



	Hello, sorry for the cross-posting, but this is indeed a matter
that has to do both with IPv6 and firewalling, therefore...

I have been using for a long time a startup script that uses iptables to
set up a simple packet filtering firewall to let more or less anything out
of my computer and automatically let packets belonging to RELATED and
ESTABLISHED connections back in. It drops more or less any other
incoming packet. This does work very well... for IPv4.

A couple of weeks ago, I decided to begin learning something about IPv6,
and in order to experiment I installed freenet6 on my laptop, which
painlessly got me a working IPv6 tunnel. Then I began finding some strange
failed connection attempts in my logs, which in the past were blocked by
my very simple firewalling layout. Of course, they were coming through
IPv6, which appeared to be not at all filtered by my firewall. Then I
found out that a separate ip6tables tool exists for IPv6 firewalling, but
it did not seem to support RELATED and ESTABLISHED rules, nor anything
like it. At the moment, I am using an extremely tight ip6tables script,
more or less blocking all incoming connections and only letting in TCP
packets with SYN unset, but this does not look very useful, does it? Would
some knowledgeable person point me to some useful HOWTO, FAQ, whatever doc
I can read about (statefully) firewalling IPv6 with Linux?

Thanks in advance
Giacomo

-- 
_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
_________________________________________________________________
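
As an added illustration (not part of the original post), this Python sketch models the two policies the message describes: the stateless "TCP with SYN unset" workaround and a RELATED/ESTABLISHED-style stateful filter. It assumes the workaround behaves like the ip6tables `! --syn` match; the packet fields, the 2001:db8:: addresses and the simplified flow table are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str                   # "out" or "in", relative to the laptop
    proto: str                       # "tcp" or "udp"
    local_port: int
    remote: tuple                    # (remote address, remote port)
    flags: frozenset = frozenset()   # TCP flags that are set

def stateless_accept(pkt):
    """Let everything out; inbound, accept only TCP that is not a bare SYN."""
    if pkt.direction == "out":
        return True
    # --syn matches SYN set with ACK, RST and FIN clear; "! --syn" is the rest.
    bare_syn = "SYN" in pkt.flags and not (pkt.flags & {"ACK", "RST", "FIN"})
    return pkt.proto == "tcp" and not bare_syn

class StatefulFilter:
    """Simplified ESTABLISHED tracking (RELATED handling is left out)."""
    def __init__(self):
        self.flows = set()

    def accept(self, pkt):
        key = (pkt.proto, pkt.local_port, pkt.remote)
        if pkt.direction == "out":
            self.flows.add(key)      # outbound traffic creates the flow entry
            return True
        return key in self.flows     # inbound only if it answers a known flow

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_accept(p), stateful.accept(p)) for p in packets]

WEB, DNS, OTHER = ("2001:db8::80", 80), ("2001:db8::53", 53), ("2001:db8::bad", 50000)
SAMPLE = [  # constructed traffic, not captured data
    Packet("out", "tcp", 40000, WEB, frozenset({"SYN"})),         # laptop connects
    Packet("in", "tcp", 40000, WEB, frozenset({"SYN", "ACK"})),   # server replies
    Packet("out", "udp", 40001, DNS),                             # DNS query
    Packet("in", "udp", 40001, DNS),                              # DNS answer
    Packet("in", "tcp", 22, OTHER, frozenset({"SYN"})),           # unsolicited SYN
    Packet("in", "tcp", 22, OTHER, frozenset({"ACK"})),           # unsolicited ACK
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(pkt.direction, pkt.proto, sorted(pkt.flags), stateless, stateful)
```

The two verdicts differ on the inbound DNS answer, which the stateless rule drops, and on the unsolicited ACK, which it accepts although no connection exists.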


