I'm doing a rewrite of this article to make it more correct and simple, and also to clean up a lot of unnecessary info. Once the cleanup etc. is done, the merge to the iptables article that is suggested on the iptables discussion page will make a lot more sense. [[User:Thestinger|Thestinger]] 07:28, 12 March 2010 (EST)
Except for a few more tweaks, I'm pretty much done with the [[Simple_stateful_firewall_HOWTO#Firewall_for_a_single_machine]] section. I'm going to rewrite the script at the bottom to contain the new rules. Also, I plan on adding a section about the recent module to the "hide your computer" section that shows how to trick portscanners into thinking open ports are closed. Once that's done, I'll read over the NAT section and see what I can do to improve it. [[User:Thestinger|Thestinger]] 10:25, 15 March 2010 (EDT)
Revision as of 11:46, 6 October 2013
IPv6 icmp replies
For ipv6 adaptation.
As --reject-with icmp6-proto-unreachable does not exist in IPv6, as told in the page, and according to the error message descriptions in the RFC [], I think icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea of what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)
- Other articles have suggested a vanilla reject, thus:
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT
--Steve-o (talk) 13:44, 13 September 2013 (UTC)
- I'd say it depends on what you want to do, and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
- I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)
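As an added example (not from this discussion or from the wiki article itself), the three rules proposed in the thread written out as an ip6tables-restore fragment, with a check that every --reject-with value is one the ip6tables REJECT target actually accepts, so a typo such as the non-existent icmp6-proto-unreachable is caught before the ruleset is loaded. The helper names are assumptions; the ICMPv6 codes come from RFC 4443 (Destination Unreachable, type 1).

```shell
#!/bin/sh
# Added example, not part of the wiki page: build and sanity-check the IPv6 REJECT rules.

# --reject-with types accepted by the ip6tables REJECT target (iptables-extensions(8)),
# long names followed by their short aliases, plus tcp-reset for TCP.
IP6_REJECT_TYPES="icmp6-no-route no-route icmp6-adm-prohibited adm-prohibited \
icmp6-addr-unreachable addr-unreach icmp6-port-unreachable port-unreach tcp-reset"

# Returns 0 if $1 is a valid ip6tables --reject-with type, 1 otherwise.
is_valid_ip6_reject() {
    for t in $IP6_REJECT_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# Prints the RFC 4443 Destination Unreachable code the type sends ("-" for a TCP RST).
icmp6_code_for() {
    case "$1" in
        icmp6-no-route|no-route)                 echo 0 ;;
        icmp6-adm-prohibited|adm-prohibited)     echo 1 ;;
        icmp6-addr-unreachable|addr-unreach)     echo 3 ;;
        icmp6-port-unreachable|port-unreach)     echo 4 ;;
        tcp-reset)                               echo "-" ;;
        *) return 1 ;;
    esac
}

# Emits one INPUT REJECT rule; $1 = protocol ("tcp", "udp" or "" for any), $2 = reject type.
# Fails instead of emitting a rule that ip6tables-restore would refuse at load time.
reject_rule() {
    is_valid_ip6_reject "$2" || { echo "unknown ip6tables reject type: $2" >&2; return 1; }
    if [ -n "$1" ]; then
        echo "-A INPUT -p $1 -j REJECT --reject-with $2"
    else
        echo "-A INPUT -j REJECT --reject-with $2"
    fi
}

# The rule set discussed above (tcp-reset, icmp6-port-unreachable, icmp6-adm-prohibited)
# as a fragment for the filter table of ip6tables-restore.
ipv6_reject_rules() {
    echo "*filter"
    reject_rule tcp tcp-reset
    reject_rule udp icmp6-port-unreachable
    reject_rule "" icmp6-adm-prohibited
    echo "COMMIT"
}
```

Pipe the output of ipv6_reject_rules into ip6tables-restore -n (or into a file you review first) to apply it; the check catches the IPv4-only spelling before the kernel ever sees it.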