I'm doing a rewrite of this article to make it more correct and simple, and also to clean up a lot of unnecessary info. Once the cleanup, etc. is done, the merge to the iptables article that is suggested on the iptables discussion page will make a lot more sense. [[User:Thestinger|Thestinger]] 07:28, 12 March 2010 (EST)
Except for a few more tweaks, I'm pretty much done with the [[Simple_stateful_firewall_HOWTO#Firewall_for_a_single_machine]] section. I'm going to rewrite the script at the bottom to contain the new rules. Also, I plan on adding a section about the recent module to the "hide your computer" section that shows how to trick portscanners into thinking open ports are closed. Once that's done, I'll read over the NAT section and see what I can do to improve it. : [[User:Thestinger|Thestinger]] 10:25, 15 March 2010 (EDT)
Still to finish: port knocking section, ssh bruteforce protection with the recent module, rewrite of the NAT section, firewall script. I'm probably going to end up rewriting a lot of the stuff too, just to make it short and sweet. [[User:Thestinger|Thestinger]] 12:50, 8 April 2010 (EDT)
Revision as of 11:46, 6 October 2013
IPv6 icmp replies
For IPv6 adaptation.
Since --reject-with icmp6-proto-unreachable does not exist in IPv6, as the page says, and according to the error message descriptions in the RFC [], I think icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)
- Other articles have suggested a vanilla reject, thus:
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT
--Steve-o (talk) 13:44, 13 September 2013 (UTC)
- I'd say it depends on what you want to do, and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
- I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6-capable firewall). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)
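As an added example (not part of this discussion, nor from the article being discussed), here is a small POSIX sh check that catches the mistake Cladmi raises: it scans an ip6tables-restore ruleset for --reject-with types that the ip6tables REJECT target does not accept, so the error surfaces before the rules are loaded. The ruleset is constructed inline for the demonstration; it contains the three rules from this thread with Indigo's change to the last one, plus a deliberately wrong FORWARD rule that uses the non-existent icmp6-proto-unreachable. The list of accepted types is the one documented in the ip6tables-extensions man page (the two icmp6-policy-fail and icmp6-reject-route entries need a reasonably recent iptables and kernel).

```shell
#!/bin/sh
# Write a constructed ip6tables-restore style ruleset (sample data, not
# the wiki's script) to the file named in $1.  The last REJECT rule uses
# an IPv4-only/non-existent reject type on purpose so the check has
# something to find.
write_sample_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-proto-unreachable
COMMIT
EOF
}

# --reject-with values accepted by the ip6tables REJECT target, per the
# ip6tables-extensions man page (long and short spellings).  Anything
# else makes ip6tables-restore refuse the whole ruleset.
VALID_IP6_REJECT='icmp6-no-route no-route
icmp6-adm-prohibited adm-prohibited
icmp6-addr-unreachable addr-unreach
icmp6-port-unreachable port-unreach
icmp6-policy-fail icmp6-reject-route
tcp-reset'

# Report every rule in file $1 whose --reject-with argument is not a
# valid IPv6 reject type.  Returns 0 if the file is clean, 1 otherwise.
check_ip6_reject_types() {
  file=$1
  bad=0
  while IFS= read -r line; do
    # Only rules that carry a --reject-with option are of interest.
    case $line in
      *--reject-with*) ;;
      *) continue ;;
    esac
    # Extract the word following --reject-with.
    rt=${line##*--reject-with }
    rt=${rt%% *}
    ok=0
    for v in $VALID_IP6_REJECT; do
      [ "$rt" = "$v" ] && ok=1 && break
    done
    if [ "$ok" -eq 0 ]; then
      printf 'invalid ip6tables reject type "%s" in: %s\n' "$rt" "$line" >&2
      bad=1
    fi
  done < "$file"
  return "$bad"
}

# Stand-alone demo: "sh thisfile.sh --demo" writes the sample ruleset to
# a temporary file and runs the check on it (exit status 1 expected,
# because of the FORWARD rule).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_rules "$tmp"
  check_ip6_reject_types "$tmp"
  status=$?
  rm -f "$tmp"
  exit "$status"
fi
```

Running the check over a ruleset before `ip6tables-restore` gives a clearer message than the generic load failure, and the same scan applied to an IPv4 ruleset (with the iptables reject types instead) catches the mirror-image mistake of using icmp6-* names in iptables.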