I'm doing a rewrite of this article to make it more correct and simple, and also to clean up a lot of unnecessary info. Once the cleanup etc. is done, the merge to the iptables article that is suggested on the iptables discussion page will make a lot more sense. [[User:Thestinger|Thestinger]] 07:28, 12 March 2010 (EST)
:Except for a few more tweaks, I'm pretty much done with the [[Simple_stateful_firewall_HOWTO#Firewall_for_a_single_machine]] section. I'm going to rewrite the script at the bottom to contain the new rules. Also, I plan on adding a section about the recent module to the "hide your computer" section that shows how to trick portscanners into thinking open ports are closed. Once that's done, I'll read over the NAT section and see what I can do to improve it. [[User:Thestinger|Thestinger]] 10:25, 15 March 2010 (EDT)
::Still to finish: port knocking section, ssh bruteforce protection with recent module, rewrite of NAT section, firewall script. I'm probably going to end up rewriting a lot of the other stuff too, to make the article/guide easier to follow. [[User:Thestinger|Thestinger]] 12:50, 8 April 2010 (EDT)

== NAT ==
The NAT section here is incomplete and there is a far superior article here: [[NAT'ing firewall - Share your broadband connection]]. If no one opposes it, I'm going to work on improving [[NAT'ing firewall - Share your broadband connection]] and then get rid of the NAT section here once it has no unique information. This article is for a "Simple Stateful Firewall", not a NAT. [[User:Thestinger|Thestinger]] 13:35, 9 April 2010 (EDT)
Revision as of 11:46, 6 October 2013
== IPv6 icmp replies ==
For ipv6 adaptation.
As --reject-with icmp6-proto-unreachable does not exist in ipv6, as told in the page, and according to the error message descriptions in the RFC [], I think icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea what is generally done in this case. --Cladmi 07:28, 15 February 2012 (EST)
:Other articles have suggested a vanilla reject, thus:
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -j REJECT
:--Steve-o (talk) 13:44, 13 September 2013 (UTC)
::I'd say it depends on what you want to do, and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
::I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6-capable fw). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)
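The thread's practical point is that the IPv4 reject types (such as the `icmp6-proto-unreachable` spelling people try first) simply do not exist for ip6tables, and that `tcp-reset` only makes sense on rules matching TCP. The following checker, an added example that is not part of the wiki discussion above, reads rules in `ip6tables -S` / `ip6tables-restore` syntax and flags REJECT rules whose `--reject-with` value is not one the ip6tables REJECT target accepts. The accepted-type list follows the ip6tables-extensions documentation (no-route, adm-prohibited, addr-unreachable, port-unreachable, tcp-reset); the sample ruleset is constructed for the demo and includes the faulty rules the thread discusses.

```python
"""Lint the --reject-with types in an ip6tables ruleset (added example)."""
import shlex

# --reject-with values the ip6tables REJECT target accepts, mapped from the
# documented canonical names and their short aliases to the canonical form.
IPV6_REJECT_TYPES = {
    "icmp6-no-route": "icmp6-no-route",
    "no-route": "icmp6-no-route",
    "icmp6-adm-prohibited": "icmp6-adm-prohibited",
    "adm-prohibited": "icmp6-adm-prohibited",
    "icmp6-addr-unreachable": "icmp6-addr-unreachable",
    "addr-unreach": "icmp6-addr-unreachable",
    "icmp6-port-unreachable": "icmp6-port-unreachable",
    "port-unreach": "icmp6-port-unreachable",
    "tcp-reset": "tcp-reset",
}

# Constructed sample (not a real host's ruleset): the tail of an INPUT chain in
# `ip6tables -S` syntax. Line 7 uses the non-existent IPv4-style type from the
# thread; line 8 puts tcp-reset on a UDP rule.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT --reject-with icmp6-proto-unreachable
-A INPUT -p udp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
"""


def parse_rule(line):
    """Extract chain, protocol, target and --reject-with from one -A line."""
    argv = shlex.split(line)
    rule = {"chain": None, "proto": None, "target": None, "reject_with": None}
    keys = {"-A": "chain", "-p": "proto", "-j": "target", "--reject-with": "reject_with"}
    i = 0
    while i < len(argv):
        key = keys.get(argv[i])
        if key is not None and i + 1 < len(argv):
            rule[key] = argv[i + 1]
            i += 2
        else:
            i += 1  # any other match/option we do not care about
    return rule


def check_reject_rules(ruleset):
    """Return (line_no, rule_text, problem) for every REJECT rule that is wrong for IPv6."""
    problems = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        if not line.startswith("-A"):
            continue  # policy lines, chain definitions, comments
        rule = parse_rule(line)
        if rule["target"] != "REJECT":
            continue
        rw = rule["reject_with"]
        if rw is None:
            continue  # ip6tables defaults to icmp6-port-unreachable, which is fine
        canonical = IPV6_REJECT_TYPES.get(rw)
        if canonical is None:
            problems.append((n, line, f"'{rw}' is not a valid ip6tables reject type"))
        elif canonical == "tcp-reset" and rule["proto"] not in ("tcp", "6"):
            problems.append((n, line, "tcp-reset is only valid on rules with -p tcp"))
    return problems


if __name__ == "__main__":
    for line_no, text, problem in check_reject_rules(SAMPLE_RULES):
        print(f"line {line_no}: {problem}\n    {text}")
```

Feed it the output of `ip6tables -S` (or an `ip6tables-restore` file) to catch the mistakes before the ruleset is loaded; a rule with a non-existent type is rejected by ip6tables at load time, which on a remote box can leave you with a half-applied firewall.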