|(14 intermediate revisions by 6 users not shown)|
|−|Still to finish: port knocking section, ssh bruteforce protection with recent module, rewrite of NAT section, firewall script. I' m probably going to end up rewriting a lot of the other stuff too, to make the article/guide easier to follow. [[User: Thestinger| Thestinger]] 12: 50, 8 April 2010 ( EDT) |+|
with , , .
I 'the to the .[[User:|]] :, ()
| || |
Also need to fix the portscanner section, right now a local windows machine will get themselves on the list from netbios stuff, it' s just a matter of adding a limit to how many packets is normal and then putting ones that go over that on the recent list [[User: Thestinger| Thestinger]] 20: 32, 19 April 2010 ( EDT) . |+|
'to and the
[[User:|]] :, ()
Revision as of 11:46, 6 October 2013
IPv6 icmp replies
For ipv6 adaptation.
As --reject-with icmp6-proto-unreachable does not exist in ipv6, as told in the page, and according to the error messages description in the RFC [].
I think the icmp6-adm-prohibited which means "Communication with destination administratively prohibited" may be the message to send. It is only by reading the RFC, I am not a network expert and I have no idea of what is generally done in this case.--Cladmi 07:28, 15 February 2012 (EST)
- Other articles have suggested a vanilla reject, thus:
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -j REJECT
--Steve-o (talk) 13:44, 13 September 2013 (UTC)
- I'd say it depends what you want to do and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
- I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)