Talk:Simple stateful firewall (revision as of 07:26, 8 November 2013)

== IPv6 icmp replies ==
For ipv6 adaptation.
As '''--reject-with icmp6-proto-unreachable''' does not exist in ipv6, as told in the page, and according to the error messages description in the RFC [https://tools.ietf.org/html/rfc4443#section-3.1].
I think the '''icmp6-adm-prohibited''' which means "Communication with destination administratively prohibited" may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea what is generally done in this case.--[[User:Cladmi|Cladmi]] 07:28, 15 February 2012 (EST)
:: Other articles have suggested a vanilla reject, thus:
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
 -A INPUT -j REJECT

--[[User:Steve-o|Steve-o]] ([[User talk:Steve-o|talk]]) 13:44, 13 September 2013 (UTC)
:::I'd say it depends on what you want to do, and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
:::I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6-capable fw). Do you see reasons not to do it like that? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 12:15, 15 September 2013 (UTC)

== Script to automate the firewall setup ==

I've created a script to set the rules for a common use case at https://gist.github.com/adityamukho/7366051

It borrows some parts of the sysctl setup from http://0v.org/installing-ghost-on-ubuntu-nginx-and-mysql/

:Please [[Help:Style#Discussion_pages|sign]] your posts by typing {{ic|<nowiki>~~~~</nowiki>}} next time.
:You don't need a script to set up iptables, you can just copy the file containing the rules - and we [[Simple_Stateful_Firewall#Example_iptables.rules_file|already have that]]. Also the sysctl part is already on our wiki: [[Sysctl#TCP.2FIP_stack_hardening]]. Feel free to add any missing information, but I don't think it is necessary to include any scripts - they just prevent the user from understanding the core of the problem.
:-- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 07:26, 8 November 2013 (UTC)