Talk:Simple stateful firewall

From ArchWiki
Revision as of 07:26, 8 November 2013 by Lahwaacz (talk | contribs) (Script to automate the firewal setup: re)

IPv6 icmp replies

For the IPv6 adaptation: as --reject-with icmp6-proto-unreachable does not exist in IPv6, as stated on the page, and according to the error message descriptions in the RFC [1], I think icmp6-adm-prohibited, which means "Communication with destination administratively prohibited", may be the message to send. This is only from reading the RFC; I am not a network expert and I have no idea what is generally done in this case.--Cladmi 07:28, 15 February 2012 (EST)

Other articles have suggested a vanilla reject, thus:
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable

--Steve-o (talk) 13:44, 13 September 2013 (UTC)

I'd say it depends what you want to do and the link to the RFC above by Cladmi is perfectly correct. I would change your last rule to
  -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
I would argue there is no big harm done complying with it anyway (more the contrary: the connecting system learns there is an IPv6 capable fw). Do you see reasons not to do it like that? --Indigo (talk) 12:15, 15 September 2013 (UTC)
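The rules discussed in this thread, collected into a complete ip6tables-restore ruleset as an added example (this is not code from the ArchWiki page or the Arch project; the chain policies, the conntrack-based stateful rules and the function names are my own choices). It encodes the point made above: ip6tables has no icmp6-proto-unreachable, so TCP gets tcp-reset and everything else gets icmp6-adm-prohibited. It also handles the caveat a first-time IPv6 firewall author usually trips over: ICMPv6 carries neighbour discovery and path MTU discovery, so it has to be accepted before any catch-all REJECT or the host stops talking IPv6 at all. A small lint function checks every --reject-with value against the types the ip6tables REJECT target accepts, so a ruleset can be validated without root.

```shell
#!/bin/sh
# Added example for the IPv6 reject discussion; not from the ArchWiki page.
# Assumptions: conntrack match available, INPUT/FORWARD default to DROP.

# Map a protocol to the REJECT type to use on IPv6. There is no
# icmp6-proto-unreachable, so TCP gets a RST and everything else gets the
# ICMPv6 "communication administratively prohibited" error (type 1, code 1).
reject_target() {
    case "$1" in
        tcp) printf '%s\n' 'tcp-reset' ;;
        *)   printf '%s\n' 'icmp6-adm-prohibited' ;;
    esac
}

# Emit a complete ruleset in ip6tables-restore syntax on stdout.
# Order matters: established flows, loopback and ICMPv6 are accepted
# before the two REJECT rules at the end of INPUT.
gen_ip6_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with $(reject_target tcp)
-A INPUT -j REJECT --reject-with $(reject_target any)
COMMIT
EOF
}

# Reject types the ip6tables REJECT target accepts, per ip6tables-extensions(8).
VALID_REJECT_TYPES='icmp6-no-route no-route icmp6-adm-prohibited adm-prohibited icmp6-addr-unreachable addr-unreach icmp6-port-unreachable port-unreach tcp-reset icmp6-policy-fail icmp6-reject-route'

# Read a ruleset on stdin; return 1 if any --reject-with value is one
# ip6tables would refuse (e.g. the IPv4-only icmp-proto-unreachable).
lint_reject_types() {
    status=0
    for t in $(sed -n 's/.*--reject-with[[:space:]]*\([^[:space:]]*\).*/\1/p'); do
        case " $VALID_REJECT_TYPES " in
            *" $t "*) ;;
            *) printf 'unknown IPv6 reject type: %s\n' "$t" >&2; status=1 ;;
        esac
    done
    return $status
}

# Usage: lint the generated rules, then let the kernel parse them without
# committing, before loading for real:
#   gen_ip6_rules | lint_reject_types && gen_ip6_rules | ip6tables-restore --test
#   gen_ip6_rules | ip6tables-restore
```

The ordering is the security-relevant part: the two REJECT rules are deliberately last, and `-p ipv6-icmp -j ACCEPT` sits above them so that the admin-prohibited error is only generated for traffic that is genuinely unsolicited. Tightening the ICMPv6 rule to specific types (neighbour solicitation/advertisement, packet too big, echo) is a reasonable next step, but dropping it wholesale is not.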

Script to automate the firewall setup

I've created a script to set the rules for a common use case at

It borrows some parts of sysctl setup from

Please sign your posts by typing ~~~~ next time.
You don't need a script to set up iptables, you can just copy the file containing the rules - and we already have that. Also the sysctl part is already on our wiki: Sysctl#TCP.2FIP_stack_hardening. Feel free to add any missing information, but I don't think it is necessary to include any scripts - they just prevent the user from understanding the core of the problem.
-- Lahwaacz (talk) 07:26, 8 November 2013 (UTC)