From: Jonathan Tripathy <jonnyt@abpni.co.uk>
To: Thomas Jacob <jacob@internet24.de>, netfilter@vger.kernel.org
Subject: Re: IPv6 routing
Date: Mon, 30 Aug 2010 13:33:33 +0100
Message-ID: <4C7BA51D.8030004@abpni.co.uk>
In-Reply-To: <1283171041.16291.63.camel@enterprise.ims-firmen.de>


On 30/08/10 13:24, Thomas Jacob wrote:
> On Mon, 2010-08-30 at 12:10 +0100, Jonathan Tripathy wrote:
>    
>> On a side note: netfilter currently has arptables to stop ARP cache
>> poisoning. Is there any similar thing for NDP poisoning? I can prevent
>> the actual flow of non-ICMPv6 IP traffic to a host by using ip6tables on
>> my bridge device (which sits in the middle of all hosts), however this
>> won't stop DoS attacks.
>>      
> Neighbour discovery is using link local multicast addresses, so
> you only need to be worried about being flooded from your LAN,
> same as with arp. If you are worried about it, then I think
> ip6tables doesn't do much for you at the moment, I am afraid. IPv6
> support is a long way from being up to IPv4 standards in Linux
> (and elsewhere). Please let the list know if you find a solution ;)
>
> BTW, I wouldn't accept all icmpv6 packets if you're security
> conscious, you really only need the following for basic
> IPv6 connectivity:
>
> (Taken from Ubuntu's ufw package)
>
> (linked to INPUT chain)
>
> target     prot opt source               destination
> ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation
> ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement
> ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation
> ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement
>
> (and maybe not even the last two, if you are using
> static routing).
Hi Thomas,

Thanks for the excellent explanation.

Yes, I am worried about my "LAN" being flooded, as my "LAN" actually
hosts public (read: "untrusted") VPS for customers.

But ah well. I'm sure netfilter will have ndptables some day. We're only 
testing IPv6 at the minute anyway. And we've got iptables which will 
prevent any non-icmp traffic from working, as well as ebtables to 
prevent MAC spoofing.

That's good to know about the "fine-tuning" of the rules for ICMPv6 -
this is exactly what I was looking for!

Cheers
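
The rule set Thomas quotes, written out as ip6tables commands. This is an added example for this page, not code from the thread or from ufw. It assumes a host whose INPUT chain otherwise drops ipv6-icmp, an ip6tables binary in PATH and the "hl" (hop limit) match module; the IP6TABLES and CHAIN names are the example's own. Two things go beyond the quoted list: the four Neighbour Discovery types are matched with hop limit 255, which RFC 4861 requires of them and which rejects ND messages that a router has forwarded, and the four ICMPv6 error types (RFC 4443 types 1-4) are accepted as well, since RFC 4890 advises never filtering them and packet-too-big is what keeps path MTU discovery working.

```sh
#!/bin/sh
# Added example for this page: a minimal ICMPv6 INPUT policy in ip6tables
# form. It is not code from the thread or from ufw. Assumptions: the
# rules go into the INPUT chain of a host whose policy otherwise drops
# ipv6-icmp, ip6tables is in PATH, and the "hl" (hop limit) match is
# available. Override IP6TABLES or CHAIN in the environment if needed.

IP6TABLES="${IP6TABLES:-ip6tables}"
CHAIN="${CHAIN:-INPUT}"

# The four Neighbour Discovery types from the ufw list quoted above.
# RFC 4861 requires these to arrive with hop limit 255, which proves they
# were not forwarded by a router; matching on it is an added check that
# cheaply rejects ND messages injected from off-link.
ND_TYPES="neighbour-solicitation neighbour-advertisement router-solicitation router-advertisement"

# ICMPv6 error messages (RFC 4443 types 1-4). Not in the quoted list, but
# RFC 4890 advises never filtering them; packet-too-big in particular is
# needed for path MTU discovery because IPv6 routers do not fragment.
ERROR_TYPES="destination-unreachable packet-too-big time-exceeded parameter-problem"

# Print the ip6tables commands rather than running them, so the policy
# can be reviewed or tested before it touches a live host.
gen_icmpv6_rules() {
    for t in $ND_TYPES; do
        printf '%s -A %s -p ipv6-icmp --icmpv6-type %s -m hl --hl-eq 255 -j ACCEPT\n' \
            "$IP6TABLES" "$CHAIN" "$t"
    done
    for t in $ERROR_TYPES; do
        printf '%s -A %s -p ipv6-icmp --icmpv6-type %s -j ACCEPT\n' \
            "$IP6TABLES" "$CHAIN" "$t"
    done
    # Everything else in ICMPv6 (echo, MLD, redirects, ...) is dropped by an
    # explicit rule; this is what replaces a blanket "accept ipv6-icmp".
    printf '%s -A %s -p ipv6-icmp -j DROP\n' "$IP6TABLES" "$CHAIN"
}

# Number of generated rules, for a quick sanity check.
count_icmpv6_rules() {
    gen_icmpv6_rules | wc -l | tr -d ' '
}

# Run the generated commands in order; needs root. Stops at the first
# failure so a half-applied policy is noticed immediately.
apply_icmpv6_rules() {
    gen_icmpv6_rules | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

case "${1:-}" in
    --apply) apply_icmpv6_rules ;;
    *)       gen_icmpv6_rules ;;
esac
```

Run it without arguments to review the nine rules, and with --apply as root to load them. The closing DROP also discards echo-request/reply and the MLD messages (types 130-132); add accept rules for those if you want the host pingable or if your switches do MLD snooping. As Thomas says, none of this stops a host that is already on the link from flooding or spoofing Neighbour Solicitations and Advertisements; the hop-limit check only keeps such traffic from arriving through a router.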
