Glen Pitt-Pladdy :: Blog

ICMPv6 Firewalling Quick Reference (crib sheet)
I regularly configure IPv6 firewalls, and while services are relatively straightforward, there is an awful lot of ICMPv6 that needs to be handled in different ways. Fortunately the IETF issued RFC4890 as advice on this. This is my attempt to summarise the basics from RFC4890 about how each kind of ICMPv6 message should be treated. I have probably made quite a few errors, so let me know if you spot any. There is an example ip6tables script in Appendix B of RFC4890 which may be of use. I also provide some script snippets at the end of each section.

Individual host / firewall interfaces

These are packets which are not forwarded but are addressed to, or handled (eg. multicast) by, the host itself rather than passed on to another address. With ip6tables these would be on the INPUT chain.

Always ACCEPT (4.4.1):
Normally ACCEPT (4.4.2):
ACCEPT if hop limit == 255 (4.4.1):
ACCEPT if LL source address (4.4.1):
ACCEPT if hop limit == 1, LL source address (4.4.1):
Should be dropped anyway (4.4.3):
Should have policy (4.4.4):
DROP (4.4.5):
* = these should only be seen in response to other packets, so with ip6tables a RELATED state should allow these.

Code

Some shell (/bin/sh) code for filtering inbound (ip6tables INPUT chain) ICMP, with the assumption that the default policy/rule for the INPUT chain is DROP. If not, then see Marcus Ranum's site:
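As an added example (not the post's own snippet), the following /bin/sh script prints the INPUT-chain rules for the 4.4.1 and 4.4.2 categories above so they can be reviewed before being piped to sh as root. The type-to-category mapping is my reading of RFC4890, and tying the starred response types to conntrack RELATED state is an assumption about the local setup.

```shell
#!/bin/sh
# Prints (does not apply) ip6tables INPUT rules for the RFC4890 section 4.4
# host categories. Review the output, then run it as root if it looks right.
IP6TABLES=${IP6TABLES:-/sbin/ip6tables}

# rule TYPE [extra match args...] : print one ICMPv6 ACCEPT rule for TYPE
rule() {
    icmp_type=$1; shift
    extra=$*
    echo "$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type $icmp_type${extra:+ $extra} -j ACCEPT"
}

icmp6_input_rules() {
    # 4.4.1 always accept: error messages (1-4) only ever arrive as responses,
    # so they are allowed via conntrack RELATED state (the starred entries)
    for t in 1 2 3 4; do rule "$t" -m conntrack --ctstate RELATED; done
    rule 128                                    # echo request
    rule 129 -m conntrack --ctstate RELATED     # echo reply answers our request
    # 4.4.1 hop limit == 255: RS/RA/NS/NA, inverse ND, SEND certificate path;
    # a hop limit of 255 proves no router forwarded the packet
    for t in 133 134 135 136 141 142 148 149; do rule "$t" -m hl --hl-eq 255; done
    # 4.4.1 link-local source: MLD query/report/done and MLDv2 report
    for t in 130 131 132 143; do rule "$t" -s fe80::/10; done
    # 4.4.1 hop limit == 1 and link-local source: multicast router discovery
    for t in 151 152 153; do rule "$t" -s fe80::/10 -m hl --hl-eq 1; done
    # 4.4.2 normally accept: redirect, also hop limit 255; remove if unwanted
    rule 137 -m hl --hl-eq 255
    # anything else falls through to the INPUT chain's DROP policy
}

# number of rules generated, handy as a sanity check
icmp6_input_rule_count() { icmp6_input_rules | wc -l | tr -d ' '; }
```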
IP6TABLES=/sbin/ip6tables

Forwarding (routing) firewalls

These will be on site boundaries and will route only traffic that is leaving or entering the local network. With ip6tables these would be on the FORWARD chain.

Always ACCEPT (4.3.1):
Normally ACCEPT (4.3.2):
Should be dropped anyway (4.3.3):

You may want to catch those with hop limit == 1 to stop Time Exceeded messages being generated, or maybe just drop the lot.
Should have policy (4.3.4):
DROP (4.3.5):
* = these should only be seen in response to other packets, so with ip6tables a RELATED state should allow these.

Code

Some shell (/bin/sh) code for filtering forwarded (ip6tables FORWARD chain) ICMP, with the assumption that the default policy/rule for the FORWARD chain is DROP. If not, then see Marcus Ranum's site:
ICMP6_ACCEPT_RESP="

Bridging (transparent) firewalls

Bridge filtering firewalls pass local network traffic which hosts need (eg. neighbor discovery) as well as traffic crossing site boundaries. As such, a bridging firewall performs both of the functions above and needs both sets of rules, configured with due care so that each packet is filtered according to whether it is a local network packet or comes from beyond the site boundary.
Copyright Glen Pitt-Pladdy 2008-2019