[TriLUG] IPv6 workshop

Randy Barlow randy at electronsweatshop.com
Tue Apr 19 22:46:11 EDT 2011


On 04/19/11 19:56, Igor Partola wrote:
> I am currently running Teredo (via miredo), since my router is too
> underpowered to run in a dual-stack mode. Here are the rules I ended
> up using:
> 
> # ip6tables -A INPUT -i lo -j ACCEPT
> # ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> # ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
> # ip6tables -A INPUT -p icmpv6 -j ACCEPT
> # ip6tables -A INPUT -j DROP
> 
> I think this covers most cases, basically allowing IPv6 ping, ssh and
> any established connections through, but dropping everything else.
> Does anyone have any suggestions for anything else I should have for
> an average home workstation?

UDP 5353 is nice, if you are into multicast DNS. mDNS can be nice for v6
hosts to find each other if you haven't set up formal DNS yet, or for
zeroconf/avahi enabled services to discover each other on your network.

Other than that, my rules look pretty similar to yours, except that I
added a REJECT instead of a DROP (though I meaninglessly set the default
policy to DROP). REJECT is nicer when I am trying to hit something I'm
not allowed to, but I guess it could cause me to send more ICMP packets
than I would like to, and causes me to be more friendly to crackers than
I should :)

-- 
R
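
Added example, not part of the original message or of either poster's
configuration: the quoted rules plus the two suggestions from the reply
(UDP 5353 and a final REJECT), written as ip6tables-restore input. The
function name gen_ruleset, the rate-limit values, the tcp-reset rule for
TCP and the FORWARD policy are assumptions made for this example.

```shell
#!/bin/sh
# Added example: prints an ip6tables-restore ruleset on stdout.
# It never touches the running firewall by itself.
# Dry run (as root):  sh ruleset.sh reject | ip6tables-restore --test
# Load    (as root):  sh ruleset.sh reject | ip6tables-restore

gen_ruleset() {
    final="$1"   # "drop" = silent discard, "reject" = send an error back
    case "$final" in
        drop|reject) ;;
        *) echo "usage: gen_ruleset drop|reject" >&2; return 2 ;;
    esac

    # Rules from the quoted message, then mDNS (UDP 5353) from the reply.
    # FORWARD DROP is an assumption: a workstation does not route.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -p udp --dport 5353 -j ACCEPT
EOF
    if [ "$final" = reject ]; then
        # Rate-limit the error replies (values are assumptions) so that a
        # scan cannot make the host send an unbounded stream of packets.
        cat <<'EOF'
-A INPUT -p tcp -m limit --limit 10/second --limit-burst 20 -j REJECT --reject-with tcp-reset
-A INPUT -m limit --limit 10/second --limit-burst 20 -j REJECT --reject-with icmp6-adm-prohibited
EOF
    fi
    # Everything in "drop" mode, or anything over the limit, is discarded.
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

gen_ruleset "${1:-reject}"
```

With the limit in place the host answers the first few disallowed packets
and silently drops the rest, which bounds the extra ICMP traffic mentioned
in the reply.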
