Current version as of 22 July 2025, 14:11
IPv6/Firewall
Description
- Protocols
- Networks
ICMP
The Internet Control Message Protocol (ICMP) is a core component of the Internet protocol suite
- Exchange of error messages and informational messages
- IPv4: under IPv4 it is common practice to block ICMP at the firewall
- Significance of ICMPv6: indispensable for important mechanisms, e.g. pMTUd
Undifferentiated filtering of ICMPv6 can cause reachability problems
Therefore ICMPv6 should not be blocked wholesale under IPv6
The following ICMPv6 types should be permitted, at least in part (see also RFC/4890)
- Types not listed should be blocked
- The labels "from the Internet" and "to the Internet" each refer to the system that initiates the connection or is its endpoint (usually an ALG)
| ICMPv6 message (type) | Between internal networks | From the Internet | To the Internet |
|---|---|---|---|
| Destination Unreachable (1) | ✓ | ✓ | ✓ |
| Packet Too Big (2) | ✓ | ✓ | ✓ |
| Time Exceeded (3) | ✓ | ✓ | ✓ |
| Parameter Problem (4) | ✓ | ✓ | ✓ |
| Echo Request (128) | ✓ ¹ | ✗ | ✓ ¹ |
| Echo Reply (129) | ✓ ² | ✓ ² | ✗ |
| Multicast (130-132, 143, 151-153) | ✓ ³ | ✓ ³ | ✓ ³ |
| Router (133, 134) | ✓ ³ | ✗ | ✗ |
| Neighbor (135, 136) | ✓ ³ | ✓ ³ | ✓ ³ |
| Redirect (137) | ✓ ³ ⁴ | ✗ | ✗ |
| ICMP Information (139) | ✓ ¹ | ✗ | ✗ |
| ICMP Information (140) | ✓ ² | ✗ | ✗ |
| Reverse Neighbor (141) | ✓ ¹ | ✗ | ✗ |
| Reverse Neighbor (142) | ✓ ² | ✗ | ✗ |
Legend
- ¹ = from the management station
- ² = towards the management station
- ³ = without forwarding
- ⁴ = originating from the router
Source
- https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/Webs/ACS/DE/BSI-CS/BSI-CS_057.pdf?__blob=publicationFile&v=1
OPNsense
[Screenshot: opnsenseIPv6firewall.png]
iptables
Client rules
```
# ip6tables-save format; load with: ip6tables-restore < file
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ndp-slaac - [0:0]
:trashlog - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j trashlog
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# every ICMPv6 packet goes through ndp-slaac first; whatever it does not accept returns here and hits the DROP policy
-A INPUT -p ipv6-icmp -j ndp-slaac
# ping and SSH only from link-local neighbours
# NOTE: the published dump read fe80::/1, which would match 8000::/1; link-local is fe80::/10
-A INPUT -s fe80::/10 -d fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s fe80::/10 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# NDP (RS, RA, NS, NA, Redirect) is only valid with hop limit 255, i.e. it was never routed
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
# MLD (130-132, 143) is link-local and sent with hop limit 1
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
# everything sent to trashlog is logged (syslog level 5, notice) and dropped
-A trashlog -j LOG --log-prefix "TRASHLOG: " --log-level 5
-A trashlog -j DROP
COMMIT
```
Router rules
```
# ip6tables-save format; load with: ip6tables-restore < file
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:bad-eh - [0:0]
:icmpv6-filter - [0:0]
:ndp-minimal - [0:0]
:trashlog - [0:0]
# INPUT: replies, NDP/MLD via ndp-minimal, Router Solicitations and DNS from the LAN (eth1)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j trashlog
-A INPUT -p ipv6-icmp -j ndp-minimal
-A INPUT -i eth1 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD: replies, ICMPv6 via icmpv6-filter, new flows only from the LAN towards the tunnel (sixxs) and NAT64
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j icmpv6-filter
-A FORWARD -i eth1 -o sixxs -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o nat64 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# bad-eh: routing-header filter. --rt-type and --rt-segsleft need numeric arguments, which are missing
# from the page as published, and the chain is never jumped to; kept for reference, disabled:
# -A bad-eh -m rt --rt-type --rt-segsleft -j DROP
# icmpv6-filter: no link-local traffic across the router (NOTE: published dump read fe80::/1, i.e. 8000::/1)
-A icmpv6-filter -s fe80::/10 -j DROP
-A icmpv6-filter -d fe80::/10 -j DROP
# echo requests only from the LAN prefix or to the router's own global address; no echo replies to multicast
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
-A icmpv6-filter -d 2a01:198:200:8a23:200:ff:fe60:d1e/128 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
-A icmpv6-filter -d ff00::/8 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j DROP
# error messages (1-4) from the LAN outbound; inbound ones already match RELATED in FORWARD
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
# NDP, MLD, node information and mobility/router-discovery messages are never forwarded
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 139 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 140 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
-A icmpv6-filter -j DROP
# ndp-minimal (INPUT only): NDP with hop limit 255, MLD with hop limit 1
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
-A trashlog -j LOG --log-prefix "TRASHLOG: " --log-level 5
-A trashlog -j DROP
COMMIT
```
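The policy table and the two rule sets above share three properties worth checking mechanically before a ruleset goes live: the error types 1-4 are accepted somewhere, NDP (133-137) is accepted only with hop limit 255, and MLD (130-132, 143) only with hop limit 1. The following lint is an added example, not code from the wiki page; it reads ip6tables-save output on stdin, chain names and both sample dumps are constructed.

```shell
# Added example, not from the wiki page: lint an ip6tables-save dump against the
# ICMPv6 policy described above: error types 1-4 must be accepted somewhere, NDP
# (133-137) only with hop limit 255, MLD (130-132, 143) only with hop limit 1.
# Chain names are assumptions; the two dumps below are constructed samples.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:icmpv6-filter - [0:0]
:ndp-minimal - [0:0]
-A INPUT -p ipv6-icmp -j ndp-minimal
-A FORWARD -p ipv6-icmp -j icmpv6-filter
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter -j DROP
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
COMMIT'
# Counter-example: RA accepted without the hop-limit check (an off-link sender
# could reach it) and a blanket DROP that also swallows the error types.
BAD_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
COMMIT'

# Reads a dump on stdin, prints one finding per line, returns 1 if there are any.
lint_icmpv6_rules() {
    findings=$(awk '
    /^-A / && /--icmpv6-type/ {
        type = ""; hl = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--icmpv6-type") type = $(i + 1)
            if ($i == "--hl-eq")       hl = $(i + 1)
            if ($i == "-j")            target = $(i + 1)
        }
        sub(/\/.*/, "", type); t = type + 0        # "3/0" -> 3 (type only)
        if (target != "ACCEPT") next
        accepted[t] = 1
        # NDP is never routed, so a genuine NDP packet still has hop limit 255
        if (t >= 133 && t <= 137 && hl != "255")
            print "NDP type " t " accepted without --hl-eq 255: " $0
        # MLD is link-local and is sent with hop limit 1
        if (((t >= 130 && t <= 132) || t == 143) && hl != "1")
            print "MLD type " t " accepted without --hl-eq 1: " $0
    }
    END {
        for (t = 1; t <= 4; t++) if (!(t in accepted))
            print "error type " t " is never accepted (breaks pMTUd and friends)"
    }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
# Usage: ip6tables-save | lint_icmpv6_rules   (or feed "$GOOD_DUMP" / "$BAD_DUMP")
```

The lint looks at each ACCEPT rule in isolation; it does not follow chain jumps, so a chain that is accepting but never referenced (like bad-eh above) still counts.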
Appendix
See also
- IPv6/ICMPv6/Nachrichten
Links
Weblinks
