IPv6/Firewall: Unterschied zwischen den Versionen
K Textersetzung - „<div style="column-count:3">“ durch „<div style="column-count:2">“ |
K Textersetzung - „ “ durch „ “ |
||
| (6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
''' | '''IPv6/Firewall''' | ||
== | == Beschreibung == | ||
* Protokolle | |||
* Netze | |||
== ICMP == | |||
[[Internet Control Message Protocol]] ([[ICMP]]) ist Kernbestandteil der Internetprotokollfamilie | |||
* Austausch von Fehlermeldungen und Informationsnachrichten | * Austausch von Fehlermeldungen und Informationsnachrichten | ||
; IPv4 | |||
Bei IPv4 ist es gängige Praxis, ICMP an der Firewall zu blockieren | Bei IPv4 ist es gängige Praxis, ICMP an der Firewall zu blockieren | ||
; | ; Bedeutung von ICMPv6 | ||
Für Mechanismen | Für wichtige Mechanismen unerlässlich | ||
* z.B.[[pMTUd]] | |||
Eine undifferenzierte Filterung von ICMPv6 kann Erreichbarkeitsprobleme mit sich bringen | |||
Daher sollte bei IPv6 keine generelle Sperrung von [[ICMPv6]] erfolgen | Daher sollte bei IPv6 keine generelle Sperrung von [[ICMPv6]] erfolgen | ||
Folgende ICMPv6-Typen sollten zumindest teilweise zugelassen werden (vgl. auch [[RFC/4890]]) | Folgende ICMPv6-Typen sollten zumindest teilweise zugelassen werden (vgl. auch [[RFC/4890]]) | ||
* Nicht genannte Typen sollten gesperrt werden | * Nicht genannte Typen sollten gesperrt werden | ||
* Die Bezeichnungen „vom Internet“ und „zum Internet“ beziehen sich jeweils auf das System, das die Verbindung aufbaut oder deren Endpunkt darstellt (in der Regel ein [[ALG]]) | * Die Bezeichnungen „vom Internet“ und „zum Internet“ beziehen sich jeweils auf das System, das die Verbindung aufbaut oder deren Endpunkt darstellt (in der Regel ein [[ALG]]) | ||
| Zeile 20: | Zeile 30: | ||
! IPv6-ICMP Nachricht (Typ) !! Zwischen internen Netzen !! Vom Internet !! Zum Internet | ! IPv6-ICMP Nachricht (Typ) !! Zwischen internen Netzen !! Vom Internet !! Zum Internet | ||
|- | |- | ||
| Destination unreachable (1) || <span style="color:green">✓</span> | | Destination unreachable (1) || <span style="color:green">✓</span> || <span style="color:green">✓</span> || <span style="color:green">✓</span> | ||
|- | |- | ||
| Packet too big (2) || <span style="color:green">✓</span> | | Packet too big (2) || <span style="color:green">✓</span> || <span style="color:green">✓</span> || <span style="color:green">✓</span> | ||
|- | |- | ||
| Time exceeded (3) || <span style="color:green">✓</span> | | Time exceeded (3) || <span style="color:green">✓</span> || <span style="color:green">✓</span> || <span style="color:green">✓</span> | ||
|- | |- | ||
| Parameter Problem (4) || <span style="color:green">✓</span> | | Parameter Problem (4) || <span style="color:green">✓</span> || <span style="color:green">✓</span> || <span style="color:green">✓</span> | ||
|- | |- | ||
| Echo-Request (128) || <span style="color:green">✓</span> <sup>1</sup>|| <span style="color:red">✗</span> | | Echo-Request (128) || <span style="color:green">✓</span> <sup>1</sup>|| <span style="color:red">✗</span> || <span style="color:green">✓</span> <sup>1</sup> | ||
|- | |- | ||
| Echo-Antwort (129) || <span style="color:green">✓</span> <sup>2</sup>|| <span style="color:green">✓</span> <sup>2</sup>|| <span style="color:red">✗</span> | | Echo-Antwort (129) || <span style="color:green">✓</span> <sup>2</sup>|| <span style="color:green">✓</span> <sup>2</sup>|| <span style="color:red">✗</span> | ||
| Zeile 34: | Zeile 44: | ||
| Multicast (130-132, 143, 151-153) || <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:green">✓</span> <sup>3</sup> | | Multicast (130-132, 143, 151-153) || <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:green">✓</span> <sup>3</sup> | ||
|- | |- | ||
| Router (133, 134) || <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:red">✗</span> | | Router (133, 134) || <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:red">✗</span> || <span style="color:red">✗</span> | ||
|- | |- | ||
| Neighbor (135,136) || <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:green">✓</span> <sup>3</sup> | | Neighbor (135,136) || <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:green">✓</span> <sup>3</sup>|| <span style="color:green">✓</span> <sup>3</sup> | ||
|- | |- | ||
| Redirect (137) || <span style="color:green">✓</span> <sup>3/4</sup>|| <span style="color:red">✗</span> | | Redirect (137) || <span style="color:green">✓</span> <sup>3/4</sup>|| <span style="color:red">✗</span> || <span style="color:red">✗</span> | ||
|- | |- | ||
| ICMP-Information (139) || <span style="color:green">✓</span> <sup>1</sup>|| <span style="color:red">✗</span> | | ICMP-Information (139) || <span style="color:green">✓</span> <sup>1</sup>|| <span style="color:red">✗</span> || <span style="color:red">✗</span> | ||
|- | |- | ||
| ICMP-Information (140) || <span style="color:green">✓</span> <sup>2</sup>|| <span style="color:red">✗</span> | | ICMP-Information (140) || <span style="color:green">✓</span> <sup>2</sup>|| <span style="color:red">✗</span> || <span style="color:red">✗</span> | ||
|- | |- | ||
| Reverse-Neighbor (141) || <span style="color:green">✓</span> <sup>1</sup>|| <span style="color:red">✗</span> | | Reverse-Neighbor (141) || <span style="color:green">✓</span> <sup>1</sup>|| <span style="color:red">✗</span> || <span style="color:red">✗</span> | ||
|- | |- | ||
| Reverse-Neighbor (142) || <span style="color:green">✓</span> <sup>2</sup>|| <span style="color:red">✗</span> | | Reverse-Neighbor (142) || <span style="color:green">✓</span> <sup>2</sup>|| <span style="color:red">✗</span> || <span style="color:red">✗</span> | ||
|} | |} | ||
| Zeile 89: | Zeile 99: | ||
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT | -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT | ||
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT | -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT | ||
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq | -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT | ||
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq | -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT | ||
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq | -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT | ||
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq | -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT | ||
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5 | -A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5 | ||
-A trashlog -j DROP | -A trashlog -j DROP | ||
| Zeile 133: | Zeile 143: | ||
-A icmpv6-filter -d 2a01:198:200:8a23:200:ff:fe60:d1e/128 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT | -A icmpv6-filter -d 2a01:198:200:8a23:200:ff:fe60:d1e/128 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT | ||
-A icmpv6-filter -d ff00::/8 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j DROP | -A icmpv6-filter -d ff00::/8 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j DROP | ||
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 2 | -A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT | ||
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT | -A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT | ||
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT | -A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT | ||
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT | -A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT | ||
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT | -A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT | ||
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 | -A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT | ||
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT | -A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT | ||
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP | -A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP | ||
| Zeile 160: | Zeile 170: | ||
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT | -A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT | ||
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT | -A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT | ||
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq | -A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT | ||
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq | -A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT | ||
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq | -A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT | ||
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq | -A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT | ||
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5 | -A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5 | ||
-A trashlog -j DROP | -A trashlog -j DROP | ||
Aktuelle Version vom 14. Juni 2026, 00:46 Uhr
IPv6/Firewall
Beschreibung
- Protokolle
- Netze
ICMP
Internet Control Message Protocol (ICMP) ist Kernbestandteil der Internetprotokollfamilie
- Austausch von Fehlermeldungen und Informationsnachrichten
- IPv4
Bei IPv4 ist es gängige Praxis, ICMP an der Firewall zu blockieren
- Bedeutung von ICMPv6
Für wichtige Mechanismen unerlässlich
- z.B.pMTUd
Eine undifferenzierte Filterung von ICMPv6 kann Erreichbarkeitsprobleme mit sich bringen
Daher sollte bei IPv6 keine generelle Sperrung von ICMPv6 erfolgen
Folgende ICMPv6-Typen sollten zumindest teilweise zugelassen werden (vgl. auch RFC/4890)
- Nicht genannte Typen sollten gesperrt werden
- Die Bezeichnungen „vom Internet“ und „zum Internet“ beziehen sich jeweils auf das System, das die Verbindung aufbaut oder deren Endpunkt darstellt (in der Regel ein ALG)
| IPv6-ICMP Nachricht (Typ) | Zwischen internen Netzen | Vom Internet | Zum Internet |
|---|---|---|---|
| Destination unreachable (1) | ✓ | ✓ | ✓ |
| Packet too big (2) | ✓ | ✓ | ✓ |
| Time exceeded (3) | ✓ | ✓ | ✓ |
| Parameter Problem (4) | ✓ | ✓ | ✓ |
| Echo-Request (128) | ✓ 1 | ✗ | ✓ 1 |
| Echo-Antwort (129) | ✓ 2 | ✓ 2 | ✗ |
| Multicast (130-132, 143, 151-153) | ✓ 3 | ✓ 3 | ✓ 3 |
| Router (133, 134) | ✓ 3 | ✗ | ✗ |
| Neighbor (135,136) | ✓ 3 | ✓ 3 | ✓ 3 |
| Redirect (137) | ✓ 3/4 | ✗ | ✗ |
| ICMP-Information (139) | ✓ 1 | ✗ | ✗ |
| ICMP-Information (140) | ✓ 2 | ✗ | ✗ |
| Reverse-Neighbor (141) | ✓ 1 | ✗ | ✗ |
| Reverse-Neighbor (142) | ✓ 2 | ✗ | ✗ |
- Legende
- 1 = von der Management-Station aus
- 2 = zur Management-Station hin
- 3 = ohne Forwarding
- 4 = ausgehend vom Router
Quelle
OPNsense
iptables
Regeln Client
* mangle
: PREROUTING ACCEPT [ : ]
: INPUT ACCEPT [ : ]
: FORWARD ACCEPT [ : ]
: OUTPUT ACCEPT [ : ]
: POSTROUTING ACCEPT [ : ]
COMMIT
#
* filter
: INPUT DROP [ : ]
: FORWARD DROP [ : ]
: OUTPUT ACCEPT [ : ]
: ndp-slaac - [ : ]
: trashlog - [ : ]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack -- ctstate INVALID -j trashlog
-A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ndp-slaac
-A INPUT -s fe80::/1 -d fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
-A INPUT -s fe80::/1 -p tcp -m tcp -- dport 22 -m conntrack -- ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5
-A trashlog -j DROP
COMMIT
Regeln Router
* mangle
: PREROUTING ACCEPT [ : ]
: INPUT ACCEPT [ : ]
: FORWARD ACCEPT [ : ]
: OUTPUT ACCEPT [ : ]
: POSTROUTING ACCEPT [ : ]
COMMIT
#
* filter
: INPUT DROP [ : ]
: FORWARD DROP [ : ]
: OUTPUT ACCEPT [ : ]
: bad - eh - [ : ]
: icmpv6-filter - [ : ]
: ndp-minimal - [ : ]
: trashlog - [ : ]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
-A INPUT -m conntrack -- ctstate INVALID -j trashlog
-A INPUT -p ipv6-icmp -j ndp-minimal
-A INPUT -i eth1 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT
-A FORWARD -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j icmpv6-filter
-A FORWARD -i eth1 -o sixxs -m conntrack -- ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o nat64 -m conntrack -- ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A bad - eh -m rt --rt - type --rt - segsleft -j DROP
-A icmpv6-filter -s fe80::/1 -j DROP
-A icmpv6-filter -d fe80::/1 -j DROP
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
-A icmpv6-filter -d 2a01:198:200:8a23:200:ff:fe60:d1e/128 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
-A icmpv6-filter -d ff00::/8 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j DROP
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 139 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 140 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
-A icmpv6-filter -j DROP
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5
-A trashlog -j DROP
COMMIT
Anhang
Siehe auch
Links
Weblinks