IPv6/Firewall: Unterschied zwischen den Versionen
Keine Bearbeitungszusammenfassung |
Keine Bearbeitungszusammenfassung |
Zeile 2: | Zeile 2: | ||
== Beschreibung == | == Beschreibung == | ||
[[File:opnsenseIPv6firewall.png| | [[File:opnsenseIPv6firewall.png|950px]] | ||
== Regeln Client == | == Regeln Client == |
Version vom 21. Mai 2025, 06:14 Uhr
IPv6/Firewall - Beschreibung
Beschreibung
Regeln Client
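# ip6tables-save dump for a SLAAC client (a host; nothing is forwarded).
#
# Restored from the wiki export, which dropped every "0" and split option
# names apart: "fe80::/1" (which would match all of 8000::/1!) is fe80::/10,
# "[ : ]" is [0:0], "--hl - eq" is --hl-eq, ICMPv6 type "13" in the MLD group
# is 130 (Multicast Listener Query). As printed the ruleset would not load.
#
# Policy: inbound traffic is dropped unless it is loopback, belongs to a
# tracked connection, or is one of the NDP/MLD messages a SLAAC host needs.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ndp-slaac - [0:0]
:trashlog - [0:0]
# Loopback is always allowed.
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify (bad TCP flag combinations, out-of-window
# segments, ICMPv6 errors that belong to no tracked flow) are logged and
# dropped before anything else gets a chance to accept them.
-A INPUT -m conntrack --ctstate INVALID -j trashlog
# Replies to our own traffic. ICMPv6 errors that conntrack ties to a tracked
# flow (Packet Too Big, Time Exceeded, ...) arrive as RELATED, so PMTUD works
# without opening the error types separately.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Remaining ICMPv6 goes through the NDP/MLD whitelist. A packet the chain does
# not ACCEPT returns to INPUT and ends up in the DROP policy.
-A INPUT -p ipv6-icmp -j ndp-slaac
# Echo Request only between link-local addresses, i.e. from on-link neighbours.
-A INPUT -s fe80::/10 -d fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from link-local sources (same link); no global address may connect.
-A INPUT -s fe80::/10 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Neighbor Discovery (RFC 4861): RS 133, RA 134, NS 135, NA 136, Redirect 137.
# ND messages are never forwarded, so a genuine one arrives with hop limit 255;
# the hl match rejects forgeries injected from off-link. A rogue RA sent by an
# on-link attacker cannot be told apart here -- that needs RA-Guard on the switch.
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
# Multicast Listener Discovery (RFC 2710 / RFC 3810): Query 130, Report 131,
# Done 132, MLDv2 Report 143. MLD is always sent with hop limit 1.
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
# Logged drop (syslog level 5 = notice). The LOG rule is unbounded; consider
# adding "-m limit --limit 10/min --limit-burst 20" so a flood of invalid
# packets cannot fill the log.
-A trashlog -j LOG --log-prefix "TRASHLOG: " --log-level 5
-A trashlog -j DROP
COMMIT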
Regeln Router
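# ip6tables-save dump for the IPv6 router.
#
# Interface roles as far as the rules themselves show them: eth1 is the
# inside (LAN) -- Router Solicitations and DNS queries are accepted from it
# and only flows entering on eth1 are forwarded; sixxs is the IPv6 uplink
# tunnel and nat64 the NAT64 translator. (If "sixxs" really is a SixXS
# tunnel, note that the service shut down in 2017; re-check the uplink name.)
#
# Restored from the wiki export, which dropped every "0" and split option
# names: "fe80::/1" -> fe80::/10, "ff ::/8" -> ff00::/8, types "13"/"14" ->
# 130/140, "3/" -> 3/0, "4/" -> 4/0. The LAN /64 and the single pingable
# host were unreadable ("2 a 1 :198:2 :8 a23 ::/64"); the RFC 3849
# documentation prefix 2001:db8::/64 and 2001:db8::1 stand in for them below
# and MUST be replaced with the real delegated prefix and host before loading.
#
# Fixes against the version on the page:
#  * the bad-eh chain (Type 0 Routing Header, deprecated by RFC 5095) was
#    defined but never jumped to, so it filtered nothing; it is now hooked
#    into INPUT and FORWARD. Its garbled --rt-segsleft qualifier is dropped:
#    RH0 is to be rejected regardless of segments left.
#  * duplicate "--icmpv6-type 147 -j DROP" removed;
#  * INVALID is handled before RELATED,ESTABLISHED, as on the client (the two
#    states are mutually exclusive, so this is consistency only).
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:bad-eh - [0:0]
:icmpv6-filter - [0:0]
:ndp-minimal - [0:0]
:trashlog - [0:0]
-A INPUT -i lo -j ACCEPT
# Reject deprecated extension headers before anything else looks at the packet.
-A INPUT -j bad-eh
-A INPUT -m conntrack --ctstate INVALID -j trashlog
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 addressed to the router itself: NS/NA/Redirect and MLD only.
# Type 134 (RA) is deliberately absent -- this node accepts router
# advertisements from nobody.
-A INPUT -p ipv6-icmp -j ndp-minimal
# Router Solicitations only from the LAN, hop limit 255 as ND requires.
-A INPUT -i eth1 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
# Resolver for the LAN.
-A INPUT -i eth1 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j bad-eh
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j icmpv6-filter
# New flows are only forwarded from the LAN towards the uplink and NAT64;
# nothing arriving on sixxs or nat64 may open a connection inwards (policy DROP).
-A FORWARD -i eth1 -o sixxs -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o nat64 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# RFC 5095: Routing Header Type 0 is deprecated (amplification / source-
# routing abuse). Drop it regardless of the segments-left value. Recent
# kernels already ignore RH0, so this is defence in depth.
-A bad-eh -m rt --rt-type 0 -j DROP
# ICMPv6 in transit. Link-local addresses never cross a router.
-A icmpv6-filter -s fe80::/10 -j DROP
-A icmpv6-filter -d fe80::/10 -j DROP
# The LAN may ping out; from outside only a single host is pingable.
-A icmpv6-filter -s 2001:db8::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
-A icmpv6-filter -d 2001:db8::1/128 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
# Echo Replies to a multicast destination are never legitimate.
-A icmpv6-filter -d ff00::/8 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j DROP
# Error messages originated on the LAN may leave: Destination Unreachable (1),
# Packet Too Big (2), Time Exceeded (3/0, 3/1), Parameter Problem (4/0-4/2).
# Errors coming from outside are only forwarded when conntrack relates them to
# an existing flow -- the RELATED rule in FORWARD runs before this chain.
-A icmpv6-filter -s 2001:db8::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A icmpv6-filter -s 2001:db8::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A icmpv6-filter -s 2001:db8::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
-A icmpv6-filter -s 2001:db8::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT
-A icmpv6-filter -s 2001:db8::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT
-A icmpv6-filter -s 2001:db8::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter -s 2001:db8::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT
# Link-scoped protocols must never be forwarded: ND (133-137), MLD (130-132,
# 143), Node Information (139, 140), Mobile IPv6 (144-147). The explicit DROPs
# are documentary; the chain ends in an unconditional DROP anyway.
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 139 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 140 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
# Anything not explicitly accepted above.
-A icmpv6-filter -j DROP
# ND for the router itself (hop limit 255): NS 135, NA 136, Redirect 137.
# RFC 4861 section 8 forbids a router from acting on Redirects, so 137 is only
# useful if this box also behaves as a host on some link; consider removing it.
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
# MLD (hop limit 1): 130, 131, 132, 143. The router is itself a multicast
# listener (solicited-node and all-routers groups), so it must see these.
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
# Logged drop (syslog level 5 = notice). Unbounded -- consider "-m limit" so
# that invalid-packet floods cannot fill the log.
-A trashlog -j LOG --log-prefix "TRASHLOG: " --log-level 5
-A trashlog -j DROP
COMMIT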