IPv6/Firewall: Unterschied zwischen den Versionen
Weiterleitung auf IPv6/Firewall/tmp entfernt Markierung: Weiterleitung entfernt |
Keine Bearbeitungszusammenfassung |
Zeile 1: | Zeile 1: | ||
'''{{BASEPAGENAME}}''' - Beschreibung | |||
== Beschreibung == | |||
[[File:opnsenseIPv6firewall.png]] | |||
== Regeln Client == | |||
* mangle | |||
: PREROUTING ACCEPT [ : ] | |||
: INPUT ACCEPT [ : ] | |||
: FORWARD ACCEPT [ : ] | |||
: OUTPUT ACCEPT [ : ] | |||
: POSTROUTING ACCEPT [ : ] | |||
COMMIT | |||
# | |||
* filter | |||
: INPUT DROP [ : ] | |||
: FORWARD DROP [ : ] | |||
: OUTPUT ACCEPT [ : ] | |||
: ndp - slaac - [ : ] | |||
: trashlog - [ : ] | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT -m conntrack -- ctstate INVALID -j trashlog | |||
-A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT | |||
-A INPUT -p ipv6 - icmp -j ndp - slaac | |||
-A INPUT -s fe80::/1 -d fe80::/1 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 128 -m conntrack -- ctstate NEW -j ACCEPT | |||
-A INPUT -s fe80::/1 -p tcp -m tcp -- dport 22 -m conntrack -- ctstate NEW -j ACCEPT | |||
-A OUTPUT -o lo -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 133 -m hl --hl - eq 255 -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 134 -m hl --hl - eq 255 -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 135 -m hl --hl - eq 255 -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 136 -m hl --hl - eq 255 -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 137 -m hl --hl - eq 255 -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 13 -m hl --hl - eq 1 -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 131 -m hl --hl - eq 1 -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 132 -m hl --hl - eq 1 -j ACCEPT | |||
-A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 143 -m hl --hl - eq 1 -j ACCEPT | |||
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5 | |||
-A trashlog -j DROP | |||
COMMIT | |||
== Regeln Router == | |||
* mangle | |||
: PREROUTING ACCEPT [ : ] | |||
: INPUT ACCEPT [ : ] | |||
: FORWARD ACCEPT [ : ] | |||
: OUTPUT ACCEPT [ : ] | |||
: POSTROUTING ACCEPT [ : ] | |||
COMMIT | |||
# | |||
* filter | |||
: INPUT DROP [ : ] | |||
: FORWARD DROP [ : ] | |||
: OUTPUT ACCEPT [ : ] | |||
: bad - eh - [ : ] | |||
: icmpv6 - filter - [ : ] | |||
: ndp - minimal - [ : ] | |||
: trashlog - [ : ] | |||
-A INPUT -i lo -j ACCEPT | |||
-A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT | |||
-A INPUT -m conntrack -- ctstate INVALID -j trashlog | |||
-A INPUT -p ipv6 - icmp -j ndp - minimal | |||
-A INPUT -i eth1 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 133 -m hl --hl - eq 255 -j ACCEPT | |||
-A INPUT -i eth1 -p udp -m udp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT | |||
-A INPUT -i eth1 -p tcp -m tcp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT | |||
-A FORWARD -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT | |||
-A FORWARD -p ipv6 - icmp -j icmpv6 - filter | |||
-A FORWARD -i eth1 -o sixxs -m conntrack -- ctstate NEW -j ACCEPT | |||
-A FORWARD -i eth1 -o nat64 -m conntrack -- ctstate NEW -j ACCEPT | |||
-A OUTPUT -o lo -j ACCEPT | |||
-A bad - eh -m rt --rt - type --rt - segsleft -j DROP | |||
-A icmpv6 - filter -s fe80::/1 -j DROP | |||
-A icmpv6 - filter -d fe80::/1 -j DROP | |||
-A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 128 -m conntrack -- ctstate NEW -j ACCEPT | |||
-A icmpv6 - filter -d 2 a 1 :198:2 :8 a23 :2 : ff : fe6 : d1e /128 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 128 -m conntrack -- ctstate NEW -j ACCEPT | |||
-A icmpv6 - filter -d ff ::/8 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 129 -j DROP | |||
-A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 2 -j ACCEPT | |||
-A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 3/1 -j ACCEPT | |||
-A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 4/ -j ACCEPT | |||
-A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 4/1 -j ACCEPT | |||
-A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 4/2 -j ACCEPT | |||
-A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 1 -j ACCEPT | |||
-A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 3/ -j ACCEPT | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 135 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 136 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 133 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 134 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 137 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 13 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 131 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 132 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 143 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 147 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 139 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 14 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 144 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 145 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 146 -j DROP | |||
-A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 147 -j DROP | |||
-A icmpv6 - filter -j DROP | |||
-A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 135 -m hl --hl - eq 255 -j ACCEPT | |||
-A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 136 -m hl --hl - eq 255 -j ACCEPT | |||
-A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 137 -m hl --hl - eq 255 -j ACCEPT | |||
-A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 13 -m hl --hl - eq 1 -j ACCEPT | |||
-A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 131 -m hl --hl - eq 1 -j ACCEPT | |||
-A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 132 -m hl --hl - eq 1 -j ACCEPT | |||
-A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 143 -m hl --hl - eq 1 -j ACCEPT | |||
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5 | |||
-A trashlog -j DROP | |||
COMMIT | |||
<noinclude> | |||
== Anhang == | |||
=== Siehe auch === | |||
<div style="column-count:3"> | |||
<categorytree hideroot=on mode="pages">{{BASEPAGENAME}}</categorytree> | |||
</div> | |||
---- | |||
{{Special:PrefixIndex/{{BASEPAGENAME}}/}} | |||
=== Links === | |||
==== Weblinks ==== | |||
{{DEFAULTSORT:new}} | |||
{{DISPLAYTITLE:new}} | |||
[[Kategorie:new]] | |||
</noinclude> | |||
[[Kategorie:IPv6/Firewall]] | [[Kategorie:IPv6/Firewall]] |
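Review bot: The `bad-eh` chain declared in the router filter table and populated with the routing-header drop (`-A bad-eh -m rt ... -j DROP`) is never referenced — no INPUT or FORWARD rule jumps to it, so as listed the extension-header check never runs and Type-0 routing headers are only stopped if the kernel does it on its own. Insert `-I INPUT 1 -j bad-eh` and `-I FORWARD 1 -j bad-eh` ahead of the conntrack rules so the check happens before anything is accepted as RELATED,ESTABLISHED. The `trashlog` chain in both rulesets logs every INVALID packet without a rate limit, which lets any remote sender fill syslog; `-A trashlog -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "TRASHLOG: " --log-level 5` bounds that. The listing as pasted also appears to have lost characters (`[ : ]` where ip6tables-save writes `[0:0]`, spaces inside option names such as `-- ctstate` and `--hl - eq`, zeros apparently missing from the `2a01:198:…` prefix and from `fe80::/1`, which as written matches half the address space rather than link-local), so it cannot be fed to ip6tables-restore until it is re-exported; the duplicated `--icmpv6-type 147` drop in `icmpv6-filter` can be removed at the same time.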
Version vom 21. Mai 2025, 06:13 Uhr
IPv6/Firewall - Beschreibung
Beschreibung
Regeln Client
* mangle : PREROUTING ACCEPT [ : ] : INPUT ACCEPT [ : ] : FORWARD ACCEPT [ : ] : OUTPUT ACCEPT [ : ] : POSTROUTING ACCEPT [ : ] COMMIT # * filter : INPUT DROP [ : ] : FORWARD DROP [ : ] : OUTPUT ACCEPT [ : ] : ndp - slaac - [ : ] : trashlog - [ : ] -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack -- ctstate INVALID -j trashlog -A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT -A INPUT -p ipv6 - icmp -j ndp - slaac -A INPUT -s fe80::/1 -d fe80::/1 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 128 -m conntrack -- ctstate NEW -j ACCEPT -A INPUT -s fe80::/1 -p tcp -m tcp -- dport 22 -m conntrack -- ctstate NEW -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 133 -m hl --hl - eq 255 -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 134 -m hl --hl - eq 255 -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 135 -m hl --hl - eq 255 -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 136 -m hl --hl - eq 255 -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 137 -m hl --hl - eq 255 -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 13 -m hl --hl - eq 1 -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 131 -m hl --hl - eq 1 -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 132 -m hl --hl - eq 1 -j ACCEPT -A ndp - slaac -p ipv6 - icmp -m icmp6 -- icmpv6 - type 143 -m hl --hl - eq 1 -j ACCEPT -A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5 -A trashlog -j DROP COMMIT
Regeln Router
* mangle : PREROUTING ACCEPT [ : ] : INPUT ACCEPT [ : ] : FORWARD ACCEPT [ : ] : OUTPUT ACCEPT [ : ] : POSTROUTING ACCEPT [ : ] COMMIT # * filter : INPUT DROP [ : ] : FORWARD DROP [ : ] : OUTPUT ACCEPT [ : ] : bad - eh - [ : ] : icmpv6 - filter - [ : ] : ndp - minimal - [ : ] : trashlog - [ : ] -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT -A INPUT -m conntrack -- ctstate INVALID -j trashlog -A INPUT -p ipv6 - icmp -j ndp - minimal -A INPUT -i eth1 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 133 -m hl --hl - eq 255 -j ACCEPT -A INPUT -i eth1 -p udp -m udp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT -A FORWARD -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT -A FORWARD -p ipv6 - icmp -j icmpv6 - filter -A FORWARD -i eth1 -o sixxs -m conntrack -- ctstate NEW -j ACCEPT -A FORWARD -i eth1 -o nat64 -m conntrack -- ctstate NEW -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A bad - eh -m rt --rt - type --rt - segsleft -j DROP -A icmpv6 - filter -s fe80::/1 -j DROP -A icmpv6 - filter -d fe80::/1 -j DROP -A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 128 -m conntrack -- ctstate NEW -j ACCEPT -A icmpv6 - filter -d 2 a 1 :198:2 :8 a23 :2 : ff : fe6 : d1e /128 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 128 -m conntrack -- ctstate NEW -j ACCEPT -A icmpv6 - filter -d ff ::/8 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 129 -j DROP -A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 2 -j ACCEPT -A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 3/1 -j ACCEPT -A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 4/ -j ACCEPT -A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 4/1 -j ACCEPT -A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 
4/2 -j ACCEPT -A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 1 -j ACCEPT -A icmpv6 - filter -s 2 a 1 :198:2 :8 a23 ::/64 -p ipv6 - icmp -m icmp6 -- icmpv6 - type 3/ -j ACCEPT -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 135 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 136 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 133 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 134 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 137 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 13 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 131 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 132 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 143 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 147 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 139 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 14 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 144 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 145 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 146 -j DROP -A icmpv6 - filter -p ipv6 - icmp -m icmp6 -- icmpv6 - type 147 -j DROP -A icmpv6 - filter -j DROP -A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 135 -m hl --hl - eq 255 -j ACCEPT -A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 136 -m hl --hl - eq 255 -j ACCEPT -A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 137 -m hl --hl - eq 255 -j ACCEPT -A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 13 -m hl --hl - eq 1 -j ACCEPT -A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 131 -m hl --hl - eq 1 -j ACCEPT -A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 132 -m hl --hl - eq 1 -j ACCEPT -A ndp - minimal -p ipv6 - icmp -m icmp6 -- icmpv6 - type 
143 -m hl --hl - eq 1 -j ACCEPT -A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5 -A trashlog -j DROP COMMIT