Zum Inhalt springen

IPv6/Firewall: Unterschied zwischen den Versionen

Aus Foxwiki
Versionsgeschichte interaktiv durchsuchen
← Zum vorherigen VersionsunterschiedZum nächsten Versionsunterschied →
VisuellWikitext
Keine Bearbeitungszusammenfassung
Keine Bearbeitungszusammenfassung
Zeile 9: Zeile 9:
| Destination unreachable (1) || || ✓  || ✓  || ✓
| Destination unreachable (1) || || ✓  || ✓  || ✓
|-
|-
| Packet too big (2) || || ✓  || ✓  || ✓
| Packet too big (2) || ✓  || ✓  || ✓
|-
|-
| Time exceeded (3) || || ✓  || ✓  || ✓
| Time exceeded (3) || ✓  || ✓  || ✓
|-
|-
| Parameter Problem (4) || || ✓  || ✓  || ✓
| Parameter Problem (4) || ✓  || ✓  || ✓
|-
|-
| Echo-Request (128) || || 1✓  || ✗  || 1✓
| Echo-Request (128) || 1✓  || ✗  || 1✓
|-
|-
| Echo-Antwort (129) || || 2✓  || 2✓  || ✗
| Echo-Antwort (129) || 2✓  || 2✓  || ✗
|-
|-
| Multicast (130-132, 143, 151-153) || || 3✓  || 3✓  || 3✓
| Multicast (130-132, 143, 151-153) || 3✓  || 3✓  || 3✓
|-
|-
| Router (133, 134) || 3✓  || ✗  || ✗
| Router (133, 134) || 3✓  || ✗  || ✗
|-
|-
| Neighbor (135,136) || || 3✓  || 3✓  || 3✓
| Neighbor (135,136) || 3✓  || 3✓  || 3✓
|-
|-
| Redirect (137) || 3/4✓  || ✗  || ✗
| Redirect (137) || 3/4✓  || ✗  || ✗
|-
|-
| ICMP-Information (139) || || 1✓  || ✗  || ✗
| ICMP-Information (139) || 1✓  || ✗  || ✗
|-
|-
| ICMP-Information (140) || || 2✓  || ✗  || ✗
| ICMP-Information (140) || 2✓  || ✗  || ✗
|-
|-
| Reverse-Neighbor (141) || || 1✓  || ✗  || ✗
| Reverse-Neighbor (141) || 1✓  || ✗  || ✗
|-
|-
| Reverse-Neighbor (142) || || 2✓  || ✗  || ✗
| Reverse-Neighbor (142) || 2✓  || ✗  || ✗
|}
|}


Version vom 4. Juni 2025, 17:01 Uhr

IPv6/Firewall


IPv6-ICMP Nachricht (Typ) Zwischen internen Netzen Vom Internet Zum Internet
Destination unreachable (1)
Packet too big (2)
Time exceeded (3)
Parameter Problem (4)
Echo-Request (128) 1✓ 1✓
Echo-Antwort (129) 2✓ 2✓
Multicast (130-132, 143, 151-153) 3✓ 3✓ 3✓
Router (133, 134) 3✓
Neighbor (135,136) 3✓ 3✓ 3✓
Redirect (137) 3/4✓
ICMP-Information (139) 1✓
ICMP-Information (140) 2✓
Reverse-Neighbor (141) 1✓
Reverse-Neighbor (142) 2✓

1 = von der Management-Station aus, 2 = zur Management-Station hin, 3 = ohne Forwarding, 4 = ausgehend vom Router

Beschreibung

Regeln Client

* mangle
 : PREROUTING ACCEPT [ : ]
 : INPUT ACCEPT [ : ]
 : FORWARD ACCEPT [ : ]
 : OUTPUT ACCEPT [ : ]
 : POSTROUTING ACCEPT [ : ]
 COMMIT
 #
 * filter
 : INPUT DROP [ : ]
 : FORWARD DROP [ : ]
 : OUTPUT ACCEPT [ : ]
 : ndp-slaac - [ : ]
 : trashlog - [ : ]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack -- ctstate INVALID -j trashlog
 -A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
 -A INPUT -p ipv6-icmp -j ndp-slaac
 -A INPUT -s fe80::/1 -d fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
 -A INPUT -s fe80::/1 -p tcp -m tcp -- dport 22 -m conntrack -- ctstate NEW -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq   1 -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq   1 -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq   1 -j ACCEPT
 -A ndp-slaac -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq   1 -j ACCEPT
 -A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5
 -A trashlog -j DROP
 COMMIT

Regeln Router

* mangle
: PREROUTING ACCEPT [ : ]
: INPUT ACCEPT [ : ]
: FORWARD ACCEPT [ : ]
: OUTPUT ACCEPT [ : ]
: POSTROUTING ACCEPT [ : ]
COMMIT
#
* filter
: INPUT DROP [ : ]
: FORWARD DROP [ : ]
: OUTPUT ACCEPT [ : ]
: bad - eh - [ : ]
: icmpv6-filter - [ : ]
: ndp-minimal - [ : ]
: trashlog - [ : ]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
-A INPUT -m conntrack -- ctstate INVALID -j trashlog
-A INPUT -p ipv6-icmp -j ndp-minimal
-A INPUT -i eth1 -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp -- dport 53 -m conntrack -- ctstate NEW -j ACCEPT
-A FORWARD -m conntrack -- ctstate RELATED , ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j icmpv6-filter
-A FORWARD -i eth1 -o sixxs -m conntrack -- ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o nat64 -m conntrack -- ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A bad - eh -m rt --rt - type --rt - segsleft -j DROP
-A icmpv6-filter -s fe80::/1 -j DROP
-A icmpv6-filter -d fe80::/1 -j DROP
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
-A icmpv6-filter -d 2a01:198:200:8a23:200:ff:fe60:d1e/128 -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack -- ctstate NEW -j ACCEPT
-A icmpv6-filter -d ff00::/8 -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j DROP
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 2   -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 4/2 -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 1   -j ACCEPT
-A icmpv6-filter -s 2a01:198:200:8a23::/64 -p ipv6-icmp -m icmp6 --icmpv6-type 3/0 -j ACCEPT
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 130 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 131 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 132 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 143 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 139 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 140 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 144 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 145 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 146 -j DROP
-A icmpv6-filter -p ipv6-icmp -m icmp6 --icmpv6-type 147 -j DROP
-A icmpv6-filter -j DROP
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m hl --hl-eq   1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m hl --hl-eq   1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m hl --hl-eq   1 -j ACCEPT
-A ndp-minimal -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m hl --hl-eq   1 -j ACCEPT
-A trashlog -j LOG -- log - prefix " TRASHLOG : " --log - level 5
-A trashlog -j DROP
COMMIT


Anhang

Siehe auch

Links

Weblinks


Abgerufen von „https://wiki.foxtom.de/index.php?title=IPv6/Firewall&oldid=145678