OT, ip6tables rules for radvd

Gregory Nowak greg at romuald.net.eu.org
Sat Jan 28 22:23:14 EST 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Jan 28, 2012 at 07:00:11PM -0600, chris at the-brannons.com wrote:
> I just allow all ICMPv6 traffic.  Is there anything wrong with that?

I guess the answer to that would depend on one's point of view, and
level of paranoia (grin). Since yourself, Kirk, and maybe more folks
who haven't asked want to know why I'm asking this, I might as well
explain, and let all of you know just how paranoid I am.

My brother-in-law bought me a wireless access point recently. There's
a longer story behind that, and yes, my internal LAN was all wired
until now. Given the security history of wireless networking, I
decided that if I did wireless here, it would be fed off a separate
NIC in my machine, and that I'd run only ipsec over it, or something
even more secure. This is exactly what I did. The wireless access point is
attached to a separate network interface on its own separate private
subnet. The idea is that even if someone were to break encryption, and
gain access to the wireless access point, all it would get then is a
class C v4 address and a documentation v6 address, which they could
literally do nothing with without my giving them an SSL cert, and a
username/password if they're running windows. I currently have
ppp/l2tp/ipsec going for windows clients (previously mentioned longer
story), I almost have ipsec to ipsec between linux machines going over
v4, and am working on ipsec to ipsec between linux boxes over v6,
which is why I'm asking what I am.

I've locked things down enough with ip6tables to block everything
inbound, and outbound on the NIC attached to the wireless access
point. This includes router advertisements, and neighbor
solicitations. In order to get the ipsec connection going, I first
need to issue the client a 2001:db8 address. So, I need to know what I
should allow through without ipsec to make that happen. Hopefully that
explains why I'm asking.

Greg


- -- 
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)

- --
Free domains: http://www.eu.org/ or mail dns-manager at EU.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk8ku6EACgkQ7s9z/XlyUyATIwCeN5ddTu+rtPy6CDIjUP/WhO8c
a0wAnRHZepDhhbvyl4LEGpEXFJcidA8m
=RodA
-----END PGP SIGNATURE-----
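As an added illustration of the question above (this is not code from the post or from any list member), the rules below express the smallest set of unencrypted traffic a wireless-facing interface has to pass for radvd to hand a client a 2001:db8 address, with the existing block-everything policy left in place for all else. The interface name wlan0 is a placeholder, a default DROP policy on INPUT and OUTPUT is assumed to already exist, and the IKE ports are the standard udp/500 and udp/4500; all of that is assumption, not something the post states.

```shell
# Added example, not from the original post. Assumed: the wireless NIC is
# "wlan0" and ip6tables already drops everything on it by policy.
IFACE="${IFACE:-wlan0}"

# Wrapper so the rule set can be previewed with DRY_RUN=1 before applying.
ip6t() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ip6tables %s\n' "$*"
    else
        ip6tables "$@"
    fi
}

# ICMPv6 types radvd and the client need (RFC 4861 Neighbour Discovery):
#   133 Router Solicitation   client -> ff02::2, radvd answers it
#   134 Router Advertisement  radvd -> client, carries the 2001:db8 prefix
#   135 Neighbour Solicitation and 136 Neighbour Advertisement
#       address resolution and duplicate address detection
# All four are link-local by definition and are sent with hop limit 255;
# anything that has crossed a router arrives with a lower hop limit and is
# therefore rejected by the "-m hl --hl-eq 255" match.
nd_rules() {
    ip6t -A INPUT  -i "$IFACE" -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
    ip6t -A OUTPUT -o "$IFACE" -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
    # This box is the only router on that link: never accept RAs from it,
    # so a wireless client cannot inject a prefix or default route.
    ip6t -A INPUT  -i "$IFACE" -p icmpv6 --icmpv6-type 134 -j DROP
    for t in 135 136; do
        ip6t -A INPUT  -i "$IFACE" -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
        ip6t -A OUTPUT -o "$IFACE" -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
}

# Once addressed, the only unencrypted traffic still needed is the IPsec
# negotiation itself (assumed: IKE on udp/500, NAT-T on udp/4500) plus ESP.
ipsec_rules() {
    for p in 500 4500; do
        ip6t -A INPUT  -i "$IFACE" -p udp --dport "$p" -j ACCEPT
        ip6t -A OUTPUT -o "$IFACE" -p udp --sport "$p" -j ACCEPT
    done
    ip6t -A INPUT  -i "$IFACE" -p esp -j ACCEPT
    ip6t -A OUTPUT -o "$IFACE" -p esp -j ACCEPT
}

# Print the full rule set without touching the kernel (subshell keeps
# DRY_RUN from leaking into a later real apply).
preview() {
    ( DRY_RUN=1; nd_rules; ipsec_rules )
}

if [ "${1:-}" = "apply" ]; then
    nd_rules
    ipsec_rules
fi
```

Run it with no argument and call preview to read the rules, or with "apply" as root to install them after the existing DROP policy. One caveat worth checking on the access point: if it does MLD snooping, the clients' MLD reports (ICMPv6 types 130 to 132 and 143) also have to reach this host, or solicited-node multicast, and with it neighbour discovery, silently stops working.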



More information about the Speakup mailing list