Attachment 'ip6fw_client.conf.txt'


   1 #!/bin/sh
   2 
   3 fw6cmd="/sbin/ip6fw"
   4 
   5 	############
   6 	# This is a prototype setup that will protect your system somewhat
   7 	# against people from outside your own network.
   8 	############
   9 
  10 	# set these to your network and prefixlen and ip
  11 	#
  12 	# This needs more work
  13 	#
  14 	net="2001:db8:2:1::"
  15 	prefixlen="64"
  16 	ip="2001:db8:2:1::1"
  17 
  18 	#setup_local
  19 	############
  20 	# Only in rare cases do you want to change these rules
  21 	#
  22 	${fw6cmd} add 100 pass all from any to any via lo0
  23 	${fw6cmd} add 200 deny all from any to ::1
  24 	${fw6cmd} add 300 deny all from ::1 to any
  25 	#
  26 	# ND
  27 	#
  28 	# DAD
  29 	${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
  30 	# RS, RA, NS, NA, redirect...
  31 	${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
  32 
  33 	#setup comminication
  34 
  35 	# Allow any traffic to or from my own net.
  36 	${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
  37 	${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
  38 
  39 	# Allow any link-local multicast traffic
  40 	${fw6cmd} add pass all from fe80::/10 to ff02::/16
  41 	${fw6cmd} add pass all from ${net}/${prefixlen} to ff02::/16
  42 
  43 	# Allow TCP through if setup succeeded
  44 	${fw6cmd} add pass tcp from any to any established
  45 
  46 	# Allow IP fragments to pass through
  47 	${fw6cmd} add pass all from any to any frag
  48 
  49 	# Allow setup of incoming email
  50 	${fw6cmd} add pass tcp from any to ${ip} 25 setup
  51 
  52 	# Allow setup of outgoing TCP connections only
  53 	${fw6cmd} add pass tcp from ${ip} to any setup
  54 
  55 	# Disallow setup of all other TCP connections
  56 	${fw6cmd} add deny tcp from any to any setup
  57 
  58 	# Allow DNS queries out in the world
  59 	${fw6cmd} add pass udp from any 53 to ${ip}
  60 	${fw6cmd} add pass udp from ${ip} to any 53
  61 
  62 	# Allow NTP queries out in the world
  63 	${fw6cmd} add pass udp from any 123 to ${ip}
  64 	${fw6cmd} add pass udp from ${ip} to any 123
  65 
  66 	# Allow ICMPv6 destination unreach
  67 	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
  68 
  69 	# Allow NS/NA/toobig (don't filter it out)
  70 	${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
  71 
  72 	# Everything else is denied by default, unless the
  73 	# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
  74 	# config file.

Attached Files

  • [get | view] (2006-08-18 08:50:22, 401.0 KB) [[attachment:6net_ipv6security.pdf]]
  • [get | view] (2006-08-18 15:11:33, 172.7 KB) [[attachment:IDS-and-IPv6.pdf]]
  • [get | view] (2006-08-21 14:23:53, 2.0 KB) [[attachment:ip6fw_client.conf.txt]]
  • [get | view] (2006-08-21 14:24:14, 4.9 KB) [[attachment:ip6fw_simple.conf.txt]]
  • [get | view] (2006-09-06 09:36:04, 6.9 KB) [[attachment:ip6tables.conf.txt]]
  • [get | view] (2006-08-21 11:21:57, 190.2 KB) [[attachment:ipv6_ciscoacl.pdf]]
  • [get | view] (2006-08-21 11:22:16, 182.5 KB) [[attachment:ipv6_ciscoacl_cisco.pdf]]
  • [get | view] (2006-08-21 10:51:13, 93.6 KB) [[attachment:ipv6_ip6fw.pdf]]
  • [get | view] (2006-08-21 10:16:25, 504.4 KB) [[attachment:ipv6_pf.pdf]]
  • [get | view] (2006-08-21 11:48:01, 250.2 KB) [[attachment:ipv6_windowsxp_firewall.pdf]]
  • [get | view] (2006-08-18 15:56:19, 0.7 KB) [[attachment:pf_boot_client.conf.txt]]
  • [get | view] (2006-08-21 10:38:01, 0.8 KB) [[attachment:pf_simple_client.conf.txt]]
  • [get | view] (2006-09-12 13:40:08, 2.7 KB) [[attachment:pf_simple_firewall_http_ssh_server.conf.txt]]
  • [get | view] (2006-09-12 13:36:25, 1.8 KB) [[attachment:pf_simple_firewall_noserver.conf.txt]]
