[Firewall] Allowing ipv6 echo requests from a single source external address

Gombo Okpa+AIF at gombo.crabdance.com
Wed Dec 14 14:26:13 CET 2011


Good day and thank you Lonnie.

On Mon, 12 Dec 2011 08:00:48 -0600
Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:

> Gombo,
> 
> I probably wasn't clear, but I was suggesting something like the following in your custom-rules file:
> -----------------------------------------------------------------------------------------
> # Put any custom (iptables) rules here down below:
> ##################################################
> # Repeat for all required [IPV6 ADDRESS]
> #
> ip6tables -A INPUT_CHAIN -p icmpv6 --icmpv6-type echo-request -s [IPV6 ADDRESS] -j ACCEPT
> #
> ip6tables -A INPUT_CHAIN -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
> #
> for icmpv6_type in 133 134 135 136; do
>   ip6tables -A INPUT_CHAIN -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -s [IPV6 ADDRESS] -j ACCEPT
> done
> -----------------------------------------------------------------------------------------
> 
> The problem will be finding all the [IPV6 ADDRESS] values necessary.
> 
> Lonnie
>
  ... 

I did exactly as instructed and it's still a no-go.

Not sure why it is so difficult to do in Linux.  I recently set it up
on a FreeBSD box that I run remotely with the IPFW equivalent of the
first two ip6tables rules -- and it worked the first time.

Thank you for your continuing help and interest.

-- 
Gombo






