| View previous topic :: View next topic |
| Author |
Message |
wswartzendruber
Veteran
Joined: 23 Mar 2004
Posts: 1261
Location: Idaho, USA
|
 Posted: Wed Jan 05, 2011 3:34 am Post subject: Filtering IPv6 Router Advertisements: WHAT!? |
 |
|
I'm told that despite router advertisements being ICMPv6, I can't use ip6tables to filter them. "Packets don't pass through the CPU unless they jump interfaces" is what I'm told.
I'm having a very hard time believing this. |
|
| Back to top |
|
 |
massimo
Veteran
Joined: 22 Jun 2003
Posts: 1226
|
| Posted: Wed Jan 05, 2011 2:18 pm Post subject: |
|
|
Have a look at [1]. Nevertheless, you will not be able to prevent any packet from entering your interface physically (unless you cut the cable or filter it at some other point in your network).
[1] RFC4890
_________________
Hello 911? How are you? |
|
| Back to top |
|
|
maxime1986
n00b
Joined: 23 Oct 2009
Posts: 74
|
| Posted: Wed Jan 05, 2011 5:03 pm Post subject: |
|
|
you can't filter then but at least you can specify if you want to accept it :
sysctl net.ipv6.conf.all.accept_ra |
|
| Back to top |
|
|
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 812
|
| Posted: Wed Jan 05, 2011 8:30 pm Post subject: |
|
|
You can absolutely filter them (i know for sure because i had problems because i blocked them  ).
Any packet entering or leaving a linux system passes the CPU (maybe with an exception for special hardware, but i guess thats not the case).
Maybe the one who told you this is confused with IPv4's ARP, because that's not IP but an ARP packet directly in an ethernet frame you can't filter it with iptables.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com |
|
| Back to top |
|
|
hayalci
n00b
Joined: 18 Jul 2004
Posts: 44
|
| Posted: Tue Jan 11, 2011 12:33 am Post subject: |
|
|
| pa4wdh wrote: |
Any packet entering or leaving a linux system passes the CPU (maybe with an exception for special hardware, but i guess thats not the case).
|
But that does not mean you can block anything with iptables. e.g. DHCP still works even if you block all traffic with iptables. |
|
| Back to top |
|
|
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 812
|
| Posted: Tue Jan 11, 2011 9:10 am Post subject: |
|
|
As far as i know from experience building my own set of firewall rules on my router (IPv4 and IPv6, doing routing, DHCP, DNS, HTTP, OpenVPN, FTP, SSH), you can block really anything as long as it's carried on IP, so the only exception would be ARP in case of IPv4. Since DHCP is just using UDP ports 67 and 68 i see no reason why you wouldn't be able to block it.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com |
|
| Back to top |
|
|
hayalci
n00b
Joined: 18 Jul 2004
Posts: 44
|
| Posted: Sun Jan 23, 2011 8:55 pm Post subject: |
|
|
| DHCP still works because it taps into the network interface and takes DHCP packets from there. Even if you block it with iptables rules, so that the packet is dropped, the DHCP client(/server) will still get what it needs. |
|
| Back to top |
|
|
RNHavens
n00b
Joined: 22 May 2007
Posts: 8
|
| Posted: Mon Jan 24, 2011 3:54 am Post subject: |
|
|
| What about Ebtables to filter at layer two? I've never looked into the above topics, but I would think that Ebtables would stop all of them. |
|
| Back to top |
|
|
|
Networking & Security
