kauer at biplane.com.au
Mon Jun 1 12:27:04 UTC 2009
On Mon, 2009-06-01 at 11:36 +0200, Michael Casey wrote:
> So, could it be reality, that the "next-generation" Linux Distros
> e.g.: iptables will Default not ACCEPT, rather than this:
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
That would be a better default anyway, IMHO.
> + allow ICMP on INPUT because I heard/read that IPv6 relies more on
For IPv6, you need to use ip6tables - iptables filters only IPv4. But
you are right - IPv6 relies heavily on ICMP for things like neighbour
discovery (which includes router discovery), so if you turn off ICMP you
basically turn off your IPv6 network. Of course, you need it in all
directions, not just INPUT!
That said, turning off ICMP for IPv4 is also not a very good thing to do.
You lose things like PMTU, and you make troubleshooting more difficult
than it has to be. There is really no need to block ICMP - the desire to
do so stems chiefly from the bad old days of the "ping of death".
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
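The ruleset quoted above, extended the way the reply recommends: default DROP on INPUT and FORWARD, stateful ESTABLISHED,RELATED, and ICMP left open for both IPv4 and IPv6 (via ip6tables). This is an added example written for this page, not Karl's or Michael's script; the function names and the "apply" argument are my own conventions, and the ICMPv6 types listed (neighbour/router discovery, echo, and the error messages that carry packet-too-big for PMTU) are the standard numeric types from RFC 4443/4861 rather than anything quoted in the thread. Without an argument it only prints the commands; run it as root with "apply" to load them.

```shell
#!/bin/sh
# Constructed example: emit (or apply) a host firewall with the defaults from the thread
# plus ICMP allowed in both directions for IPv4 and IPv6.

emit_v4_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Keep ICMP open: PMTU discovery (type 3, code 4) and traceroute/ping break without it.
iptables -A INPUT -p icmp -j ACCEPT
EOF
}

emit_v6_rules() {
    cat <<'EOF'
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Neighbour discovery (RFC 4861) is never part of an "established" flow, so it
# must be allowed explicitly or the host cannot resolve link-layer addresses or
# learn its default router: 133 router solicitation, 134 router advertisement,
# 135 neighbour solicitation, 136 neighbour advertisement, 137 redirect.
ip6tables -A INPUT -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 137 -j ACCEPT
# Error messages (RFC 4443): 1 destination unreachable, 2 packet too big (PMTU),
# 3 time exceeded, 4 parameter problem; plus 128/129 echo request/reply.
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
EOF
}
# OUTPUT is ACCEPT by policy above, so outbound ICMP/ICMPv6 already passes; if the
# OUTPUT policy is ever tightened, the same ICMPv6 types must be added there too.

emit_all_rules() {
    emit_v4_rules
    emit_v6_rules
}

# Count the rule lines (not comments) a ruleset emits; handy for a sanity check.
count_rules() {
    grep -c '^ip' 
}

case "${1:-print}" in
    apply) emit_all_rules | grep -v '^#' | sh -e ;;   # needs root
    print) emit_all_rules ;;
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

The FORWARD chain stays DROP, as in the quoted script; a box that routes for other hosts would need the same ICMPv6 rules on FORWARD, otherwise packet-too-big messages never reach the hosts behind it and PMTU discovery fails for them.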