Rules for the input chain, which protect the router itself:

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

The final rule drops everything that did not match an earlier accept and did not arrive on an interface in the LAN interface list, so management traffic from the WAN side is refused unless it is ICMPv6, traceroute, a link-local DHCPv6 server reply, or IPsec.

Protect the Clients

Before the actual set of rules, create the address list that the forward rules reference as no_forward_ipv6: it contains the IPv6 addresses that must never be forwarded. Notice that the multicast address range is included in this list. It is there because in most cases multicast is not used; if you intend to use multicast forwarding, disable that address-list entry.

It is very important that IPsec-encapsulated traffic bypasses fast-track. Packets on a fasttracked connection skip the rest of the firewall and IPsec policy processing, so traffic that an IPsec policy should encrypt would no longer be matched by that policy. The forward chain below contains no fasttrack rule; if you add one, place it after the IPsec accept rules (IKE, AH, ESP and the ipsec-policy matcher).

/ipv6 firewall filter
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward src-address-list=no_forward_ipv6 comment="defconf: drop bad forward IPs"
add action=drop chain=forward dst-address-list=no_forward_ipv6 comment="defconf: drop bad forward IPs"
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" protocol=udp dst-port=500,4500
add action=accept chain=forward comment="defconf: accept AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

As with the input chain, the last rule drops new connections from non-LAN interfaces; connections started from the LAN fall off the end of the chain and are accepted by RouterOS' implicit default.
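The rule sets above are evaluated first-match, top to bottom, and a packet that reaches the end of a chain is accepted. The following Python model of both chains is an added example, not MikroTik's code or anything from this page; it lets you check offline which rule a given packet would hit, including the fast-track hazard described above. The contents of the no_forward_ipv6 list beyond the multicast range, the LAN interface-list membership ("bridge"), the Packet fields and the FASTTRACK rule are assumptions made for the example.

```python
"""Added example (not MikroTik code): first-match model of the defconf IPv6
input and forward chains listed on the page, for checking a packet's fate
offline before the rules go on a router."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed contents of the no_forward_ipv6 list: the page says it holds the
# multicast range; the unspecified and link-local entries are an assumption.
NO_FORWARD_IPV6 = [ipaddress.ip_network(n) for n in ("::/128", "ff00::/8", "fe80::/10")]
LAN_IFACES = {"bridge"}                              # assumed LAN interface-list members
LINK_LOCAL_SRC = ipaddress.ip_network("fe80::/16")   # as written in the DHCPv6 rule
KEEP = {"established", "related", "untracked"}


@dataclass
class Packet:
    chain: str                    # "input" (to the router) or "forward" (through it)
    in_iface: str
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmpv6", "ipsec-ah", "ipsec-esp" or a number as str
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    conn_state: str = "new"       # new, established, related, untracked, invalid
    hop_limit: int = 64
    ipsec_in: bool = False        # decapsulated by an IPsec policy (ipsec-policy=in,ipsec)


def in_list(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def port_in(p: Packet, lo: int, hi: int) -> bool:
    # RouterOS "port=" matches either the source or the destination port
    return any(x is not None and lo <= x <= hi for x in (p.src_port, p.dst_port))


# (chain, action, comment, matcher) in the order the page lists the rules
RULES = [
    ("input", "accept", "accept ICMPv6 after RAW", lambda p: p.proto == "icmpv6"),
    ("input", "accept", "accept established,related,untracked", lambda p: p.conn_state in KEEP),
    ("input", "accept", "accept UDP traceroute", lambda p: p.proto == "udp" and port_in(p, 33434, 33534)),
    ("input", "accept", "accept DHCPv6-Client prefix delegation.",
     lambda p: p.proto == "udp" and p.dst_port == 546 and in_list(p.src, [LINK_LOCAL_SRC])),
    ("input", "accept", "accept IKE", lambda p: p.proto == "udp" and p.dst_port in (500, 4500)),
    ("input", "accept", "accept IPSec AH", lambda p: p.proto == "ipsec-ah"),
    ("input", "accept", "accept IPSec ESP", lambda p: p.proto == "ipsec-esp"),
    ("input", "drop", "drop all not coming from LAN", lambda p: p.in_iface not in LAN_IFACES),
    ("forward", "accept", "accept established,related,untracked", lambda p: p.conn_state in KEEP),
    ("forward", "drop", "drop invalid", lambda p: p.conn_state == "invalid"),
    ("forward", "drop", "drop bad forward IPs", lambda p: in_list(p.src, NO_FORWARD_IPV6)),
    ("forward", "drop", "drop bad forward IPs", lambda p: in_list(p.dst, NO_FORWARD_IPV6)),
    ("forward", "drop", "rfc4890 drop hop-limit=1", lambda p: p.proto == "icmpv6" and p.hop_limit == 1),
    ("forward", "accept", "accept ICMPv6 after RAW", lambda p: p.proto == "icmpv6"),
    ("forward", "accept", "accept HIP", lambda p: p.proto == "139"),
    ("forward", "accept", "accept IKE", lambda p: p.proto == "udp" and p.dst_port in (500, 4500)),
    ("forward", "accept", "accept AH", lambda p: p.proto == "ipsec-ah"),
    ("forward", "accept", "accept ESP", lambda p: p.proto == "ipsec-esp"),
    ("forward", "accept", "accept all that matches IPSec policy", lambda p: p.ipsec_in),
    ("forward", "drop", "drop everything else not coming from LAN", lambda p: p.in_iface not in LAN_IFACES),
]

# A fasttrack rule as someone might add it (assumption: the page's set has none).
# Used only to show what happens when it sits ahead of the IPsec accepts.
FASTTRACK = ("forward", "fasttrack-connection", "fasttrack",
             lambda p: p.conn_state in {"established", "related"})


def evaluate(p: Packet, rules=RULES):
    """Return (action, comment) of the first matching rule; RouterOS accepts a
    packet that reaches the end of a chain without matching any rule."""
    for chain, action, comment, match in rules:
        if chain == p.chain and match(p):
            return action, comment
    return "accept", "end of chain (implicit accept)"


if __name__ == "__main__":
    wan_icmp = Packet("forward", "ether1", "2001:db8::1", "2001:db8:1::10", "icmpv6", hop_limit=1)
    print(evaluate(wan_icmp))
    decrypted = Packet("forward", "ether1", "2001:db8:2::5", "2001:db8:1::10", "tcp",
                       dst_port=22, conn_state="established", ipsec_in=True)
    print(evaluate(decrypted), evaluate(decrypted, [FASTTRACK] + RULES))
```

Running the model with a fasttrack rule prepended to the forward chain shows an established, policy-decrypted connection being handed to fasttrack instead of the accept rules, which is exactly the ordering the page warns against; with the page's rule order the same packet is accepted by the established/related rule.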