<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.28.3">
</HEAD>
<BODY>
On Thu, 2013-03-21 at 15:54 +1000, Nick Edwards wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
I must have missed something here, because with icmp., that freebsd
link shows what I'm doing now, and people here are saying not to
O
</PRE>
</BLOCKQUOTE>
Darren pretty much answered your question earlier on in the thread.<BR>
This should work for you, it might be nasty, but it does work <IMG SRC="cid:1363850404.9984.8.camel@tardis" ALIGN="middle" ALT=":)" BORDER="0"><BR>
<BR>
ip6tables -F<BR>
ip6tables -P INPUT ACCEPT (or drop)<BR>
ip6tables -P OUTPUT ACCEPT<BR>
ip6tables -P FORWARD DROP<BR>
<BR>
ip6tables -A INPUT -i lo -j ACCEPT<BR>
ip6tables -A INPUT -s fe80::/10 -j ACCEPT<BR>
ip6tables -A INPUT -d ff00::/8 -j ACCEPT<BR>
<BR>
ip6tables -A INPUT -s y:o:u:r:assigned:range/mask<BR>
<BR>
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<BR>
<BR>
if you are forwarding<BR>
ip6tables -A FORWARD -s y:o:u:r:assigned:range/mask -j ACCEPT<BR>
ip6tables -A FORWARD -d y:o:u:r:assigned:range/mask -j ACCEPT<BR>
<BR>
---input accepts for any ports like 25, 80, etc here---<BR>
<BR>
ip6tables -A INPUT -p tcp --dport 1:1023 -j DROP<BR>
ip6tables -A INPUT -p udp -j DROP<BR>
<BR>
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT <BR>
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT <BR>
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT <BR>
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT <BR>
ip6tables -A INPUT -p icmpv6 -j DROP<BR>
<BR>
<BR>
Since you earlier said you static assigned IP's I see no point in allowing NDP (but I too are no ipv6 expert)<BR>
<BR>
</BODY>
</HTML>