[firewall6] doc++ && filtrage++
Ignore-this: b7ceefc14cc7041ea1b34c32e431bd55 darcs-hash:20110308203939-8fbb1-344bb5a9a9b00dc29c5811fd8cf97e05857a35cc.gz
This commit is contained in:
parent
7a6a840c0f
commit
fbe8b43e87
1 changed files with 9 additions and 0 deletions
@ -129,6 +129,11 @@ def main_router():
|
||||||
dev_ip6 = iface6('sixxs2')
|
dev_ip6 = iface6('sixxs2')
|
||||||
|
|
||||||
# Les blacklistes
|
# Les blacklistes
|
||||||
|
# Si on les met après la règle conntrack, une connexion existante ne sera
|
||||||
|
# pas sevrée et dinc avec un tunnel ssh idoine, la blacklist aurait aucun
|
||||||
|
# effet.
|
||||||
|
# Alternative : flusher la table conntrack des entrées concernant cette
|
||||||
|
# machine.
|
||||||
blacklist(ip6tables)
|
blacklist(ip6tables)
|
||||||
ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
|
ip6tables.filter.forward('-o %s -j BLACKLIST_SRC' % dev_ip6)
|
||||||
ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
|
ip6tables.filter.forward('-i %s -j BLACKLIST_DST' % dev_ip6)
|
||||||
|
@ -162,6 +167,10 @@ icmp6-addr-unreachable' % (prefix['adm'][0]))
|
||||||
for icmpv6 in authorized_icmpv6:
|
for icmpv6 in authorized_icmpv6:
|
||||||
ip6tables.filter.forward('-p icmpv6 -m icmp6 --icmpv6-type %s -j \
|
ip6tables.filter.forward('-p icmpv6 -m icmp6 --icmpv6-type %s -j \
|
||||||
ACCEPT' % icmpv6)
|
ACCEPT' % icmpv6)
|
||||||
|
ip6tables.filter.forward('-p icmpv6 -j DROP')
|
||||||
|
|
||||||
|
# cf https://www.sixxs.net/faq/connectivity/?faq=filters
|
||||||
|
ip6tables.filter.forward('-m rt --rt-type 0 -j DROP')
|
||||||
|
|
||||||
# Ouverture des ports
|
# Ouverture des ports
|
||||||
ports(dev_ip6, dev_crans)
|
ports(dev_ip6, dev_crans)
|
||||||
|
|
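Review bot: The new `ip6tables.filter.forward('-m rt --rt-type 0 -j DROP')` in the second hunk is emitted after the authorized_icmpv6 ACCEPT loop, so an ICMPv6 packet of an authorized type that also carries a type-0 routing header matches the ACCEPT first and never reaches the RH0 drop; assuming `forward()` appends rules in emission order as it appears to, that line belongs at the head of the chain, ahead of the ICMPv6 rules and of the conntrack rule the first hunk's comment refers to. The blanket `ip6tables.filter.forward('-p icmpv6 -j DROP')` also depends silently on authorized_icmpv6 (defined outside the hunk) covering the ICMPv6 error types IPv6 cannot do without, packet-too-big in particular for path MTU discovery; a comment on that line such as `# Must stay after the authorized_icmpv6 loop, which has to cover the RFC 4890 error types (packet-too-big etc.)` would record that dependency. main_router starts before the first hunk and continues past the second.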