Hi.

> 1. Following the "deny by default" principle, change the default section
> policy to DROP. The firewall package already adds rules to allow all
> lo traffic, so there should be no impact to users.

NACK. If at all it should be reject, not drop - to at least give users a
chance to see that the firewall is swallowing traffic.

> 2. Harden the allow-dhcp-renew rule: the source port should always be 67.

ACK.

> 3. Refer to RFC 4890, ICMPv6 Filtering Recommendations, Appendix B
> (http://www.ietf.org/rfc/rfc4890.txt). The sample ICMPv6 filter rules
> indicate that ip6tables can keep track of most ICMPv6 traffic as "RELATED".
> The ICMPv6 filter can be hardened.

I'm not sure about that. In theory DHCP response traffic should be kept
as related as well; in practice the idle times are too high, so the
connections fall out of the conntrack table. I prefer to keep explicit
ICMP whitelists; relying on related state tracking with varying timeouts
will lead to unpredictable behaviour.

> 4. Allow most ICMPv6 neighbour discovery traffic, as the kernel will
> enforce the "hop-limit=255" rule (the packet is not forwarded).

Any reason why you remove ICMP failure notifications like "too-big" from
the whitelist?

> 5. Remove "limit 1000" to avoid a possible denial of service (an attacker
> can stop all ICMP traffic by sending more than 1000 ICMP packets/s).

As I already mentioned in the ticket, instead of removing the limit, I'd
rather see hashlimits implemented that rate-limit the traffic per host
or prefix.


~ Jow
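The ruleset that the points above argue for, written as an added example (not the OpenWrt firewall package's own code) in ip6tables-restore syntax: explicit ICMPv6 whitelist rather than RELATED tracking, error notifications such as packet-too-big kept, a per-/64 hashlimit in place of a single global limit, and REJECT rules instead of a silent DROP. The 1000/sec threshold, the burst of 50 and the /64 source mask are assumed values.

```shell
#!/bin/sh
# Added example: ICMPv6 input policy as discussed in the reply above.
# Thresholds and the /64 source mask are assumptions, not project values.
icmpv6_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmpv6_in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j icmpv6_in
# Item 3: an explicit whitelist; nothing here depends on conntrack
# timeouts. Error notifications (incl. packet-too-big) stay allowed.
-A icmpv6_in -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A icmpv6_in -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A icmpv6_in -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A icmpv6_in -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
# Item 4: neighbour discovery; a hop limit of 255 means the packet
# was not forwarded, so the sender is on-link.
-A icmpv6_in -p ipv6-icmp --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A icmpv6_in -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A icmpv6_in -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A icmpv6_in -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# Item 5: hashlimit keyed on the source /64 instead of one global
# "limit 1000"; a flooding prefix only exhausts its own bucket.
-A icmpv6_in -p ipv6-icmp --icmpv6-type echo-request -m hashlimit --hashlimit-upto 1000/sec --hashlimit-burst 50 --hashlimit-mode srcip --hashlimit-srcmask 64 --hashlimit-name icmpv6-echo -j ACCEPT
-A icmpv6_in -j DROP
# Item 1: REJECT cannot be a chain policy, so the "reject, not drop"
# behaviour comes from trailing rules; the DROP policy is only a backstop.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

# Item 2 (IPv4 table): DHCP renew answers pinned to server port 67 rather
# than RELATED state, since renews outlive the UDP conntrack timeout.
dhcp_renew_rule() {
  echo '-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT'
}

# Parse without committing:  icmpv6_ruleset | ip6tables-restore --test
```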
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel