Why do I need ICMPv6? For two reasons – firstly, it is essential to the operation of IPv6, or at least the Packet Too Big message is. It stops all input to the Mikrotik itself from outside, however, except for ICMPv6.
The above allows established and related packets to be forwarded into my networks, it allows ICMPv6 in, and allows anything into my network on port 22 (ssh). My first attempt looked like this (note that the default policy on all default chains is “accept”): /ipv6 firewall filterĪdd action=accept chain=forward connection-state=established in-interface=pppoe-out1Īdd action=accept chain=forward connection-state=related in-interface=pppoe-out1Īdd action=accept chain=forward in-interface=pppoe-out1 protocol=icmpv6Īdd action=accept chain=forward dst-port=22 in-interface=pppoe-out1 protocol=tcpĪdd action=drop chain=forward in-interface=pppoe-out1Īdd action=accept chain=input in-interface=pppoe-out1 protocol=icmpv6Īdd action=drop chain=input in-interface=pppoe-out1Īdd action=drop chain=input in-interface=ether1-gateway The other approach is to have rules that block specific things, then allow everything else, but this is not as safe.
Generally speaking, you should have rules that allow specific things, followed by a catch-all rule that blocks everything else. If you have a rule that allows everything, followed by a rule that blocks (say) HTTP, then the second rule will never have any effect. Within a given chain, the order of the rules is critical, as they are applied in the order given. It’s possible to create your own chains, too, but that wasn’t needed in this simple ruleset. The forward chain controls packets passing through the router – neither destined for nor sourced from interfaces on the router. The output chain controls packets leaving the router, sourced from an interface on the router. So rulesets should in general be kept as small as possible.īy the way – the input chain controls packets arriving at the router addressed to interfaces actually on the router ( any interface on the router, including loopback interfaces). Simplicity is itself a security positive. Also, large rulesets are difficult to understand, and therefore harder to create, inspect and modify.
Worst case, large rulesets can slow the delivery of packets. The more rules you have the greater the load on your router, and for a very small unit such as the RB951-2n, that can be a real problem. This is a pretty minimal approach, but starting small is generally a good idea. I wanted to stop the Internet getting to the Mikrotik itself, and forward only ICMPv6 and ssh into my network, while not preventing any outbound connections. My IPv6 hosts are all quite capable of defending themselves, but a packet filter at the border reduces traffic on the network, plus I wanted to see how Mikrotik did it. Once my little Mikrotik RB951-2n was working properly, I decided to give it a proper packet filter.
0 kommentar(er)
