Michael Casey michaelcasey73@gmail.com writes:
So, could it be reality that the "next-generation" Linux distros (e.g. iptables) will by default not ACCEPT, but rather this:

    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

- allow ICMP on INPUT because I heard/read that IPv6 relies more on ICMP

It could make a "good standard firewall" (?FIXME) - if anyone puts any server service on it, then he must know that he must change the INPUT XYZ.
This is what f11 does:
/etc/sysconfig/ip6tables:

    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p ipv6-icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
    -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
    COMMIT
It looks good to me, including the newer wording in system-config-firewall around icmp and ipv6-icmp which discourages clueless admins from blocking icmp's and gumming up the works.
-wolfgang
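The two messages above argue about the same three properties of a default ruleset: whether INPUT is closed by default (policy DROP or a trailing catch-all REJECT), whether ICMPv6 and loopback are let through before that deny, and which ports are opened for NEW connections. The script below is an added example, not code from the thread or from system-config-firewall: it parses an ip6tables-save style file and reports those properties. It is run over the Fedora 11 ruleset quoted by Wolfgang and over a constructed save-file rendering of Michael's default-DROP proposal written without the ICMPv6 allowance, to show what the audit flags. Option names it recognises are the ones appearing on the page plus their long forms; anything else is ignored.

```python
"""Audit the INPUT chain of an ip6tables-save style ruleset.

Added example for the firewall-default discussion; not the project's code.
Reports chain policy, whether ICMPv6 and loopback are accepted before the
first unconditional deny, which --dport values are opened, and dead rules
sitting after a catch-all REJECT/DROP.
"""
import shlex
from dataclasses import dataclass, field

# Fedora 11 /etc/sysconfig/ip6tables as quoted in the thread.
F11_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
"""

# Constructed: the default-DROP proposal from the first message, written as a
# save file and deliberately missing the ICMPv6 and loopback allowances.
DROP_NO_ICMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Options that make a rule conditional; a DROP/REJECT without any of them
# is a catch-all and everything appended after it is unreachable.
MATCH_OPTS = {"-p", "--protocol", "-i", "-o", "-s", "-d", "-m",
              "--state", "--dport", "--sport"}


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)  # each rule is an argv list


def parse_ruleset(text):
    """Return {chain_name: Chain} from iptables-save/ip6tables-save text."""
    chains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(policy=policy)
            continue
        argv = shlex.split(line)
        if argv[0] in ("-A", "--append"):
            chains.setdefault(argv[1], Chain()).rules.append(argv[2:])
    return chains


def _opt(argv, *names):
    """Value following the first of `names` in argv, or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def _is_catch_all(argv):
    return _opt(argv, "-j", "--jump") in ("DROP", "REJECT") and not (MATCH_OPTS & set(argv))


def audit_input(text):
    """Summarise the INPUT chain and list findings an admin should act on."""
    inp = parse_ruleset(text).get("INPUT", Chain())
    rules = inp.rules
    cut = next((i for i, r in enumerate(rules) if _is_catch_all(r)), len(rules))
    live = rules[:cut]  # rules that can still match traffic

    def accepts(pred):
        return any(_opt(r, "-j", "--jump") == "ACCEPT" and pred(r) for r in live)

    closed = inp.policy in ("DROP", "REJECT") or cut < len(rules)
    icmp6 = accepts(lambda r: _opt(r, "-p", "--protocol") in ("ipv6-icmp", "icmpv6", "icmp6"))
    loopback = accepts(lambda r: _opt(r, "-i", "--in-interface") == "lo")
    open_ports = sorted({_opt(r, "--dport") for r in live
                         if _opt(r, "-j", "--jump") == "ACCEPT" and _opt(r, "--dport")})

    findings = []
    if not closed:
        findings.append("INPUT is open by default: policy ACCEPT and no catch-all REJECT/DROP")
    if not icmp6:
        findings.append("ICMPv6 is not accepted before the default deny; neighbour discovery and PMTU discovery break")
    if not loopback:
        findings.append("loopback (-i lo) is not accepted; local services talking to themselves fail")
    if cut < len(rules) - 1:
        findings.append(f"{len(rules) - cut - 1} rule(s) after the catch-all are unreachable")
    return {"policy": inp.policy, "closed_by_default": closed, "icmpv6_allowed": icmp6,
            "loopback_allowed": loopback, "open_tcp_ports": open_ports, "findings": findings}


if __name__ == "__main__":
    for label, rules in (("f11", F11_RULES), ("drop-no-icmp", DROP_NO_ICMP)):
        print(label, audit_input(rules))
```

On the f11 ruleset the audit reports a closed chain (ACCEPT policy but a catch-all REJECT), ICMPv6 and loopback allowed, port 22 open and no findings; on the constructed default-DROP variant it confirms the chain is closed but flags the missing ICMPv6 and loopback rules, which is exactly the gap the first message's "allow ICMP on INPUT" note was meant to cover.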