DHCPv6 *still* broken for F17 alpha
tore at fud.no
Fri Mar 2 21:39:24 UTC 2012
* Tom Callaway
> I know less than nothing about DHCPv6. I used the rule offered earlier
> in the thread by Paul Wouters. If there is a more appropriate ruleset,
> please tell me what it is and I'll regenerate the patch.
This one will certainly work (it's the patch attached bug #591630):
ip6tables -A INPUT -p udp --dport 546 -j ACCEPT
This one *most likely* works (it assumes /sbin/dhclient in Fedora will
*always* use a link-local source address when building a DHCPv6 request.
I believe that is the case, but I have not reviewed its source code to
ip6tables -A INPUT -p udp --dport 546 -d fe80::/64 -j ACCEPT
Also, the latter one might be much more desirable from a security
standpoint, as it prevents random people/attackers on the internet from
transmitting unsolicited packets to the DHCPv6 client. In order to
successfully transmit a packet to a node using its link-local address in
fe80::/64 as the destination address, you'll have to be on the same
link. And if you have an attacker on the same link, you're dead anyway -
matching the source address and/or source port adds nothing, those are
Also, I removed the "-m state --state NEW" part, as I don't think doing
a stateful match on the packet adds anything but processing overhead.
After all, the reason for adding an explicit exception for DHCPv6 is
that it *can't* be successfully matched by the current ip6tables state
module. But I have no problems with it being included either, if it
makes anyone happier.
More information about the devel