Differences
This shows you the differences between two versions of the page.
cisco:ipv6 [2010/04/09 08:54] a
cisco:ipv6 [2010/11/11 08:48] greebo
Line 48: | Line 48: | ||
**reload is needed** | **reload is needed** | ||
+ | |||
+ | == IPv6 access lists ACL == by Jan Bervar from [[http:// | ||
+ | |||
+ | < | ||
+ | ! najbolj osnovni anti-spoofing, | ||
+ | deny ipv6 2001: | ||
+ | ! ICMP za ND-NS, treba je upoštevati kup kombinacij naslovov | ||
+ | permit icmp FE80::/10 FE80::/10 nd-ns | ||
+ | permit icmp FE80::/10 FE80::/10 nd-na | ||
+ | permit icmp FE80::/10 host FF02:: | ||
+ | permit icmp host 2A02: | ||
+ | permit icmp host 2A02: | ||
+ | ! dovolimo minimalen lokalni RA za morebitni troubleshooting, | ||
+ | permit icmp FE80::/10 host FF02::1 router-advertisement | ||
+ | ! dovolimo PING na/iz lokalnih vmesnikov usmerjevalnika | ||
+ | permit icmp any host 2A02: | ||
+ | permit icmp any host 2A02: | ||
+ | permit icmp any host 2001: | ||
+ | permit icmp any host 2001: | ||
+ | ! dovolimo BGP za naše BGP-sosede | ||
+ | permit tcp host 2A02: | ||
+ | permit tcp host 2A02: | ||
+ | ! prepovemo ves promet na izpostavljene omrežne naprave | ||
+ | deny ipv6 any host 2A02: | ||
+ | deny ipv6 any host 2001: | ||
+ | deny ipv6 any host 2001: | ||
+ | deny ipv6 any host 2001: | ||
+ | ! pustimo ves ostali promet naprej, da ga pregledajo bolj pametne škatle za usmerjevalnikom | ||
+ | permit ipv6 any 2001: | ||
+ | ! drugega pa seveda ne sme biti | ||
+ | deny ipv6 any any log-input | ||
+ | </ | ||
+ | |||
+ | |||
+ | Če filtriraš na TCP in UDP za tranziten promet, se nič ne spremeni. Traceroute delajo UNIXi AFAIK še vedno preko UDP na visokih portih, Windowsi pa še vedno (ravnokar preverjeno) preko ICMP echo zahtev. | ||
+ | |||
+ | Pa naj še enkrat opomnim na tisti IOS-ov trik: če *nimaš* na koncu ACLja "deny ipv6 any any", ti bo IOS na začetku implicitno (in skrito) dodal " | ||
+ |
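Review bot: the explicit Neighbor Discovery permits near the top of the list (`permit icmp FE80::/10 ... nd-ns` / `nd-na`) only match link-local sources, and the closing `deny ipv6 any any log-input` shadows the implicit ND entries IOS would otherwise apply, as the final paragraph about IOS's hidden entries points out; Duplicate Address Detection solicitations are sent from the unspecified address `::`, so if this list is applied inbound on a link with hosts their DAD traffic will be dropped and logged. Consider adding a line such as `permit icmp host :: FF02::1:FF00:0/104 nd-ns` ahead of the final deny. Separately, in DokuWiki a heading must stand alone on its line, so the `by Jan Bervar from [[http://...` attribution appended to `== IPv6 access lists ACL ==` will stop that line rendering as a heading; move the attribution to the line below.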