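#!/bin/sh
#
# Prototype ip6fw ruleset that gives a single host some protection against
# traffic from outside its own network.  ip6fw keeps no connection state:
# apart from the "setup"/"established" TCP flag checks below, every rule is a
# stateless packet filter, so a permissive rule applies to any packet that
# matches it, not only to traffic this host initiated.
#
# All expansions are double-quoted so that an empty or whitespace-containing
# value cannot silently turn into a different (usually wider) rule.
fw6cmd="/sbin/ip6fw"

############
# Set these to your network prefix, prefix length and host address.
#
# This needs more work.
#
net="2001:db8:2:1::"
prefixlen="64"
ip="2001:db8:2:1::1"

#setup_local
############
# Only in rare cases do you want to change these rules.
#
# Loopback: allow everything on lo0, but refuse ::1 on any other interface
# (spoofed loopback addresses arriving from the wire).
"${fw6cmd}" add 100 pass all from any to any via lo0
"${fw6cmd}" add 200 deny all from any to ::1
"${fw6cmd}" add 300 deny all from ::1 to any

#
# ND (Neighbor Discovery)
#
# DAD: duplicate address detection is sent from the unspecified address
# to a solicited-node multicast group.
"${fw6cmd}" add pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect... between link-local addresses.
"${fw6cmd}" add pass ipv6-icmp from fe80::/10 to fe80::/10

#setup communication
# Allow any traffic to or from my own net.
"${fw6cmd}" add pass all from "${ip}" to "${net}/${prefixlen}"
"${fw6cmd}" add pass all from "${net}/${prefixlen}" to "${ip}"

# Allow any link-local multicast traffic.
"${fw6cmd}" add pass all from fe80::/10 to ff02::/16
"${fw6cmd}" add pass all from "${net}/${prefixlen}" to ff02::/16

# Allow TCP through if setup succeeded.
# NOTE(review): "established" only tests TCP flags (ACK/RST set); without
# a state table this admits any segment carrying those flags, so the
# protection here comes from the "setup" rules below, not from this one.
"${fw6cmd}" add pass tcp from any to any established

# Allow IP fragments to pass through.
# NOTE(review): non-initial fragments carry no transport header, so no
# port-based rule below can match them; this rule lets them through
# unconditionally.
"${fw6cmd}" add pass all from any to any frag

# Allow setup of incoming email.
"${fw6cmd}" add pass tcp from any to "${ip}" 25 setup

# Allow setup of outgoing TCP connections only.
"${fw6cmd}" add pass tcp from "${ip}" to any setup

# Disallow setup of all other TCP connections.
"${fw6cmd}" add deny tcp from any to any setup

# Allow DNS queries out in the world.
# NOTE(review): the reply rule trusts the remote source port alone -- any
# UDP datagram whose source port is 53 reaches every UDP port on ${ip}.
# Because ip6fw is stateless this cannot be tied to an outstanding query;
# consider restricting the destination to the host's ephemeral port range
# or pinning the remote side to your configured resolvers.
"${fw6cmd}" add pass udp from any 53 to "${ip}"
"${fw6cmd}" add pass udp from "${ip}" to any 53

# Allow NTP queries out in the world.
# NOTE(review): same source-port-only trust as the DNS reply rule above.
"${fw6cmd}" add pass udp from any 123 to "${ip}"
"${fw6cmd}" add pass udp from "${ip}" to any 123

# Allow ICMPv6 destination unreachable.
"${fw6cmd}" add pass ipv6-icmp from any to any icmptypes 1

# Allow NS/NA/toobig (don't filter it out); packet-too-big is required
# for path MTU discovery to work.
"${fw6cmd}" add pass ipv6-icmp from any to any icmptypes 2,135,136

# Everything else is denied by default, unless the
# IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.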