It is there because in most cases multicast is not used.
Notice that in this list multicast address range is added.
Add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6Īdd action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untrackedĪdd action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udpĪdd action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16Īdd action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udpĪdd action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ahĪdd action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-espĪdd action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN Protect the Clientsīefore the actual set of rules, let's create a necessary address-list that contains all IPv4/6 addresses that cannot be forwarded.
0 kommentar(er)
