Linux policy: Selectively allowing autoconf
Shadow Hawkins on Friday, 21 November 2008 10:45:39
I use autoconf to configure my laptop at home, on my wireless network. However, I also often happen to use the same laptop in "hostile" environments where I don't want to trust anyone capable of sending an RA. Like just now, when some jerk at work (on a large open wireless network) seems to be announcing a 6to4 prefix from his Windows PC. Great...
I guess I can solve this by using scripts to update /proc/sys/net/ipv6/conf/ath0/autoconf based on the current connected network, but I have a feeling that this should be a common problem with a more elegant solution.
So the question is: what do other people do?
Bjorn
Jeroen Massar on Friday, 21 November 2008 10:51:14
Using ip6tables to only accept RAs from your known routers (thus the one at home) is the best way to go here; this also avoids this issue in other cases. If you then add a LOG statement for everything that gets rejected, you will be able to see when there is a rogue one on your local link. More elegant, probably, is a LOG and then adding the source to a list of sources to drop from.
Unfortunately, afaik one can't do 'deep-RA' filtering and thus e.g. filtering based on the announced prefix, thereby filtering out e.g. all 6to4 announcements.
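
The filtering suggested in the reply above, as an added example that is not part of the original thread: a shell function that prints an ip6tables-restore ruleset accepting RAs only from listed router link-local addresses and logging, then dropping, every other RA. The interface name ath0 comes from the question; the router address fe80::1 and the chain name RA-FILTER are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an ip6tables-restore ruleset that accepts Router
# Advertisements (ICMPv6 type 134) only from known routers and logs and
# drops all others. Chain name and sample addresses are constructed.

# usage: ra_filter_rules IFACE ROUTER_LL [ROUTER_LL...]
ra_filter_rules() {
    iface=$1
    [ -n "$iface" ] && [ $# -ge 2 ] || {
        echo "usage: ra_filter_rules IFACE ROUTER_LL..." >&2
        return 2
    }
    shift
    # RFC 4861: routers send RAs from their link-local address, so
    # refuse anything else in the allow list.
    for r in "$@"; do
        case $r in
            fe80:*) ;;
            *) echo "not a link-local address: $r" >&2; return 1 ;;
        esac
    done
    echo '*filter'
    echo ':RA-FILTER - [0:0]'
    # Only RAs arriving on this interface are sent through RA-FILTER.
    echo "-A INPUT -i $iface -p ipv6-icmp --icmpv6-type router-advertisement -j RA-FILTER"
    for r in "$@"; do
        # Hop limit 255 means the packet was not forwarded by a router.
        echo "-A RA-FILTER -s $r -m hl --hl-eq 255 -j ACCEPT"
    done
    # Rate-limited log line for each rejected RA, then drop it.
    echo '-A RA-FILTER -m limit --limit 6/minute -j LOG --log-prefix "rogue-RA: "'
    echo '-A RA-FILTER -j DROP'
    echo 'COMMIT'
}

# Apply as root (not run here); --noflush keeps the existing ruleset:
#   ra_filter_rules ath0 fe80::1 | ip6tables-restore --noflush
```

Applying it a second time appends a second jump rule to INPUT, so remove the old one first. A source address can be forged by another host on the same link, so the log line is what shows that a rogue announcer is present.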