[j-nsp] IPv6 firewall
kura@iij.ad.jp
Wed, 2 Oct 2002 02:11:18 +0900 (JST)
From: stuart@tech.org
Date: Tue Oct 01 2002 17:34:15 JST
>
> This "from" specification should also specify that the protocol is
> TCP; otherwise, it may be generating a match on packets that you do
> not intend that it match (such as routing protocol packets).
>
> Try:
>
> from {
>     source-address {
>         ::/0;
>         3ffe:507:200::/56 except; # example
>     }
>     next-header tcp;
>     destination-port telnet;
> }
>
> or something like that.
I added 'next-header tcp' to my filter, but no changes were
observed.
And I think that routing is not my problem. The following
figure is a part of my test network.
    =+======+=   =+======+=
     | segA |     | segB |
Router_A      M-10     Router_B
My problem is that ping6 from Router_A to the loopback I/F of
Router_B, and from Router_B to the loopback of Router_A, fails
only after applying the filter to lo0.0 of M-10. Of course
every router has a route to segA, segB and the loopback I/F of
each other even after applying the filter.
Best regards,
--
Tomohiko Kurahashi <kura@iij.ad.jp>
Network Engineering Division, Technology Department
Internet Initiative Japan Inc.
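For readers following the thread, here is a complete IPv6 lo0 filter of the shape Stuart suggests, as an added example that is not from the thread or from either poster. The filter name, term names, counter name and the final accept term are assumptions; the thread does not show Kurahashi's actual filter, so whether a missing final accept term explains the failing ping6 is also an assumption.

```junos
/* Added example, not the filter from the thread. Names are assumed. */
firewall {
    family inet6 {
        filter protect-re-v6 {
            /* Drop telnet to the RE from everywhere except the trusted
             * prefix; next-header tcp keeps the match to TCP only. */
            term deny-telnet {
                from {
                    source-address {
                        ::/0;
                        3ffe:507:200::/56 except;   /* example prefix from the thread */
                    }
                    next-header tcp;
                    destination-port telnet;
                }
                then {
                    count denied-telnet-v6;
                    log;
                    discard;
                }
            }
            /* A Junos firewall filter ends in an implicit discard. Without
             * an explicit final accept, ICMPv6 (ping6, neighbour discovery)
             * and routing-protocol traffic to the RE is dropped as well. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input protect-re-v6;
                }
            }
        }
    }
}
```

After commit, `show firewall filter protect-re-v6` shows the denied-telnet-v6 counter, so a lo0 ping6 that still fails can be checked against whether it is being counted by the deny term at all.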