On Tue, 12 Aug 2014 20:13:43 +0000 (UTC)
Kill Your TV <killyourtv@???> wrote:
> Assuming I understood the request properly, I tried the following:
>
> a/config/chroot_local-includes/etc/ferm/ferm.conf +++
> b/config/chroot_local-includes/etc/ferm/ferm.conf @@ -179,6 +179,7 @@
> domain ip6 { table filter {
> chain INPUT {
> policy DROP;
> + daddr ::1 saddr ::1 REJECT;
> }
>
> chain FORWARD {
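Review bot: the added `daddr ::1 saddr ::1 REJECT;` rule carries no interface, protocol or port match, so it rejects every IPv6 loopback datagram that reaches INPUT, not only the traffic this ticket is about; if the aim is to mirror the OUTPUT rule, carry over its qualifiers and wrap it in `interface lo` rather than matching on addresses alone. Note also that the chain policy is already `DROP`, so the only observable change for matching packets is a silent drop becoming an ICMPv6 reject (ip6tables' default for `REJECT` is port-unreachable). As pasted, the hunk header has lost its `--- a/...` line and runs `+++` and `@@` together, so it will not apply with `git apply` without being re-wrapped.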
I also tried copying the rule from the OUTPUT chain, wrapping it in a
"interface lo outerface lo" block. When I attempted to restart, ferm
complained, something like "cannot use matches for policy" or the like.
Then I tried the following:
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -179,6 +179,8 @@ domain ip6 {
table filter {
chain INPUT {
policy DROP;
+ LOG log-prefix "Dropped inbound packet: " log-level debug
log-uid;
+ REJECT reject-with icmp6-port-unreachable;
}
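Review bot: appending an unconditional `REJECT reject-with icmp6-port-unreachable;` means the `policy DROP;` above it is never reached, so every inbound IPv6 packet not accepted by an earlier rule is now actively rejected instead of silently dropped; that is fine for a diagnostic build but should not be merged as-is. `log-uid` only logs a uid for locally generated packets (the owning socket is known on OUTPUT, not on INPUT), so it adds nothing in this chain, and the LOG rule has no rate limit, so on a noisy interface it could flood the log; a `mod limit limit 5/min` in front of LOG would bound that. The `log-uid;` continuation also lacks the leading `+`, as you anticipated, so the hunk needs re-joining before it will apply.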
With that (which probably will be line wrapped when I hit send), there
were no blocked inbound connections logged, and the counters for the
INPUT chain didn't increase either, so I think that adding rules to the
INPUT chain probably won't change the behaviour seen with respect to this
ticket; the only blocked activity is seen on the OUTPUT chain.
--
GPG ID: 0x5BF72F42D0952C5A
Fingerprint: BD12 65FD 4954 C40A EBCB F5D7 5BF7 2F42 D095 2C5A