The people at netfilter have got a patch for ip6tables to allow -j REJECT rather than -j DROP. Would be happy to help implement this as it's a fairly important tool for securing gentoo against ipv6 based attacks.

Reproducible: Always

Steps to Reproduce:
1. emerge iptables with USE="ipv6"

Applying the patch to the userland utilities is really the easy part. Having to modify the kernel and recompile (even as a module) driven by an ebuild might be tricky.
I'm also interested in this. In fact, I'm surprised they didn't put it in the standard ip6tables. For me this would be useful mainly for rejecting port 113 (ident) connections, so that it wouldn't take a long time to connect to an IPv6 IRC server.
Please include a link to the patch.
> Please include a link to the patch.

I'm also interested in it, but it's a kernel patch, not an iptables one. Maybe it's available on other kernel sources than the gentoo-sources.

Patch is on SVN:
http://svn.netfilter.org/cgi-bin/viewcvs.cgi/trunk/patch-o-matic-ng/patchlets/REJECT/

and on FTP in bzip2 archives:
http://ftp.netfilter.org/pub/patch-o-matic-ng/
http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
Install a kernel that has the ipv6 REJECT in it, and then iptables will automatically build the module.
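The check the last two comments imply, as an added example (not part of the bug report or of netfilter's own code): before writing the ident rule from the second comment, confirm the kernel was built with the IPv6 REJECT target (CONFIG_IP6_NF_TARGET_REJECT, built-in or module), and only then use -j REJECT --reject-with tcp-reset, which answers the IRC server's ident probe with a TCP RST instead of letting it time out. Falling back to -j DROP when the target is missing is an assumption of this example; the config path is a parameter (Gentoo's /usr/src/linux/.config or /proc/config.gz are typical), and no real system is touched unless you run the printed command yourself.

```shell
#!/bin/sh
# Added example for the ip6tables REJECT discussion; not code from the bug
# report.  Decides between REJECT (tcp-reset) and DROP for ident (tcp/113)
# based on whether the kernel config enables the IPv6 REJECT target.

# has_ip6_reject CONFIG_FILE
# Returns 0 if CONFIG_IP6_NF_TARGET_REJECT is =y or =m in CONFIG_FILE.
# A .gz file (e.g. /proc/config.gz) is decompressed on the fly.
has_ip6_reject() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    case "$cfg" in
        *.gz) zcat "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -Eq '^CONFIG_IP6_NF_TARGET_REJECT=(y|m)$'
}

# ident_rule CONFIG_FILE
# Prints the ip6tables command for tcp/113.  With REJECT the peer receives
# a RST and gets ECONNREFUSED at once; with DROP (the assumed fallback) it
# has to wait out its own connect timeout, which is the IRC delay.
ident_rule() {
    if has_ip6_reject "$1"; then
        echo 'ip6tables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset'
    else
        echo 'ip6tables -A INPUT -p tcp --dport 113 -j DROP'
    fi
}

# Stand-alone use: sh script.sh --check [CONFIG_FILE]
# Prints the rule it would apply; it does not run ip6tables itself.
if [ "${1:-}" = "--check" ]; then
    ident_rule "${2:-/usr/src/linux/.config}"
fi
```

Run it with --check against the config of the kernel you boot; if it prints the DROP variant, the kernel side of the patch is still missing and -j REJECT will fail with "No chain/target/match by that name" regardless of what the userland ip6tables supports.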