ipv6 network fail (newbie alert)

Nick Edwards nick.z.edwards at gmail.com
Fri Mar 15 08:39:52 CET 2013


On 3/11/13, Steinar H. Gunderson <sesse at google.com> wrote:
> On Sat, Mar 09, 2013 at 12:24:37PM +1000, Nick Edwards wrote:
>> No idea, why, but this seems to have fixed it, thanks Gert!
>> all these years of ipv4, now with ipv6 I feel like i should be like a
>> little kid and re-start kindergarten again :)
>
> In general, you don't want to be firewalling off stuff unless you know
> exactly what you're doing -- it's so easy to break things.
>
> Unfortunately we're pretty much borked when it comes to IPv4 there; e.g.
> path MTU discovery does not really work anymore (try an MTU 1492 tunnel
> without MSS rewriting once, and observe large parts of the Internet break).
> I don't have too high hopes for IPv6 :-/
>
> /* Steinar */
> --
> Software Engineer, Google Switzerland
>


I have seen this block / don't block argument before, many times. I
have never experienced any "known" problems; however, talking to
another sysadmin in my city (who I used to work with a few years back),
he suggested I use, as he does
(copy and paste from him on ICQ):

/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP


Do you see anything wrong with that? Our network policy is to deny
everything we don't need and let in only what we must.

Nik
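An added example, not part of the post or of anything the thread's participants wrote: a small POSIX sh script that audits an ICMPv6 ruleset of the shape quoted above and prints a corrected one. It assumes an INPUT chain with first-match semantics, numeric `--icmpv6-type` arguments, and a deny-by-default policy like the poster's. Its list of types a host must keep accepting follows RFC 4890's host recommendations; the `ip6tables` invocations it emits use the real `-m hl --hl-eq 255` and `-m limit` matches. It only parses and prints rule text, so it runs without root. The copy of the quoted rules inside it is constructed from the post for the demo.

```shell
#!/bin/sh
# Added example, not from the post: audit an ip6tables ICMPv6 ruleset for the
# types a host must keep accepting, and emit a corrected ruleset.
# Assumptions: the chain is INPUT with first-match semantics, types are given
# numerically (--icmpv6-type N), and the policy is "drop everything else".
# Runs without root: it only parses and prints rule text.

# ICMPv6 types a host should not drop (after RFC 4890's host recommendations):
# 1 destination unreachable, 2 packet too big (needed for path MTU discovery),
# 3 time exceeded, 4 parameter problem, 128/129 echo request/reply,
# 133-136 router/neighbour solicitation and advertisement (address config).
# MLD (130-132, 143) is also needed where switches do MLD snooping, and
# Redirect (137) is site policy; neither is treated as required here.
REQUIRED_TYPES="1 2 3 4 128 129 133 134 135 136"

# Constructed copy of the ruleset quoted in the post. Note that 11 and 12 are
# ICMPv4 numbers (time exceeded, parameter problem); in ICMPv6 those types
# are unassigned, so the rules accept nothing useful beyond 3 and 4.
POSTED_RULES='/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP'

# Print, one per line, the ICMPv6 types the ruleset on stdin ACCEPTs before
# an untyped "-p icmpv6 ... -j DROP" (rules after that are unreachable).
accepted_types() {
  awk '
    /-p icmpv6/ && !/--icmpv6-type/ && /-j DROP/ { exit }
    /-p icmpv6/ && /-j ACCEPT/ {
      for (i = 1; i <= NF; i++)
        if ($i == "--icmpv6-type") print $(i + 1)
    }
  '
}

# Print the required types that the ruleset on stdin does NOT accept,
# space separated on one line (an empty line if none are missing).
missing_types() {
  accepted=" $(accepted_types | tr '\n' ' ')"
  missing=""
  for t in $REQUIRED_TYPES; do
    case "$accepted" in
      *" $t "*) ;;
      *) missing="$missing $t" ;;
    esac
  done
  printf '%s\n' "${missing# }"
}

# Emit a ruleset that keeps the deny-by-default policy but lets the required
# types through. "-m hl --hl-eq 255" restricts neighbour discovery to packets
# that were never forwarded; "-m limit" rate-limits echo requests.
recommended_rules() {
  cat <<'EOF'
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 129 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 130 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 131 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 132 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j DROP
EOF
}

# Demo: audit the posted rules, then show the corrected set.
printf 'Types accepted by the posted rules: %s\n' \
  "$(printf '%s\n' "$POSTED_RULES" | accepted_types | tr '\n' ' ')"
printf 'Required types it drops: %s\n' \
  "$(printf '%s\n' "$POSTED_RULES" | missing_types)"
echo 'Recommended ruleset:'
recommended_rules
```

Run against the quoted rules, the audit reports that types 1, 2, 128, 129 and 133-136 never get past the final DROP, which is exactly the path-MTU and neighbour-discovery breakage the block / don't block argument is about. The script only prints rules; review the output and apply it with `ip6tables` as root (on a box that does not take router advertisements, drop the type 134 line). The audit does not parse symbolic type names such as `packet-too-big`, so keep the numeric form if you feed it your own rules.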


More information about the ipv6-ops mailing list