ipv6 network fail (newbie alert)

Philipp Kern phil at philkern.de
Fri Mar 15 08:51:49 CET 2013


Nick,

On Fri, Mar 15, 2013 at 05:39:52PM +1000, you wrote:
> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP
> 
> Do you see anything wrong with that? Our network policy is deny
> everything we don't need and let in only what we must.

yes, not compliant with RFC 4890, which you were pointed to. You're
dropping type 2, for instance, which is unhelpful.

Kind regards
Philipp Kern
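
An added example, not part of the original message or of RFC 4890: a small Python check that walks ip6tables INPUT rules first-match and lists which ICMPv6 types from RFC 4890 section 4.4.1 (traffic that must not be dropped when addressed to the host) end up dropped. It assumes numeric `--icmpv6-type` values, only ACCEPT, DROP and REJECT as terminating targets, and no chain policy; the function names and the subset of types in the table are this example's own choices.

```python
import shlex

# Subset of the ICMPv6 types RFC 4890 section 4.4.1 lists as "must not be
# dropped" for traffic addressed to the host. Checked per type only; the RFC
# narrows types 3 and 4 to specific codes, which this example does not model.
MUST_NOT_DROP = {
    1: "Destination Unreachable", 2: "Packet Too Big",
    3: "Time Exceeded", 4: "Parameter Problem",
    128: "Echo Request", 129: "Echo Response",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
}

# The five rules quoted in the message above.
QUOTED_RULES = """
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP
"""

def parse_rule(line):
    """Return (proto, icmp_type, target) for an '-A INPUT' rule, else None."""
    tok = shlex.split(line, comments=True)
    opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    if opts.get("-A") != "INPUT" or "-j" not in opts:
        return None
    icmp_type = opts.get("--icmpv6-type")
    if icmp_type is not None:
        icmp_type = int(icmp_type.split("/")[0])  # numeric "type" or "type/code"
    return opts.get("-p"), icmp_type, opts["-j"]

def dropped_required_types(ruleset):
    """First-match walk of the INPUT rules; returns required types that are blocked."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    dropped = {}
    for icmp_type, name in MUST_NOT_DROP.items():
        for proto, rule_type, target in rules:
            applies = proto in (None, "icmpv6", "ipv6-icmp") and rule_type in (None, icmp_type)
            if applies and target in ("ACCEPT", "DROP", "REJECT"):
                if target != "ACCEPT":
                    dropped[icmp_type] = name
                break
    return dropped

if __name__ == "__main__":
    for t, name in dropped_required_types(QUOTED_RULES).items():
        print(f"type {t} ({name}) is dropped")
```

Run against the quoted rules, it reports type 2 (Packet Too Big) along with the other listed types that fall through to the final DROP.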


More information about the ipv6-ops mailing list