ipv6 network fail (newbie alert)

Nick Edwards nick.z.edwards at gmail.com
Fri Mar 15 09:42:21 CET 2013


On 3/15/13, Philipp Kern <phil at philkern.de> wrote:
> Nick,
>
> on Fri, Mar 15, 2013 at 05:39:52PM +1000 you wrote the following:
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP
>>
>> Do you see anything wrong with that? Our network policy is deny
>> everything we don't need and let in only what we must.
>
> yes, not compliant with RFC4890, which you were pointed to. You're
> dropping type 2, for instance, which is unhelpful.
>
> Kind regards
> Philipp Kern
>

Type 2, I concede, but type 1, I do not; it defeats the purpose of the drop, from
my reading.
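
The check behind the RFC 4890 objection, as an added example that is not part of the original thread: a shell function that reads ip6tables rules like the ones quoted above and lists which ICMPv6 error types RFC 4890 puts in its "must not be dropped" set (types 1 to 4) are not accepted before the catch-all DROP. The function names and the type-only matching (no codes, no named types) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit ip6tables rules (one per line)
# for ICMPv6 error types that RFC 4890 says must not be dropped.
# Assumption: only numeric --icmpv6-type values are parsed; ICMPv6 codes,
# named types and conntrack-based rules are ignored.

# 1 Destination Unreachable, 2 Packet Too Big,
# 3 Time Exceeded, 4 Parameter Problem
REQUIRED_TYPES="1 2 3 4"

# Reads rules on stdin; prints the required types that are not ACCEPTed
# before the first untyped "-p icmpv6 -j DROP" rule (empty line if none).
missing_icmpv6_types() {
    awk -v required="$REQUIRED_TYPES" '
        /-p (icmpv6|ipv6-icmp) / {
            type = ""; target = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--icmpv6-type") type = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (type == "" && target == "ACCEPT") { all = 1; exit }
            if (type == "" && target == "DROP") exit   # catch-all: stop here
            if (type ~ /^[0-9]+$/ && target == "ACCEPT") accepted[type] = 1
        }
        END {
            out = ""
            n = split(required, req, " ")
            for (i = 1; i <= n && !all; i++)
                if (!(req[i] in accepted))
                    out = out (out == "" ? "" : " ") req[i]
            print out
        }'
}

# The ruleset exactly as quoted in the message above.
quoted_ruleset() {
    cat <<'EOF'
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP
EOF
}

quoted_ruleset | missing_icmpv6_types
```

Run against the quoted rules, it reports types 1 and 2, the two types the replies above argue over.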

