ipv6 network fail (newbie alert)

Nick Edwards nick.z.edwards at gmail.com
Wed Mar 20 08:48:19 CET 2013


On 3/16/13, Darren Pilgrim <list_ipv6-ops at bluerosetech.com> wrote:
> On 2013-03-15 00:39, Nick Edwards wrote:
>> I have seen this block - don't block argument before, many times. I
>> have never experienced any "known" problems, however talking to
>> another sys admin in my city (who I used to work with a few years back),
>> he suggested I use, as he does
>> (copy and paste from him on icq):
>>
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP
>
> I think your friend is confusing ICMPv4 and ICMPv6.  Types 3, 4, 11, and
> 12 are used in ICMPv4.  The approximate equivalent in ICMPv6 is 1, 2, 3,
> and 4.  You need to allow them on the output and forward paths as well.
> You probably also want to allow types 135 and 136 for minimal NDP
> functionality.
>

OK, so, it would be best to simply remove all icmp/icmp6 options,
clear them all out, but then use:
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
blocking nothing else?


Thanks
Nik
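
An added example, not part of the original post: a first-match check of which of the ICMPv6 types named in the quoted reply (1 to 4, 135, 136) an INPUT rule list drops. It only parses rule text and never calls ip6tables; `REQUIRED_TYPES`, `REPLY_RULES` and the function names are constructed for illustration, and it covers INPUT with numeric types only, not the output and forward paths.

```shell
#!/bin/sh
# Added example: first-match audit of ip6tables INPUT rules (numeric types only).
# 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded,
# 4 Parameter Problem, 135 Neighbor Solicitation, 136 Neighbor Advertisement
REQUIRED_TYPES="1 2 3 4 135 136"

# The five rules quoted in the thread.
FRIEND_RULES='/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
/usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP'

# Constructed rule set following the reply: allow 1-4 and 135/136, then drop.
REPLY_RULES=$(for t in $REQUIRED_TYPES; do
    echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
done; echo "ip6tables -A INPUT -p icmpv6 -j DROP")

# verdict_for TYPE RULES: target of the first rule that matches TYPE,
# or POLICY when no ICMPv6 rule matches and the chain policy decides.
verdict_for() {
    printf '%s\n' "$2" | awk -v want="$1" '
        !/-A INPUT/ || !/-p (icmpv6|ipv6-icmp)/ { next }
        {
            type = ""; target = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--icmpv6-type") type = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # A rule without --icmpv6-type matches every ICMPv6 packet.
            if (type == "" || type == want) { print target; found = 1; exit }
        }
        END { if (!found) print "POLICY" }'
}

# blocked_types RULES: required types whose first matching rule is DROP.
blocked_types() {
    out=""
    for t in $REQUIRED_TYPES; do
        if [ "$(verdict_for "$t" "$1")" = "DROP" ]; then out="$out $t"; fi
    done
    echo "${out# }"
}

echo "thread rules drop types: $(blocked_types "$FRIEND_RULES")"
echo "reply-style rules drop types: $(blocked_types "$REPLY_RULES")"
```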

