ipv6 network fail (newbie alert)
Wade Roberts
ipv6-ops at acquired-taste.net
Wed Mar 20 09:00:38 CET 2013
On 2013-03-20, at 18:48, Nick Edwards <nick.z.edwards at gmail.com> wrote:
> On 3/16/13, Darren Pilgrim <list_ipv6-ops at bluerosetech.com> wrote:
>> On 2013-03-15 00:39, Nick Edwards wrote:
>>> I have seen this block - don't block argument before, many times, I
>>> have never experienced any "known" problems, however talking to
>>> another sys admin in my city (who I used to work with a few years back),
>>> he suggested I use, as he does
>>> (copy and paste from him on icq) :
>>>
>>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
>>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
>>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
>>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
>>> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 -j DROP
>>
>> I think your friend is confusing ICMPv4 and ICMPv6. Types 3, 4, 11, and
>> 12 are used in ICMPv4. The approximate equivalent in ICMPv6 is 1, 2, 3,
>> and 4. You need to allow them on the output and forward paths as well.
>> You probably also want to allow types 135 and 136 for minimal NDP
>> functionality.
>>
>
> ok, so, it would be best to simply remove all icmp/icmp6 options,
> clear them all out, but then use :
> /usr/local/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
> blocking nothing else?
>
>
> Thanks
> Nik
Before blocking anything, at a minimum be familiar with the implications.
For ICMPv6 in particular, parse the following:
http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xml
--
Wade
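
Added example (not part of the original thread and not any poster's own code): a small shell check that evaluates the quoted INPUT rules first-match against the ICMPv6 types named in Darren's reply, then emits an allow-list along those lines. The function names are hypothetical, and putting the NDP rules on INPUT and OUTPUT only is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# INPUT rules exactly as quoted in the thread (binary path stripped).
QUOTED_RULES='-A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 11 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 12 -j ACCEPT
-A INPUT -p icmpv6 -j DROP'

# verdict RULES CHAIN TYPE: target of the first icmpv6 rule in CHAIN that
# matches the numeric TYPE, or POLICY when no rule matches.
verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v want="$3" '
        $1 == "-A" && $2 == chain {
            proto = ""; t = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--icmpv6-type") t = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (proto == "icmpv6" && (t == "" || t == want)) {
                print target; found = 1; exit
            }
        }
        END { if (!found) print "POLICY" }'
}

# not_accepted RULES CHAIN: which of the types named in the reply
# (1-4 errors, 135/136 NDP) do not reach an ACCEPT rule.
not_accepted() {
    out=""
    for t in 1 2 3 4 135 136; do
        [ "$(verdict "$1" "$2" "$t")" = "ACCEPT" ] || out="$out $t"
    done
    echo $out
}

# minimal_rules: allow-list following the reply. Assumption: NDP rules go
# on INPUT and OUTPUT only, since NDP is link-local and never forwarded.
minimal_rules() {
    for c in INPUT OUTPUT FORWARD; do
        for t in 1 2 3 4; do echo "-A $c -p icmpv6 --icmpv6-type $t -j ACCEPT"; done
    done
    for c in INPUT OUTPUT; do
        for t in 135 136; do echo "-A $c -p icmpv6 --icmpv6-type $t -j ACCEPT"; done
    done
}

echo "quoted INPUT rules fail to accept types: $(not_accepted "$QUOTED_RULES" INPUT)"
```

On the quoted ruleset this reports types 1, 2, 135 and 136 as not accepted: Destination Unreachable, Packet Too Big and Neighbor Solicitation/Advertisement all fall through to the final DROP.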