Link-local and ACLs

Gert Doering gert at space.net
Wed Jul 26 09:52:33 CEST 2017 

Hi,

On Wed, Jul 26, 2017 at 08:48:43AM +1200, Brian E Carpenter wrote:
> >> And why would ACLs be relevant for on-link traffic?
> > 
> > Interface ACLs are relevant for all packets leaving or entering an
> > interface, generally...
> 
> Yes, but why are they relevant except for routers? I didn't see
> anything in the original message that limited its scope to routers.
> Most nodes aren't routers. I don't expect to see ACLs on normal
> hosts.

All my hosts that are in some way Internet exposed have ACLs of
some sort - call it "Windows firewall" or "FreeBSD pf(4)".

Usually these implicitly understand what is needed to make ND work,
but I've heard more than once about cases where Linux people blocked
"everything on input except tcp/80" with ip6tables, killing ND in the 
process -> bam, machine fell of the net, IPv6 gone.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20170726/759a0e23/attachment.bin

More information about the ipv6-ops mailing list