On 2008-04-02, martin f krafft <madduck@xxxxxxxxxxx> wrote:
>
> I have two IPv6 hosts and while one can ping other hosts fine, the
> other cannot. I use the simplest ip6tables configuration on both:
>
>   -P INPUT DROP
>   -P FORWARD DROP
>   -P OUTPUT ACCEPT
>
>   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -j LOG --log-prefix "[INPUT6]: "
>
> On a Debian sid host with 2.6.24, this works fine and my ping6
> packets get answered.
>
> On the host running Debian etch with 2.6.18, the ping6's leave, are
> answered, but the firewall then catches them:
>

ICMPv6 is used for neighborhood discovery (similar to ARP in IPv4).
Therefore dropping all new packets is a bad idea because it will drop ND
requests from other link local stations.

--
Petr
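The point about ND in the reply above, as an added example that is not part of the original thread: a shell check that lists which neighbor discovery ICMPv6 types (133 RS, 134 RA, 135 NS, 136 NA) a ruleset's INPUT chain never accepts, run over the quoted rules and over a constructed corrected variant. The function name, the corrected ruleset and the hop-limit restriction are assumptions of this example; it only recognises numeric `--icmpv6-type` values and treats any matching ACCEPT rule as sufficient.

```shell
# Added example: rulesets are constructed samples in ip6tables-save rule syntax.

# The INPUT rules quoted in the post: no rule accepts ND explicitly.
ORIGINAL_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "[INPUT6]: "'

# Constructed variant: accept RS/RA/NS/NA (types 133-136), and only with
# hop limit 255, which RFC 4861 requires of on-link ND messages.
FIXED_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -j LOG --log-prefix "[INPUT6]: "'

# missing_nd_types RULES  (hypothetical helper name)
# Prints the ND ICMPv6 types that INPUT would drop: those with no ACCEPT rule
# ahead of an unconditional DROP/REJECT or a DROP policy.
missing_nd_types() {
    printf '%s\n' "$1" | awk '
        BEGIN { policy = "ACCEPT"; closed = 0 }
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && !closed {
            proto = ""; type = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--icmpv6-type") type = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            icmp6 = (proto == "ipv6-icmp" || proto == "icmpv6")
            if (target == "ACCEPT" && (NF == 4 || (icmp6 && type == ""))) all = 1
            if (target == "ACCEPT" && icmp6 && type != "") accepted[type] = 1
            if (NF == 4 && (target == "DROP" || target == "REJECT")) closed = 1
        }
        END {
            if (all || (policy == "ACCEPT" && !closed)) exit
            for (t = 133; t <= 136; t++)
                if (!(t in accepted)) out = out (out == "" ? "" : " ") t
            print out
        }'
}

echo "original ruleset drops ND types: $(missing_nd_types "$ORIGINAL_RULES")"
echo "fixed ruleset drops ND types:    $(missing_nd_types "$FIXED_RULES")"
```

On a live host the same function can be fed the output of `ip6tables -S INPUT`, which prints rules in this syntax.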