On Wednesday 2008-04-02 23:44, Petr Pisar wrote:
I have two IPv6 hosts and while one can ping other hosts fine, the
other cannot. I use the simplest ip6tables configuration on both:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "[INPUT6]: "
On a Debian sid host with 2.6.24, this works fine and my ping6
packets get answered.
On the host running Debian etch with 2.6.18, the ping6's leave, are
answered, but the firewall then catches them:
ICMPv6 is used for neighborhood discovery (similar to ARP in IPv4).
Therefore droping all new packets is bad idea because it will drop ND
requestes from other link local stations.
Even so, it should not be INVALID but NEW.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
