On Mon, 2010-08-30 at 14:42 +0200, Jozsef Kadlecsik wrote: > Please check out RFC 4890: Recommendations for Filtering ICMPv6 Messages > in Firewalls, which discusses ICMPv6 filtering in details. It even comes > with an example shell script for netfilter/ip6tables in the appendix. Are you sure that this is still accurate for current kernels? For instance, I would have assumed that things like destination-unreachable or packet-too-big are handled by the stateful inspection code (i.e. are matched by --state RELATED, ESTABLISHED) same as for IPv4? -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
