Re: Problem with ipv6


Ah, progress! If the policy is changed to accept, things work. Also, if 
it is kept as drop, but the input ICMP rule is copied to output, things 
work.

Is this a sensible rule?

                  icmpv6 type { destination-unreachable, packet-too-big,
time-exceeded, parameter-problem, echo-request, mld-listener-query,
nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
nd-neighbor-advert } accept

On 08/10/2024 21:28, Kevin P. Fleming wrote:
> On Tue, Oct 8, 2024, at 16:08, Martin Brampton wrote:
>>           chain output {
>>                   type filter hook output priority filter; policy drop;
>>                   ct state { established, related } accept
>>                   ip protocol icmp icmp type echo-request accept
>>                   ip protocol icmp icmp type echo-request ip daddr 127.0.0.1 accept
>>                   icmpv6 type echo-request accept
>>                   ip protocol { tcp, udp } th dport 53 accept
>>                   tcp dport 123 accept
>>                   tcp dport { 80, 443 } accept
>>                   tcp dport { 25, 465, 587, 993, 995, 4190 } accept
>>           }
> What happens if you change this policy to 'accept', and make no other changes?
>
> At a minimum, you aren't allowing outbound IPv6 ICMP ND packets, which are required for finding other hosts (analogous to IPv4 ARP).
>
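
An added example, not code from either poster: the quoted output chain kept at `policy drop`, with the outbound Neighbor Discovery types it was missing. The `inet` family and the table name `filter` are assumptions, as is the choice to leave out `nd-router-advert` and `mld-listener-query` on the assumption that this machine is a host and not a router.

```nft
# Constructed example. Table family/name are assumptions, not from the thread.
table inet filter {
        chain output {
                type filter hook output priority filter; policy drop;

                # Replies and ICMP errors tied to an existing tracked flow.
                ct state { established, related } accept

                # Neighbor Discovery that a host itself originates:
                #   nd-neighbor-solicit  resolve a neighbour's link-layer address
                #   nd-neighbor-advert   answer a neighbour's solicitation
                #   nd-router-solicit    ask routers for an advertisement
                # Without these the host cannot find its next hop, which is
                # the failure described in the thread (analogous to IPv4 ARP).
                icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept

                # Outbound ping, as in the quoted chain.
                icmpv6 type echo-request accept
                ip protocol icmp icmp type echo-request accept

                # The TCP/UDP service rules from the quoted chain follow here unchanged.
        }
}
```

Saved to a file, this can be syntax-checked without loading it using `nft -c -f <file>`.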





