[ipv6hackers] Operational ICMPv6 Filtering
Gert Doering
gert at space.net
Thu May 31 14:11:28 CEST 2012
Hi,
On Thu, May 31, 2012 at 11:43:12AM +0100, daniel.bartram at bt.com wrote:
> I take the viewpoint of allowing the following:
>
> Permit icmp any any packet-too-big
> Permit icmp any any time-exceeded
> Permit icmp any any echo-reply
> Permit icmp any any echo request
> Permit icmp any any destination-unreachable
> Permit icmp any any time-exceeded
>
> And blocking everything else.

Congratulations on dropping neighbor discovery, and killing all your v6
right away.

I can only strongly recommend that people not invent something new on their
own, but read this RFC first...

4890 Recommendations for Filtering ICMPv6 Messages in Firewalls. E.
Davies, J. Mohacsi. May 2007.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
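
Added example, not part of the original message or of RFC 4890: a small Python audit that parses the quoted permit list and reports which core Neighbor Discovery message types fall through to the default deny. The keyword spellings for the ND types are assumptions modelled on the quoted pseudo-ACL rather than any vendor's syntax, and RFC 4890 covers more message types than the four checked here.

```python
import re

# ICMPv6 type numbers from RFC 4443 and RFC 4861. The keyword spellings are
# assumptions modelled on the quoted pseudo-ACL, not any vendor's syntax.
ICMPV6_TYPES = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "router-solicitation": 133, "router-advertisement": 134,
    "neighbor-solicitation": 135, "neighbor-advertisement": 136,
}
# Core Neighbor Discovery messages a link needs in order to work at all.
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}

RULE = re.compile(r"^\s*permit\s+icmp\s+any\s+any\s+(.+?)\s*$", re.IGNORECASE)

# The rule list from the quoted message (default deny for everything else).
QUOTED_ACL = """\
Permit icmp any any packet-too-big
Permit icmp any any time-exceeded
Permit icmp any any echo-reply
Permit icmp any any echo request
Permit icmp any any destination-unreachable
Permit icmp any any time-exceeded
"""

def permitted_types(acl_text):
    """Return the set of ICMPv6 type numbers the permit lines allow."""
    allowed = set()
    for line in acl_text.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # blank or non-permit line
        # Normalise "echo request" to "echo-request" before lookup.
        keyword = "-".join(match.group(1).lower().split())
        if keyword not in ICMPV6_TYPES:
            raise ValueError(f"unknown ICMPv6 keyword: {keyword!r}")
        allowed.add(ICMPV6_TYPES[keyword])
    return allowed

def missing_nd(acl_text):
    """Neighbor Discovery types that fall through to the default deny."""
    allowed = permitted_types(acl_text)
    return {t: name for t, name in ND_TYPES.items() if t not in allowed}

if __name__ == "__main__":
    for icmp_type, name in sorted(missing_nd(QUOTED_ACL).items()):
        print(f"dropped by default deny: type {icmp_type} ({name})")
```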