Re: iptables bug with neighborhood discovery?

To: debian-ipv6@lists.debian.org, debian-firewall@lists.debian.org
Subject: Re: iptables bug with neighborhood discovery?
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Thu, 12 Nov 2009 10:14:47 +0100
Message-id: <4AFBD207.4000105@plouf.fr.eu.org>
In-reply-to: <4AFBBBDB.2020008@gmx.at>
References: <4AFBBBDB.2020008@gmx.at>

Hello,

Alram Lechner a écrit :
> 
> i am administrate a debian firewall since 2 years without problems. this 
> weeks, we want to activate IPv6 in testing mode. out firewall script are 
> generated with fwbuilder. after i have activated IPv6 on our firewall, i 
> run into some troubles. the first one was, the radvd wasn't able to send 
> advertisement multicasts (radvd log: operation not permitted). first i 
> ignored this problem and i tested ping6 between the hosts and the 
> firewall with the FE80:: addresses. this wasn't also working. after 2 
> days debugging and searching the error, i found out the following:
> 
> fwbuilder generates at the top of the FW script this rules, when the 
> option 'Drop packets that are not associated with any known connection' 
> is active:

Connection tracking does not work with Neighbor Discovery. One reason is
that Neighbor Discovery uses multicast, and connection tracking does not
work with multicast. So you must add rules to accept specifically the
ICMPv6 query and reply types used by Neighbor Discovery (Neighbor
Solicitation, Neighbor Advertisement, Router Solicitation, Router
Advertisement) on interfaces that need it (e.g. ethernet-type, not
point-to-point).

Reply to:

References:
- iptables bug with neighborhood discovery?
  - From: Alram Lechner <alram.lechner@gmx.at>

Prev by Date: iptables bug with neighborhood discovery?
Next by Date: Re: iptables bug with neighborhood discovery?
Previous by thread: iptables bug with neighborhood discovery?
Next by thread: Re: iptables bug with neighborhood discovery?
Index(es):
- Date
- Thread