Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2

To: debian-user@lists.debian.org
Subject: Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Tue, 22 May 2012 00:55:53 +0200
Message-id: <[🔎] 4FBAC7F9.9000604@plouf.fr.eu.org>
In-reply-to: <[🔎] 20120516T142232.GA.bfa2c.stse@fsing.rootsland.net>
References: <[🔎] 1513412350.1244511.1337169282950.JavaMail.open-xchange@email.1und1.de> <[🔎] 20120516T142232.GA.bfa2c.stse@fsing.rootsland.net>

Hello,

Stephan Seitz a écrit :
> 
> IPv6 doesn't have ARP anymore, it uses ICMPv6 to 
> discover ARP addresses and neighbours with the help of multicast IPv6 
> addresses. So your configuration probably drops these packets. It would 
> try to allow all icmpv6 traffic:
> 	${IPT} -A INPUT  -j ACCEPT -m state \! -state INVALID -p icmpv6
> 	${IPT} -A OUTPUT -j ACCEPT -m state \! -state INVALID -p icmpv6

Bad luck : neighbour discovery packets may be in the INVALID state
because of the multicast not handled by connection tracking.

> If you want to tune these rules you have to look into the standards to 
> get all necessary ICMPv6 types you need for a working setup.

neighbour-solicitation
neighbour-advertisement

If you use SLAAC (stateless address autoconfiguration from RA) :
router-solicitation
router-advertisement

And of course, all ICMPv6 types in the RELATED,ESTABLISH states.

Reply to:

References:
- (Debian 2.6.32-45) problems using ipv6/ip6tables #2
  - From: "gustav@spllg.de" <gustav@spllg.de>
- Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
  - From: Stephan Seitz <stse+debian@fsing.rootsland.net>

Prev by Date: Re: Mythtv problem with versions
Next by Date: Re: Update-initramfs Most vs Dep
Previous by thread: Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
Next by thread: Re: Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
Index(es):
- Date
- Thread