Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
g.spellauge wrote:
> thanks, but what i do not understand is the fact, that v6-traffic (even
> the responses to http-requests) is completely blocked after successfully
> receiving a few echo-replies?
Because after some time the neighbour cache entry expires and needs to
be refreshed, but your ruleset drops the required ICMPv6 neighbour
discovery packets.
> if i modify
>
> ${IPT} -A INPUT -i ${INE_IFACE} -m state --state ESTABLISHED,RELATED -j ACCEPT
> ${IPT} -A INPUT -i ${INE_IFACE} -p icmpv6 -j ACCEPT --match limit --limit 10/minute
>
> everything works fine.
Well, the last rule accepts enough ICMPv6 packets to refresh the
neighbour cache. Note however that 10/minute may not be enough if the
host is communicating with many neighbours.
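One way to keep neighbour discovery out of the 10/minute budget discussed above, as an added example that is not part of the original thread: the script prints ip6tables commands that accept the neighbour discovery message types explicitly, ahead of the rate-limited ICMPv6 rule. `IPT` and `INE_IFACE` follow the quoted ruleset; the `nd_rules` function name, the hop-limit match, and printing the commands instead of executing them are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Prints an INPUT ruleset in which neighbour discovery is accepted by its
# own rules, so cache refreshes never compete with other ICMPv6 traffic
# for the 10/minute limit.

IPT="${IPT:-ip6tables}"

# Neighbour discovery message types (RFC 4861, ICMPv6 types 133-136).
# A host that is not a router can drop router-solicitation from this list.
ND_TYPES="router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement"

# nd_rules <interface>: hypothetical helper that writes one command per line.
nd_rules() {
    iface="$1"
    if [ -z "$iface" ]; then
        echo "usage: nd_rules <interface>" >&2
        return 1
    fi

    # Same stateful rule as in the quoted ruleset.
    echo "$IPT -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for t in $ND_TYPES; do
        # RFC 4861 requires hop limit 255 on these messages, so a packet
        # that has crossed a router cannot match.
        echo "$IPT -A INPUT -i $iface -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done

    # Remaining ICMPv6 (echo requests and so on) stays rate limited.
    echo "$IPT -A INPUT -i $iface -p icmpv6 -m limit --limit 10/minute -j ACCEPT"
}

# Print the rules when an interface is supplied via the environment,
# e.g. INE_IFACE=eth0 sh nd-rules.sh
if [ -n "${INE_IFACE:-}" ]; then
    nd_rules "$INE_IFACE"
fi
```

Review the printed commands, then pipe them to `sh` as root to load them.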