Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2

To: "g.spellauge" <sp@softing.com>
Cc: debian-user@lists.debian.org
Subject: Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Sun, 27 May 2012 01:13:06 +0200
Message-id: <[🔎] 4FC16382.8030304@plouf.fr.eu.org>
In-reply-to: <[🔎] 4FBE01C1.9040208@softing.com>
References: <[🔎] 20120516T142232.GA.bfa2c.stse@fsing.rootsland.net> <[🔎] 4FBE01C1.9040208@softing.com>

g.spellauge a écrit :
> thanks, bu what i do not understand is the fact, that  v6-traffic (even
> the responses to http-requests) is completely blocked after successfully
> receiving a few echo-replys?

Because after some time the neighbour cache entry expires and needs to
be refreshed, but your ruleset drops the requires ICMPv6 neighbour
discovery packets.

> if i modify
> 
>       ${IPT} -A INPUT  -i ${INE_IFACE} -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>       ${IPT} -A INPUT  -i ${INE_IFACE} -p
> icmpv6                            -j ACCEPT --match limit --limit 10/minute
> 
> everthing works fine.

Well, the last rule accepts enough ICMPv6 packets to refresh the
neighbour cache. Note however that 10/minute may not be enough if the
host is communicating with many neighbours.

Reply to:

References:
- Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
  - From: Stephan Seitz <stse+debian@fsing.rootsland.net>
- Re: Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
  - From: "g.spellauge" <sp@softing.com>

Prev by Date: Re: Install Squeeze with firmware
Next by Date: If you want to install stable released version
Previous by thread: Re: Re: (Debian 2.6.32-45) problems using ipv6/ip6tables #2
Next by thread: something about the dnet-common
Index(es):
- Date
- Thread