On Thursday, May 08, 2014 12:25:54 PM Olivier Mascia wrote:

> Is there other documentation on ICMPv6 filtering,
> without dropping essential functionality, in the
> specific context of pfSense 2.1.x?

My personal opinion, we already killed IPv4 by filtering
ICMP (and thereby, killing pMTU). Let's not repeat that in
IPv6.

That said, ICMPv6 is different from ICMPv4, as it ensures
link reachability among hosts (ARP is gone, as you know).

It would be nice for pfSense, perhaps, to provide rate
limits that would help ensure ICMPv6 isn't abused, but does
not cut off service.

That said, if you do want to filter ICMPv6, be sure to (at
least) allow the following ICMPv6 messages:

echo-reply
echo-request
membership-query
membership-report
membership-termination
neighbor-advertisement
neighbor-solicit
router-advertisement
router-solicit
time-exceeded
Mark.
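
The allow list above, applied to raw packets, as an added example that is not part of the original message and is not pfSense code. The function names (`icmpv6_type`, `verdict`, `build`) are hypothetical, the type numbers are the standard ones from RFC 4443, RFC 2710 and RFC 4861, and the sample packets are constructed. It walks extension headers before reading the type, because MLD membership messages arrive behind a hop-by-hop Router Alert option and a check on the fixed header's next-header field alone would not recognise them as ICMPv6.

```python
import struct

# ICMPv6 type numbers (RFC 4443, RFC 2710, RFC 4861) for the names in the mail.
ALLOWED = {
    "echo-request": 128, "echo-reply": 129,
    "membership-query": 130, "membership-report": 131,
    "membership-termination": 132,
    "router-solicit": 133, "router-advertisement": 134,
    "neighbor-solicit": 135, "neighbor-advertisement": 136,
    "time-exceeded": 3,
}
ALLOWED_TYPES = set(ALLOWED.values())
ICMPV6 = 58
# Extension headers that begin with (next header, hdr ext len in 8-octet units - 1).
SKIPPABLE = {0, 43, 60}  # hop-by-hop, routing, destination options


def icmpv6_type(packet: bytes):
    """Return the ICMPv6 type of a raw IPv6 packet, or None if it is not ICMPv6."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    nxt, off = packet[6], 40
    while nxt in SKIPPABLE:           # MLD carries a hop-by-hop Router Alert
        if len(packet) < off + 8:
            return None
        nxt, hlen = packet[off], packet[off + 1]
        off += (hlen + 1) * 8
    if nxt != ICMPV6 or len(packet) <= off:
        return None
    return packet[off]


def verdict(packet: bytes) -> str:
    t = icmpv6_type(packet)
    if t is None:
        return "not-icmpv6"
    return "pass" if t in ALLOWED_TYPES else "drop"


def build(icmp_type: int, hop_by_hop: bool = False) -> bytes:
    """Constructed sample packet: fe80::1 -> ff02::1, zeroed ICMPv6 checksum."""
    icmp = bytes([icmp_type, 0, 0, 0]) + bytes(4)
    ext = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0]) if hop_by_hop else b""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(icmp),
                      0 if hop_by_hop else ICMPV6, 1 if hop_by_hop else 255)
    return hdr + src + dst + ext + icmp
```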
