On May 8, 2014 12:05:34 PM CDT, Brian Candler <[email protected]> wrote:
>On 08/05/2014 11:51, Olivier Mascia wrote:
>> On the WAN interface, I'm currently allowing full ICMPv6 in, albeit
>> only from Global Unicast and Multicast addresses.
>> That is: only from 2000::/3 and ff00::/8.
>I don't think you'll see any packets with multicast source addresses.
>It's possible you could see packets with Link-Local source addresses
>(fe80::/64) from the upstream router, but you may not care.
Sorry for the late addition... Perhaps this was already covered, but if not:
Please don't filter ICMPv6. This is one of the key points every intro-to-v6
class teaches: IPv6 actually *needs* ICMPv6 to function in pretty much every
situation.
The official guidance on this subject is RFC 4890, "Recommendations for Filtering
ICMPv6 Messages in Firewalls".
The TL;DR version is "just don't".
If a firewall operator can't read the RFC, and accurately distinguish between
transit and local traffic, then they shouldn't filter any of it.
(Yes, I'm being a hard-ass here, because I already see people breaking IPv6
because they think it's OK to filter ICMP.)
It is probably possible to extrapolate a base set of recommendations that
pfSense might be able to build in, similar to how there's a lot of automatic
IPv4 filtering under the hood, but I don't believe this has been done yet.
-Adam
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
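As an added illustration (not part of the thread, and not pfSense's own generated rules), here is a pf.conf fragment showing how the RFC 4890 split between transit and link-local ICMPv6 can be expressed on a WAN interface; it assumes the interface name em0 and the icmp6-type keywords of FreeBSD's pf, on which pfSense is built.

```pf
# Added example, not from the mailing-list thread. Assumed WAN interface name.
wan_if = "em0"

# RFC 4890 section 4.3.1: error and diagnostic messages that must not be dropped.
# Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem,
# Echo Request and Echo Reply can arrive from any address, including routers
# in the middle of the path, so no source restriction is applied here.
# Dropping Packet Too Big in particular silently breaks Path MTU discovery.
pass in quick on $wan_if inet6 proto ipv6-icmp \
    icmp6-type { unreach, toobig, timex, paramprob, echoreq, echorep }

# Neighbor Discovery (RFC 4861) is link-local scope: these messages carry a
# hop limit of 255 and receivers discard any that were forwarded, so they can
# only originate from the directly attached upstream device. Router
# Advertisements always use a link-local (fe80::/10) source, which is exactly
# the traffic a "global unicast only" source filter would drop.
pass in quick on $wan_if inet6 proto ipv6-icmp from fe80::/10 \
    icmp6-type { routersol, routeradv }

# Neighbor Solicitation/Advertisement may use a link-local or global source,
# or the unspecified address (::) during Duplicate Address Detection, so only
# the type is matched; blocking these breaks address resolution with the
# upstream router and therefore all IPv6 traffic on the interface.
pass in quick on $wan_if inet6 proto ipv6-icmp \
    icmp6-type { neighbrsol, neighbradv }

# MLD queries come from the upstream router with a link-local source.
pass in quick on $wan_if inet6 proto ipv6-icmp from fe80::/10 \
    icmp6-type { listqry }

# Everything else in ICMPv6 arriving on the WAN is logged and dropped; review
# the log before tightening further, as RFC 4890 section 4.3 lists additional
# types that may be needed depending on the deployment.
block in log on $wan_if inet6 proto ipv6-icmp
```

pf keeps state by default, so the reverse direction of the echo and error traffic is handled without separate rules.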
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list