On 21-5-2014 9:11, Olivier Mascia wrote:
> On 14 May 2014 at 03:37, Chris Buechler <c...@pfsense.com
> <mailto:c...@pfsense.com>> wrote:
> 
>>     > IMO, I agree that it's best to let ICMP flow free on IPv6. ICMP
>>     has had
>>     > a bad reputation for a long time, and it's mostly undeserved in
>>     recent
>>     > times.
>>     >
>>     > Jim
>>
>>     How should I interpret the code you pointed to?
>>     That pfSense do let ICMPv6 flow freely (at least most of it deemed
>>     to be required for IPv6 correct behavior) by default, and it then
>>     is not dropped by the default block rule?
>>
>>
>> The ICMPv6 traffic that's considered required for things to function
>> properly is automatically allowed. 
> 
> Excellent. Thanks!

The rules should automatically allow ICMP6 echo, packet too big and
neighbor discovery on the link-local addresses so that basic
functionality works.

IIRC ICMP6 echo is not allowed from the internet using the GUA
addresses, but ND, RA and RS are for normal operation.

The rules are specifically higher in the ruleset to prevent accidentally
blocking (and breaking) your IPv6 internet.

To be fair, we could make the RA and RS rules a bit more fine-grained
for ICMP6, but those would apply to the link-local scope and are of
limited reachability (at least not from the internet).

We already toggle a sysctl if we want to accept an RS for a given
interface, so that would be of limited use.

Regards,
Seth
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
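The policy Seth describes, written out as a pf ruleset. This is an added illustration, not pfSense's generated rules: the interface names `wan` and `lan`, the use of `quick` to place the ICMPv6 rules ahead of the default block, and the inclusion of the unspecified source `::` (used by Duplicate Address Detection) are assumptions made for the example.

```pf
# Added example, not pfSense's own ruleset. Interface names "wan"/"lan" are
# assumed. The point is ordering: the ICMPv6 rules the protocol depends on
# sit ABOVE the default block and are "quick", so a later broad block rule
# cannot accidentally match them and break IPv6 on the box.

link_local = "fe80::/10"
mcast_ll   = "ff02::/16"

# Neighbor Discovery (NS/NA) and Router Solicitation/Advertisement.
# These only travel between link-local addresses (plus "::" as the NS source
# during Duplicate Address Detection), so they are never reachable from the
# internet; the exposure is the directly attached link only.
pass in quick on { wan, lan } inet6 proto icmp6 \
    from { $link_local, ::/128 } to { $link_local, $mcast_ll } \
    icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# Packet Too Big (type 2) is generated by intermediate routers anywhere on
# the path, so it must be accepted to any of our addresses, including GUAs.
# Dropping it silently breaks Path MTU Discovery.
pass in quick inet6 proto icmp6 from any to any icmp6-type toobig

# Echo: allowed on the LAN side and at link-local scope. No rule on wan for
# GUA destinations, so echo from the internet to GUA addresses falls through
# to the default block below (matching the behaviour described above).
pass in quick on lan inet6 proto icmp6 icmp6-type { echoreq, echorep }
pass in quick on wan inet6 proto icmp6 \
    from $link_local to $link_local icmp6-type { echoreq, echorep }

# Default block. Because everything above is "quick", this is reached only
# by traffic none of those rules matched.
block in log inet6 all
```

Everything the rules above do not match, including echo requests aimed at a GUA from the internet, lands on the final `block`, which is why the ICMPv6 exceptions are listed first rather than relying on the operator to remember them when editing the ruleset.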
