On 21 May 2014 at 09:23, Seth Mos <[email protected]> wrote:

>>> The ICMPv6 traffic that's considered required for things to function
>>> properly is automatically allowed.
>>
>> Excellent. Thanks!
>
> The rules should automatically allow ICMP6 echo, packet too big and
> neighbor discovery on the link-local addresses so that basic
> functionality works.
>
> IIRC ICMP6 echo is not allowed from the internet using the GUA
> addresses, but ND, RA and RS are for normal operation.
>
> The rules are specifically higher in the ruleset to prevent accidentally
> blocking (and breaking) your IPv6 internet.
>
> To be fair, we could make the RA and RS rules a bit more fine grained
> for ICMP6, but those would apply to the link-local scope and are of
> limited reachability (at least not from the internet).
>
> We already toggle a sysctl if we want to accept a RS for a given
> interface, so that would be of limited use.
In follow-up to this discussion, and before reading you above, I had updated my ruleset to allow ICMPv6 echoreq (with log) on the WAN from 2000::/3 only. I have no blocking rule for ICMPv6, only that additional echoreq allow rule, which, if I understood correctly, is not strictly required, but it fits my wishes until the day I get a flooding attack on it.

On the LAN, I have no ICMP rules whatsoever and, if I read you correctly, that should be just right. It at least seems so: the LAN interface is pingable from the LAN and we see no issue with our IPv6 network, being able to reach any IPv6 target on either the LAN or WAN side.

To my understanding, I'm then all set, with the added 'pingability' from the WAN (albeit for ICMPv6 only, not ICMPv4, which is blocked by the default rules).

If I'm wrong and have still misunderstood something, I'll gladly stand corrected.

Thanks!

__
Olivier Mascia
tipgroup.com/om

_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
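For readers who want to see what the policy discussed in this thread looks like as concrete filter rules, here is an added example: a hand-written pf.conf fragment for a plain pf host (FreeBSD or OpenBSD), not the ruleset pfSense generates and not anything either poster shared. Interface names (em0/em1), the per-source state cap of 20 and the choice to keep ND stateless are assumptions made for the illustration. It allows neighbor discovery and router advertisements only on link-local scope, Packet Too Big from anywhere (PMTU discovery breaks without it), and echo requests to the WAN address only from global unicast space (2000::/3), logged, as Olivier describes; everything else, including ICMPv4 echo on the WAN, falls to the default deny.

```pf
# Added example, not the pfSense-generated ruleset. Interface names,
# the state cap and the stateless ND handling are assumptions.
wan = "em0"
lan = "em1"

# Default deny: nothing is reachable unless explicitly passed below.
block log all

# Neighbor discovery, router solicitation/advertisement: link-local
# sources (or the unspecified address, used by duplicate address
# detection) to link-local or link-scope multicast destinations. This
# traffic is never routed in from the internet, so the reachability is
# limited to the attached link, as Seth notes. Kept stateless because
# ND is not a request/response flow that pf state tracking helps with.
pass quick inet6 proto ipv6-icmp from { fe80::/10, ::/128 } \
    to { fe80::/10, ff02::/16 } \
    icmp6-type { routersol, routeradv, neighbrsol, neighbradv } no state

# Packet Too Big must be accepted from anywhere or path MTU discovery
# fails and large IPv6 transfers stall.
pass quick inet6 proto ipv6-icmp icmp6-type toobig no state

# Echo requests to the WAN address, only from global unicast space,
# logged. The source-tracked state cap (assumed value: 20) is a cheap
# first brake on a ping flood from a single source; it is not a full
# rate limit (max-src-conn-rate applies to TCP only).
pass in log quick on $wan inet6 proto ipv6-icmp from 2000::/3 to ($wan) \
    icmp6-type echoreq keep state (source-track rule, max-src-states 20)

# LAN: hosts may ping the firewall and pass through it; no ICMPv6-
# specific rule is needed beyond the generic pass, matching the
# "no ICMP rules on the LAN" setup described in the thread.
pass in quick on $lan inet6 from ($lan:network) to any keep state

# The firewall itself may originate anything. ICMPv4 echo to the WAN
# stays blocked by the default deny above, since nothing passes it.
pass out quick keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -sr | grep ipv6-icmp` to confirm the ICMPv6 rules are present and in the order intended (the link-local and toobig rules above the echo rule). On pfSense the equivalent auto-generated rules can be inspected in the generated file /tmp/rules.debug or with `pfctl -sr` from the shell, which is the quickest way to verify Seth's statement that they sit above the user rules.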
