Hi,
I am reviewing our firewall rules and have a question regarding IPv6
Neighbor Discovery. In Stewart's "The Book of PF" book, I interpret the
section on IPv6 Neighbor Discovery to mean that it is a good idea to
allow Neighbor Solicitations and Advertisements only from the local
networks. Our pf rule for IPv6 Neighbor Discovery therefore looks as
follows (We use static IPv6 addresses, no SLAAC, and static routing.):
# IPv6 Neighbor Discovery - Limited to directly connected networks
# "egress" and "internal" are interface groups
pass quick inet6 \
proto icmp6 \
from { (egress:network) (internal:network) } \
icmp6-type { neighbrsol neighbradv } \
keep state
I noticed in the relevant RFC (RFC 4861, Section 11.2) that packets are
discarded if the hop count is not 255 (i.e., when packets arrive via a
gateway). Should the firewall rule nevertheless restrict the networks as
described above, and is this best practice? Are there other
(security-related) points to consider?
best regards
Frederik
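The following is an added worked example and is not part of Frederik's mail or of the pf rule above. It implements the receiver-side validation that RFC 4861 sections 7.1.1 and 7.1.2 require for Neighbor Solicitation and Neighbor Advertisement messages, including the Hop Limit == 255 test the question refers to, and runs it over packets constructed inline (nothing is sent on the wire). The packet builder, the address values and the short reason strings are all assumptions of this example, chosen only so the rejection paths can be exercised.

```python
"""RFC 4861 Neighbor Discovery receiver-side validation (added example).

Applies the checks of RFC 4861 sections 7.1.1 (NS) and 7.1.2 (NA) to raw
IPv6 packets, most importantly the Hop Limit == 255 rule that rejects any
ND message a router has forwarded. All packets are constructed locally.
"""
import ipaddress
import struct

ICMPV6 = 58
ND_NEIGHBOR_SOLICIT = 135
ND_NEIGHBOR_ADVERT = 136
OPT_SOURCE_LLADDR = 1
# Solicited-node multicast range ff02::1:ffXX:XXXX (RFC 4291).
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def icmpv6_checksum(src, dst, payload):
    """One's-complement checksum over the IPv6 pseudo-header and ICMPv6 payload."""
    pseudo = src + dst + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([ICMPV6])
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_nd(src, dst, icmp_type, target, hop_limit=255, flags=0, options=b""):
    """Construct an IPv6 + ICMPv6 NS/NA packet (constructed test input only)."""
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ipaddress.IPv6Address(dst).packed
    body = struct.pack("!BBHI", icmp_type, 0, 0, flags) + ipaddress.IPv6Address(target).packed + options
    body = body[:2] + struct.pack("!H", icmpv6_checksum(src_b, dst_b, body)) + body[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, hop_limit) + src_b + dst_b
    return ip6 + body


def validate_nd(packet):
    """Return (accepted, reason); checks follow the order in RFC 4861 7.1.1/7.1.2."""
    if len(packet) < 40:
        return False, "short ipv6 header"
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6 or nxt != ICMPV6:
        return False, "not icmpv6"
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    payload = packet[40:40 + plen]
    if len(payload) != plen or plen < 4:
        return False, "truncated payload"
    icmp_type, code, csum = struct.unpack("!BBH", payload[:4])
    if icmp_type not in (ND_NEIGHBOR_SOLICIT, ND_NEIGHBOR_ADVERT):
        return False, "not nd"
    # "The IP Hop Limit field has a value of 255, i.e., the packet could not
    # possibly have been forwarded by a router."  (RFC 4861, 7.1.1 / 7.1.2)
    if hlim != 255:
        return False, "hop limit"
    if icmpv6_checksum(src.packed, dst.packed, payload[:2] + b"\x00\x00" + payload[4:]) != csum:
        return False, "checksum"
    if code != 0:
        return False, "icmp code"
    if len(payload) < 24:
        return False, "short nd message"
    target = ipaddress.IPv6Address(payload[8:24])
    if target.is_multicast:
        return False, "multicast target"
    # Options are TLVs whose length is in units of 8 octets; zero is invalid.
    opts = payload[24:]
    while opts:
        if len(opts) < 2 or opts[1] == 0 or len(opts) < opts[1] * 8:
            return False, "bad option"
        if icmp_type == ND_NEIGHBOR_SOLICIT and src.is_unspecified and opts[0] == OPT_SOURCE_LLADDR:
            return False, "lladdr option with unspecified source"
        opts = opts[opts[1] * 8:]
    # DAD: an NS from :: must go to a solicited-node multicast address.
    if icmp_type == ND_NEIGHBOR_SOLICIT and src.is_unspecified and dst not in SOLICITED_NODE:
        return False, "dad to non-solicited-node"
    # An NA sent to a multicast address must not carry the Solicited flag (0x40).
    if icmp_type == ND_NEIGHBOR_ADVERT and dst.is_multicast and payload[4] & 0x40:
        return False, "solicited flag on multicast na"
    return True, "ok"


if __name__ == "__main__":
    on_link = build_nd("fe80::1", "ff02::1:ff00:2", ND_NEIGHBOR_SOLICIT, "2001:db8::2")
    forwarded = build_nd("fe80::1", "ff02::1:ff00:2", ND_NEIGHBOR_SOLICIT, "2001:db8::2", hop_limit=64)
    print("on-link NS:", validate_nd(on_link))
    print("NS with hop limit 64:", validate_nd(forwarded))
```

The point of the hop-limit test is that every router decrements the field, so a value of 255 on arrival can only come from a node on the same link; an address filter such as the pf rule restricts which source prefixes are accepted, while the hop-limit check (done by the receiving host's ND implementation) rejects anything that crossed a router regardless of its source address. The two checks answer different questions and are complementary.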