[Firehol-support] parameter "all" not matching icmp/icmpv6?

Phil Whineray phil at sanewall.org
Sat Jun 21 18:11:39 BST 2014


Hi Mihai

On Thu, Jun 19, 2014 at 03:39:38AM -0700, Mihai Hanor wrote:
> The firehol help (displayed when running firehol without any parameters)
> states that "all" "matches all packets, all protocols, all of everything".
> Why is netfilter logging neighbor solicitation and router solicitation,
> when I have "server all drop", on a particular interface? It seems that
> I have to put a specific rule, for it to drop that type of packets,
> without logging them.

That message dates to when FireHOL was IPv4 only. Thanks for pointing
this out, as it needs to be updated. The "all" includes ICMP but not ICMPv6
due to its replacing protocols such as ARP which do not get filtered by
most firewalls.

If you're sure you want to drop these packets and do so silently, then
you can drop them explicitly as you suggest.

For anyone considering this, please note that dropping incoming NS packets
will stop other machines on the network being able to resolve your IPv6
address and will likely prevent IPv6 from operating properly. See
the "Important ICMP differences" section on this page for some extra
information:
  http://firehol.org/upgrade/

Hope that helps
Phil
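As an added illustration of the point made in the reply (this is not configuration from the thread or from the FireHOL project), the interface block below handles ICMPv6 explicitly so that neighbour and router discovery keep working and the rest is dropped silently instead of falling through to the interface's logging policy. It assumes FireHOL 2.x syntax (`version 6`), a placeholder interface name `eth0`, and that `ipv6neigh`, `ipv6router` and `icmpv6` are the FireHOL service names for those ICMPv6 message types; check `firehol-services(5)` on your version before using them.

```firehol
version 6   # FireHOL 2.x config format (assumed)

# eth0 is a placeholder; substitute the interface from your own setup.
interface eth0 lan
    policy drop          # unmatched packets are dropped AND logged by FireHOL
    protection strong

    # Rules are emitted in order. Accept neighbour/router discovery first:
    # dropping NS/NA stops other hosts resolving this machine's IPv6 address.
    server ipv6neigh accept    # NS/NA  (assumed FireHOL 2.x service name)
    server ipv6router accept   # RS/RA  (assumed FireHOL 2.x service name)

    # Drop any other inbound ICMPv6 silently, since "all" does not cover it.
    server icmpv6 drop         # assumed FireHOL 2.x service name

    # "all" covers every IPv4 protocol (ICMP included) and the other IPv6
    # protocols; on its own it would leave NS/RS to the logging policy above.
    server all drop

    client all accept
```

Ordering matters: if `server all drop` were placed first, the later ICMPv6 rules would still be reached (since `all` excludes ICMPv6), but putting the accepts first makes the intent explicit and keeps the discovery traffic from being affected by any future change to what `all` matches.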
