[Firehol-devs] IPv6 neighbor discovery not working with an allow-everything interface
phil at sanewall.org
Sat Jan 18 08:26:40 GMT 2014
On Mon, Jan 13, 2014 at 07:53:21AM +0000, Andreas Unterkircher wrote:
> I guess we should note somewhere, that even an interface that
> accepts everything in & out will not permit IPv6 neighbor- and
> router-discovery on that interface. "all" only permits stateful
> packet behavior while ND and RD are working "stateless" (or at
> least conntrack cannot track them) and will get filtered.
Agreed - I will most likely try to add this to the tutorial information
and possibly a FAQ on the new website. And the general ICMPv6 service
description probably needs a dire security warning for routers, come
to think of it.
Some additional thoughs I have below.
The 'all' service is able to start complex services also, so it would
be possible to make it include the necessary rules. I don't think doing
so is a good idea because the implications for these packets is
quite different to most.
In particular "all" in an interface probably means allowing router
announce packets in, but out would be a special case (when we are an
ipv6 router) and in a router it will be rare to want to pass these
or neighbour packets in general (maybe if we are a bridge).
Another alternative would be to include some standard rules at the end
of an IPv6-capable interface, which would allow the common case (e.g. allow
neighbour discovery/announce and required error icmp in and out). By
including the rules at the end, they could be explicitly dropped by the
user within the rules.
That still leaves the question of router discovery/announce. It would
be possible to allow incoming announces as part of the default rules
on an interface although where ND/NA are roughly equivalent to ARP,
RD/RA present an additional risk in that any host could try to
autoconfigure your default gateway.
If anyone has any ideas on how the rules could be simplified I'd welcome
the input. Some pertinent links:
More information about the Firehol-devs