[Firehol-support] router_ra pppoe and firehol ?!

Tamer Higazi th982a at googlemail.com
Thu Jul 23 16:57:16 BST 2015


Phil... I did whatever you said to me, and it still doesn't work, the
errors are still remaining.

I wrote my own iptables and ip6tables rules, denied everything and
accepted only ICMP and ICMPv6 on all devices and it works without
problems.... for days....

my machine runs in ipv4 and ipv6 dual stack mode with pppoe dialin, DTAG AG.


best, Tamer



Am 21.07.2015 um 08:11 schrieb Phil Whineray:
>> My latest results, I can ping out with ipv6 but in the logs are:
>>
>> Jul 20 03:26:28 livetool kernel: OUT-inet:IN= OUT=enp6s1
>> SRC=fe80:0000:0000:0000:02e0:53ff:fe0c:9d18
>> DST=fe80:0000:0000:0000:021d:aaff:fe87:cd28 LEN=72 TC=0 HOPLIMIT=255
>> FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
> 
> Here is a list of the ICMPv6 types:
> 
> http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-2
> 
> You will see that type 135 is Neighbour Solicitation, and it is going
> OUT on enp6s1 which means that interface is missing the line:
>   client ipv6neigh accept
> 
>> and as I suggest, later ip6 won't work anymore.... (sniff.... i guess).
> 
> NS works similarly to ARP in IPv4 and is cached so it will work for a
> little while until the value becomes stale and there is no way to refresh
> it. You can inspect the tables by running `ip -6 nei`.
> 
> Cheers
> Phil
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support
> 




More information about the Firehol-support mailing list