[GLLUG] radvd and vlans
Tim Woodall
t at woodall.me.uk
Wed Feb 7 10:00:36 UTC 2018
On Wed, 7 Feb 2018, Tim Woodall via GLLUG wrote:
>>
>> Are you allowing all the neighbour discovery ICMP messages?
>>
>> I have the following on my firewall
>> ${IP6TABLES} -t filter -A INPUT -p icmpv6 -s fe80::/10 -j ACCEPT
>> ${IP6TABLES} -t filter -A OUTPUT -p icmpv6 -s fe80::/10 -j ACCEPT
>> ${IP6TABLES} -t filter -A INPUT -p icmpv6 -d fe80::/10 -j ACCEPT
>> ${IP6TABLES} -t filter -A OUTPUT -p icmpv6 -d fe80::/10 -j ACCEPT
>> ${IP6TABLES} -t filter -A INPUT -p icmpv6 -s 2001:08b0:xxxx::/48 -j ACCEPT
>> ${IP6TABLES} -t filter -A OUTPUT -p icmpv6 -s 2001:08b0:xxxx::/48 -j ACCEPT
>> ${IP6TABLES} -t filter -A INPUT -p icmpv6 -d 2001:08b0:xxxx::/48 -j ACCEPT
>> ${IP6TABLES} -t filter -A OUTPUT -p icmpv6 -d 2001:08b0:xxxx::/48 -j ACCEPT
>>
>> These allow more than strictly required. Particularly lines 6 and 7. I
>> think there's a ff00:: address involved in this that would probably be
>> better than my entire /48 to/from anywhere.
>>
>> (and obfuscating my /48 is probably futile - might even be visible in the
>> header of the email - but I'm hopefully now using privacy addressing)
>>
>> Tim.
>>
>>
>>
>
> Quick google - the addresses are ff02::2 - all routers multicast address
> and ff02::1 - all hosts multicast address.
>
And I now see that the rules above 'work for me' but are not sufficient.
In particular, I think the ff02:: link local multicast addresses should
also be allowed in and out.
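The tighter ruleset the thread is circling around, written out as an added example (not Tim's firewall script and not from the original post): instead of admitting all ICMPv6 to and from the whole /48, match only the four neighbour-discovery message types and require the hop limit of 255 that RFC 4861 mandates for them, which confines them to the link without needing an address filter at all, so ff02::1, ff02::2, the solicited-node groups, link-local and global sources are all covered. The function names are mine; the `IP6TABLES` variable follows the quoted script, and the rules assume a filter table with a default DROP policy after them.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an ip6tables ruleset that
# admits only the neighbour-discovery message types, matched by ICMPv6
# type and hop limit rather than by address. Assumption: the rules sit in
# the filter table ahead of a default DROP; MLD and the ICMPv6 error types
# (see RFC 4890 for those) are out of scope here.
set -eu

IP6TABLES="${IP6TABLES:-ip6tables}"   # set IP6TABLES=echo for a dry run

# nd_rules: print one rule per line without executing anything, so the set
# can be reviewed before it is applied. No -s/-d filter is used on purpose:
# ND sources may be link-local, :: (duplicate address detection) or a
# global address (resolution of a global target), and destinations include
# ff02::1, ff02::2 and the solicited-node groups. "-m hl --hl-eq 255" is
# the link confinement instead: RFC 4861 requires hop limit 255 on ND
# packets, and a packet that crossed a router cannot still carry it.
nd_rules() {
    for t in 133 134 135 136; do   # RS, RA, NS, NA
        for chain in INPUT OUTPUT; do
            printf '%s %s -p icmpv6 --icmpv6-type %s -m hl --hl-eq 255 -j ACCEPT\n' \
                -A "$chain" "$t"
        done
    done
}

# nd_rule_count: number of rules nd_rules emits (4 types x INPUT/OUTPUT).
nd_rule_count() {
    nd_rules | grep -c 'ACCEPT$'
}

# apply_nd_rules: feed each generated rule to ip6tables.
apply_nd_rules() {
    nd_rules | while read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        $IP6TABLES -t filter $rule
    done
}

# Only apply when explicitly asked, e.g.: IP6TABLES=echo sh nd-rules.sh apply
if [ "${1:-}" = apply ]; then
    apply_nd_rules
fi
```

Run it with `IP6TABLES=echo` first to see the eight rules it would load; a radvd host needs the type 134 OUTPUT rule and the type 133 INPUT rule in particular.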