
Question about automatic ipv6-icmp floating rule


Claypenguin:
Hello all,

I have a question about the automatically generated ipv6-icmp floating rule. In my understanding this rule should allow all ipv6-icmp traffic on all interfaces, because it's an IPv6 requirement, right? But unless I add another rule on WAN-in that allows ipv6-icmp traffic, ipv6-icmp to my devices is being filtered.

Am I missing something here?

Cheers

https://imgur.com/QlqJihR

marjohn56:
Although ICMP is a requirement and is/can be used for certain management functions, it's a bit hard to force people to leave the firewall totally open for all ICMPv6 traffic. If OPNsense did that there would be a lot of grief! I have an allow-all ICMPv6 rule, but my GeoIP rule takes priority and blocks most regions... just in case.


You have the choice of adding an allow-all rule or tailoring it to suit your needs. You'll find the Windows firewall also blocks unsolicited inbound ICMPv6 packets; take it up with Microsoft and see how far you get. :)



Claypenguin:
I've noticed the Windows thing :D

So regarding the automatic rule, what exactly does it do then?

Edit:

For anyone interested, I've looked a little bit more into this and apparently the automatic rules are only for the icmp6-types unreach, toobig, neighbrsol and neighbradv. I've manually added the rules to my firewall that are recommended as per RFC 4890: https://tools.ietf.org/html/rfc4890#section-4.3.1

IsaacFL:
For the WAN interface, you only need a rule passing in ICMP Echo Request. All of the other types of ICMP will be handled by the stateful part of the firewall.

For example, you should only see an Echo Response (Type 129) coming in after a local host sent out an Echo Request (Type 128).  The stateful firewall will automatically allow the response in.

You would not want to allow an unsolicited Echo Response to pass into the firewall.

This is also true if you allow ICMPv4 on the WAN interface.
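
The two points made above, the automatic rule covering only unreach/toobig/neighbrsol/neighbradv (Claypenguin's edit) and the stateful handling of Echo Reply (IsaacFL's post), as an added worked example that is not part of the forum thread and is not OPNsense or pf code. It is a small Python model of a WAN interface: a pass-in rule set, an echo state table, and the RFC 4890 section 4.3.1 "must not be dropped" list. The `Packet`, `StatefulFirewall` and `simulate` names and the sample trace are assumptions constructed for the example; the model only tracks Echo Request/Reply state and ignores pf's state timeouts and its matching of ICMPv6 error messages against the embedded packet's state.

```python
"""Model of stateful ICMPv6 filtering on a WAN interface (added example, not
OPNsense/pf code). Type numbers are from RFC 4443 and RFC 4861; the
"must not be dropped" list is RFC 4890 section 4.3.1."""
from dataclasses import dataclass

# ICMPv6 message types (RFC 4443 / RFC 4861).
DEST_UNREACH, PKT_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
NEIGHBOR_SOL, NEIGHBOR_ADV = 135, 136

# Types the thread reports the automatic floating rule passes.
AUTO_RULE_TYPES = frozenset({DEST_UNREACH, PKT_TOO_BIG, NEIGHBOR_SOL, NEIGHBOR_ADV})

# RFC 4890 section 4.3.1: type -> allowed codes (None means every code).
RFC4890_MUST_PASS = {
    DEST_UNREACH: None,
    PKT_TOO_BIG: None,
    TIME_EXCEEDED: {0},
    PARAM_PROBLEM: {1, 2},
    ECHO_REQUEST: None,
    ECHO_REPLY: None,
}


def rfc4890_must_pass(icmp_type, code):
    """True if RFC 4890 section 4.3.1 says this type/code must not be dropped."""
    codes = RFC4890_MUST_PASS.get(icmp_type, set())
    return codes is None or code in codes


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the WAN interface
    icmp_type: int
    code: int = 0
    src: str = ""
    dst: str = ""
    ident: int = 0   # echo identifier, used to pair a reply with its request


class StatefulFirewall:
    """Pass-in rule set plus an echo state table (a simplified 'keep state')."""

    def __init__(self, pass_in_types):
        self.pass_in_types = frozenset(pass_in_types)
        self.echo_states = set()   # (local host, remote host, ident)

    def filter(self, pkt):
        if pkt.direction == "out":
            # Outbound is allowed; an Echo Request creates state for its reply.
            if pkt.icmp_type == ECHO_REQUEST:
                self.echo_states.add((pkt.src, pkt.dst, pkt.ident))
            return "pass"
        if pkt.icmp_type == ECHO_REPLY:
            # A reply passes only if a local host asked for it (state match).
            if (pkt.dst, pkt.src, pkt.ident) in self.echo_states:
                return "pass"
            return "block"   # unsolicited Echo Reply
        # Everything else inbound needs an explicit pass-in rule.
        return "pass" if pkt.icmp_type in self.pass_in_types else "block"


# Constructed trace: the remote host probes us, we ping it, someone spoofs a reply.
TRACE = [
    Packet("in", ECHO_REQUEST, src="2001:db8::1", dst="2001:db8:1::10", ident=7),
    Packet("out", ECHO_REQUEST, src="2001:db8:1::10", dst="2001:db8::1", ident=42),
    Packet("in", ECHO_REPLY, src="2001:db8::1", dst="2001:db8:1::10", ident=42),
    Packet("in", ECHO_REPLY, src="2001:db8::2", dst="2001:db8:1::10", ident=99),
    Packet("in", PKT_TOO_BIG, src="2001:db8::1", dst="2001:db8:1::10"),
]


def simulate(pass_in_types, trace=TRACE):
    """Run the trace through a fresh firewall and return the verdict list."""
    fw = StatefulFirewall(pass_in_types)
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print("automatic rule only:   ", simulate(AUTO_RULE_TYPES))
    print("plus Echo Request rule:", simulate(AUTO_RULE_TYPES | {ECHO_REQUEST}))
```

With only the automatic rule the inbound Echo Request is blocked, which is the behaviour the original post observed; adding a pass-in rule for type 128 fixes that, and the solicited reply passes in both cases because it matches state rather than a rule, while the unsolicited reply is blocked in both.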

matusp:
Hello IsaacFL,
I tried setting an inbound rule on WAN allowing all ICMPv6 messages for test purposes, but it still does not earn me a full score on https://ipv6-test.com/
Understand this would not be the most secure approach.
Can you suggest the rules to be set?
Thanks!
Matus
