The ping response is only required during registration/update of the tunnel endpoint, or do I need to allow it during the use of the tunnel after registration?
Only for setup, but you should consider allowing it after too
Quote from: cholzhauer on May 29, 2015, 04:30:22 AM
Only for setup, but you should consider allowing it after too
What will happen if it is not allowed?
Why are you against having icmp4 open?
Quote from: kriteknetworks on May 30, 2015, 04:44:44 AM
Why are you against having icmp4 open?
Because I don't want to put so many rules on my firewall, because the maximum number of rules is limited.
Don't want too many firewall rules? Drop/exclude the one that blocks ICMP ;)
Want to operate a network like a professional, rather than someone that believes the FUD of leaving ICMP reachable? rate-limit ICMP, don't block.
Were you planning on blocking ICMP6 as well? Because if so, enjoy the crappy broken PMTUD you'd be introducing.
Quote from: broquea on May 30, 2015, 10:01:59 AM
Don't want too many firewall rules? Drop/exclude the one that blocks ICMP ;)
Want to operate a network like a professional, rather than someone that believes the FUD of leaving ICMP reachable? rate-limit ICMP, don't block.
Were you planning on blocking ICMP6 as well? Because if so, enjoy the crappy broken PMTUD you'd be introducing.
There are two reasons.
Firstly, I can only configure allow rules on my upstream(AWS) stateful firewall.
Secondly, egress traffic is very expensive, so I want to drop as many packets as possible to prevent responding while allowing incoming packets dynamically using ip6tables connection tracking.
Does this setup have any problem?
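An added example (not from this thread or any poster) of the "rate-limit ICMP, don't block" approach combined with the connection-tracking setup described above. It assumes a Linux host with iptables/ip6tables; the tunnel interface name, the broker address and the rate values are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: keep ICMP reachable but bounded, and let conntrack admit
# replies to outbound traffic so no per-flow allow rules are needed.
# Assumptions (placeholders, not from the thread): tunnel interface name,
# broker IPv4 address (documentation range), and the rate limits.
set -eu

IPT="${IPT:-iptables}"             # set IPT=echo / IP6T=echo to dry-run
IP6T="${IP6T:-ip6tables}"
TUN_IF="${TUN_IF:-he-ipv6}"        # assumed 6in4 tunnel interface name
BROKER_V4="${BROKER_V4:-192.0.2.1}" # constructed placeholder for the broker
RATE="${RATE:-10/second}"          # echo-request rate allowed per interface
BURST="${BURST:-20}"

apply_icmp_policy() {
  # Default deny for unsolicited inbound traffic on both stacks.
  "$IPT"  -P INPUT DROP
  "$IP6T" -P INPUT DROP

  # Replies to connections this host started are admitted dynamically by
  # connection tracking; this is what keeps the rule count small.
  "$IPT"  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$IP6T" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # IPv4: the broker checks the endpoint with ICMP echo, so allow it from
  # the broker only, rate-limited. The limit also bounds egress (reply) cost.
  "$IPT" -A INPUT -p icmp --icmp-type echo-request -s "$BROKER_V4" \
    -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT

  # IPv6: never drop the ICMPv6 types IPv6 itself depends on. Type 2
  # (Packet Too Big) is what PMTUD needs; 1,3,4 are errors; 133-136 are NDP.
  for t in 1 2 3 4 133 134 135 136; do
    "$IP6T" -A INPUT -i "$TUN_IF" -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
  done

  # IPv6 echo requests: allowed but rate-limited, then dropped above the limit.
  "$IP6T" -A INPUT -i "$TUN_IF" -p ipv6-icmp --icmpv6-type echo-request \
    -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
  "$IP6T" -A INPUT -i "$TUN_IF" -p ipv6-icmp --icmpv6-type echo-request -j DROP
}

# Usage: sh this_script.sh --apply   (or IPT=echo IP6T=echo ... to dry-run)
if [ "${1:-}" = "--apply" ]; then
  apply_icmp_policy
fi
```

The dry-run variables let you review the generated rules before touching a live ruleset.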