Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: evantkh on June 14, 2015, 06:11:15 AM

Title: Bad effects of blocking IPv6 ping
Post by: evantkh on June 14, 2015, 06:11:15 AM
As far as I know, blocking all ICMPv6 is a bad idea as it may cause connectivity issues.
In my setup, I would like to only open things (e.g. some TCP ports, UDP ports) that I really need to use, leaving all other things dropped unless allowed by ip6tables connection tracking with allowing ESTABLISHED,RELATED traffic.
In this case, the server will not be pingable using ICMPv6 echo request from the internet. Will it cause other issues?
Title: Re: Bad effects of blocking IPv6 ping
Post by: cholzhauer on June 14, 2015, 07:09:28 AM
http://blogs.cisco.com/security/icmp-and-security-in-ipv6
Title: Re: Bad effects of blocking IPv6 ping
Post by: evantkh on June 14, 2015, 10:26:20 PM
Quote from: cholzhauer on June 14, 2015, 07:09:28 AM
http://blogs.cisco.com/security/icmp-and-security-in-ipv6

He says nothing about ping (echo request).
Title: Re: Bad effects of blocking IPv6 ping
Post by: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?
Title: Re: Bad effects of blocking IPv6 ping
Post by: broquea on June 15, 2015, 08:20:34 AM
block type 139/140, and rate limit the rest. problem solved.
Title: Re: Bad effects of blocking IPv6 ping
Post by: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.
Title: Re: Bad effects of blocking IPv6 ping
Post by: evantkh on June 15, 2015, 08:29:16 AM
Quote from: broquea on June 15, 2015, 08:20:34 AM
block type 139/140, and rate limit the rest. problem solved.

What are the bad effects of blocking echo request?

In my current setup, I can ping outside, LAN devices can ping each other, but outside cannot ping inside.
Title: Re: Bad effects of blocking IPv6 ping
Post by: evantkh on June 15, 2015, 08:55:32 AM
Quote from: broquea on June 15, 2015, 08:20:34 AM
block type 139/140, and rate limit the rest. problem solved.

I forgot to mention that I am using a stateful firewall, not the stateless one.
Is it good to use ip6tables connection tracking instead of exposing the inbound icmpv6 connectivity to the internet?
Title: Re: Bad effects of blocking IPv6 ping
Post by: kriteknetworks on June 15, 2015, 11:18:12 AM
Quote from: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.

You already said this. You didn't answer my question. What do you gain by blocking icmp6?
Title: Re: Bad effects of blocking IPv6 ping
Post by: evantkh on June 15, 2015, 07:18:28 PM
Quote from: kriteknetworks on June 15, 2015, 11:18:12 AM
Quote from: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?

I want to block everything, allowing only outbound connectivity.

You already said this. You didn't answer my question. What do you gain by blocking icmp6?

I am not specifically against having icmp6 open, but I am against having anything open. This will lead to devices not being pingable from the internet, and people said that blocking ping (echo request) is a bad idea without explaining how it affects icmp6 error signalling, and the icmp6 type is not the same as echo request.
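
Added example, not part of any post in this thread: a sketch of a ruleset that combines broquea's advice (drop ICMPv6 types 139/140, rate limit the rest) with evantkh's stateful default-drop setup. The function names, the port arguments, the 10/second limit and the host-only scope (INPUT chain, nothing forwarded) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: prints an ip6tables-restore ruleset.
# Usage: icmp6_ruleset "<tcp ports>" "<udp ports>" <yes|no: answer inbound ping>
# Assumptions: a single host (INPUT chain only, nothing forwarded) and a
# 10/second limit with burst 20; tune both for your own setup.

rule() { printf '%s\n' "-A INPUT $*"; }

icmp6_ruleset() {
    tcp_ports=${1:-}; udp_ports=${2:-}; allow_ping=${3:-no}

    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    rule -i lo -j ACCEPT

    # Node information query/reply (types 139/140): dropped first, unconditionally.
    for t in 139 140; do
        rule -p ipv6-icmp --icmpv6-type "$t" -j DROP
    done

    # Replies to outbound traffic, plus ICMPv6 errors (e.g. Packet Too Big)
    # that conntrack ties to an existing connection as RELATED.
    rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Optional: refuse unsolicited echo requests (type 128).
    if [ "$allow_ping" != yes ]; then
        rule -p ipv6-icmp --icmpv6-type 128 -j DROP
    fi

    # "Rate limit the rest": neighbor discovery (133-136) and other ICMPv6.
    rule -p ipv6-icmp -m limit --limit 10/second --limit-burst 20 -j ACCEPT

    for p in $tcp_ports; do
        rule -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $udp_ports; do
        rule -p udp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    printf '%s\n' 'COMMIT'
}

# Review the output, then load it as root:
#   sh rules.sh "22 443" "" no | ip6tables-restore
if [ "$#" -gt 0 ]; then icmp6_ruleset "$@"; fi
```

With the third argument set to `no`, inbound echo requests are dropped while ICMPv6 errors belonging to outbound connections still arrive through the RELATED state, and neighbor discovery still passes under the rate-limited rule.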