As far as I know, blocking all ICMPv6 is a bad idea, as it may cause connectivity issues.
In my setup, I would like to open only the things (e.g. some TCP ports and UDP ports) that I really need to use, leaving everything else dropped unless allowed by ip6tables connection tracking, which allows ESTABLISHED,RELATED traffic.
In this case, the server will not be pingable with ICMPv6 echo requests from the internet. Will this cause other issues?
http://blogs.cisco.com/security/icmp-and-security-in-ipv6
Quote from: cholzhauer on June 14, 2015, 07:09:28 AM
http://blogs.cisco.com/security/icmp-and-security-in-ipv6
He says nothing about ping (echo request).
What do you gain by blocking icmp6?
Block type 139/140, and rate-limit the rest. Problem solved.
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?
I want to block everything, allowing only outbound connectivity.
Quote from: broquea on June 15, 2015, 08:20:34 AM
Block type 139/140, and rate-limit the rest. Problem solved.
What are the bad effects of blocking echo request?
In my current setup, I can ping outside, LAN devices can ping each other, but outside cannot ping inside.
Quote from: broquea on June 15, 2015, 08:20:34 AM
Block type 139/140, and rate-limit the rest. Problem solved.
I forgot to mention that I am using a stateful firewall, not a stateless one.
Is it good to use ip6tables connection tracking instead of exposing inbound ICMPv6 connectivity to the internet?
Quote from: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?
I want to block everything, allowing only outbound connectivity.
You already said this. You didn't answer my question. What do you gain by blocking icmp6?
Quote from: kriteknetworks on June 15, 2015, 11:18:12 AM
Quote from: evantkh on June 15, 2015, 08:21:50 AM
Quote from: kriteknetworks on June 15, 2015, 05:30:49 AM
What do you gain by blocking icmp6?
I want to block everything, allowing only outbound connectivity.
You already said this. You didn't answer my question. What do you gain by blocking icmp6?
I am not specifically against having icmp6 open, but I am against having anything open. This will lead to devices not being pingable from the internet, and people said that blocking ping (echo request) is a bad idea without explaining how it affects icmp6 error signalling, and the icmp6 type is not the same as echo request.
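As an added example that is not from any poster in this thread, here is an ip6tables script that implements the stateful, default-drop setup the thread discusses: ESTABLISHED,RELATED allowed, types 139/140 dropped, echo requests rate-limited rather than blocked, and the ICMPv6 types that RFC 4890 says must pass kept open. The rate-limit values and the example TCP port are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): a default-drop, stateful
# ip6tables INPUT policy that keeps the ICMPv6 types IPv6 depends on (RFC 4890),
# drops Node Information Query/Response (types 139/140) and rate-limits echo
# requests instead of dropping them. Set IP6TABLES=echo for a dry run that only
# prints the rules; real application needs root on the firewall host.
IP6TABLES="${IP6TABLES:-ip6tables}"

# Helper: append one ICMPv6 rule to INPUT.
icmp6() { $IP6TABLES -A INPUT -p icmpv6 "$@"; }

apply_icmpv6_policy() {
    # Default deny inbound and forwarded traffic; outbound stays open.
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P FORWARD DROP
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -A INPUT -i lo -j ACCEPT
    # Replies to our own connections. RELATED also admits ICMPv6 errors that
    # conntrack ties to a tracked flow, so many errors pass even before the
    # explicit rules below.
    $IP6TABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6TABLES -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Node Information Query/Response (RFC 4620): no legitimate use here, drop.
    for t in 139 140; do icmp6 --icmpv6-type "$t" -j DROP; done
    # Error messages that must not be filtered (RFC 4890 section 4.3.1):
    # 1 Destination Unreachable, 2 Packet Too Big (needed for PMTUD),
    # 3 Time Exceeded, 4 Parameter Problem.
    for t in 1 2 3 4; do icmp6 --icmpv6-type "$t" -j ACCEPT; done
    # Neighbour Discovery (RS/RA/NS/NA/Redirect) is link-local and not tracked
    # by conntrack; without it the host cannot resolve neighbours or learn its
    # router. RFC 4861 mandates hop limit 255, which a packet that crossed a
    # router cannot carry, so the hl match confines these to the local link.
    for t in 133 134 135 136 137; do
        icmp6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # Multicast Listener Discovery (130-132, 143), needed on LANs with MLD snooping.
    for t in 130 131 132 143; do icmp6 --icmpv6-type "$t" -j ACCEPT; done
    # Echo request: accept at a bounded rate (placeholder values), then drop the excess.
    icmp6 --icmpv6-type 128 -m limit --limit 10/second --limit-burst 20 -j ACCEPT
    icmp6 --icmpv6-type 128 -j DROP
    # Services you actually expose go here, e.g. (placeholder port):
    # $IP6TABLES -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Apply only when explicitly asked, so sourcing this file for the dry run is safe.
if [ "${1:-}" = "apply" ]; then apply_icmpv6_policy; fi
```

Run `sh script.sh apply` as root on the firewall host; `IP6TABLES=echo sh script.sh apply` prints the rules without touching the live tables.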