IPv4 ping response

Started by evantkh, May 28, 2015, 06:21:35 AM

evantkh

Is the ping response only required during registration/update of the tunnel endpoint, or do I need to allow it during the use of the tunnel after registration?

cholzhauer

Only for setup, but you should consider allowing it after too

evantkh

Quote from: cholzhauer on May 29, 2015, 04:30:22 AM
Only for setup, but you should consider allowing it after too
What will happen if it is not allowed?

kriteknetworks

Why are you against having icmp4 open?

evantkh

Quote from: kriteknetworks on May 30, 2015, 04:44:44 AM
Why are you against having icmp4 open?
Because I don't want to put so many rules on my firewall, because the maximum number of rules is limited.

broquea

Don't want too many firewall rules? Drop/exclude the one that blocks ICMP ;)

Want to operate a network like a professional, rather than someone that believes the FUD of leaving ICMP reachable? Rate-limit ICMP, don't block.

Were you planning on blocking ICMP6 as well? Because if so, enjoy the crappy broken PMTUD you'd be introducing.

evantkh

Quote from: broquea on May 30, 2015, 10:01:59 AM
Don't want too many firewall rules? Drop/exclude the one that blocks ICMP ;)

Want to operate a network like a professional, rather than someone that believes the FUD of leaving ICMP reachable? Rate-limit ICMP, don't block.

Were you planning on blocking ICMP6 as well? Because if so, enjoy the crappy broken PMTUD you'd be introducing.

There are two reasons.

Firstly, I can only configure allow rules on my upstream (AWS) stateful firewall.
Secondly, egress traffic is very expensive, so I want to drop as many packets as possible to prevent responding while allowing incoming packets dynamically using ip6tables connection tracking.

Does this setup have any problem?
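As an added example (not from any poster in this thread), here is a minimal iptables/ip6tables ruleset for a 6in4 tunnel endpoint that follows broquea's advice (rate-limit ICMP rather than block it, never drop the ICMPv6 messages PMTUD depends on) while keeping the default-deny, conntrack-based INPUT policy evantkh describes. The tunnel server address 192.0.2.1 is a placeholder from the RFC 5737 documentation range; substitute your own tunnel server's IPv4 address. The rate limit caps how many echo replies the host will send, which also bounds the egress traffic those replies cost.

```shell
#!/bin/sh
# Added example ruleset for a 6in4 tunnel endpoint; not from the forum thread.
# TUNNEL_SERVER is a placeholder (RFC 5737 documentation address). Replace it
# with the real IPv4 address of the tunnel server.
TUNNEL_SERVER="${TUNNEL_SERVER:-192.0.2.1}"

# IPv4 side: the tunnel server must be able to ping the endpoint (the
# registration/update check discussed above) and deliver the encapsulated
# IPv6 payload, which is IP protocol 41. Echo requests are rate-limited,
# not blocked, so replies stay available but cannot be used to drive up
# egress volume without bound.
ipv4_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p 41 -s $TUNNEL_SERVER -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

# IPv6 side: packet-too-big (type 2) must always be accepted or PMTUD breaks;
# time-exceeded and parameter-problem are the other error messages hosts rely
# on; neighbour discovery is needed for any on-link IPv6 to work at all.
# Echo requests are rate-limited instead of dropped.
ipv6_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
COMMIT
EOF
}

# Only load the rules into the kernel when explicitly requested (needs root).
if [ "${APPLY_RULES:-0}" = "1" ]; then
    ipv4_rules | iptables-restore
    ipv6_rules | ip6tables-restore
fi
```

Run the script with APPLY_RULES=1 as root to load both tables; without it the functions only print the rulesets for review.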