
(usagi-users 02954) Re: [netfilter] problem with icmpv6 and connection tracking



Hi,

From: Fabio Massimo Di Nitto <fabbione@xxxxxxxxxxxx>
Subject: (usagi-users 02953) [netfilter] problem with icmpv6 and connection tracking
Date: Wed, 19 May 2004 09:44:55 +0200 (CEST)

> Firewall rules:
> 
> #! /bin/sh
> CMD=/usr/local/v6/sbin/ip6tables
> $CMD -F INPUT
> $CMD -P INPUT DROP
> #$CMD -A INPUT -j ACCEPT -p icmpv6
> $CMD -A INPUT -j ACCEPT -p tcp --destination-port 22
> $CMD -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
> 
> gundam is at 3ffe:100:e:3::4    (one normal host)
> trider-g7 is at 3ffe:100:e:3::1 (default gw)
> 
> gundam:~# ping6 trider-g7
> PING trider-g7(trider-g7.fabbione.net) 56 data bytes
> 
> --- trider-g7 ping statistics ---
> 3 packets transmitted, 0 received, 100% packet loss, time 1999ms
> 
> gundam:~# ping6 trider-g7
> PING trider-g7(trider-g7.fabbione.net) 56 data bytes
> 64 bytes from trider-g7.fabbione.net: icmp_seq=4 ttl=64 time=1999 ms
> 64 bytes from trider-g7.fabbione.net: icmp_seq=5 ttl=64 time=999 ms
> 
> --- trider-g7 ping statistics ---
> 7 packets transmitted, 2 received, 71% packet loss, time 5998ms
> rtt min/avg/max/mdev = 999.969/1499.891/1999.813/499.922 ms, pipe 3

With your rules, almost all ICMPv6 packets for DAD, Address Auto Configuration,
and so on are dropped, because packets to multicast addresses are not
tracked.

I think these ICMPv6 packets should not be filtered.

> gundam:~# ping6 trider-g7
> PING trider-g7(trider-g7.fabbione.net) 56 data bytes
> From ::1 icmp_seq=1 Destination unreachable: Address unreachable
> From ::1 icmp_seq=2 Destination unreachable: Address unreachable

The "state" of these echo-requests from ::1 to ::1 is NEW, so they are dropped by
your rules.

How about adding this rule?
	ip6tables -A INPUT -i lo -j ACCEPT

Regards,
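As an added example (not part of this thread), the poster's script reworked along the lines of the reply: loopback and the stateless neighbour discovery messages that DAD and autoconfiguration depend on are accepted before the conntrack rule, and the policy stays DROP. The ip6tables path is taken from the original script; the rule list is printed by a function so it can be reviewed without root, and only applied when APPLY_RULES=1 is set.

```shell
#!/bin/sh
# Added example, not code from the original thread.
CMD=${CMD:-/usr/local/v6/sbin/ip6tables}   # path from the poster's script

# Print the INPUT rules one per line (dry run; nothing touches the kernel).
ip6_rules() {
    echo '-F INPUT'
    echo '-P INPUT DROP'
    # Loopback: echo-requests from ::1 to ::1 are NEW to conntrack and
    # would otherwise fall to the DROP policy.
    echo '-A INPUT -i lo -j ACCEPT'
    # Neighbour discovery (ICMPv6 types 133-136: RS, RA, NS, NA) is sent to
    # multicast addresses that conntrack does not track, so it must be
    # accepted statelessly or DAD and address autoconfiguration break.
    for t in 133 134 135 136; do
        echo "-A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    echo '-A INPUT -p tcp --destination-port 22 -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
}

# Feed each printed rule to ip6tables; stop at the first failure.
apply_rules() {
    ip6_rules | while read -r rule; do
        # word splitting of $rule into arguments is intended here
        "$CMD" $rule || exit 1   # exits the subshell running the loop
    done
}

# Cheap self-check: loopback and neighbour solicitation are accepted
# before the stateful rule that cannot match them.
rules_accept_essentials() {
    rules=$(ip6_rules)
    echo "$rules" | grep -q -- '-i lo -j ACCEPT' || return 1
    echo "$rules" | grep -q -- '--icmpv6-type 135 -j ACCEPT' || return 1
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_rules
fi
```

Run the script without APPLY_RULES to see the rule list; an equivalent icmpv6-type name such as neighbour-solicitation can replace the numeric type if your ip6tables build accepts it.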