Netgate Discussion Forum

    ICMP on IPv6 - Block or allow ?

    3 Posts 2 Posters 1.3k Views
      Guest

      I run a mail server sitting behind pfSense. By default I block everything that is not needed. With the advent of IPv6 there might be a requirement to allow certain ICMPv6 traffic through.

      I have had a look at RFC 4890 namely section 4.3.1 and I am still not convinced.

      Can I ask what is the opinion of others who run similar systems and what they do?

        kpa

        This is a list of incoming ICMP6(4) *)  messages that you should allow regardless of your doubts:

        
        unreach
        toobig
        timex
        paramprob
        echoreq
        routeradv
        neighbradv
        
        

        Those are mandatory for sites hosting IPv6 servers. For clients you might be tempted to leave out some of those like ping (echoreq) but it still doesn't make your host undiscoverable.

        *) https://www.freebsd.org/cgi/man.cgi?query=icmp6&apropos=0&sektion=0&manpath=FreeBSD+10.3-RELEASE&arch=default&format=html

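A check for the list in kpa's post, as an added example that is not part of the thread: it reads rule text in pf.conf syntax (pfSense is built on pf) and reports which of the seven types no inbound pass rule names. The sample ruleset is constructed, the function names are hypothetical, and the script ignores rule order, `block` rules, interfaces and addresses.

```python
import re

# ICMPv6 type names as spelled in pf.conf(5), with their type numbers.
PF_ICMP6 = {
    "unreach": 1, "toobig": 2, "timex": 3, "paramprob": 4,
    "echoreq": 128, "echorep": 129, "routersol": 133,
    "routeradv": 134, "neighbrsol": 135, "neighbradv": 136,
}
REQUIRED = ["unreach", "toobig", "timex", "paramprob",
            "echoreq", "routeradv", "neighbradv"]  # the list from kpa's post

# Inbound (or direction-less) pass rules for ICMPv6; "out" rules are skipped.
RULE = re.compile(r"^\s*pass\b(?!.*\bout\b).*\bproto\s+(?:ipv6-icmp|icmp6)\b")
TYPES = re.compile(r"\bicmp6-type\s+(\{[^}]*\}|\S+)")


def allowed_types(ruleset):
    """Return the ICMPv6 type numbers passed inbound, or None if all are."""
    allowed = set()
    for line in ruleset.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if not RULE.search(line):
            continue
        m = TYPES.search(line)
        if m is None:
            return None                        # no icmp6-type: every type passes
        for tok in re.split(r"[,\s{}]+", m.group(1)):
            if tok.isdigit():
                allowed.add(int(tok))
            elif tok in PF_ICMP6:
                allowed.add(PF_ICMP6[tok])
    return allowed


def missing_required(ruleset):
    allowed = allowed_types(ruleset)
    if allowed is None:
        return []
    return [n for n in REQUIRED if PF_ICMP6[n] not in allowed]


# Constructed sample ruleset, not taken from a real firewall.
SAMPLE = """
block in log inet6 all
pass in quick inet6 proto ipv6-icmp icmp6-type { 1, 2, 135, 136 } keep state
pass in inet6 proto ipv6-icmp icmp6-type echoreq
pass out inet6 proto ipv6-icmp all
"""
print(missing_required(SAMPLE))  # ['timex', 'paramprob', 'routeradv']
```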
          Guest

          @kpa, thanks for that. I had allowed some of those after reading this:

          https://www.infoblox.com/wp-content/uploads/infoblox-infographic-ipv6-best-practice.pdf

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.