ICMPv6 on tunnel interface gets blocked regardless of firewall rules
-
I've allowed all connections from the POP address to the END point address, but still the SixXS POP cannot ping my END point.
IPv6 works otherwise, but this is a bit of a problem, as I cannot get any ISK and the tunnel will be disabled after 7 days.
-
Make a floating rule like this:
-
Why would you open the whole ICMPv4 proto via a floating rule just to let SixXS ping your IPv6 tunnel endpoint? You just need ICMPv6, also not the whole proto.
The only thing you need to allow is IPv6 ICMP echoreq on your tunnel interface to your tunnel endpoint IP. No floating rule required. Works fine here on the latest 2.1 RC1.
-
Why would you open the whole ICMPv4 proto via a floating rule just to let SixXS ping your IPv6 tunnel endpoint?
And why not? Because Mr. Gibson tells me I'm not stealthed and hence I'm doomed? Also, don't forget that PTR records are harmful!!!
The string of text above is known as your Internet connection's "reverse DNS." The end of the string is probably a domain name related to your ISP. This will be common to all customers of this ISP. But the beginning of the string uniquely identifies your Internet connection. The question is: Is the beginning of the string an "account ID" that is uniquely and permanently tied to you, or is it merely related to your current public IP address and thus subject to change?
The concern is that any web site can easily retrieve this unique "machine name" (just as we have) whenever you visit. It may be used to uniquely identify you on the Internet. In that way it's like a "supercookie" over which you have no control. You can not disable, delete, or change it. Due to the rapid erosion of online privacy, and the diminishing respect for the sanctity of the user, we wanted to make you aware of this possibility. Note also that reverse DNS may disclose your geographic location.
Riiight. Because no one's got my IP in the first place. Reverse records are baaad, mkay! ::) :D
-
It is unnecessary to open ICMPv4 to keep the SixXS tunnel from being disabled.
-
It is unnecessary to open ICMPv4 to keep the SixXS tunnel from being disabled.
It's necessary to open ICMPv4 for any reasonable debugging/diagnostics purposes. This ping blocking madness serves absolutely no useful purpose.
-
That is off topic here.
-
What's off topic here? Enabling ping? Yes, because "tightening" ICMP rules and creating a bazillion of them for each interface separately makes so much more sense than setting up one simple catch-all floating rule that does the job. ::)
-
Like I said, when someone asks you how to keep a SixXS tunnel from being disabled and all that is necessary for that is IPv6 ICMP echoreq to the tunnel endpoint, I don't think it is good advice to tell them to open up ICMPv4 from any to any.
Just one example: the OP could be running DMZs with public v4 IPs. He would open them up completely for all ICMP types coming from the internet.
Not necessarily what he might want as a side effect of just keeping the IPv6 SixXS tunnel alive.
-
Goes nowhere. From my POV, blocking ICMP is a pretty useless and, as far as IPv6 goes, also completely broken idea. So, we'll agree to disagree.
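The narrow rule described above (ICMPv6 echoreq on the tunnel interface to the endpoint only), written out as a pf.conf fragment beside the catch-all ICMPv4 floating rule it replaces. This is an added example, not from the thread or from pfSense's generated ruleset; the interface name gif0 and the 2001:db8:: addresses are placeholders, and the last rule reflects the point that IPv6 does not tolerate blanket ICMP blocking (Packet Too Big is how path MTU discovery works).

```conf
# pf.conf fragment: constructed example, not copied from the thread or from pfSense.
# Assumed placeholders:
#   gif0          the SixXS tunnel interface on this firewall
#   2001:db8::1   the SixXS PoP address (remote tunnel end)
#   2001:db8::2   this firewall's tunnel endpoint address

# Too broad: a floating rule admitting every ICMPv4 type from anywhere.
# It does nothing for the IPv6 tunnel check and also exposes any DMZ
# hosts with public v4 addresses to all ICMP types from the internet.
# pass quick inet proto icmp from any to any keep state

# Sufficient to keep the tunnel alive: only ICMPv6 echo requests,
# only from the PoP, only to the tunnel endpoint, only on gif0.
pass in quick on gif0 inet6 proto ipv6-icmp from 2001:db8::1 to 2001:db8::2 icmp6-type echoreq keep state

# Not needed for the SixXS check, but required for working IPv6:
# Packet Too Big (PMTUD) and the other error messages must not be dropped.
pass in quick on gif0 inet6 proto ipv6-icmp from any to 2001:db8::2 icmp6-type { toobig, unreach, timex, paramprob } keep state
```

Check the resulting ruleset with `pfctl -sr` after reloading; the echoreq rule should be the only one matching ICMPv6 echo requests on gif0, and the default deny still covers everything else.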