
After deciding that my small server needed a firewall, I used ferm to configure iptables and ip6tables for me (this question should be tagged ferm, but I cannot create the tag).

I am using the same rules for both IPv4 and IPv6, but as soon as I put up the firewall, IPv6 connections (on all ports) stop working and I have to drop to IPv4. Why could that be?

My /etc/ferm.conf

```
domain (ip ip6) table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # respond to ping
        proto icmp icmp-type echo-request ACCEPT;

        # allow SSH connections
        proto tcp dport ssh ACCEPT;

        # allow all my lovely server stuff
        proto tcp dport (http https smtp imap imaps) ACCEPT;

        # Teamspeak 3 Server
        proto tcp dport (10011 30033) ACCEPT;
        proto udp dport 9987 ACCEPT;

        # Prosody XMPP
        proto tcp dport (5222 5269) ACCEPT;

        # ident connections are also allowed
        proto tcp dport auth ACCEPT;

        # the rest is dropped by the above policy
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    # this is not a router
    chain FORWARD policy DROP;
}
```

ip6tables -vnL

```
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0                 state INVALID
   24  8224 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:80
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:443
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:25
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:143
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:993
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:10011
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:30033
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:9987
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:5222
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:5269
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:113

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 24 packets, 8224 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

1 Answer

7

The problem is that you are dropping most ICMPv6 packets. Many essential IPv6 functions depend on ICMPv6, such as Neighbor Discovery (equivalent to ARP in IPv4). ICMP is a crucial part of the IP protocols (both IPv4 and IPv6), but the impact of bad ICMP filtering is much more severe for IPv6 than for IPv4. You are probably better off allowing all ICMP and then (maybe) filtering out things that you don't want.

For more background information take a look at RFC 4890.
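The answer's diagnosis can be checked mechanically against the listing in the question. The script below is an added example, not code from the question, the answer or the ferm project: it parses `ip6tables -vnL` output (the question's own listing is embedded as the constructed sample), applies first-match semantics to each ICMPv6 type that RFC 4890 section 4.3.1 lists as essential, reports the types the INPUT chain ends up dropping, and emits a ferm fragment that appends ACCEPT rules for them. The essential-type list is our reading of that section for an ordinary host (it leaves out SEND and Multicast Router Discovery), and the auditor deliberately treats interface-scoped, stateful, code-qualified and jump rules as undecided, so it errs toward reporting a type as not accepted.

```python
"""Audit an ip6tables -vnL listing for the ICMPv6 types an IPv6 host must accept.

Added example, not code from the question or answer. ESSENTIAL_ICMPV6 is our reading
of RFC 4890 section 4.3.1 for an ordinary host (errors, echo, Router/Neighbor
Discovery, MLD); SEND and Multicast Router Discovery types are assumed not needed.
"""
import re
import sys

ESSENTIAL_ICMPV6 = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
    130: "mld-listener-query", 131: "mld-listener-report", 132: "mld-listener-done",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbour-solicitation", 136: "neighbour-advertisement",
    141: "inverse-nd-solicitation", 142: "inverse-nd-advertisement",
    143: "mld2-listener-report",
}
ICMPV6_BY_NAME = {n: t for t, n in ESSENTIAL_ICMPV6.items()}  # for listings made without -n

# Constructed from the question's own `ip6tables -vnL` output (TCP/UDP rules abridged).
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0                 state INVALID
   24  8224 ACCEPT     all      *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0                 tcp dpt:22

Chain OUTPUT (policy ACCEPT 24 packets, 8224 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TYPE_RE = re.compile(r"^ipv6-icmptype (\S+)$")  # "... code N" covers only part of a type: not matched

def parse_chains(listing):
    """Parse `ip6tables -vnL` (or `iptables -vnL`) output into {chain: {"policy", "rules"}}."""
    chains, current = {}, None
    for raw in listing.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif line and current is not None and not line.startswith("pkts"):
            f = line.split()
            if len(f) > 4 and f[4] == "--":  # iptables prints an "opt" column; ip6tables does not
                del f[4]
            if len(f) >= 8:
                current["rules"].append({"target": f[2], "proto": f[3], "in": f[4],
                                         "src": f[6], "dst": f[7], "match": " ".join(f[8:])})
    return chains

def unconditional_icmpv6_cover(rule):
    """Return "all", one ICMPv6 type, or None if the rule is scoped or conditional."""
    if rule["in"] != "*" or rule["src"] != "::/0" or rule["dst"] != "::/0":
        return None
    if rule["proto"] not in ("icmpv6", "ipv6-icmp", "all"):
        return None
    if not rule["match"]:
        return "all"
    m = TYPE_RE.match(rule["match"])  # any other match (state, hl, ...) makes the rule conditional
    if not m:
        return None
    return int(m.group(1)) if m.group(1).isdigit() else ICMPV6_BY_NAME.get(m.group(1))

def icmpv6_verdicts(chain):
    """First-match verdict per essential type; the chain policy when no rule decides it."""
    verdicts = {}
    for t in ESSENTIAL_ICMPV6:
        verdicts[t] = chain["policy"]
        for rule in chain["rules"]:  # jumps to user chains are not followed
            if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
                cover = unconditional_icmpv6_cover(rule)
                if cover == "all" or cover == t:
                    verdicts[t] = rule["target"]
                    break
    return verdicts

def missing_icmpv6_types(listing, chain="INPUT"):
    """Essential ICMPv6 types the chain does not unconditionally ACCEPT, sorted."""
    verdicts = icmpv6_verdicts(parse_chains(listing)[chain])
    return sorted(t for t, v in verdicts.items() if v != "ACCEPT")

def ferm_fix(types):
    """ferm fragment appending ACCEPT rules for `types` to the ip6 INPUT chain; ferm rewrites
    `proto icmp icmp-type` to icmpv6 in the ip6 domain, as the question's echo-request rule shows."""
    if not types:
        return ""
    return ("domain ip6 table filter chain INPUT {\n"
            "    # RFC 4890 4.3.1: ICMPv6 a host must accept (Neighbor Discovery etc.)\n"
            f"    proto icmp icmp-type ({' '.join(map(str, types))}) ACCEPT;\n"
            "}\n")

if __name__ == "__main__":  # usage: ip6tables -vnL | python3 icmpv6_audit.py
    missing = missing_icmpv6_types(SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read())
    print("\n".join(f"not accepted: ICMPv6 type {t} ({ESSENTIAL_ICMPV6[t]})" for t in missing))
    print(ferm_fix(missing) or "all essential ICMPv6 types are accepted")
```

Run as `ip6tables -vnL | python3 icmpv6_audit.py`; with no piped input it audits the embedded sample. On the question's listing it reports every essential type except 128 as not accepted, which matches the symptom: Neighbor Solicitation and Advertisement (135/136) fall through to the DROP policy, so the host can never resolve its gateway's link-layer address and every IPv6 connection stalls, whatever the port. If you want to go further than the answer's "allow all ICMP", RFC 4890 also notes that the Discovery messages (133 to 136) are always sent with a hop limit of 255, which ferm's `hl` module can check with `mod hl hl-eq 255` on those rules.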
