Avoid dropping IPv6 Router Solicitation (Type 133) packets

4

I'm seeing journal entries like the following, which appear at regular four-second intervals:

Jan 22 19:31:00 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:04 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:08 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:12 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0

RFC 4890 - Recommendations for Filtering ICMPv6 Messages in Firewalls lists Router Solicitation (Type 133) in Section 4.4.1 - Traffic That Must Not Be Dropped.

But it seems that my configuration is in fact dropping them.

My iptables are generated by firehol, configured like so:

version 6

# ssh on port 5090 (ssh is a built-in service name)
server_ssh_hidden_ports="tcp/5090"
client_ssh_hidden_ports="default"

# mosh
server_mosh_ports="udp/60001:60020" # Mosh uses 60001 to 60999 counting up
client_mosh_ports="default"

# NoMachine (nxserver is a built-in, but seemingly on incorrect ports)
server_nomachine_ports="tcp/4000"
client_nomachine_ports="default"

# Deluge
server_deluge_ports="tcp/8112"
client_deluge_ports="default"

# Zerotier-one
interface zt0 zerotier
        policy reject # be nicer than default "drop" on internal network
        protection strong

        server "ssh_hidden mosh" accept with limit 8/min 10 # rate/period [burst]
        server "nomachine deluge" accept with limit 8/min 10 # rate/period [burst]
        #server "ssh_hidden nomachine" accept with recent recent-zerotier 30 6 # name, seconds, attempts per period

        client all accept

# All interfaces - look at fallthrough if putting this non-last as it didn't work without it
interface any global
        protection strong
        server ssh_hidden accept with limit 8/min 10
        client all accept

How do I get rid of these noisy log messages?

    
by Tom Hale 22.01.2017 / 13:46

1 answer

1

As mentioned in FireHOL IPv6 Setup, add the following to the top of your firehol.conf:

ipv6 interface any v6interop proto icmpv6
  client ipv6neigh accept
  server ipv6neigh accept
  client ipv6mld accept
  client ipv6router accept
  policy return
    
by 23.01.2017 / 09:12
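
To check whether the firewall is still logging ICMPv6 traffic that RFC 4890 section 4.4.1 says must not be dropped, the following added example (not part of the original question or answer, and not FireHOL code) parses kernel log lines in the format shown in the question and groups the hits by chain, interface and type. It assumes the firewall logs only packets that fell through to the drop/reject policy; the type table is a subset of the RFC list (neighbor discovery and MLD), and the function names and the year parameter are hypothetical.

```python
import re
from datetime import datetime

# Subset of RFC 4890 section 4.4.1: neighbor discovery and MLD message types.
MUST_NOT_DROP = {130: "Listener Query", 131: "Listener Report", 132: "Listener Done",
                 133: "Router Solicitation", 134: "Router Advertisement",
                 135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
                 143: "Listener Report v2"}

# Matches the netfilter LOG format seen in the question (log prefix, OUT=, TYPE=).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\skernel:\s(?P<chain>[^:\s]+):"
    r".*?\bOUT=(?P<out>\S*).*?\bPROTO=ICMPv6\s+TYPE=(?P<type>\d+)\s")

# First three lines are taken from the question; the last (TCP) line is constructed.
SAMPLE_LOG = """\
Jan 22 19:31:00 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:04 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:08 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:09 tara kernel: IN-global:IN=enp3s0f2 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=60 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=23
"""

def essential_icmpv6_hits(lines, year=2017):
    """Return one record per (chain, out-interface, type) for must-not-drop types."""
    seen = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m["type"]) not in MUST_NOT_DROP:
            continue  # not ICMPv6, or a type outside the table above
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen.setdefault((m["chain"], m["out"], int(m["type"])), []).append(ts)
    report = []
    for (chain, iface, typ), stamps in sorted(seen.items()):
        gaps = {int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])}
        report.append({"chain": chain, "iface": iface, "type": typ,
                       "name": MUST_NOT_DROP[typ], "count": len(stamps),
                       "gaps_s": sorted(gaps)})
    return report

if __name__ == "__main__":
    for hit in essential_icmpv6_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

An empty report over fresh log lines after restarting the firewall indicates these message types are no longer reaching the logging policy.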