On Thursday, January 27, 2022 12:13:32 AM CET lists@xxxxxxxxxxxxxxx wrote: Oh, I forgot something > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT > > > > > > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT > > > > > > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT > > > > > > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT > > > > > > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT > > > > > > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT > > > https://www.ietf.org/rfc/rfc4890.txt 4.3.3. Traffic That Will Be Dropped Anyway -- No Special Attention Needed Allow this ICMPv6 types only if the hop limit field is 255. (I can never remember the numbers, so I always use ICMPv6 type names) e.g.: -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT > > > > > > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT > > > > > > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT > > > > > > > > > -A ICMPv6_IN -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT > > > > > > Best not to filter ICMPv6 at all. Or just ratelimit echo-request maybe also echo-reply. -- ╰_╯ Ciao Marco! Debian GNU/Linux It's free software and it gives you freedom!
Attachment:
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays