UFW default ICMPv6 before6.rules modification
Bug #299268 reported by Ryan Giobbi
This bug affects 1 person

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Bug Description
Binary package hint: ufw
In ufw 0.23.2, a minor feature request:
in before6.rules, restrict NDP messages to a hop limit of 255:
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-
-A ufw6-before-input -p udp --sport 67 --dport 68 -m hl --hl-eq 255 -j ACCEPT
This should limit NDP messages and DHCPv6 to the local network.
Changed in ufw: status: Triaged → Fix Committed
RFC 4861 specifies that NDP messages shouldn't be passed through routers.
Also, host (non-router) systems shouldn't need the
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
rule, as they send router solicitations; they don't need to receive them.
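As an added illustration (not part of the bug report or of ufw's own rules), the following Python model evaluates constructed packets against the ACCEPT rules proposed in the description, with and without the `-m hl --hl-eq 255` match, and optionally without the router-solicitation rule, as the comment above suggests for non-router hosts. The four ICMPv6 type names are ip6tables' own names; which of them the truncated lines in the report stand for is an assumption, and the UDP ports are copied as written in the report (DHCPv6 itself uses UDP 546/547).

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:  # a constructed inbound IPv6 packet as seen by the input chain
    proto: str                      # "icmpv6" or "udp"
    icmpv6_type: Optional[str] = None
    hop_limit: int = 64
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:  # one "-A ufw6-before-input ... -j ACCEPT" line
    proto: str
    icmpv6_type: Optional[str] = None          # -p icmpv6 --icmpv6-type X
    ports: Optional[Tuple[int, int]] = None    # -p udp --sport A --dport B
    hl_eq: Optional[int] = None                # -m hl --hl-eq N

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.icmpv6_type is not None and p.icmpv6_type != self.icmpv6_type:
            return False
        if self.ports is not None and (p.sport, p.dport) != self.ports:
            return False
        if self.hl_eq is not None and p.hop_limit != self.hl_eq:
            return False
        return True

# Assumed expansion of the report's truncated "neighbor-"/"router-" lines.
NDP_TYPES = ("neighbor-solicitation", "neighbor-advertisement",
             "router-solicitation", "router-advertisement")

def before6_input_rules(hl_check: bool, host_only: bool = False):
    """hl_check adds '-m hl --hl-eq 255'; host_only drops router-solicitation."""
    hl = 255 if hl_check else None
    rules = [Rule("icmpv6", t, hl_eq=hl) for t in NDP_TYPES
             if not (host_only and t == "router-solicitation")]
    rules.append(Rule("udp", ports=(67, 68), hl_eq=hl))  # ports as in the report
    return rules

def evaluate(p: Packet, rules) -> Optional[str]:
    """First matching rule wins; None means no ACCEPT rule matched."""
    return next(("ACCEPT" for r in rules if r.matches(p)), None)

def after_router_hop(p: Packet) -> Packet:
    """A forwarding router decrements the hop limit, so a packet sent with 255
    can never arrive from another link still carrying 255."""
    return replace(p, hop_limit=p.hop_limit - 1)
```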