Make before6.rules follow RFC 4890
Bug #1030214 reported by Patrick Fasano
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ufw | Fix Released | Medium | Unassigned |
Bug Description
RFC 4890 lists what ICMPv6 types MUST NOT (in the RFC meaning of the phrase) be blocked by a firewall. The attached patch adds those required ICMPv6 types.
From ufw 0.31.1-1
Ubuntu 12.04
tags: added: wishlist
Changed in ufw:
status: Incomplete → Triaged
Changed in ufw:
status: Triaged → Fix Committed
milestone: none → 0.34
importance: Undecided → Medium
Changed in ufw:
status: Fix Committed → Fix Released
I guess you are referring to section 4.4 (specifically 4.4.1), however I found this document to be pretty unclear. The shipped ufw configuration is for a host-based firewall. While the RFC states 3 types are defined in the report (router, bridge and 'end host'), the 'end host' is not clearly defined (at least for me). In fact, section 4.4 references a multi-homed host and not the 'end host'. While I definitely want to let through appropriate icmpv6 messages, I need more information before adding the ones you suggest (in fact, your patch misses some that the RFC said must not be denied, furthering the confusion).
I think I would at this point prefer to wait for bugs to come in indicating that ufw's current configuration is broken rather than trying to fix it and possibly getting it wrong. That is unless someone can provide clarity on this (with authoritative references). I am going to mark this as 'Incomplete' for now.
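As an added illustration (not the attached patch and not ufw's own code), this Python check reads an ip6tables-restore style rules file and reports which ICMPv6 types listed in RFC 4890 section 4.4.1 have no ACCEPT rule. The choice of the `ufw6-before-input` chain, the sample rules and the function names are assumptions made for the example.

```python
import re

# ICMPv6 types from RFC 4890 section 4.4.1 ("Traffic That Must Not Be Dropped").
RFC4890_4_4_1 = {
    1: "Destination Unreachable", 2: "Packet Too Big",
    3: "Time Exceeded (code 0)", 4: "Parameter Problem (codes 1, 2)",
    128: "Echo Request", 129: "Echo Response", 130: "Listener Query",
    131: "Listener Report", 132: "Listener Done", 143: "Listener Report v2",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
    141: "Inverse ND Solicitation", 142: "Inverse ND Advertisement",
    148: "Certificate Path Solicitation", 149: "Certificate Path Advertisement",
    151: "MRD Advertisement", 152: "MRD Solicitation", 153: "MRD Termination",
}
# ip6tables type names handled here (a subset); numeric "type[/code]" also parses.
NAMES = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "router-solicitation": 133, "router-advertisement": 134,
    "neighbor-solicitation": 135, "neighbour-solicitation": 135,
    "neighbor-advertisement": 136, "neighbour-advertisement": 136,
}
RULE = re.compile(r"^-A\s+(\S+)\s.*--icmpv6-type\s+(\S+).*-j\s+(\S+)")

# Constructed sample rules for the example, not ufw's shipped before6.rules.
SAMPLE = """\
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type 136/0 -j DROP
"""

def accepted_types(rules_text, chain):
    """ICMPv6 type numbers that have an ACCEPT rule in `chain` (codes ignored)."""
    found = set()
    for line in rules_text.splitlines():
        m = RULE.match(line.strip())
        if m and m.group(1) == chain and m.group(3) == "ACCEPT":
            token = m.group(2).split("/")[0]
            found.add(int(token) if token.isdigit() else NAMES.get(token))
    return found - {None}

def missing_types(rules_text, chain="ufw6-before-input"):
    """RFC 4890 4.4.1 types with no ACCEPT rule; rule order is not evaluated."""
    return sorted(set(RFC4890_4_4_1) - accepted_types(rules_text, chain))

if __name__ == "__main__":
    print([(t, RFC4890_4_4_1[t]) for t in missing_types(SAMPLE)])
```

The check works at type granularity only: it does not verify the code restrictions the RFC attaches to types 3 and 4, and it does not detect an earlier rule in the chain that drops the traffic first.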