Question

Which ICMPv6 message types to block on a web server

Posted November 21, 2021 86 views
Firewall, IPv6

Hi, I have a Debian droplet with IPv6 enabled and the eth0 interface having a global link (public routable address) and a local link.

The droplet serves as a web server, hosting a public website.

I’m implementing a firewall on the host using iptables/ip6tables. Whereas I am accepting any traffic on the local link, I am not sure if I can safely block the following ICMPv6 message types on the global link:

  • Router Solicitation (Type 133)
  • Router Advertisement (Type 134)
  • Neighbor Solicitation (Type 135)
  • Neighbor Advertisement (Type 136)
  • Inverse Neighbor Discovery Solicitation (Type 141)
  • Inverse Neighbor Discovery Advertisement (Type 142)

  • Listener Query (Type 130)
  • Listener Report (Type 131)
  • Listener Done (Type 132)
  • Listener Report v2 (Type 143)
  • Certificate Path Solicitation (Type 148)
  • Certificate Path Advertisement (Type 149)
  • Multicast Router Advertisement (Type 151)
  • Multicast Router Solicitation (Type 152)
  • Multicast Router Termination (Type 153)

Many thanks for any help.
