Question

Which ICMPv6 message types to block on a web server

Hi, I have a Debian droplet with IPv6 enabled and the eth0 interface having a global link (public routable address) and a local link.

The droplet serves as a web server, hosting a public website.

I’m implementing a firewall on the host using iptables/ip6tables. Whereas I am accepting any traffic on the local link, I am not sure if I can safely block the following ICMPv6 message types on the global link:

  • Router Solicitation (Type 133)
  • Router Advertisement (Type 134)
  • Neighbor Solicitation (Type 135)
  • Neighbor Advertisement (Type 136)
  • Inverse Neighbor Discovery Solicitation (Type 141)
  • Inverse Neighbor Discovery Advertisement (Type 142)
  • Listener Query (Type 130)
  • Listener Report (Type 131)
  • Listener Done (Type 132)
  • Listener Report v2 (Type 143)
  • Certificate Path Solicitation (Type 148)
  • Certificate Path Advertisement (Type 149)
  • Multicast Router Advertisement (Type 151)
  • Multicast Router Solicitation (Type 152)
  • Multicast Router Termination (Type 153)

Many thanks for any help.

Hello there,

This is explained in detail by RFC 4890, section 4:

https://www.rfc-editor.org/rfc/rfc4890#section-4

4.3 Recommendations for ICMPv6 Transit Traffic

4.3.1. Traffic That Must Not Be Dropped

4.3.3. Traffic That Will Be Dropped Anyway – No Special Attention Needed

4.3.5. Traffic That Should Be Dropped Unless a Good Case Can Be Made

Hope that this helps! Regards, Alex
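
As an added example (not part of the answer above and not RFC 4890's own script), this shell script prints ip6tables rules that accept the message types listed in the question together with the error and echo types of RFC 4890 section 4.4.1, the section on traffic addressed to the host itself, which lists all of them as traffic that must not be dropped. The function names, the hop-limit check on types 133 to 136, and the assumption that the chain's default policy drops everything else are choices made for this example.

```shell
#!/bin/sh
# Added example: prints ip6tables commands for review; it applies nothing.
# Assumption: the target chain ends in a default-drop policy.

# RFC 4890 section 4.4.1 error and connectivity-check messages.
# Type 2 (Packet Too Big) is what path MTU discovery depends on.
ERROR_ECHO="1 2 3/0 4/1 4/2 128 129"
# Neighbor Discovery types from the question.
ND="133 134 135 136"
# Inverse ND, MLD, SEND certificate path, multicast router discovery.
OTHER="141 142 130 131 132 143 148 149 151 152 153"

# rule_for CHAIN TYPE[/CODE]: print one ACCEPT rule.
rule_for() {
    case "$2" in
        # RFC 4861 requires hop limit 255 on these messages, so a lower
        # value means a router forwarded the packet from off-link.
        133|134|135|136) extra=" -m hl --hl-eq 255" ;;
        *) extra="" ;;
    esac
    echo "ip6tables -A $1 -p icmpv6 --icmpv6-type $2$extra -j ACCEPT"
}

# emit_icmpv6_rules [CHAIN]: print the whole rule set, one rule per line.
emit_icmpv6_rules() {
    chain="${1:-INPUT}"
    for t in $ERROR_ECHO $ND $OTHER; do
        rule_for "$chain" "$t"
    done
}

emit_icmpv6_rules "$@"
```

Run it and read the printed rules before piping them to a root shell.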