On 6/8/20 8:58 AM, PGNet Dev wrote:
> On 6/8/20 8:13 AM, Simon Hobson wrote:
>> I am really not an expert in IPv6 :-(
>
> heh. is _anyone_? much voudou req'd! ;-)
>
>> will drop it AND send back an ICMP6 PTB (Packet Too Big) message to the
>> source - thus explicitly telling the source to use smaller packets for that
>> flow. If the PTB packets are filtered, then the mechanism fails.
>>
>> This can occur at any hop, and in the test cases you've found, they will be
>> artificially simulating this as a test. 1280 won't be configured on any of
>> your systems, IIRC it's the minimum packet size supported in IPv6.
>
> chatting with the @testsite admin, the fallback is, in fact, intentional. as
> you surmised, as a test.
>
> _if_ i'm reading all this correctly, the fallback _should_ happen
>
> it appears it's done with low-overhead once per flow ...
>
> i'm still unclear whether it's to be 'fixed' or 'avoided' by mss etc. config
> in SW, or whether i'm being told "all good!"
>
>> IIRC, by default Shorewall6 will configure the rules needed to allow
>> mandatory ICMP6 packets through. Have you perhaps added some of your own
>> that could be dropping them ?
>
> not that i've intended.
>
> i _have_ been monkeying a great deal trying to get this
> redirect-all-IPv6-over-the-wireguard-vpn biz working. as usual, in
> retrospect it's a relatively trivial setup; far less 'opaque' & finicky than
> openvpn, ime.
>
> so, still possible I've fubar'd something; not jumping out at me, atm, tho.
>
> when you suggest "by default Shorewall6 will configure", is that indeed by
> out-of-the-box default, not requiring ANY rules/shorewall.conf/etc/etc?
>
As shipped, shorewall6.conf includes 'AllowICMPs' in the BLACKLIST_DEFAULT,
DROP_DEFAULT, and REJECT_DEFAULT settings. The AllowICMPs action accepts all
ICMP6 packet types required by RFC 4890. So if your net->all policy is DROP
(recommended), REJECT or BLACKLIST, then your firewalls should pass those
packets.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster
Shoreline,             \   with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \   can't understand
                          \________________________________________
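The check an admin in PGNet Dev's position could run is a quick audit of the two things Tom's answer depends on. The script below is an added example, not code from the thread or from the Shorewall project. It reads a shorewall6.conf and a policy file, both constructed here as samples (one intact, one where a hand edit of DROP_DEFAULT lost AllowICMPs and the net->all policy became ACCEPT), and reports whether each *_DEFAULT setting still names AllowICMPs and whether the net->all policy is DROP or REJECT. The action names in the samples, the temp-file layout and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Shorewall project.
# Audits a shorewall6.conf and a Shorewall policy file for the two
# conditions Tom's reply relies on:
#   1. BLACKLIST_DEFAULT, DROP_DEFAULT and REJECT_DEFAULT still name AllowICMPs
#      (a local edit that drops it would also drop ICMPv6 Packet Too Big).
#   2. The net->all policy is DROP or REJECT, so those defaults actually apply.
# The config contents below are constructed samples; on a real host point
# the functions at /etc/shorewall6/shorewall6.conf and /etc/shorewall6/policy.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

GOOD_CONF="$WORK/shorewall6.conf.good"
BAD_CONF="$WORK/shorewall6.conf.bad"
GOOD_POLICY="$WORK/policy.good"
BAD_POLICY="$WORK/policy.bad"

# Constructed sample: defaults as they look when AllowICMPs is left in place.
cat > "$GOOD_CONF" <<'EOF'
# shorewall6.conf (constructed excerpt)
BLACKLIST_DEFAULT="AllowICMPs,dropInvalid"
DROP_DEFAULT="AllowICMPs,dropInvalid"
REJECT_DEFAULT="AllowICMPs,dropInvalid"
EOF

# Constructed sample: a hand edit replaced DROP_DEFAULT and lost AllowICMPs.
cat > "$BAD_CONF" <<'EOF'
# shorewall6.conf (constructed excerpt)
BLACKLIST_DEFAULT="AllowICMPs,dropInvalid"
DROP_DEFAULT="dropInvalid"
REJECT_DEFAULT="AllowICMPs,dropInvalid"
EOF

# Constructed policy files: columns are SOURCE DEST POLICY LOGLEVEL.
cat > "$GOOD_POLICY" <<'EOF'
#SOURCE DEST POLICY LOGLEVEL
loc     net  ACCEPT
net     all  DROP   info
all     all  REJECT info
EOF

cat > "$BAD_POLICY" <<'EOF'
#SOURCE DEST POLICY LOGLEVEL
loc     net  ACCEPT
net     all  ACCEPT
all     all  REJECT info
EOF

# Return 0 when each *_DEFAULT setting in $1 lists AllowICMPs, else 1.
# Only the last uncommented assignment of a key counts, since a later
# line in the file overrides an earlier one.
check_icmp_defaults() {
    conf=$1
    rc=0
    for key in BLACKLIST_DEFAULT DROP_DEFAULT REJECT_DEFAULT; do
        value=$(grep -E "^[[:space:]]*$key=" "$conf" | tail -n 1 \
                | cut -d= -f2- | tr -d '"')
        case ",$value," in
            *,AllowICMPs,*) ;;
            *) echo "$key does not include AllowICMPs (value: '$value')"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 when the policy file $1 has a net->all line whose POLICY is
# DROP or REJECT, else 1 (a missing line or an ACCEPT policy both fail).
check_net_policy() {
    awk '!/^[[:space:]]*#/ && $1 == "net" && $2 == "all" {
             found = 1
             if ($3 == "DROP" || $3 == "REJECT") ok = 1
         }
         END { if (found && ok) exit 0; exit 1 }' "$1"
}

# Both checks against one conf/policy pair; 0 only if both pass.
audit_shorewall6() {
    check_icmp_defaults "$1" && check_net_policy "$2"
}

if audit_shorewall6 "$GOOD_CONF" "$GOOD_POLICY"; then
    echo "good config: AllowICMPs present and net->all is DROP"
fi
if ! audit_shorewall6 "$BAD_CONF" "$BAD_POLICY"; then
    echo "bad config: fails the audit, as expected"
fi
```

On the firewall host, call check_icmp_defaults and check_net_policy with /etc/shorewall6/shorewall6.conf and /etc/shorewall6/policy instead of the constructed samples. A failure on the first check is the quickest explanation for ICMPv6 Packet Too Big being dropped, because the *_DEFAULT actions are what admit the RFC 4890 types when the net->all policy is DROP or REJECT; a failure on the second means those defaults are not what is deciding the fate of inbound packets at all.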
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users