IPv6 라우터 요청(유형 133) 패킷 삭제 방지

The following log entries appear every 4 seconds.

Jan 22 19:31:00 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:04 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:08 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:12 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0

RFC 4890 - Recommendations for Filtering ICMPv6 Messages in Firewalls lists Router Solicitation (Type 133) in Section 4.4.1 - Traffic That Must Not Be Dropped.

But my configuration appears to be dropping exactly that.

My iptables rules are generated by firehol, and the configuration is as follows.

version 6

# ssh on port 5090 (ssh is a built-in service name)
server_ssh_hidden_ports="tcp/5090"
client_ssh_hidden_ports="default"

# mosh
server_mosh_ports="udp/60001:60020" # Mosh uses 60001 to 60999 counting up
client_mosh_ports="default"

# NoMachine (nxserver is a built-in, but seemingly on incorrect ports)
server_nomachine_ports="tcp/4000"
client_nomachine_ports="default"

# Deluge
server_deluge_ports="tcp/8112"
client_deluge_ports="default"

# Zerotier-one
interface zt0 zerotier
        policy reject # be nicer than default "drop" on internal network
        protection strong

        server "ssh_hidden mosh" accept with limit 8/min 10 # rate/period [burst]
        server "nomachine deluge" accept with limit 8/min 10 # rate/period [burst]
        #server "ssh_hidden nomachine" accept with recent recent-zerotier 30 6 # name, seconds, attempts per period

        client all accept

# All interfaces - look at fallthrough if putting this non-last as it didn't work without it
interface any global
        protection strong
        server ssh_hidden accept with limit 8/min 10
        client all accept

How do I get rid of these noisy log messages?

Answer 1

As mentioned in FireHOL IPv6 setup, add the following to the top of firehol.conf.

ipv6 interface any v6interop proto icmpv6
  client ipv6neigh accept
  server ipv6neigh accept
  client ipv6mld accept
  client ipv6router accept
  policy return
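An added example (not code from the question, the answer, or FireHOL) that audits kernel log lines like the ones in the question: it parses the netfilter LOG format (the --log-prefix such as OUT-global: followed by KEY=VALUE fields), flags ICMPv6 types from the RFC 4890 section 4.4.1 list, and separates out Neighbor Discovery packets whose hop limit is not 255, which RFC 4861 receivers discard anyway. It assumes, as the question does, that a line with that prefix means the packet was dropped. The first two sample lines are copied from the question; the remaining sample lines are constructed.

```python
#!/usr/bin/env python3
"""Audit netfilter LOG output for ICMPv6 that RFC 4890 says a host must not drop.

Added example for this Q&A; it is not code from the question, the answer or
FireHOL. It parses the kernel log format shown in the question (a --log-prefix
such as "OUT-global:" followed by KEY=VALUE fields) and assumes, as the
question does, that a line with that prefix means the packet was dropped.
"""
import re
from collections import Counter

# Part of the list in RFC 4890, section 4.4.1 ("Traffic That Must Not Be
# Dropped") for local configuration traffic. Only the types below are checked
# here; the RFC lists more (MLD, inverse ND, SEND and multicast router types).
MUST_NOT_DROP = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    128: "Echo Request",
    129: "Echo Reply",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}

# Neighbor Discovery messages (RFC 4861) must arrive with Hop Limit 255; a
# lower value means the packet crossed a router and receivers discard it.
ND_TYPES = {133, 134, 135, 136}

FIELD_RE = re.compile(r"\b(\w+)=(\S*)")


def parse_log_line(line):
    """Split one netfilter LOG line into (prefix, fields).

    prefix is the --log-prefix text (e.g. "OUT-global:"); fields maps each
    KEY=VALUE pair, with an empty IN= or OUT= mapped to "". Returns None for
    lines that are not netfilter LOG output.
    """
    _, sep, rest = line.partition("kernel: ")
    if not sep:
        return None
    idx = rest.find("IN=")
    if idx < 0:
        return None
    prefix = rest[:idx].strip()
    fields = dict(FIELD_RE.findall(rest[idx:]))
    return prefix, fields


def classify(prefix, fields):
    """Return a list of findings (strings) for one logged packet, [] if benign."""
    if fields.get("PROTO") != "ICMPv6" or "TYPE" not in fields:
        return []
    icmp_type = int(fields["TYPE"])
    hoplimit = fields.get("HOPLIMIT")
    # ND with a hop limit other than 255 is not a valid on-link packet, so
    # dropping it is correct and it is reported separately.
    if icmp_type in ND_TYPES and hoplimit != "255":
        return [f"{prefix} ICMPv6 type {icmp_type} with HOPLIMIT={hoplimit}: "
                "not a valid on-link ND packet (RFC 4861 requires 255); "
                "dropping it is fine"]
    name = MUST_NOT_DROP.get(icmp_type)
    if name is None:
        return []
    return [f"{prefix} logged ICMPv6 type {icmp_type} ({name}) "
            f"{fields.get('SRC')} -> {fields.get('DST')}: "
            "RFC 4890 section 4.4.1 says this must not be dropped"]


def audit(lines):
    """Run every line through the parser; return (findings, per-type counts)."""
    findings, counts = [], Counter()
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        if fields.get("PROTO") == "ICMPv6" and "TYPE" in fields:
            counts[int(fields["TYPE"])] += 1
        findings.extend(classify(prefix, fields))
    return findings, counts


# Sample input: the first two lines are taken from the question; the rest are
# constructed (a Neighbor Solicitation with a bad hop limit, a TCP SYN, and an
# unrelated sshd line) to exercise the other branches.
SAMPLE_LOG = """\
Jan 22 19:31:00 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:04 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:05 tara kernel: IN-global:IN=enp3s0f2 OUT= SRC=fe80:0000:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0001:ff00:0001 LEN=72 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Jan 22 19:31:06 tara kernel: IN-global:IN=enp3s0f2 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=23 WINDOW=64800 RES=0x00 SYN URGP=0
Jan 22 19:31:10 tara sshd[1234]: Accepted publickey for alice from 2001:db8::10 port 40001 ssh2
"""


if __name__ == "__main__":
    found, per_type = audit(SAMPLE_LOG.splitlines())
    for finding in found:
        print(finding)
    print("ICMPv6 types seen:", dict(per_type))
```

On a live system feed it the output of journalctl -k (or the file syslog writes the kernel facility to); a non-empty findings list after applying the v6interop block from the answer means some other chain is still logging one of the listed types.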
