Thread: syslog full of UFW BLOCK PROTO=ICMPv6

  1. #1

    syslog full of UFW BLOCK PROTO=ICMPv6

    [Ubuntu Server 12.04.05 LTS]

    Hi all,
    Hope you can help me with this

    My syslog is full of these local link scope pings being blocked and I'd like to know what I have to do to allow them so it stops logging:
    Oct 6 13:56:26 servername kernel: [333021.138558] [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:00:01:80:3f:5d:87:e2:93:86:dd SRC=fe80:0000:0000:0000:823f:5dff:fe87:e293 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0
    my /etc/default/ufw has:
    Code:
    # Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
    # accepted). You will need to 'disable' and then 'enable' the firewall for
    # the changes to take affect.
    IPV6=yes
    (I'd prefer to leave it enabled)

    I've tried adding a user rule:

    Code:
    sudo ufw allow from fe80::/10 to ff02::0001 proto icmpv6
    sudo ufw allow from fe80::/10 to ff02::0001 proto ICMPv6
    both fail with:
    ERROR: Unsupported protocol 'icmpv6'
    ERROR: Unsupported protocol 'ICMPv6'
    I've also tried adding to the before.rules:
    Code:
    -A ufw-before-input -p icmpv6 --icmpv6-type echo-request -s fe80::/10 -j ACCEPT
    &/or:
    -A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -s fe80::/10 -j ACCEPT
    but then the service won't start:
    ~$ sudo service ufw restart
    ufw stop/waiting
    start: Job failed to start
    ~$

    I want to allow the link-local scope to ping with ICMPv6 and I'm having a hard time searching for the proper way to allow it. The wikis are slim on the subject:
    https://wiki.ubuntu.com/UncomplicatedFirewall
    I find nothing

    https://wiki.ubuntu.com/IPv6
    Code:
    Tunneled IPv6
    
    If your uplink only passes IPv4 traffic, you will need to tunnel your IPv6 traffic to a compatible relay somewhere. Most tunnels use IPv4 protocol 41 encapsulation (6in4), where the data payload is just the IPv6 packet itself. Not all firewalls and NATs can properly pass protocol 41. Alternatively providers might provide AYIYA or TSP tunnels which send their tunneled packets over UDP, which is generally accepted by most firewalls and supported by most NATs.
    Note: ICMP is protocol 1, IGMP is protocol 2, TCP is protocol 6, UDP is protocol 17.
    (except I'm not worried about tunneled 4to1)

    https://help.ubuntu.com/community/UFW
    Code:
    Enable PING
    
    Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.
    In order to disable ping (icmp) requests, you need to edit /etc/ufw/before.rules and remove the following lines:
    
    # ok icmp codes
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
    (do I have to duplicate these lines with ufw6-before-input?)

    Thanks in advance for any help you can offer

  2. #2

    Re: syslog full of UFW BLOCK PROTO=ICMPv6

    I could just allow all with:
    Code:
    sudo ufw allow from fe80::/10 to ff02::1
    but I'd rather not.

    Seems like it should be possible I'm just not finding the right location or syntax somewhere.

    again thanks if you can point me in the right direction

  3. #3

    Re: syslog full of UFW BLOCK PROTO=ICMPv6

    After looking into this a little more I realized this is my wireless bridge device I have connecting my non-wired bedroom htpc to my wired network.

    The packets are Multicast Listener Queries (ICMPv6 Type 130) from the device, looking, I'm guessing, for streaming devices on the network for some reason (there's nothing documented from the manufacturer as to why it's doing it, so I'm guessing).

    I could of course allow all proto/ports from the specific IPv6 addresses of the two bridges but I'd like to learn how to break it down and allow the specific protocol & type.
    After realizing I can't add "-A ufw6-before-input..." into the before.rules file rather than the before6.rules file... *kicks self*

    Adding:
    Code:
    -A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -s fe80::/10 -j ACCEPT
    to before6.rules and restarting the service, UFW starts ok but the packets are still getting blocked, so type: echo-request won't cover type=130 :-/

    Is there any documentation about the before6.rules, and specifically the names of the --icmpv6-type options?

  4. #4

    Re: syslog full of UFW BLOCK PROTO=ICMPv6

    Turns out the answer was simply 130:

    /etc/ufw/before6.rules
    Quote Originally Posted by david144
    -A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80:0000:0000:0000:823f:5dff:fe87:e293/64 -j ACCEPT
    Code:
    sudo service ufw restart
    I just didn't realize it could be a numeric value, I was assuming it had to be a word like multicast-listener or something.
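The thread's final rule was found by trial and error; a more systematic route is to read the `[UFW BLOCK]` line itself, name the ICMPv6 type, check the source scope and destination group, and only then write the narrowest before6.rules line that matches. The script below is an added example written for this thread, not code from the poster or from the ufw project. It parses the exact log line from post #1 (plus two constructed lines for contrast), labels the ICMPv6 type from a table I assembled from RFC 4443/2710/3810, records whether ip6tables has a mnemonic for that type (the MLD types, including 130, have none, which is why the numeric form was needed), and proposes a rule restricted to link-local sources and the specific multicast destination seen in the log. That rule is narrower than the one in the thread (it adds `-d ff02::1`); the function and field names are my own.

```python
import ipaddress

# ICMPv6 type numbers (RFC 4443, RFC 2710, RFC 3810) with a descriptive label
# and whether ip6tables accepts that label as a --icmpv6-type mnemonic.
# Types marked False (the MLD family, including the 130 seen in the thread)
# have no mnemonic and must be written numerically in before6.rules.
ICMPV6_TYPES = {
    1: ("destination-unreachable", True),
    2: ("packet-too-big", True),
    3: ("time-exceeded", True),
    4: ("parameter-problem", True),
    128: ("echo-request", True),
    129: ("echo-reply", True),
    130: ("multicast-listener-query", False),
    131: ("multicast-listener-report", False),
    132: ("multicast-listener-done", False),
    133: ("router-solicitation", True),
    134: ("router-advertisement", True),
    135: ("neighbour-solicitation", True),
    136: ("neighbour-advertisement", True),
    137: ("redirect", True),
    143: ("mldv2-listener-report", False),
}

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ALL_NODES = ipaddress.ip_address("ff02::1")

# Constructed sample: the line quoted in post #1, plus two made-up lines
# (a global-unicast echo-request and an IPv4 TCP SYN) for contrast.
SAMPLE_LOG = """\
Oct 6 13:56:26 servername kernel: [333021.138558] [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:00:01:80:3f:5d:87:e2:93:86:dd SRC=fe80:0000:0000:0000:823f:5dff:fe87:e293 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0
Oct 6 13:57:01 servername kernel: [333056.000001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0010 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0
Oct 6 13:57:05 servername kernel: [333060.000002] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse_ufw_block(line):
    """Split one '[UFW BLOCK]' syslog line into a dict of KEY=value fields.
    Bare flag tokens without '=' (e.g. 'DF', 'SYN') are stored as True.
    Returns None if the line carries no UFW BLOCK record."""
    marker = "[UFW BLOCK]"
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = {}
    for tok in line[idx + len(marker):].split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    return fields


def describe(fields):
    """One-line summary: protocol, ICMPv6 type label, source scope and
    destination kind, so the admin knows what is being dropped."""
    proto = fields.get("PROTO", "?")
    if proto != "ICMPv6":
        return f"{proto} {fields.get('SRC')} -> {fields.get('DST')}"
    t = int(fields["TYPE"])
    label, _has_mnemonic = ICMPV6_TYPES.get(t, (f"type-{t}", False))
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    scope = "link-local" if src in LINK_LOCAL else "non-link-local"
    if dst == ALL_NODES:
        target = "all-nodes multicast"
    elif dst.is_multicast:
        target = "multicast"
    else:
        target = "unicast"
    return f"ICMPv6 {label} ({t}) from {scope} {src} to {target} {dst}"


def suggest_before6_rule(fields):
    """For ICMPv6 from a link-local source to a multicast group, return a
    before6.rules line accepting exactly that type, source scope and group.
    The type is always numeric so it also works for types without an
    ip6tables mnemonic. Anything else returns None: no broader rule is
    proposed automatically."""
    if fields.get("PROTO") != "ICMPv6":
        return None
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if src not in LINK_LOCAL or not dst.is_multicast:
        return None
    t = int(fields["TYPE"])
    return (f"-A ufw6-before-input -p icmpv6 --icmpv6-type {t} "
            f"-s {LINK_LOCAL} -d {dst} -j ACCEPT")


def analyse(log_text):
    """Run both helpers over every UFW BLOCK line in a syslog excerpt."""
    out = []
    for line in log_text.splitlines():
        fields = parse_ufw_block(line)
        if fields is None:
            continue
        out.append({"summary": describe(fields),
                    "rule": suggest_before6_rule(fields)})
    return out


if __name__ == "__main__":
    for entry in analyse(SAMPLE_LOG):
        print(entry["summary"])
        print("  rule:", entry["rule"] or "(none suggested)")
```

Run against a real syslog with `analyse(open("/var/log/syslog").read())`; each proposed line goes into the filter section of /etc/ufw/before6.rules before the final `COMMIT`, followed by the `sudo service ufw restart` the thread uses. Only link-local-to-multicast ICMPv6 ever gets a suggestion; a blocked packet from a global address, or a TCP SYN, is reported but left to a human decision.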
