[FS#73] Router doesn't answer to ping to ff02::1

LEDE Bugs lede-bugs at lists.infradead.org
Wed Aug 24 21:11:00 PDT 2016


The following task has a new comment added:

FS#73 - Router doesn't answer to ping to ff02::1
User who did this - Vittorio Gambaletta (VittGam)

----------
Hi,

I hope this will not lead to security problems in the future. I know that one of the best practices for configuring netfilter is to always drop INVALID packets, for example to avoid unNATted packets going through the firewall; but netfilter is quite... complicated, so maybe there could be other corner cases which are unhandled now. Anyway, it seems it should still be okay with these patches (at least for the unNATted packets case) when the default policy for the FORWARD chain in the filter table is DROP.

What about this patch from me instead, which specifically allowed link-local IPv6 to bypass the INVALID-matching rules? https://patchwork.ozlabs.org/patch/617646/

Cheers,
Vittorio
----------

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=73#comment310


