
I have a compliance test that requires my node to respond to unrecognized next headers per RFC 2460. I am running a Debian 3.16 kernel. My current firewall implementation drops these frames, since the INPUT chain's default policy is DROP unless a rule matches. I have a few match rules, but they are very specific to items that I want to allow through. Since this is a pretty vanilla frame, if I allow all unrecognized traffic then what is the point of having a firewall? I saw a man page for ip6tables that allows some header filtering, but my version of ip6tables (1.4.21) does not.

Is there an easy way to allow this specific traffic without opening the firewall up completely?

Full disclosure: I thought about asking this question here first, but I asked on the UNIX forum first with little traffic and no response so I moved to Network Engineering and was told to ask it here instead.

1 Answer


You may want to try this:

ip6tables -A INPUT -m ipv6header --soft --header hop,dst,route,frag,auth,esp,none,prot -j ACCEPT

Assuming your ip6tables has the ipv6header module compiled in, this command should match most of the next-header cases and ACCEPT them.

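Added example (Python), not code from the question or the answer: a user-space model of the extension-header walk that the ipv6header match performs, following the semantics in the iptables-extensions man page (exact set match by default, any-of with --soft; ESP and "No Next Header" end the walk, anything else counts as the upper-layer "prot"). It evaluates the rule from the answer against a few constructed packets, so you can see what it actually lets through. The next-header value 253 (an RFC 4727 experimentation number) is an assumption standing in for whatever unrecognized value the compliance test sends, and targeted_rules() is a tighter alternative suggested here, not part of the answer.

```python
"""Model of what `ip6tables -m ipv6header` selects.

Added example, not code from the question or the answer. It re-implements in
Python the extension-header walk that the ipv6header match performs, using
the semantics from the iptables-extensions man page, so the rule given in the
answer can be evaluated against constructed packets offline.
"""
import struct

# IANA Next Header / protocol numbers (standard values, not assumptions).
HOPOPTS, TCP, UDP = 0, 6, 17
ROUTING, FRAGMENT, ESP, AH = 43, 44, 50, 51
ICMPV6, NONE, DSTOPTS = 58, 59, 60
# RFC 4727 reserves 253/254 for experimentation; 253 stands in here for a
# next-header value the node does not recognise (an assumption about the test).
UNRECOGNIZED = 253

# Extension headers the match walks through; everything else ends the walk.
EXT_NAMES = {HOPOPTS: "hop", DSTOPTS: "dst", ROUTING: "route",
             FRAGMENT: "frag", AH: "auth"}


def walk_headers(packet):
    """Return (names, final_nexthdr): the ipv6header --header names present in
    the packet, and the Next Header value left after the last extension header
    (which is what `ip6tables -p <number>` compares against)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    names, nexthdr, off = set(), packet[6], 40
    while nexthdr in EXT_NAMES:
        if off + 2 > len(packet):
            raise ValueError("truncated extension header")
        names.add(EXT_NAMES[nexthdr])
        if nexthdr == FRAGMENT:               # fixed 8 octets
            hdrlen = 8
        elif nexthdr == AH:                   # length in 4-octet units, minus 2
            hdrlen = (packet[off + 1] + 2) * 4
        else:                                 # length in 8-octet units, minus 1
            hdrlen = (packet[off + 1] + 1) * 8
        nexthdr, off = packet[off], off + hdrlen
    # ESP and "No Next Header" (59) end the chain without an upper-layer protocol;
    # any other value, recognised or not, is reported as "prot".
    names.add("esp" if nexthdr == ESP else "none" if nexthdr == NONE else "prot")
    return names, nexthdr


def ipv6header_match(packet, headers, soft=False):
    """--header semantics: exact set equality by default, any overlap with --soft."""
    present, _ = walk_headers(packet)
    wanted = set(headers)
    return bool(present & wanted) if soft else present == wanted


ANSWER_HEADERS = ["hop", "dst", "route", "frag", "auth", "esp", "none", "prot"]


def answer_rule_matches(packet):
    """The rule from the answer: -m ipv6header --soft --header <all of them>."""
    return ipv6header_match(packet, ANSWER_HEADERS, soft=True)


def targeted_rules(nexthdrs):
    """Tighter alternative (suggested here, not from the answer): accept only the
    specific next-header values the compliance test sends, and let the kernel's
    ICMPv6 Parameter Problem reply (RFC 2460 section 4) leave via OUTPUT."""
    rules = ["ip6tables -A INPUT -p %d -j ACCEPT" % n for n in nexthdrs]
    rules.append("ip6tables -A OUTPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT")
    return rules


# --- constructed packets (loopback-style addresses, zeroed payloads) ---------
def ipv6_packet(nexthdr, payload=b""):
    src, dst = bytes(16), bytes(15) + b"\x01"
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nexthdr, 64, src, dst) + payload


def opt_header(nexthdr):
    """Minimal 8-octet Hop-by-Hop/Destination Options header holding one PadN(4)."""
    return bytes([nexthdr, 0, 1, 4, 0, 0, 0, 0])


def frag_header(nexthdr, ident=0x1234):
    return struct.pack("!BBHI", nexthdr, 0, 0, ident)


SAMPLE_PACKETS = {
    "tcp":         ipv6_packet(TCP, bytes(20)),
    "hop+unknown": ipv6_packet(HOPOPTS, opt_header(UNRECOGNIZED) + bytes(8)),
    "dst+icmpv6":  ipv6_packet(DSTOPTS, opt_header(ICMPV6) + bytes(8)),
    "frag+udp":    ipv6_packet(FRAGMENT, frag_header(UDP) + bytes(8)),
    "esp":         ipv6_packet(ESP, bytes(16)),
    "none":        ipv6_packet(NONE),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        present, proto = walk_headers(pkt)
        print("%-12s headers=%-10s last nexthdr=%3d  answer rule accepts=%s"
              % (name, ",".join(sorted(present)), proto, answer_rule_matches(pkt)))
    print("\n".join(targeted_rules([UNRECOGNIZED])))
```

What the model makes visible is the caveat with the answer's rule: because every chain that does not end in ESP or 59 is reported as "prot", `--soft` with `prot` in the list matches effectively every IPv6 packet, so it opens INPUT almost as wide as a blanket ACCEPT. The match also cannot tell an unrecognized next header from TCP; both are "prot". If the goal is only to let the kernel emit the ICMPv6 Parameter Problem (code 1, unrecognized Next Header) that RFC 2460 section 4 requires, accepting just the numeric protocol the test uses with `-p <number>`, and making sure the reply can leave through OUTPUT, keeps the rest of the default-DROP policy intact. Headers inside ESP are out of scope for the match either way.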