mirror of
https://github.com/firehol/firehol.git
synced 2024-06-28 18:02:33 +00:00
Explain that ICMPv6 ND/RD packets are untracked
parent b9d3663767
commit edd7dace10
@@ -229,11 +229,16 @@ FIREHOL_DROP_INVALID
: If set to 1, this variable causes FireHOL to drop all packets
matched as `INVALID` in the iptables(8) connection tracker.

You may be better off using
[firehol-protection(5)][keyword-firehol-protection] to control
matching of `INVALID` packets and others on a per-interface
and per-router basis.

> **Note**
>
> You can use [firehol-protection(5)][keyword-firehol-protection] to
> control matching of `INVALID` packets and others on a per-interface
> and per-router basis.
> Care must be taken on IPv6 interfaces, since ICMPv6 packets such
> as Neighbour Discovery are not tracked, meaning they are marked
> as INVALID.

Example:


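Review bot: The last sentence of the added note ("are not tracked, meaning they are marked as INVALID") contradicts the wording this same commit uses in the services hunk, which calls the same ICMPv6 neighbour discovery packets "untracked" and says they are not included in `all`; in iptables these are two different conntrack states (`--ctstate UNTRACKED` is its own value and is not matched by `INVALID`), so a reader cannot tell from the two texts whether `FIREHOL_DROP_INVALID=1` actually drops neighbour discovery or not. Please pick one description, state which conntrack state the packets carry, and say what the admin should do about it (the note currently only says "care must be taken"), e.g. something like `> as Neighbour Discovery are not tracked; make sure they are accepted explicitly before any rule that drops on connection-tracker state.` The removed paragraph and the new note otherwise carry the same text, so the change is purely a move into a callout.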
@@ -7437,8 +7437,10 @@ All the others are simple single socket services.

Please note that the service:

all matches all packets, all protocols, all of everything,
while ensuring that required kernel modules are loaded.
all matches all packets and all protocols, while ensuring that
required kernel modules are loaded. Packets "untracked" by
iptables (e.g. ICMPv6 neighbour discovery packets) are not
included in "all" and must be handled separately.

any allows the matching of packets with unusual rules, like
only protocol but no ports. If service any is used
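Review bot: "must be handled separately" in the replacement paragraph tells the reader that `all` will not pass ICMPv6 neighbour discovery on an IPv6 interface but not how to handle it; please name the service or the firehol-protection option that accepts these packets, or add a cross-reference to the section that covers them, otherwise an interface that relies on `all` loses neighbour discovery with no hint in this paragraph about the fix. Also consider dropping the quotes around "untracked" and stating it as the conntrack state (UNTRACKED) so the wording matches whatever the FIREHOL_DROP_INVALID note in the same commit settles on; that note currently says the same packets are marked INVALID.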