From edd7dace10427c8f0780764ec5ea81d69e3857d7 Mon Sep 17 00:00:00 2001 From: Phil Whineray Date: Sun, 27 Jul 2014 11:23:42 +0100 Subject: [PATCH] Explain that ICMPv6 ND/RD packets are untracked --- doc/firehol/firehol-variables.5.md | 11 ++++++++--- sbin/firehol.in | 6 ++++-- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/doc/firehol/firehol-variables.5.md b/doc/firehol/firehol-variables.5.md index 18ecbdc..0dfb5b9 100644 --- a/doc/firehol/firehol-variables.5.md +++ b/doc/firehol/firehol-variables.5.md @@ -229,11 +229,16 @@ FIREHOL\_DROP\_INVALID : If set to 1, this variable causes FireHOL to drop all packets matched as `INVALID` in the iptables(8) connection tracker. + You may be better off using + [firehol-protection(5)][keyword-firehol-protection] to control + matching of `INVALID` packets and others on a per-interface + and per-router basis. + > **Note** > - > You can use [firehol-protection(5)][keyword-firehol-protection] to - > control matching of `INVALID` packets and others on a per-interface - > and per-router basis. + > Care must be taken on IPv6 interfaces, since ICMPv6 packets such + > as Neighbour Discovery are not tracked, meaning they are marked + > as INVALID. Example: diff --git a/sbin/firehol.in b/sbin/firehol.in index c95c4ae..8c6fd57 100755 --- a/sbin/firehol.in +++ b/sbin/firehol.in @@ -7437,8 +7437,10 @@ All the others are simple single socket services. Please note that the service: - all matches all packets, all protocols, all of everything, - while ensuring that required kernel modules are loaded. + all matches all packets and all protocols, while ensuring that + required kernel modules are loaded. Packets "untracked" by + iptables (e.g. ICMPv6 neighbour discovery packets) are not + included in "all" and must be handled separately. any allows the matching of packets with unusual rules, like only protocol but no ports. If service any is used
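Review bot: the new doc note in the firehol-variables.5.md hunk says untracked ICMPv6 packets "are marked as INVALID", but the sbin/firehol.in hunk of the same patch describes them as "untracked", and in the iptables conntrack match UNTRACKED and INVALID are distinct states that a rule set handles differently. Please align the two descriptions and say which behaviour (INVALID or UNTRACKED) applies, or qualify the doc note with the kernel range it was observed on, so that someone enabling FIREHOL_DROP_INVALID on an IPv6 interface knows what to test for. Also, the subject line says "ND/RD" but the note only names Neighbour Discovery; consider spelling out Router Solicitation/Advertisement as well, e.g. "ICMPv6 packets such as Neighbour Discovery and Router Discovery are not tracked".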
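Review bot: the firehol.in hunk tells the reader that untracked packets "must be handled separately" but gives no pointer to how, so a user who relied on "all" covering everything is left without a next step; add a cross-reference to the keyword or service that does match them (the doc hunk already references firehol-protection(5) for the related INVALID handling, and that link could be reused here if it is the intended mechanism). Minor: "untracked by iptables" reads better as "untracked by connection tracking", since it is the conntrack state, not iptables itself, that leaves these packets out.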