Hello,
I noticed that the current ip6tables rules generated by Shorewall
(version 4.5.6 on FC17 with ip6tables-1.4.14) block ICMPv6 packets
larger than 1452 bytes (which are fragmented in transit).
Could you please explain whether this is standard ip6tables behaviour or
whether I have to add some additional rules?
I run the command:
ping6 -s 1453 2001:db8:a23::333
and get the following message in the firewall log:
Aug 6 17:35:30 linux-host kernel: [76091.578492] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=78:e3:b5:94:62:ff:00:0f:fe:d5:3d:19:86:dd SRC=2001:0db8:0a23:0000:0000:0000:0000:0335 DST=2001:0db8:0a23:0000:0000:0000:0000:0333 LEN=108 TC=0 HOPLIMIT=64 FLOWLBL=0 FRAG:1448 ID:0000000e PROTO=ICMPv6
These are my ip6tables rules:
-A INPUT -i eth0 -j net2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 4 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 141 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 142 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 148 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -p ipv6-icmp -m icmp6 --icmpv6-type 149 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 151 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 152 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A AllowICMPs -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 153 -m comment --comment "Needed ICMP types (RFC4890)" -j ACCEPT
-A Broadcast -d 2001:db8:a23::/128 -j DROP
-A Broadcast -d 2001:db8:a23:0:ffff:ffff:ffff:ff80/121 -j DROP
-A Broadcast -d ff00::/8 -j DROP
-A Drop -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
-A Drop -p ipv6-icmp -j AllowICMPs
-A Drop -j Broadcast
-A Drop -j Invalid
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment SMB -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j DROP
-A Drop -p tcp -j NotSyn
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Invalid -m conntrack --ctstate INVALID -j DROP
-A NotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A Reject -p tcp -m tcp --dport 113 -m comment --comment Auth -j reject
-A Reject -p ipv6-icmp -j AllowICMPs
-A Reject -j Broadcast
-A Reject -j Invalid
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment SMB -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment SMB -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment SMB -j reject
-A Reject -p tcp -j NotSyn
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A fw2net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw2net -j ACCEPT
-A logdrop -j DROP
-A logreject -j reject
-A net2fw -m conntrack --ctstate INVALID,NEW -j dynamic
-A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment Ping -j ACCEPT
-A net2fw -j Drop
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net2fw -j DROP
-A reject -d 2001:db8:a23::/128 -j DROP
-A reject -d 2001:db8:a23:0:ffff:ffff:ffff:ff80/121 -j DROP
-A reject -s ff00::/8 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp6-port-unreachable
-A reject -p ipv6-icmp -j REJECT --reject-with icmp6-addr-unreachable
-A reject -j REJECT --reject-with icmp6-adm-prohibited
-A sfilter -j LOG --log-prefix "Shorewall:sfilter:DROP:" --log-level 6
-A sfilter -j DROP
COMMIT
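An added example for this thread, not part of the original post and not Shorewall's own code: a small Python script that parses ip6tables LOG lines of the kind quoted above and works through why a non-first IPv6 fragment of an inbound echo request cannot be accepted by any rule in the posted net2fw / AllowICMPs chains. It relies on these facts: IPv6 fragment offsets are multiples of 8 and only the first fragment carries the ICMPv6 header; the kernel's icmp6 match refuses to match a non-first fragment for that reason; and the LOG target's LEN field is the IPv6 payload length plus the 40-byte IPv6 header. The SAMPLE_LOG line is a constructed copy of the log line in the question, FIRST_FRAGMENT_LOG is a constructed first-fragment line, and the chain walk treats the `dynamic` chain (not shown in the post) as empty.

```python
"""Decode ip6tables LOG lines and explain the fragmented-ping drop (added example)."""
import re
from typing import Dict, List, Optional

IPV6_HDR = 40    # fixed IPv6 header
FRAG_HDR = 8     # Fragment extension header
ICMPV6_HDR = 8   # echo request/reply header (type, code, checksum, id, seq)

# Constructed copy of the log line quoted in the question, joined onto one line.
SAMPLE_LOG = (
    "Aug 6 17:35:30 linux-host kernel: [76091.578492] Shorewall:net2fw:DROP:"
    "IN=eth0 OUT= MAC=78:e3:b5:94:62:ff:00:0f:fe:d5:3d:19:86:dd "
    "SRC=2001:0db8:0a23:0000:0000:0000:0000:0335 "
    "DST=2001:0db8:0a23:0000:0000:0000:0000:0333 LEN=108 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 FRAG:1448 ID:0000000e PROTO=ICMPv6"
)
# Constructed first fragment of the same datagram (no Shorewall prefix: with the
# posted rules a first fragment is accepted, so it would not be logged).
FIRST_FRAGMENT_LOG = (
    "kernel: [1.000000] IN=eth0 OUT= MAC=78:e3:b5:94:62:ff:00:0f:fe:d5:3d:19:86:dd "
    "SRC=2001:0db8:0a23::335 DST=2001:0db8:0a23::333 LEN=1496 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 FRAG:0 ID:0000000e PROTO=ICMPv6 TYPE=128 CODE=0 ID=4242 SEQ=1"
)

_PREFIX = re.compile(r"(Shorewall:[\w-]+:[A-Z]+):")
_KV = re.compile(r"(\w+)=(\S*)")
_FRAG = re.compile(r"FRAG:(\d+) ID:([0-9a-fA-F]+)")


def parse_log_line(line: str) -> Dict[str, object]:
    """Return the LOG target's key=value fields; FRAG/ID become frag_offset/frag_id."""
    fields: Dict[str, object] = {}
    m = _PREFIX.search(line)
    if m:
        fields["prefix"] = m.group(1)
    for key, val in _KV.findall(line):
        fields[key] = val
    m = _FRAG.search(line)
    if m:
        fields["frag_offset"] = int(m.group(1))   # bytes, already a multiple of 8
        fields["frag_id"] = int(m.group(2), 16)
    return fields


def is_non_first_fragment(fields: Dict[str, object]) -> bool:
    """Only a non-first fragment lacks the upper-layer (ICMPv6) header."""
    return int(fields.get("frag_offset", 0)) > 0


def fragment_payload_bytes(fields: Dict[str, object]) -> Optional[int]:
    """Bytes after the Fragment header in a logged fragment (None if no fragment header)."""
    if "frag_offset" not in fields:
        return None
    return int(fields["LEN"]) - IPV6_HDR - FRAG_HDR


def icmpv6_echo_fragments(data_len: int, mtu: int = 1500) -> List[Dict[str, int]]:
    """Fragments a host emits for `ping6 -s data_len` over a link MTU of `mtu`.
    A single entry with offset 0 means the datagram was not fragmented."""
    total = ICMPV6_HDR + data_len
    if IPV6_HDR + total <= mtu:
        return [{"offset": 0, "payload": total}]
    per_frag = (mtu - IPV6_HDR - FRAG_HDR) // 8 * 8   # offsets are in 8-byte units
    frags, off = [], 0
    while off < total:
        n = min(per_frag, total - off)
        frags.append({"offset": off, "payload": n})
        off += n
    return frags


def net2fw_verdict(fields: Dict[str, object], ctstate: str = "NEW") -> str:
    """Walk the posted net2fw chain for one ICMPv6 packet (simplified: the Drop
    chain only matters here through AllowICMPs, whose rules also need --icmpv6-type).
    An inbound echo request is the first packet of its flow, so every fragment of
    it is NEW until a reply has been seen; hence the default ctstate."""
    if ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT (conntrack RELATED,ESTABLISHED)"
    if fields.get("PROTO") == "ICMPv6" and not is_non_first_fragment(fields):
        if fields.get("TYPE") == "128":
            return "ACCEPT (-m icmp6 --icmpv6-type 128)"
    if is_non_first_fragment(fields):
        return "LOG+DROP (no ICMPv6 header in this fragment, so no --icmpv6-type rule can match)"
    return "LOG+DROP (end of net2fw)"


if __name__ == "__main__":
    f = parse_log_line(SAMPLE_LOG)
    print(f["prefix"], "offset", f["frag_offset"], "tail payload", fragment_payload_bytes(f))
    print(net2fw_verdict(f))
    for size in (1452, 1453, 1500):
        print("ping6 -s", size, "->", icmpv6_echo_fragments(size))
```

Run against the quoted line, the script reports offset 1448 and a 60-byte tail (LEN=108 minus 48 bytes of headers), which is the second fragment of an echo request carrying 1500 data bytes; a 1453-byte ping fragments at the same offset with a 13-byte tail, and 1452 bytes is the largest payload that still fits in one 1500-byte packet, matching the threshold observed in the question. In the posted chains every ICMPv6 accept goes through `-m icmp6 --icmpv6-type`, which the kernel only evaluates when the ICMPv6 header is present, so the trailing fragment of a new inbound echo request has nothing left to match and reaches the LOG and DROP at the end of net2fw, exactly as logged.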