防止丢弃 IPv6 路由器请求（类型 133）数据包

2024-5-28 • tag-icon

我看到如下日记条目，它们每隔 4 秒出现一次：

Jan 22 19:31:00 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:04 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:08 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:12 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0

RFC4890 - 在防火墙中过滤 ICMPv6 消息的建议列出Router Solicitation (Type 133) 在Section 4.4.1 - Traffic That Must Not Be Dropped.

但看来我的配置确实正在删除它们。

我的 iptables 是由生成的firehol，配置如下：

version 6

# ssh on port 5090 (ssh is a built-in service name)
server_ssh_hidden_ports="tcp/5090"
client_ssh_hidden_ports="default"

# mosh
server_mosh_ports="udp/60001:60020" # Mosh uses 60001 to 60999 counting up
client_mosh_ports="default"

# NoMachine (nxserver is a built-in, but seemingly on incorrect ports)
server_nomachine_ports="tcp/4000"
client_nomachine_ports="default"

# Deluge
server_deluge_ports="tcp/8112"
client_deluge_ports="default"

# Zerotier-one
interface zt0 zerotier
        policy reject # be nicer than default "drop" on internal network
        protection strong

        server "ssh_hidden mosh" accept with limit 8/min 10 # rate/period [burst]
        server "nomachine deluge" accept with limit 8/min 10 # rate/period [burst]
        #server "ssh_hidden nomachine" accept with recent recent-zerotier 30 6 # name, seconds, attempts per period

        client all accept

# All interfaces - look at fallthrough if putting this non-last as it didn't work without it
interface any global
        protection strong
        server ssh_hidden accept with limit 8/min 10
        client all accept

如何删除这些嘈杂的日志消息？

答案1

正如中提到的FireHOL IPv6 设置，将以下内容添加到您的顶部firehol.conf：

ipv6 interface any v6interop proto icmpv6
  client ipv6neigh accept
  server ipv6neigh accept
  client ipv6mld accept
  client ipv6router accept
  policy return

答案1

相关内容