我看到如下日记条目,它们每隔 4 秒出现一次:
Jan 22 19:31:00 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:04 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:08 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
Jan 22 19:31:12 tara kernel: OUT-global:IN= OUT=enp3s0f2 SRC=fe80:0000:0000:0000:56e4:c37c:30cc:668f DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=158870 PROTO=ICMPv6 TYPE=133 CODE=0
RFC4890 - 在防火墙中过滤 ICMPv6 消息的建议列出Router Solicitation (Type 133)
在Section 4.4.1 - Traffic That Must Not Be Dropped
.
但看来我的配置确实正在删除它们。
我的 iptables 是由生成的firehol
,配置如下:
version 6
# ssh on port 5090 (ssh is a built-in service name)
server_ssh_hidden_ports="tcp/5090"
client_ssh_hidden_ports="default"
# mosh
server_mosh_ports="udp/60001:60020" # Mosh uses 60001 to 60999 counting up
client_mosh_ports="default"
# NoMachine (nxserver is a built-in, but seemingly on incorrect ports)
server_nomachine_ports="tcp/4000"
client_nomachine_ports="default"
# Deluge
server_deluge_ports="tcp/8112"
client_deluge_ports="default"
# Zerotier-one
interface zt0 zerotier
policy reject # be nicer than default "drop" on internal network
protection strong
server "ssh_hidden mosh" accept with limit 8/min 10 # rate/period [burst]
server "nomachine deluge" accept with limit 8/min 10 # rate/period [burst]
#server "ssh_hidden nomachine" accept with recent recent-zerotier 30 6 # name, seconds, attempts per period
client all accept
# All interfaces - look at fallthrough if putting this non-last as it didn't work without it
interface any global
protection strong
server ssh_hidden accept with limit 8/min 10
client all accept
如何删除这些嘈杂的日志消息?
答案1
正如中提到的FireHOL IPv6 设置,将以下内容添加到您的顶部firehol.conf
:
ipv6 interface any v6interop proto icmpv6 client ipv6neigh accept server ipv6neigh accept client ipv6mld accept client ipv6router accept policy return