
Plesk Firewall & IPv6

ElmarG

New Pleskian
It seems as if there's a problem with the IPv6 firewall ICMPv6 default settings. On our installations Plesk generates the following rules for icmpv6:

/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT

After activating the firewall, at first everything looks fine, but a few clicks later I noticed outages on the web interface and also on the SSH console. As this is a typical result of MTU problems, I inspected the firewall rules and noticed that ICMPv6 "packet-too-big" messages are being dropped, which always causes such problems.
To give a short explanation of our typical setup: the servers are directly connected to the internet with an MTU of 1500, but the workstations from which we access the servers are behind a DSL line which has only an MTU of 1454. As a result of this, for every packet it sends to our workstation with an MTU > 1454 the server gets an ICMPv6 reply "packet-too-big". Under normal circumstances the IP stack would fragment the packet and send it again, but since the packet-too-big message is dropped, the connection breaks.
According to RFC 4890, packet-too-big messages must be accepted.

First I tried to fix this with a custom firewall rule in the web interface, but this seems to lack support for ICMP (only TCP and UDP are allowed), so as a first fix I had to add my rule manually to /opt/psa/var/modules/firewall/firewall-active.sh.

In general the following line should fix the problem:

/sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT

As this didn't work, I inspected the dropped packets; here is the result of a regular ping packet with a size of 1500 bytes:

May 13 00:49:53 web01 kernel: [ 5098.923791] IN=eth0 OUT= MAC=ZZZ SRC=XXX:1000 DST=YYY:3000 LEN=1488 TC=0 HOPLIMIT=124 FLOWLBL=0 FRAG:0 INCOMPLETE ID:0000002e PROTO=ICMPv6 TYPE=128 CODE=0 ID=2 SEQ=3363
May 13 00:49:53 web01 kernel: [ 5098.923964] IN=eth0 OUT= MAC=ZZZ SRC=XXX:1000 DST=YYY:3000 LEN=116 TC=0 HOPLIMIT=124 FLOWLBL=0 FRAG:1440 ID:0000002e PROTO=ICMPv6

The first line shows the ping packet; the second line is the packet-too-big answer from the router in front of our DSL line. As you may notice, this line does not contain the packet type and code (this should be TYPE=2 CODE=0). At the moment I'm not sure why the ICMP type and code were not detected, so the only way to get the firewall working with IPv6 is to allow any ICMPv6 packets with:

/sbin/ip6tables -A INPUT -p icmpv6 -j ACCEPT

Maybe someone knows a better solution to keep IPv6 running.

So here's my question: how do I create a persistent rule to accept ICMPv6 packets? The web interface does not allow this, and /opt/psa/var/modules/firewall/firewall-active.sh is replaced each time I change the firewall configuration.

Plesk 10.4.4 Update #31 - Debian Squeeze 64 Bit
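As an added example (not from the post or from Plesk), a small Python parser for the two netfilter LOG lines quoted above: it separates the `FRAG:<offset>`, `INCOMPLETE` and `ID:<hex>` tokens from the `KEY=VALUE` ones and shows why a rule with `--icmpv6-type` can match only the first fragment: TYPE and CODE come from the ICMPv6 header, which a non-first fragment does not carry. It assumes the 40-byte IPv6 base header and 8-byte Fragment header are the only headers before the payload, so that the two payloads can be summed per fragment ID.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Constructed copy of the two kernel log lines quoted in the post (addresses anonymised as posted).
SAMPLE_LOG = """\
May 13 00:49:53 web01 kernel: [ 5098.923791] IN=eth0 OUT= MAC=ZZZ SRC=XXX:1000 DST=YYY:3000 LEN=1488 TC=0 HOPLIMIT=124 FLOWLBL=0 FRAG:0 INCOMPLETE ID:0000002e PROTO=ICMPv6 TYPE=128 CODE=0 ID=2 SEQ=3363
May 13 00:49:53 web01 kernel: [ 5098.923964] IN=eth0 OUT= MAC=ZZZ SRC=XXX:1000 DST=YYY:3000 LEN=116 TC=0 HOPLIMIT=124 FLOWLBL=0 FRAG:1440 ID:0000002e PROTO=ICMPv6
"""
IPV6_HDR, FRAG_HDR = 40, 8  # LEN in the LOG target output includes the 40-byte base header

@dataclass
class V6LogEntry:
    fields: Dict[str, str]              # KEY=VALUE tokens: IN, SRC, DST, LEN, PROTO, TYPE, CODE, ...
    frag_offset: Optional[int] = None   # "FRAG:<offset>"; None when the packet has no Fragment header
    more_fragments: bool = False        # "INCOMPLETE" token: the M (more fragments) flag is set
    frag_id: Optional[int] = None       # "ID:<hex>" after FRAG (distinct from the ICMP echo "ID=")

    def icmpv6_type(self) -> Optional[int]:
        return int(t) if (t := self.fields.get("TYPE")) is not None else None

    def type_rule_can_match(self) -> bool:
        # --icmpv6-type needs the ICMPv6 header, which only the first fragment carries.
        return self.fields.get("PROTO") == "ICMPv6" and self.icmpv6_type() is not None

    def payload_bytes(self) -> int:
        # Upper-layer bytes in this fragment (assumes the Fragment header is the only extension header).
        hdrs = IPV6_HDR + (FRAG_HDR if self.frag_offset is not None else 0)
        return int(self.fields["LEN"]) - hdrs

def parse_line(line: str) -> V6LogEntry:
    # Everything after the "[ <timestamp>]" prefix is whitespace-separated tokens.
    entry = V6LogEntry(fields={})
    for tok in line.split("] ", 1)[1].split():
        if tok.startswith("FRAG:"):
            entry.frag_offset = int(tok[5:])
        elif tok == "INCOMPLETE":
            entry.more_fragments = True
        elif tok.startswith("ID:"):
            entry.frag_id = int(tok[3:], 16)
        elif "=" in tok:
            key, _, val = tok.partition("=")
            entry.fields[key] = val
    return entry

def reassembled_payload(entries: List[V6LogEntry], frag_id: int) -> int:
    # Sum of the fragment payloads sharing one ID = payload size of the original datagram.
    return sum(e.payload_bytes() for e in entries if e.frag_id == frag_id)

if __name__ == "__main__":
    entries = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    print([(e.frag_offset, e.icmpv6_type(), e.type_rule_can_match()) for e in entries], reassembled_payload(entries, 0x2e))
```

For the quoted lines the two payloads sum to 1508 bytes under fragment ID 0x2e, an 8-byte ICMPv6 echo header plus 1500 bytes of data, and only the offset-0 fragment carries a TYPE that a type-specific ACCEPT rule can see.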
Hi,

Does your server support IPv6?

What's the output of this command?

------
cat /proc/net/if_inet6
-------
 
Does your server support IPv6?
What's the output of this command?
------
cat /proc/net/if_inet6
-------

Sure, this contains the IP addresses of the server:

00000000000000000000000000000001 01 80 10 80 lo
20010db8000000000000000000000010 02 40 00 a0 eth0
20010db8000000000000000000000020 02 40 00 80 eth0
fe800000000000000xxxxfffexxxxxx 02 40 20 80 eth0