s4mb0l Posted February 3, 2011

When I start uTorrent, I get a bunch of ICMP requests directed to my computer's IPv6 address:

16:45:13 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 128, code 0), 2001::5ef5:73b8:14fb:d87f:a2a8:282f->xxxx:xxxx:xxxx:x::x, len 12
16:45:15 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 128, code 0), 2001::5ef5:73b8:14fb:d87f:a2a8:282f->xxxx:xxxx:xxxx:x::x, len 12
16:45:17 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 128, code 0), 2001::5ef5:79fd:28fa:a320:b164:c833->xxxx:xxxx:xxxx:x::x, len 12
16:45:19 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 128, code 0), 2001::5ef5:79fd:28fa:a320:b164:c833->xxxx:xxxx:xxxx:x::x, len 12
16:45:21 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 128, code 0), 2001::5ef5:79fd:28fa:a320:b164:c833->xxxx:xxxx:xxxx:x::x, len 12

Is this behavior normal, because I'm blocking all ICMP traffic (except for the router)?

Firon Posted February 3, 2011

Why are you blocking all ICMP traffic? Some ICMP messages should be allowed. You break path MTU discovery and make it take a lot longer for peers to drop you from their peerlists (especially for DHT) when your client isn't running if you block everything.

And yeah, uT uses IPv6, so it's normal.

s4mb0l Posted February 3, 2011

OK, thanks for the response. I'm blocking it on my client machine for security purposes, but it's allowed on my router. Which types of ICMP messages are used for path MTU discovery, to allow it?

edit: I'm reading RFC 1981, and according to it, the router responds with ICMPv6 Packet Too Big (type 2) in case of a bigger MTU, and that's allowed on my side. Are there any other drawbacks of blocking ICMPv6 on my client machine?

Firon Posted February 3, 2011

http://en.wikipedia.org/wiki/ICMP_Destination_Unreachable

Honestly, blocking ICMP offers no security benefit whatsoever. In any case, you need to allow the above for ICMPv4, and at least codes 3 and 4.

For ICMPv6, you want type 1 and 2.
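
An added example, not part of any post in this thread: a small audit of firewall log lines in the format quoted in the first post, flagging any logged ICMPv6 type that the answer above says must stay allowed (types 1 and 2). The sample lines are constructed, and the script assumes every line comes from a rule that logs the packets it blocks.

```python
import re
from collections import Counter

# ICMPv6 types the thread says to allow, with their RFC 4443 names.
REQUIRED = {1: "Destination Unreachable", 2: "Packet Too Big"}
OTHER = {128: "Echo Request", 129: "Echo Reply"}

# Matches the log format quoted in the first post of the thread.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): .*?"
    r"proto ICMP \(type (?P<type>\d+), code (?P<code>\d+)\), "
    r"(?P<src>[0-9a-fA-Fx:.]+)->(?P<dst>[0-9a-fA-Fx:.]+), len (?P<len>\d+)$"
)

# Constructed sample input (documentation prefix 2001:db8::/32), not real traffic.
SAMPLE = """\
16:45:13 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 128, code 0), 2001:db8:1::10->2001:db8:ffff::2, len 12
16:45:15 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 128, code 0), 2001:db8:1::10->2001:db8:ffff::2, len 12
16:45:17 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 128, code 0), 2001:db8:2::20->2001:db8:ffff::2, len 12
16:45:19 firewall,info forward: in:wlan1 out:bridge1, src-mac 88:43:e1:xx:xx:xx, proto ICMP (type 2, code 0), 2001:db8:ffff::1->2001:db8:ffff::2, len 1240
"""

def audit(log_text):
    """Group logged ICMP packets by (type, source) and mark required types."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in any other format are skipped
            counts[(int(m["type"]), m["src"])] += 1
    return [
        {"type": t, "name": REQUIRED.get(t) or OTHER.get(t, "other"),
         "src": src, "count": n, "must_allow": t in REQUIRED}
        for (t, src), n in sorted(counts.items())
    ]

def blocked_required(findings):
    """Entries showing a block of a type needed for path MTU discovery or error reporting."""
    return [f for f in findings if f["must_allow"]]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "REVIEW RULE" if f["must_allow"] else "ok to filter"
        print(f"type {f['type']:>3} {f['name']:<24} {f['src']:<20} x{f['count']}  {flag}")
```
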

s4mb0l Posted February 3, 2011

That's already enabled on the router, I'm only blocking incoming type 128 for the client address. Thanks