Every guide I can find on the internet recommends that a drop (forward) rule for invalid IPv6 packets be placed before any rule which allows forwards from the LAN subnet to the internet interface.
Code:
add action=accept chain=forward comment="accept established and related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment="accept local originator forwards" in-interface=Office
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="drop all" log-prefix=ipv6
With this setup I seem to get a lot of connection drops, especially with Android apps, which seem to generate a lot of log entries with the "ipv6,invalid" prefix.
If I move the rules around so I allow all "local originator forwards" before the drop invalid rule, things seem to improve massively.
Is there a security issue with allowing these "invalid" packets from my LAN to the internet?
Code:
add action=accept chain=forward comment="accept established and related" connection-state=established,related
add action=accept chain=forward comment="accept local originator forwards" in-interface=Office
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="drop all" log-prefix=ipv6
Thanks.
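To make concrete what the reordering changes, here is an added example (not part of the post, and not MikroTik code): a small Python first-match evaluator that parses both rule sets above and reports the action each ordering takes for a few constructed packets. The upstream interface name "wan", the packet fields, and the restriction to the three matchers the post uses are assumptions.

```python
# Added example, not the forum post's own config: a minimal first-match evaluator
# for the two RouterOS IPv6 forward-chain orderings in the question. Only the
# matchers the post uses are modelled; interface "wan" and the packets are constructed.
import shlex

RULES_DROP_INVALID_FIRST = """\
add action=accept chain=forward comment="accept established and related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment="accept local originator forwards" in-interface=Office
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="drop all" log-prefix=ipv6
"""
RULES_LAN_ACCEPT_FIRST = """\
add action=accept chain=forward comment="accept established and related" connection-state=established,related
add action=accept chain=forward comment="accept local originator forwards" in-interface=Office
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=accept chain=forward comment="accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="drop all" log-prefix=ipv6
"""

# Constructed packets: ingress interface, conntrack state, protocol.
PACKETS = {
    "lan_invalid": {"in_if": "Office", "state": "invalid", "proto": "tcp"},
    "wan_invalid": {"in_if": "wan", "state": "invalid", "proto": "tcp"},
    "wan_new": {"in_if": "wan", "state": "new", "proto": "tcp"},
    "wan_icmpv6": {"in_if": "wan", "state": "new", "proto": "icmpv6"},
}
MATCHERS = {  # rule key -> does the packet satisfy that matcher?
    "connection-state": lambda want, p: p["state"] in want.split(","),
    "in-interface": lambda want, p: p["in_if"] == want,
    "protocol": lambda want, p: p["proto"] == want,
}

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    return [dict(p.split("=", 1) for p in shlex.split(line)[1:])
            for line in text.splitlines() if line.startswith("add ")]

def evaluate(rules, pkt):
    """First-match semantics: action of the first forward rule whose matchers all hit."""
    for r in rules:
        if r.get("chain") == "forward" and all(MATCHERS[k](r[k], pkt) for k in MATCHERS if k in r):
            return r["action"]
    return None  # no rule matched (RouterOS would then accept by default)

def compare(name):
    """Actions for one packet under (drop-invalid-first, lan-accept-first)."""
    return tuple(evaluate(parse_rules(t), PACKETS[name])
                 for t in (RULES_DROP_INVALID_FIRST, RULES_LAN_ACCEPT_FIRST))
```

The only packet whose fate differs between the two orderings is the LAN-originated packet in the invalid state: the first ordering drops and logs it, the second forwards it unlogged, while traffic arriving from the upstream side is handled identically by both.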