Deprecated: IPv6 with an IPv4 mindset

I manage many services for others on the internet, as well as my own.

Most people are happy with fairly basic security, but I prefer to tiedown my own servers- I only like to leave the ports open that I have to, and now that I’m back on a static network, I can start to block things more effectively (no, you don’t need to portscan me; I’ve still got ssh enabled globally, but it’s without-passwords, sorry).

Today I ran into an issue which I created by myself which caused an issue with my IPv6 nameservers. I probably would have found this sooner, but since I didn’t have access to debug on the hypervisor, I just assumed it was a problem with the host. Oops I broke the cardinal rule!

Long story short, I adapted my IPv4 iptables rules to IPv6 without thinking too much about it. I actually had this evilness in the wild:

ip6tables -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type 8 -j ACCEPT

I swear I thought that I had thought about this. The problem with this is that ipv6-icmp is protocol 51, and I didn’t really think this through. I broke NDP with this, and didn’t notice that it happened immediately, since it took awhile for IPv6 services to completely drop. Silly me.

Thank you, RAMHost, for being more clueful than myself on this stupid I created by politely informing me of my errant ICMP block.