Announcement

Collapse
No announcement yet.

IPv6 ICMP packets showing up in firewall log.

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    IPv6 ICMP packets showing up in firewall log.

    Hello,

    I have a stupid cable modem from Spectrum (formerly Time Warner Cable). I have limited options for configuring the built-in firewall. I have, under the WAN-TO-LAN section, ICMP blocked for IPv4 and IPv6.

    On my Linux box, I see a ton of these messages:
    Code:
    [ 678.503434] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC=33:33:00:00:00:fb:00:11:24:c5:31:4e:86:dd SRC=fe80:0000:0000:0000:0211:24ff:fec5:314e DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=72 TC=0 HOPLIMIT=1 FLOWLBL=0 OPT ( ) PROTO=ICMPv6 TYPE=131 CODE=0
    and a few of these:
    Code:
    [ 1105.809174] SFW2-INext-DROP-DEFLT IN=enp5s0 OUT= MAC= SRC=fe80:0000:0000:0000:0224:1dff:fe80:1b73 DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=88 TC=0 HOPLIMIT=1 FLOWLBL=646285 PROTO=UDP SPT=5353 DPT=5353 LEN=48
    I'm still in the process of learning about IPv6. I believe port 5353 UDP is for Bonjour. I'm running OpenSuSE (Tumbleweed) and thought I disabled the Bonjour service. I have no need for it.

    For the SRC address, for the ICMPv6 packets, the fe80....doesn't that mean it's a link-local address and is non-routable? What exactly does that mean? Is it sort of like a local loopback (127.0.0.1)?

    This is what ifconfig shows:
    Code:
    enp5s0  Link encap:Ethernet HWaddr 00:24:1D:80:1B:73 
     inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
     inet6 addr: 2604:6000:d2c2:a400:9c58:6d75:755e:a4d7/64 Scope:Global
     inet6 addr: 2604:6000:d2c2:a400::1/64 Scope:Global
     inet6 addr: 2604:6000:d2c2:a400:224:1dff:fe80:1b73/64 Scope:Global
     inet6 addr: fe80::224:1dff:fe80:1b73/64 Scope:Link
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
     RX packets:30756 errors:0 dropped:2 overruns:0 frame:0
     TX packets:23366 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1000 
     RX bytes:22579555 (21.5 Mb) TX bytes:3616189 (3.4 Mb)

lo    Link encap:Local Loopback 
     inet addr:127.0.0.1 Mask:255.0.0.0
     inet6 addr: ::1/128 Scope:Host
     UP LOOPBACK RUNNING MTU:65536 Metric:1
     RX packets:0 errors:0 dropped:0 overruns:0 frame:0
     TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:1 
     RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    I'm not really sure what ff02:0000:0000:0000:0000:0000:0000:00fb is and why I'm seeing it through dmesg on my OpenSuSE Tumbleweed box. Any ideas? Notice I have an fe80 address, but it's not the same address that dmesg is showing.

    Is my machine somehow pinging another machine out there or something? Any help would be greatly appreciated.


    **EDIT: I think that MAC address, 33:33.... has something to do with multicast. It's been a while, but isn't multicast where I can send packets to unknown sources? Essentially, send a packet to everyone on the network? Not really sure why I'd be doing that or if my wife's cell phone, tablet, laptop or the customer's Mac is somehow sending them out. I'd like to track this down. It's a bit worrisome.

    Thank you.
    Last edited by Spork Schivago; 01-14-2017, 03:49 PM.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
    Tags: None
    #2
    Re: IPv6 ICMP packets showing up in firewall log.

    Bonjour is an Apple service.
    A cable modem is not stupid, it's a device. Treat as a dumb pipe and plug in your own device to enable security.

    Comment

      #3
      Re: IPv6 ICMP packets showing up in firewall log.

      Originally posted by diif View Post
      Bonjour is an Apple service.
      A cable modem is not stupid, it's a device. Treat as a dumb pipe and plug in your own device to enable security.
      Yes, the cable modem isn't stupid, I was frustrated. The website running on the cable modem has a very limited firewall. Eventually, I will put a device between them and I do have a firewall on my PC. I have ICMP packets blocked coming from the WAN to the LAN, on the cable modem. Even though the firewall options are very limited, there's an option to block ICMP packets. And I have them blocked for IPv4 and IPv6.

      I should have been more clear. I believe these ICMPv6 packets are originating somewheres on the local area network. I wanted to confirm this though and make sure that's the case and that somehow, someone didn't get around the firewall on the cable modem. I just don't know enough about IPv6.

      I did some research and what I think is because the IPv6 SRC address for the 5353 stuff starts with fe80, that means it's a multicast, which isn't routable, right? I wanted to confirm that this is actually coming from a device on the local area network. I have Bonjour services disabled on my local Linux box though, so why would the Mac be sending them to my machine? Does it not matter if I'm running the Bonjour service or not? Does it just randomly try to connect?

      The ping thing is the one that worries me a bit though. I'm not pinging on clients on any of our devices. I'm trying to understand what's going on. If the destination is to the IP address: ff02:0000:0000:0000:0000:0000:0000:00fb, why does my Linux box get the traffic?

      Thanks for helping.
      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

      Comment

        #4
        Re: IPv6 ICMP packets showing up in firewall log.

        Bonjour is installed (along with a whole load of other bloated crap) when you install i-tunes.

        Comment

          #5
          Re: IPv6 ICMP packets showing up in firewall log.

          Originally posted by stj View Post
          Bonjour is installed (along with a whole load of other bloated crap) when you install i-tunes.
          Yup, but I never installed i-tunes. Bonjour seems to come installed and enabled on a lot of different Linux distros for some reason. I think the Mac comes with I-Tunes and is probably causing some of the traffic, but I still don't understand the ICMPv6 stuff. For some reason, earlier, I never pieced together the Mac and Bonjour stuff. I think it's because I am really tired. There's so much work and I only get to sleep like 4 or 5 hours a night right now. It's like my brain is broken. It's hard to remember stuff and think straight.

          I apologize if some of my questions aren't very clear or sound stupid. I just need to get one good night of sleep!
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

          Comment

            #6
            Re: IPv6 ICMP packets showing up in firewall log.

            Bonjour is running on the Mac. It runs on all Macs by default. It's designed to help devices and applications discover each other on the network.

            Comment

              #7
              Re: IPv6 ICMP packets showing up in firewall log.

              Thanks Diif.
              -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

              Comment

                #8
                Re: IPv6 ICMP packets showing up in firewall log.

                I mistakenly thought ping when I saw the ICMPv6 protocol. It wasn't until now when I looked at the type and saw type 131 (Multicast Listener Report).

                I'm still a bit confused with multicast, so I will hit up google and do some research. I'm having trouble understanding why the ICMPv6 type 131 traffic has a different source address compared to the data destined to port 5353.

                I found a site using google. http://ipv6friday.org/blog/2011/12/ipv6-multicast/

                I'll try to find something a bit more in depth if that doesn't answer my questions.

                Thank you for helping me users.
                -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                Comment

                Previous template Next
                Working...