On Mon, May 15, 2023 at 8:38 PM Willy Manga <mangawilly@gmail.com> wrote:
> Side question: even if it was by design, is it a good practice to completely restrict ICMP(v6)?

Answering only your side question: there's a difference between completely restricting ICMPv6 and restricting echo-request.

Restricting echo-request is more or less harmless. You deny troubleshooters insight into your system, but that's a wash because you deny hackers the same thing. And if you're popular enough to be a target for "am I connected to the Internet right now" probes and don't want to be, restricting it is not the worst idea.

Restricting all ICMPv6 is disastrous. Similar to IPv4, machines running IPv6 require ICMPv6 packet-too-big messages to successfully implement path MTU discovery. Without them, many protocols do not work reliably. This includes TCP.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
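
The distinction drawn in the reply above, as an added example that is not part of the original message: a Python check that reads simplified `ip6tables-save`-style INPUT rules and reports whether ICMPv6 Packet Too Big (type 2) still gets through when echo-request (type 128) is blocked. The rule lines are constructed samples, the function names are hypothetical, and only protocol and ICMPv6-type matches are modelled (no conntrack or other match modules).

```python
import re

# ICMPv6 type numbers from RFC 4443.
PACKET_TOO_BIG, ECHO_REQUEST = 2, 128
NAMES = {"packet-too-big": PACKET_TOO_BIG, "echo-request": ECHO_REQUEST}

# Simplified rule shape (assumption): optional -p, optional ICMPv6 type, a target.
RULE = re.compile(
    r"^-A INPUT(?: -p (?P<proto>\S+))?(?: -m icmp6)?"
    r"(?: --icmpv6-type (?P<type>\S+))? -j (?P<target>ACCEPT|DROP)$"
)

def parse(lines):
    """Turn rule lines into (proto, icmpv6_type_or_None, target) tuples."""
    rules = []
    for line in lines:
        m = RULE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        t = m["type"]
        icmp_type = None if t is None else NAMES[t] if t in NAMES else int(t)
        rules.append((m["proto"], icmp_type, m["target"]))
    return rules

def verdict(rules, policy, icmp_type):
    """First matching rule wins, as in a netfilter chain; else the chain policy."""
    for proto, rule_type, target in rules:
        if proto not in (None, "ipv6-icmp", "icmpv6"):
            continue  # rule applies to a different protocol
        if rule_type is None or rule_type == icmp_type:
            return target
    return policy

def audit(lines, policy="DROP"):
    """Report how the chain treats echo-request and Packet Too Big."""
    rules = parse(lines)
    ptb = verdict(rules, policy, PACKET_TOO_BIG)
    return {"echo_request": verdict(rules, policy, ECHO_REQUEST),
            "packet_too_big": ptb,
            "pmtud_broken": ptb != "ACCEPT"}

# Constructed sample: every ICMPv6 message is dropped, Packet Too Big included.
BLANKET = ["-A INPUT -p ipv6-icmp -j DROP",
           "-A INPUT -p tcp -j ACCEPT"]
# Constructed sample: only echo-request is dropped; other ICMPv6 is accepted.
ECHO_ONLY = ["-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j DROP",
             "-A INPUT -p ipv6-icmp -j ACCEPT",
             "-A INPUT -p tcp -j ACCEPT"]

if __name__ == "__main__":
    for name, ruleset in (("blanket", BLANKET), ("echo-only", ECHO_ONLY)):
        print(name, audit(ruleset))
```

A ruleset flagged `pmtud_broken` still accepts TCP, which is why the failure tends to show up only when a path with a smaller MTU is involved.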