[IAG] Configuring firewall rules to deny ipv6-icmp from wan to lan does not take effect
Problem Description
Configuring a firewall rule to deny IPv6-ICMP from WAN to LAN does not take effect.
Effective troubleshooting steps
- Configure firewall rules (as shown below). Rejecting ipv6-icmp in the wan to lan direction fails; only ipv4 ICMP can be rejected.

- In connection monitoring, the application is identified as ICMPv6, and this identification is performed by the AC application identification module.

- Configure an application control policy to deny ICMP. The test traffic is denied, but both lan to wan and wan to lan are rejected.

- The customer expects to reject only the ipv6-icmp data in the wan to lan direction.
Root cause
IAG can identify ipv6-icmp, but only through the IAG application identification module. Firewall rules instead rely on the protonum tag in native Linux connection tracking to determine whether the traffic is the ICMP protocol. Currently this tag is not set when icmp-ipv6 traffic passes, so the firewall rule does not match.
Solution
Create a custom icmp-ipv6 service; icmp-ipv6 in the wan to lan direction can then be controlled with it.
①Add a service

②Select Other and fill in protocol number 58 (58 is icmp-ipv6)

③Associate the policy with the icmp-ipv6 service
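The following script is an added illustration, not IAG's own code. It models the root cause and the fix together: a firewall rule keyed on the connection-tracking protocol number for "ICMP" (IANA protocol 1) never matches an ICMPv6 flow, whose nf_conntrack entry carries protocol number 58, while a custom service defined with protocol 58 matches it and still respects the wan to lan direction (unlike the application control policy, which blocked both directions). The conntrack lines follow the `/proc/net/nf_conntrack` layout but their addresses are constructed; the zone classification (wan/lan) is assumed to be done elsewhere and is passed in by the caller; the first-match rule engine is a simplified stand-in for the product's real logic.

```python
"""Added example (not Sangfor IAG code): why a firewall rule for "ICMP" misses
ICMPv6 when matching is keyed on the conntrack protocol number, and how a custom
service with protocol number 58 fixes it while still honouring direction.

Conntrack lines use the /proc/net/nf_conntrack layout (l3proto, l3num, l4proto,
l4num, timeout, then key=value tuples); the addresses are constructed. Zone
classification is assumed to happen elsewhere and is supplied by the caller.
"""
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers: 1 = ICMP (IPv4), 58 = IPv6-ICMP (the page's "icmp-ipv6")
PROTO_ICMP = 1
PROTO_ICMPV6 = 58


@dataclass(frozen=True)
class Flow:
    l3proto: str    # "ipv4" or "ipv6"
    protonum: int   # conntrack l4 protocol number (the "protonum" the page refers to)
    src: str
    dst: str


@dataclass(frozen=True)
class Service:
    name: str
    protonum: Optional[int]   # None = any protocol


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: Service
    action: str               # "deny" or "allow"


def parse_conntrack(line: str) -> Flow:
    """Extract the protocol number and original-direction tuple from one nf_conntrack line."""
    fields = line.split()
    l3proto, protonum = fields[0], int(fields[3])
    orig = {}
    for tok in fields[5:]:
        if "=" not in tok:          # skip flag tokens such as [UNREPLIED]
            continue
        key, value = tok.split("=", 1)
        if key in orig:             # keys repeat once the reply tuple starts
            break
        orig[key] = value
    return Flow(l3proto, protonum, orig["src"], orig["dst"])


def rule_matches(rule: Rule, flow: Flow, src_zone: str, dst_zone: str) -> bool:
    """A rule matches when the direction agrees and the service protonum equals the flow's."""
    if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
        return False
    return rule.service.protonum is None or rule.service.protonum == flow.protonum


def evaluate(rules: List[Rule], flow: Flow, src_zone: str, dst_zone: str,
             default: str = "allow") -> str:
    """First-match evaluation; unmatched traffic falls through to the default action."""
    for rule in rules:
        if rule_matches(rule, flow, src_zone, dst_zone):
            return rule.action
    return default


# Constructed conntrack entries: an IPv4 echo request and an IPv6 echo request.
CT_ICMP4 = ("ipv4     2 icmp     1 29 src=203.0.113.5 dst=192.0.2.10 type=8 code=0 id=1234 "
            "src=192.0.2.10 dst=203.0.113.5 type=0 code=0 id=1234 mark=0 use=1")
CT_ICMP6 = ("ipv6    10 icmpv6  58 29 src=2001:db8::1 dst=2001:db8:1::10 type=128 code=0 id=7 "
            "src=2001:db8:1::10 dst=2001:db8::1 type=129 code=0 id=7 mark=0 use=1")

# The built-in ICMP service only knows protocol 1; the custom service carries 58.
BUILTIN_ICMP = Service("icmp", PROTO_ICMP)
CUSTOM_ICMP6 = Service("icmp-ipv6", PROTO_ICMPV6)

DENY_ICMP_WAN_TO_LAN = Rule("wan", "lan", BUILTIN_ICMP, "deny")
DENY_ICMP6_WAN_TO_LAN = Rule("wan", "lan", CUSTOM_ICMP6, "deny")


def demo() -> dict:
    """Return the verdicts that reproduce the symptom and demonstrate the fix."""
    v4 = parse_conntrack(CT_ICMP4)
    v6 = parse_conntrack(CT_ICMP6)
    return {
        # symptom: the ICMP rule blocks IPv4 pings but lets IPv6 pings through
        "icmp_rule_v4_wan_to_lan": evaluate([DENY_ICMP_WAN_TO_LAN], v4, "wan", "lan"),
        "icmp_rule_v6_wan_to_lan": evaluate([DENY_ICMP_WAN_TO_LAN], v6, "wan", "lan"),
        # fix: a service keyed on protocol 58 blocks only the wan->lan direction
        "custom_rule_v6_wan_to_lan": evaluate([DENY_ICMP6_WAN_TO_LAN], v6, "wan", "lan"),
        "custom_rule_v6_lan_to_wan": evaluate([DENY_ICMP6_WAN_TO_LAN], v6, "lan", "wan"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the script prints one verdict per scenario: the built-in ICMP rule denies the IPv4 flow but allows the IPv6 one, and the protocol-58 rule denies only wan to lan. When checking a real appliance, the `l4num` column of its connection-tracking table is the value to compare against the number entered in the custom service.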

Original Link
https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=7881&isOpen=true