Drop IPv6
Hello,
I have Comcast as my ISP and am seeing a large amount of "reverse path check failed, drop" messages. I believe it is because there is a rogue device on the Comcast side that is spewing IPv6 at the WAN interface. I understand it is due to anti-spoofing but was hoping there is a way to just drop it. The exact log message looks like this:
"10 27 2015 07:30:29 10.0.1.1 <LOC7:WARN> date=2015-10-27 time=07:25:01 devname=FortiGate devid=FWF60D logid=0000000006 type=traffic subtype=forward level=warning vd=root srcip=2001:558:4082:38::1 srcname="2001:558:4082:38::1" srcintf="wan1" dstip=ff02::1:ff1a:4566 dstname="ff02::1:ff1a:4566" dstintf=unknown-0 proto=58 action=deny policyid=0 dstcountry="Reserved" srccountry="United States" trandisp=noop service="icmp6/135/0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="reverse path check failed, drop"
Is there a way to drop this message without logging it? I want to log other invalid IPv4 packets but just not this IPv6 stuff. Any ideas?
TIA, Joe
A suggestion, can you write a local-in policy6 for this source or dest { ff02::1:ff1a:4566 } and drop it?
(e.g. assuming you have a group with all of the offenders listed and the host added in)
config firewall address6
    edit badhost1
        set ip6 2001:558:4082:38::1/64
    next
end
config firewall addrgrp6
    edit OFFENDER_GROUP
        set member badhost1
        set comment " my bad guy lists"
        set color 32
    next
end
and
config firewall local-in-policy6
    edit 0
        set srcaddr OFFENDER_GROUP
        set dstaddr all
        set action deny
        set service ALL
        set schedule always
        set comment " drop these src ipv6 address SOCPUPPETS"
    next
end
I believe traffic dropped at the local-in-policy6 would override any logging. Test this behavior and see if it meets your goal and requirements.
What are the IPv6 addresses on your WAN and LAN interfaces? And you do know that's an IPv6 multicast dst_address?
PCNSE
NSE
StrongSwan
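The other half of Joe's goal is keeping the IPv4 reverse-path failures visible while the IPv6 neighbor-solicitation noise disappears. If the local-in policy does not stop the log entries, the same split can be made wherever the syslog lands. The following is an added example, not code from this thread or from Fortinet: it parses FortiGate key=value log lines and suppresses only entries that are ICMPv6 type 135 (proto 58) to a solicited-node multicast group and failed the reverse-path check, passing everything else through. The sample log lines are constructed to mirror the format quoted in the question; the device names, addresses and helper names are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in FortiGate syslog key=value format (not captured from a
# live unit): one IPv6 neighbor-solicitation RPF drop like the one in the question,
# one IPv4 RPF drop that should stay visible, and one ordinary accepted session.
SAMPLE_LOGS = [
    'date=2015-10-27 time=07:25:01 devname=FortiGate devid=FWF60D logid=0000000006 '
    'type=traffic subtype=forward level=warning vd=root srcip=2001:558:4082:38::1 '
    'srcintf="wan1" dstip=ff02::1:ff1a:4566 dstintf=unknown-0 proto=58 action=deny '
    'policyid=0 service="icmp6/135/0" msg="reverse path check failed, drop"',
    'date=2015-10-27 time=07:26:12 devname=FortiGate devid=FWF60D logid=0000000006 '
    'type=traffic subtype=forward level=warning vd=root srcip=10.0.1.55 '
    'srcintf="wan1" dstip=10.0.1.1 dstintf=unknown-0 proto=6 action=deny '
    'policyid=0 service="tcp/445" msg="reverse path check failed, drop"',
    'date=2015-10-27 time=07:27:40 devname=FortiGate devid=FWF60D logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=root srcip=10.0.1.20 '
    'srcintf="internal" dstip=198.51.100.10 dstintf="wan1" proto=6 action=accept '
    'policyid=1 service="HTTPS" msg="ok"',
]

# A value is either a double-quoted string (may contain spaces and commas) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Solicited-node multicast range used by IPv6 neighbor discovery (RFC 4291).
_SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")


def parse_fortigate_log(line):
    """Parse one key=value log line into a dict, stripping the quotes around values."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_ipv6_rpf_noise(fields):
    """True only for the event class discussed in the thread: an ICMPv6 neighbor
    solicitation (proto 58, type 135) to a solicited-node multicast group that failed
    the reverse-path check. IPv4 RPF failures and all other events return False."""
    if fields.get("msg") != "reverse path check failed, drop":
        return False
    try:
        src = ipaddress.ip_address(fields.get("srcip", ""))
        dst = ipaddress.ip_address(fields.get("dstip", ""))
    except ValueError:
        return False
    if src.version != 6 or dst.version != 6:
        return False
    return (
        fields.get("proto") == "58"
        and fields.get("service", "").startswith("icmp6/135/")
        and dst in _SOLICITED_NODE
    )


def triage(lines):
    """Split parsed log lines into (kept, suppressed); only IPv6 RPF noise is suppressed."""
    kept, suppressed = [], []
    for line in lines:
        fields = parse_fortigate_log(line)
        (suppressed if is_ipv6_rpf_noise(fields) else kept).append(fields)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LOGS)
    print(f"suppressed {len(suppressed)} IPv6 RPF event(s), kept {len(kept)}")
    for f in kept:
        print(f"{f['srcip']} -> {f['dstip']} proto={f['proto']} "
              f"action={f['action']} msg={f['msg']}")
```

The filter is deliberately narrow: it keys on the message text, both address families, the protocol, the ICMPv6 type in the service field and the multicast destination range together, so an IPv6 reverse-path failure from a unicast destination or a non-ND protocol is still kept for review rather than silently dropped with the neighbor-discovery chatter.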