I've noticed that my logs are getting multiple reports of this:
```
May 26 07:02:03 DebianTim kernel: [204567.275982] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
```
```
# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
```
```
# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
# nexthdr must name icmpv6 (protocol 58); "nexthdr ipv6" is protocol 41 (IPv6-in-IPv6) and conflicts with the icmpv6 type match
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
```
So how do I shut these messages up?
```
nft list ruleset
table ip6 wg-quick-tun0 {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "tun0" ip6 daddr fd7d:76ee:e68f:a993:6c33:1401:f02c:98a8 fib saddr type != local drop
    }

    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }

    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
    }
}
table ip wg-quick-tun0 {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "tun0" ip daddr 10.0.0.0 fib saddr type != local drop
    }

    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }

    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
    }
}
table ip sshguard {
    set attackers {
        type ipv4_addr
        flags interval
    }

    chain blacklist {
        type filter hook input priority filter - 10; policy accept;
        ip saddr @attackers drop
    }
}
table ip6 sshguard {
    set attackers {
        type ipv6_addr
        flags interval
    }

    chain blacklist {
        type filter hook input priority filter - 10; policy accept;
        ip6 saddr @attackers drop
    }
}
```
```
ip route
default via 192.168.0.0 dev enp1s0 proto dhcp src 192.168.0.0 metric 100
10.128.0.0/10 dev tun0 proto kernel scope link src 10.0.0.0
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.0 metric 100
```
Thanks, I'm sure it's something simple to someone more familiar with nftables.
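As an added example (not code from the post), the following Python script parses the kernel log line quoted above and checks the rejected packet against the two ICMPv6 accept rules from the post; the log line and the rule table are constructed inline, and `parse_nft_log`/`matching_rules` are hypothetical names.

```python
import ipaddress
import re

# Constructed copy of the log line from the post (same fields and values).
LOG_LINE = ("May 26 07:02:03 DebianTim kernel: [204567.275982] FW6 REJECT (input): "
            "IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd "
            "SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 "
            "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 "
            "FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0")

# Numeric values of the named ICMPv6 types used in the nft rules (RFC 4443 / RFC 4861).
ICMPV6_TYPES = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "nd-router-solicit": 133, "nd-router-advert": 134,
    "nd-neighbor-solicit": 135, "nd-neighbor-advert": 136,
}

# The two accept rules from the post, reduced to (required source prefix, accepted types).
RULES = [
    (None, {ICMPV6_TYPES[n] for n in ("destination-unreachable", "packet-too-big",
            "time-exceeded", "parameter-problem", "echo-reply", "echo-request",
            "nd-router-solicit", "nd-router-advert", "nd-neighbor-solicit",
            "nd-neighbor-advert")} | {148, 149}),
    (ipaddress.ip_network("fe80::/10"), {130, 131, 132, 134, 143, 151, 152, 153}),
]

def parse_nft_log(line):
    """Turn the KEY=VALUE part of a kernel firewall log line into a dict."""
    prefix, _, rest = line.partition("): ")  # split off "... FW6 REJECT (input"
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))  # empty values (OUT=) are kept
    fields["_prefix"] = prefix.rsplit("] ", 1)[-1]  # log prefix set in the nft rule
    return fields

def matching_rules(fields):
    """Indices of RULES whose selectors the logged packet satisfies."""
    if fields.get("PROTO") != "ICMPv6":
        return []
    src = ipaddress.ip_address(fields["SRC"])  # the expanded form in the log parses fine
    icmp_type = int(fields["TYPE"])
    return [i for i, (prefix, types) in enumerate(RULES)
            if icmp_type in types and (prefix is None or src in prefix)]

if __name__ == "__main__":
    f = parse_nft_log(LOG_LINE)
    print(f["_prefix"], "type", f["TYPE"], "from", f["SRC"],
          "matches rules", matching_rules(f))
```

A non-empty result means the logged packet does satisfy the accept rules as written, so the reject must come from a rule that runs before them or from a chain those rules are not loaded into; an empty result points at the rule set itself.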