From: Wolfgang Bumiller Date: Fri, 25 Mar 2016 09:02:01 +0000 (+0100) Subject: firewall: add a 'Notes on IPv6' section X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=commitdiff_plain;h=6300d4240606850fa3fd0bd30f6d965b5fad4d67 firewall: add a 'Notes on IPv6' section --- diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 3ec1d30..6869939 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -263,6 +263,7 @@ Traffic from these ips is dropped by every host's and VM's firewall. 213.87.123.0/24 ---- +[[ipfilter-section]] Standard IP set 'ipfilter-net*' ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -369,3 +370,27 @@ ifdef::manvolnum[] include::copyright.adoc[] endif::manvolnum[] +Notes on IPv6 +^^^^^^^^^^^^^ + +The firewall contains a few IPv6 specific options. One thing to note is that +IPv6 does not use the ARP protocol anymore, and instead uses NDP (Neighbor +Discovery Protocol) which works on IP level and thus needs IP addresses to +succeed. For this purpose link-local addresses derived from the interface's MAC +address are used. By default the 'NDP' option is enabled on both host and VM +level to allow neighbor discovery (NDP) packets to be sent and received. + +Beside neighbor discovery NDP is also used for a couple of other things, like +autoconfiguration and advertising routers. + +By default VMs are allowed to send out router solicitation messages (to query +for a router), and to receive router advetisement packets. This allows them to +use stateless auto configuration. On the other hand VMs cannot advertise +themselves as routers unless the 'Allow Router Advertisement' (`radv: 1`) option +is set. + +As for the link local addresses required for NDP, there's also an 'IP Filter' +(`ipfilter: 1`) option which can be enabled which has the same effect as adding +an `ipfilter-net*` ipset for each of the VM's network interfaces containing the +corresponding link local addresses. (See the +<> section for details.)
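Review bot: the cross-reference in the last paragraph of the "Notes on IPv6" hunk is empty as shown here (`(See the <> section for details.)`); it needs to be written as `<<ipfilter-section>>` so that it resolves to the `[[ipfilter-section]]` anchor added in the first hunk, otherwise the reader is pointed at nothing. Two wording fixes in the same hunk: "router advetisement packets" should read "router advertisement packets", and "Beside neighbor discovery NDP is also used" should read "Besides neighbor discovery, NDP is also used". The last paragraph also says what `ipfilter: 1` is equivalent to (an `ipfilter-net*` ipset with the interface's link-local addresses) but not why an administrator would turn it on; one sentence stating the effect of that ipset on traffic from other source addresses, as described in the referenced section, would make the option's purpose clear without sending the reader elsewhere.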