How do I allow ICMPv6 Multicast Listener Query (type=130)?

Asked by David

I have a couple of wireless bridge devices which bridge my bedroom HTPC to my wired network, and the one acting as the access point is doing 3 multicast listener query broadcasts every 60 seconds. I want to allow it on my ufw so it stops bombarding my syslog.

Here are the log entries:
Oct 6 15:46:27 servername kernel: [339615.127342] [UFW BLOCK] IN=eth0 OUT= MAC=33:33:00:00:00:01:80:3f:5d:87:e2:93:86:dd SRC=fe80:0000:0000:0000:823f:5dff:fe87:e293 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0

How do I specify type=130 in the before6.rules file?

I could allow fe80::/10 to ff02:1 for any protocol but I'd rather not if possible.

Thanks.

Question information

Language: English
Status: Solved
For: Ubuntu ufw
Assignee: No assignee
Solved by: David
actionparsnip (andrew-woodhead666) said :
#1

You can use gufw as a GUI to ufw. I assume a desktop OA on the system running ufw.

David (david-avery) said :
#2

Sorry, I didn't follow your meaning about "desktop OA", Andrew.

As for gufw, my problem isn't managing the files via a console; I'm fine using vi. (I should have been more specific: this is on a server that I'm seeing the packets getting blocked.)

My problem is I need to know how to specify the type of "130" for the following line in the /etc/ufw/before6.rules file:

-A ufw6-before-input -p icmpv6 --icmpv6-type ???? -s fe80::/10 -j ACCEPT

David (david-avery) said :
#3

Sorry, never mind...

I was assuming I had to put some wordy variable name for the --icmpv6-type. Turns out 130 works fine:

-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80:0000:0000:0000:823f:5dff:fe87:e293/64 -j ACCEPT

It worked, and I tailed syslog for 5 minutes and saw nothing. Commented it out and restarted the service, tailed syslog and saw the blocks every minute. Uncommented it and tailed again for another 5 minutes and saw nothing. I'm going to mark it solved. I'm sorry for wasting others' time by not trying the simplest approach first.

Hopefully if anyone else looks up this question for answers it helps them :)
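
Added example, not part of the original thread: a Python sketch that reads `[UFW BLOCK]` lines, picks out the blocked ICMPv6 type and sender, and prints an accept rule in the same form as the one in post #3. It also shows that ip6tables masks host bits, so the `/64` source in that rule matches all of `fe80::/64`, while `/128` pins the rule to the one bridge. The function names are hypothetical and the second log line is constructed.

```python
import ipaddress
import re

# First line is the entry from the question; the second is a constructed non-ICMPv6 block.
SAMPLE_LOG = (
    "Oct 6 15:46:27 servername kernel: [339615.127342] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=33:33:00:00:00:01:80:3f:5d:87:e2:93:86:dd "
    "SRC=fe80:0000:0000:0000:823f:5dff:fe87:e293 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=76 TC=0 HOPLIMIT=1 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0\n"
    "Oct 6 15:46:30 servername kernel: [339618.000000] [UFW BLOCK] IN=eth0 OUT= "
    "SRC=2001:0db8:0000:0000:0000:0000:0000:0005 "
    "DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=60 PROTO=TCP SPT=40000 DPT=23\n"
)

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; the value may be empty (OUT=)


def blocked_icmpv6(log_text):
    """Return sorted unique (icmp_type, source) pairs from [UFW BLOCK] ICMPv6 lines."""
    seen = set()
    for line in log_text.splitlines():
        if "[UFW BLOCK]" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") == "ICMPv6" and "TYPE" in fields and "SRC" in fields:
            seen.add((int(fields["TYPE"]), ipaddress.IPv6Address(fields["SRC"])))
    return sorted(seen)


def effective_source(spec):
    """Network that a '-s addr/len' value matches once the host bits are masked off."""
    return ipaddress.ip_network(spec, strict=False)


def accept_rule(icmp_type, src, single_host=True):
    """Rule in the thread's form; /128 allows one sender, /64 the sender's whole prefix."""
    net = ipaddress.ip_network(f"{src}/{128 if single_host else 64}", strict=False)
    return f"-A ufw6-before-input -p icmpv6 --icmpv6-type {icmp_type} -s {net} -j ACCEPT"


if __name__ == "__main__":
    for icmp_type, src in blocked_icmpv6(SAMPLE_LOG):
        print(accept_rule(icmp_type, src))
    print(effective_source("fe80:0000:0000:0000:823f:5dff:fe87:e293/64"))
```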