HP-UX IPFilter Version A.03.05.14 Administrator's Guide
HP-UX and IPv6 Support
Using IPv6 Support in HP-UX IPFilter
Chapter 6 109
ICMPv6 filtering
ICMPv6 filtering must be carefully configured to ensure that an IPv6
network functions properly. For example, do not block Neighbor
Discovery messages (type 135 and 136). Other examples of critical
ICMPv6 messages are Destination Unreachable (type 1) and Packet Too
Big (type 2).
HP-UX IPFilter enables you to uniquely identify an ICMPv6 message
using its type and code. A new keyword, icmpv6-type, is introduced. Use
the following rule to pass ICMPv6 type 135 code 0 packets:
pass in quick proto icmpv6 from any to any icmpv6-type 135 code
0
NOTE The type and code can only be specified as a decimal number.
At minimum, the following rules must be configured:
pass in quick proto icmpv6 from any to any icmpv6-type 133
pass in quick proto icmpv6 from any to any icmpv6-type 134
pass in quick proto icmpv6 from any to any icmpv6-type 135
pass in quick proto icmpv6 from any to any icmpv6-type 136
pass out quick proto icmpv6 from any to any icmpv6-type 133
pass out quick proto icmpv6 from any to any icmpv6-type 134
pass out quick proto icmpv6 from any to any icmpv6-type 135
pass out quick proto icmpv6 from any to any icmpv6-type 136
The following is additional information about message types 133-136:
• 133—Router solicitation
• 134—Router advertisement
• 135—Neighbor solicitation
• 136—Neighbor advertisement
IPv6 Extension Headers
The following extension headers are supported with IPv6:
• Destination options header (dstopts)
• Hop-by-hop options header(hopopts)
• Mobility header (mobility)