Configuring network interfaces Configure IPv6 addressing support
Digi TransPort® Routers User Guide
356
Support for IPv6 packets in firewall rules
There are several areas in the firewall rules syntax for handling IPv6 packets. For more information on
these changes and detailed parameter descriptions, see Firewall.
nn Firewall rules can now specify IPv6 addresses. You can specify an IPv6 address anywhere you
can specify an IPv4 address. However, you cannot use IPv4 and IPv6 addresses together in a
single rule.
n Address/port translation is not supported with IPv6 packets. In rules, avoid mixing address
translation with IPv6-specific keywords. See Specifying IP addresses and ranges in firewall
rules.
n In the [action] firewall script field:
l In the block action, the optional field return-icmpv6 causes an ICMPv6 packet to be
returned from the interface from which that packet was received.
l If a rule specifies action dscp, the traffic class portion of the IPv6 header is modified with
the DSCPvalue.
n Several [options] keywords are allowed with rules for IPv4 packets: oneroute, onvlan, onvrf,
routeto, and oosed. Using these keywords implies that the rule should only match on IPv4
packets.
n In the [version] firewall script field, you can specify IP version to which the rule applies: IPv4 or
IPv6.
n In the [tos] firewall script field, for IPv6 packets, the traffic class field in the IPv6 header is
checked.
n The [proto] firewall script field has an icmpv6 option.
n For the [inspect-state] firewall script field that performs stateful inspection:
l None of the oos options are supported for IPv6 packets.
l You can use the inspect-state option with the following ICMPv6 packet types:
ICMPv6 type Matching ICMPv6 type
Echo Echo reply
nn You can filter packets based on ICMPv6 codes, using the [icmpv6] field. See Set filters in
firewall rules.
To Next Page
Loading...
