ICMPv6 required types

I was reading RFC 4890 and it suggests allowing in types 1-4, 128-137, 148-149, 151-153, but some of these ranges seem to be targeted at upstream providers (specifically 137, 148-149, 151-153). I’m just creating firewall rules for a bastion host.

For a bastion host, is the RFC correct or would 1-4, 128-136 be a more appropriate range to allow in?

For internal/non-public systems that need internet access for pip, npm, etc., would that same range be appropriate?

I would turn this around and ask if there is any ICMP that you should be blocking as a host. I can’t think of any. As a host you are not routing or forwarding anything so it isn’t as if your firewall is protecting anyone else. Just your host.

Linux and other operating systems generally have explicit rule settings for responding to various ICMP messages which are part of the TCP/IP stack. The firewall is redundant and not necessary.

As above, you don’t want to just go blocking ICMPv6 for “reasons” unless you know (or rather, have a specific reason) why. It’s used for flow control and if you DO silly things you will cause yourself all manner of IPv6-related network performance problems.

Been there, done that, had the performance problems (I’ve been dual stack here for about a decade now).
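An added example, not part of any post in this thread: it expands the two allow-lists from the question, names the ICMPv6 types the narrower list would stop accepting, and renders per-type `ip6tables` accept rules. Type names follow the IANA ICMPv6 registry; the function names and the `INPUT` chain are assumptions made for illustration.

```python
# Added example: compare the two ICMPv6 allow-lists quoted in the question.
# Names follow the IANA ICMPv6 type registry; helper names are illustrative.
ICMPV6_NAMES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    130: "Multicast Listener Query", 131: "Multicast Listener Report",
    132: "Multicast Listener Done", 133: "Router Solicitation",
    134: "Router Advertisement", 135: "Neighbor Solicitation",
    136: "Neighbor Advertisement", 137: "Redirect Message",
    148: "Certification Path Solicitation",
    149: "Certification Path Advertisement",
    151: "Multicast Router Advertisement",
    152: "Multicast Router Solicitation",
    153: "Multicast Router Termination",
}

RFC_LIST = "1-4, 128-137, 148-149, 151-153"   # list as quoted in the question
NARROW_LIST = "1-4, 128-136"                  # the asker's proposed subset

def parse_types(spec):
    """Expand a spec such as '1-4, 128-137' into a set of type numbers."""
    types = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 255:          # ICMPv6 type is one octet
            raise ValueError(f"invalid ICMPv6 type range: {part!r}")
        types.update(range(lo, hi + 1))
    return types

def dropped_types(wide_spec, narrow_spec):
    """Return (type, name) pairs allowed by wide_spec but not narrow_spec."""
    diff = parse_types(wide_spec) - parse_types(narrow_spec)
    return [(t, ICMPV6_NAMES.get(t, "not in this table")) for t in sorted(diff)]

def ip6tables_rules(spec, chain="INPUT"):
    """Render one accept rule per type, in ascending order."""
    return [f"ip6tables -A {chain} -p ipv6-icmp --icmpv6-type {t} -j ACCEPT"
            for t in sorted(parse_types(spec))]

if __name__ == "__main__":
    for number, name in dropped_types(RFC_LIST, NARROW_LIST):
        print(f"no longer accepted: {number:3d}  {name}")
    print("\n".join(ip6tables_rules(NARROW_LIST)))
```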