firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward link local ICMP message types, allow parameter problem
SVN-Revision: 27321
This commit is contained in:
Jo-Philipp Wich
parent
f9e4619b97
commit
07abf4a81e
1 changed files with 2 additions and 13 deletions
|
|
@ -48,27 +48,16 @@ config rule
|
|||
option src wan
|
||||
option dest *
|
||||
option proto icmp
|
||||
list icmp_type router-solicitation
|
||||
list icmp_type router-advertisement
|
||||
list icmp_type neighbour-solicitation
|
||||
list icmp_type neighbour-advertisement
|
||||
list icmp_type echo-request
|
||||
list icmp_type destination-unreachable
|
||||
list icmp_type packet-too-big
|
||||
list icmp_type time-exceeded
|
||||
list icmp_type bad-header
|
||||
list icmp_type unknown-header-type
|
||||
option limit 1000/sec
|
||||
option family ipv6
|
||||
option target ACCEPT
|
||||
|
||||
# Drop leaking router advertisements on WAN
|
||||
config rule
|
||||
option src *
|
||||
option dest wan
|
||||
option proto icmp
|
||||
option icmp_type router-advertisement
|
||||
option family ipv6
|
||||
option target DROP
|
||||
|
||||
# include a file with users custom iptables rules
|
||||
config include
|
||||
option path /etc/firewall.user
|
||||
|
|
|
|||
Loading…
Reference in a new issue