firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward...
authorJo-Philipp Wich <jow@openwrt.org>
Thu, 30 Jun 2011 12:22:05 +0000 (12:22 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Thu, 30 Jun 2011 12:22:05 +0000 (12:22 +0000)
SVN-Revision: 27321

package/firewall/files/firewall.config

index c7bc798250850898f218d22619566e0ffa3d4db7..b47823fe2d12e628c3a8b18263a16eb5f60d8a1c 100644 (file)
@@ -48,27 +48,16 @@ config rule
        option src              wan
        option dest             *
        option proto            icmp
-       list icmp_type          router-solicitation
-       list icmp_type          router-advertisement
-       list icmp_type          neighbour-solicitation
-       list icmp_type          neighbour-advertisement
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
+       list icmp_type          bad-header
+       list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT
 
-# Drop leaking router advertisements on WAN
-config rule
-       option src              *
-       option dest             wan
-       option proto            icmp
-       option icmp_type        router-advertisement
-       option family           ipv6
-       option target           DROP
-
 # include a file with users custom iptables rules
 config include
        option path /etc/firewall.user
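Review bot: The Parameter Problem types added at `bad-header` and `unknown-header-type` cover codes 0 and 1 but leave out code 2, which RFC 4890 section 4.3.1 lists together with code 1 as transit traffic that must not be dropped; adding `list icmp_type unknown-option` after `unknown-header-type` would close that gap. Errors belonging to a tracked flow are probably still accepted as RELATED by a conntrack rule elsewhere in the ruleset, so this mainly affects untracked traffic and is worth confirming. The shared `option limit 1000/sec` also covers `packet-too-big` and `destination-unreachable`, so once the limit is exceeded those errors presumably fall through to the zone's forward policy and Path MTU Discovery can suffer; a comment above the rule stating that trade-off would help. The rule's opening lines and name sit above the hunk, so its full match set is not visible here.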