From: Jo-Philipp Wich
Date: Thu, 30 Jun 2011 12:22:05 +0000 (+0000)
Subject: firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward...
X-Git-Tag: reboot~16462
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=07abf4a81e88b8ee42d2bb79d4abf2250d098d78;p=openwrt%2Fstaging%2Fxback.git
firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward link local ICMP message types, allow parameter problem
SVN-Revision: 27321
---
diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
index c7bc798250..b47823fe2d 100644
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -48,27 +48,16 @@ config rule
 option src wan
 option dest *
 option proto icmp
- list icmp_type router-solicitation
- list icmp_type router-advertisement
- list icmp_type neighbour-solicitation
- list icmp_type neighbour-advertisement
 list icmp_type echo-request
 list icmp_type destination-unreachable
 list icmp_type packet-too-big
 list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
 option limit 1000/sec
 option family ipv6
 option target ACCEPT
 
-# Drop leaking router advertisements on WAN
-config rule
- option src *
- option dest wan
- option proto icmp
- option icmp_type router-advertisement
- option family ipv6
- option target DROP
-
 # include a file with users custom iptables rules
 config include
 option path /etc/firewall.user
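Review bot: The new type list on the wan forwarding rule covers Parameter Problem codes 0 and 1 (`bad-header`, `unknown-header-type`) but not code 2, which RFC 4890 section 4.3.1 lists among the messages that must not be dropped in transit. Adding `list icmp_type unknown-option` would close that gap, assuming the firewall scripts pass the name through to ip6tables as they do for the other types. The explicit DROP for router advertisements towards wan is removed as well, so leaking RAs are now stopped only by the zone forwarding policy and the kernel's handling of link-local sources, neither of which is visible here. A comment above the rule such as `# Link-local types (RS/RA/NS/NA) are deliberately not forwarded, see RFC4890` would record that intent. The rule's `config rule` header and any input-side rule for neighbour discovery lie above the hunk, so whether the router itself still accepts those types on wan cannot be confirmed from this change.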