Mercurial > mbse-firewall / file comparison
comparison: sbin/mbse-firewall
sbin/mbse-firewall
- changeset 10
- 798ac120a09e
- parent 9
- 2e298d35241f
- child 11
- c5697bee6884
equal
deleted
inserted
replaced
| 9:2e298d35241f | 10:798ac120a09e |
|---|---|
| 1 #!/bin/bash | 1 #!/bin/bash |
| 2 | 2 |
| 3 # --------------------------------------------------------------------------- | 3 # --------------------------------------------------------------------------- |
| 4 # Copyright (C) 2013-2015 by Michiel Broek. | 4 # Copyright (C) 2013-2016 by Michiel Broek. |
| 5 # Homepage http://www.mbse.eu | 5 # Homepage http://www.mbse.eu |
| 6 # Email mbse At mbse dOt eu | 6 # Email mbse At mbse dOt eu |
| 7 # | 7 # |
| 8 # This file is part of mbse-firewall. | 8 # This file is part of mbse-firewall. |
| 9 # | 9 # |
| 20 # You should have received a copy of the GNU General Public License | 20 # You should have received a copy of the GNU General Public License |
| 21 # along with this program; see the file COPYING. If not, write to the Free | 21 # along with this program; see the file COPYING. If not, write to the Free |
| 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. | 22 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. |
| 23 # --------------------------------------------------------------------------- | 23 # --------------------------------------------------------------------------- |
| 24 | 24 |
| 25 MBSEFW_VERSION="0.0.20" | 25 MBSEFW_VERSION="0.0.22" |
| 26 | 26 |
| 27 # Sanity checks | 27 # Sanity checks |
| 28 if [ "$(id -u)" != "0" ]; then | 28 if [ "$(id -u)" != "0" ]; then |
| 29 echo "** You must be root to run this program" | 29 echo "** You must be root to run this program" |
| 30 exit 1 | 30 exit 1 |
| 406 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT | 406 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -j ACCEPT |
| 407 if [ "$FW_FORWARD" = "1" ]; then | 407 if [ "$FW_FORWARD" = "1" ]; then |
| 408 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT | 408 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -m limit --limit 15/second -j ACCEPT |
| 409 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT | 409 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT |
| 410 fi | 410 fi |
| 411 | |
| 412 if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then | |
| 413 $IP6TABLES -A INPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP | |
| 414 $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP | |
| 415 elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then | |
| 416 $IP6TABLES -A INPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP | |
| 417 $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP | |
| 418 fi | |
| 419 $IP6TABLES -A INPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT | |
| 420 $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT | |
| 411 | 421 |
| 412 # rules to permit IPv6 Neighbor discovery | 422 # rules to permit IPv6 Neighbor discovery |
| 413 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT | 423 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT |
| 414 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255 | 424 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255 |
| 415 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT | 425 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT |
