# HG changeset patch
# User Michiel Broek
# Date 1472749281 -7200
# Node ID 798ac120a09e98bfda5704ba226c73e4a1e661dd
# Parent 2e298d35241fe686e520c3b33689672b19c00c38
Added icmpv6 code 132. Version 0.0.22
diff -r 2e298d35241f -r 798ac120a09e sbin/mbse-firewall
--- a/sbin/mbse-firewall Sun Oct 25 11:33:03 2015 +0100
+++ b/sbin/mbse-firewall Thu Sep 01 19:01:21 2016 +0200
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # ---------------------------------------------------------------------------
-# Copyright (C) 2013-2015 by Michiel Broek.
+# Copyright (C) 2013-2016 by Michiel Broek.
 # Homepage http://www.mbse.eu
 # Email mbse At mbse dOt eu
 #
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
 
-MBSEFW_VERSION="0.0.20"
+MBSEFW_VERSION="0.0.22"
 
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -409,6 +409,16 @@
 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT
 fi
 
+ if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then
+ $IP6TABLES -A INPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+ $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+ elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then
+ $IP6TABLES -A INPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+ $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+ fi
+ $IP6TABLES -A INPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT
+ $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT
+
 # rules to permit IPv6 Neighbor discovery
 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255
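Review bot: The two `-A INPUT` DROP rules in the border-gateway branches of the `@@ -409,6 +409,16 @@` hunk match on `-o $IF_EXT6` / `-o $IF_EXT`, but ip6tables does not accept an output-interface match in the INPUT chain, so those commands should be rejected and no inbound DROP is installed. Inbound ICMPv6 type 132 arriving on the external interface would then fall through to the unconditional `-A INPUT ... --icmpv6-type 132 -j ACCEPT` added a few lines below, which is the opposite of what the border-gateway case appears to intend. The INPUT rules should use the input-interface match, e.g. `$IP6TABLES -A INPUT -i "$IF_EXT6" -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP`, and likewise with `"$IF_EXT"` in the `elif` branch. While there, quote the interface variables in the OUTPUT rules too and replace `[ ... -a ... ]` with `[ -n "$IF_EXT6" ] && [ "$IF_EXT_IS_BORDER_GW" = "1" ]`. The enclosing function starts and ends outside the hunk, so whether a failed ip6tables call aborts the script cannot be seen from here.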