# HG changeset patch # User Michiel Broek # Date 1499890888 -7200 # Node ID c5697bee68841ee8709c68710baa7f991422ea64 # Parent 798ac120a09e98bfda5704ba226c73e4a1e661dd Version 0.0.23 drop ICMPv6 neighbour advertisement packets with hoplimit not 256 diff -r 798ac120a09e -r c5697bee6884 sbin/mbse-firewall --- a/sbin/mbse-firewall Thu Sep 01 19:01:21 2016 +0200 +++ b/sbin/mbse-firewall Wed Jul 12 22:21:28 2017 +0200 @@ -1,7 +1,7 @@ #!/bin/bash # --------------------------------------------------------------------------- -# Copyright (C) 2013-2016 by Michiel Broek. +# Copyright (C) 2013-2017 by Michiel Broek. # Homepage http://www.mbse.eu # Email mbse At mbse dOt eu # @@ -22,7 +22,7 @@ # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. # --------------------------------------------------------------------------- -MBSEFW_VERSION="0.0.22" +MBSEFW_VERSION="0.0.23" # Sanity checks if [ "$(id -u)" != "0" ]; then @@ -426,6 +426,7 @@ $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j DROP # Silent drop HOPLIMIT <> 255 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT + $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j DROP # Silent drop HOPLIMIT <> 255 $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT $IP6TABLES -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
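Review bot: In the @@ -426,6 +426,7 @@ hunk the added neighbour-advertisement DROP rule and its trailing comment both use hop limit 255, matching the `--hl-eq 255` ACCEPT just above it, but the commit message says "hoplimit not 256"; please correct the message to 255 so the log matches the rule. The new rule is only correct while it stays directly after that ACCEPT, so a short comment noting the ordering dependency for both the solicitation and advertisement pairs would help anyone who later reorders this block. The drop is also silent: if packets failing the hop-limit check should be visible to operators, consider a rate-limited LOG rule ahead of the DROP, applied to the neighbour-solicitation pair as well for consistency.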