Mercurial > mbse-firewall / changeset

--- a/sbin/mbse-firewall	Sun Oct 25 11:33:03 2015 +0100
+++ b/sbin/mbse-firewall	Thu Sep 01 19:01:21 2016 +0200
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # ---------------------------------------------------------------------------
-# Copyright (C) 2013-2015 by Michiel Broek.
+# Copyright (C) 2013-2016 by Michiel Broek.
 # Homepage                   http://www.mbse.eu
 # Email                      mbse At mbse dOt eu
 #
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
 
-MBSEFW_VERSION="0.0.20"
+MBSEFW_VERSION="0.0.22"
 
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -409,6 +409,16 @@
       $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply   -m limit --limit 15/second -j ACCEPT
     fi
 
+    if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then
+      $IP6TABLES -A INPUT  -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+      $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+    elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then
+      $IP6TABLES -A INPUT  -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+      $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+    fi
+    $IP6TABLES -A INPUT   -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT
+    $IP6TABLES -A OUTPUT  -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT
+
     # rules to permit IPv6 Neighbor discovery
     $IP6TABLES -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
     $IP6TABLES -A INPUT   -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP	# Silent drop HOPLIMIT <> 255