Thu, 01 Sep 2016 19:01:21 +0200
Added icmpv6 code 132. Version 0.0.22
--- a/sbin/mbse-firewall Sun Oct 25 11:33:03 2015 +0100
+++ b/sbin/mbse-firewall Thu Sep 01 19:01:21 2016 +0200
@@ -1,7 +1,7 @@
 #!/bin/bash
 # ---------------------------------------------------------------------------
-# Copyright (C) 2013-2015 by Michiel Broek.
+# Copyright (C) 2013-2016 by Michiel Broek.
 # Homepage http://www.mbse.eu
 # Email mbse At mbse dOt eu
 #
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
-MBSEFW_VERSION="0.0.20"
+MBSEFW_VERSION="0.0.22"
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -409,6 +409,16 @@
 $IP6TABLES -A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type echo-reply -m limit --limit 15/second -j ACCEPT
 fi
+ if [ -n "$IF_EXT6" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then
+ $IP6TABLES -A INPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+ $IP6TABLES -A OUTPUT -o $IF_EXT6 -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+ elif [ -n "$IF_EXT" -a "$IF_EXT_IS_BORDER_GW" = "1" ]; then
+ $IP6TABLES -A INPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+ $IP6TABLES -A OUTPUT -o $IF_EXT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP
+ fi
+ $IP6TABLES -A INPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT
+ $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j ACCEPT
+
 # rules to permit IPv6 Neighbor discovery
 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
 $IP6TABLES -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j DROP # Silent drop HOPLIMIT <> 255
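Review bot: In the third hunk (`@@ -409,6 +409,16 @@`), both border-gateway branches add `-A INPUT -o $IF_EXT6` / `-A INPUT -o $IF_EXT`, but ip6tables does not accept an output-interface match in the INPUT chain, so these two DROP rules will fail to load. The unconditional `-A INPUT ... --icmpv6-type 132 -j ACCEPT` that follows would then admit type 132 (MLD Multicast Listener Done) arriving on the external interface, which is the traffic the branch is meant to block. Match on the input interface and quote the variable: `$IP6TABLES -A INPUT -i "$IF_EXT6" -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 132 -j DROP`, and the same with `"$IF_EXT"` in the `elif`. Since MLD messages are sent from a link-local source with hop limit 1, the two ACCEPT rules could also be narrowed with `-s fe80::/10 -m hl --hl-eq 1`, in the same way the neighbor-discovery rules below check `--hl-eq 255`. The enclosing function begins and ends outside the hunk, so whether a failed ip6tables call aborts the script cannot be seen from here.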