author | ume <ume@FreeBSD.org> | 2001-07-24 13:37:06 +0000 |
---|---|---|
committer | ume <ume@FreeBSD.org> | 2001-07-24 13:37:06 +0000 |
commit | b8992b149862a13f5e9589163c94e7ac8662325f (patch) | |
tree | 5362665059ec91da1a94916aae4e674d3aa8fae7 /etc | |
parent | 8024dc82e1e641c969378b300abd0163cbb83d6b (diff) | |
pass any NS/NA/toobig.
Requested by: itojun
MFC after: 5 days
Diffstat (limited to 'etc')
-rw-r--r-- | etc/rc.firewall6 | 29 |
1 files changed, 10 insertions, 19 deletions
diff --git a/etc/rc.firewall6 b/etc/rc.firewall6
index 64c2c1d..b774ef9 100644
--- a/etc/rc.firewall6
+++ b/etc/rc.firewall6
@@ -145,9 +145,11 @@ case ${ipv6_firewall_type} in
 ${fw6cmd} add pass udp from any 123 to ${ip}
 ${fw6cmd} add pass udp from ${ip} to any 123
 
- # Allow ICMPv6 destination unreach and packet too big
- ${fw6cmd} add pass ipv6-icmp from any to ${ip} icmptypes 1,2
- ${fw6cmd} add pass ipv6-icmp from ${ip} to any icmptypes 1,2
+ # Allow ICMPv6 destination unreach
+ ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1
+
+ # Allow NS/NA/toobig (don't filter it out)
+ ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
 
 # Everything else is denied by default, unless the
 # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@@ -253,22 +255,11 @@ case ${ipv6_firewall_type} in
 #${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
 #${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521
 
- # Allow ICMPv6 destination unreach and packet too big
- ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1,2
-
- # Allow NS/NA
- ${fw6cmd} add pass ipv6-icmp from ${inet}/${iprefixlen} to ff02::/16 \
- icmptypes 135
- ${fw6cmd} add pass ipv6-icmp from ${iip} to ${inet}/${iprefixlen} \
- icmptypes 135,136
- ${fw6cmd} add pass ipv6-icmp from ${inet}/${iprefixlen} to ${iip} \
- icmptypes 135,136
- ${fw6cmd} add pass ipv6-icmp from ${onet}/${oprefixlen} to ff02::/16 \
- icmptypes 135
- ${fw6cmd} add pass ipv6-icmp from ${oip} to ${onet}/${oprefixlen} \
- icmptypes 135,136
- ${fw6cmd} add pass ipv6-icmp from ${onet}/${oprefixlen} to ${oip} \
- icmptypes 135,136
+ # Allow ICMPv6 destination unreach
+ ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2
+
+ # Allow NS/NA/toobig (don't filter it out)
+ ${fw6cmd} add pass ipv6-icmp from any to any icmptypes 2,135,136
 
 # Everything else is denied by default, unless the
 # IPV6FIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel |
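Review bot: The comment `# Allow NS/NA/toobig (don't filter it out)` in the first hunk (`@@ -145,9 +145,11 @@`) does not say why these types must pass, or why the `${ip}` scoping of the removed rules was dropped in favour of `any to any`. I would spell it out, e.g. `# NS/NA (135,136) are needed for neighbor discovery and packet too big (2) for path MTU discovery; filtering them breaks IPv6 connectivity`. Because 135,136 are now accepted from any source, the rule relies on the IPv6 stack discarding neighbor discovery messages that did not originate on-link (the hop-limit 255 check); that is presumably the intent, but it is worth stating in the comment. The enclosing case branch starts and ends outside the hunk.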
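Review bot: In the second hunk (`@@ -253,22 +255,11 @@`) the rule under `# Allow ICMPv6 destination unreach` matches `icmptypes 2`, which is packet too big, not destination unreachable (type 1). The removed rule passed `1,2`, so with the default deny described in the trailing context, destination unreachable appears to be dropped in this ruleset after the change, while type 2 is matched twice. The first hunk uses `icmptypes 1` under the same comment, so this line should read `${fw6cmd} add pass ipv6-icmp from any to any icmptypes 1`. The enclosing case branch starts and ends outside the hunk.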