author | Chris Buechler <cmb@pfsense.org> | 2009-04-05 22:20:53 -0400 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2009-04-05 22:20:53 -0400 |
commit | 910efe277f7dacadab9a8517e5b87b2be878a377 (patch) | |
tree | b31e27a913727392224f2c3b6402e55d9b34d973 /etc | |
parent | 354f1f01450976ef769941a3a26a9c5615d5a484 (diff) | |
download | pfsense-910efe277f7dacadab9a8517e5b87b2be878a377.zip pfsense-910efe277f7dacadab9a8517e5b87b2be878a377.tar.gz |
Block all IPv6 traffic by default, since IPv6 isn't supported, there isn't any way to add such rules in the GUI, and nearly all users won't want IPv6 to traverse their firewall at this point. Add "Allow IPv6" checkbox to disable this behavior.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc index df6c226..b89628c 100644 --- a/etc/inc/filter.inc +++ b/etc/inc/filter.inc @@ -1678,6 +1678,17 @@ block out $log all label "Default deny rule" block quick proto { tcp, udp } from any port = 0 to any block quick proto { tcp, udp } from any to any port = 0 + +EOD; + + if(!isset($config['system']['ipv6allow'])) { + $ipfrules .= "# Block all IPv6\n"; + $ipfrules .= "block in quick inet6 all\n"; + $ipfrules .= "block out quick inet6 all\n"; + } + + $ipfrules .= <<<EOD + # snort2c table <snort2c> persist block quick from <snort2c> to any label "Block snort2c hosts" @@ -2347,4 +2358,4 @@ EOD; return($ipfrules); } -?> +?>
\ No newline at end of file |
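Review bot: The two added rules in the first hunk, `block in quick inet6 all` and `block out quick inet6 all`, carry neither `$log` nor a `label`, unlike the `block out $log all label "Default deny rule"` context line above them and the labelled snort2c rule below. Because both rules are `quick`, they are the final match for every IPv6 packet, so the drops are not logged through `$log` and have no label to identify them in rule statistics. Consider `block in $log quick inet6 all label "Block all IPv6"` and the same for `out`, so that someone troubleshooting IPv6 connectivity can see which rule dropped the traffic. The `!isset($config['system']['ipv6allow'])` test itself fails closed when the key is absent, which matches the commit message.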
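Review bot: The second hunk only changes the newline after the closing `?>` at the end of the file, which is unrelated to the IPv6 blocking described in the commit message. Either leave that line out of this commit, or remove the closing `?>` from the include file entirely so that no trailing whitespace after it can ever be sent as output.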