authorJo-Philipp Wich <jow@openwrt.org>2011-06-30 12:22:05 +0000
committerJo-Philipp Wich <jow@openwrt.org>2011-06-30 12:22:05 +0000
commit07abf4a81e88b8ee42d2bb79d4abf2250d098d78 (patch)
tree727d986e8a61fa0fba019b222b1e909df93a0123 /package/firewall
parentf9e4619b97c6db6d4003cc3475ad3cc285d10367 (diff)
firewall: refine default ICMPv6 rules to better conform with RFC4890, do not forward link local ICMP message types, allow parameter problem
SVN-Revision: 27321
Diffstat (limited to 'package/firewall')
-rw-r--r--package/firewall/files/firewall.config15
1 files changed, 2 insertions, 13 deletions
diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
index c7bc798250..b47823fe2d 100644
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -48,27 +48,16 @@ config rule
option src wan
option dest *
option proto icmp
- list icmp_type router-solicitation
- list icmp_type router-advertisement
- list icmp_type neighbour-solicitation
- list icmp_type neighbour-advertisement
list icmp_type echo-request
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
+ list icmp_type bad-header
+ list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
-# Drop leaking router advertisements on WAN
-config rule
- option src *
- option dest wan
- option proto icmp
- option icmp_type router-advertisement
- option family ipv6
- option target DROP
-
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
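Review bot: The forwarded Parameter Problem set added after `time-exceeded` covers only codes 0 and 1 (`bad-header`, `unknown-header-type`), while RFC 4890 section 4.3.1 lists codes 1 and 2 as transit messages that must not be dropped. Since the commit's stated aim is RFC 4890 conformance, consider adding `list icmp_type unknown-option` next to the two new entries, or noting in a comment why code 2 is left out. The same list accepts `echo-request` but not `echo-reply`; replies to outbound pings are presumably admitted by connection tracking elsewhere in the ruleset, which is worth confirming because that part is not visible here. A one-line comment above the list such as `# Transit ICMPv6 per RFC 4890 4.3; link-local ND/RA types are intentionally not forwarded` would also record why the router/neighbour entries and the RA drop rule were removed. The `config rule` section begins above this hunk, so its name and any earlier options are not shown.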