IPv6 ICMP criticals

master
bbruns 2011-02-12 20:41:43 +00:00
parent 4b89a59d71
commit 261286113a
3 changed files with 19 additions and 1 deletions

View File

@ -1,6 +1,7 @@
0.9.12 - Brielle Bruns <bruns@2mbit.com>
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
block incoming to.
- Add support for allowing IPV6 critical ICMP messages, on by default
0.9.11 - Brielle Bruns <bruns@2mbit.com>
- Move some of the config clutter to conf/ - you can

View File

@ -817,6 +817,17 @@ fi
fi
fi
if [ "$IPV6_ICMP_OPT" ]; then
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
if [ "$IPV6_FORWARDRANGE" ]; then
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
fi
fi
if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
. "$BASEDIR/include/ipv6_custom_mssclamp"

View File

@ -217,4 +217,10 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
# Allow critical ICMP messages to go through, such as packet too big.
# You should _really_ make sure you don't disable this if you have any
# kind of MTU changes inside or outside your network.
# Allows: time-exceeded packet-too-big
IPV6_ICMP_CRITICAL=1
# Allow other common IPV6 ICMP messages through the firewall. Though not
# really critical, these can help with general IPv6 usage/diagnostic
# Allows: destination-unreachable parameter-problem
#IPV6_ICMP_OPT=1