IPv6 ICMP criticals

master
bbruns 2011-02-12 20:20:11 +00:00
parent 192040ebf2
commit 4b89a59d71
3 changed files with 26 additions and 10 deletions

View File

@ -18,7 +18,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
FW_VERSION="0.9.11" FW_VERSION="0.9.12"
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file. I leave this on by default, # that would otherwise require remaking their options file. I leave this on by default,
@ -801,11 +801,28 @@ if [ "$IPV6_BLOCKEDIP" ]; then
done done
fi fi
if [ "$IPV6_ICMP_CRITICAL" ]; then
# This is necessary to make sure that PMTU works
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
-j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
-j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
-j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
-j ACCEPT
if [ "$IPV6_FORWARDRANGE" ]; then
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
fi
fi
if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
display_c YELLOW "Loading custom IPv6 MSS Clamp rules..." display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
. "$BASEDIR/include/ipv6_custom_mssclamp" . "$BASEDIR/include/ipv6_custom_mssclamp"
fi fi
if [ "$IPV6_CLAMPMSS" ]; then if [ "$IPV6_CLAMPMSS" ]; then
display_c YELLOW "Clamping IPV6 MSS to PMTU..." display_c YELLOW "Clamping IPV6 MSS to PMTU..."
for i in $IPV6_CLAMPMSS; do for i in $IPV6_CLAMPMSS; do
@ -815,15 +832,6 @@ fi
$IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \ $IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \ -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
--mss 1280:1536 --mss 1280:1536
# This is necessary to make sure that PMTU works
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
-o $i -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
-i $i -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
-o $i -j ACCEPT
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
-i $i -j ACCEPT
done done
fi fi

View File

@ -71,3 +71,6 @@ EXTIP="auto"
EXTIF="eth0" EXTIF="eth0"
EXTIF_FIND="$BASEDIR/bin/get_default_if" EXTIF_FIND="$BASEDIR/bin/get_default_if"
EXTIP_FIND="$BASEDIR/bin/get_default_ip" EXTIP_FIND="$BASEDIR/bin/get_default_ip"
# By default, we allow ipv6 critical icmp
IPV6_ICMP_CRITICAL=1

View File

@ -213,3 +213,8 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
# IPv6 range to forward # IPv6 range to forward
#IPV6_FORWARDRANGE="" #IPV6_FORWARDRANGE=""
# Allow critical ICMP messages to go through, such as packet too big.
# You should _really_ make sure you don't disable this if you have any
# kind of MTU changes inside or outside your network.
IPV6_ICMP_CRITICAL=1