Revision 1f321f66
Added by Seth Mos over 14 years ago
| etc/inc/filter.inc | ||
|---|---|---|
| 2087 | 2087 |
block in $log inet6 all label "Default deny rule IPv6" |
| 2088 | 2088 |
block out $log inet6 all label "Default deny rule IPv6" |
| 2089 | 2089 |
|
| 2090 |
# IPv6 ICMP is not auxilary, it is required for operation |
|
| 2091 |
#pass out quick proto ipv6-icmp from any to any keep state |
|
| 2092 |
# Allow only bare essential icmpv6 packets (NS, NA, and RA) |
|
| 2093 |
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {neighbradv,neighbrsol,routeradv}
|
|
| 2094 |
|
|
| 2090 | 2095 |
# We use the mighty pf, we cannot be fooled. |
| 2091 | 2096 |
block quick inet proto { tcp, udp } from any port = 0 to any
|
| 2092 | 2097 |
block quick inet proto { tcp, udp } from any to any port = 0
|
| ... | ... | |
| 2298 | 2303 |
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself" |
| 2299 | 2304 |
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself" |
| 2300 | 2305 |
|
| 2301 |
# IPv6 ICMP is not auxilary, it is required for operation |
|
| 2302 |
#pass out quick proto ipv6-icmp from any to any keep state |
|
| 2303 |
# Allow only bare essential icmpv6 packets (NS, NA, and RA) |
|
| 2304 |
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {neighbradv,neighbrsol,routeradv}
|
|
| 2305 |
|
|
| 2306 | 2306 |
EOD; |
| 2307 | 2307 |
foreach ($FilterIflist as $ifdescr => $ifcfg) {
|
| 2308 | 2308 |
if(isset($ifcfg['virtual'])) |
Also available in: Unified diff
Move the ICMP rules further to the top in order for normal neighbour contact via icmp6 to work