IPv6 ICMP criticals
bbruns
parent
192040ebf2
commit
4b89a59d71
|
|
@ -18,7 +18,7 @@
|
|||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
FW_VERSION="0.9.11"
|
||||
FW_VERSION="0.9.12"
|
||||
|
||||
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
|
||||
# that would otherwise require remaking their options file. I leave this on by default,
|
||||
|
|
@ -801,11 +801,28 @@ if [ "$IPV6_BLOCKEDIP" ]; then
|
|||
done
|
||||
fi
|
||||
|
||||
if [ "$IPV6_ICMP_CRITICAL" ]; then
|
||||
# This is necessary to make sure that PMTU works
|
||||
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
|
||||
-j ACCEPT
|
||||
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
|
||||
-j ACCEPT
|
||||
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
|
||||
-j ACCEPT
|
||||
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
|
||||
-j ACCEPT
|
||||
if [ "$IPV6_FORWARDRANGE" ]; then
|
||||
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
|
||||
$IP6TABLES -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv6_custom_mssclamp" ]; then
|
||||
display_c YELLOW "Loading custom IPv6 MSS Clamp rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_mssclamp"
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IPV6_CLAMPMSS" ]; then
|
||||
display_c YELLOW "Clamping IPV6 MSS to PMTU..."
|
||||
for i in $IPV6_CLAMPMSS; do
|
||||
|
|
@ -815,15 +832,6 @@ fi
|
|||
$IP6TABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
|
||||
-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
|
||||
--mss 1280:1536
|
||||
# This is necessary to make sure that PMTU works
|
||||
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type time-exceeded \
|
||||
-o $i -j ACCEPT
|
||||
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type time-exceeded \
|
||||
-i $i -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT -p icmpv6 --icmpv6-type packet-too-big \
|
||||
-o $i -j ACCEPT
|
||||
$IP6TABLES -A INPUT -p icmpv6 --icmpv6-type packet-too-big \
|
||||
-i $i -j ACCEPT
|
||||
done
|
||||
fi
|
||||
|
||||
|
|
|
|||
|
|
@ -71,3 +71,6 @@ EXTIP="auto"
|
|||
EXTIF="eth0"
|
||||
EXTIF_FIND="$BASEDIR/bin/get_default_if"
|
||||
EXTIP_FIND="$BASEDIR/bin/get_default_ip"
|
||||
|
||||
# By default, we allow ipv6 critical icmp
|
||||
IPV6_ICMP_CRITICAL=1
|
||||
|
|
|
|||
|
|
@ -213,3 +213,8 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
|
|||
|
||||
# IPv6 range to forward
|
||||
#IPV6_FORWARDRANGE=""
|
||||
|
||||
# Allow critical ICMP messages to go through, such as packet too big.
|
||||
# You should _really_ make sure you don't disable this if you have any
|
||||
# kind of MTU changes inside or outside your network.
|
||||
IPV6_ICMP_CRITICAL=1
|
||||
Loading…
Reference in New Issue