From ece001ddb55acd35667d27b8fc88155c37296717 Mon Sep 17 00:00:00 2001
From: "bruns@2mbit.com" <bruns@2mbit.com@e5899ace-8841-11de-95b9-8f387cfb8bc3>
Date: Sun, 23 Aug 2009 22:43:56 +0000
Subject: [PATCH] More IPv6 fixes

---
 options.default | 3 +++
 rc.firewall     | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/options.default b/options.default
index c387fa1..8725c85 100755
--- a/options.default
+++ b/options.default
@@ -70,6 +70,9 @@ IPV6BLOCKINCOMING=1
 # Interface IPv6 comes in on (either tunnel or real network interface)
 #IPV6INT=he-ipv6
 
+# LAN interface for IPv6
+#IPV6LAN=eth1
+
 # Trusted IPv6 ranges
 IPV6TRUSTED="::1"
 
diff --git a/rc.firewall b/rc.firewall
index 9aad703..afb5c4c 100755
--- a/rc.firewall
+++ b/rc.firewall
@@ -178,10 +178,10 @@ if [ $IPV6 ]; then
 	if [ $IPV6ROUTEDCLIENTBLOCK ]; then
 		$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 		$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-		$IP6TABLES -A FORWARD -i $IPV6INT -p tcp --syn -j DROP
-		$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
-		$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
-		$IP6TABLES -A FORWARD -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
+		$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
+		$IP6TABLES -A INPUT -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
+		$IP6TABLES -A INPUT -i $IPV6INT -o $IPV6LAN -p udp ! --dport 32768:65535 -j DROP
+		$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p udp ! --dport 32768:65535 -j DROP
 	fi
 	
 	echo -n "Adding allowed IPv6 port: "