mirror of
https://github.com/firehol/firehol.git
synced 2024-06-27 09:28:18 +00:00
Update firehol ICMPv6 example
Simplifies setup and splits out the icmp part so users cannot get confused using src/dst addresses on their normal interfaces.
This commit is contained in:
Philip Whineray
parent
f1580c9c4f
commit
1c6b12a8f6
@ -1,26 +1,54 @@
|
||||
version 5
|
||||
version 6
|
||||
|
||||
#
|
||||
# Basic example for a directly connected host showing use of the ICMPv6
|
||||
# helper commands to allow correct operation of IPv6.
|
||||
# Basic template for a host, showing use of the ICMPv6 helper commands
|
||||
# to allow correct operation of IPv6.
|
||||
#
|
||||
lan=lan0
|
||||
wan=wan0
|
||||
|
||||
wan=wlan0
|
||||
# The following are needed for correct ipv6 operation on a host.
|
||||
#
|
||||
# We set up a firehol interface which matches any real interface
|
||||
# for icmpv6 traffic. This is given a policy of return so anything
|
||||
# not handled here will be processed in a normal firehol interace.
|
||||
#
|
||||
# The key provision is there is no src/dst supplied which will
|
||||
# interfere since can be sent to multicast addresses, even in
|
||||
# the case where they are not unsolicited.
|
||||
#
|
||||
# Note: DO NOT use 'client ipv6error accept' here
|
||||
ipv6 interface any ipv6interop proto icmpv6
|
||||
policy return
|
||||
client ipv6neigh accept
|
||||
server ipv6neigh accept
|
||||
client ipv6mld accept
|
||||
client ipv6router accept
|
||||
# If this machine is routing traffic, it will need to be able
|
||||
# to send Router Advertisment messages and Multicast Listener Queries
|
||||
#server ipv6router accept
|
||||
#server ipv6mld accept
|
||||
|
||||
# Normal error packets - is RELATED sufficient without this?
|
||||
server ipv6error accept
|
||||
|
||||
interface "$lan" lan
|
||||
policy reject
|
||||
|
||||
client all accept
|
||||
server ssh accept
|
||||
server ping accept
|
||||
|
||||
interface "$wan" wan
|
||||
protection strong
|
||||
policy deny
|
||||
|
||||
# The following are needed for correct ipv6 operation. Note:
|
||||
# do not use 'client ipv6error accept' (except as documented).
|
||||
server ipv6error accept
|
||||
client ipv6neigh accept
|
||||
server ipv6neigh accept
|
||||
client ipv6router accept
|
||||
|
||||
# Routers will need to send Router Advertisment messages
|
||||
#server ipv6router accept
|
||||
|
||||
# Allow all outgoing traffic with only incoming IPv4/IPv6 pings
|
||||
client all accept
|
||||
server ping accept
|
||||
|
||||
router lan2wan inface "$lan" outface "$wan"
|
||||
# Normal error packets - is RELATED sufficient without this?
|
||||
server ipv6error accept
|
||||
# Neighbour Discover / Router Disscovery packets should not
|
||||
# traverse a firewall normally. You may need to add some rules
|
||||
# if you are firewalling a bridge.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user