mirror of
https://github.com/firehol/firehol.git
synced 2024-06-29 18:32:16 +00:00
Update firehol ICMPv6 example
Simplifies setup and splits out the icmp part so users cannot get confused using src/dst addresses on their normal interfaces.
This commit is contained in:
parent
f1580c9c4f
commit
1c6b12a8f6
@ -1,26 +1,54 @@
|
|||||||
version 5
|
version 6
|
||||||
|
|
||||||
#
|
#
|
||||||
# Basic example for a directly connected host showing use of the ICMPv6
|
# Basic template for a host, showing use of the ICMPv6 helper commands
|
||||||
# helper commands to allow correct operation of IPv6.
|
# to allow correct operation of IPv6.
|
||||||
#
|
#
|
||||||
|
lan=lan0
|
||||||
|
wan=wan0
|
||||||
|
|
||||||
wan=wlan0
|
# The following are needed for correct ipv6 operation on a host.
|
||||||
|
#
|
||||||
|
# We set up a firehol interface which matches any real interface
|
||||||
|
# for icmpv6 traffic. This is given a policy of return so anything
|
||||||
|
# not handled here will be processed in a normal firehol interace.
|
||||||
|
#
|
||||||
|
# The key provision is there is no src/dst supplied which will
|
||||||
|
# interfere since can be sent to multicast addresses, even in
|
||||||
|
# the case where they are not unsolicited.
|
||||||
|
#
|
||||||
|
# Note: DO NOT use 'client ipv6error accept' here
|
||||||
|
ipv6 interface any ipv6interop proto icmpv6
|
||||||
|
policy return
|
||||||
|
client ipv6neigh accept
|
||||||
|
server ipv6neigh accept
|
||||||
|
client ipv6mld accept
|
||||||
|
client ipv6router accept
|
||||||
|
# If this machine is routing traffic, it will need to be able
|
||||||
|
# to send Router Advertisment messages and Multicast Listener Queries
|
||||||
|
#server ipv6router accept
|
||||||
|
#server ipv6mld accept
|
||||||
|
|
||||||
|
# Normal error packets - is RELATED sufficient without this?
|
||||||
|
server ipv6error accept
|
||||||
|
|
||||||
|
interface "$lan" lan
|
||||||
|
policy reject
|
||||||
|
|
||||||
|
client all accept
|
||||||
|
server ssh accept
|
||||||
|
server ping accept
|
||||||
|
|
||||||
interface "$wan" wan
|
interface "$wan" wan
|
||||||
protection strong
|
protection strong
|
||||||
policy deny
|
policy deny
|
||||||
|
|
||||||
# The following are needed for correct ipv6 operation. Note:
|
|
||||||
# do not use 'client ipv6error accept' (except as documented).
|
|
||||||
server ipv6error accept
|
|
||||||
client ipv6neigh accept
|
|
||||||
server ipv6neigh accept
|
|
||||||
client ipv6router accept
|
|
||||||
|
|
||||||
# Routers will need to send Router Advertisment messages
|
|
||||||
#server ipv6router accept
|
|
||||||
|
|
||||||
# Allow all outgoing traffic with only incoming IPv4/IPv6 pings
|
|
||||||
client all accept
|
client all accept
|
||||||
server ping accept
|
server ping accept
|
||||||
|
|
||||||
|
router lan2wan inface "$lan" outface "$wan"
|
||||||
|
# Normal error packets - is RELATED sufficient without this?
|
||||||
|
server ipv6error accept
|
||||||
|
# Neighbour Discover / Router Disscovery packets should not
|
||||||
|
# traverse a firewall normally. You may need to add some rules
|
||||||
|
# if you are firewalling a bridge.
|
||||||
|
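Review bot: the comment "# Normal error packets - is RELATED sufficient without this?" appears twice in the new version (under `ipv6 interface any ipv6interop proto icmpv6` and again under `router lan2wan inface "$lan" outface "$wan"`) and leaves an open question in what the header now calls a template; a user copying it cannot tell whether `server ipv6error accept` is required or redundant, so either settle that before merging or reword the comment to state the rule's purpose without the question mark. On ordering: `ipv6 interface any ipv6interop proto icmpv6` is declared before `interface "$wan" wan` and has no `protection` line of its own, so as I read it ICMPv6 arriving on wan0 that matches the ipv6neigh/ipv6router/ipv6mld/ipv6error rules is accepted there and never reaches the `protection strong` the wan block still declares (in version 5 those same rules sat below `protection strong`); if that is intended, a comment saying so would help, otherwise a `protection` line belongs in the ipv6interop block. Two pieces of explanation were dropped rather than moved: the "(except as documented)" qualifier on the old "do not use 'client ipv6error accept'" note, and "# Allow all outgoing traffic with only incoming IPv4/IPv6 pings" above the wan `client all accept` / `server ping accept` pair; both are worth keeping. Typos in the new comments: "interace" should be "interface", "Advertisment" should be "Advertisement", "Neighbour Discover / Router Disscovery" should be "Neighbour Discovery / Router Discovery", and "which will interfere since can be sent to multicast addresses" is missing its subject ("since they can be sent").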