~mdw / firewall / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Overhaul address classification for link-local and non-unicast addresses.
[firewall] / icmp.m4
diff --git a/icmp.m4 b/icmp.m4
index 460c838..93c2973 100644 (file)
--- a/icmp.m4
+++ b/icmp.m4
@@ -33,21 +33,6 @@ for type in echo-request echo-reply; do
   run ip6tables -A check-icmp -p icmpv6 --icmpv6-type $type -j RETURN
 done
 
-## Certainly don't allow ping to broadcast or multicast addresses.
-case $forward in
-  1)
-    run iptables -A FORWARD -g forbidden \
-           -p icmp --icmp-type echo-request \
-           -m addrtype --dst-type BROADCAST
-    run iptables -A FORWARD -g forbidden \
-           -p icmp --icmp-type echo-request \
-           -d 224.0.0.0/8
-    run ip6tables -A FORWARD -g forbidden \
-           -p icmpv6 --icmpv6-type echo-request \
-           -d ff00::/16
-    ;;
-esac
-
 m4_divert(58)m4_dnl
 ## Other ICMP is basically benign, we claim.
 run ip46tables -A check-icmp -j ACCEPT
Firewall scripts for distorted.org.uk.