hosts: Allow incoming ident requests.

[firewall] / bookends.m4

diff --git a/bookends.m4 b/bookends.m4
index 6ba2827..cdc716e 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -52,16 +52,24 @@ setopt ip_local_port_range $open_port_min $open_port_max
 ## Deploy SYN-cookies if necessary.
 setopt tcp_syncookies 1
 
+## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
+setopt icmp_echo_ignore_broadcasts 0
+
 ## Turn off iptables filtering for bridges.  We'll use ebtables if we need
 ## to; but right now the model is that we do filtering at the borders, and
 ## are tolerant of things which are local.
-for filter in arptables iptables ip6tables; do
-  run sysctl -q net/bridge/bridge-nf-call-$filter=0
-done
+if [ -x /sbin/brctl ]; then
+  modprobe bridge || :
+  if [ -d /proc/sys/net/bridge ]; then
+    for filter in arptables iptables ip6tables; do
+      run sysctl -q net.bridge.bridge-nf-call-$filter=0
+    done
+  fi
+fi
 
 ## Turn on the reverse-path filter, and log weird things.
-setdevopt rp_filter 1
-setdevopt log_martians 1
+setdevopt rp_filter $rp_filter
+setdevopt log_martians $log_martians
 
 ## Turn off things which can mess with our routing decisions.
 setdevopt accept_source_route 0