classify.m4: Classify individual host routes correctly.
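--- a/bookends.m4
+++ b/bookends.m4
@@ -115,7 +115,8 @@ esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
 for i in \
-accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen
+accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
+accept_redirects
 do
 setdevopt $i $host
 done
@@ -153,7 +154,7 @@ setdevopt log_martians 0
 ## Turn off things which can mess with our routing decisions.
 setdevopt accept_source_route 0
-setdevopt accept_redirects 0
+setdevopt secure_redirects 1
 ## If we're maent to stop the firewall, then now is the time to do it.
 $exit_after_clearing
@@ -176,6 +177,10 @@ errorchain bad-source-address DROP
 ## Packet arrived on wrong interface for its source address. Drops the
 ## packet, since there's nowhere sensible to send an error.
+errorchain dns-rate-limit DROP
+## Dropped incoming DNS query due to rate limiting. The source address is
+## suspicious, so don't produce ICMP.
+
 errorchain bad-destination-address REJECT
 ## Packet arrived on non-loopback interface with loopback destination.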
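Review bot: The second hunk replaces the unconditional `setdevopt accept_redirects 0` with `setdevopt secure_redirects 1`, while the first hunk moves accept_redirects into the per-device loop that sets it to `$host`, so on a non-forwarding host (presumably `$host` is 1 there; its definition lies outside these hunks) ICMP redirects from gateways in the routing table are now honoured instead of all being ignored, and the surviving `## Turn off things which can mess with our routing decisions.` comment no longer describes that. I would document the intent next to the new line, e.g. `## Hosts honour redirects only from their configured gateways (secure_redirects); routers ignore redirects via the $host loop above.`. Note also that the Linux IPv6 stack has accept_redirects but no secure_redirects counterpart, so if setdevopt applies these settings to both address families the IPv6 side would accept any on-link redirect; that deserves a comment or a family-specific setting if it is the case.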