local.m4: Fix whitespace oddity.

[firewall] / bookends.m4

diff --git a/bookends.m4 b/bookends.m4
index 9757a38..1004b76 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -115,7 +115,8 @@ esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
 for i in \
-  accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen
+  accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
+  accept_redirects
 do
   setdevopt $i $host
 done
@@ -136,13 +137,13 @@ setopt icmp_echo_ignore_broadcasts 0
 ## Turn off iptables filtering for bridges.  We'll use ebtables if we need
 ## to; but right now the model is that we do filtering at the borders, and
 ## are tolerant of things which are local.
-if [ -x /sbin/brctl ]; then
+if [ -x /sbin/brctl ] || [ -x /usr/sbin/brctl ]; then
   modprobe bridge || :
-  if [ -d /proc/sys/net/bridge ]; then
-    for filter in arptables iptables ip6tables; do
-      run sysctl -q net.bridge.bridge-nf-call-$filter=0
-    done
-  fi
+fi
+if [ -d /proc/sys/net/bridge ]; then
+  for filter in arptables iptables ip6tables; do
+    run sysctl -q net.bridge.bridge-nf-call-$filter=0
+  done
 fi
 
 ## Turn off the reverse-path filter.  It's basically useless: the filter does
@@ -153,7 +154,7 @@ setdevopt log_martians 0
 
 ## Turn off things which can mess with our routing decisions.
 setdevopt accept_source_route 0
-setdevopt accept_redirects 0
+setdevopt secure_redirects 1
 
 ## If we're maent to stop the firewall, then now is the time to do it.
 $exit_after_clearing
@@ -176,6 +177,10 @@ errorchain bad-source-address DROP
 ## Packet arrived on wrong interface for its source address.  Drops the
 ## packet, since there's nowhere sensible to send an error.
 
+errorchain dns-rate-limit DROP
+## Dropped incoming DNS query due to rate limiting.  The source address is
+## suspicious, so don't produce ICMP.
+
 errorchain bad-destination-address REJECT
 ## Packet arrived on non-loopback interface with loopback destination.