~mdw
/
firewall
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
local.m4: Load connection tracking modules as standard.
[firewall]
/
icmp.m4
diff --git
a/icmp.m4
b/icmp.m4
index
3de0483
..
3ccc6d9
100644
(file)
--- a/
icmp.m4
+++ b/
icmp.m4
@@
-30,20
+30,17
@@
clearchain check-icmp
## Ping needs inspecting on a host-by-host basis.
for type in echo-request echo-reply; do
run iptables -A check-icmp -p icmp --icmp-type $type -j RETURN
## Ping needs inspecting on a host-by-host basis.
for type in echo-request echo-reply; do
run iptables -A check-icmp -p icmp --icmp-type $type -j RETURN
+ run ip6tables -A check-icmp -p icmpv6 --icmpv6-type $type -j RETURN
done
done
-## Certainly don't allow ping to broadcast addresses.
-run iptables -A check-icmp -g forbidden \
- -p icmp --icmp-type echo-request \
- -m addrtype --dst-type BROADCAST
-
m4_divert(58)m4_dnl
## Other ICMP is basically benign, we claim.
m4_divert(58)m4_dnl
## Other ICMP is basically benign, we claim.
-run iptables -A check-icmp -j ACCEPT
+run ip
46
tables -A check-icmp -j ACCEPT
## Done.
## Done.
-for i in
INPUT FORWARD
; do
+for i in
$inchains
; do
run iptables -A $i -p icmp -j check-icmp
run iptables -A $i -p icmp -j check-icmp
+ run ip6tables -A $i -p icmpv6 -j check-icmp
done
m4_divert(-1)
done
m4_divert(-1)