## Set forwarding options. Apparently setting ip_forward clobbers other
## settings, so put this first.
case $host_type_<::>FWHOST in
- router) forward=1 ;;
- *) forward=0 ;;
+ router) forward=1 host=0 ;;
+ server) forward=0 host=0 ;;
+ client) forward=0 host=1 ;;
esac
setopt ip_forward $forward
setdevopt forwarding $forward
+for i in \
+ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
+ accept_redirects
+do
+ setdevopt $i $host
+done
case $forward in
0) inchains="INPUT" ;;
1) inchains="INPUT FORWARD" ;;
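Review bot: The rewritten `case` on the host type drops the old `*) forward=0 ;;` fallback, so any value other than router, server or client leaves both `forward` and `host` unset. Because `setopt ip_forward $forward` and `setdevopt $i $host` expand them unquoted, an empty value disappears from the argument list. The later `case $forward in` then matches neither arm, so `inchains` is never assigned. Either restore a restrictive default with `*) forward=0 host=0 ;;` or fail on an unrecognised type, so that a typo in the host table cannot leave forwarding, router-advertisement and redirect settings undefined. The `case $forward in` statement continues outside this hunk.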
## Turn off things which can mess with our routing decisions.
setdevopt accept_source_route 0
-setdevopt accept_redirects 0
+setdevopt secure_redirects 1
## If we're maent to stop the firewall, then now is the time to do it.
$exit_after_clearing
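Review bot: The context comment "Turn off things which can mess with our routing decisions" no longer describes this block. The new line turns `secure_redirects` on, and `accept_redirects` is now set per host type elsewhere and is enabled for clients. A short comment on the new line would state the intended policy, for example `## Where redirects are accepted (clients), only believe ones from known gateways.` Note also that `secure_redirects` is an IPv4-only sysctl, so it does not constrain IPv6 redirects on clients. `setdevopt` is not visible here, so how it handles a setting that exists for only one address family should be confirmed.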
## Packet arrived on wrong interface for its source address. Drops the
## packet, since there's nowhere sensible to send an error.
+errorchain dns-rate-limit DROP
+## Dropped incoming DNS query due to rate limiting. The source address is
+## suspicious, so don't produce ICMP.
+
errorchain bad-destination-address REJECT
## Packet arrived on non-loopback interface with loopback destination.