X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/1ee6211dcd0063197621004e6c7073bd801b8efe..429f4314d0d1be69f7500cf7f97671595804fdd0:/bookends.m4
diff --git a/bookends.m4 b/bookends.m4
index 8543f05..6ba2827 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -52,6 +52,13 @@ setopt ip_local_port_range $open_port_min $open_port_max
 ## Deploy SYN-cookies if necessary.
 setopt tcp_syncookies 1
 
+## Turn off iptables filtering for bridges. We'll use ebtables if we need
+## to; but right now the model is that we do filtering at the borders, and
+## are tolerant of things which are local.
+for filter in arptables iptables ip6tables; do
+  run sysctl -q net/bridge/bridge-nf-call-$filter=0
+done
+
 ## Turn on the reverse-path filter, and log weird things.
 setdevopt rp_filter 1
 setdevopt log_martians 1
@@ -111,6 +118,18 @@ run ip6tables -A FORWARD -g bad-source-address \
 run ip6tables -A FORWARD -g bad-destination-address \
 	-d fe80::/10
 
+## Also, don't forward link-local broadcast or multicast.
+run iptables -A FORWARD -g bad-destination-address \
+	-d 255.255.255.255
+run iptables -A FORWARD -g bad-destination-address \
+	-m addrtype --dst-type BROADCAST
+run iptables -A FORWARD -g bad-destination-address \
+	-d 224.0.0.0/24
+for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+  run ip6tables -A FORWARD -g bad-destination-address \
+	-d fe${x}2::/16
+done
+
 m4_divert(90)m4_dnl
 ###--------------------------------------------------------------------------
 ### Finishing touches.
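Review bot: `run sysctl -q net/bridge/bridge-nf-call-$filter=0` in the first hunk only succeeds once the bridge netfilter keys exist, i.e. after the bridge module (br_netfilter on newer kernels) is loaded; `-q` suppresses the value echo, not the error, so on a host where this script runs before any bridge is created it reports a missing key and, depending on what `run` does with a failing command (defined outside this hunk), may abort the whole firewall load. If the module is loaded later, its defaults (1) re-enable the calls and the setting is lost silently, so the intent here is never actually enforced. Guarding the body with `[ -f /proc/sys/net/bridge/bridge-nf-call-$filter ] && run sysctl -q net/bridge/bridge-nf-call-$filter=0` makes the precondition explicit, and the comment should state the consequence for the rules added further down: bridged frames no longer traverse FORWARD at all, so the bad-source-address/bad-destination-address chains do not apply to traffic between bridge ports.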
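Review bot: The IPv6 loop at the end of the second hunk uses `-d fe${x}2::/16`, which spans fe02::/16 through fef2::/16 — none of which is multicast space (IPv6 multicast is ff00::/8, and link-local scope is ff?2::/16) — so these sixteen rules match nothing the comment describes, and the stated intent ("don't forward link-local … multicast") is not met for IPv6. Unless the fe prefix is deliberate, the line should read `-d ff${x}2::/16`, which covers ff02::/16 through fff2::/16, the link-local scope under every flag-nibble combination. A one-line comment on the loop, e.g. `## x iterates the multicast flag nibble; scope 2 is link-local`, would make the construction legible and a typo like this obvious; the IPv4 rules (255.255.255.255, addrtype BROADCAST, 224.0.0.0/24) look correct.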