X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/64de9249b91190ffe73b78f1aa6c74d1c88b3afc..490003e407d54c7f4c8612836bb601f6883c191f:/bookends.m4
diff --git a/bookends.m4 b/bookends.m4
index 9757a38..699a966 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -115,7 +115,8 @@ esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
 for i in \
- accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen
+ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
+ accept_redirects
 do
 setdevopt $i $host
 done
@@ -153,7 +154,7 @@ setdevopt log_martians 0
 ## Turn off things which can mess with our routing decisions.
 setdevopt accept_source_route 0
-setdevopt accept_redirects 0
+setdevopt secure_redirects 1
 ## If we're maent to stop the firewall, then now is the time to do it.
 $exit_after_clearing
@@ -176,6 +177,10 @@ errorchain bad-source-address DROP
 ## Packet arrived on wrong interface for its source address. Drops the
 ## packet, since there's nowhere sensible to send an error.
+errorchain dns-rate-limit DROP
+## Dropped incoming DNS query due to rate limiting. The source address is
+## suspicious, so don't produce ICMP.
+
 errorchain bad-destination-address REJECT
 ## Packet arrived on non-loopback interface with loopback destination.
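Review bot: Moving `accept_redirects` into the `for i in` loop makes it follow `$host`, so a non-forwarding machine now accepts ICMP redirects where the line removed in the second hunk forced them off everywhere, and nothing in the new code records why. Redirects let an on-link sender influence a host's next-hop choice, so the relaxation deserves a comment above the loop, for example `## Hosts take router advertisements and redirects from the network; routers ignore both.` The definitions of `$host` and `setdevopt` are outside this hunk, so I am assuming `$host` is 1 only when forwarding is off; please confirm.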
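Review bot: The comment `## Turn off things which can mess with our routing decisions.` no longer matches the new line `setdevopt secure_redirects 1`, which turns a restriction on rather than turning a feature off. As far as I know `secure_redirects` exists only under the IPv4 sysctl tree, so if `setdevopt` (defined outside this hunk) also writes the IPv6 tree, as the `accept_ra*` names in the earlier loop suggest, the IPv6 write fails or is skipped, and redirects enabled there rely only on the kernel's own neighbour-discovery checks. I would add a line such as `## Where redirects are accepted, only take them from known gateways (IPv4 only).` and check how `setdevopt` reports a missing sysctl.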