X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/fb7845a892c48e5004dea115bdd6b8a17fea7935..78aaac07301dc78e7676a18be5f23f44f6a4ffe7:/bookends.m4
diff --git a/bookends.m4 b/bookends.m4
index f451c8d..699a966 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -108,11 +108,18 @@ m4_divert(32)m4_dnl
 ## Set forwarding options. Apparently setting ip_forward clobbers other
 ## settings, so put this first.
 case $host_type_<::>FWHOST in
- router) forward=1 ;;
- *) forward=0 ;;
+ router) forward=1 host=0 ;;
+ server) forward=0 host=0 ;;
+ client) forward=0 host=1 ;;
 esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
+for i in \
+ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
+ accept_redirects
+do
+ setdevopt $i $host
+done
 case $forward in
 0) inchains="INPUT" ;;
 1) inchains="INPUT FORWARD" ;;
@@ -147,7 +154,7 @@ setdevopt log_martians 0
 
 ## Turn off things which can mess with our routing decisions.
 setdevopt accept_source_route 0
-setdevopt accept_redirects 0
+setdevopt secure_redirects 1
 
 ## If we're maent to stop the firewall, then now is the time to do it.
 $exit_after_clearing
@@ -170,6 +177,10 @@ errorchain bad-source-address DROP
 ## Packet arrived on wrong interface for its source address. Drops the
 ## packet, since there's nowhere sensible to send an error.
 
+errorchain dns-rate-limit DROP
+## Dropped incoming DNS query due to rate limiting. The source address is
+## suspicious, so don't produce ICMP.
+
 errorchain bad-destination-address REJECT
 ## Packet arrived on non-loopback interface with loopback destination.
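Review bot: The rewritten `case $host_type_<::>FWHOST in` drops the old `*)` default, so a host type that is none of router/server/client leaves `forward` and `host` unset and the following `setopt ip_forward $forward` and `setdevopt $i $host` calls run with an empty value, whereas the old code treated anything unknown as a non-forwarding host. Either restore the conservative default, `*) forward=0 host=0 ;;`, or make the mistake loud with a branch that reports the unrecognised type and exits, since leaving accept_ra and accept_redirects undecided on a firewall is the wrong failure mode. A one-line comment on the new variable would also help, e.g. `## host=1: accept router advertisements and ICMP redirects (end hosts only)`. The `case $forward in` block at the end of the hunk continues outside it.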
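Review bot: Replacing `setdevopt accept_redirects 0` with `setdevopt secure_redirects 1` is easy to misread as still disabling redirects, when it only restricts which gateways' redirects are honoured; since accept_redirects is now chosen per host type in the earlier hunk, a comment tying the two together would help, e.g. `## accept_redirects is set per host type above; for clients, only honour redirects from the configured default gateways.` As far as I know secure_redirects exists only under the IPv4 conf tree, so if setdevopt also writes the IPv6 side, verify it tolerates the missing knob and note that IPv6 redirects accepted on clients are not restricted the same way.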