projects / openwrt.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
package/kernel: enable kmod-ata-core & kmod-scsi-core on x86
[openwrt.git] / package / firewall / files / firewall.config
diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
index c7bc798..5a5dfd0 100644 (file)
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -44,30 +44,35 @@ config rule
        option target           ACCEPT
 
 # Allow essential incoming IPv6 ICMP traffic
        option target           ACCEPT
 
 # Allow essential incoming IPv6 ICMP traffic
-config rule                                   
+config rule
        option src              wan
        option src              wan
-       option dest             *
-       option proto            icmp
-       list icmp_type          router-solicitation
-       list icmp_type          router-advertisement
-       list icmp_type          neighbour-solicitation
-       list icmp_type          neighbour-advertisement
+       option proto    icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
+       list icmp_type          bad-header
+       list icmp_type          unknown-header-type
+       list icmp_type          router-solicitation
+       list icmp_type          neighbour-solicitation
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT
 
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT
 
-# Drop leaking router advertisements on WAN
-config rule
-       option src              *
-       option dest             wan
+# Allow essential forwarded IPv6 ICMP traffic
+config rule                                   
+       option src              wan
+       option dest             *
        option proto            icmp
        option proto            icmp
-       option icmp_type        router-advertisement
+       list icmp_type          echo-request
+       list icmp_type          destination-unreachable
+       list icmp_type          packet-too-big
+       list icmp_type          time-exceeded
+       list icmp_type          bad-header
+       list icmp_type          unknown-header-type
+       option limit            1000/sec
        option family           ipv6
        option family           ipv6
-       option target           DROP
+       option target           ACCEPT
 
 # include a file with users custom iptables rules
 config include
 
 # include a file with users custom iptables rules
 config include
Personal OpenWRT clone
This page took 0.026756 seconds and 4 git commands to generate.