AllowICMPs: allowing redirects is a security issue and not required

Also redirect source must be fe80::/10

Signed-off-by: Tuomo Soini <tis@foobar.fi>
Tuomo Soini 2024-03-19 11:02:31 +02:00
parent aae5baedfd
commit 0de5e88018

@ -23,7 +23,6 @@ DEFAULTS ACCEPT
@1 - - ipv6-icmp router-advertisement @1 - - ipv6-icmp router-advertisement
@1 - - ipv6-icmp neighbour-solicitation @1 - - ipv6-icmp neighbour-solicitation
@1 - - ipv6-icmp neighbour-advertisement @1 - - ipv6-icmp neighbour-advertisement
@1 - - ipv6-icmp 137 # Redirect
@1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation @1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
@1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement @1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
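Review bot: the `ipv6-icmp 137 # Redirect` line is removed without leaving any trace in the file, so the remaining neighbour discovery list (router-advertisement through 141/142) now looks like it has an accidental gap. Suggest a one-line comment where the rule used to sit, stating that Redirect (137) is intentionally not accepted, so it is not re-added later. The commit message's second sentence ("redirect source must be fe80::/10") could also be read as describing a source restriction, which this hunk does not add; rewording it as a further reason for removal would avoid that. Since the macro no longer accepts type 137 under `DEFAULTS ACCEPT`, a changelog or macro-header note would help anyone who relied on it to add their own rule.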