From 393cd5043d404a2c21132d992b0b2be0bc75ed76 Mon Sep 17 00:00:00 2001
From: Tuomo Soini
Date: Tue, 19 Mar 2024 11:04:36 +0200
Subject: [PATCH] AllowICMPs: router-advertisment source must be fe80::/10

Signed-off-by: Tuomo Soini
---
 Shorewall/Actions/action.AllowICMPs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Actions/action.AllowICMPs b/Shorewall/Actions/action.AllowICMPs
index 2d72ac5c7..65ae35233 100644
--- a/Shorewall/Actions/action.AllowICMPs
+++ b/Shorewall/Actions/action.AllowICMPs
@@ -20,16 +20,16 @@ DEFAULTS ACCEPT
 # The following should have a ttl of 255 and must be allowed to transit a bridge
 @1 - - ipv6-icmp router-solicitation
- @1 - - ipv6-icmp router-advertisement
 @1 - - ipv6-icmp neighbour-solicitation
 @1 - - ipv6-icmp neighbour-advertisement
 @1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation
 @1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
-# The following should have a link local source address and must be allowed to transit a bridge
+# The following must have a link local source address and must be allowed to transit a bridge
 @1 fe80::/10 - ipv6-icmp 130 # Listener query
 @1 fe80::/10 - ipv6-icmp 131 # Listener report
 @1 fe80::/10 - ipv6-icmp 132 # Listener done
+ @1 fe80::/10 - ipv6-icmp router-advertisement
 @1 fe80::/10 - ipv6-icmp 143 # Listener report v2
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
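Review bot: The relocated `router-advertisement` rule in the link-local group carries no trailing comment and no longer sits under the heading that documented the hop-limit-255 expectation, so a reader of the new file loses the reason it is accepted only from fe80::/10. I would add a comment on that line such as `# Router advertisement: RFC 4861 requires a link-local source and hop limit 255`, and place the rule after type 143 so the MLD types 130-143 stay contiguous. None of the visible rules matches on hop limit, so the 255 requirement is still documentation only here and the source prefix is the sole filter for RAs. Whether hop limit is checked elsewhere cannot be seen from this hunk.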