#
# Shorewall -- /usr/share/shorewall/action.AllowICMPs
#
# This action ACCEPTs needed ICMP types.
#
# The rules below match on protocol and ICMP type, plus a source prefix where
# one is given. The hop-limit conditions mentioned in the comments are not
# expressed in any rule column here.
# NOTE(review): presumably enforcement of those conditions is left to the
# receiving IPv6 stack -- confirm before relying on this action where these
# packets are bridged or forwarded rather than delivered locally.
#
###############################################################################
#ACTION         SOURCE          DEST    PROTO           DPORT   SPORT   ORIGDEST        RATE    USER

# Default for the action's first parameter; each @1 below expands to it, so
# invoking the action with a different parameter changes the target of every rule.
DEFAULTS ACCEPT

?if __IPV4
# IPv4: only two types are accepted. fragmentation-needed is what Path MTU
# Discovery depends on, so filtering it leads to stalled connections.
@1              -               -       icmp            fragmentation-needed    {comment="Needed ICMP types"}
@1              -               -       icmp            time-exceeded           {comment="Needed ICMP types"}
?else
# IPv6: the set follows the RFC 4890 filtering recommendations named in the
# ?COMMENT below, which labels the rules that follow it.
?COMMENT Needed ICMP types (RFC4890)
# Error messages. No source restriction is applied to these.
@1              -               -       ipv6-icmp       destination-unreachable
@1              -               -       ipv6-icmp       packet-too-big
@1              -               -       ipv6-icmp       time-exceeded
@1              -               -       ipv6-icmp       parameter-problem

# The following should have a hop limit (ttl) of 255 and must be allowed to transit a bridge
# Neighbour Discovery. The source column is "-", so these match from any source address.
@1              -               -       ipv6-icmp       router-solicitation
@1              -               -       ipv6-icmp       router-advertisement
@1              -               -       ipv6-icmp       neighbour-solicitation
@1              -               -       ipv6-icmp       neighbour-advertisement
@1              -               -       ipv6-icmp       137     # Redirect
@1              -               -       ipv6-icmp       141     # Inverse neighbour discovery solicitation
@1              -               -       ipv6-icmp       142     # Inverse neighbour discovery advertisement

# The following should have a link local source address and must be allowed to transit a bridge
# Multicast Listener Discovery. The fe80::/10 source match enforces the link-local condition.
@1              fe80::/10       -       ipv6-icmp       130     # Listener query
@1              fe80::/10       -       ipv6-icmp       131     # Listener report
@1              fe80::/10       -       ipv6-icmp       132     # Listener done
@1              fe80::/10       -       ipv6-icmp       143     # Listener report v2

# The following should be received with a hop limit (ttl) of 255 and must be allowed to transit a bridge
# Certification path messages (SEND). No source restriction is applied.
@1              -               -       ipv6-icmp       148     # Certificate path solicitation
@1              -               -       ipv6-icmp       149     # Certificate path advertisement

# The following should have a link local source address and a hop limit (ttl) of 1 and must be allowed to transit a bridge
# Multicast router discovery. Only the link-local source condition is enforced by the rule.
@1              fe80::/10       -       ipv6-icmp       151     # Multicast router advertisement
@1              fe80::/10       -       ipv6-icmp       152     # Multicast router solicitation
@1              fe80::/10       -       ipv6-icmp       153     # Multicast router termination
?endif