From 0de5e8801813234cc2c104b2a26ad3e114ca777e Mon Sep 17 00:00:00 2001 From: Tuomo Soini Date: Tue, 19 Mar 2024 11:02:31 +0200 Subject: [PATCH] AllowICMPs: allowing redirects is a security issue and not required Also redirect source must be fe80::/10 Signed-off-by: Tuomo Soini --- Shorewall/Actions/action.AllowICMPs | 1 - 1 file changed, 1 deletion(-) diff --git a/Shorewall/Actions/action.AllowICMPs b/Shorewall/Actions/action.AllowICMPs index 83115bd69..2d72ac5c7 100644 --- a/Shorewall/Actions/action.AllowICMPs +++ b/Shorewall/Actions/action.AllowICMPs @@ -23,7 +23,6 @@ DEFAULTS ACCEPT @1 - - ipv6-icmp router-advertisement @1 - - ipv6-icmp neighbour-solicitation @1 - - ipv6-icmp neighbour-advertisement - @1 - - ipv6-icmp 137 # Redirect @1 - - ipv6-icmp 141 # Inverse neighbour discovery solicitation @1 - - ipv6-icmp 142 # Inverse neighbour discovery advertisement
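Review bot: The deletion of `@1 - - ipv6-icmp 137 # Redirect` is the only change in this hunk, yet the commit message also says "redirect source must be fe80::/10", and no line here implements or documents that. Please reword that sentence so it reads as rationale rather than as a second change, for example by saying that the removed rule accepted type 137 with `-` in the source column, that is, from any address. Otherwise readers will look for a source-restricted replacement rule. Because this changes what the AllowICMPs action accepts by default, a comment in action.AllowICMPs or a release note would also help. It should tell users who still need redirects to add their own rule limited to a link-local source. The diffstat shows one file with a single deletion and no such note.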