Reverse the order of ICMP and Broadcast checking in the default actions

Signed-off-by: Tuomo Soini <tis@foobar.fi>
2016-04-12 10:12:29 +03:00 · 2016-04-12 10:12:29 +03:00 · 3e0b8c60a2
commit 3e0b8c60a2
parent 16afd880b2
2 changed files with 14 additions and 8 deletions
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@ -23,14 +23,17 @@ COUNT
 #
 Auth(A_DROP)
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@ -18,15 +18,18 @@
 #
 COUNT
 #
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).