#
# Shorewall -- /usr/share/shorewall/action.AllowICMPs
#
# This action ACCEPTs needed ICMP types.
#
###############################################################################
#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER

DEFAULTS ACCEPT

?if __IPV4
    @1	-	-	icmp	fragmentation-needed	{comment="Needed ICMP types"}
    @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
?else
?COMMENT Needed ICMP types (RFC4890)
    @1	-		-	ipv6-icmp	destination-unreachable
    @1	-		-	ipv6-icmp	packet-too-big
    @1	-		-	ipv6-icmp	time-exceeded
    @1	-		-	ipv6-icmp	parameter-problem

# The following should have a ttl of 255 and must be allowed to transit a bridge
    @1	-		-	ipv6-icmp	router-solicitation
    @1	-		-	ipv6-icmp	router-advertisement
    @1	-		-	ipv6-icmp	neighbour-solicitation
    @1	-		-	ipv6-icmp	neighbour-advertisement
    @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
    @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement

# The following should have a link local source address and must be allowed to transit a bridge
    @1	fe80::/10	-	ipv6-icmp	130	# Listener query
    @1	fe80::/10	-	ipv6-icmp	131	# Listener report
    @1	fe80::/10	-	ipv6-icmp	132	# Listener done
    @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2

# The following should be received with a ttl of 255 and must be allowed to transit a bridge
    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
    @1	-		-	ipv6-icmp	149	# Certificate path advertisement

# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
    @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
    @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
    @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
?endif