
better defaults for ICMP

1 parent 9978d6e commit b6a05b0e00bb7ecb6b173eadb60149fc1039db47 Lori Holden committed Feb 1, 2012
Showing with 47 additions and 4 deletions.
  1. +19 −3 firewall/inbound.sh
  2. +28 −1 firewall/outbound.sh
@@ -36,10 +36,26 @@ $command -A tcp_inbound -p TCP -j RETURN
###
# Chain: ICMP Inbound
###
-# $command -A icmp_inbound -p $icmp --${icmp}-type 8 -j ACCEPT # Echo Request
-# Time Exceeds
-$command -A icmp_inbound -p $icmp --${icmp}-type 11 -j ACCEPT
+if [[ "$command" = "ip6tables" ]]; then
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type echo-request -m limit --limit 900/min -j ACCEPT
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type echo-reply -m limit --limit 900/min -j ACCEPT
+
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
+ $command -A icmp_inbound -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
+else
+ $command -A icmp_inbound -p icmp --icmp-type echo-request -m limit --limit 900/min -j ACCEPT
+ $command -A icmp_inbound -p icmp --icmp-type echo-reply -m limit --limit 900/min -j ACCEPT
+ $command -A icmp_inbound -p icmp --icmp-type destination-unreachable -j ACCEPT
+ $command -A icmp_inbound -p icmp --icmp-type time-exceeded -j ACCEPT
+fi
$command -A icmp_inbound -p $icmp -j RETURN
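Review bot: The IPv6 branch accepts inbound `redirect` (the `--icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT` line) from any on-link sender, which allows a neighbour to change this host's next-hop unless the kernel also has `accept_redirects` disabled; for a host that is not meant to honour redirects the safer default is to omit that rule so the packet falls through to the RETURN below (and likewise for `router-advertisement` where addresses are configured statically). This is also inconsistent with the outbound chain in the same commit, which REJECTs outgoing router-advertisement and redirect, so the intended host role seems to be "never a router". Separately, `[[ "$command" = "ip6tables" ]]` silently selects the IPv4 branch if `$command` holds a path (for example a constructed `/sbin/ip6tables`), in which case `-p icmp` rules would be loaded under ip6tables; comparing `"${command##*/}"` instead, or keying on the existing `$icmp` variable already used in the RETURN line, avoids that. The same comparison appears in firewall/outbound.sh.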
@@ -1,6 +1,33 @@
+###
+# Create filter chains
+###
+$command -N blacklisted_outbound
+$command -N icmp_outbound
+
###
# Chain: Outbound
###
-# To the internet!
+$command -A outbound -p ALL -j blacklisted_outbound
+$command -A outbound -p ALL -j icmp_outbound
+$command -A outbound -p ALL -o $iface -j ACCEPT
+$command -A outbound -j RETURN
+
+###
+# Chain: Blacklisted Outbound
+###
+$command -A blacklisted_outbound -j RETURN
+
+###
+# Chain: ICMP Outbound
+###
+if [[ "$command" = "ip6tables" ]]; then
+ $command -A icmp_outbound -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
+ $command -A icmp_outbound -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
+ $command -A icmp_outbound -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
+ $command -A icmp_outbound -p icmpv6 --icmpv6-type router-advertisement -j REJECT
+ $command -A icmp_outbound -p icmpv6 --icmpv6-type redirect -j REJECT
+fi
+$command -A icmp_outbound -j RETURN
+
$command -A outbound -p ALL -o $iface -j ACCEPT
$command -A outbound -j RETURN
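Review bot: The two rules added after the `icmp_outbound` jump, `$command -A outbound -p ALL -o $iface -j ACCEPT` and `$command -A outbound -j RETURN`, duplicate the two pre-existing context lines at the end of the hunk, so the original pair is now appended after an unconditional RETURN and is dead; one of the two pairs should be deleted, and since `$iface` is unquoted in both, quoting it as `"$iface"` at the same time is cheap. In the IPv6 branch, `-j REJECT` on locally generated `router-advertisement` and `redirect` will attempt to emit an ICMPv6 error back to the local stack; `-j DROP` is the usual choice for suppressing the host's own traffic and avoids that, though the observable difference here is presumably only log/error noise. The ACCEPT rules for neighbour/router solicitation in `icmp_outbound` are redundant because everything leaving via `$iface` is accepted right after the chain returns, so they only matter if the outbound policy later changes — a one-line comment saying so would help. Minor: this file spells `neighbour-solicitation` while inbound.sh uses `neighbor-solicitation`; ip6tables accepts both, but pick one for grep-ability.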
