Author: eelco
Date: Thu Mar 10 16:25:08 2011
New Revision: 26260
URL: https://svn.nixos.org/websvn/nix/?rev=26260&sc=1
Log:
* Add some more rules to allow ICMPv6 router/neighbour advertisements
in. Maybe we're better off accepting all ICMPv6 messages *except*
echo requests.
Modified:
nixos/trunk/modules/services/networking/firewall.nix
Modified: nixos/trunk/modules/services/networking/firewall.nix
==============================================================================
--- nixos/trunk/modules/services/networking/firewall.nix Thu Mar 10
15:06:54 2011 (r26259)
+++ nixos/trunk/modules/services/networking/firewall.nix Thu Mar 10
16:25:08 2011 (r26260)
@@ -158,10 +158,19 @@
# probably nobody is listening anyway.
iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
- # Accept IPv6 ICMP packets on the local link. Otherwise
- # stuff like neighbor/router solicitation won't work.
+ # Accept IPv6 ICMP packets on the local link.
ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
ip6tables -A INPUT -d fe80::/10 -p icmpv6 -j ACCEPT
+
+ # Accept neighbour solicitations from solicited-node
+ # addresses. Otherwise other nodes cannot reach us at
+ # all.
+ ip6tables -A INPUT -d ff02::1:ff00:0/104 -p icmpv6 --icmpv6-type
neighbour-solicitation -j ACCEPT
+
+ # Accept router and neighbour advertisements from
+ # anywhere. Would be nice to be more specific.
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j
ACCEPT
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement
-j ACCEPT
# Optionally respond to pings.
${optionalString cfg.allowPing ''
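Review bot: the two new advertisement rules accept router-advertisement and neighbour-advertisement from any source, which is broader than the comment "Would be nice to be more specific" admits. Neighbor Discovery messages are required to arrive with a hop limit of 255 (they are never forwarded), so adding `-m hl --hl-eq 255` to both rules rejects advertisements injected from off-link while still accepting legitimate on-link ones. Router advertisements in particular must carry a link-local source address, so a valid one already matches the existing `ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT` rule above; the unrestricted router-advertisement rule therefore only adds acceptance of malformed or spoofed ones and can be dropped or bound to `-s fe80::/10`. Neighbour advertisements may legitimately come from a global source, so that rule is needed, but it should get the hop-limit match. Separately, the solicited-node rule does not cover unicast neighbour solicitations used for neighbour unreachability detection, which are sent to our own unicast address and may have a global source; those still fall through to the default policy, which is probably the reason behind the log message's thought of accepting all ICMPv6 except echo requests. If that route is taken, restricting the blanket accept to the Neighbor Discovery types plus the hop-limit match is preferable to accepting the whole protocol.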
_______________________________________________
nix-commits mailing list
[email protected]
http://mail.cs.uu.nl/mailman/listinfo/nix-commits