Author: eelco
Date: Fri Mar 11 11:08:16 2011
New Revision: 26270
URL: https://svn.nixos.org/websvn/nix/?rev=26270&sc=1
Log:
* RFC 4890 says that local nodes should not filter pretty much any
ICMPv6 messages (including echo requests), so don't do that.
Modified:
nixos/trunk/modules/services/networking/firewall.nix
Modified: nixos/trunk/modules/services/networking/firewall.nix
==============================================================================
--- nixos/trunk/modules/services/networking/firewall.nix Fri Mar 11
09:11:02 2011 (r26269)
+++ nixos/trunk/modules/services/networking/firewall.nix Fri Mar 11
11:08:16 2011 (r26270)
@@ -82,7 +82,10 @@
type = types.bool;
description =
''
- Whether to respond to incoming ICMP echo requests ("pings").
+ Whether to respond to incoming ICMPv4 echo requests
+ ("pings"). ICMPv6 pings are always allowed because the
+ larger address space of IPv6 makes network scanning much
+ less effective.
'';
};
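Review bot: The new description gives a different rationale for always allowing ICMPv6 pings (address-space size making scanning less effective) than the commit log does (RFC 4890 recommending that local nodes not filter ICMPv6), and the second reason is the one a reader of the option needs to find the policy behind it. Consider citing the RFC in the description so the two stay in agreement, e.g. `("pings"). ICMPv6 echo requests are always allowed, following RFC 4890, since filtering them breaks IPv6 operation and the larger address space makes scanning much less effective.` The `allowPing` option's header line lies outside the hunk.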
@@ -158,26 +161,18 @@
# probably nobody is listening anyway.
iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
- # Accept IPv6 ICMP packets on the local link.
- ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
- ip6tables -A INPUT -d fe80::/10 -p icmpv6 -j ACCEPT
-
- # Accept neighbour solicitations from solicited-node
- # addresses. Otherwise other nodes cannot reach us at
- # all.
- ip6tables -A INPUT -d ff02::1:ff00:0/104 -p icmpv6 --icmpv6-type
neighbour-solicitation -j ACCEPT
-
- # Accept router and neighbour advertisements from
- # anywhere. Would be nice to be more specific.
- ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j
ACCEPT
- ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement
-j ACCEPT
-
- # Optionally respond to pings.
+ # Optionally respond to ICMPv4 pings.
${optionalString cfg.allowPing ''
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
- ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
''}
+ # Accept all ICMPv6 messages except redirects and node
+ # information queries (type 139). See RFC 4890, section
+ # 4.4.
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -j DROP
+ ip6tables -A INPUT -p icmpv6 --icmpv6-type 139 -j DROP
+ ip6tables -A INPUT -p icmpv6 -j ACCEPT
+
# Reject/drop everything else.
ip46tables -A INPUT -j FW_REFUSE
'';
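Review bot: The comment on the new rules says "node information queries" and cites RFC 4890 section 4.4, but only the query type (139) is dropped; the Node Information protocol also has a response message (type 140), which the RFC lists together with the query, so a node that sends a query will still have responses accepted by the catch-all `ip6tables -A INPUT -p icmpv6 -j ACCEPT`. If the intent is to keep the Node Information protocol out entirely, add `ip6tables -A INPUT -p icmpv6 --icmpv6-type 140 -j DROP` next to the type 139 rule and widen the comment to "node information queries and responses (types 139 and 140)". Note also that the two explicit drops use `-j DROP` while everything else falls through to `FW_REFUSE`; that looks deliberate, but a short comment stating why these are dropped silently rather than refused would save the next reader the question. The Nix string these rules live in opens before the hunk.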