firewall: Allow IGMP and MLD input on WAN
The WAN port should at least respond to IGMP and MLD queries as otherwise a snooping bridge/switch might drop traffic.

RFC4890 recommends to leave IGMP and MLD unfiltered as they are always link-scoped anyways.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

SVN-Revision: 45613
parent 336fc7a702
commit d534883a52
@ -46,6 +46,13 @@ config rule
|
|||||||
option family ipv4
|
option family ipv4
|
||||||
option target ACCEPT
|
option target ACCEPT
|
||||||
|
|
||||||
|
config rule
|
||||||
|
option name Allow-IGMP
|
||||||
|
option src wan
|
||||||
|
option proto igmp
|
||||||
|
option family ipv4
|
||||||
|
option target ACCEPT
|
||||||
|
|
||||||
# Allow DHCPv6 replies
|
# Allow DHCPv6 replies
|
||||||
# see https://dev.openwrt.org/ticket/10381
|
# see https://dev.openwrt.org/ticket/10381
|
||||||
config rule
|
config rule
|
||||||
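Review bot: The new Allow-IGMP rule accepts every IGMP packet arriving on wan but has no comment explaining why, while the rule right after it carries `# Allow DHCPv6 replies` and a ticket link. Add a comment line above its `config rule` stating the reason given in the commit message (answering IGMP queries so that a snooping bridge/switch keeps forwarding traffic), so that anyone auditing the WAN input ACCEPT rules can tell the opening is intentional.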
@ -59,6 +66,18 @@ config rule
|
|||||||
option family ipv6
|
option family ipv6
|
||||||
option target ACCEPT
|
option target ACCEPT
|
||||||
|
|
||||||
|
config rule
|
||||||
|
option name Allow-MLD
|
||||||
|
option src wan
|
||||||
|
option proto icmp
|
||||||
|
option src_ip fe80::/10
|
||||||
|
list icmp_type '130/0'
|
||||||
|
list icmp_type '131/0'
|
||||||
|
list icmp_type '132/0'
|
||||||
|
list icmp_type '143/0'
|
||||||
|
option family ipv6
|
||||||
|
option target ACCEPT
|
||||||
|
|
||||||
# Allow essential incoming IPv6 ICMP traffic
|
# Allow essential incoming IPv6 ICMP traffic
|
||||||
config rule
|
config rule
|
||||||
option name Allow-ICMPv6-Input
|
option name Allow-ICMPv6-Input
|
||||||
|
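Review bot: The four `list icmp_type` entries in Allow-MLD are bare numbers with no comment, so a reader has to look up that 130/0, 131/0, 132/0 and 143/0 are the MLD query, report, done and MLDv2 report messages. Add a comment above the rule naming them, in the style of `# Allow essential incoming IPv6 ICMP traffic` on the next rule. The same comment could say why this rule is limited with `option src_ip fe80::/10` while Allow-IGMP in the previous hunk has no source restriction.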