Ticket #108: openrc-0.2.5-ipfw_haveip6.patch

File openrc-0.2.5-ipfw_haveip6.patch, 0 bytes (added by Dmitri Bogomolov <g1itch@i.ua>, 2 years ago)

ipfw.in patch

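--- a/init.d/ipfw.in
+++ b/init.d/ipfw.in
@@ -4,6 +4,9 @@
 
 # This is based on /etc/rc.firewall and /etc/rc.firewall6 from FreeBSD
 
+HAVEIP6=true
+sysctl net.ipv6 2>/dev/null || HAVEIP6=false
+
 ipfw_ip_in=${ipfw_ip_in-any}
 ipfw_ports_in=${ipfw_ports_in-auth ssh}
 ipfw_ports_nolog=${ipfw_ports_nolog-135-139,445 1026,1027 1433,1434}
@@ -36,11 +39,13 @@
         ipfw add deny all from any to 127.0.0.0/8
         ipfw add deny ip from 127.0.0.0/8 to any
 
-        ipfw add pass ip6 from any to any via lo0
-        ipfw add deny ip6 from any to ::1
-        ipfw add deny ip6 from ::1 to any
+        if ${HAVEIP6}; then 
+                ipfw add pass ip6 from any to any via lo0
+                ipfw add deny ip6 from any to ::1
+                ipfw add deny ip6 from ::1 to any
         
-        ipfw add pass ip6 from :: to ff02::/16 proto ipv6-icmp
-        ipfw add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
-        ipfw add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
+                ipfw add pass ip6 from :: to ff02::/16 proto ipv6-icmp
+                ipfw add pass ip6 from fe80::/10 to fe80::/10 proto ipv6-icmp
+                ipfw add pass ip6 from fe80::/10 to ff02::/16 proto ipv6-icmp
+        fi
 }
 
 start() {
@@ -62,9 +67,11 @@
         ipfw add pass udp  from me  to any       keep-state
         ipfw add pass icmp from me  to any       keep-state
 
-        ipfw add pass tcp  from me6 to any setup keep-state
-        ipfw add pass udp  from me6 to any       keep-state
-        ipfw add pass icmp from me6 to any       keep-state
+        if ${HAVEIP6}; then
+                ipfw add pass tcp  from me6 to any setup keep-state
+                ipfw add pass udp  from me6 to any       keep-state
+                ipfw add pass icmp from me6 to any       keep-state
+        fi
 
         # Allow DHCP.
         ipfw add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
@@ -77,11 +84,13 @@
         # Allow "mandatory" ICMP in.
         ipfw add pass icmp from any to any icmptype 3,4,11
 
-        # Allow ICMPv6 destination unreach
-        ipfw add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
-
-        # Allow NS/NA/toobig (don't filter it out)
-        ipfw add pass ip6 from any to any icmp6types 2,135,136 proto ipv6-icmp
+        if ${HAVEIP6}; then
+                # Allow ICMPv6 destination unreach
+                ipfw add pass ip6 from any to any icmp6types 1 proto ipv6-icmp
+        
+                # Allow NS/NA/toobig (don't filter it out)
+                ipfw add pass ip6 from any to any icmp6types 2,135,136 proto ipv6-icmp
+        fi
         
         # Add permits for this workstations published services below
         # Only IPs and nets in firewall_allowservices is allowed in.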
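Review bot: The probe `sysctl net.ipv6 2>/dev/null || HAVEIP6=false` added near the top of the file now decides whether any IPv6 rule is loaded, so a false negative silently leaves the ruleset without the `me6` keep-state rules and the ICMPv6 neighbour-discovery permits even though IPv6 may still be active on the host. FreeBSD exposes its IPv6 sysctls under `net.inet6`, so it is worth confirming that `net.ipv6` resolves on the intended kernels; where it does not, HAVEIP6 is always false. The probe also leaves stdout open, so on success it prints the whole subtree each time the script is read; `sysctl net.ipv6 >/dev/null 2>&1 || HAVEIP6=false` would silence it. A comment next to the probe stating what the remaining rules do with IPv6 traffic when HAVEIP6 is false would help anyone auditing the resulting ruleset.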