authorEelco Dolstra <eelco.dolstra@logicblox.com>2011-03-11 11:08:16 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2011-03-11 11:08:16 +0000
commitf672aa71bf0d0c14091d624df6d8c137b4df3602 (patch)
tree3e7ca6e0e6621e35a9f87678511b7ed3dbaad3cf /modules/services/networking/firewall.nix
parent0ea9f6611ab6024a03e44b0b3e61e06d6fb30e5c (diff)
* RFC 4890 says that local nodes should not filter pretty much any
  ICMPv6 messages (including echo requests), so don't do that.

svn path=/nixos/trunk/; revision=26270
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r--modules/services/networking/firewall.nix29
1 files changed, 12 insertions, 17 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index 44cb401c273..f719e6777a7 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -82,7 +82,10 @@ in
       type = types.bool;
       description =
         ''
-          Whether to respond to incoming ICMP echo requests ("pings").
+          Whether to respond to incoming ICMPv4 echo requests
+          ("pings").  ICMPv6 pings are always allowed because the
+          larger address space of IPv6 makes network scanning much
+          less effective.
         '';
     };
   
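Review bot: The rationale added to the description on the `+` lines (IPv6's larger address space makes scanning less effective) is not the one the commit message itself gives, which is that RFC 4890 recommends that local nodes not filter ICMPv6 echo requests. A user reading the option will want to know why there is no ICMPv6 counterpart of allowPing, and the RFC is the more durable justification, so I would phrase the second sentence as `ICMPv6 echo requests are always accepted, as recommended by RFC 4890.` and keep the scanning remark, if at all, as a secondary observation. The option attribute set continues outside the hunk.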
@@ -158,26 +161,18 @@ in
             # probably nobody is listening anyway.
             iptables -A INPUT -d 224.0.0.0/4 -j ACCEPT
 
-            # Accept IPv6 ICMP packets on the local link.
-            ip6tables -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
-            ip6tables -A INPUT -d fe80::/10 -p icmpv6 -j ACCEPT
-            
-            # Accept neighbour solicitations from solicited-node
-            # addresses.  Otherwise other nodes cannot reach us at
-            # all.
-            ip6tables -A INPUT -d ff02::1:ff00:0/104 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-
-            # Accept router and neighbour advertisements from
-            # anywhere.  Would be nice to be more specific.
-            ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-            ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-
-            # Optionally respond to pings.
+            # Optionally respond to ICMPv4 pings.
             ${optionalString cfg.allowPing ''
               iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-              ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
             ''}
 
+            # Accept all ICMPv6 messages except redirects and node
+            # information queries (type 139).  See RFC 4890, section
+            # 4.4.
+            ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -j DROP
+            ip6tables -A INPUT -p icmpv6 --icmpv6-type 139 -j DROP
+            ip6tables -A INPUT -p icmpv6 -j ACCEPT
+
             # Reject/drop everything else.
             ip46tables -A INPUT -j FW_REFUSE
           '';
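Review bot: The blanket `ip6tables -A INPUT -p icmpv6 -j ACCEPT` drops Node Information Query (type 139) but leaves its companion Node Information Response (type 140) accepted, and as far as I recall RFC 4890 section 4.4 lists both types together among the messages to drop unless there is a specific need for them; add `ip6tables -A INPUT -p icmpv6 --icmpv6-type 140 -j DROP` next to the type 139 rule. Dropping redirects in the filter chain is also only a partial control, because whether a received redirect is honoured is governed by the kernel's `net.ipv6.conf.all.accept_redirects` sysctl; if the module intends the DROP rule to be the sole protection, a comment stating that assumption would help the next maintainer. The shell string holding these rules opens and closes outside the hunk.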