From c7d0d6820ba386e41ddc14ef609175ee42895429 Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Mon, 7 Sep 2020 11:14:07 +0200
Subject: [PATCH] Simplification of the input ICMP et IGMP rules

---
 minifirewall-start.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/minifirewall-start.sh b/minifirewall-start.sh
index fd700d4..fdfae3a 100755
--- a/minifirewall-start.sh
+++ b/minifirewall-start.sh
@@ -118,8 +118,8 @@ $NFT add rule inet minifirewall minifirewall_input ip saddr $INTLAN accept
 $NFT add rule inet minifirewall minifirewall_input ct state invalid drop
 # ICMP and IGMP traffic is accepted
-$NFT add rule inet minifirewall minifirewall_input meta l4proto ipv6-icmp icmpv6 type '{ destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report }' accept
-$NFT add rule inet minifirewall minifirewall_input meta l4proto icmp icmp type '{ destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem }' accept
+$NFT add rule inet minifirewall minifirewall_input meta l4proto ipv6-icmp icmpv6 accept
+$NFT add rule inet minifirewall minifirewall_input meta l4proto icmp icmp accept
 $NFT add rule inet minifirewall minifirewall_input ip protocol igmp accept
 # New UDP traffic from trusted IPs jumps to the private_udp_ports chain
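Review bot: The two added rules end in `icmpv6 accept` and `icmp accept`, and as far as I recall nft treats a bare `icmpv6`/`icmp` keyword as the start of a header-field match (`icmpv6 type ...`), so these lines are likely to fail to parse when the script runs; `$NFT add rule inet minifirewall minifirewall_input meta l4proto ipv6-icmp accept` and `$NFT add rule inet minifirewall minifirewall_input meta l4proto icmp accept` express the intent and drop the stray keyword. Independently of syntax, removing the type sets widens what the input chain accepts: every ICMP and ICMPv6 type the old sets deliberately left out (echo-request, redirect and nd-redirect, timestamp-request, among others) now reaches the accept verdict. If that widening is intended, the comment above the rules should say so, e.g. `# All ICMP and ICMPv6 types are accepted without per-type filtering; IGMP is accepted too`; if it is not, the type sets from the removed lines should be kept and only the rule wording simplified.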
@@ -145,7 +145,6 @@ $NFT add rule inet minifirewall minifirewall_input 'meta l4proto tcp tcp flags &
 # Reject all traffic that was not processed by other rules
 $NFT add rule inet minifirewall minifirewall_input meta l4proto udp reject
 $NFT add rule inet minifirewall minifirewall_input meta l4proto tcp reject with tcp reset
-$NFT add rule inet minifirewall minifirewall_input counter reject with icmpx type port-unreachable
 # Feed public_tcp_ports chain with public TCP ports
 for x in $SERVICESTCP1
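Review bot: With the final `counter reject with icmpx type port-unreachable` rule gone, any packet that is neither UDP nor TCP and matched no earlier accept now falls through to the chain's policy, which is declared outside this hunk; if that policy is not `drop`, such traffic is silently accepted, and in either case the counter that made the fall-through visible in `nft list ruleset` is lost. The commit title only mentions the ICMP/IGMP simplification, so this removal deserves a sentence in the description and a comment at the end of the chain, e.g. `# Anything not handled above falls through to the chain policy, which must be drop`. The `for` loop after the comment continues past the hunk.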