# Shorewall6 version 4 - Audited AllowICMPs Action
# /usr/share/shorewall6/action.A_AllowICMPs
# This action accepts, with auditing (A_ACCEPT), the ICMPv6 types that IPv6 needs in order to work
###############################################################################
#TARGET SOURCE DEST PROTO DEST PORT(S) (the ICMPv6 type when PROTO is ipv6-icmp)
# COMMENT labels the rules that follow with this text, so they can be traced back to this action
# in the generated ruleset.
COMMENT Needed ICMP types (RFC4890)
A_ACCEPT - - ipv6-icmp destination-unreachable # ICMPv6 type 1 (error message)
A_ACCEPT - - ipv6-icmp packet-too-big # ICMPv6 type 2; Path MTU discovery depends on it, so dropping it breaks connections
A_ACCEPT - - ipv6-icmp time-exceeded # ICMPv6 type 3; matched by type only, so every code is accepted
A_ACCEPT - - ipv6-icmp parameter-problem # ICMPv6 type 4; matched by type only, so every code is accepted
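# The following should have a hop limit (the IPv6 equivalent of ttl) of 255 and must be allowed to transit a bridge.
# Note: the rules below match on ICMPv6 type only; they do not themselves check the hop limit.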
A_ACCEPT - - ipv6-icmp router-solicitation # ICMPv6 type 133 (Neighbor Discovery)
A_ACCEPT - - ipv6-icmp router-advertisement # ICMPv6 type 134 (Neighbor Discovery); accepted from any source here
A_ACCEPT - - ipv6-icmp neighbour-solicitation # ICMPv6 type 135 (Neighbor Discovery; the IPv6 counterpart of an ARP request)
A_ACCEPT - - ipv6-icmp neighbour-advertisement # ICMPv6 type 136 (Neighbor Discovery; the IPv6 counterpart of an ARP reply)
# NOTE(review): RFC 4890 discusses Redirect as a type that needs a deliberate local policy rather than
# one that must always pass. This rule accepts it from any source with no hop-limit check, so confirm
# that is wanted wherever this action is applied.
A_ACCEPT - - ipv6-icmp 137 # Redirect
A_ACCEPT - - ipv6-icmp 141 # Inverse Neighbor Discovery solicitation (RFC 3122)
A_ACCEPT - - ipv6-icmp 142 # Inverse Neighbor Discovery advertisement (RFC 3122)
# The following should have a link-local source address (enforced below by fe80::/10 in the SOURCE column) and must be allowed to transit a bridge
A_ACCEPT fe80::/10 - ipv6-icmp 130 # Multicast Listener Discovery (MLD): listener query
A_ACCEPT fe80::/10 - ipv6-icmp 131 # Multicast Listener Discovery (MLD): listener report
A_ACCEPT fe80::/10 - ipv6-icmp 132 # Multicast Listener Discovery (MLD): listener done
A_ACCEPT fe80::/10 - ipv6-icmp 143 # Multicast Listener Discovery version 2 (MLDv2): listener report
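# The following should be received with a hop limit (the IPv6 equivalent of ttl) of 255 and must be allowed to transit a bridge.
# Note: the rules below match on ICMPv6 type only; they do not themselves check the hop limit.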
A_ACCEPT - - ipv6-icmp 148 # Certification path solicitation (Secure Neighbor Discovery, RFC 3971)
A_ACCEPT - - ipv6-icmp 149 # Certification path advertisement (Secure Neighbor Discovery, RFC 3971)
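# The following should have a link-local source address and a hop limit (the IPv6 equivalent of ttl) of 1 and must be allowed to transit a bridge.
# Note: the rules below enforce the fe80::/10 source but do not themselves check the hop limit.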
A_ACCEPT fe80::/10 - ipv6-icmp 151 # Multicast Router Discovery (RFC 4286): router advertisement
A_ACCEPT fe80::/10 - ipv6-icmp 152 # Multicast Router Discovery (RFC 4286): router solicitation
A_ACCEPT fe80::/10 - ipv6-icmp 153 # Multicast Router Discovery (RFC 4286): router termination