From 5d7297e498158641b71886f8f30de2facff78b4d Mon Sep 17 00:00:00 2001
From: Thermi
Date: Fri, 26 Feb 2016 01:06:08 +0100
Subject: [PATCH 1/2] ip6tables.rules: rpfilter!

Replaces the '-i if_lan' matches with '-m rpfilter' to show off the rpfilter module.
---
 rules-edge-router/ip6tables.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules-edge-router/ip6tables.rules b/rules-edge-router/ip6tables.rules
index 8115084..5e78dd8 100644
--- a/rules-edge-router/ip6tables.rules
+++ b/rules-edge-router/ip6tables.rules
@@ -39,7 +39,7 @@
 # -A INPUT -p tcp --dport 22 -j ACCEPT
 # -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
-# -A INPUT -p udp -i if_lan --dport 123 -j ACCEPT
+# -A INPUT -p udp -m rpfilter -s 2001:db8:1234:abcd::/64 --dport 123 -j ACCEPT
 # ICMPv6 traffic is sent to its own chain to handle required traffic
 -A INPUT -p ipv6-icmp -j icmp_in
@@ -53,7 +53,7 @@
 # Allow the LAN to forward anywhere to reach upstream networks.
 # Multi-homed hosts may want to restrict this by -o (outbound interface) too.
--A FORWARD -i if_lan -s 2001:db8:1234:abcd::/64 -j ACCEPT
+-A FORWARD -m rpfilter -s 2001:db8:1234:abcd::/64 -j ACCEPT
 # ICMP errors should be forwarded back to LAN clients regardless of state as
 # defined in RFC4890; these won't be replied to, so there's no security issue.

From a288a924561c8e52a4cd82ac9c857949718b9e35 Mon Sep 17 00:00:00 2001
From: Noel Kuntze
Date: Tue, 27 Aug 2019 15:30:54 +0200
Subject: [PATCH 2/2] Revert "ip6tables.rules: rpfilter!"

This reverts commit 5d7297e498158641b71886f8f30de2facff78b4d.
---
 rules-edge-router/ip6tables.rules | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules-edge-router/ip6tables.rules b/rules-edge-router/ip6tables.rules
index 5e78dd8..8115084 100644
--- a/rules-edge-router/ip6tables.rules
+++ b/rules-edge-router/ip6tables.rules
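Review bot: In both hunks of this patch (the INPUT rule at line 41 and the FORWARD rule at line 55) `-m rpfilter` is placed in chains where, as far as I recall, the kernel's rpfilter match is not accepted: ip6t_rpfilter registers only for the PREROUTING hook and its check rejects any table other than raw or mangle, so `ip6tables-restore` would fail on these lines if this file is loaded into the filter table, as the INPUT/FORWARD chain names suggest (the table header is outside the hunk). Even where it does load, rpfilter only confirms that the reverse route to the packet's source leaves via the arrival interface, which is equivalent to `-i if_lan` only while 2001:db8:1234:abcd::/64 is routed exclusively through the LAN interface; a packet with a LAN source arriving on another interface that also carries a route to that prefix would still match. A safer way to demonstrate the module is to keep the interface pin in the filter rule and add the reverse-path check where the match is valid, e.g. in a `*raw` section as `-A PREROUTING -m rpfilter --invert -j DROP`. Leaving the FORWARD line as `-A FORWARD -i if_lan -s 2001:db8:1234:abcd::/64 -j ACCEPT` keeps both the source-prefix and the ingress-interface constraints.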
@@ -39,7 +39,7 @@
 # -A INPUT -p tcp --dport 22 -j ACCEPT
 # -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
-# -A INPUT -p udp -m rpfilter -s 2001:db8:1234:abcd::/64 --dport 123 -j ACCEPT
+# -A INPUT -p udp -i if_lan --dport 123 -j ACCEPT
 # ICMPv6 traffic is sent to its own chain to handle required traffic
 -A INPUT -p ipv6-icmp -j icmp_in
@@ -53,7 +53,7 @@
 # Allow the LAN to forward anywhere to reach upstream networks.
 # Multi-homed hosts may want to restrict this by -o (outbound interface) too.
--A FORWARD -m rpfilter -s 2001:db8:1234:abcd::/64 -j ACCEPT
+-A FORWARD -i if_lan -s 2001:db8:1234:abcd::/64 -j ACCEPT
 # ICMP errors should be forwarded back to LAN clients regardless of state as
 # defined in RFC4890; these won't be replied to, so there's no security issue.
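Review bot: The restored FORWARD rule at line 55 carries no comment explaining why the interface match is the right form here, so the next editor may repeat the rpfilter experiment that this revert undoes. A one-line comment above it, such as `# -i if_lan pins ingress; reverse-path checks belong in raw PREROUTING (rpfilter is not valid in this chain)`, would record the reasoning in the file rather than only in git history. The same applies to the commented-out INPUT example at line 41, which is restored in the first hunk.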