summaryrefslogtreecommitdiffstats
path: root/package/network/config/firewall/files
diff options
context:
space:
mode:
authorcyrus <cyrus@3c298f89-4303-0410-b956-a3cf2f4a3e73>2013-01-04 15:59:28 +0000
committercyrus <cyrus@3c298f89-4303-0410-b956-a3cf2f4a3e73>2013-01-04 15:59:28 +0000
commit767e0521dfcd49b4cab19989d3448c265c9ea33c (patch)
treee3b81c8f25b49464cef98cd021d2ddb55400be63 /package/network/config/firewall/files
parentb0c25645e53f791c0b72d42f0f0ac22f3e1ed60a (diff)
firewall: Add ULA site border for IPv6 traffic
This prevents private traffic from leaking out to the internet git-svn-id: svn://svn.openwrt.org/openwrt/trunk@35012 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/network/config/firewall/files')
-rw-r--r--package/network/config/firewall/files/firewall.config19
1 files changed, 19 insertions, 0 deletions
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index a87413904..6acfe1e86 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -95,6 +95,25 @@ config rule
option family ipv6
option target ACCEPT
+# Block ULA-traffic from leaking out
+config rule
+ option name Enforce-ULA-Border-Src
+ option src *
+ option dest wan
+ option proto all
+ option src_ip fc00::/7
+ option family ipv6
+ option target REJECT
+
+config rule
+ option name Enforce-ULA-Border-Dest
+ option src *
+ option dest wan
+ option proto all
+ option dest_ip fc00::/7
+ option family ipv6
+ option target REJECT
+
# include a file with users custom iptables rules
config include
option path /etc/firewall.user