diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2020-11-03 16:44:35 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-11-03 16:45:52 +0100 |
commit | 95d537cbc13ae8bfe6518fe73d45d4bdb1da37ed (patch) | |
tree | 6d7fdec44da0632eca660998ab810f8b73e925ab | |
parent | 297005c239408bf269b21a8828c6d5c479e9b8a1 (diff) |
Firewall: allow ICMP type 11 (time time-exceeded).
This is in particular needed for traceroutes and routing loop detection.
-rwxr-xr-x | roles/common/templates/etc/nftables.conf.j2 | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2 index bbc0e7c..c89a136 100755 --- a/roles/common/templates/etc/nftables.conf.j2 +++ b/roles/common/templates/etc/nftables.conf.j2 @@ -57,7 +57,7 @@ table netdev filter { ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options) - icmp type { echo-reply, echo-request, destination-unreachable } counter accept + icmp type { echo-reply, echo-request, destination-unreachable, time-exceeded } counter accept icmpv6 type { echo-reply, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } counter accept @@ -165,6 +165,7 @@ table inet filter { # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept + # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already meta l4proto { icmp, icmpv6 } counter accept udp sport 123 udp dport 123 ct state related,established accept |