summaryrefslogtreecommitdiffstats
path: root/roles/common
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-11-03 16:44:35 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-11-03 16:45:52 +0100
commit95d537cbc13ae8bfe6518fe73d45d4bdb1da37ed (patch)
tree6d7fdec44da0632eca660998ab810f8b73e925ab /roles/common
parent297005c239408bf269b21a8828c6d5c479e9b8a1 (diff)
Firewall: allow ICMP type 11 (time time-exceeded).
This is in particular needed for traceroutes and routing loop detection.
Diffstat (limited to 'roles/common')
-rwxr-xr-xroles/common/templates/etc/nftables.conf.j23
1 files changed, 2 insertions, 1 deletions
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index bbc0e7c..c89a136 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -57,7 +57,7 @@ table netdev filter {
ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
# rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options)
- icmp type { echo-reply, echo-request, destination-unreachable } counter accept
+ icmp type { echo-reply, echo-request, destination-unreachable, time-exceeded } counter accept
icmpv6 type { echo-reply, echo-request, destination-unreachable,
packet-too-big, time-exceeded, parameter-problem } counter accept
@@ -165,6 +165,7 @@ table inet filter {
# ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept
ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
+ # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already
meta l4proto { icmp, icmpv6 } counter accept
udp sport 123 udp dport 123 ct state related,established accept