#
# rules.before (IPv6 filter table; populates the ufw6-* chains)
#
# Rules that are loaded before the rules added via the ufw command line.
# Custom rules should be appended to one of these chains:
#   ufw6-before-input
#   ufw6-before-output
#   ufw6-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw6-before-input - [0:0]
:ufw6-before-output - [0:0]
:ufw6-before-forward - [0:0]
# End required lines
# allow all on loopback
-A ufw6-before-input -i lo -j ACCEPT
-A ufw6-before-output -o lo -j ACCEPT
# drop packets carrying a Type 0 Routing Header (RH0, deprecated by RFC 5095
# because it allows traffic amplification and path manipulation) on all three chains
-A ufw6-before-input -m rt --rt-type 0 -j DROP
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
-A ufw6-before-output -m rt --rt-type 0 -j DROP
# accept packets that belong to an already-tracked connection (RELATED,ESTABLISHED)
# early, before any of the per-type checks below
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
# 4.4.1 and 4.4.2), but have no associated connection and would otherwise
# be marked INVALID by conntrack, so allow them here, before the INVALID drop.
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# drop INVALID packets (the jump to ufw6-logging-deny, a chain not declared in
# this file, logs them in loglevel medium and higher)
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2). The router/neighbor
# discovery types below are accepted only with hop limit 255, a value no
# forwarded packet can carry, so the sender must be on-link; MLD and
# multicast-router discovery are accepted only from link-local sources (fe80::/10).
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2 (echo-reply needs to be before INVALID, see above)
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# Inverse Neighbor Discovery (IND) solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# Inverse Neighbor Discovery (IND) advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# Multicast Router Discovery (MRD) advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# Multicast Router Discovery (MRD) solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# Multicast Router Discovery (MRD) termination
-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2). The same constraints as
# for INPUT apply: router/neighbor discovery only with hop limit 255, MLD and
# multicast-router discovery only with a link-local source (fe80::/10).
-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
# Inverse Neighbor Discovery (IND) solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
# Inverse Neighbor Discovery (IND) advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
# MLD query
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
# MLD report
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
# MLD done
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
# MLD report v2
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
# SEND certificate path solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
# SEND certificate path advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
# Multicast Router Discovery (MRD) advertisement
-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# Multicast Router Discovery (MRD) solicitation
-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# Multicast Router Discovery (MRD) termination
-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
# ok icmp codes for FORWARD (rfc4890, 4.3.1)
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
# codes 0 and 1
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# codes 0-2
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
# ok icmp codes for FORWARD (rfc4890, 4.3.2): Mobile IPv6 messages.
# NOTE(review): the four rules below are appended to ufw6-before-input, not
# ufw6-before-forward, and carry no hop-limit or source restriction — confirm
# this is intended before relying on it.
# Home Agent Address Discovery Request
-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
# Home Agent Address Discovery Reply
-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
# Mobile Prefix Solicitation
-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
# Mobile Prefix Advertisement
-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT
# allow the DHCPv6 client to work: replies from a link-local server/relay
# (UDP source port 547) to the link-local client port (UDP 546)
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
# allow MULTICAST mDNS for service discovery (UDP 5353 to ff02::fb). The rule
# has no -i or -s match, so it accepts from any source on every interface;
# restrict it with -i on hosts that have an untrusted interface.
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (UDP 1900 to ff02::f). Like the
# mDNS rule above it is not restricted by interface or source; add -i where
# an interface is untrusted.
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed