From 96b3e162fef0febb1f3704c1d2d44dbfc41e3ac1 Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 29 Oct 2020 12:55:59 +0100 Subject: [PATCH] Fix error droping ICMP packets. fix error dropping private networks. --- ip6t-firewall-server | 23 ++++++++++++++--------- ipt-firewall-server | 3 ++- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/ip6t-firewall-server b/ip6t-firewall-server index b755a47..a930f88 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server @@ -620,7 +620,7 @@ echononl "\tBlock spoofed (private/reserved) packets" for _dev in ${ext_if_arr[@]} ; do if $log_spoofed || $log_all ; then $ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " - $ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (Link Local Unicast): " + #$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (Link Local Unicast): " $ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Multicast: " fi done @@ -631,7 +631,11 @@ fi for _dev in ${ext_if_arr[@]} ; do $ip6t -t mangle -A PREROUTING -i $_dev -s $ula_block -j DROP - $ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j DROP + + # !! Does NOT work !! + # + #$ip6t -t mangle -A PREROUTING -i $_dev -s $link_local_unicast_block -j DROP + $ip6t -t mangle -A PREROUTING -i $_dev -s $multicast_ipv6 -j DROP done $ip6t -t mangle -A PREROUTING -s $loopback_ipv6 ! -i lo -j DROP 
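Review bot: The `# !! Does NOT work !!` comment left above the disabled `-s $link_local_unicast_block -j DROP` rule in the second hunk records that the rule broke something but not why, which is exactly what the next maintainer needs before re-enabling it. Assuming `$link_local_unicast_block` is fe80::/10, the rule cannot be restored as written: Neighbor Discovery (NS/NA/RS/RA) and DHCPv6 arrive on the external interface with link-local sources, so dropping them in mangle PREROUTING takes IPv6 down on the host. I would delete the dead rule (here and its matching log line in the previous hunk) and replace the comment with `# fe80::/10 is deliberately NOT dropped on ingress: NDP and DHCPv6 use link-local sources and the host loses IPv6 without them.` Since link-local sources are now admitted here, the filter-table rules (outside this hunk) are the place that should limit them to the ICMPv6 ND types and DHCPv6 that actually need to pass; I cannot see from this diff whether they do.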
@@ -645,12 +649,13 @@ echo_done echononl "\tDrop all ICMP traffic.." if [[ -n "$drop_icmp" ]] && $drop_icmp ; then if $log_rejected || $log_all ; then - $ip6t -t mangle -A PREROUTING -p ipv6-icmp -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: " + $ip6t -t mangle -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j $LOG_TARGET $tag_log_prefix "$log_prefix Drop all ICMP traffic: " fi - $ip6t -t mangle -A PREROUTING -p ipv6-icmp -j DROP + $ip6t -t mangle -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j DROP echo_done +else + echo_skipped fi -echo_skipped # --- @@ -662,12 +667,12 @@ echononl "\tDon't allow spoofing out from this server" if $log_spoofed_out || $log_all ; then for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " - $ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + #$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " - $ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " + #$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix Spoofing Out: " fi 
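Review bot: The label strings in the first hunk no longer describe the rule: `echononl "\tDrop all ICMP traffic.."` and the `"$log_prefix Drop all ICMP traffic: "` log prefix still say "all" while the new rule matches only `--icmpv6-type echo-request`, so anyone reading the console output or the kernel log will believe ICMPv6 is blocked wholesale. Narrowing to echo-request is the right call (dropping all ICMPv6 would kill Neighbor Discovery and Packet-Too-Big/PMTUD), so the strings should follow it, e.g. `"$log_prefix Drop ICMPv6 echo-request: "` and `"\tDrop ICMPv6 echo requests.."`. Separately, the rule carries no `-i` and sits in mangle PREROUTING, so it also drops echo requests arriving on internal interfaces and, if I read the hook order right, on lo; if the intent is only to hide the host from the outside, loop over `${ext_if_arr[@]}` with `-i $_dev` as the spoof rules above do. The enclosing `if [[ -n "$drop_icmp" ]] && $drop_icmp` block and the `drop_icmp` option are defined outside this hunk, and the option's description should be updated to say it now means echo-request only.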
@@ -676,12 +681,12 @@ fi for _dev in ${ext_if_arr[@]} ; do $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP - $ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j DROP + #$ip6t -A OUTPUT -o $_dev -s $link_local_unicast_block -j DROP $ip6t -A OUTPUT -o $_dev -s $multicast_ipv6 -j DROP $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP - $ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j DROP + #$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j DROP $ip6t -A FORWARD -o $_dev -s $multicast_ipv6 -j DROP $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP fi diff --git a/ipt-firewall-server b/ipt-firewall-server index 2e48013..e626912 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server @@ -797,8 +797,9 @@ if [[ -n "$drop_icmp" ]] && $drop_icmp ; then fi $ipt -t mangle -A PREROUTING -p icmp -j DROP echo_done +else + echo_skipped fi -echo_skipped # ---
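Review bot: Commenting out the FORWARD rule `#$ip6t -A FORWARD -o $_dev -s $link_local_unicast_block -j DROP` in the first hunk removes an anti-spoofing check that was valid: packets with a link-local source must never be forwarded (RFC 4291 §2.5.6), so unlike the OUTPUT and PREROUTING cases this rule could not have been what broke IPv6, assuming `$link_local_unicast_block` is fe80::/10. Only the OUTPUT rule needs to go, because the host itself legitimately sends NDP from its fe80:: address out of `$_dev`. I would restore the FORWARD drop (and its log counterpart in the previous hunk) and replace the commented OUTPUT line with `# link-local sources are legitimate in OUTPUT (NDP/RA/DHCPv6 sent by this host); only ula, multicast and loopback are spoof candidates here`, deleting the dead line rather than leaving it commented. The `$kernel_forward_between_interfaces` guard means this only matters on hosts that route, which is precisely where spoofed link-local forwarding is worth catching.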
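Review bot: The IPv4 rule `$ipt -t mangle -A PREROUTING -p icmp -j DROP`, kept as context in the ipt-firewall-server hunk, still drops every ICMP type while the same commit narrows the IPv6 rule to echo-request only, so the two scripts now disagree on what `drop_icmp` means. Dropping all ICMPv4 also discards type 3 code 4 (fragmentation needed) and type 11 (time exceeded), which blackholes PMTU discovery on any path with a smaller MTU and breaks traceroute; `$ipt -t mangle -A PREROUTING -p icmp --icmp-type echo-request -j DROP` (with the same `--icmp-type` on the log rule above it) would match the v6 behaviour. The `else`/`echo_skipped` change itself is correct, since `echo_skipped` was previously printed even after the drop rule had been installed. The `if [[ -n "$drop_icmp" ]] && $drop_icmp` line at the top is the hunk header's context, and the log rule it guards lies outside the hunk.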