Add extra icmp6 notifications to firewall.

sample-rc.d/rc.firewall-float

@@ -2,7 +2,7 @@
 
 # The name of the main external interface.
 EX_IF="eth0"
-# The name of the VM-Private network interface.
+# The name of the Private network interface.
 PRI_IF="eth1"
 
 # IP addresses
@@ -49,7 +49,7 @@ iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
 iptables -A INPUT -i lo -j ACCEPT
 ip6tables -A INPUT -i lo -j ACCEPT
 
-# Allow all VM-Private network traffic.
+# Allow all Private network traffic.
 iptables -A INPUT -i "$PRI_IF" -j ACCEPT
 ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
 
@@ -79,6 +79,8 @@ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 
 # Always allow SSH.
 # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get

sample-rc.d/rc.firewall-guests

@@ -2,8 +2,8 @@
 
 # The name of the main external interface.
 EX_IF="eth0"
-# The name of the VM-Private network interface.
-VM_IF="eth1"
+# The name of the Private network interface.
+PRI_IF="eth1"
 
 # Disable ICMP redirects.
 # Note: Redirects are used when a router believes a packet is being routed sub optimally and it would like to inform
@@ -43,9 +43,9 @@ iptables -A INPUT -i "$EX_IF" -s 192.168.0.0/16 -j DROP
 iptables -A INPUT -i lo -j ACCEPT
 ip6tables -A INPUT -i lo -j ACCEPT
 
-# Allow all VM-Private network traffic.
-iptables -A INPUT -i "$VM_IF" -j ACCEPT
-ip6tables -A INPUT -i "$VM_IF" -j ACCEPT
+# Allow all Private network traffic.
+iptables -A INPUT -i "$PRI_IF" -j ACCEPT
+ip6tables -A INPUT -i "$PRI_IF" -j ACCEPT
 
 # Allow unrestricted access from our IPs.
 iptables -A INPUT -i "$EX_IF" -m iprange --src-range 91.109.244.7-91.109.244.11 -j ACCEPT
@@ -73,6 +73,8 @@ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 
 # Always allow SSH.
 # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get

sample-rc.d/rc.firewall-hosts

@@ -67,6 +67,8 @@ ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
 iptables -A INPUT -i "$EX_IF" -p icmp --icmp-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
 ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
+#ip6tables -A INPUT -i "$EX_IF" -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
 
 # Always allow SSH.
 # Note: We never want to be locked out of the system, so also accept on the standard ssh port, just in case things accidently get