From b077480a59a66f3ed970c6a0c5336e4c28f9a27d Mon Sep 17 00:00:00 2001
From: Steven Barth <cyrus@openwrt.org>
Date: Fri, 4 Jan 2013 15:59:28 +0000
Subject: firewall: Add ULA site border for IPv6 traffic This prevents private
 traffic from leaking out to the internet

SVN-Revision: 35012
---
 package/network/config/firewall/files/firewall.config | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)


diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index a874139..6acfe1e 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -95,6 +95,25 @@ config rule
 	option family		ipv6
 	option target		ACCEPT
 
+# Block ULA-traffic from leaking out
+config rule
+	option name		Enforce-ULA-Border-Src
+	option src		*
+	option dest		wan
+	option proto		all
+	option src_ip		fc00::/7
+	option family		ipv6
+	option target		REJECT
+
+config rule
+	option name		Enforce-ULA-Border-Dest
+	option src		*
+	option dest		wan
+	option proto		all
+	option dest_ip		fc00::/7
+	option family		ipv6
+	option target		REJECT
+
 # include a file with users custom iptables rules
 config include
 	option path /etc/firewall.user
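Review bot: Both added rules match only traffic forwarded towards wan (`option src *` together with `option dest wan`), so the ULA border is enforced in the egress direction only. Packets arriving from wan with a source or destination inside `fc00::/7` are left to the wan zone defaults and the other rules. Traffic generated by the router itself is probably not matched either, since a rule carrying a `src` normally does not apply to locally originated packets; this is worth confirming against the firewall implementation in use. If a full site border is intended, a mirrored pair with `option src wan` matching `src_ip` and `dest_ip` `fc00::/7` would also stop spoofed or stray ULA packets coming in from outside. The rules also assume that wan really is the edge of the site, which a comment should state, for example `# Assumes wan is the edge of the ULA site; remove both rules if the upstream network belongs to the same site`, because a cascaded router whose wan faces another internal segment would otherwise lose legitimate ULA traffic.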
-- 
cgit v1.1