9
# Rules that should be run before the ufw command line added rules. Custom
11
# rules should be added to one of these chains:
23
# Don't delete these required lines, otherwise there will be errors
31
:ufw6-before-input - [0:0]
33
:ufw6-before-output - [0:0]
35
:ufw6-before-forward - [0:0]
43
# allow all on loopback
45
-A ufw6-before-input -i lo -j ACCEPT
47
-A ufw6-before-output -o lo -j ACCEPT
51
# drop packets with RH0 headers
53
-A ufw6-before-input -m rt --rt-type 0 -j DROP
55
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
57
-A ufw6-before-output -m rt --rt-type 0 -j DROP
61
# quickly process packets for which we already have a connection
63
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
65
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
67
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
71
# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
73
# 4.4.1 and 4.4.2), but don't have an associated connection and are otherwise
75
# be marked INVALID, so allow here instead.
77
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
81
# drop INVALID packets (logs these in loglevel medium and higher)
83
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
85
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
89
# ok icmp codes for INPUT (rfc4890, 4.4.1 and 4.4.2)
91
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
93
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
97
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
99
# codes 0-2 (echo-reply needs to be before INVALID, see above)
101
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
103
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
105
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
107
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
109
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
111
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
115
-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
119
-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
123
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
127
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
131
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
135
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
137
# SEND certificate path solicitation
139
-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
141
# SEND certificate path advertisement
143
-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
147
-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
151
-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
155
-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
159
# ok icmp codes for OUTPUT (rfc4890, 4.4.1 and 4.4.2)
161
-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
163
-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
167
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
171
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
173
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
175
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
177
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
179
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
181
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
183
-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
187
-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
191
-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
195
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
199
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
203
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
207
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
209
# SEND certificate path solicitation
211
-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
213
# SEND certificate path advertisement
215
-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
219
-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
223
-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
227
-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
231
# ok icmp codes for FORWARD (rfc4890, 4.3.1)
233
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
235
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
239
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
243
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
245
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
247
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
249
# ok icmp codes for FORWARD (rfc4890, 4.3.2)
251
# Home Agent Address Discovery Reques
253
-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
255
# Home Agent Address Discovery Reply
257
-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
259
# Mobile Prefix Solicitation
261
-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
263
# Mobile Prefix Advertisement
265
-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT
269
# allow dhcp client to work
271
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
275
# allow MULTICAST mDNS for service discovery
277
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
281
# allow MULTICAST UPnP for service discovery
283
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT
287
#-A INPUT -i eth0 -p udp --dport 2023 -j ACCEPT
289
#-A FORWARD -i tun0 -o eth0 -s 2a05:8280:f:43aa::/64 -m state --state NEW -j ACCEPT
291
#-A FORWARD -i tun0 -o eth0 -s fd00::/64 -m state --state NEW -j ACCEPT
293
#-A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
295
# don't delete the 'COMMIT' line or these rules won't be processed
297
#-A INPUT -i lo -j ACCEPT
299
#-A INPUT -m conntrack — ctstate INVALID -j DROP
301
#-A INPUT -i tun0 -j ACCEPT
303
#A FORWARD -i tun0 -o eth0 -s 2a05:8280:f:43aa::/64 -m conntrack --ctstate NEW -j ACCEPT
305
#-A FORWARD -m conntrack — ctstate RELATED,ESTABLISHED -j ACCEPT
307
#-A INPUT -p ipv6-icmp -j ACCEPT
309
#-A FORWARD -p ipv6-icmp -j ACCEPT
311
#-A FORWARD -s 2a05:8280:f:43aa::/64 -j ACCEPT
313
#-A FORWARD -i tun0 -o eth0 -m state --state NEW -j ACCEPT
315
#-A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
2
:ufw6-before-input - [0:0]
3
:ufw6-before-output - [0:0]
4
:ufw6-before-forward - [0:0]
5
-A ufw6-before-input -i lo -j ACCEPT
6
-A ufw6-before-output -o lo -j ACCEPT
7
-A ufw6-before-input -m rt --rt-type 0 -j DROP
8
-A ufw6-before-forward -m rt --rt-type 0 -j DROP
9
-A ufw6-before-output -m rt --rt-type 0 -j DROP
10
-A ufw6-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
11
-A ufw6-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
12
-A ufw6-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
13
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
14
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
15
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP
16
-A ufw6-before-input -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
17
-A ufw6-before-input -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
18
-A ufw6-before-input -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
19
-A ufw6-before-input -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
20
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-request -j ACCEPT
21
-A ufw6-before-input -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
22
-A ufw6-before-input -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
23
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
24
-A ufw6-before-input -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
25
-A ufw6-before-input -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
26
-A ufw6-before-input -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
27
-A ufw6-before-input -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
28
-A ufw6-before-input -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
29
-A ufw6-before-input -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
30
-A ufw6-before-input -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
31
-A ufw6-before-input -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
32
-A ufw6-before-input -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
33
-A ufw6-before-input -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
34
-A ufw6-before-input -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
35
-A ufw6-before-input -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
36
-A ufw6-before-output -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
37
-A ufw6-before-output -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
38
-A ufw6-before-output -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
39
-A ufw6-before-output -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
40
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-request -j ACCEPT
41
-A ufw6-before-output -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
42
-A ufw6-before-output -p icmpv6 --icmpv6-type router-solicitation -m hl --hl-eq 255 -j ACCEPT
43
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
44
-A ufw6-before-output -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
45
-A ufw6-before-output -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
46
-A ufw6-before-output -p icmpv6 --icmpv6-type 141 -m hl --hl-eq 255 -j ACCEPT
47
-A ufw6-before-output -p icmpv6 --icmpv6-type 142 -m hl --hl-eq 255 -j ACCEPT
48
-A ufw6-before-output -p icmpv6 --icmpv6-type 130 -s fe80::/10 -j ACCEPT
49
-A ufw6-before-output -p icmpv6 --icmpv6-type 131 -s fe80::/10 -j ACCEPT
50
-A ufw6-before-output -p icmpv6 --icmpv6-type 132 -s fe80::/10 -j ACCEPT
51
-A ufw6-before-output -p icmpv6 --icmpv6-type 143 -s fe80::/10 -j ACCEPT
52
-A ufw6-before-output -p icmpv6 --icmpv6-type 148 -m hl --hl-eq 255 -j ACCEPT
53
-A ufw6-before-output -p icmpv6 --icmpv6-type 149 -m hl --hl-eq 255 -j ACCEPT
54
-A ufw6-before-output -p icmpv6 --icmpv6-type 151 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
55
-A ufw6-before-output -p icmpv6 --icmpv6-type 152 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
56
-A ufw6-before-output -p icmpv6 --icmpv6-type 153 -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT
57
-A ufw6-before-forward -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
58
-A ufw6-before-forward -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
59
-A ufw6-before-forward -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
60
-A ufw6-before-forward -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
61
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-request -j ACCEPT
62
-A ufw6-before-forward -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
63
-A ufw6-before-input -p icmpv6 --icmpv6-type 144 -j ACCEPT
64
-A ufw6-before-input -p icmpv6 --icmpv6-type 145 -j ACCEPT
65
-A ufw6-before-input -p icmpv6 --icmpv6-type 146 -j ACCEPT
66
-A ufw6-before-input -p icmpv6 --icmpv6-type 147 -j ACCEPT
67
-A ufw6-before-input -p udp -s fe80::/10 --sport 547 -d fe80::/10 --dport 546 -j ACCEPT
68
-A ufw6-before-input -p udp -d ff02::fb --dport 5353 -j ACCEPT
69
-A ufw6-before-input -p udp -d ff02::f --dport 1900 -j ACCEPT