firewall: fix squid start with IPv6 disabled; fixes #271

While blocking IPv6 in this case is a good start, loopback traffic from internal to internal should never be blocked as some deamons like squid use it to probe and/or communicate.

firewall: fix squid start with IPv6 disabled; fixes #271
While blocking IPv6 in this case is a good start, loopback traffic from internal to internal should never be blocked as some deamons like squid use it to probe and/or communicate.
51219762 · Franco Fichtner · 7398977d · 51219762
Commit 51219762 authored Jul 30, 2015 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

filter.inc src/etc/inc/filter.inc +3 -3

No files found.
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -2609,9 +2609,9 @@ function filter_rules_generate()
 	if(isset($config['syslog']['nologdefaultpass']))
 		$log['pass'] = "log";

-
-	if(!isset($config['system']['ipv6allow'])) {
-		$ipfrules .= "\n# Block all IPv6\n";
+	if (!isset($config['system']['ipv6allow'])) {
+		$ipfrules .= "\n# Block all IPv6 except loopback traffic\n";
+		$ipfrules .= "pass quick inet6 from ::1 to ::1\n";
 		$ipfrules .= "block in {$log['block']} quick inet6 all  label \"Block all IPv6\"\n";
 		$ipfrules .= "block out {$log['block']} quick inet6 all label \"Block all IPv6\"\n";
 	}