Diffstat (limited to 'docs')
-rw-r--r-- docs/security.md 10
1 files changed, 7 insertions, 3 deletions
diff --git a/docs/security.md b/docs/security.md
index c34a7d73a0..f5ea916386 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -64,10 +64,14 @@ The following network traffic is allowed or blocked independent of state:
server)
* Incoming UDP from `[fe80::]/10:547` to `[fe80::]/10:546` (server to client)
-1. Router solicitation, advertisement and redirects (subset of NDP) is always allowed:
+1. A subset of NDP is allowed:
* Outgoing to `ff02::2`, but only ICMPv6 with type 133 and code 0 (Router solicitation)
- * Incoming from `[fe80::]/10`, but only ICMPv6 type 134 and code 0 (Router advertisement)
- * Incoming from `[fe80::]/10`, but only ICMPv6 type 137 and code 0 (Redirect)
+ * Incoming from `fe80::/10`, but only ICMPv6 type 134 and code 0 (Router advertisement)
+ * Incoming from `fe80::/10`, but only ICMPv6 type 137 and code 0 (Redirect)
+ * Outgoing to `ff02::1:ff00:0/104` and `fe80::/10`, but only ICMPv6 with type 135 and code 0 (Neighbor solicitation).
+ * Incoming from `fe80::/10`, but only ICMPv6 with type 135 and code 0 (Neighbor solicitation).
+ * Outgoing to `fe80::/10`, but only ICMPv6 with type 136 and code 0 (Neighbor advertisement).
+ * Incoming from `*`, but only ICMPv6 with type 136 and code 0 (Neighbor advertisement).
1. If the "Allow LAN" setting is enabled, the following is also allowed:
* Outgoing to, and incoming from, any IP in an unroutable network, that means:
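Review bot: The last added bullet allows Neighbor advertisements (type 136) incoming from `*`, while every other incoming rule in this list, including the new incoming Neighbor solicitation rule, is limited to `fe80::/10`. Since this section lists traffic allowed independent of state, the document should say why any source address has to be accepted for type 136, or the rule should be narrowed to match the others. The wording also drifts between bullets: the four new lines say "ICMPv6 with type" and end with a period, whereas the Router advertisement and Redirect lines say "ICMPv6 type" and have no trailing period. Pick one form for the whole list.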