Hello,
The initial IPv6 ruleset seems to be too relaxed. The initial IPv6 INPUT chain is the following:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot   opt in  out source destination
1      0     0 DROP   all        *   *   ::/0   ::/0        rt type:0
2      1    56 ACCEPT all        *   *   ::/0   ::/0        state RELATED,ESTABLISHED
3      0     0 ACCEPT 59         *   *   ::/0   ::/0        length 40
4      3   248 ACCEPT all        br0 *   ::/0   ::/0
5      0     0 ACCEPT all        lo  *   ::/0   ::/0
6      0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 1
7      0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 2
8      0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 3
9      0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 4
10     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 128
11     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 129
12     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 130
13     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 131
14     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 132
15     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 133
16     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 134
17     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 135
18     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 136
19     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 141
20     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 142
21     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 143
22     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 148
23     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 149
24     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 151
25     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 152
26     0     0 ACCEPT icmpv6     *   *   ::/0   ::/0        ipv6-icmp type 153

As seen above, rule 4 is a catch-all for the local interface. Rules 6-11 are the recommended "must have" types for IPv6 global access as per RFC 4890.

The problem that I have is with rules 12-26. Those are the recommended rules for IPv6 local access. Apart from the fact that they are redundant (as we have the catch-all rule 4 for local), they breach our external security by allowing remote ICMPv6 types that are clearly only for local access to hit the router's IPv6 stack.

The 12-26 group was introduced to the code by commit 75691f85. Not sure why this was introduced, as the catch-all rule commit precedes it. In my opinion it should be enclosed in a conditional so that it occurs only when the router is operated in non-gateway mode (where the WAN interface is "local").

A patch against Toastman-RT is available here: http://www.mediafire.com/?hut7rjx42p2hqiz
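
An added example, not part of the original post: a small Python audit that parses a listing in the column layout shown above and reports ICMPv6 ACCEPT rules that admit a type outside the post's "global" set (rules 6-11) on an interface other than the LAN ones. The function name, the `lan_ifaces` default and the sample subset are assumptions made for illustration; the type split is the post's own reading of RFC 4890.

```python
import re

# Types the post treats as required from any source (its reading of RFC 4890).
GLOBAL_TYPES = {1, 2, 3, 4, 128, 129}

# Constructed sample: a subset of the INPUT listing quoted in the post.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
4 3 248 ACCEPT all br0 * ::/0 ::/0
6 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 1
11 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 129
12 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 130
17 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 135
26 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 153
"""

# Assumes the layout in the post: the "opt" column is empty in rule rows,
# so the fields are num, pkts, bytes, target, prot, in, out, source, destination.
RULE = re.compile(
    r"^\s*(?P<num>\d+)\s+\S+\s+\S+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<inif>\S+)\s+(?P<outif>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<match>.*)$"
)

def exposed_local_types(listing, lan_ifaces=("br0", "lo")):
    """Return (rule number, ICMPv6 type) for ACCEPT rules that admit a
    non-global ICMPv6 type on an interface outside lan_ifaces."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)  # chain and header lines do not start with a number
        if not m or m["target"] != "ACCEPT" or m["prot"] not in ("icmpv6", "ipv6-icmp"):
            continue
        t = re.search(r"type (\d+)", m["match"])
        if t is None:
            continue  # ICMPv6 rule without a type match: out of scope here
        icmp_type = int(t.group(1))
        if m["inif"] not in lan_ifaces and icmp_type not in GLOBAL_TYPES:
            findings.append((int(m["num"]), icmp_type))
    return findings

if __name__ == "__main__":
    for num, icmp_type in exposed_local_types(SAMPLE):
        print(f"rule {num}: ICMPv6 type {icmp_type} accepted on any interface")
```

On a router the same function can be fed the text of `ip6tables -L INPUT -n -v --line-numbers`; an empty result means every non-global ICMPv6 type is confined to the LAN interfaces.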