Blocking IPv6 packets by extension headers
FortiOS can now block IPv6 packets based on the extension headers, using the CLI syntax: config firewall ipv6-eh-filter.
The following commands are now available:
- set hop-opt {disable | enable}: Block packets with Hop-by-Hop Options header.
- set dest-opt {disable | enable}: Block packets with Destination Options header.
- set hdopt-type <integer>: Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255).
- set routing {disable | enable}: Block packets with Routing header.
- set routing-type <integer>: Block specific Routing header types (maximum 7 types, each between 0 and 255).
- set fragment {disable | enable}: Block packets with Fragment header.
- set auth {disable | enable}: Block packets with Authentication header.
- set no-next {disable | enable}: Block packets with No Next header.
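
To make clear what each setting has to inspect, the following Python example walks an IPv6 extension header chain and reports which setting would block the packet. It is added here for illustration and is not FortiOS code. The function names (verdict, option_types, ipv6), the "malformed" result for truncated chains, and the order in which settings are checked are assumptions; the header numbers and length rules come from the IPv6 specification.

```python
# Added illustration, not FortiOS code. Keys mirror the CLI setting names;
# how the firewall combines them internally is an assumption.
HOP, ROUTING, FRAGMENT, AUTH, NO_NEXT, DEST = 0, 43, 44, 51, 59, 60
FLAG = {HOP: "hop-opt", DEST: "dest-opt", ROUTING: "routing",
        FRAGMENT: "fragment", AUTH: "auth"}

def option_types(area):
    """Yield the option types in a Hop-by-Hop/Destination Options TLV area."""
    i = 0
    while i < len(area):
        yield area[i]
        if area[i] == 0:              # Pad1: one byte, no length field
            i += 1
        elif i + 1 < len(area):
            i += 2 + area[i + 1]      # type, length, then `length` data bytes
        else:
            return                    # truncated TLV

def verdict(packet, cfg):
    """Return the setting name that blocks `packet`, or None to allow it."""
    if len(packet) < 40:
        return "malformed"
    nxt, off = packet[6], 40          # Next Header byte of the fixed header
    while nxt in FLAG or nxt == NO_NEXT:
        if nxt == NO_NEXT:
            return "no-next" if cfg.get("no-next") else None
        if off + 8 > len(packet):
            return "malformed"        # assumption: truncated chains fail closed
        size = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        if nxt == AUTH:
            size = (packet[off + 1] + 2) * 4   # AH length counts 4-byte words
        hdr = packet[off:off + size]
        if len(hdr) < size:
            return "malformed"
        if cfg.get(FLAG[nxt]):
            return FLAG[nxt]
        if nxt in (HOP, DEST) and set(option_types(hdr[2:])) & set(cfg.get("hdopt-type", ())):
            return "hdopt-type"
        if nxt == ROUTING and hdr[2] in cfg.get("routing-type", ()):
            return "routing-type"
        if nxt == FRAGMENT and int.from_bytes(hdr[2:4], "big") >> 3:
            return None               # non-first fragment: the rest is payload
        nxt, off = hdr[0], off + size
    return None                       # reached the upper-layer protocol

def ipv6(first_next, body):
    """Constructed test packet: fixed header with zeroed addresses, then body."""
    return bytes([0x60, 0, 0, 0]) + len(body).to_bytes(2, "big") + bytes([first_next, 64]) + bytes(32) + body
```

For example, verdict(ipv6(43, bytes([59, 0, 0, 0, 0, 0, 0, 0])), {"routing-type": [0]}) returns "routing-type" for a constructed packet carrying a type 0 Routing header.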