jem.m4: Remove SMB for untrusted hosts.

[firewall] / bookends.m4

diff --git a/bookends.m4 b/bookends.m4
index 1844139..7374cd3 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -1,4 +1,4 @@
-### -*-m4-*-
+### -*-sh-*-
 ###
 ### Initialization and finishing touches for firewall scripts
 ###
@@ -52,9 +52,24 @@ setopt ip_local_port_range $open_port_min $open_port_max
 ## Deploy SYN-cookies if necessary.
 setopt tcp_syncookies 1
 
+## Allow broadcast and multicast ping, because it's a useful diagnostic tool.
+setopt icmp_echo_ignore_broadcasts 0
+
+## Turn off iptables filtering for bridges.  We'll use ebtables if we need
+## to; but right now the model is that we do filtering at the borders, and
+## are tolerant of things which are local.
+if [ -x /sbin/brctl ]; then
+  modprobe bridge || :
+  if [ -d /proc/sys/net/bridge ]; then
+    for filter in arptables iptables ip6tables; do
+      run sysctl -q net.bridge.bridge-nf-call-$filter=0
+    done
+  fi
+fi
+
 ## Turn on the reverse-path filter, and log weird things.
-setdevopt rp_filter 1
-setdevopt log_martians 1
+setdevopt rp_filter $rp_filter
+setdevopt log_martians $log_martians
 
 ## Turn off things which can mess with our routing decisions.
 setdevopt accept_source_route 0
@@ -89,7 +104,7 @@ errorchain interesting ACCEPT
 
 m4_divert(36)m4_dnl
 ###--------------------------------------------------------------------------
-### Standard loopback stuff.
+### Standard filtering.
 
 ## Don't clobber local traffic
 run ip46tables -A INPUT -i lo -j ACCEPT
@@ -111,17 +126,33 @@ run ip6tables -A FORWARD -g bad-source-address \
 run ip6tables -A FORWARD -g bad-destination-address \
        -d fe80::/10
 
+## Also, don't forward link-local broadcast or multicast.
+run iptables -A FORWARD -g bad-destination-address \
+       -d 255.255.255.255
+run iptables -A FORWARD -g bad-destination-address \
+       -m addrtype --dst-type BROADCAST
+run iptables -A FORWARD -g bad-destination-address \
+       -d 224.0.0.0/24
+for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+  run ip6tables -A FORWARD -g bad-destination-address \
+       -d fe${x}2::/16
+done
+
+## Add a hook for fail2ban.
+clearchain fail2ban
+run ip46tables -A INPUT -j fail2ban
+
 m4_divert(90)m4_dnl
 ###--------------------------------------------------------------------------
 ### Finishing touches.
 
 m4_divert(94)m4_dnl
 ## Locally generated packets are all OK.
-run iptables -P OUTPUT ACCEPT
+run ip46tables -P OUTPUT ACCEPT
 
 ## Other incoming things are forbidden.
 for chain in INPUT FORWARD; do
-  run iptables -A $chain -g forbidden
+  run ip46tables -A $chain -g forbidden
 done
 
 m4_divert(-1)