~mdw
/
firewall
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
eggle.m4, local.m4, local.mk: Add new VPS `eggle'.
[firewall]
/
bookends.m4
diff --git
a/bookends.m4
b/bookends.m4
index
6caad93
..
f567743
100644
(file)
--- a/
bookends.m4
+++ b/
bookends.m4
@@
-38,7
+38,9
@@
preserve_chains="filter:fail2ban filter:fail2ban-* $preserve_chains"
## Take the various IP versions in turn.
unref=nil
for ip in ip ip6; do
## Take the various IP versions in turn.
unref=nil
for ip in ip ip6; do
- for table in $(cat /proc/net/${ip}_tables_names); do
+ if [ "$FW_NOACT" ]; then break; fi
+
+ for table in filter mangle nat raw; do
## Step 1: clear out the builtin chains.
${ip}tables -nL -t $table |
## Step 1: clear out the builtin chains.
${ip}tables -nL -t $table |
@@
-106,11
+108,22
@@
m4_divert(32)m4_dnl
## Set forwarding options. Apparently setting ip_forward clobbers other
## settings, so put this first.
case $host_type_<::>FWHOST in
## Set forwarding options. Apparently setting ip_forward clobbers other
## settings, so put this first.
case $host_type_<::>FWHOST in
- router) forward=1 ;;
- *) forward=0 ;;
+ router) forward=1 host=0 ;;
+ server) forward=0 host=0 ;;
+ client) forward=0 host=1 ;;
esac
setopt ip_forward $forward
setdevopt forwarding $forward
esac
setopt ip_forward $forward
setdevopt forwarding $forward
+for i in \
+ accept_ra accept_ra_defrtr accept_ra_pinfo accept_ra_info_max_plen \
+ accept_redirects
+do
+ setdevopt $i $host
+done
+case $forward in
+ 0) inchains="INPUT" ;;
+ 1) inchains="INPUT FORWARD" ;;
+esac
## Set dynamic port allocation.
setopt ip_local_port_range $open_port_min $open_port_max
## Set dynamic port allocation.
setopt ip_local_port_range $open_port_min $open_port_max
@@
-124,13
+137,13
@@
setopt icmp_echo_ignore_broadcasts 0
## Turn off iptables filtering for bridges. We'll use ebtables if we need
## to; but right now the model is that we do filtering at the borders, and
## are tolerant of things which are local.
## Turn off iptables filtering for bridges. We'll use ebtables if we need
## to; but right now the model is that we do filtering at the borders, and
## are tolerant of things which are local.
-if [ -x /sbin/brctl ]; then
+if [ -x /sbin/brctl ]
|| [ -x /usr/sbin/brctl ]
; then
modprobe bridge || :
modprobe bridge || :
- if [ -d /proc/sys/net/bridge ]; then
- for filter in arptables iptables ip6tables; do
- run sysctl -q net.bridge.bridge-nf-call-$filter=0
- done
- fi
+fi
+if [ -d /proc/sys/net/bridge ]; then
+ for filter in arptables iptables ip6tables; do
+ run sysctl -q net.bridge.bridge-nf-call-$filter=0
+ done
fi
## Turn off the reverse-path filter. It's basically useless: the filter does
fi
## Turn off the reverse-path filter. It's basically useless: the filter does
@@
-141,7
+154,7
@@
setdevopt log_martians 0
## Turn off things which can mess with our routing decisions.
setdevopt accept_source_route 0
## Turn off things which can mess with our routing decisions.
setdevopt accept_source_route 0
-setdevopt
accept_redirects 0
+setdevopt
secure_redirects 1
## If we're maent to stop the firewall, then now is the time to do it.
$exit_after_clearing
## If we're maent to stop the firewall, then now is the time to do it.
$exit_after_clearing
@@
-164,6
+177,10
@@
errorchain bad-source-address DROP
## Packet arrived on wrong interface for its source address. Drops the
## packet, since there's nowhere sensible to send an error.
## Packet arrived on wrong interface for its source address. Drops the
## packet, since there's nowhere sensible to send an error.
+errorchain dns-rate-limit DROP
+## Dropped incoming DNS query due to rate limiting. The source address is
+## suspicious, so don't produce ICMP.
+
errorchain bad-destination-address REJECT
## Packet arrived on non-loopback interface with loopback destination.
errorchain bad-destination-address REJECT
## Packet arrived on non-loopback interface with loopback destination.
@@
-207,10
+224,12
@@
case $forward in
-m addrtype --dst-type BROADCAST
run iptables -A FORWARD -g bad-destination-address \
-d 224.0.0.0/24
-m addrtype --dst-type BROADCAST
run iptables -A FORWARD -g bad-destination-address \
-d 224.0.0.0/24
+ clearchain check-fwd-multi
for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
- run ip6tables -A
FORWARD
-g bad-destination-address \
- -d f
e
${x}2::/16
+ run ip6tables -A
check-fwd-multi
-g bad-destination-address \
+ -d f
f
${x}2::/16
done
done
+ run ip6tables -A FORWARD -j check-fwd-multi -d ff00::/8
;;
esac
;;
esac
@@
-233,8
+252,7
@@
done
## Allow stuff through unknown tables.
for ip in ip ip6; do
## Allow stuff through unknown tables.
for ip in ip ip6; do
- for table in $(cat /proc/net/${ip}_tables_names); do
- case $table in mangle | filter) continue ;; esac
+ for table in nat raw security; do
${ip}tables -nL -t $table |
sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
while read chain; do
${ip}tables -nL -t $table |
sed -n '/^Chain \([^ ]\+\) (policy .*$/ s//\1/p ' |
while read chain; do
@@
-243,5
+261,17
@@
for ip in ip ip6; do
done
done
done
done
+## Dump the resulting configuration.
+if [ "$FW_DEBUG" ]; then
+ for ip in ip ip6; do
+ for table in mangle filter; do
+ echo "----- $ip $table -----"
+ echo
+ ${ip}tables -t $table -nvL
+ echo
+ done
+ done
+fi
+
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
m4_divert(-1)
###----- That's all, folks --------------------------------------------------