-### -*-m4-*-
+### -*-sh-*-
###
### Initialization and finishing touches for firewall scripts
###
## everything going before anyone actually hits a timeout.
for t in mangle filter; do
for i in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
- run iptables -t $t -P $i DROP 2>/dev/null || :
- run iptables -t $t -F $i 2>/dev/null || :
+ run ip46tables -t $t -P $i DROP 2>/dev/null || :
+ run ip46tables -t $t -F $i 2>/dev/null || :
done
- run iptables -t $t -F
- run iptables -t $t -X
+ run ip46tables -t $t -F
+ run ip46tables -t $t -X
done
m4_divert(32)m4_dnl
## Deploy SYN-cookies if necessary.
setopt tcp_syncookies 1
+## Turn off iptables filtering for bridges. We'll use ebtables if we need
+## to; but right now the model is that we do filtering at the borders, and
+## are tolerant of things which are local.
+for filter in arptables iptables ip6tables; do
+ run sysctl -q net/bridge/bridge-nf-call-$filter=0
+done
+
## Turn on the reverse-path filter, and log weird things.
setdevopt rp_filter 1
setdevopt log_martians 1
###--------------------------------------------------------------------------
### Establish error chains.
-errorchain forbidden REJECT --reject-with icmp-host-prohibited
-## Generic `not allowed' chain. Rejects with ICMP host-prohibited.
+errorchain forbidden REJECT
+## Generic `not allowed' chain.
-errorchain tcp-fragment REJECT --reject-with icmp-host-prohibited
-## Chain for logging fragmented TCP segements. Rejects with ICMP
-## host-prohibited.
+errorchain tcp-fragment REJECT
+## Chain for logging fragmented TCP segements.
errorchain bad-tcp REJECT -p tcp --reject-with tcp-reset
## Bad TCP segments (e.g., for unknown connections). Sends a TCP reset.
errorchain mangle:bad-source-address DROP
+errorchain bad-source-address DROP
## Packet arrived on wrong interface for its source address. Drops the
## packet, since there's nowhere sensible to send an error.
+errorchain bad-destination-address REJECT
+## Packet arrived on non-loopback interface with loopback destination.
+
errorchain interesting ACCEPT
## Not an error, just log interesting packets.
m4_divert(36)m4_dnl
###--------------------------------------------------------------------------
-### Don't clobber local traffic.
-
-run iptables -A INPUT -i lo -j ACCEPT
+### Standard loopback stuff.
+
+## Don't clobber local traffic
+run ip46tables -A INPUT -i lo -j ACCEPT
+
+## We really shouldn't see packets destined for localhost on any interface
+## other than the loopback.
+run iptables -A INPUT -g bad-destination-address \
+ -d 127.0.0.0/8
+run ip6tables -A INPUT -g bad-destination-address \
+ -d ::1
+
+## We shouldn't be asked to forward things with link-local addresses.
+run iptables -A FORWARD -g bad-source-address \
+ -s 169.254.0.0/16
+run iptables -A FORWARD -g bad-destination-address \
+ -d 169.254.0.0/16
+run ip6tables -A FORWARD -g bad-source-address \
+ -s fe80::/10
+run ip6tables -A FORWARD -g bad-destination-address \
+ -d fe80::/10
+
+## Also, don't forward link-local broadcast or multicast.
+run iptables -A FORWARD -g bad-destination-address \
+ -d 255.255.255.255
+run iptables -A FORWARD -g bad-destination-address \
+ -m addrtype --dst-type BROADCAST
+run iptables -A FORWARD -g bad-destination-address \
+ -d 224.0.0.0/24
+for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+ run ip6tables -A FORWARD -g bad-destination-address \
+ -d fe${x}2::/16
+done
m4_divert(90)m4_dnl
###--------------------------------------------------------------------------
~mdw / firewall / blobdiff