Move the function definitions together; shift the host interface
definitions near the beginning of the file; and move the local filter
rules later to allow more room for built-in filtering.
14 files changed:
###--------------------------------------------------------------------------
### Network interfaces.
###--------------------------------------------------------------------------
### Network interfaces.
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
###--------------------------------------------------------------------------
### artist-specific rules.
###--------------------------------------------------------------------------
### artist-specific rules.
## Externally visible services.
allowservices inbound tcp \
ssh \
## Externally visible services.
allowservices inbound tcp \
ssh \
### Overall structure.
###
### 0 File header: shebang, do-not-edit warning. [base]
### Overall structure.
###
### 0 File header: shebang, do-not-edit warning. [base]
-### 5 Configuration. [config]
+### 4 Configuration. [config]
+### 6 Local settings. [local]
### 10 Prologue: command-line parsing and failsafe. [prologue]
### 20 Function definitions. [functions]
### 10 Prologue: command-line parsing and failsafe. [prologue]
### 20 Function definitions. [functions]
-### 25 Port numbers etc. [numbers]
+### 24 Port numbers etc. [numbers]
+### 26 Networks, hosts and interfaces. [local]
### 30 Initialization. [bookends]
### 30 Clear existing rules. [bookends]
### 32 Set safe IP options. [bookends]
### 34 Error chains. [bookends]
### 30 Initialization. [bookends]
### 30 Clear existing rules. [bookends]
### 32 Set safe IP options. [bookends]
### 34 Error chains. [bookends]
-### 36 Give loopback traffic a free pass. [bookends]
### 38 Utility chains. [functions]
### 40 Address classification. [classify]
### 42 Definition of address class policies. [local]
### 44 Definition of interfaces and addresses. [local]
### 46 Handling of default interface. [classify]
### 38 Utility chains. [functions]
### 40 Address classification. [classify]
### 42 Definition of address class policies. [local]
### 44 Definition of interfaces and addresses. [local]
### 46 Handling of default interface. [classify]
-### 50 ICMP filtering. [icmp]
-### 52 Local configuration. [local]
-### 58 Finally accept ICMP, hook onto INPUT and FORWARD. [icmp]
-### 60 Local configuration. [local]
+### 50 Packet filter. [bookends]
+### 60 ICMP filtering. [icmp]
+### 62 Local configuration. [local]
+### 68 Finally accept ICMP, hook onto INPUT and FORWARD. [icmp]
+### 80 Local configuration. [local]
+### 84 Locally bound packet inspection. [local]
+### 86 Per-host configuration. [HOST]
+### 88 Final filtering. [local]
### 90 Finishing touches. [bookends]
### 94 Set final policies. [bookends]
### 99 File footer: do-not-edit warning. [base]
### 90 Finishing touches. [bookends]
### 94 Set final policies. [bookends]
### 99 File footer: do-not-edit warning. [base]
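Review bot: the revised outline drops `### 36 Give loopback traffic a free pass. [bookends]` without a replacement entry, while the commit message only describes moving functions, host interface definitions and local filter rules. If the loopback exemption has been folded into the new `### 50 Packet filter. [bookends]` section, say so in that entry (for example `### 50 Packet filter: loopback pass, hook-up. [bookends]`); if it has genuinely been removed, loopback traffic will now run through the classification and filter sections that follow it in the outline, and that deserves a sentence in the commit message. Two smaller points in the same region: the new `### 86 Per-host configuration. [HOST]` uses an upper-case tag where every other entry carries a lower-case section name, so either state in the header comment that `HOST` stands in for the per-host file name or make it lower-case; and `### 30 Initialization.` and `### 30 Clear existing rules.` still share divert number 30, which this renumbering pass is the natural moment to separate.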
errorchain interesting ACCEPT
## Not an error, just log interesting packets.
errorchain interesting ACCEPT
## Not an error, just log interesting packets.
###--------------------------------------------------------------------------
### Standard filtering.
###--------------------------------------------------------------------------
### Standard filtering.
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
### Configuration.
###--------------------------------------------------------------------------
### Configuration.
###--------------------------------------------------------------------------
### Network interfaces.
###--------------------------------------------------------------------------
### Network interfaces.
## Interface definitions.
if_untrusted=eth0
if_dmz=$if_untrusted
## Interface definitions.
if_untrusted=eth0
if_dmz=$if_untrusted
###--------------------------------------------------------------------------
### Utility chains (used by function definitions).
###--------------------------------------------------------------------------
### Utility chains (used by function definitions).
###--------------------------------------------------------------------------
### Basic chain constructions.
###--------------------------------------------------------------------------
### Basic chain constructions.
run ip46tables -t $table -A $chain -j DROP
}
run ip46tables -t $table -A $chain -j DROP
}
###--------------------------------------------------------------------------
### Basic option setting.
###--------------------------------------------------------------------------
### Basic option setting.
###--------------------------------------------------------------------------
### Packet filter construction.
###--------------------------------------------------------------------------
### Packet filter construction.
-m frag --fragfirst
run ip6tables -A accept-non-init-frag -j ACCEPT
-m frag --fragfirst
run ip6tables -A accept-non-init-frag -j ACCEPT
## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
## allowservices CHAIN PROTO SERVICE ...
##
## Add rules to allow the SERVICES on the CHAIN.
run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
}
run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
}
###--------------------------------------------------------------------------
### Packet classification.
###--------------------------------------------------------------------------
### Packet classification.
###--------------------------------------------------------------------------
### Network interfaces.
###--------------------------------------------------------------------------
### Network interfaces.
## Interface definitions.
if_trusted=eth0
if_dmz=$if_trusted
## Interface definitions.
if_trusted=eth0
if_dmz=$if_trusted
###--------------------------------------------------------------------------
### gibson-specific rules.
###--------------------------------------------------------------------------
### gibson-specific rules.
## Externally visible services.
allowservices inbound tcp \
ssh \
## Externally visible services.
allowservices inbound tcp \
ssh \
###--------------------------------------------------------------------------
### Network interfaces.
###--------------------------------------------------------------------------
### Network interfaces.
## Interface definitions.
if_dmz=br-dmz
if_trusted=br-unsafe
## Interface definitions.
if_dmz=br-dmz
if_trusted=br-unsafe
###--------------------------------------------------------------------------
### ibanez-specific rules.
###--------------------------------------------------------------------------
### ibanez-specific rules.
## Externally visible services.
allowservices inbound tcp \
ssh \
## Externally visible services.
allowservices inbound tcp \
ssh \
###--------------------------------------------------------------------------
### Network interfaces.
###--------------------------------------------------------------------------
### Network interfaces.
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
###--------------------------------------------------------------------------
### jem-specific rules.
###--------------------------------------------------------------------------
### jem-specific rules.
## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This
## isn't a completely critical part of the firewall security, so don't make
## this fail the entire script.
## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This
## isn't a completely critical part of the firewall security, so don't make
## this fail the entire script.
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
defnetclass trusted untrusted trusted safe noloop
defnetclass safe trusted safe noloop
defnetclass noloop trusted safe
###--------------------------------------------------------------------------
### Network layout.
###--------------------------------------------------------------------------
### Network layout.
-m4_divert(46)m4_dnl
-## Networks and routing.
-
+m4_divert(44)m4_dnl
+## Network definitions.
defiface $if_dmz \
trusted:62.49.204.144/28 \
trusted:172.29.199.0/25 \
defiface $if_dmz \
trusted:62.49.204.144/28 \
trusted:172.29.199.0/25 \
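Review bot: moving the `defiface $if_dmz ...` block from divert 46 to 44 agrees with the outline (44 is the definition of interfaces and addresses, 46 the default-interface handling), but `$if_dmz` is expanded when the generated script reaches this block, and the per-host `if_dmz=...` / `if_trusted=...` assignments are what this commit relocates. Please check that every host file now places those assignments in a divert numbered below 44 (the new `6 Local settings` or `26 Networks, hosts and interfaces`); a host whose assignments end up at a later divert will call `defiface` with an empty interface name, and nothing in the visible lines guards against that. Also, the section heading above this block still reads `### Network layout.` while the new comment line says `## Network definitions.`; pick one wording and use it for both.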
## Default NTP servers.
ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
## Default NTP servers.
ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
###--------------------------------------------------------------------------
### Special forwarding exemptions.
###--------------------------------------------------------------------------
### Special forwarding exemptions.
-m state --state ESTABLISHED
m4_divert(60)m4_dnl
-m state --state ESTABLISHED
m4_divert(60)m4_dnl
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
###--------------------------------------------------------------------------
### Kill things we don't understand properly.
###
run ip6tables -A FORWARD -g poorly-understood \
-d ff::/8
run ip6tables -A FORWARD -g poorly-understood \
-d ff::/8
###--------------------------------------------------------------------------
### Locally-bound packet inspection.
###--------------------------------------------------------------------------
### Locally-bound packet inspection.
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
### along with this program; if not, write to the Free Software Foundation,
### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
###--------------------------------------------------------------------------
### Magic numbers.
###--------------------------------------------------------------------------
### Magic numbers.
###--------------------------------------------------------------------------
### Network interfaces.
###--------------------------------------------------------------------------
### Network interfaces.
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
###--------------------------------------------------------------------------
### radius-specific rules.
###--------------------------------------------------------------------------
### radius-specific rules.
## Externally visible services.
allowservices inbound tcp \
ident \
## Externally visible services.
allowservices inbound tcp \
ident \
###--------------------------------------------------------------------------
### Network interfaces.
###--------------------------------------------------------------------------
### Network interfaces.
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
## Interface definitions.
if_dmz=eth0
if_trusted=eth1
###--------------------------------------------------------------------------
### roadstar-specific rules.
###--------------------------------------------------------------------------
### roadstar-specific rules.
## Externally visible services.
allowservices inbound tcp \
ssh \
## Externally visible services.
allowservices inbound tcp \
ssh \
###--------------------------------------------------------------------------
### Network interfaces.
###--------------------------------------------------------------------------
### Network interfaces.
## Interface definitions.
if_dmz=eth0.0
if_trusted=eth0.1
## Interface definitions.
if_dmz=eth0.0
if_trusted=eth0.1
###--------------------------------------------------------------------------
### vampire-specific rules.
###--------------------------------------------------------------------------
### vampire-specific rules.
## Externally visible services.
allowservices inbound tcp \
finger ident \
## Externally visible services.
allowservices inbound tcp \
finger ident \