From a4d8cae3892c13a32f941ef96b24eaa6930500cb Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Mon, 5 Mar 2012 22:35:27 +0000
Subject: [PATCH] Renumber the diversions.

Move the function definitions together; shift the host interface definitions near the beginning of the file; and move the local filter rules later to allow more room for built-in filtering.
---
 artist.m4 | 4 ++--
 base.m4 | 19 ++++++++++++-------
 bookends.m4 | 2 +-
 config.m4 | 2 +-
 fender.m4 | 2 +-
 functions.m4 | 10 +++++-----
 gibson.m4 | 4 ++--
 ibanez.m4 | 4 ++--
 jem.m4 | 4 ++--
 local.m4 | 13 +++++++------
 numbers.m4 | 2 +-
 radius.m4 | 4 ++--
 roadstar.m4 | 4 ++--
 vampire.m4 | 4 ++--
 14 files changed, 42 insertions(+), 36 deletions(-)

diff --git a/artist.m4 b/artist.m4
index 1f97e73..24a4a1c 100644
--- a/artist.m4
+++ b/artist.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### artist-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
 ssh \
diff --git a/base.m4 b/base.m4
index 3a0172d..8968025 100644
--- a/base.m4
+++ b/base.m4
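Review bot: `+m4_divert(84)m4_dnl` sends artist's host-specific rules to the diversion that base.m4's new map labels "Locally bound packet inspection [local]", whereas the map reserves 86 for "Per-host configuration [HOST]" and vampire.m4 is the only host file in this patch that uses 86. local.m4 also emits rules into 84 (its "Locally-bound packet inspection" section), so whether these `allowservices inbound tcp ssh ...` rules are appended before or after the local inspection rules is decided by the order in which m4 reads the two files rather than by the diversion number, and iptables evaluates a chain's rules in that order. If 84 is not intended here, `+m4_divert(86)m4_dnl` would match the map; the same applies to the host-specific hunks in gibson.m4, ibanez.m4, jem.m4, radius.m4 and roadstar.m4.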
@@ -29,24 +29,29 @@ m4_changecom(<:##:>)
 ### Overall structure.
 ###
 ### 0 File header: shebang, do-not-edit warning. [base]
-### 5 Configuration. [config]
+### 4 Configuration. [config]
+### 6 Local settings. [local]
 ### 10 Prologue: command-line parsing and failsafe. [prologue]
 ### 20 Function definitions. [functions]
-### 25 Port numbers etc. [numbers]
+### 24 Port numbers etc. [numbers]
+### 26 Networks, hosts and interfaces. [local]
 ### 30 Initialization. [bookends]
 ### 30 Clear existing rules. [bookends]
 ### 32 Set safe IP options. [bookends]
 ### 34 Error chains. [bookends]
-### 36 Give loopback traffic a free pass. [bookends]
 ### 38 Utility chains. [functions]
 ### 40 Address classification. [classify]
 ### 42 Definition of address class policies. [local]
 ### 44 Definition of interfaces and addresses. [local]
 ### 46 Handling of default interface. [classify]
-### 50 ICMP filtering. [icmp]
-### 52 Local configuration. [local]
-### 58 Finally accept ICMP, hook onto INPUT and FORWARD. [icmp]
-### 60 Local configuration. [local]
+### 50 Packet filter. [bookends]
+### 60 ICMP filtering. [icmp]
+### 62 Local configuration. [local]
+### 68 Finally accept ICMP, hook onto INPUT and FORWARD. [icmp]
+### 80 Local configuration. [local]
+### 84 Locally bound packet inspection. [local]
+### 86 Per-host configuration. [HOST]
+### 88 Final filtering. [local]
 ### 90 Finishing touches. [bookends]
 ### 94 Set final policies. [bookends]
 ### 99 File footer: do-not-edit warning. [base]
diff --git a/bookends.m4 b/bookends.m4
index b29047b..38b4e91 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -164,7 +164,7 @@ errorchain bad-destination-address REJECT
 errorchain interesting ACCEPT ## Not an error, just log interesting packets.
-m4_divert(36)m4_dnl
+m4_divert(50)m4_dnl
 ###--------------------------------------------------------------------------
 ### Standard filtering.
diff --git a/config.m4 b/config.m4
index 6756452..4b059df 100644
--- a/config.m4
+++ b/config.m4
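Review bot: The renumbered map has no entry for diversion 28, which every host file in this patch now selects for its interface definitions (`m4_divert(28)` in artist.m4, fender.m4, gibson.m4, ibanez.m4, jem.m4, radius.m4, roadstar.m4 and vampire.m4), so a reader of this table cannot tell where `if_dmz`/`if_trusted` are assigned relative to the "26 Networks, hosts and interfaces" and "30 Initialization" rows. Suggest adding a row such as `### 28 Host interface definitions. [HOST]` between the 26 and 30 entries, keeping the table's column alignment.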
@@ -21,7 +21,7 @@
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-m4_divert(5)m4_dnl
+m4_divert(4)m4_dnl
 ###--------------------------------------------------------------------------
 ### Configuration.
diff --git a/fender.m4 b/fender.m4
index ea0fb32..6161bd6 100644
--- a/fender.m4
+++ b/fender.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_untrusted=eth0
 if_dmz=$if_untrusted
diff --git a/functions.m4 b/functions.m4
index 05decbf..555072e 100644
--- a/functions.m4
+++ b/functions.m4
@@ -62,7 +62,7 @@ m4_divert(38)m4_dnl
 ###--------------------------------------------------------------------------
 ### Utility chains (used by function definitions).
-m4_divert(22)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Basic chain constructions.
@@ -122,7 +122,7 @@ errorchain () {
 run ip46tables -t $table -A $chain -j DROP
 }
-m4_divert(24)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Basic option setting.
@@ -178,7 +178,7 @@ setdevopt () {
 done
 }
-m4_divert(26)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Packet filter construction.
@@ -219,7 +219,7 @@ run ip6tables -A accept-non-init-frag -j RETURN \
 -m frag --fragfirst
 run ip6tables -A accept-non-init-frag -j ACCEPT
-m4_divert(26)m4_dnl
+m4_divert(20)m4_dnl
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
@@ -306,7 +306,7 @@ openports () {
 run ip46tables -A $chain -p udp -g interesting --destination-port $1:$2
 }
-m4_divert(28)m4_dnl
+m4_divert(20)m4_dnl
 ###--------------------------------------------------------------------------
 ### Packet classification.
diff --git a/gibson.m4 b/gibson.m4
index 1676153..22bfe57 100644
--- a/gibson.m4
+++ b/gibson.m4
@@ -30,7 +30,7 @@ setconf(forward, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_trusted=eth0
 if_dmz=$if_trusted
@@ -45,7 +45,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### gibson-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
 ssh \
diff --git a/ibanez.m4 b/ibanez.m4
index 2ec2c1c..b2c158e 100644
--- a/ibanez.m4
+++ b/ibanez.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=br-dmz
 if_trusted=br-unsafe
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### ibanez-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
 ssh \
diff --git a/jem.m4 b/jem.m4
index c91a104..1f74d59 100644
--- a/jem.m4
+++ b/jem.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### jem-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Set up the SAUCE sinbin. Unfortunately, ipset is a bit brittle. This
 ## isn't a completely critical part of the firewall security, so don't make
 ## this fail the entire script.
diff --git a/local.m4 b/local.m4
index 2d880b9..399e69c 100644
--- a/local.m4
+++ b/local.m4
@@ -30,14 +30,14 @@ defnetclass untrusted untrusted trusted
 defnetclass trusted untrusted trusted safe noloop
 defnetclass safe trusted safe noloop
 defnetclass noloop trusted safe
-m4_divert(-1)m4_dnl
+m4_divert(-1)
+m4_divert(26)m4_dnl
 ###--------------------------------------------------------------------------
 ### Network layout.
-m4_divert(46)m4_dnl
-## Networks and routing.
-
+m4_divert(44)m4_dnl
+## Network definitions.
 defiface $if_dmz \
 trusted:62.49.204.144/28 \
 trusted:172.29.199.0/25 \
@@ -58,7 +58,7 @@ defiface $if_its_pi safe:192.168.0.0/24
 ## Default NTP servers.
 ntp_servers="158.152.1.76 158.152.1.204 194.159.253.2 195.173.57.232"
-m4_divert(60)m4_dnl
+m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Special forwarding exemptions.
@@ -105,6 +105,7 @@ run ip6tables -A fwd-spec-nofrag -j ACCEPT \
 -m state --state ESTABLISHED
 m4_divert(60)m4_dnl
+m4_divert(80)m4_dnl
 ###--------------------------------------------------------------------------
 ### Kill things we don't understand properly.
 ###
@@ -119,7 +120,7 @@ run iptables -A FORWARD -g poorly-understood \
 run ip6tables -A FORWARD -g poorly-understood \
 -d ff::/8
-m4_divert(80)m4_dnl
+m4_divert(84)m4_dnl
 ###--------------------------------------------------------------------------
 ### Locally-bound packet inspection.
diff --git a/numbers.m4 b/numbers.m4
index ec86266..d5ab0c1 100644
--- a/numbers.m4
+++ b/numbers.m4
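Review bot: In the `@@ -105,6 +105,7 @@` hunk of local.m4 the context line `m4_divert(60)m4_dnl` is left in place directly ahead of the added `m4_divert(80)m4_dnl`, so after the renumber it selects the ICMP-filtering diversion (60 in the new base.m4 map) for zero lines before being overridden. Nothing is emitted between the two calls today, so the generated script is unchanged, but the stale line is misleading and any text later inserted between them would silently land in the ICMP section. The earlier hunk in this file (`@@ -58,7 +58,7 @@`) replaces its 60 with 80 outright; doing the same here, `-m4_divert(60)m4_dnl` / `+m4_divert(80)m4_dnl`, keeps the file consistent.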
@@ -21,7 +21,7 @@
 ### along with this program; if not, write to the Free Software Foundation,
 ### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-m4_divert(25)m4_dnl
+m4_divert(24)m4_dnl
 ###--------------------------------------------------------------------------
 ### Magic numbers.
diff --git a/radius.m4 b/radius.m4
index 029d9f1..75a7700 100644
--- a/radius.m4
+++ b/radius.m4
@@ -31,7 +31,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -46,7 +46,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### radius-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
 ident \
diff --git a/roadstar.m4 b/roadstar.m4
index b2e3301..0269caa 100644
--- a/roadstar.m4
+++ b/roadstar.m4
@@ -34,7 +34,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0
 if_trusted=eth1
@@ -49,7 +49,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### roadstar-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(84)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
 ssh \
diff --git a/vampire.m4 b/vampire.m4
index e378447..8e9bb6a 100644
--- a/vampire.m4
+++ b/vampire.m4
@@ -31,7 +31,7 @@ setconf(log_martians, 0)
 ###--------------------------------------------------------------------------
 ### Network interfaces.
-m4_divert(44)m4_dnl
+m4_divert(28)m4_dnl
 ## Interface definitions.
 if_dmz=eth0.0
 if_trusted=eth0.1
@@ -46,7 +46,7 @@ m4_divert(-1)
 ###--------------------------------------------------------------------------
 ### vampire-specific rules.
-m4_divert(82)m4_dnl
+m4_divert(86)m4_dnl
 ## Externally visible services.
 allowservices inbound tcp \
 finger ident \
-- 
2.11.0