#!/bin/bash
# By Brielle Bruns <bruns@2mbit.com>
# URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3
#
# Copyright (C) 2009 - 2010 Brielle Bruns
# Copyright (C) 2009 - 2010 The Summit Open Source Development Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#
# This file defines static variables that we will be using. Normally, you
# should not need to edit these. You can override them in your options
# file easily, thus avoiding problems with overwriting settings during upgrades.
# You should always make sure this file is from the most recent firewall package,
# as missing variables here could foul up the firewall's ability to setup rules
# correctly.
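# Compatibility defaults for users upgrading from pre-1.0 releases. They set
# critical values that would otherwise force those users to rewrite their
# options file. Enabled by default; set COMPAT_CONFIG=0 in your options file
# if you want to be sure you are running from a current options file.
if [[ "${COMPAT_CONFIG:-}" == "1" ]]; then
  # Resolve modprobe once. 'command -v' is the POSIX replacement for 'which'
  # and fails cleanly when the binary is absent. A firewall script normally
  # runs as root, so a PATH lookup can be hijacked by a writable PATH entry;
  # rather than leaving MODPROBE empty when the lookup fails, fall back to
  # the conventional location (/sbin/modprobe on most Linux systems - adjust
  # in your options file if yours differs).
  MODPROBE=$(command -v modprobe) || MODPROBE="/sbin/modprobe"
  # Hook scripts run before and after the firewall itself, located under
  # BASEDIR. Keep BASEDIR root-owned: these are executed with the firewall's
  # privileges.
  PRERUN="$BASEDIR/prerun"
  POSTRUN="$BASEDIR/postrun"
fi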
# ANSI SGR escape sequences for coloured status output. Each value is the
# literal two characters "\E" followed by the sequence; whatever prints them
# is presumably expected to interpret the escape (e.g. echo -e), so leave
# them as-is and override in the options file if you want them disabled.
RED='\E[31m'
GREEN='\E[32m'
YELLOW='\E[33m'
BLUE='\E[34m'
PURPLE='\E[35m'
AQUA='\E[36m'
GREY='\E[37m'
WHITE='\E[1m'           # bold attribute, not a colour index
DEFAULT_COLOR='\E[39m'  # reset foreground to the terminal default
# Netfilter kernel module names the firewall may have to load.
MOD_U32='xt_u32'

# procfs directory holding the per-interface IPv4 settings
# (e.g. /proc/sys/net/ipv4/conf/<if>/rp_filter).
PROC_NET_IPV4='/proc/sys/net/ipv4/conf'

# Multiport match: module name, and how many ports a single multiport rule
# may carry before the firewall must split it. 7 is a conservative default
# (the kernel's own limit is higher, and a port range counts as two
# entries); override both in your options file if needed.
NF_MULTIPORT='xt_multiport'
NF_MULTIPORT_MAX_PORTS='7'
# The three RFC 1918 private blocks, space-separated. This is exactly
# RFC 1918: link-local (169.254.0.0/16), CGNAT shared space (100.64.0.0/10)
# and loopback (127.0.0.0/8) are NOT included, so a rule that must cover
# those has to list them explicitly.
RFC1918_SPACE='192.168.0.0/16 172.16.0.0/12 10.0.0.0/8'
# Which connection-tracking match to emit: "conntrack" (-m conntrack
# --ctstate) is the current match; "state" is the older alias kept for
# kernels/iptables builds that lack xt_conntrack. Override in options.
STATE_TYPE='conntrack'
# Multiport support: "auto" lets the firewall detect whether the running
# iptables/kernel supports -m multiport instead of assuming it.
IPTABLES_MULTIPORT='auto'
# Files the generated IPv4 and IPv6 rule output is cached in, under BASEDIR.
# If this cache is later fed back into iptables, whoever can write these
# files controls the loaded ruleset - keep the cache directory root-owned
# and not world-writable.
RULE_CACHE="$BASEDIR/cache/ipt-rules"
RULE_CACHE_V6="$BASEDIR/cache/ipt6-rules"
# External (Internet-facing) interface and address. EXTIF defaults to a
# fixed name, so on systems using predictable interface names (enp0s3,
# ens192, ...) it must be overridden in the options file. EXTIP="auto"
# presumably means the address is looked up at run time; the *_FIND
# helpers under $BASEDIR/bin are the scripts used for that detection and
# run with the firewall's privileges, so BASEDIR must not be writable by
# untrusted users.
EXTIF='eth0'
EXTIP='auto'
EXTIF_FIND="$BASEDIR/bin/get_default_if"
EXTIP_FIND="$BASEDIR/bin/get_default_ip"
# Allow the ICMPv6 types IPv6 cannot function without (neighbour/router
# discovery, packet-too-big for PMTUD, etc. - see RFC 4890). Set to 0 only
# if you really intend to filter ICMPv6 yourself; blanket-dropping ICMPv6
# breaks IPv6 connectivity rather than hardening it.
IPV6_ICMP_CRITICAL='1'
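# Regexes used to decide whether an address entry is valid. These may need
# tweaking over time. Neither pattern is anchored, so the caller must add
# ^...$ (or the equivalent) itself.
#
# IPv4: a plain dotted quad, each octet 0-255 with no leading zeros. Kept to
# POSIX ERE syntax so it works with bash [[ =~ ]], grep -E and grep -P alike.
# Do not reuse the IPv6 pattern here: it also matches IPv6 literals, so an
# IPv6 address would pass the IPv4 check.
IPV4_MATCH="(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}"

# IPv6: the pattern from
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
# It uses PCRE features (atomic groups, subpattern recursion), so it needs
# grep -P or perl - bash's ERE matcher cannot compile it. Caveats: hex digits
# must be lower case (there is no case-insensitive flag here), and it also
# accepts IPv4-embedded forms such as ::ffff:10.0.0.1 and bare IPv4.
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"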
# Prefix-length validation is not implemented yet: there is no pattern here
# that constrains a mask to /0-/32 (IPv4) or /0-/128 (IPv6). Contributions
# welcome. Until then a malformed prefix length is presumably not rejected
# by this check, so treat address entries in the options file as trusted
# input written by the administrator.
IPV4_NETMASK_MATCH=''
IPV6_NETMASK_MATCH=''
# Chain policies for IPv4 and IPv6. INPUT and OUTPUT default to ACCEPT so
# that one bad rule set does not lock the administrator out; FORWARD
# defaults to DROP because nothing should be routed through this host
# unless a rule explicitly permits it.
#
# Hardening note: with an ACCEPT policy on INPUT the host is fully exposed
# whenever the rule set is flushed or fails to load. Once an explicit
# management (e.g. SSH) accept rule is known to work, consider overriding
# IPV4_PINPUT=DROP and IPV6_PINPUT=DROP in the options file.
IPV4_PINPUT='ACCEPT'
IPV6_PINPUT='ACCEPT'
IPV4_POUTPUT='ACCEPT'
IPV6_POUTPUT='ACCEPT'
IPV4_PFORWARD='DROP'
IPV6_PFORWARD='DROP'