Adjust routedclientblock options

master
bbruns 2011-02-09 07:08:51 +00:00
parent 979aa863c3
commit 192040ebf2
4 changed files with 35 additions and 27 deletions


@ -1,4 +1,8 @@
0.9.11 - Brielle Bruns <bruns@2mbt.com>
0.9.12 - Brielle Bruns <bruns@2mbit.com>
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
block incoming to.
0.9.11 - Brielle Bruns <bruns@2mbit.com>
- Move some of the config clutter to conf/ - you can
put your config files anywhere, but by default, they're
now going to be in conf/


@ -1,4 +1,4 @@
VERSION=0.9.11
VERSION=0.9.12
TAR=/usr/bin/tar
TARBALL="firewall-sosdg-$(VERSION).tar.bz2"


@ -700,10 +700,28 @@ if [ $IPV6 ]; then
reset_color
if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then
display_c YELLOW "Loading custom ip block rules..."
display_c YELLOW "Loading custom IPv6 block rules..."
. "$BASEDIR/include/ipv6_custom_blockip"
fi
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
display_c YELLOW "Loading custom IPv6 conntrack rules..."
. "$BASEDIR/include/ipv6_custom_conntrack"
fi
if [ "$IPV6_CONNTRACK" ]; then
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
fi
if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
for i in $DNS_REQUESTS_OUT; do
@ -881,29 +899,14 @@ fi
done
echo -ne "\n"
fi
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
display_c YELLOW "Loading custom IPv6 conntrack rules..."
. "$BASEDIR/include/ipv6_custom_conntrack"
fi
if [ "$IPV6_CONNTRACK" ]; then
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
fi
if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
$IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6_INT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6_INT -p udp ! --dport 32768:65535 -j DROP
$IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p udp ! --dport 32768:65535 -j DROP
if [ "$IPV6_ROUTEDCLIENTBLOCK" ]; then
for i in $IPV6_ROUTEDCLIENTBLOCK; do
$IP6TABLES -A OUTPUT -d $i -p tcp --syn -j DROP
$IP6TABLES -A OUTPUT -d $i -p udp ! --dport 32768:65535 -j DROP
$IP6TABLES -A FORWARD -d $i -p tcp --syn -j DROP
$IP6TABLES -A FORWARD -d $i -p udp ! --dport 32768:65535 -j DROP
done
fi
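Review bot: The new loop at `for i in $IPV6_ROUTEDCLIENTBLOCK` relies on word-splitting to obtain the list, but each element is then passed unquoted as `-d $i` on all four rules; quote it as `-d "$i"` so a value containing a glob character cannot expand against the current directory before it reaches ip6tables. Separately, the rewritten FORWARD rules carry no `-i $IPV6_INT`/`-o $IPV6_LAN` match, so they now drop new TCP and non-ephemeral UDP toward each listed netblock from every ingress interface, including traffic that originates on other LAN segments; if the intent is still to shield clients from the Internet side only, keep the interface match, e.g. `$IP6TABLES -A FORWARD -i $IPV6_INT -d "$i" -p tcp --syn -j DROP`. The OUTPUT rules are new and block the router's own connections to the listed blocks, while the previous INPUT rules that protected the router itself no longer exist in this block; both look deliberate but deserve a comment above the `if` stating the intended scope. The enclosing `if [ $IPV6 ]` block starts outside the hunk.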


@ -179,8 +179,9 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
#IPV6_BLOCKINCOMING=1
# Special case for routers that have ipv6 clients behind them.
# Useful if clients do not have proper ipv6 firewalls.
#IPV6_ROUTEDCLIENTBLOCK=1
# Useful if clients do not have proper ipv6 firewalls. Give list
# of IPv6 netblocks to enable this on.
#IPV6_ROUTEDCLIENTBLOCK=""
# IP range(s) to forward
#IPV6_ROUTING=$BASEDIR/conf/ipv6-routing
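Review bot: The comment at `# of IPv6 netblocks to enable this on.` should say that the value is a whitespace-separated list, since the firewall script expands it with `for i in $IPV6_ROUTEDCLIENTBLOCK`; for example `#IPV6_ROUTEDCLIENTBLOCK="2001:db8:1::/64 2001:db8:2::/64"` (constructed example). It should also warn that the former boolean form `IPV6_ROUTEDCLIENTBLOCK=1` is no longer valid: an existing config still carrying it would now be handed to ip6tables as `-d 1`, which fails instead of enabling the feature. The changelog entry in this commit describes the new meaning but not this migration step.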