Adjust routedclientblock options
parent
979aa863c3
commit
192040ebf2
|
@ -1,4 +1,8 @@
|
|||
0.9.11 - Brielle Bruns <bruns@2mbt.com>
|
||||
0.9.12 - Brielle Bruns <bruns@2mbit.com>
|
||||
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
|
||||
block incoming to.
|
||||
|
||||
0.9.11 - Brielle Bruns <bruns@2mbit.com>
|
||||
- Move some of the config clutter to conf/ - you can
|
||||
put your config files anywhere, but by default, they're
|
||||
now going to be in conf/
|
||||
|
|
2
Makefile
2
Makefile
|
@ -1,4 +1,4 @@
|
|||
VERSION=0.9.11
|
||||
VERSION=0.9.12
|
||||
TAR=/usr/bin/tar
|
||||
TARBALL="firewall-sosdg-$(VERSION).tar.bz2"
|
||||
|
||||
|
|
|
@ -700,10 +700,28 @@ if [ $IPV6 ]; then
|
|||
reset_color
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then
|
||||
display_c YELLOW "Loading custom ip block rules..."
|
||||
display_c YELLOW "Loading custom IPv6 block rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_blockip"
|
||||
fi
|
||||
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
|
||||
display_c YELLOW "Loading custom IPv6 conntrack rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_conntrack"
|
||||
fi
|
||||
|
||||
if [ "$IPV6_CONNTRACK" ]; then
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
fi
|
||||
|
||||
if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
|
||||
display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
|
||||
for i in $DNS_REQUESTS_OUT; do
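Review bot: Moving the IPV6_CONNTRACK block up to this point changes firewall semantics, not just layout: every rule is appended with `-A` and ip6tables is first-match, so `$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT` now precedes whatever INPUT rules are appended between here and the block's previous position (about 180 lines further down, outside this hunk), and any DROP among those is no longer reached for new inbound connections. The same applies to the RELATED,ESTABLISHED accepts on FORWARD and OUTPUT relative to later DROP rules. If the earlier position is intended, make it explicit with a comment such as `# Conntrack accepts are appended before the per-policy DROP rules below on purpose; anything they accept never reaches those rules`, otherwise the NEW accept should stay after the block rules. The enclosing `if [ $IPV6 ]` block starts outside the hunk.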
|
||||
|
@ -881,29 +899,14 @@ fi
|
|||
done
|
||||
echo -ne "\n"
|
||||
fi
|
||||
|
||||
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
|
||||
display_c YELLOW "Loading custom IPv6 conntrack rules..."
|
||||
. "$BASEDIR/include/ipv6_custom_conntrack"
|
||||
fi
|
||||
|
||||
if [ "$IPV6_CONNTRACK" ]; then
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||
fi
|
||||
|
||||
if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
|
||||
$IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p tcp --syn -j DROP
|
||||
$IP6TABLES -A INPUT -i $IPV6_INT -p tcp --syn -j DROP
|
||||
$IP6TABLES -A INPUT -i $IPV6_INT -p udp ! --dport 32768:65535 -j DROP
|
||||
$IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p udp ! --dport 32768:65535 -j DROP
|
||||
if [ "$IPV6_ROUTEDCLIENTBLOCK" ]; then
|
||||
for i in $IPV6_ROUTEDCLIENTBLOCK; do
|
||||
$IP6TABLES -A OUTPUT -d $i -p tcp --syn -j DROP
|
||||
$IP6TABLES -A OUTPUT -d $i -p udp ! --dport 32768:65535 -j DROP
|
||||
$IP6TABLES -A FORWARD -d $i -p tcp --syn -j DROP
|
||||
$IP6TABLES -A FORWARD -d $i -p udp ! --dport 32768:65535 -j DROP
|
||||
done
|
||||
fi
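Review bot: The rewritten IPV6_ROUTEDCLIENTBLOCK rules lose the interface scoping the old ones had: `-d $i` with no `-i $IPV6_INT` matches forwarded SYNs to the listed netblocks from every ingress interface, and the new OUTPUT pair additionally drops the router's own new TCP connections and low-port UDP towards those clients, which the changelog's "block incoming to" wording does not suggest. If only traffic arriving from the upstream side is meant, keep the interface match, `$IP6TABLES -A FORWARD -i $IPV6_INT -d $i -p tcp --syn -j DROP` and `$IP6TABLES -A FORWARD -i $IPV6_INT -d $i -p udp ! --dport 32768:65535 -j DROP`, and reconsider whether the OUTPUT rules are wanted at all. The old `INPUT -i $IPV6_INT` DROPs that protected the router itself are removed with no replacement in this hunk; if IPV6_BLOCKINCOMING is expected to cover that, a comment saying so would help the next reader. Whether these rules still sit inside the IPv6 section's enclosing `if` cannot be seen from the hunk, as its opening lies outside.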
|
||||
|
||||
|
||||
|
|
|
@ -179,8 +179,9 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
|
|||
#IPV6_BLOCKINCOMING=1
|
||||
|
||||
# Special case for routers that have ipv6 clients behind them.
|
||||
# Useful if clients do not have proper ipv6 firewalls.
|
||||
#IPV6_ROUTEDCLIENTBLOCK=1
|
||||
# Useful if clients do not have proper ipv6 firewalls. Give list
|
||||
# of IPv6 netblocks to enable this on.
|
||||
#IPV6_ROUTEDCLIENTBLOCK=""
|
||||
|
||||
# IP range(s) to forward
|
||||
#IPV6_ROUTING=$BASEDIR/conf/ipv6-routing
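Review bot: The new comment says to give a "list of IPv6 netblocks" but not how the list is delimited or that its entries are passed to ip6tables unvalidated; the script iterates the value with `for i in $IPV6_ROUTEDCLIENTBLOCK`, so entries must be whitespace-separated inside the quotes, and an entry that is not a valid address or prefix presumably makes that ip6tables call fail while the rest of the loop is still attempted. Suggest extending the comment with a constructed example: `# Whitespace-separated list of prefixes, e.g. "2001:db8:1::/64 2001:db8:2::/64" (documentation prefixes, replace with your own)`.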
|
||||
|
|