diff --git a/ChangeLog b/ChangeLog index 1c46b0f..12aad8a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ -0.9.11 - Brielle Bruns +0.9.12 - Brielle Bruns + - Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to + block incoming to. + +0.9.11 - Brielle Bruns - Move some of the config clutter to conf/ - you can put your config files anywhere, but by default, they're now going to be in conf/ diff --git a/Makefile b/Makefile index 5a81edc..0028e2a 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -VERSION=0.9.11 +VERSION=0.9.12 TAR=/usr/bin/tar TARBALL="firewall-sosdg-$(VERSION).tar.bz2" diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg index 7ab57fe..499677a 100755 --- a/bin/firewall-sosdg +++ b/bin/firewall-sosdg @@ -700,10 +700,28 @@ if [ $IPV6 ]; then reset_color if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then - display_c YELLOW "Loading custom ip block rules..." + display_c YELLOW "Loading custom IPv6 block rules..." . "$BASEDIR/include/ipv6_custom_blockip" fi + +if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then + display_c YELLOW "Loading custom IPv6 conntrack rules..." + . "$BASEDIR/include/ipv6_custom_conntrack" +fi + +if [ "$IPV6_CONNTRACK" ]; then + $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT + $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT + $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT + #$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT + $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT + $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT + $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP + $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP + $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP +fi + if [ "$IPV6_DNS_REQUESTS_OUT" ]; then display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.." for i in $DNS_REQUESTS_OUT; do @@ -881,29 +899,14 @@ fi done echo -ne "\n" fi - - if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then - display_c YELLOW "Loading custom IPv6 conntrack rules..." - . "$BASEDIR/include/ipv6_custom_conntrack" - fi - if [ "$IPV6_CONNTRACK" ]; then - $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT - $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT - $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT - #$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT - $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT - $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT - $IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP - $IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP - $IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP - fi - - if [ $IPV6_ROUTEDCLIENTBLOCK ]; then - $IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p tcp --syn -j DROP - $IP6TABLES -A INPUT -i $IPV6_INT -p tcp --syn -j DROP - $IP6TABLES -A INPUT -i $IPV6_INT -p udp ! --dport 32768:65535 -j DROP - $IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p udp ! --dport 32768:65535 -j DROP + if [ "$IPV6_ROUTEDCLIENTBLOCK" ]; then + for i in $IPV6_ROUTEDCLIENTBLOCK; do + $IP6TABLES -A OUTPUT -d $i -p tcp --syn -j DROP + $IP6TABLES -A OUTPUT -d $i -p udp ! --dport 32768:65535 -j DROP + $IP6TABLES -A FORWARD -d $i -p tcp --syn -j DROP + $IP6TABLES -A FORWARD -d $i -p udp ! --dport 32768:65535 -j DROP + done fi diff --git a/options.default b/options.default index 349de01..89e7f07 100755 --- a/options.default +++ b/options.default @@ -179,8 +179,9 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked #IPV6_BLOCKINCOMING=1 # Special case for routers that have ipv6 clients behind them. -# Useful if clients do not have proper ipv6 firewalls. -#IPV6_ROUTEDCLIENTBLOCK=1 +# Useful if clients do not have proper ipv6 firewalls. Give list +# of IPv6 netblocks to enable this on. +#IPV6_ROUTEDCLIENTBLOCK="" # IP range(s) to forward #IPV6_ROUTING=$BASEDIR/conf/ipv6-routing