Adjust routedclientblock options
parent
979aa863c3
commit
192040ebf2
|
@ -1,4 +1,8 @@
|
||||||
0.9.11 - Brielle Bruns <bruns@2mbt.com>
|
0.9.12 - Brielle Bruns <bruns@2mbit.com>
|
||||||
|
- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
|
||||||
|
block incoming to.
|
||||||
|
|
||||||
|
0.9.11 - Brielle Bruns <bruns@2mbit.com>
|
||||||
- Move some of the config clutter to conf/ - you can
|
- Move some of the config clutter to conf/ - you can
|
||||||
put your config files anywhere, but by default, they're
|
put your config files anywhere, but by default, they're
|
||||||
now going to be in conf/
|
now going to be in conf/
|
||||||
|
|
2
Makefile
2
Makefile
|
@ -1,4 +1,4 @@
|
||||||
VERSION=0.9.11
|
VERSION=0.9.12
|
||||||
TAR=/usr/bin/tar
|
TAR=/usr/bin/tar
|
||||||
TARBALL="firewall-sosdg-$(VERSION).tar.bz2"
|
TARBALL="firewall-sosdg-$(VERSION).tar.bz2"
|
||||||
|
|
||||||
|
|
|
@ -700,10 +700,28 @@ if [ $IPV6 ]; then
|
||||||
reset_color
|
reset_color
|
||||||
|
|
||||||
if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then
|
if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then
|
||||||
display_c YELLOW "Loading custom ip block rules..."
|
display_c YELLOW "Loading custom IPv6 block rules..."
|
||||||
. "$BASEDIR/include/ipv6_custom_blockip"
|
. "$BASEDIR/include/ipv6_custom_blockip"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
|
||||||
|
display_c YELLOW "Loading custom IPv6 conntrack rules..."
|
||||||
|
. "$BASEDIR/include/ipv6_custom_conntrack"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$IPV6_CONNTRACK" ]; then
|
||||||
|
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||||
|
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||||
|
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
||||||
|
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||||
|
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||||
|
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
|
if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
|
||||||
display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
|
display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
|
||||||
for i in $DNS_REQUESTS_OUT; do
|
for i in $DNS_REQUESTS_OUT; do
|
||||||
|
@ -882,28 +900,13 @@ fi
|
||||||
echo -ne "\n"
|
echo -ne "\n"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
|
if [ "$IPV6_ROUTEDCLIENTBLOCK" ]; then
|
||||||
display_c YELLOW "Loading custom IPv6 conntrack rules..."
|
for i in $IPV6_ROUTEDCLIENTBLOCK; do
|
||||||
. "$BASEDIR/include/ipv6_custom_conntrack"
|
$IP6TABLES -A OUTPUT -d $i -p tcp --syn -j DROP
|
||||||
fi
|
$IP6TABLES -A OUTPUT -d $i -p udp ! --dport 32768:65535 -j DROP
|
||||||
|
$IP6TABLES -A FORWARD -d $i -p tcp --syn -j DROP
|
||||||
if [ "$IPV6_CONNTRACK" ]; then
|
$IP6TABLES -A FORWARD -d $i -p udp ! --dport 32768:65535 -j DROP
|
||||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
done
|
||||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
|
||||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
|
|
||||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
|
|
||||||
$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
|
||||||
$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
|
|
||||||
$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
|
|
||||||
$IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p tcp --syn -j DROP
|
|
||||||
$IP6TABLES -A INPUT -i $IPV6_INT -p tcp --syn -j DROP
|
|
||||||
$IP6TABLES -A INPUT -i $IPV6_INT -p udp ! --dport 32768:65535 -j DROP
|
|
||||||
$IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p udp ! --dport 32768:65535 -j DROP
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
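Review bot: The rewritten FORWARD rules in the second hunk match on destination alone (`$IP6TABLES -A FORWARD -d $i ...`), whereas the lines they replace were qualified with `-i $IPV6_INT -o $IPV6_LAN`, so forwarded traffic entering on any interface — including internal paths toward a listed netblock — is now dropped as well; if the intent is still to shield clients from the outside, keep the ingress qualifier, e.g. `$IP6TABLES -A FORWARD -i $IPV6_INT -d $i -p tcp --syn -j DROP` and the matching udp line. The INPUT rules that shielded the router itself from `$IPV6_INT` were removed and replaced by OUTPUT rules toward the netblock, which is a behaviour change worth stating in the ChangeLog entry if it is intended. A configuration that still uses the pre-commit form `IPV6_ROUTEDCLIENTBLOCK=1` (the removed line in the conf hunk) now makes the loop pass `-d 1` to ip6tables, which should be rejected and so leaves no block rule at all; a guard such as `case "$i" in 1) display_c YELLOW "IPV6_ROUTEDCLIENTBLOCK now takes netblocks, not 1"; continue ;; esac` at the top of the loop would make that misconfiguration loud instead of silent. The first hunk's enclosing `if [ $IPV6 ]` block starts outside the hunk.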
|
@ -179,8 +179,9 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
|
||||||
#IPV6_BLOCKINCOMING=1
|
#IPV6_BLOCKINCOMING=1
|
||||||
|
|
||||||
# Special case for routers that have ipv6 clients behind them.
|
# Special case for routers that have ipv6 clients behind them.
|
||||||
# Useful if clients do not have proper ipv6 firewalls.
|
# Useful if clients do not have proper ipv6 firewalls. Give list
|
||||||
#IPV6_ROUTEDCLIENTBLOCK=1
|
# of IPv6 netblocks to enable this on.
|
||||||
|
#IPV6_ROUTEDCLIENTBLOCK=""
|
||||||
|
|
||||||
# IP range(s) to forward
|
# IP range(s) to forward
|
||||||
#IPV6_ROUTING=$BASEDIR/conf/ipv6-routing
|
#IPV6_ROUTING=$BASEDIR/conf/ipv6-routing
|
||||||
|
|
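Review bot: The new comment says to give a list of IPv6 netblocks but not how the list is delimited or what form each entry takes, while the loop that consumes the variable splits it on whitespace and passes each word to `-d`; suggest `# Space-separated list of IPv6 netblocks (CIDR form) to enable this on.` and a documentation-range example in the commented-out assignment, e.g. `#IPV6_ROUTEDCLIENTBLOCK="2001:db8::/32"`. It would also help users upgrading to note in the same comment that the old value `1` is no longer accepted.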