diff --git a/ChangeLog b/ChangeLog
index bec7994..d605b65 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+0.9.8 - Brielle Bruns
+ - Almost at v1.0 quality for my tastes
+ - BLOCK_(INCOMING/OUTGOING)_RFC1918 options to help sure up security of LAN space leakage
+
 0.9.7 - Brielle Bruns
 - Support for marking packets, uses new config file and IPv4_MARK file option
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 70fcefe..b08721b 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -18,7 +18,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-FW_VERSION="0.9.7"
+FW_VERSION="0.9.8"
 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file. I leave this on by default,
@@ -145,6 +145,33 @@ if [ $BLOCKEDIP ]; then
 echo -ne "\n"
 fi
+
+if [ "$BLOCK_OUTGOING_RFC1918" ]; then
+ display_c YELLOW "Blocking RFC1918 space going out on: " N
+ for i in $BLOCK_OUTGOING_RFC1918; do
+ display_c BLUE "$i" N
+ for x in $RFC1918_SPACE; do
+ $IPTABLES -A OUTPUT -d $i -s $x -j DROP
+ $IPTABLES -A FORWARD -d $i -s $x -j DROP
+ done
+ done
+ echo -ne "\n"
+ unset i x
+fi
+
+if [ "$BLOCK_INCOMING_RFC1918" ]; then
+ display_c YELLOW "Blocking RFC1918 space coming in on: " N
+ for i in $BLOCK_INCOMING_RFC1918; do
+ display_c BLUE "$i" N
+ for x in $RFC1918_SPACE; do
+ $IPTABLES -A OUTPUT -s $i -s $x -j DROP
+ $IPTABLES -A FORWARD -s $i -s $x -j DROP
+ done
+ done
+ echo -ne "\n"
+ unset i x
+fi
+
 if [ "$STRIPECN" ]; then
 display_c YELLOW "Stripping ECN off of TCP packets to " N
 for i in $STRIPECN; do
diff --git a/include/static b/include/static
index 7e23681..c6dd4a6 100644
--- a/include/static
+++ b/include/static
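Review bot: The new rules in the BLOCK_OUTGOING_RFC1918 loop pass the interface name as a destination address (`-d $i`), and the BLOCK_INCOMING_RFC1918 loop passes `-s` twice (`-s $i -s $x`) and appends to OUTPUT rather than INPUT, so with the documented value `ppp0` iptables is expected to reject these rules (duplicate `-s`, unresolvable `-d ppp0`) and no RFC1918 traffic is actually dropped. Interface matches need `-o` on OUTPUT/FORWARD for the outgoing case and `-i` on INPUT/FORWARD for the incoming case; the rewritten rule lines are below. Quoting `"$i"` and `"$x"` is worth doing while here, so that an unusual option value cannot silently change the shape of the rule. Separately, the options.default comment in this commit points users to `BLOCK_INCOMING_RFC1981`, which is not the variable this hunk reads (`BLOCK_INCOMING_RFC1918`).
```shell
# … unchanged: BLOCK_OUTGOING_RFC1918 loop header and display_c calls …
      $IPTABLES -A OUTPUT -o "$i" -s "$x" -j DROP
      $IPTABLES -A FORWARD -o "$i" -s "$x" -j DROP
# … unchanged: BLOCK_INCOMING_RFC1918 loop header and display_c calls …
      $IPTABLES -A INPUT -i "$i" -s "$x" -j DROP
      $IPTABLES -A FORWARD -i "$i" -s "$x" -j DROP
```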
@@ -51,4 +51,7 @@ PROC_NET_IPV4="/proc/sys/net/ipv4/conf"
 # Multiport options - override in options
 NF_MULTIPORT="xt_multiport"
-NF_MULTIPORT_MAX_PORTS="7"
\ No newline at end of file
+NF_MULTIPORT_MAX_PORTS="7"
+
+# RFC 1918 Space
+RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
\ No newline at end of file
diff --git a/options.default b/options.default
index 8d8bd96..7a370c4 100755
--- a/options.default
+++ b/options.default
@@ -82,7 +82,6 @@ IPv4_MARK=$BASEDIR/ipv4-marks
 # HACK_IPV4="NS-IN-DDOS"
-
 #==============
 # Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
 # IP ranges(s) to NAT using SNAT.
@@ -97,7 +96,6 @@ HACK_IPV4="NS-IN-DDOS"
 # MASQ:::
 #NAT_RANGE=
-
 # IP Ranges to block all traffic incoming/outgoing
 BLOCKEDIP=$BASEDIR/blocked
@@ -109,6 +107,20 @@ BLOCKEDIP=$BASEDIR/blocked
 # Either individual IPs or 0.0.0.0/0
 STRIPECN="0.0.0.0/0"
+# Block private LAN traffic (RFC reserved space) going OUT on these interfaces
+# for security reasons. This has the potential to cause issues if your
+# provider uses private IP space for uplinks in PPPoE/PPPoA, so don't use it
+# and use BLOCK_INCOMING_RFC1981 instead.
+#BLOCK_OUTGOING_RFC1918="ppp0"
+
+# Block private LAN traffic (RFC reserved space) coming IN on these interfaces
+# for security reasons. This is a bit more safer to use if your provider uses
+# private IP space for the other end of PPP links.
+#BLOCK_INCOMING_RFC1918="ppp0"
+
+# RFC1918 Space override, don't change or uncomment this unless you absolutely need to
+#RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
+
 # IPv6 related features. Commenting out IPV6 variable disables ALL
 # IPv6 related items
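Review bot: `RFC1918_SPACE` is assigned unconditionally here, while options.default in this same commit presents a commented-out `RFC1918_SPACE=` as a user override; whether that override survives depends on whether include/static is sourced before or after the options file, which this diff does not show. If static is sourced last, a user's value would be silently replaced by the default, so a default-only assignment such as `: "${RFC1918_SPACE:=192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"` keeps the override working in either order. A one-line comment noting that the options file may override this value would also make the intent clear.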