From 604df44c2f550cc4c61b026c502070471e53f50a Mon Sep 17 00:00:00 2001
From: bbruns
Date: Wed, 13 Oct 2010 20:14:46 +0000
Subject: [PATCH] Non-conntrack udp DNS reply option
---
 ChangeLog | 4 ++++
 Makefile | 2 +-
 bin/firewall-sosdg | 24 +++++++++++++++++++++++-
 options.default | 5 +++++
 4 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3403bdd..52dee30 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+0.9.9 - Brielle Bruns
+ - Loadable module support during firewall loading
+ - More init script fixes.
+
 0.9.8a - Brielle Bruns
 - Fixing executable file permission issues
 - Use /bin/bash in initscript cause dash does not recognize
diff --git a/Makefile b/Makefile
index f387712..c52403f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VERSION=0.9.8a
+VERSION=0.9.9
 TAR=/usr/bin/tar
 TARBALL="firewall-sosdg-$(VERSION).tar.bz2"
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index f74f801..369ca15 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -18,7 +18,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-FW_VERSION="0.9.8"
+FW_VERSION="0.9.9"
 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file. I leave this on by default,
@@ -139,6 +139,28 @@ if [ "$TRUSTEDIP" ]; then
 echo -ne "\n"
 fi
+if [ "$DNS_REQUESTS_OUT" ]; then
+ display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
+ for i in $DNS_REQUESTS_OUT; do
+ if [[ "$i" =~ "|" ]]; then
+ echo "Original variable: ${DNS_REQUESTS_OUT}"
+ IFS_OLD=${IFS};IFS=\|
+ DNSREQ=($i)
+ IFS=${IFS_OLD}
+ SRCIF=${DNSREQ[0]}
+ DNSIP_NUM=${#DNSREQ[@]}
+ DNSIP_COUNT_CURR=1
+ for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
+ if [ ${DNSREQ[$i]} ]; then
+ ${IPTABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
+ fi
+ done
+ else
+ {$IPTABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
+ fi
+ done
+fi
+
 if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
 display_c YELLOW "Loading custom ip block rules..."
 . "$BASEDIR/include/ipv4_custom_blockip"
diff --git a/options.default b/options.default
index 1df7fee..03b4c6c 100755
--- a/options.default
+++ b/options.default
@@ -52,6 +52,11 @@ IPTABLES_MULTIPORT=auto
 #NF_MULTIPORT="xt_multiport"
 #NF_MULTIPORT_MAX_PORTS="7"
+# Allow outgoing DNS requests - important if you did not activate connection
+# tracking. Set this to the interfaces you wish to use for outgoing requests
+# plus the IP addresses of your upstream servers (up to 3) if you need to.
+#DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
+
 # TCP/UDP/Protocol to allow
 TCPPORTS="20 21 22 53 80 113 123 443"
 UDPPORTS="53"
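Review bot: The else branch's `{$IPTABLES} -A INPUT -i $i ...` has the brace on the wrong side of the dollar sign, so for a plain interface entry (the `eth1` form in the options.default example) bash tries to execute a word beginning with `{` instead of iptables and no reply rule is ever added; it should read `${IPTABLES}`. The inner `for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++))` reuses the outer loop variable `i` and runs one past the last array index, relying on the unquoted `[ ${DNSREQ[$i]} ]` test to skip the empty slot; a separate index bounded by `< DNSIP_NUM` with a quoted `-n` test makes the intent explicit, and `DNSIP_COUNT_CURR` then has no purpose. The `echo "Original variable: ${DNS_REQUESTS_OUT}"` line looks like leftover debugging output and should go. Since this path exists for hosts without connection tracking, the bare-interface form accepts any UDP datagram with source port 53 to every port from 1024 upward on that interface, so the option comment should steer users toward listing their resolver addresses rather than the interface alone.
```shell
      # … unchanged: IFS split of "$i" into DNSREQ, SRCIF and DNSIP_NUM …
      for ((n=1; n < DNSIP_NUM; n++)); do
        if [ -n "${DNSREQ[$n]}" ]; then
          ${IPTABLES} -A INPUT -i "${SRCIF}" -p udp --sport 53 -s "${DNSREQ[$n]}" --destination-port 1024:65535 -j ACCEPT
        fi
      done
    else
      ${IPTABLES} -A INPUT -i "$i" -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
    fi
```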