brielle
/
Firewall-SOSDG
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Non-conntrack udp DNS reply option

master
bbruns 2010-10-13 20:14:46 +00:00
parent 8e3df29bf4
commit 604df44c2f
4 changed files with 33 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -1,3 +1,7 @@
0.9.9 - Brielle Bruns <bruns@2mbit.com>
- Loadable module support during firewall loading
- More init script fixes.
0.9.8a - Brielle Bruns <bruns@2mbit.com> 0.9.8a - Brielle Bruns <bruns@2mbit.com>
- Fixing executable file permission issues - Fixing executable file permission issues
- Use /bin/bash in initscript cause dash does not recognize - Use /bin/bash in initscript cause dash does not recognize

2
Makefile
View File

@ -1,4 +1,4 @@
VERSION=0.9.8a VERSION=0.9.9
TAR=/usr/bin/tar TAR=/usr/bin/tar
TARBALL="firewall-sosdg-$(VERSION).tar.bz2" TARBALL="firewall-sosdg-$(VERSION).tar.bz2"

24
bin/firewall-sosdg
View File

@ -18,7 +18,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
FW_VERSION="0.9.8" FW_VERSION="0.9.9"
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file. I leave this on by default, # that would otherwise require remaking their options file. I leave this on by default,
@ -139,6 +139,28 @@ if [ "$TRUSTEDIP" ]; then
echo -ne "\n" echo -ne "\n"
fi fi
if [ "$DNS_REQUESTS_OUT" ]; then
display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
for i in $DNS_REQUESTS_OUT; do
if [[ "$i" =~ "|" ]]; then
echo "Original variable: ${DNS_REQUESTS_OUT}"
IFS_OLD=${IFS};IFS=\|
DNSREQ=($i)
IFS=${IFS_OLD}
SRCIF=${DNSREQ[0]}
DNSIP_NUM=${#DNSREQ[@]}
DNSIP_COUNT_CURR=1
for ((i=$DNSIP_COUNT_CURR; i <= $DNSIP_NUM; i++)); do
if [ ${DNSREQ[$i]} ]; then
${IPTABLES} -A INPUT -i ${SRCIF} -p udp --sport 53 -s ${DNSREQ[$i]} --destination-port 1024:65535 -j ACCEPT
fi
done
else
{$IPTABLES} -A INPUT -i $i -p udp --sport 53 --destination-port 1024:65535 -j ACCEPT
fi
done
fi
if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then if [ -s "$BASEDIR/include/ipv4_custom_blockip" ]; then
display_c YELLOW "Loading custom ip block rules..." display_c YELLOW "Loading custom ip block rules..."
. "$BASEDIR/include/ipv4_custom_blockip" . "$BASEDIR/include/ipv4_custom_blockip"

5
options.default
View File

@ -52,6 +52,11 @@ IPTABLES_MULTIPORT=auto
#NF_MULTIPORT="xt_multiport" #NF_MULTIPORT="xt_multiport"
#NF_MULTIPORT_MAX_PORTS="7" #NF_MULTIPORT_MAX_PORTS="7"
# Allow outgoing DNS requests - important if you did not activate connection
# tracking. Set this to the interfaces you wish to use for outgoing requests
# plus the IP addresses of your upstream servers (up to 3) if you need to.
#DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
# TCP/UDP/Protocol to allow # TCP/UDP/Protocol to allow
TCPPORTS="20 21 22 53 80 113 123 443" TCPPORTS="20 21 22 53 80 113 123 443"
UDPPORTS="53" UDPPORTS="53"