Policy settings, fix location of ipv6 closing fi
parent
d0bf4ac683
commit
ab10d17e3b
|
@ -3,8 +3,8 @@
|
||||||
# URL: http://www.sosdg.org/freestuff/firewall
|
# URL: http://www.sosdg.org/freestuff/firewall
|
||||||
# License: GPLv3
|
# License: GPLv3
|
||||||
#
|
#
|
||||||
# Copyright (C) 2009 - 2010 Brielle Bruns
|
# Copyright (C) 2009 - 2011 Brielle Bruns
|
||||||
# Copyright (C) 2009 - 2010 The Summit Open Source Development Group
|
# Copyright (C) 2009 - 2011 The Summit Open Source Development Group
|
||||||
#
|
#
|
||||||
# This program is free software: you can redistribute it and/or modify
|
# This program is free software: you can redistribute it and/or modify
|
||||||
# it under the terms of the GNU General Public License as published by
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
@ -18,7 +18,7 @@
|
||||||
# You should have received a copy of the GNU General Public License
|
# You should have received a copy of the GNU General Public License
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
FW_VERSION="0.9.12"
|
FW_VERSION="0.9.13"
|
||||||
|
|
||||||
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
|
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults
|
||||||
# that would otherwise require remaking their options file. I leave this on by default,
|
# that would otherwise require remaking their options file. I leave this on by default,
|
||||||
|
@ -699,9 +699,9 @@ if [ $NAT ]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
$IPTABLES --policy INPUT ACCEPT
|
$IPTABLES --policy INPUT ${IPV4_INPUT}
|
||||||
$IPTABLES --policy OUTPUT ACCEPT
|
$IPTABLES --policy OUTPUT ${IPV4_OUTPUT}
|
||||||
$IPTABLES --policy FORWARD DROP
|
$IPTABLES --policy FORWARD ${IPV4_FORWARD}
|
||||||
|
|
||||||
|
|
||||||
if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
|
if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
|
||||||
|
@ -928,7 +928,6 @@ fi
|
||||||
fi
|
fi
|
||||||
reset_color
|
reset_color
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then
|
if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then
|
||||||
display_c YELLOW "Loading custom IPv6 mark rules..."
|
display_c YELLOW "Loading custom IPv6 mark rules..."
|
||||||
|
@ -971,7 +970,6 @@ fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
|
if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
|
||||||
display_c YELLOW "Loading custom IPv6 routing rules..."
|
display_c YELLOW "Loading custom IPv6 routing rules..."
|
||||||
. "$BASEDIR/include/ipv6_custom_routing"
|
. "$BASEDIR/include/ipv6_custom_routing"
|
||||||
|
@ -991,6 +989,10 @@ fi
|
||||||
$IP6TABLES -A INPUT -p tcp --syn -j DROP
|
$IP6TABLES -A INPUT -p tcp --syn -j DROP
|
||||||
$IP6TABLES -A INPUT -p udp -j DROP
|
$IP6TABLES -A INPUT -p udp -j DROP
|
||||||
fi
|
fi
|
||||||
|
$IP6TABLES --policy INPUT ${IPV6_INPUT}
|
||||||
|
$IP6TABLES --policy OUTPUT ${IPV6_OUTPUT}
|
||||||
|
$IP6TABLES --policy FORWARD ${IPV6_FORWARD}
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $TWEAKS ]; then
|
if [ $TWEAKS ]; then
|
||||||
for i in `grep -v "\#" $TWEAKS`; do
|
for i in `grep -v "\#" $TWEAKS`; do
|
||||||
|
|
|
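Review bot: The new `$IP6TABLES --policy INPUT ${IPV6_INPUT}`, `OUTPUT` and `FORWARD` lines in the -991 hunk (and the matching `$IPTABLES --policy` lines in the -699 hunk) hand the option value to ip6tables/iptables unchecked and unquoted, so an empty or misspelled value makes the `--policy` call fail only after every rule in the IPv6 block has already been installed; the example options file in this same commit sets `IPV6_INPUT=ALLOW`, which is not a valid builtin-chain policy, so that failure would presumably occur with the shipped configuration. Validating each of the six variables against `ACCEPT|DROP` — ideally right after the options file is read, before any rule is installed, which is outside this hunk — fails early instead, and the expansions should be quoted (`"${IPV6_INPUT}"`). The `if` block whose closing `fi` this hunk relocates starts outside the hunk.
```shell
# Abort before touching any chain if a policy variable is not ACCEPT or DROP,
# since an empty or unknown value makes the later --policy call fail.
check_policy() {
    case "$2" in
        ACCEPT|DROP) ;;
        *) echo "Invalid value for $1: '$2' (expected ACCEPT or DROP)" >&2; exit 1 ;;
    esac
}
# … unchanged: IPv6 custom includes and syn/udp DROP rules …
check_policy IPV6_INPUT   "${IPV6_INPUT}"
check_policy IPV6_OUTPUT  "${IPV6_OUTPUT}"
check_policy IPV6_FORWARD "${IPV6_FORWARD}"
$IP6TABLES --policy INPUT "${IPV6_INPUT}"
$IP6TABLES --policy OUTPUT "${IPV6_OUTPUT}"
$IP6TABLES --policy FORWARD "${IPV6_FORWARD}"
```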
@ -80,7 +80,17 @@ IPV6_ICMP_CRITICAL=1
|
||||||
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
|
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
|
||||||
IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
|
IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
|
||||||
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
|
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
|
||||||
|
|
||||||
# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
|
# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
|
||||||
# If anyone wants to write these, feel free to!
|
# If anyone wants to write these, feel free to!
|
||||||
IPV4_NETMASK_MATCH=""
|
IPV4_NETMASK_MATCH=""
|
||||||
IPV6_NETMASK_MATCH=""
|
IPV6_NETMASK_MATCH=""
|
||||||
|
|
||||||
|
# Default policies for IPv4 and IPv6. Make these ACCEPT by default, except for FORWARD,
|
||||||
|
# since one wrong configuration can lock someone out.
|
||||||
|
IPV4_INPUT=ACCEPT
|
||||||
|
IPV4_OUTPUT=ACCEPT
|
||||||
|
IPV4_FORWARD=DROP
|
||||||
|
IPV6_INPUT=ACCEPT
|
||||||
|
IPV6_OUTPUT=ACCEPT
|
||||||
|
IPV6_FORWARD=DROP
|
|
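Review bot: The comment introducing the new `IPV4_INPUT`/`IPV6_FORWARD` defaults in the -80 hunk explains why FORWARD defaults to DROP but never states which values are acceptable, even though the main script passes the value straight to `iptables --policy`. A line such as `# Valid values: ACCEPT or DROP (passed verbatim to iptables/ip6tables --policy; anything else fails).` above `IPV4_INPUT=ACCEPT` would tell users what they may write in their options file.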
@ -41,6 +41,16 @@ POSTRUN="$BASEDIR/conf/postrun"
|
||||||
# Space separated list of interfaces to apply this on
|
# Space separated list of interfaces to apply this on
|
||||||
#CLAMPMSS="ppp0 eth0"
|
#CLAMPMSS="ppp0 eth0"
|
||||||
|
|
||||||
|
|
||||||
|
# Default IPv4 policies
|
||||||
|
# IPV4_INPUT set to DROP is different from BLOCKINCOMING,
|
||||||
|
# as BLOCKINCOMING only blocks syn packets for TCP while still
|
||||||
|
# allowing established connections even if connection tracking is off.
|
||||||
|
# BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
|
||||||
|
IPV4_INPUT=ACCEPT
|
||||||
|
IPV4_OUTPUT=ACCEPT
|
||||||
|
IPV4_FORWARD=DROP
|
||||||
|
|
||||||
# Do we run a LAN DHCP server? Put the interfaces here
|
# Do we run a LAN DHCP server? Put the interfaces here
|
||||||
# where this server is providing services.
|
# where this server is providing services.
|
||||||
#LANDHCPSERVER="eth0 eth1"
|
#LANDHCPSERVER="eth0 eth1"
|
||||||
|
@ -173,6 +183,15 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
|
||||||
#IPV6_FORWARD=1
|
#IPV6_FORWARD=1
|
||||||
#IPV6_CONNTRACK=1
|
#IPV6_CONNTRACK=1
|
||||||
|
|
||||||
|
# Default IPv6 policies
|
||||||
|
# IPV6_INPUT set to DROP is different from IPV6_BLOCKINCOMING,
|
||||||
|
# as BLOCKINCOMING only blocks syn packets for TCP while still
|
||||||
|
# allowing established connections even if connection tracking is off.
|
||||||
|
# BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
|
||||||
|
IPV6_INPUT=ALLOW
|
||||||
|
IPV6_OUTPUT=ALLOW
|
||||||
|
IPV6_FORWARD=DROP
|
||||||
|
|
||||||
# Allow outgoing DNS requests - important if you did not activate connection
|
# Allow outgoing DNS requests - important if you did not activate connection
|
||||||
# tracking. Set this to the interfaces you wish to use for outgoing requests
|
# tracking. Set this to the interfaces you wish to use for outgoing requests
|
||||||
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
|
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
|
||||||
|
|
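Review bot: `IPV6_INPUT=ALLOW` and `IPV6_OUTPUT=ALLOW` in the -173 hunk are not valid ip6tables policy targets — builtin chains take `ACCEPT` or `DROP` for `--policy` — so a user who copies this options file as-is would have the `$IP6TABLES --policy INPUT ${IPV6_INPUT}` call added in the main script rejected. The IPv4 block in the -41 hunk of the same file and the new defaults both use `ACCEPT`, so these two lines should read `IPV6_INPUT=ACCEPT` and `IPV6_OUTPUT=ACCEPT`. The comment above them is also inconsistent in naming the option it contrasts with (`IPV6_BLOCKINCOMING` on the first line, `BLOCKINCOMING` on the next two) and would benefit from stating the accepted values.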