Policy settings, fix location of ipv6 closing fi

master
bbruns 2011-02-18 20:09:54 +00:00
parent d0bf4ac683
commit ab10d17e3b
3 changed files with 40 additions and 9 deletions


@ -3,8 +3,8 @@
# URL: http://www.sosdg.org/freestuff/firewall # URL: http://www.sosdg.org/freestuff/firewall
# License: GPLv3 # License: GPLv3
# #
# Copyright (C) 2009 - 2010 Brielle Bruns # Copyright (C) 2009 - 2011 Brielle Bruns
# Copyright (C) 2009 - 2010 The Summit Open Source Development Group # Copyright (C) 2009 - 2011 The Summit Open Source Development Group
# #
# This program is free software: you can redistribute it and/or modify # This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by # it under the terms of the GNU General Public License as published by
@ -18,7 +18,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
FW_VERSION="0.9.12" FW_VERSION="0.9.13"
# These option is here to help pre-1.0 users easily upgrade, defines critical defaults # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
# that would otherwise require remaking their options file. I leave this on by default, # that would otherwise require remaking their options file. I leave this on by default,
@ -699,9 +699,9 @@ if [ $NAT ]; then
fi fi
fi fi
$IPTABLES --policy INPUT ACCEPT $IPTABLES --policy INPUT ${IPV4_INPUT}
$IPTABLES --policy OUTPUT ACCEPT $IPTABLES --policy OUTPUT ${IPV4_OUTPUT}
$IPTABLES --policy FORWARD DROP $IPTABLES --policy FORWARD ${IPV4_FORWARD}
if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
@ -928,7 +928,6 @@ fi
fi fi
reset_color reset_color
fi fi
fi
if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then
display_c YELLOW "Loading custom IPv6 mark rules..." display_c YELLOW "Loading custom IPv6 mark rules..."
@ -971,7 +970,6 @@ fi
fi fi
if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
display_c YELLOW "Loading custom IPv6 routing rules..." display_c YELLOW "Loading custom IPv6 routing rules..."
. "$BASEDIR/include/ipv6_custom_routing" . "$BASEDIR/include/ipv6_custom_routing"
@ -991,6 +989,10 @@ fi
$IP6TABLES -A INPUT -p tcp --syn -j DROP $IP6TABLES -A INPUT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -p udp -j DROP $IP6TABLES -A INPUT -p udp -j DROP
fi fi
$IP6TABLES --policy INPUT ${IPV6_INPUT}
$IP6TABLES --policy OUTPUT ${IPV6_OUTPUT}
$IP6TABLES --policy FORWARD ${IPV6_FORWARD}
fi
if [ $TWEAKS ]; then if [ $TWEAKS ]; then
for i in `grep -v "\#" $TWEAKS`; do for i in `grep -v "\#" $TWEAKS`; do
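Review bot: The new `$IPTABLES --policy INPUT ${IPV4_INPUT}` / `$IP6TABLES --policy INPUT ${IPV6_INPUT}` lines hand the option value to iptables unquoted and without validating it, and nothing in the hunk checks whether the call succeeded. `--policy` only accepts a built-in target, so a value such as `ALLOW` (which the example options in this same commit use for the IPv6 chains) or an empty variable makes the call fail, and the chain is presumably left with whatever policy it had before the script ran, which may be more permissive than the operator configured. I would validate all six variables against `ACCEPT|DROP` before any rules are loaded and quote them at the call sites, as sketched below. Note also that when the enclosing IPv6 block is skipped no ip6tables policy is set at all, so a host with IPv6 enabled in the kernel keeps its pre-existing chain policies; both the IPv4 and the IPv6 enclosing blocks begin outside this hunk.
```shell
# Only built-in targets are valid chain policies; fail early on anything else
# rather than letting a failed --policy call leave the chain in its previous state.
check_policy() {
    case "$2" in
        ACCEPT|DROP) ;;
        *)
            echo "Invalid policy '$2' for $1: must be ACCEPT or DROP" >&2
            exit 1
            ;;
    esac
}
check_policy IPV4_INPUT "$IPV4_INPUT"
check_policy IPV4_OUTPUT "$IPV4_OUTPUT"
check_policy IPV4_FORWARD "$IPV4_FORWARD"
check_policy IPV6_INPUT "$IPV6_INPUT"
check_policy IPV6_OUTPUT "$IPV6_OUTPUT"
check_policy IPV6_FORWARD "$IPV6_FORWARD"
# … unchanged: NAT handling and custom include loading …
$IPTABLES --policy INPUT "${IPV4_INPUT}"
$IPTABLES --policy OUTPUT "${IPV4_OUTPUT}"
$IPTABLES --policy FORWARD "${IPV4_FORWARD}"
```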


@ -80,7 +80,17 @@ IPV6_ICMP_CRITICAL=1
# http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses # http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))" IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))" IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
# At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32) # At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
# If anyone wants to write these, feel free to! # If anyone wants to write these, feel free to!
IPV4_NETMASK_MATCH="" IPV4_NETMASK_MATCH=""
IPV6_NETMASK_MATCH="" IPV6_NETMASK_MATCH=""
# Default policies for IPv4 and IPv6. Make these ACCEPT by default, except for FORWARD,
# since one wrong configuration can lock someone out.
IPV4_INPUT=ACCEPT
IPV4_OUTPUT=ACCEPT
IPV4_FORWARD=DROP
IPV6_INPUT=ACCEPT
IPV6_OUTPUT=ACCEPT
IPV6_FORWARD=DROP
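Review bot: The comment above the new `IPV4_INPUT=ACCEPT` … `IPV6_FORWARD=DROP` defaults explains why ACCEPT was chosen but not which values are legal, even though the main script passes these straight to `--policy`. I would add `# Valid values are the built-in chain targets ACCEPT and DROP only; anything else makes the --policy call fail.` above `IPV4_INPUT=ACCEPT`. If this file is the pre-1.0 defaults the main script refers to, these values are the fallback for every options file written before the variables existed, so a reader editing them needs that constraint spelled out here rather than discovered from a failed ip6tables call.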


@ -41,6 +41,16 @@ POSTRUN="$BASEDIR/conf/postrun"
# Space separated list of interfaces to apply this on # Space separated list of interfaces to apply this on
#CLAMPMSS="ppp0 eth0" #CLAMPMSS="ppp0 eth0"
# Default IPv4 policies
# IPV4_INPUT set to DROP is different from BLOCKINCOMING,
# as BLOCKINCOMING only blocks syn packets for TCP while still
# allowing established connections even if connection tracking is off.
# BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
IPV4_INPUT=ACCEPT
IPV4_OUTPUT=ACCEPT
IPV4_FORWARD=DROP
# Do we run a LAN DHCP server? Put the interfaces here # Do we run a LAN DHCP server? Put the interfaces here
# where this server is providing services. # where this server is providing services.
#LANDHCPSERVER="eth0 eth1" #LANDHCPSERVER="eth0 eth1"
@ -173,6 +183,15 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
#IPV6_FORWARD=1 #IPV6_FORWARD=1
#IPV6_CONNTRACK=1 #IPV6_CONNTRACK=1
# Default IPv6 policies
# IPV6_INPUT set to DROP is different from IPV6_BLOCKINCOMING,
# as BLOCKINCOMING only blocks syn packets for TCP while still
# allowing established connections even if connection tracking is off.
# BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
IPV6_INPUT=ALLOW
IPV6_OUTPUT=ALLOW
IPV6_FORWARD=DROP
# Allow outgoing DNS requests - important if you did not activate connection # Allow outgoing DNS requests - important if you did not activate connection
# tracking. Set this to the interfaces you wish to use for outgoing requests # tracking. Set this to the interfaces you wish to use for outgoing requests
# plus the IP addresses of your upstream servers (recommended up to 3) if you need to. # plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
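Review bot: `IPV6_INPUT=ALLOW` and `IPV6_OUTPUT=ALLOW` are not valid chain policies: iptables/ip6tables `--policy` accepts only the built-in targets, so the `$IP6TABLES --policy INPUT ${IPV6_INPUT}` call added in the main script would fail with this example file as shipped, and the values also disagree with the IPv4 block in this file (`ACCEPT`) and with the defaults added in the same commit. Change them to `IPV6_INPUT=ACCEPT` and `IPV6_OUTPUT=ACCEPT`. It would also help to say in both comment blocks that only `ACCEPT` or `DROP` is accepted, and that setting INPUT to `DROP` without connection tracking presumably also drops replies to the host's own outbound connections, which the comparison with BLOCKINCOMING hints at but does not state.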