From fc6b4ed4cef9552d6eb1ab058f47880b1cf9ed2a Mon Sep 17 00:00:00 2001 From: bbruns Date: Wed, 13 Oct 2010 21:15:10 +0000 Subject: [PATCH] IPv6 variable rename plus compattibility settings in static --- ChangeLog | 3 ++- bin/firewall-sosdg | 59 +++++++++++++++++----------------------------- include/static | 13 ++++++++++ options.default | 42 ++++++++++++++------------------- 4 files changed, 54 insertions(+), 63 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2b4b4d3..35af82b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,8 +3,9 @@ - More init script fixes. - Non-conntracked DNS reply packets allow options - Slightly improved IPv6 support to start to bring - it up to par with IPv4 support.Ã + it up to par with IPv4 support. - ipv6 marking support, changed ipv4 to use | instead of : + - Renamed IPV6 variables, compatibility in place for now in static file 0.9.8a - Brielle Bruns - Fixing executable file permission issues diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg index fbfb5d1..d98907d 100755 --- a/bin/firewall-sosdg +++ b/bin/firewall-sosdg @@ -618,10 +618,14 @@ if [ "$IPV6_DNS_REQUESTS_OUT" ]; then fi done fi - -if [ "$BLOCKEDIPV6" ]; then + if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then + display_c YELLOW "Loading custom IPv6 blocked outbound port rules..." + . "$BASEDIR/include/ipv6_custom_blockoutports" + fi + +if [ "$IPV6_BLOCKEDIP" ]; then display_c YELLOW "Adding blocked IPv6 addresses... " - for i in `grep -v "\#" $BLOCKEDIPV6`; do + for i in `grep -v "\#" $IPV6_BLOCKEDIP`; do if [[ "$i" =~ "|" ]]; then IFS_OLD=${IFS};IFS=\| ADVBLKIP=($i) @@ -678,9 +682,9 @@ fi . "$BASEDIR/include/ipv6_custom_mssclamp" fi - if [ "$CLAMPMSSIPV6" ]; then + if [ "$IPV6_CLAMPMSS" ]; then display_c YELLOW "Clamping IPV6 MSS to PMTU..." - for i in $CLAMPMSSIPV6; do + for i in $IPV6_CLAMPMSS; do $IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \ --mss 1280:1536 
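Review bot: The renamed guard `if [ "$IPV6_BLOCKEDIP" ]` in the `@@ -618` hunk has no matching entry in the compatibility shim of include/static, which assigns `IPV6_BLOCKED` from `BLOCKEDIPV6` rather than `IPV6_BLOCKEDIP`, so a config that still sets `BLOCKEDIPV6` skips this whole section and no IPv6 block rules are installed, with nothing printed to say so. The shim line should read `IPV6_BLOCKEDIP=${IPV6_BLOCKEDIP=$BLOCKEDIPV6}`. Separately, the `grep -v "\#" $IPV6_BLOCKEDIP` loop only tests that the variable is non-empty; a missing or unreadable list file yields a grep error and an empty loop, again leaving no block rules, whereas the `@@ -767` hunk tests its list file with `[ -r "$IPV6_MARK" ]` — this section could test `-r` the same way and report when the variable is set but the file is not readable. The loop body continues past the end of the hunk.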
@@ -699,36 +703,15 @@ fi done fi - if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then - display_c YELLOW "Loading custom IPv6 blocked outbound port rules..." - . "$BASEDIR/include/ipv6_custom_blockoutports" - fi - if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then - display_c YELLOW "Blocking outbound port: " N - if [ "$BLOCKIPV6TCPPORTS" ]; then - for i in $BLOCKIPV6TCPPORTS; do - echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i " - $IP6TABLES -A OUTPUT -p tcp --dport $i --syn -j DROP - done - fi - if [ "$BLOCKIPV6UDPPORTS" ]; then - for i in $BLOCKIPV6UDPPORTS; do - echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i " - $IP6TABLES -A OUTPUT -p udp --dport $i -j DROP - done - fi - reset_color - fi - if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then display_c YELLOW "Loading custom IPv6 allowed port rules..." . "$BASEDIR/include/ipv6_custom_allowedports" fi - if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then + if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then display_c YELLOW "Adding allowed IPv6 port: " N - if [ "$IPV6TCP" ]; then + if [ "$IPV6_TCPPORTS" ]; then if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then - IPV6TCP=($IPV6TCP) + IPV6_TCPPORTS=($IPV6_TCPPORTS) PORTS_COUNT=${#IPV6TCP[@]} PORTS_COUNT_CURR=0 while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do @@ -750,8 +733,8 @@ fi $IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT done fi - if [ "$IPV6UDP" ]; then - for i in $IPV6UDP; do + if [ "$IPV6_UDPPORTS" ]; then + for i in $IPV6_UDPPORTS; do echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i " $IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT $IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT 
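Review bot: `PORTS_COUNT=${#IPV6TCP[@]}` in the `@@ -699` hunk still reads the old array name while the line above it now builds `IPV6_TCPPORTS=($IPV6_TCPPORTS)`, so in the multiport branch PORTS_COUNT is 0 for a config using the new name (or 1 under the compat shim, where IPV6TCP is a plain string) and the `while` loop adds few or none of the configured IPv6 TCP ACCEPT rules. It should be `PORTS_COUNT=${#IPV6_TCPPORTS[@]}`; the loop body that consumes the array continues past the end of the hunk and likely carries the same stale name, which is worth checking. The UDP rename in the `@@ -750` hunk is consistent with its consumers.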
@@ -767,9 +750,9 @@ fi . "$BASEDIR/include/ipv6_custom_mark" fi - if [ -r "$IPv6_MARK" ]; then + if [ -r "$IPV6_MARK" ]; then display_c YELLOW "Adding IPv6 mark: " - for i in `grep -v "\#" $IPv6_MARK`; do + for i in `grep -v "\#" $IPV6_MARK`; do MARK=( ${i//|/ } ) INIF=${MARK[0]} INIP=${MARK[1]} @@ -798,7 +781,7 @@ fi . "$BASEDIR/include/ipv6_custom_conntrack" fi - if [ "$IPV6CONNTRACK" ]; then + if [ "$IPV6_CONNTRACK" ]; then $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT @@ -810,7 +793,7 @@ fi $IP6TABLES -A FORWARD -m state --state INVALID -j DROP fi - if [ $IPV6ROUTEDCLIENTBLOCK ]; then + if [ $IPV6_ROUTEDCLIENTBLOCK ]; then $IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP $IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP $IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP @@ -823,8 +806,8 @@ fi display_c YELLOW "Loading custom IPv6 routing rules..." . "$BASEDIR/include/ipv6_custom_routing" fi - if [ "$IPV6FORWARDRANGE" ]; then - for i in $IPV6FORWARDRANGE; do + if [ "$IPV6_FORWARDRANGE" ]; then + for i in $IPV6_FORWARDRANGE; do $IP6TABLES -A FORWARD -s $i -j ACCEPT $IP6TABLES -A FORWARD -d $i -j ACCEPT done @@ -834,7 +817,7 @@ fi display_c YELLOW "Loading custom IPv6 incoming blocked port rules..." . "$BASEDIR/include/ipv6_custom_blockincoming" fi - if [ $IPV6BLOCKINCOMING ]; then + if [ $IPV6_BLOCKINCOMING ]; then $IP6TABLES -A INPUT -p tcp --syn -j DROP $IP6TABLES -A INPUT -p udp -j DROP fi diff --git a/include/static b/include/static index 12a128c..4ec3fef 100755 --- a/include/static +++ b/include/static 
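Review bot: In the `@@ -810` hunk the condition is renamed to `IPV6_ROUTEDCLIENTBLOCK` but the rules beneath it still use `$IPV6INT` and `$IPV6LAN`, while options.default in this same commit now documents `IPV6_INT` and `IPV6_LAN` and the compat shim only copies old names to new ones, never the reverse. A config written against the new names therefore leaves both empty, the unquoted expansions drop out of the command line, and ip6tables is invoked with `-i -o -p tcp ...`, which either fails or does not express the intended rule — the routed-client DROP rules meant to protect LAN hosts are then absent with no visible error. Change the rule lines to `-i "$IPV6_INT" -o "$IPV6_LAN"` and `-i "$IPV6_INT"`, and add `IPV6_ROUTEDCLIENTBLOCK` to the shim, which currently has no mapping for it, so old configs keep the feature. The same old/new split may affect `IPV6_TRUSTED`, which the shim defines but no hunk on this page reads; the script's remaining uses of `IPV6TRUSTED` are worth confirming.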
@@ -27,6 +27,19 @@ # but if you want to make sure you have a current options file, define this to 0. if [[ "$COMPAT_CONFIG" == "1" ]]; then MODPROBE=`which modprobe` + # These are temp compatibility with old config files with IPv6 + IPV6_FORWARD=${IPV6_FORWARD=$IPV6FORWARD} + IPV6_CONNTRACK=${IPV6_CONNTRACK=$IPV6CONNTRACK} + IPV6_BLOCKINCOMING=${$IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING} + IPV6_MARK=${IPV6_MARK=$IPv6_MARK} + IPV6_BLOCKED=${IPV6_BLOCKED=$BLOCKEDIPV6} + IPV6_CLAMPMSS=${IPV6_CLAMPMSS=$CLAMPMSSIPV6} + IPV6_INT=${IPV6_INT=$IPV6INT} + IPV6_LAN=${IPV6_LAN=$IPV6LAN} + IPV6_TRUSTED=${IPV6_TRUSTED=$IPV6TRUSTED} + IPV6_TCPPORTS=${IPV6_TCPPORTS=$IPV6TCP} + IPV6_UDPPORTS=${IPV6_UDPPORTS=$IPV6UDP} + IPV6_FORWARDRANGE=${IPV6_FORWARDRANGE=$IPV6FORWARDRANGE} fi PRERUN="$BASEDIR/prerun" diff --git a/options.default b/options.default index d755ff6..1f635fb 100755 --- a/options.default +++ b/options.default @@ -98,14 +98,9 @@ HACK_IPV4="NS-IN-DDOS" # New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS BLOCKEDIP=$BASEDIR/ipv4-blocked -# Block outgoing traffic on these TCP/UDP ports -# Obsoleted: Use BLOCKEDIP above in new format. Going away in 1.0 -#BLOCKTCPPORTS="6881" -#BLOCKUDPPORTS="6881" - # Strip ECN off of packets - helps with blackholes # Either individual IPs or 0.0.0.0/0 -STRIPECN="0.0.0.0/0" +#STRIPECN="0.0.0.0/0" # Block private LAN traffic (RFC reserved space) going OUT on these interfaces # for security reasons. This has the potential to cause issues if your @@ -124,11 +119,11 @@ STRIPECN="0.0.0.0/0" # IPv6 related features. Commenting out IPV6 variable disables ALL # IPv6 related items -IPV6=1 +#IPV6=1 # Do we want IPv6 FORWARD and Connection tracking features? -#IPV6FORWARD=1 -#IPV6CONNTRACK=1 +#IPV6_FORWARD=1 +#IPV6_CONNTRACK=1 # Allow outgoing DNS requests - important if you did not activate connection # tracking. Set this to the interfaces you wish to use for outgoing requests 
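Review bot: `IPV6_BLOCKINCOMING=${$IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}` in the `@@ -27` hunk is a bad substitution (the stray `$` inside the braces), so whenever `COMPAT_CONFIG` is 1 bash reports an error at this line, and since expansion errors are fatal in non-interactive bash the firewall script is expected to stop partway through the static include. It should read `IPV6_BLOCKINCOMING=${IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}`. Two mappings also disagree with their consumers: `IPV6_BLOCKED` is assigned here but bin/firewall-sosdg and options.default use `IPV6_BLOCKEDIP` (`IPV6_BLOCKEDIP=${IPV6_BLOCKEDIP=$BLOCKEDIPV6}`), and `IPV6ROUTEDCLIENTBLOCK`, renamed in the `@@ -810` hunk, has no mapping at all (`IPV6_ROUTEDCLIENTBLOCK=${IPV6_ROUTEDCLIENTBLOCK=$IPV6ROUTEDCLIENTBLOCK}`). Since `${VAR=word}` assigns only when VAR is unset, an explicitly empty new-style value wins over the old name; the block's comment should state that, as it only says the mappings are temporary.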
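Review bot: The `@@ -124` hunk turns `IPV6=1` into `#IPV6=1`, and the `@@ -136` hunk does the same to `IPV6BLOCKINCOMING=1`, `IPV6TRUSTED="::1"` and the `IPV6TCP`/`IPV6UDP` defaults, so a fresh install from options.default now gets no ip6tables policy at all unless the admin uncomments the IPv6 block, whereas before it defaulted to IPv6 enabled with incoming blocked. The `@@ -98` hunk likewise disables `STRIPECN` by default. None of these default changes is mentioned in the commit subject or the ChangeLog entry, which describe only the rename; if opt-in is intended, say so in the ChangeLog and in the comment above `#IPV6=1`, e.g. `# IPv6 filtering is off by default; set IPV6=1 to enable the rules below`.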
@@ -136,40 +131,39 @@ IPV6=1 #IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1" # Default block all incoming ipv6 connections? -IPV6BLOCKINCOMING=1 +#IPV6_BLOCKINCOMING=1 # Special case for routers that have ipv6 clients behind them. # Useful if clients do not have proper ipv6 firewalls. -#IPV6ROUTEDCLIENTBLOCK=1 +#IPV6_ROUTEDCLIENTBLOCK=1 + +# IP range(s) to forward +#IPV6_ROUTING=$BASEDIR/ipv6-routing # Mark ipv6 packets for advanced purposes -#IPv6_MARK=$BASEDIR/ipv6-marks +#IPV6_MARK=$BASEDIR/ipv6-marks # IPv6 Ranges to block all traffic incoming/outgoing -#BLOCKEDIPV6=$BASEDIR/ipv6-blocked +#IPV6_BLOCKEDIP=$BASEDIR/ipv6-blocked # Clamp MSS, useful on DSL/VPN links # Space separated list of interfaces to apply this on # it may be used eventually. -#CLAMPMSSIPV6="he-ipv6" +#IPV6_CLAMPMSS="he-ipv6" # Interface IPv6 comes in on (either tunnel or real network interface) -#IPV6INT=he-ipv6 +#IPV6_INT=he-ipv6 # LAN interface for IPv6 -#IPV6LAN=eth1 +#IPV6_LAN=eth1 # Trusted IPv6 ranges -IPV6TRUSTED="::1" +#IPV6_TRUSTED="::1" # Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to # have same for both ipv4 and ipv6) -IPV6TCP=$TCPPORTS -IPV6UDP=$UDPPORTS +#IPV6_TCPPORTS=$TCPPORTS +#IPV6_UDPPORTS=$UDPPORTS # IPv6 range to forward -#IPV6FORWARDRANGE="" - -# Block outgoing IPv6 traffic on these TCP/UDP ports -#BLOCKIPV6TCPPORTS=$BLOCKTCPPORTS -#BLOCKIPV6UDPPORTS=$BLOCKUDPPORTS +#IPV6_FORWARDRANGE=""
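Review bot: The new `#IPV6_ROUTING=$BASEDIR/ipv6-routing` entry in the `@@ -136` hunk is described as "IP range(s) to forward", the same description the file gives `IPV6_FORWARDRANGE` a few lines below, and none of this commit's script hunks reads `IPV6_ROUTING`, so a reader cannot tell whether it replaces `IPV6_FORWARDRANGE`, supplements it, or is not yet implemented. Either drop the entry until the script consumes it, or replace its comment with one that names what reads the file and how it differs from `IPV6_FORWARDRANGE`; the routing include's contents are not on this page, so this is inferred from the hunks shown.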