IPv6 variable rename plus compatibility settings in static

master
bbruns 2010-10-13 21:15:10 +00:00
parent c2dc9a4fd6
commit fc6b4ed4ce
4 changed files with 54 additions and 63 deletions


@ -3,8 +3,9 @@
- More init script fixes. - More init script fixes.
- Non-conntracked DNS reply packets allow options - Non-conntracked DNS reply packets allow options
- Slightly improved IPv6 support to start to bring - Slightly improved IPv6 support to start to bring
it up to par with IPv4 support.Ã it up to par with IPv4 support.
- ipv6 marking support, changed ipv4 to use | instead of : - ipv6 marking support, changed ipv4 to use | instead of :
- Renamed IPV6 variables, compatibility in place for now in static file
0.9.8a - Brielle Bruns <bruns@2mbit.com> 0.9.8a - Brielle Bruns <bruns@2mbit.com>
- Fixing executable file permission issues - Fixing executable file permission issues


@ -618,10 +618,14 @@ if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
fi fi
done done
fi fi
if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
if [ "$BLOCKEDIPV6" ]; then display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
. "$BASEDIR/include/ipv6_custom_blockoutports"
fi
if [ "$IPV6_BLOCKEDIP" ]; then
display_c YELLOW "Adding blocked IPv6 addresses... " display_c YELLOW "Adding blocked IPv6 addresses... "
for i in `grep -v "\#" $BLOCKEDIPV6`; do for i in `grep -v "\#" $IPV6_BLOCKEDIP`; do
if [[ "$i" =~ "|" ]]; then if [[ "$i" =~ "|" ]]; then
IFS_OLD=${IFS};IFS=\| IFS_OLD=${IFS};IFS=\|
ADVBLKIP=($i) ADVBLKIP=($i)
@ -678,9 +682,9 @@ fi
. "$BASEDIR/include/ipv6_custom_mssclamp" . "$BASEDIR/include/ipv6_custom_mssclamp"
fi fi
if [ "$CLAMPMSSIPV6" ]; then if [ "$IPV6_CLAMPMSS" ]; then
display_c YELLOW "Clamping IPV6 MSS to PMTU..." display_c YELLOW "Clamping IPV6 MSS to PMTU..."
for i in $CLAMPMSSIPV6; do for i in $IPV6_CLAMPMSS; do
$IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ $IP6TABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \ -j TCPMSS --clamp-mss-to-pmtu -o $i -m tcpmss \
--mss 1280:1536 --mss 1280:1536
@ -699,36 +703,15 @@ fi
done done
fi fi
if [ -s "$BASEDIR/include/ipv6_custom_blockoutports" ]; then
display_c YELLOW "Loading custom IPv6 blocked outbound port rules..."
. "$BASEDIR/include/ipv6_custom_blockoutports"
fi
if [ "$BLOCKIPV6TCPPORTS" ] || [ "$BLOCKIPV6UDPPORTS" ]; then
display_c YELLOW "Blocking outbound port: " N
if [ "$BLOCKIPV6TCPPORTS" ]; then
for i in $BLOCKIPV6TCPPORTS; do
echo -en "${PURPLE}TCP${DEFAULT_COLOR}/${GREEN}$i "
$IP6TABLES -A OUTPUT -p tcp --dport $i --syn -j DROP
done
fi
if [ "$BLOCKIPV6UDPPORTS" ]; then
for i in $BLOCKIPV6UDPPORTS; do
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
$IP6TABLES -A OUTPUT -p udp --dport $i -j DROP
done
fi
reset_color
fi
if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then if [ -s "$BASEDIR/include/ipv6_custom_allowedports" ]; then
display_c YELLOW "Loading custom IPv6 allowed port rules..." display_c YELLOW "Loading custom IPv6 allowed port rules..."
. "$BASEDIR/include/ipv6_custom_allowedports" . "$BASEDIR/include/ipv6_custom_allowedports"
fi fi
if [ "$IPV6TCP" ] || [ "$IPV6UDP" ]; then if [ "$IPV6_TCPPORTS" ] || [ "$IPV6_UDPPORTS" ]; then
display_c YELLOW "Adding allowed IPv6 port: " N display_c YELLOW "Adding allowed IPv6 port: " N
if [ "$IPV6TCP" ]; then if [ "$IPV6_TCPPORTS" ]; then
if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then if [ "$IPTABLES_MULTIPORT" == "yes" ] && [ "$NF_MULTIPORT_MAX_PORTS" ]; then
IPV6TCP=($IPV6TCP) IPV6_TCPPORTS=($IPV6_TCPPORTS)
PORTS_COUNT=${#IPV6TCP[@]} PORTS_COUNT=${#IPV6TCP[@]}
PORTS_COUNT_CURR=0 PORTS_COUNT_CURR=0
while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do while (( "$PORTS_COUNT_CURR" < "$PORTS_COUNT" )); do
@ -750,8 +733,8 @@ fi
$IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT $IP6TABLES -A INPUT -p tcp --dport $i -j ACCEPT
done done
fi fi
if [ "$IPV6UDP" ]; then if [ "$IPV6_UDPPORTS" ]; then
for i in $IPV6UDP; do for i in $IPV6_UDPPORTS; do
echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i " echo -en "${BLUE}UDP${DEFAULT_COLOR}/${GREEN}$i "
$IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT $IP6TABLES -A OUTPUT -p udp --sport 1:65535 --dport $i -j ACCEPT
$IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT $IP6TABLES -A INPUT -p udp --dport $i --sport 1:65535 -j ACCEPT
@ -767,9 +750,9 @@ fi
. "$BASEDIR/include/ipv6_custom_mark" . "$BASEDIR/include/ipv6_custom_mark"
fi fi
if [ -r "$IPv6_MARK" ]; then if [ -r "$IPV6_MARK" ]; then
display_c YELLOW "Adding IPv6 mark: " display_c YELLOW "Adding IPv6 mark: "
for i in `grep -v "\#" $IPv6_MARK`; do for i in `grep -v "\#" $IPV6_MARK`; do
MARK=( ${i//|/ } ) MARK=( ${i//|/ } )
INIF=${MARK[0]} INIF=${MARK[0]}
INIP=${MARK[1]} INIP=${MARK[1]}
@ -798,7 +781,7 @@ fi
. "$BASEDIR/include/ipv6_custom_conntrack" . "$BASEDIR/include/ipv6_custom_conntrack"
fi fi
if [ "$IPV6CONNTRACK" ]; then if [ "$IPV6_CONNTRACK" ]; then
$IP6TABLES -A INPUT -m state --state NEW -j ACCEPT $IP6TABLES -A INPUT -m state --state NEW -j ACCEPT
$IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT $IP6TABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
@ -810,7 +793,7 @@ fi
$IP6TABLES -A FORWARD -m state --state INVALID -j DROP $IP6TABLES -A FORWARD -m state --state INVALID -j DROP
fi fi
if [ $IPV6ROUTEDCLIENTBLOCK ]; then if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
$IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP $IP6TABLES -A FORWARD -i $IPV6INT -o $IPV6LAN -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP $IP6TABLES -A INPUT -i $IPV6INT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP $IP6TABLES -A INPUT -i $IPV6INT -p udp ! --dport 32768:65535 -j DROP
@ -823,8 +806,8 @@ fi
display_c YELLOW "Loading custom IPv6 routing rules..." display_c YELLOW "Loading custom IPv6 routing rules..."
. "$BASEDIR/include/ipv6_custom_routing" . "$BASEDIR/include/ipv6_custom_routing"
fi fi
if [ "$IPV6FORWARDRANGE" ]; then if [ "$IPV6_FORWARDRANGE" ]; then
for i in $IPV6FORWARDRANGE; do for i in $IPV6_FORWARDRANGE; do
$IP6TABLES -A FORWARD -s $i -j ACCEPT $IP6TABLES -A FORWARD -s $i -j ACCEPT
$IP6TABLES -A FORWARD -d $i -j ACCEPT $IP6TABLES -A FORWARD -d $i -j ACCEPT
done done
@ -834,7 +817,7 @@ fi
display_c YELLOW "Loading custom IPv6 incoming blocked port rules..." display_c YELLOW "Loading custom IPv6 incoming blocked port rules..."
. "$BASEDIR/include/ipv6_custom_blockincoming" . "$BASEDIR/include/ipv6_custom_blockincoming"
fi fi
if [ $IPV6BLOCKINCOMING ]; then if [ $IPV6_BLOCKINCOMING ]; then
$IP6TABLES -A INPUT -p tcp --syn -j DROP $IP6TABLES -A INPUT -p tcp --syn -j DROP
$IP6TABLES -A INPUT -p udp -j DROP $IP6TABLES -A INPUT -p udp -j DROP
fi fi
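Review bot: `PORTS_COUNT=${#IPV6TCP[@]}` on the line after the renamed `IPV6_TCPPORTS=($IPV6_TCPPORTS)` still counts the old array name, so with IPTABLES_MULTIPORT enabled the while loop starts from a PORTS_COUNT of 0 (or 1 if a legacy scalar IPV6TCP is still set) and the multiport ACCEPT rules for the allowed IPv6 TCP ports are never, or only partly, added; it should read `PORTS_COUNT=${#IPV6_TCPPORTS[@]}`. The IPV6_ROUTEDCLIENTBLOCK hunk keeps `$IPV6INT` and `$IPV6LAN` in its three ip6tables calls while the static file now defines IPV6_INT and IPV6_LAN, so a config written with the new names expands those to empty and the routed-client DROP rules fail to load; use `-i $IPV6_INT -o $IPV6_LAN` there and `-i $IPV6_INT` in the two INPUT rules. The while loop and the surrounding if-blocks continue outside the hunks, so the rest of the loop body should be checked for further uses of the old names. Since these failures only surface as an ip6tables error message in an otherwise successful run, a short comment such as `# any legacy name left here silently drops the rule set` above the block would help the next rename.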


@ -27,6 +27,19 @@
# but if you want to make sure you have a current options file, define this to 0. # but if you want to make sure you have a current options file, define this to 0.
if [[ "$COMPAT_CONFIG" == "1" ]]; then if [[ "$COMPAT_CONFIG" == "1" ]]; then
MODPROBE=`which modprobe` MODPROBE=`which modprobe`
# These are temp compatibility with old config files with IPv6
IPV6_FORWARD=${IPV6_FORWARD=$IPV6FORWARD}
IPV6_CONNTRACK=${IPV6_CONNTRACK=$IPV6CONNTRACK}
IPV6_BLOCKINCOMING=${$IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}
IPV6_MARK=${IPV6_MARK=$IPv6_MARK}
IPV6_BLOCKED=${IPV6_BLOCKED=$BLOCKEDIPV6}
IPV6_CLAMPMSS=${IPV6_CLAMPMSS=$CLAMPMSSIPV6}
IPV6_INT=${IPV6_INT=$IPV6INT}
IPV6_LAN=${IPV6_LAN=$IPV6LAN}
IPV6_TRUSTED=${IPV6_TRUSTED=$IPV6TRUSTED}
IPV6_TCPPORTS=${IPV6_TCPPORTS=$IPV6TCP}
IPV6_UDPPORTS=${IPV6_UDPPORTS=$IPV6UDP}
IPV6_FORWARDRANGE=${IPV6_FORWARDRANGE=$IPV6FORWARDRANGE}
fi fi
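Review bot: `IPV6_BLOCKINCOMING=${$IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}` has a stray `$` inside the braces, which bash reports as a bad substitution and, in a non-interactive script, exits at that point whenever COMPAT_CONFIG is 1; it should read `IPV6_BLOCKINCOMING=${IPV6_BLOCKINCOMING=$IPV6BLOCKINCOMING}`. The blocked-address mapping assigns `IPV6_BLOCKED`, but the firewall script and the static file both use `IPV6_BLOCKEDIP`, so a legacy BLOCKEDIPV6 list is never loaded and those addresses are silently no longer blocked; rename it to `IPV6_BLOCKEDIP=${IPV6_BLOCKEDIP=$BLOCKEDIPV6}`. The script now tests IPV6_ROUTEDCLIENTBLOCK, which has no compatibility line here, so old configs that set IPV6ROUTEDCLIENTBLOCK lose that protection; add `IPV6_ROUTEDCLIENTBLOCK=${IPV6_ROUTEDCLIENTBLOCK=$IPV6ROUTEDCLIENTBLOCK}`. Note that `${VAR=default}` only fills in an unset variable, so an empty-but-set new-style value stays empty, which is probably the intended precedence but deserves a comment next to "temp compatibility".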
PRERUN="$BASEDIR/prerun" PRERUN="$BASEDIR/prerun"


@ -98,14 +98,9 @@ HACK_IPV4="NS-IN-DDOS"
# New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS # New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
BLOCKEDIP=$BASEDIR/ipv4-blocked BLOCKEDIP=$BASEDIR/ipv4-blocked
# Block outgoing traffic on these TCP/UDP ports
# Obsoleted: Use BLOCKEDIP above in new format. Going away in 1.0
#BLOCKTCPPORTS="6881"
#BLOCKUDPPORTS="6881"
# Strip ECN off of packets - helps with blackholes # Strip ECN off of packets - helps with blackholes
# Either individual IPs or 0.0.0.0/0 # Either individual IPs or 0.0.0.0/0
STRIPECN="0.0.0.0/0" #STRIPECN="0.0.0.0/0"
# Block private LAN traffic (RFC reserved space) going OUT on these interfaces # Block private LAN traffic (RFC reserved space) going OUT on these interfaces
# for security reasons. This has the potential to cause issues if your # for security reasons. This has the potential to cause issues if your
@ -124,11 +119,11 @@ STRIPECN="0.0.0.0/0"
# IPv6 related features. Commenting out IPV6 variable disables ALL # IPv6 related features. Commenting out IPV6 variable disables ALL
# IPv6 related items # IPv6 related items
IPV6=1 #IPV6=1
# Do we want IPv6 FORWARD and Connection tracking features? # Do we want IPv6 FORWARD and Connection tracking features?
#IPV6FORWARD=1 #IPV6_FORWARD=1
#IPV6CONNTRACK=1 #IPV6_CONNTRACK=1
# Allow outgoing DNS requests - important if you did not activate connection # Allow outgoing DNS requests - important if you did not activate connection
# tracking. Set this to the interfaces you wish to use for outgoing requests # tracking. Set this to the interfaces you wish to use for outgoing requests
@ -136,40 +131,39 @@ IPV6=1
#IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1" #IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
# Default block all incoming ipv6 connections? # Default block all incoming ipv6 connections?
IPV6BLOCKINCOMING=1 #IPV6_BLOCKINCOMING=1
# Special case for routers that have ipv6 clients behind them. # Special case for routers that have ipv6 clients behind them.
# Useful if clients do not have proper ipv6 firewalls. # Useful if clients do not have proper ipv6 firewalls.
#IPV6ROUTEDCLIENTBLOCK=1 #IPV6_ROUTEDCLIENTBLOCK=1
# IP range(s) to forward
#IPV6_ROUTING=$BASEDIR/ipv6-routing
# Mark ipv6 packets for advanced purposes # Mark ipv6 packets for advanced purposes
#IPv6_MARK=$BASEDIR/ipv6-marks #IPV6_MARK=$BASEDIR/ipv6-marks
# IPv6 Ranges to block all traffic incoming/outgoing # IPv6 Ranges to block all traffic incoming/outgoing
#BLOCKEDIPV6=$BASEDIR/ipv6-blocked #IPV6_BLOCKEDIP=$BASEDIR/ipv6-blocked
# Clamp MSS, useful on DSL/VPN links # Clamp MSS, useful on DSL/VPN links
# Space separated list of interfaces to apply this on # Space separated list of interfaces to apply this on
# it may be used eventually. # it may be used eventually.
#CLAMPMSSIPV6="he-ipv6" #IPV6_CLAMPMSS="he-ipv6"
# Interface IPv6 comes in on (either tunnel or real network interface) # Interface IPv6 comes in on (either tunnel or real network interface)
#IPV6INT=he-ipv6 #IPV6_INT=he-ipv6
# LAN interface for IPv6 # LAN interface for IPv6
#IPV6LAN=eth1 #IPV6_LAN=eth1
# Trusted IPv6 ranges # Trusted IPv6 ranges
IPV6TRUSTED="::1" #IPV6_TRUSTED="::1"
# Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to # Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
# have same for both ipv4 and ipv6) # have same for both ipv4 and ipv6)
IPV6TCP=$TCPPORTS #IPV6_TCPPORTS=$TCPPORTS
IPV6UDP=$UDPPORTS #IPV6_UDPPORTS=$UDPPORTS
# IPv6 range to forward # IPv6 range to forward
#IPV6FORWARDRANGE="" #IPV6_FORWARDRANGE=""
# Block outgoing IPv6 traffic on these TCP/UDP ports
#BLOCKIPV6TCPPORTS=$BLOCKTCPPORTS
#BLOCKIPV6UDPPORTS=$BLOCKUDPPORTS
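Review bot: `IPV6BLOCKINCOMING=1` becomes `#IPV6_BLOCKINCOMING=1`, so the shipped default no longer installs the INPUT `-p tcp --syn -j DROP` and `-p udp -j DROP` rules once a user uncomments `IPV6=1`; the same hunks also comment out `STRIPECN`, `IPV6_TRUSTED` and the `IPV6_TCPPORTS`/`IPV6_UDPPORTS` mirrors of the IPv4 ports, none of which the changelog entry mentions. If disabling these defaults is intentional, say so in the changelog; otherwise keep `IPV6_BLOCKINCOMING=1` active, since the firewall script only adds those DROP rules when it is set. The new `#IPV6_ROUTING=$BASEDIR/ipv6-routing` line is labelled "IP range(s) to forward" but nothing visible in this commit reads IPV6_ROUTING and the forward-range setting is still `IPV6_FORWARDRANGE` a few lines below, so either document the file format it expects or drop the line until it is used.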