brielle
/
SRFirewall
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

master
bbruns@gmail.com 2014-03-30 19:18:45 +00:00
parent 4f6b6772bf
commit 4c8d5ab520
5 changed files with 58 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,9 +1,10 @@
2.00 Alpha 1 2.00 Alpha 1
- Complete code rewrite and restructure to solve some long standing issues with v1 - Complete code rewrite and restructure to solve some long standing issues with v1
- Separate out functions into support files for easier grouping of what they do - Separate out functions into support files for easier grouping of what they do
- Make more compatible with debian filesystem layout, including separating out into - Make more compatible with multiple disto file layouts
/etc/firewall-sosdg for configs only, /usr/sbin for actual scripts, and - Basic functionality implemented:
/usr/lib/firewall-sosdg for include/functions/etc that don't belong in config - Trusted IP source (IPv4/IPv6) - 3/30/2014
- MSS Clamping (IPv4/IPv6) - 3/30/2014
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-= =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
1.1 - Brielle Bruns <bruns@2mbit.com> 1.1 - Brielle Bruns <bruns@2mbit.com>

2
bin/srfirewall
View File

@ -149,6 +149,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
[ "${AllowAllv4Loopback}" == "yes" ] && allow_all_loopback ipv4 [ "${AllowAllv4Loopback}" == "yes" ] && allow_all_loopback ipv4
[ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4 [ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4
[ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4 [ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4
[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
fi fi
# Do IPv6 IPTables Rules # Do IPv6 IPTables Rules
@ -163,5 +164,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
[ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6 [ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6
[ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6 [ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6
[ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6 [ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
fi fi

13
etc/ipv4.conf
View File

@ -21,4 +21,17 @@ EnableTrustedv4Hosts="yes"
# Enable MSS clamping to work around MTU size issues # Enable MSS clamping to work around MTU size issues
# on network links such as PPPoE and wireless # on network links such as PPPoE and wireless
# Config file: ipv4/mss-clamp.conf # Config file: ipv4/mss-clamp.conf
# Values: no | yes (default)
Enablev4MSSClamp="yes" Enablev4MSSClamp="yes"
# Use /etc/resolv.conf as source for DNS servers that we communicate
# with as a client. If you turn this off (recommended if on static IP),
# then you will need to manually define the DNS servers you use.
# Without conntrack rules allowing established/related, DNS traffic may
# be blocked and cause issues.
# Values: no | yes (default)
DNSClientUsev4ResolvConf="yes"
ResolvConfv4File="/etc/resolv.conf"
# Uncomment below if you set above to no.
#DNSClientManualv4Servers=""

13
etc/ipv6.conf
View File

@ -21,4 +21,17 @@ EnableTrustedv6Hosts="yes"
# Enable MSS clamping to work around MTU size issues # Enable MSS clamping to work around MTU size issues
# on network links such as PPPoE and wireless # on network links such as PPPoE and wireless
# Config file: ipv6/mss-clamp.conf # Config file: ipv6/mss-clamp.conf
# Values: no | yes (default)
Enablev6MSSClamp="yes" Enablev6MSSClamp="yes"
# Use /etc/resolv.conf as source for DNS servers that we communicate
# with as a client. If you turn this off (recommended if on static IP),
# then you will need to manually define the DNS servers you use.
# Without conntrack rules allowing established/related, DNS traffic may
# be blocked and cause issues.
# Values: no | yes (default)
DNSClientUsev6ResolvConf="yes"
ResolvConfv6File="/etc/resolv.conf"
# Uncomment below if you set above to no.
#DNSClientManualv6Servers=""

24
lib/iptables.inc
View File

@ -183,3 +183,27 @@ function enable_mss_clamp {
${debug} ${DebugColor} "${FUNCNAME}: failed" ${debug} ${DebugColor} "${FUNCNAME}: failed"
fi fi
} }
function allow_resolvconf_servers {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
${debug} ${DebugColor} "${FUNCNAME}: loading"
[[ ${IP_VERSION} = "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}"
[[ ${IP_VERSION} = "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}"
${debug} ${DebugColor} "${FUNCNAME}: Using ${ResolvConfFile} as resolv.conf"
while read -r type server; do
[[ ${type} != "nameserver" ]] && continue
# If we see a : in the server variable, we are most likely dealing with an ipv6 address
([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
${debug} ${DebugColor} "${FUNCNAME}: Added ${server} to DNS client trusted list"
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
done < "${ResolvConfFile}"
}