From d71e8794c650c2660041a8a646a879eb9b6dfd9f Mon Sep 17 00:00:00 2001
From: bbruns
Date: Thu, 10 Apr 2014 02:21:41 +0000
Subject: [PATCH] Default policy support, which I believe makes this release Alpha 1 quality
---
 bin/srfirewall | 8 ++++++++
 etc/ipv4.conf | 12 +++++++++++-
 etc/ipv6.conf | 12 +++++++++++-
 lib/iptables.inc | 18 ++++++++++--------
 4 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/bin/srfirewall b/bin/srfirewall
index 923ba92..8b98620 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -175,6 +175,10 @@ if [ "${EnableIPv4}" == "yes" ]; then
 [[ ${AllowAllv4Loopback} == "yes" ]] && allow_all_loopback ipv4
 [[ ${EnableTrustedv4Hosts} == "yes" ]] && allow_trusted_hosts ipv4
+ Defaultv4InPolicy=${Defaultv4InPolicy=ACCEPT}
+ Defaultv4OutPolicy=${Defaultv4OutPolicy=ACCEPT}
+ Defaultv4FwdPolicy=${Defaultv4FwdPolicy=ACCEPT}
+ default_policy_set ipv4 ${Defaultv4InPolicy} ${Defaultv4OutPolicy} ${Defaultv4FwdPolicy}
 [[ ${Enablev4MSSClamp} == "yes" ]] && enable_mss_clamp ipv4
 ([[ ${Enablev4ConnTrackInterfaces} != "none" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]]) \
 && enable_conntrack_int ipv4 "${Enablev4ConnTrackInterfaces}"
@@ -200,6 +204,10 @@ if [ "${EnableIPv6}" == "yes" ]; then
 [[ ${AllowAllv6Loopback} == "yes" ]] && allow_all_loopback ipv6
 [[ ${EnableTrustedv6Hosts} == "yes" ]] && allow_trusted_hosts ipv6
+ Defaultv6InPolicy=${Defaultv6InPolicy=ACCEPT}
+ Defaultv6OutPolicy=${Defaultv6OutPolicy=ACCEPT}
+ Defaultv6FwdPolicy=${Defaultv6FwdPolicy=ACCEPT}
+ default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}
 [[ ${Enablev6MSSClamp} == "yes" ]] && enable_mss_clamp ipv6
 ([[ ${Enablev6ConnTrackInterfaces} != "none" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]]) \
 && enable_conntrack_int ipv6 "${Enablev6ConnTrackInterfaces}"
diff --git a/etc/ipv4.conf b/etc/ipv4.conf
index df95a5a..e443b4c 100644
--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
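Review bot: The four added lines default only an *unset* policy and then pass the values unquoted, so an explicitly empty setting in etc/ipv4.conf (`Defaultv4InPolicy=""`) survives `${Defaultv4InPolicy=ACCEPT}` and then vanishes from the argument list, shifting the OUTPUT value into default_policy_set's INPUT slot, the FORWARD value into OUTPUT, and leaving FORWARD to fall back to ACCEPT. Use the empty-or-unset form and quote each argument, which also makes the three assignment lines unnecessary: `default_policy_set ipv4 "${Defaultv4InPolicy:-ACCEPT}" "${Defaultv4OutPolicy:-ACCEPT}" "${Defaultv4FwdPolicy:-ACCEPT}"`. The policy is also applied before enable_conntrack_int runs two lines later; if that function is what adds the ESTABLISHED,RELATED accept (not visible here), a DROP policy drops in-flight traffic until it runs, including the session running this script when it is started remotely, so consider calling default_policy_set after the conntrack rule is in place. The enclosing `if [ "${EnableIPv4}" == "yes" ]` block starts and ends outside the hunk.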
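Review bot: Same positional-shift problem as the IPv4 block: `${Defaultv6InPolicy=ACCEPT}` keeps an explicitly empty value, and the unquoted call `default_policy_set ipv6 ${Defaultv6InPolicy} ${Defaultv6OutPolicy} ${Defaultv6FwdPolicy}` then drops it, so the remaining policies land on the wrong chains. Replace the four added lines with `default_policy_set ipv6 "${Defaultv6InPolicy:-ACCEPT}" "${Defaultv6OutPolicy:-ACCEPT}" "${Defaultv6FwdPolicy:-ACCEPT}"`. The enclosing `if [ "${EnableIPv6}" == "yes" ]` block starts and ends outside the hunk.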
@@ -95,4 +95,14 @@ Enablev4NAT="yes"
 # external access to internal machines
 # Config file: ipv4/portfw.conf
 # Values: no | yes (default)
-Enablev4PortForwarding="yes"
\ No newline at end of file
+Enablev4PortForwarding="yes"
+
+# Default policy for filtering rules
+# netfilter/iptables has a default policy that can be set, such as
+# DROP all unless it is explicitly allowed via rules.
+# Values: ACCEPT (default) | DROP
+# Please note if you do not specify policies, they will default to
+# ACCEPT, which may not be what you want.
+Defaultv4InPolicy="ACCEPT"
+Defaultv4OutPolicy="ACCEPT"
+Defaultv4FwdPolicy="ACCEPT"
\ No newline at end of file
diff --git a/etc/ipv6.conf b/etc/ipv6.conf
index f7343ca..f9c4f8f 100644
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@@ -95,4 +95,14 @@ Enablev6NAT="yes"
 # external access to internal machines
 # Config file: ipv6/portfw.conf
 # Values: no | yes (default)
-Enablev6PortForwarding="yes"
\ No newline at end of file
+Enablev6PortForwarding="yes"
+
+# Default policy for filtering rules
+# netfilter/iptables has a default policy that can be set, such as
+# DROP all unless it is explicitly allowed via rules.
+# Values: ACCEPT (default) | DROP
+# Please note if you do not specify policies, they will default to
+# ACCEPT, which may not be what you want.
+Defaultv6InPolicy="ACCEPT"
+Defaultv6OutPolicy="ACCEPT"
+Defaultv6FwdPolicy="ACCEPT"
\ No newline at end of file
diff --git a/lib/iptables.inc b/lib/iptables.inc
index c30dc87..6245399 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -30,6 +30,9 @@ function iptables_rules_flush {
 ipv4|*) VER_IPTABLES=${IPTABLES} ; TABLE_NAMES=/proc/net/ip_tables_names ;;
 esac
 ${display} GREEN "Flushing ${IP_VERSION} rules..."
+ ${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
+ ${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
+ ${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
 ${VER_IPTABLES} -F &>/dev/null
 ${VER_IPTABLES} -X &>/dev/null
 ${VER_IPTABLES} -F INPUT &>/dev/null
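Review bot: The new comment block should state the constraints the code imposes but does not enforce: the value is handed straight to `iptables --policy`, which accepts only the built-in targets ACCEPT and DROP (REJECT is not a valid chain policy), and as the srfirewall change stands the "default to ACCEPT" note applies only to an unset variable, not to one set to the empty string. I would add after the Values line: `# Only ACCEPT and DROP are valid here (the value is passed verbatim to iptables -P);` / `# leave the variable set - an empty value is not treated as unspecified.` Since the Values line presents DROP as a drop-in alternative, it is also worth one sentence that a DROP policy on OUTPUT blocks this host's own traffic (DNS, package updates) unless rules explicitly allow it.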
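Review bot: For IPv6 the comment needs a caveat the IPv4 file does not: with `Defaultv6InPolicy="DROP"` (or DROP on OUTPUT) ICMPv6 Neighbor Discovery, Router Advertisement and Packet Too Big messages are discarded unless explicitly allowed, which breaks address resolution and path-MTU discovery on the link; nothing in this patch shows srfirewall adding such rules, so the user has to know to add them. I would append: `# NOTE: with DROP on INPUT/OUTPUT, ICMPv6 (neighbor discovery, router` / `# advertisements, packet-too-big) must be explicitly allowed or IPv6 breaks.` As in ipv4.conf, only ACCEPT and DROP are valid values since the string is passed verbatim to ip6tables -P.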
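Review bot: With this reorder the chains are reset to ACCEPT before they are emptied, and the configured policy is only re-applied later by default_policy_set (in srfirewall, after the loopback and trusted-host rules), so a host configured with DROP is fully open for the whole rebuild and stays open if the script aborts in between; before the move the flush at least ran under the outgoing policy. If the intent is to keep an admin session alive across a reload, document that here, e.g. `# Reset to ACCEPT before flushing so a reload never locks out the admin; the configured policy is re-applied by default_policy_set`, and move the default_policy_set call ahead of the rule-building functions so the open window is as short as possible. The `&>/dev/null` on each -P call hides a failure such as a missing ip6tables binary, so a reload can silently keep the old rule set; at minimum report when a policy command fails. iptables_rules_flush starts and ends outside this hunk.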
@@ -39,9 +42,6 @@ function iptables_rules_flush {
 ${VER_IPTABLES} -t nat -X &>/dev/null
 ${VER_IPTABLES} -t mangle -F &>/dev/null
 ${VER_IPTABLES} -t mangle -X &>/dev/null
- ${VER_IPTABLES} -P INPUT ACCEPT &>/dev/null
- ${VER_IPTABLES} -P OUTPUT ACCEPT &>/dev/null
- ${VER_IPTABLES} -P FORWARD ACCEPT &>/dev/null
 #for i in `cat $TABLE_NAMES`; do
 # ${VER_IPTABLES} -F -t $i &>/dev/null
 #done
@@ -51,17 +51,19 @@ function iptables_rules_flush {
 # iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)
 # Sets all policy rules to either ACCEPT or DROP for ipv4 or ipv6
 # If no policy given, assume ACCEPT
-function iptables_policy_reset {
+function default_policy_set {
 IP_VERSION=$1
- SET_POLICY=${2=ACCEPT}
+ INPOLICY=${2=ACCEPT}
+ OUTPOLICY=${3=ACCEPT}
+ FWDPOLICY=${4=ACCEPT}
 case $IP_VERSION in
 ipv6) VER_IPTABLES=${IP6TABLES} ;;
 ipv4|*) VER_IPTABLES=${IPTABLES} ;;
 esac
 ${display_c} RED "Setting ${IP_VERSION} policies to ${SET_POLICY}..."
- ${VER_IPTABLES} --policy INPUT ${SET_POLICY}
- ${VER_IPTABLES} --policy OUTPUT ${SET_POLICY}
- ${VER_IPTABLES} --policy FORWARD ${SET_POLICY}
+ ${VER_IPTABLES} --policy INPUT ${INPOLICY}
+ ${VER_IPTABLES} --policy OUTPUT ${OUTPOLICY}
+ ${VER_IPTABLES} --policy FORWARD ${FWDPOLICY}
 }
 
 # setup_iptables_chains (ipv4|ipv6)
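Review bot: `${SET_POLICY}` in the status message is no longer assigned after the rename to INPOLICY/OUTPOLICY/FWDPOLICY, so the message prints "Setting ipv4 policies to ..." with the value missing, and the comment header above still documents the old `iptables_policy_set (ipv6|ipv4) (ACCEPT|DROP)` single-policy signature. More importantly the three values are passed to `--policy` unvalidated and unchecked: a typo in the config (`"DORP"`) makes iptables fail, and because iptables_rules_flush has just set every chain to ACCEPT the host silently ends up fail-open instead of DROP. Validate against the two built-in targets iptables accepts as a chain policy, use `${2:-ACCEPT}` so an empty argument also defaults, and abort if any `--policy` call fails (exit 1 below, or the project's error helper if it has one); the header should become `# default_policy_set (ipv4|ipv6) [INPUT policy] [OUTPUT policy] [FORWARD policy]` / `# Each policy is ACCEPT or DROP; a missing or empty one defaults to ACCEPT.`
```shell
function default_policy_set {
  INPOLICY=${2:-ACCEPT}
  OUTPOLICY=${3:-ACCEPT}
  FWDPOLICY=${4:-ACCEPT}
  # … unchanged: IP_VERSION=$1 and the case selecting VER_IPTABLES …
  # iptables accepts only built-in targets as a chain policy; anything else
  # fails and would leave the chain at the ACCEPT set by iptables_rules_flush.
  for POL in "${INPOLICY}" "${OUTPOLICY}" "${FWDPOLICY}"; do
    case ${POL} in
      ACCEPT|DROP) ;;
      *) ${display_c} RED "Invalid ${IP_VERSION} policy '${POL}' (use ACCEPT or DROP)"
         exit 1 ;;
    esac
  done
  ${display_c} RED "Setting ${IP_VERSION} policies: INPUT=${INPOLICY} OUTPUT=${OUTPOLICY} FORWARD=${FWDPOLICY}..."
  ${VER_IPTABLES} --policy INPUT "${INPOLICY}" \
    && ${VER_IPTABLES} --policy OUTPUT "${OUTPOLICY}" \
    && ${VER_IPTABLES} --policy FORWARD "${FWDPOLICY}" \
    || { ${display_c} RED "Failed to set ${IP_VERSION} policies"; exit 1; }
}
```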