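#!/bin/sh
#------------------------------------------------------------------------------
# /etc/rc.d/rc360.fwrules.new - configure firewall
#
# Rebuilds the filter INPUT/FORWARD/OUTPUT chains and the nat PREROUTING/
# POSTROUTING chains from the PF_* configuration variables. The rule helpers
# (add_rule, add_chain, get_defaults, set_count, close_chain, setup_logging,
# do_modprobe*, begin_script/end_script, log_error) come from
# /etc/rc.d/fwrules-helper, sourced below. Nothing happens unless
# PF_NEW_CONFIG or PF_ORIG_CONFIG contains "yes".
#
# Creation: jw5
# Last Update: $Id$
#------------------------------------------------------------------------------

# Whitespace separated list of commands registered by other packages; each
# word is executed after the built-in INPUT default rules (see below).
pf_in_default_rules=

#######################################
# Register a command to run after the built-in INPUT default rules.
# Globals:   pf_in_default_rules (appended)
# Arguments: $1 - command; the list is word-split when executed, so this
#                 should be a single word such as a function name
#######################################
pf_in_add_default () {
  pf_in_default_rules="$pf_in_default_rules $1"
}

# Same as pf_in_default_rules, for the FORWARD chain.
pf_fwd_default_rules=

#######################################
# Register a command to run after the built-in FORWARD default rules.
# Globals:   pf_fwd_default_rules (appended)
# Arguments: $1 - command (single word, see pf_in_add_default)
#######################################
pf_fwd_add_default () {
  pf_fwd_default_rules="$pf_fwd_default_rules $1"
}

#######################################
# Add the numbered rules <name><postfix>_1 .. <name><postfix>_N to a chain.
# Each rule may carry <name><postfix>_<i>_COMMENT; when that is empty the
# variable assignment itself ("NAME_i='rule'") is passed as the comment.
# Globals:   pfi_table, pfi_chain, pfi_name, pfi_postfix, val, idx, rule,
#            comment (written; /bin/sh has no 'local')
# Arguments: $1 - iptables table (filter/nat)
#            $2 - chain name
#            $3 - variable prefix, e.g. PF_INPUT
#            $4 - optional infix placed before _N and _<i>, e.g. _RULE
# Outputs:   whatever add_rule emits
#######################################
pf_iterate () {
  pfi_table=$1
  pfi_chain=$2
  pfi_name=$3
  pfi_postfix=$4
  eval val=\$${pfi_name}${pfi_postfix}_N
  # "0$val" lets an unset or empty count read as 0 instead of a test error
  if [ "0$val" -ne 0 ]; then
    for idx in $(seq 1 "$val"); do
      eval rule=\$${pfi_name}${pfi_postfix}_$idx
      eval comment=\$${pfi_name}${pfi_postfix}_${idx}_COMMENT
      if [ -z "$comment" ]; then
        add_rule "$pfi_table" "$pfi_chain" "$rule" "${pfi_name}${pfi_postfix}_$idx='$rule'"
      else
        add_rule "$pfi_table" "$pfi_chain" "$rule" "$comment"
      fi
    done
  fi
}

#######################################
# Add the rules accepting packets of already established connections.
# With no MASQ_MODULE configured, or when a usr-nat-helper chain exists,
# RELATED packets are handled separately: FORWARD only accepts RELATED
# icmp, the usr-nat-helper chain (if present) gets the other RELATED
# packets, and only ESTABLISHED is accepted outright. Otherwise a single
# ESTABLISHED,RELATED ACCEPT rule is used.
# Globals:   MASQ_MODULE_N (read), usr_nat (written)
# Arguments: $1 - chain (INPUT or FORWARD)
#######################################
add_established () {
  usr_nat=
  # the chain only exists if some package created it, so probe for it
  iptables -nL usr-nat-helper > /dev/null 2>&1 && usr_nat=yes
  if [ "0$MASQ_MODULE_N" -eq 0 ] || [ "$usr_nat" = yes ]; then
    if [ "$1" = FORWARD ]; then
      add_rule filter "$1" "prot:icmp state:RELATED ACCEPT" "PF_${1}_ACCEPT_DEF"
    fi
    if [ "$usr_nat" = yes ]; then
      add_rule filter "$1" "state:RELATED usr-nat-helper" "PF_${1}_ACCEPT_DEF"
    fi
    add_rule filter "$1" "state:ESTABLISHED ACCEPT" "PF_${1}_ACCEPT_DEF"
  else
    add_rule filter "$1" "state:ESTABLISHED,RELATED ACCEPT" "PF_${1}_ACCEPT_DEF"
  fi
}

case "${PF_NEW_CONFIG}${PF_ORIG_CONFIG}" in
  *yes*)
    begin_script FWRULES "configuring firewall ..."

    # get helper functions
    . /etc/rc.d/fwrules-helper

    $IPTABLES -F FORWARD
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT

    do_modprobe_if_exists kernel/net/netfilter nf_conntrack acct=1

    $IPTABLES -t nat -F POSTROUTING
    $IPTABLES -t nat -F PREROUTING

    # policies are set right after the flush and before any rule is added,
    # so nothing is accepted while the ruleset is being rebuilt
    $IPTABLES -P FORWARD DROP     # forward policy is drop
    $IPTABLES -P INPUT DROP       # REJECT is not possible here :-(
    $IPTABLES -P OUTPUT ACCEPT    # output policy is accept

    # "0$..." guards an unset count like the other loops do; the bare test
    # errored on an empty value and then ran 'seq 1' with no upper bound
    if [ "0$MASQ_MODULE_N" -ne 0 ]; then
      for idx in $(seq 1 "$MASQ_MODULE_N"); do
        eval drv='$MASQ_MODULE_'$idx
        eval options='$MASQ_MODULE_'$idx'_OPTION'
        # $options may hold several module parameters; keep it word-split
        do_modprobe "ip_conntrack_$drv" $options
        do_modprobe "ip_nat_$drv" $options
      done
    fi

    # setup logging
    : "${PF_INPUT_REJ_LIMIT:="1/second:5"}"
    : "${PF_INPUT_UDP_REJ_LIMIT:="1/second:5"}"
    : "${PF_FORWARD_REJ_LIMIT:="1/second:5"}"
    : "${PF_FORWARD_UDP_REJ_LIMIT:="1/second:5"}"
    # PF_LOG_LEVEL stays unquoted: an empty value must not become an argument
    setup_logging "$PF_INPUT_LOG" INPUT fw-input "$PF_INPUT_LOG_LIMIT" \
      "$PF_INPUT_REJ_LIMIT" "$PF_INPUT_UDP_REJ_LIMIT" $PF_LOG_LEVEL
    setup_logging "$PF_FORWARD_LOG" FORWARD fw-forward "$PF_FORWARD_LOG_LIMIT" \
      "$PF_FORWARD_REJ_LIMIT" "$PF_FORWARD_UDP_REJ_LIMIT" $PF_LOG_LEVEL

    #----------------------------------------------------------------------------
    # running chain commands from additional packages
    # these rules come first in the chain - so beware of bloated rulesets which
    # are used uncommonly
    #----------------------------------------------------------------------------
    for ext in /etc/rc.d/fwrules.pre[0-9][0-9][0-9].* /etc/rc.d/fwrules.pre.*; do
      # an unmatched glob is left as the literal pattern; -f skips it
      if [ -f "$ext" ]; then
        . "$ext"
      fi
    done

    # create user defined chains
    if [ "0$PF_USR_CHAIN_N" -ne 0 ]; then
      for idx in $(seq 1 "$PF_USR_CHAIN_N"); do
        eval add_chain \$PF_USR_CHAIN_${idx}_NAME
      done
      # all chains are created before any is filled, so a rule may jump to
      # a chain that appears later in the list
      for idx in $(seq 1 "$PF_USR_CHAIN_N"); do
        eval pf_iterate filter \$PF_USR_CHAIN_${idx}_NAME PF_USR_CHAIN_${idx} _RULE
      done
    fi

    # input chain
    get_defaults INPUT
    if [ "$PF_INPUT_ACCEPT_DEF" = 'yes' ]; then
      case "x$PF_INPUT_ICMP_ECHO_REQ_LIMIT" in
        xnone) limit= ;;
        x)     limit="limit:1/second:5" ;;
        *)     limit="limit:$PF_INPUT_ICMP_ECHO_REQ_LIMIT" ;;
      esac
      add_chain in-icmp
      # echo requests are rate limited and size bounded; RELATED icmp passes
      add_rule filter in-icmp "prot:icmp:8 length:0-100 $limit ACCEPT" PF_INPUT_ACCEPT_DEF
      add_rule filter in-icmp "state:RELATED ACCEPT" PF_INPUT_ACCEPT_DEF
      add_rule filter INPUT "prot:icmp in-icmp" PF_INPUT_ACCEPT_DEF
      add_established INPUT
      # XXX consider dropping invalid incoming packets
      # add_rule filter INPUT "state:INVALID DROP" PF_INPUT_ACCEPT_DEF
      add_rule filter INPUT "if:lo:any ACCEPT" PF_INPUT_ACCEPT_DEF
      add_rule filter INPUT "state:NEW 127.0.0.1 DROP BIDIRECTIONAL" PF_INPUT_ACCEPT_DEF
      # commands registered through pf_in_add_default, one word each
      for i in $pf_in_default_rules; do
        $i
      done
    fi
    set_count INPUT
    pf_iterate filter INPUT PF_INPUT

    # forward chain
    get_defaults FORWARD
    if [ "$PF_FORWARD_ACCEPT_DEF" = 'yes' ]; then
      add_established FORWARD
      add_rule filter FORWARD "state:INVALID DROP" PF_FORWARD_ACCEPT_DEF
      add_rule filter FORWARD "state:NEW 127.0.0.1 DROP BIDIRECTIONAL" PF_FORWARD_ACCEPT_DEF
      # commands registered through pf_fwd_add_default, one word each
      for i in $pf_fwd_default_rules; do
        $i
      done
    fi
    set_count FORWARD

    # consider dropping outgoing invalid packets
    # add_rule filter OUTPUT "state:INVALID DROP" PF_FORWARD_ACCEPT_DEF

    pf_iterate filter FORWARD PF_FORWARD
    pf_iterate nat POSTROUTING PF_POSTROUTING

    # PREROUTING rules are not installed here; they are appended to
    # /etc/portfw.conf (presumably read by a later script), with the
    # optional comment after a '#'
    if [ "0$PF_PREROUTING_N" -ne 0 ]; then
      for idx in $(seq 1 "$PF_PREROUTING_N"); do
        eval rule='$PF_PREROUTING_'$idx
        eval rule_comment='$PF_PREROUTING_'$idx'_COMMENT'
        # printf rather than echo: a rule starting with '-' or containing
        # backslashes would otherwise be mangled by some /bin/sh echos
        if [ -z "$rule_comment" ]; then
          printf '%s\n' "$rule" >> /etc/portfw.conf
        else
          printf '%s #%s\n' "$rule" "$rule_comment" >> /etc/portfw.conf
        fi
      done
    fi

    #----------------------------------------------------------------------------
    # running chain commands from additional packages
    # these rules are added in the end of the ACCEPT rules
    # put uncommon rulesets here
    #----------------------------------------------------------------------------
    for ext in /etc/rc.d/fwrules.post.*; do
      if [ -f "$ext" ]; then
        . "$ext"
      fi
    done

    # close input chain and forward chain
    # default policy of input and forward is DROP
    # (policy variables stay unquoted so an empty value passes no argument)
    close_chain INPUT $PF_INPUT_POLICY
    close_chain FORWARD $PF_FORWARD_POLICY

    #-------------------------------------------------------------------------
    # setting ip_conntrack_max
    #-------------------------------------------------------------------------
    if [ -n "$IP_CONNTRACK_MAX" ]; then
      # older kernels expose the knob under ipv4/, newer ones under netfilter/
      if [ -f /proc/sys/net/ipv4/ip_conntrack_max ]; then
        echo "$IP_CONNTRACK_MAX" > /proc/sys/net/ipv4/ip_conntrack_max
      elif [ -f /proc/sys/net/netfilter/nf_conntrack_max ]; then
        echo "$IP_CONNTRACK_MAX" > /proc/sys/net/netfilter/nf_conntrack_max
      else
        log_error " missing /proc/sys/net/ipv4/ip_conntrack_max and /proc/sys/net/netfilter/nf_conntrack_max"
      fi
    fi

    #----------------------------------------------------------------------------
    # enable forwarding and setup anti-spoofing measures
    #----------------------------------------------------------------------------
    for j in /proc/sys/net/ipv4/conf/*; do
      echo 1 > "$j/rp_filter"    # anti-spoofing
    done
    echo 1 > /proc/sys/net/ipv4/route/flush
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # keep the IP_NET*/IP_ROUTE* settings where later scripts can find them
    set | grep -e "^IP_NET" -e "^IP_ROUTE" > /var/run/ip_net.conf

    end_script
    ;;
esac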