#!/bin/sh
#------------------------------------------------------------------------------
# /etc/rc.d/rc360.fwrules.new - configure firewall                 __FLI4LVER__
#
# Builds the IPv6 packet filter: flushes FORWARD/INPUT/OUTPUT, installs the
# default ACCEPT rules, the user-defined chains and the PF6_INPUT_*/
# PF6_FORWARD_* rules, runs package hooks from /etc/rc.d/fwrules.ipv6.pre*
# and .post*, closes the chains and finally enables IPv6 forwarding.
#
# Only runs when PF_NEW_CONFIG or PF_ORIG_CONFIG contains "yes" (see the
# case statement at the bottom). Helper functions (add_rule6, add_chain6,
# get_defaults6, set_count6, close_chain6, setup_logging6, begin_script,
# end_script) come from /etc/rc.d/fwrules-helper.ipv6 and the rc framework;
# their exact contracts are not visible in this file.
#
# Creation:    jw5
# Last Update: $Id$
#------------------------------------------------------------------------------

# Space-separated list of commands run once the INPUT default ACCEPT rules
# are in place (see the "for i in $pf6_in_default_rules" loop below).
pf6_in_default_rules=

#######################################
# Register a command for the INPUT default rule set.
# Globals:   pf6_in_default_rules (written)
# Arguments: $1 - entry to append
# Note: the list is later word-split and every word is executed as its own
# command, so an entry must be a single word (e.g. a function name); an entry
# with embedded spaces would be run as several separate commands.
#######################################
pf6_in_add_default ()
{
    pf6_in_default_rules="$pf6_in_default_rules $1"
}

# Same as above, for the FORWARD default ACCEPT rules.
pf6_fwd_default_rules=

#######################################
# Register a command for the FORWARD default rule set.
# Globals:   pf6_fwd_default_rules (written)
# Arguments: $1 - entry to append (single word, see pf6_in_add_default)
#######################################
pf6_fwd_add_default ()
{
    pf6_fwd_default_rules="$pf6_fwd_default_rules $1"
}

#######################################
# Add the numbered rules of a configuration variable set to a chain.
# Arguments: $1 - table (e.g. filter)
#            $2 - chain the rules go into
#            $3 - variable name prefix (e.g. PF6_INPUT, PF6_USR_CHAIN_1)
#            $4 - optional postfix inserted before _N/_<idx> (e.g. _RULE)
# Reads:     ${3}${4}_N, ${3}${4}_<idx> and ${3}${4}_<idx>_COMMENT
#            for idx = 1..N
# Outputs:   one add_rule6 call per rule, in index order; the comment passed
#            to add_rule6 is the _COMMENT value or, when that is empty, a
#            "VARNAME='rule'" string identifying the rule's origin
# Globals:   pfi_table, pfi_chain, pfi_name, pfi_postfix, val, idx, rule and
#            comment are plain shell globals (no 'local'), so they are
#            clobbered on every call
#######################################
pf6_iterate ()
{
    pfi_table=$1
    pfi_chain=$2
    pfi_name=$3
    pfi_postfix=$4
    eval val=\$${pfi_name}${pfi_postfix}_N
    # "0$val" makes an unset/empty _N count as 0 instead of breaking the test
    [ 0$val -eq 0 ] || for idx in `seq 1 $val`
    do
        eval rule=\$${pfi_name}${pfi_postfix}_$idx
        eval comment=\$${pfi_name}${pfi_postfix}_${idx}_COMMENT
        if [ -z "$comment" ]; then
            add_rule6 $pfi_table $pfi_chain "$rule" "${pfi_name}${pfi_postfix}_$idx='$rule'"
        else
            add_rule6 $pfi_table $pfi_chain "$rule" "$comment"
        fi
    done
}

case ${PF_NEW_CONFIG}${PF_ORIG_CONFIG} in
*yes*)
    begin_script FWRULES "configuring firewall (IPv6) ..."

    # get helper functions
    . /etc/rc.d/fwrules-helper.ipv6

    # Start from empty built-in chains. The kernel policies below are the
    # fallback for anything the rules installed later do not match.
    $IP6TABLES -F FORWARD
    $IP6TABLES -F INPUT
    $IP6TABLES -F OUTPUT
    $IP6TABLES -P FORWARD DROP      # forward policy is drop
    $IP6TABLES -P INPUT DROP        # REJECT is not possible here :-(
    $IP6TABLES -P OUTPUT ACCEPT     # output policy is accept

    # setup logging: rate limits default to "1/second 5" unless configured
    : ${PF6_INPUT_REJ_LIMIT:="1/second 5"}
    : ${PF6_INPUT_UDP_REJ_LIMIT:="1/second 5"}
    : ${PF6_FORWARD_REJ_LIMIT:="1/second 5"}
    : ${PF6_FORWARD_UDP_REJ_LIMIT:="1/second 5"}
    setup_logging6 "$PF6_INPUT_LOG" INPUT fw-input "$PF6_INPUT_LOG_LIMIT" "$PF6_INPUT_REJ_LIMIT" "$PF6_INPUT_UDP_REJ_LIMIT"
    setup_logging6 "$PF6_FORWARD_LOG" FORWARD fw-forward "$PF6_FORWARD_LOG_LIMIT" "$PF6_FORWARD_REJ_LIMIT" "$PF6_FORWARD_UDP_REJ_LIMIT"

    #----------------------------------------------------------------------------
    # running chain commands from additional packages
    # these rules come first in the chain, so beware of bloated rulesets that
    # are rarely used
    # (pre[0-9][0-9][0-9].* hooks are sourced before the plain pre.* hooks; the
    # "-f" test skips the literal glob left over when nothing matches)
    #----------------------------------------------------------------------------
    for ext in /etc/rc.d/fwrules.ipv6.pre[0-9][0-9][0-9].* /etc/rc.d/fwrules.ipv6.pre.*
    do
        if [ -f "$ext" ]
        then
            . $ext
        fi
    done

    # create user defined chains
    # First pass creates every chain, second pass fills it; this way a user
    # chain may jump to another user chain regardless of numbering.
    # Rules are read from PF6_USR_CHAIN_<idx>_RULE_N / _RULE_<n>.
    if [ 0$PF6_USR_CHAIN_N -ne 0 ]; then
        for idx in `seq 1 $PF6_USR_CHAIN_N`
        do
            eval add_chain6 \$PF6_USR_CHAIN_${idx}_NAME
        done
        for idx in `seq 1 $PF6_USR_CHAIN_N`
        do
            eval pf6_iterate filter \$PF6_USR_CHAIN_${idx}_NAME PF6_USR_CHAIN_${idx} _RULE
        done
    fi

    # input chain
    get_defaults6 INPUT
    if [ "$PF6_INPUT_ACCEPT_DEF" = 'yes' ]
    then
        # ICMPv6 types the router itself needs (RFC 4443 / RFC 4861):
        # 1 destination unreachable, 2 packet too big, 3 time exceeded,
        # 4 parameter problem, 133 router solicitation, 135 neighbor
        # solicitation, 136 neighbor advertisement. Type 134 (router
        # advertisement) is not in this list. Echo requests are accepted only
        # when small (length 0-150) and rate limited (1/second, burst 5).
        add_chain6 in-icmp
        add_rule6 filter in-icmp "prot:icmpv6:1 ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter in-icmp "prot:icmpv6:2 ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter in-icmp "prot:icmpv6:3 ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter in-icmp "prot:icmpv6:4 ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter in-icmp "prot:icmpv6:echo-request length:0-150 limit:1/second:5 ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter in-icmp "prot:icmpv6:133 ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter in-icmp "prot:icmpv6:135 ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter in-icmp "prot:icmpv6:136 ACCEPT" PF6_INPUT_ACCEPT_DEF
        # Order matters: established/related first, then the ICMPv6 chain,
        # then loopback. Because loopback is already accepted at this point,
        # the final rule only sees ::1 as source/destination on other
        # interfaces and drops such new connections.
        add_rule6 filter INPUT "state:ESTABLISHED,RELATED ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter INPUT "prot:icmpv6 in-icmp" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter INPUT "if:lo:any ACCEPT" PF6_INPUT_ACCEPT_DEF
        add_rule6 filter INPUT "state:NEW ::1 DROP BIDIRECTIONAL" PF6_INPUT_ACCEPT_DEF
        # package-registered default commands, one word per command
        for i in $pf6_in_default_rules; do
            $i
        done
    fi

    # NOTE(review): this tests for the IPv4 module name ipt_REDIRECT although
    # the chain is created in the IPv6 filter table - confirm this is the
    # intended trigger for the IPv6 PORTREDIRACCESS chain.
    if lsmod | grep -q ipt_REDIRECT
    then
        add_chain6 PORTREDIRACCESS        # add chain if not already there
        add_rule6 filter INPUT "state:NEW PORTREDIRACCESS"
    fi

    # user rules from PF6_INPUT_N / PF6_INPUT_<n> follow the defaults
    set_count6 INPUT
    pf6_iterate filter INPUT PF6_INPUT

    # forward chain
    get_defaults6 FORWARD
    if [ "$PF6_FORWARD_ACCEPT_DEF" = 'yes' ]
    then
        # Forwarded ICMPv6 defaults only cover rate-limited, size-bounded echo
        # requests; everything else is left to the user rules below.
        add_chain6 fwd-icmp
        add_rule6 filter fwd-icmp "prot:icmpv6:echo-request length:0-150 limit:1/second:5 ACCEPT" PF6_FORWARD_ACCEPT_DEF
        add_rule6 filter FORWARD "state:ESTABLISHED,RELATED ACCEPT" PF6_FORWARD_ACCEPT_DEF
        add_rule6 filter FORWARD "prot:icmpv6 fwd-icmp" PF6_FORWARD_ACCEPT_DEF
        add_rule6 filter FORWARD "state:NEW ::1 DROP BIDIRECTIONAL" PF6_FORWARD_ACCEPT_DEF
        # package-registered default commands, one word per command
        for i in $pf6_fwd_default_rules; do
            $i
        done
    fi

    # user rules from PF6_FORWARD_N / PF6_FORWARD_<n> follow the defaults
    set_count6 FORWARD
    pf6_iterate filter FORWARD PF6_FORWARD

    #----------------------------------------------------------------------------
    # running chain commands from additional packages
    # these rules are added at the end of the ACCEPT rules
    # put uncommon rulesets here
    #----------------------------------------------------------------------------
    for ext in /etc/rc.d/fwrules.ipv6.post.*
    do
        if [ -f "$ext" ]
        then
            . $ext
        fi
    done

    # close input chain and forward chain
    # default policy of input and forward is DROP (set with -P above);
    # close_chain6 appends the configured PF6_*_POLICY handling as the last rule
    close_chain6 INPUT $PF6_INPUT_POLICY
    close_chain6 FORWARD $PF6_FORWARD_POLICY

    #----------------------------------------------------------------------------
    # enable forwarding
    # done last, so no packet is forwarded before the FORWARD chain is complete
    #----------------------------------------------------------------------------
    echo "1" > /proc/sys/net/ipv6/conf/all/forwarding

    # persist the IPV6_NET*/IPV6_ROUTE* variables for later scripts
    set | grep -e "^IPV6_NET" -e "^IPV6_ROUTE" > /var/run/ip6_net.conf

    end_script
    ;;
esac