Adjust routedclientblock options

ChangeLog

@@ -1,4 +1,8 @@
-0.9.11 - Brielle Bruns <bruns@2mbt.com>
+0.9.12 - Brielle Bruns <bruns@2mbit.com>
+	- Change IPV6_ROUTEDCLIENTBLOCK so you can specify ranges to
+	  block incoming to.
+
+0.9.11 - Brielle Bruns <bruns@2mbit.com>
 	- Move some of the config clutter to conf/ - you can
 	  put your config files anywhere, but by default, they're
 	  now going to be in conf/

Makefile

@@ -1,4 +1,4 @@
-VERSION=0.9.11
+VERSION=0.9.12
 TAR=/usr/bin/tar
 TARBALL="firewall-sosdg-$(VERSION).tar.bz2"
 

bin/firewall-sosdg

@@ -700,10 +700,28 @@ if [ $IPV6 ]; then
 	reset_color
 	
 	if [ -s "$BASEDIR/include/ipv6_custom_blockip" ]; then
-	display_c YELLOW "Loading custom ip block rules..."
+	display_c YELLOW "Loading custom IPv6 block rules..."
 	. "$BASEDIR/include/ipv6_custom_blockip"
 fi
 
+
+if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
+	display_c YELLOW "Loading custom IPv6 conntrack rules..."
+	. "$BASEDIR/include/ipv6_custom_conntrack"
+fi
+
+if [ "$IPV6_CONNTRACK" ]; then
+	$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
+	$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+	$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
+	#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
+	$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT 
+	$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
+	$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
+	$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
+	$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
+fi
+
 if [ "$IPV6_DNS_REQUESTS_OUT" ]; then
 	display_c YELLOW "Adding IPv6 DNS reply allows for trusted DNS servers.."
 	for i in $DNS_REQUESTS_OUT; do
@@ -881,29 +899,14 @@ fi
 		done
 	echo -ne "\n"
 	fi
-	
-	if [ -s "$BASEDIR/include/ipv6_custom_conntrack" ]; then
-		display_c YELLOW "Loading custom IPv6 conntrack rules..."
-		. "$BASEDIR/include/ipv6_custom_conntrack"
-	fi
 
-	if [ "$IPV6_CONNTRACK" ]; then
-		$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
-		$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
-		$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT
-		#$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} NEW -j ACCEPT
-		$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} RELATED,ESTABLISHED -j ACCEPT 
-		$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} NEW -j ACCEPT
-		$IP6TABLES -A INPUT ${M_STATE} ${C_STATE} INVALID -j DROP
-		$IP6TABLES -A OUTPUT ${M_STATE} ${C_STATE} INVALID -j DROP
-		$IP6TABLES -A FORWARD ${M_STATE} ${C_STATE} INVALID -j DROP
-	fi
-
-	if [ $IPV6_ROUTEDCLIENTBLOCK ]; then
-		$IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p tcp --syn -j DROP
-		$IP6TABLES -A INPUT -i $IPV6_INT -p tcp --syn -j DROP
-		$IP6TABLES -A INPUT -i $IPV6_INT -p udp ! --dport 32768:65535 -j DROP
-		$IP6TABLES -A FORWARD -i $IPV6_INT -o $IPV6_LAN -p udp ! --dport 32768:65535 -j DROP
+	if [ "$IPV6_ROUTEDCLIENTBLOCK" ]; then
+		for i in $IPV6_ROUTEDCLIENTBLOCK; do
+			$IP6TABLES -A OUTPUT -d $i -p tcp --syn -j DROP
+			$IP6TABLES -A OUTPUT -d $i -p udp ! --dport 32768:65535 -j DROP
+			$IP6TABLES -A FORWARD -d $i -p tcp --syn -j DROP
+			$IP6TABLES -A FORWARD -d $i -p udp ! --dport 32768:65535 -j DROP
+		done
 	fi
 	
 

options.default

@@ -179,8 +179,9 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
 #IPV6_BLOCKINCOMING=1
 
 # Special case for routers that have ipv6 clients behind them.
-# Useful if clients do not have proper ipv6 firewalls.
-#IPV6_ROUTEDCLIENTBLOCK=1
+# Useful if clients do not have proper ipv6 firewalls.  Give list
+# of IPv6 netblocks to enable this on.
+#IPV6_ROUTEDCLIENTBLOCK=""
 
 # IP range(s) to forward
 #IPV6_ROUTING=$BASEDIR/conf/ipv6-routing