From 97dd5fa6f00d35cc79914eb82fc0e3e5a00a867f Mon Sep 17 00:00:00 2001
From: bbruns
Date: Tue, 24 Aug 2010 01:35:36 +0000
Subject: [PATCH] HACK_IPV4 Option

---
 include/functions | 19 ++++++++++++++++++-
 options.default | 15 ++++++++++++---
 rc.firewall | 6 ++++--
 3 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/include/functions b/include/functions
index 9bc3dd3..fbf0466 100644
--- a/include/functions
+++ b/include/functions
@@ -117,4 +117,21 @@ function show_help {
 echo "Firewall/SOSDG ${FW_VERSION} - Brielle Bruns "
 echo -e "\t--help\t\tShows this info"
 echo -e "\t--flush\t\tFlushes all rules back to default ACCEPT"
- }
\ No newline at end of file
+ }
+
+
+
+# apply_ipv4_hack $HACKS
+function apply_ipv4_hack {
+ display_c YELLOW "Applying IPv4 hack/fix:" N
+ while [ $# -gt 0 ]; do
+ case "$1" in
+ NS-IN-DDOS)
+ display_c PURPLE " ./NS/IN-DDOS-FIX"
+ $IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
+ "0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
+ ;;
+ esac
+ shift
+ done
+}
\ No newline at end of file
diff --git a/options.default b/options.default
index e78abd6..7fc6062 100755
--- a/options.default
+++ b/options.default
@@ -12,9 +12,9 @@ IP6TABLES=/bin/true
 # options you don't want to use, uncomment them to use them.
 
 # Do we want NAT/Conntrack/Forward features?
-NAT=1
-CONNTRACK=1
-FORWARD=1
+#NAT=1
+#CONNTRACK=1
+#FORWARD=1
 
 # Blocking incoming connections by default?
 BLOCKINCOMING=1
@@ -49,6 +49,15 @@ DONTTRACK="127.0.0.1"
 # IP range(s) to forward
 ROUTING=$BASEDIR/ipv4-routing
 
+
+# Hacks to either block specific kinds of attacks or fix problems
+#
+# NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
+# http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
+#
+HACK_IPV4="NS-IN-DDOS"
+
+
 #==============
 # Obsolete - DO NOT USE ANYMORE. Will be removed in 1.0
 # IP ranges(s) to NAT using SNAT.
diff --git a/rc.firewall b/rc.firewall
index c5604ab..6f2cffb 100755
--- a/rc.firewall
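Review bot: `apply_ipv4_hack` fails open in two ways: a name it does not recognise (a typo in HACK_IPV4) falls through the `case` with no message, and the `$IPTABLES ... -m u32` DROP rule is not checked, so on a kernel without the u32 match the command errors and the script carries on with the DNS filter absent. Add a default arm, `*) display_c RED "Unknown IPv4 hack: $1" ;;` (using whichever colour display_c uses for errors), and append `|| display_c RED "NS-IN-DDOS rule not installed (u32 match unavailable?)"` to the iptables call. A header comment stating that the function takes a whitespace-separated list of hack names and appends DROP rules to INPUT would replace the bare `# apply_ipv4_hack $HACKS`. The `show_help` function whose closing brace this hunk touches begins outside the hunk.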
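Review bot: The `NAT=1`, `CONNTRACK=1` and `FORWARD=1` defaults are commented out in this hunk, which presumably turns off NAT, connection tracking and forwarding for anyone who deploys options.default unmodified, and has nothing to do with the HACK_IPV4 option named in the subject. If the change is intentional it should be stated in the commit message and in the comment above it, e.g. `# Do we want NAT/Conntrack/Forward features? (disabled by default; uncomment to enable)`; otherwise it belongs in its own commit so the default flip is not hidden behind an unrelated feature.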
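Review bot: The new HACK_IPV4 comment does not say how the value is consumed: it is a whitespace-separated list of hack names, an empty value disables the feature, and the u32 match behind NS-IN-DDOS appears to drop every UDP query for the root NS record on port 53 rather than only spoofed ones, which on a host running a recursive resolver would presumably also hit legitimate priming queries — worth confirming against the linked article before shipping it enabled by default. Suggested lines above the assignment: `# HACK_IPV4: space-separated list of hacks to apply; leave empty to disable.` and `# NS-IN-DDOS drops all UDP 'NS . IN' queries to port 53, legitimate or not.`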
+++ b/rc.firewall
@@ -136,8 +136,10 @@ if [ "$CLAMPMSS" ]; then
 echo -en "\n"
 fi
 
-$IPTABLES -A INPUT -j DROP -p udp --dport domain -m u32 --u32 \
-"0>>22&0x3C@12>>16=1&&0>>22&0x3C@20>>24=0&&0>>22&0x3C@21=0x00020001"
+
+if [ $HACK_IPV4 ]; then
+ apply_ipv4_hack $HACK_IPV4
+fi
 
 if [ -s "$BASEDIR/include/ipv4_custom_conntrack" ]; then
 display_c YELLOW "Loading custom conntrack rules..."
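Review bot: `if [ $HACK_IPV4 ]; then` breaks as soon as HACK_IPV4 holds more than one name: the unquoted expansion splits into several words and `[` errors out ("unary operator expected" / "too many arguments"), so none of the hacks are applied even though `apply_ipv4_hack` is written to loop over a list. Use `if [ -n "$HACK_IPV4" ]; then`; the unquoted `apply_ipv4_hack $HACK_IPV4` on the next line is the intended word-splitting and can stay, ideally marked `# word-split on purpose: one argument per hack name`. The top-level script this block sits in continues on both sides of the hunk.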