diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 8d895ba..d7e4d24 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -3,8 +3,8 @@
 # URL: http://www.sosdg.org/freestuff/firewall
 # License: GPLv3
 #
-# Copyright (C) 2009 - 2010 Brielle Bruns
-# Copyright (C) 2009 - 2010 The Summit Open Source Development Group
+# Copyright (C) 2009 - 2011 Brielle Bruns
+# Copyright (C) 2009 - 2011 The Summit Open Source Development Group
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,7 +18,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-FW_VERSION="0.9.12"
+FW_VERSION="0.9.13"
 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file. I leave this on by default,
@@ -699,9 +699,9 @@ if [ $NAT ]; then
 fi
 fi
-$IPTABLES --policy INPUT ACCEPT
-$IPTABLES --policy OUTPUT ACCEPT
-$IPTABLES --policy FORWARD DROP
+$IPTABLES --policy INPUT ${IPV4_INPUT}
+$IPTABLES --policy OUTPUT ${IPV4_OUTPUT}
+$IPTABLES --policy FORWARD ${IPV4_FORWARD}
 if [ -s "$BASEDIR/include/ipv4_custom_blockincoming" ]; then
@@ -928,7 +928,6 @@ fi
 fi
 reset_color
 fi
- fi
 if [ -s "$BASEDIR/include/ipv6_custom_mark" ]; then
 display_c YELLOW "Loading custom IPv6 mark rules..."
@@ -971,7 +970,6 @@ fi
 fi
-
 if [ -s "$BASEDIR/include/ipv6_custom_routing" ]; then
 display_c YELLOW "Loading custom IPv6 routing rules..."
 . "$BASEDIR/include/ipv6_custom_routing"
@@ -991,6 +989,10 @@ fi
 $IP6TABLES -A INPUT -p tcp --syn -j DROP
 $IP6TABLES -A INPUT -p udp -j DROP
 fi
+ $IP6TABLES --policy INPUT ${IPV6_INPUT}
+ $IP6TABLES --policy OUTPUT ${IPV6_OUTPUT}
+ $IP6TABLES --policy FORWARD ${IPV6_FORWARD}
+fi
 if [ $TWEAKS ]; then
 for i in `grep -v "\#" $TWEAKS`; do
diff --git a/include/static b/include/static
index fea50b2..a614e90 100755
--- a/include/static
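Review bot: The three new `--policy` lines hand `${IPV4_INPUT}`, `${IPV4_OUTPUT}` and `${IPV4_FORWARD}` to iptables unchecked, so an empty or mistyped value (anything but ACCEPT or DROP) makes that iptables call fail and, unless the script aborts on errors somewhere outside this hunk (nothing visible here does), the run continues with whatever policy the chain already had — quite possibly ACCEPT from a previous run — which the old hard-coded lines could never do. I would validate the three values before the first `--policy` call and stop with a clear message otherwise, quoting the expansions while at it. The two `fi` lines above appear to close the `if [ $NAT ]` block named in the hunk header; that block and the code after the include line are outside the hunk.
```shell
# Refuse to apply an unknown chain policy: iptables would reject it and the
# chain would silently keep whatever policy it had before this run.
for policy in "$IPV4_INPUT" "$IPV4_OUTPUT" "$IPV4_FORWARD"; do
    case "$policy" in
        ACCEPT|DROP) ;;
        *) echo "Invalid IPv4 chain policy '$policy' (expected ACCEPT or DROP)" >&2; exit 1 ;;
    esac
done
$IPTABLES --policy INPUT "$IPV4_INPUT"
$IPTABLES --policy OUTPUT "$IPV4_OUTPUT"
$IPTABLES --policy FORWARD "$IPV4_FORWARD"
# … unchanged: ipv4_custom_blockincoming include …
```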
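Review bot: The ip6tables policies are applied at the very end of the IPv6 block, after the `ipv6_custom_*` includes and the BLOCKINCOMING drop rules just above them, whereas the IPv4 policies in the earlier hunk are set before the IPv4 custom rules are loaded; with `IPV6_INPUT=DROP` the INPUT chain therefore keeps its previous policy (a flush does not reset it) for the whole time the IPv6 rules are being built, and the two stacks end up behaving differently for the same option. Unless there is a reason for the asymmetry, I would move the three `--policy` lines to the start of the IPv6 block to mirror the IPv4 placement, and apply the same ACCEPT-or-DROP validation to `${IPV6_INPUT}`, `${IPV6_OUTPUT}` and `${IPV6_FORWARD}`. The added `+fi` closes an `if` that opens well before this hunk, so the exact nesting cannot be confirmed from here.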
+++ b/include/static
@@ -80,7 +80,17 @@ IPV6_ICMP_CRITICAL=1
 # http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses
 IPV4_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
 IPV6_MATCH="(?:(?>(?>([a-f0-9]{1,4})(?>:(?1)){7})|(?>(?!(?:.*[a-f0-9](?>:|$)){8,})((?1)(?>:(?1)){0,6})?::(?2)?))|(?>(?>(?>(?1)(?>:(?1)){5}:)|(?>(?!(?:.*[a-f0-9]:){6,})((?1)(?>:(?1)){0,4})?::(?>(?3):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3}))"
+
 # At the moment I don't have a valid way of verifying ranges within a certain constraint (ie /0 through /32)
 # If anyone wants to write these, feel free to!
 IPV4_NETMASK_MATCH=""
-IPV6_NETMASK_MATCH=""
\ No newline at end of file
+IPV6_NETMASK_MATCH=""
+
+# Default policies for IPv4 and IPv6. Make these ACCEPT by default, except for FORWARD,
+# since one wrong configuration can lock someone out.
+IPV4_INPUT=ACCEPT
+IPV4_OUTPUT=ACCEPT
+IPV4_FORWARD=DROP
+IPV6_INPUT=ACCEPT
+IPV6_OUTPUT=ACCEPT
+IPV6_FORWARD=DROP
\ No newline at end of file
diff --git a/options.default b/options.default
index 501b4d9..828862a 100755
--- a/options.default
+++ b/options.default
@@ -41,6 +41,16 @@ POSTRUN="$BASEDIR/conf/postrun"
 # Space separated list of interfaces to apply this on
 #CLAMPMSS="ppp0 eth0"
+
+# Default IPv4 policies
+# IPV4_INPUT set to DROP is different from BLOCKINCOMING,
+# as BLOCKINCOMING only blocks syn packets for TCP while still
+# allowing established connections even if connection tracking is off.
+# BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
+IPV4_INPUT=ACCEPT
+IPV4_OUTPUT=ACCEPT
+IPV4_FORWARD=DROP
+
 # Do we run a LAN DHCP server? Put the interfaces here
 # where this server is providing services.
 #LANDHCPSERVER="eth0 eth1"
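Review bot: The new IPV4_*/IPV6_* defaults in `include/static` only work as fallbacks if this file is sourced before the user's options file; if it is sourced after, these six assignments overwrite whatever the user configured, and the sourcing order is not visible in this diff, so it is worth confirming. I would make the intent explicit in the comment: `# Fallback chain policies, overridden by IPV4_*/IPV6_* in the options file. ACCEPT except FORWARD=DROP, since one wrong configuration can lock someone out.` The file still ends without a trailing newline on both sides of the hunk; adding one keeps the `\ No newline` marker out of every future diff. Separately, the context line `IPV4_MATCH=` just above the change appears to carry the same pattern as `IPV6_MATCH=` — not something this commit touches, but it looks like an IPv4 pattern was never written.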
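Review bot: The new comment block explains how `IPV4_INPUT=DROP` differs from BLOCKINCOMING but stops short of the consequence that follows from it: if, as the comment says, only BLOCKINCOMING keeps established connections working without connection tracking, then `IPV4_INPUT=DROP` with connection tracking off also drops the replies to this host's own outgoing traffic, which is exactly the lock-out `include/static` warns about. I would add above `IPV4_INPUT=ACCEPT`: `# Valid values: ACCEPT or DROP. Only use DROP together with connection tracking (or explicit rules for established traffic), otherwise replies to your own outgoing connections are dropped as well.` Since the three assignments are uncommented they are active on every install that copies this file, which is fine as long as they stay ACCEPT/ACCEPT/DROP. The wording `does however, deny` would read better without the comma.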
@@ -173,6 +183,15 @@ BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
 #IPV6_FORWARD=1
 #IPV6_CONNTRACK=1
+# Default IPv6 policies
+# IPV6_INPUT set to DROP is different from IPV6_BLOCKINCOMING,
+# as BLOCKINCOMING only blocks syn packets for TCP while still
+# allowing established connections even if connection tracking is off.
+# BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
+IPV6_INPUT=ALLOW
+IPV6_OUTPUT=ALLOW
+IPV6_FORWARD=DROP
+
 # Allow outgoing DNS requests - important if you did not activate connection
 # tracking. Set this to the interfaces you wish to use for outgoing requests
 # plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
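Review bot: `IPV6_INPUT=ALLOW` and `IPV6_OUTPUT=ALLOW` are not valid chain policies — `ip6tables --policy` accepts only the built-in targets ACCEPT and DROP — so with this file used as shipped, the `$IP6TABLES --policy INPUT ${IPV6_INPUT}` and OUTPUT lines added in bin/firewall-sosdg fail and those two chains keep whatever policy they had before; the IPv4 section of this same file and `include/static` both spell it ACCEPT. Change the two lines to `IPV6_INPUT=ACCEPT` and `IPV6_OUTPUT=ACCEPT`, and put `# Valid values: ACCEPT or DROP` above them so the typo cannot recur. The comment also names the option `IPV6_BLOCKINCOMING` on one line and `BLOCKINCOMING` on the next; using one name consistently would help.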