bbruns@gmail.com 2014-03-30 19:18:45 +00:00
parent 4f6b6772bf
commit 4c8d5ab520
5 changed files with 58 additions and 5 deletions

View File

@ -1,9 +1,10 @@
2.00 Alpha 1
- Complete code rewrite and restructure to solve some long standing issues with v1
- Separate out functions into support files for easier grouping of what they do
- Make more compatible with debian filesystem layout, including separating out into
/etc/firewall-sosdg for configs only, /usr/sbin for actual scripts, and
/usr/lib/firewall-sosdg for include/functions/etc that don't belong in config
- Make more compatible with multiple disto file layouts
- Basic functionality implemented:
- Trusted IP source (IPv4/IPv6) - 3/30/2014
- MSS Clamping (IPv4/IPv6) - 3/30/2014
=-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
1.1 - Brielle Bruns <bruns@2mbit.com>

View File

@ -149,6 +149,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
[ "${AllowAllv4Loopback}" == "yes" ] && allow_all_loopback ipv4
[ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4
[ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4
[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
fi
# Do IPv6 IPTables Rules
@ -163,5 +164,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
[ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6
[ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6
[ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
fi

View File

@ -21,4 +21,17 @@ EnableTrustedv4Hosts="yes"
# Enable MSS clamping to work around MTU size issues
# on network links such as PPPoE and wireless
# Config file: ipv4/mss-clamp.conf
Enablev4MSSClamp="yes"
# Values: no | yes (default)
Enablev4MSSClamp="yes"
# Use /etc/resolv.conf as source for DNS servers that we communicate
# with as a client. If you turn this off (recommended if on static IP),
# then you will need to manually define the DNS servers you use.
# Without conntrack rules allowing established/related, DNS traffic may
# be blocked and cause issues.
# Values: no | yes (default)
DNSClientUsev4ResolvConf="yes"
ResolvConfv4File="/etc/resolv.conf"
# Uncomment below if you set above to no.
#DNSClientManualv4Servers=""

View File

@ -21,4 +21,17 @@ EnableTrustedv6Hosts="yes"
# Enable MSS clamping to work around MTU size issues
# on network links such as PPPoE and wireless
# Config file: ipv6/mss-clamp.conf
Enablev6MSSClamp="yes"
# Values: no | yes (default)
Enablev6MSSClamp="yes"
# Use /etc/resolv.conf as source for DNS servers that we communicate
# with as a client. If you turn this off (recommended if on static IP),
# then you will need to manually define the DNS servers you use.
# Without conntrack rules allowing established/related, DNS traffic may
# be blocked and cause issues.
# Values: no | yes (default)
DNSClientUsev6ResolvConf="yes"
ResolvConfv6File="/etc/resolv.conf"
# Uncomment below if you set above to no.
#DNSClientManualv6Servers=""

View File

@ -182,4 +182,28 @@ function enable_mss_clamp {
${display} RED "Error: can not load mss clamp file."
${debug} ${DebugColor} "${FUNCNAME}: failed"
fi
}
function allow_resolvconf_servers {
IP_VERSION=$1
case $IP_VERSION in
ipv6) VER_IPTABLES=${IP6TABLES};
IPVER="6" ;;
ipv4|*) VER_IPTABLES=${IPTABLES}
IPVER="4" ;;
esac
${debug} ${DebugColor} "${FUNCNAME}: loading"
[[ ${IP_VERSION} = "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}"
[[ ${IP_VERSION} = "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}"
${debug} ${DebugColor} "${FUNCNAME}: Using ${ResolvConfFile} as resolv.conf"
while read -r type server; do
[[ ${type} != "nameserver" ]] && continue
# If we see a : in the server variable, we are most likely dealing with an ipv6 address
([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
${debug} ${DebugColor} "${FUNCNAME}: Added ${server} to DNS client trusted list"
${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
done < "${ResolvConfFile}"
}