From 4c8d5ab520cb123aecfbb05a30f7fcb00f7b0d9c Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Sun, 30 Mar 2014 19:18:45 +0000
Subject: [PATCH]

---
 ChangeLog | 7 ++++---
 bin/srfirewall | 2 ++
 etc/ipv4.conf | 15 ++++++++++++++-
 etc/ipv6.conf | 15 ++++++++++++++-
 lib/iptables.inc | 24 ++++++++++++++++++++++++
 5 files changed, 58 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9dbfcf5..2366b48 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,9 +1,10 @@
 2.00 Alpha 1
 - Complete code rewrite and restructure to solve some long standing issues with v1
 - Separate out functions into support files for easier grouping of what they do
- - Make more compatible with debian filesystem layout, including separating out into
- /etc/firewall-sosdg for configs only, /usr/sbin for actual scripts, and
- /usr/lib/firewall-sosdg for include/functions/etc that don't belong in config
+ - Make more compatible with multiple disto file layouts
+ - Basic functionality implemented:
+ - Trusted IP source (IPv4/IPv6) - 3/30/2014
+ - MSS Clamping (IPv4/IPv6) - 3/30/2014
 
 =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
 1.1 - Brielle Bruns
diff --git a/bin/srfirewall b/bin/srfirewall
index 1a5c6b0..5a16934 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -149,6 +149,7 @@ if [ "${EnableIPv4}" == "yes" ]; then
 [ "${AllowAllv4Loopback}" == "yes" ] && allow_all_loopback ipv4
 [ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4
 [ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4
+ [ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
 fi
 
 # Do IPv6 IPTables Rules
@@ -163,5 +164,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
 [ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6
 [ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6
 [ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
+ [ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
 fi
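Review bot: The new gate `[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4` (and its ipv6 twin in the second hunk) has no counterpart for the "no" case, yet the etc/ipv4.conf and etc/ipv6.conf hunks in this same commit tell the user to populate DNSClientManualv4Servers / DNSClientManualv6Servers when resolv.conf parsing is turned off, and nothing in the patch reads those variables. Setting the option to "no" therefore adds no DNS client rules at all, which the config comment itself warns may block DNS where no conntrack established/related rule exists. Either wire a manual-server path into these two `if` blocks, or change the config comment to say the manual list is not yet implemented so nobody relies on it. Both enclosing `if` blocks begin outside the hunks.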
diff --git a/etc/ipv4.conf b/etc/ipv4.conf
index 499721e..e366490 100644
--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@@ -21,4 +21,17 @@ EnableTrustedv4Hosts="yes"
 # Enable MSS clamping to work around MTU size issues
 # on network links such as PPPoE and wireless
 # Config file: ipv4/mss-clamp.conf
-Enablev4MSSClamp="yes"
\ No newline at end of file
+# Values: no | yes (default)
+Enablev4MSSClamp="yes"
+
+# Use /etc/resolv.conf as source for DNS servers that we communicate
+# with as a client. If you turn this off (recommended if on static IP),
+# then you will need to manually define the DNS servers you use.
+# Without conntrack rules allowing established/related, DNS traffic may
+# be blocked and cause issues.
+# Values: no | yes (default)
+DNSClientUsev4ResolvConf="yes"
+ResolvConfv4File="/etc/resolv.conf"
+
+# Uncomment below if you set above to no.
+#DNSClientManualv4Servers=""
\ No newline at end of file
diff --git a/etc/ipv6.conf b/etc/ipv6.conf
index ff1ee40..dc3f5c4 100644
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@@ -21,4 +21,17 @@ EnableTrustedv6Hosts="yes"
 # Enable MSS clamping to work around MTU size issues
 # on network links such as PPPoE and wireless
 # Config file: ipv6/mss-clamp.conf
-Enablev6MSSClamp="yes"
\ No newline at end of file
+# Values: no | yes (default)
+Enablev6MSSClamp="yes"
+
+# Use /etc/resolv.conf as source for DNS servers that we communicate
+# with as a client. If you turn this off (recommended if on static IP),
+# then you will need to manually define the DNS servers you use.
+# Without conntrack rules allowing established/related, DNS traffic may
+# be blocked and cause issues.
+# Values: no | yes (default)
+DNSClientUsev6ResolvConf="yes"
+ResolvConfv6File="/etc/resolv.conf"
+
+# Uncomment below if you set above to no.
+#DNSClientManualv6Servers=""
\ No newline at end of file
diff --git a/lib/iptables.inc b/lib/iptables.inc
index 47742a4..53b99d8 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -182,4 +182,28 @@ function enable_mss_clamp {
 ${display} RED "Error: can not load mss clamp file."
 ${debug} ${DebugColor} "${FUNCNAME}: failed"
 fi
+}
+
+function allow_resolvconf_servers {
+ IP_VERSION=$1
+ case $IP_VERSION in
+ ipv6) VER_IPTABLES=${IP6TABLES};
+ IPVER="6" ;;
+ ipv4|*) VER_IPTABLES=${IPTABLES}
+ IPVER="4" ;;
+ esac
+ ${debug} ${DebugColor} "${FUNCNAME}: loading"
+ [[ ${IP_VERSION} = "ipv4" ]] && ResolvConfFile="${ResolvConfv4File}"
+ [[ ${IP_VERSION} = "ipv6" ]] && ResolvConfFile="${ResolvConfv6File}"
+ ${debug} ${DebugColor} "${FUNCNAME}: Using ${ResolvConfFile} as resolv.conf"
+ while read -r type server; do
+ [[ ${type} != "nameserver" ]] && continue
+ # If we see a : in the server variable, we are most likely dealing with an ipv6 address
+ ([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
+ ${debug} ${DebugColor} "${FUNCNAME}: Added ${server} to DNS client trusted list"
+ ${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
+ ${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
+ ${VER_IPTABLES} -A ${OutPreRules} -p tcp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
+ ${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
+ done < "${ResolvConfFile}"
 }
\ No newline at end of file
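Review bot: The four iptables rules in allow_resolvconf_servers appear to have `-s`/`-d` the wrong way round: if `${OutPreRules}` is reached from OUTPUT and `${InPreRules}` from INPUT, as their names suggest, an outbound query has the nameserver as its destination (`-d ${server} --dport 53`) and the reply has it as its source (`-s ${server} --sport 53`), so as written neither rule would match real client traffic. `${server}` is also expanded unquoted, and `read -r type server` leaves any trailing tokens of the resolv.conf line in it, so a constructed entry like `nameserver 10.0.0.1 extra` (or a `%scope` suffix on an IPv6 address) turns into extra iptables arguments; quote it and read into a throw-away third variable. In ipv6 mode IPv4 entries are never skipped (only the ipv4 side filters on `:`), so ip6tables will be handed a dotted address and fail, and an unreadable `${ResolvConfFile}` hits the redirect with no error path, unlike the "can not load" handling enable_mss_clamp has for its file. The inbound rules also accept any packet from the resolver with source port 53 regardless of connection state; if the ruleset already carries a conntrack ESTABLISHED,RELATED rule, consider relying on that or adding `-m conntrack --ctstate ESTABLISHED` here. Rewritten loop below; the ipv4/ipv6 case and ResolvConfFile selection are unchanged.
```shell
function allow_resolvconf_servers {
	# … unchanged: IP_VERSION / case / ResolvConfFile selection / debug output …
	if [[ ! -r "${ResolvConfFile}" ]]; then
		${display} RED "Error: can not read ${ResolvConfFile}."
		${debug} ${DebugColor} "${FUNCNAME}: failed"
		return 1
	fi
	# Third field swallows anything after the address so it never reaches iptables
	while read -r type server _; do
		[[ ${type} != "nameserver" ]] && continue
		# A ':' marks an IPv6 address; skip entries of the other address family
		[[ ${server} == *:* && ${IP_VERSION} = "ipv4" ]] && continue
		[[ ${server} != *:* && ${IP_VERSION} = "ipv6" ]] && continue
		${debug} ${DebugColor} "${FUNCNAME}: Added ${server} to DNS client trusted list"
		# Queries leave this host towards the resolver; replies come back from it
		${VER_IPTABLES} -A "${OutPreRules}" -p udp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
		${VER_IPTABLES} -A "${InPreRules}" -p udp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
		${VER_IPTABLES} -A "${OutPreRules}" -p tcp -d "${server}" --sport 1024:65535 --dport 53 -j ACCEPT
		${VER_IPTABLES} -A "${InPreRules}" -p tcp -s "${server}" --sport 53 --dport 1024:65535 -j ACCEPT
	done < "${ResolvConfFile}"
}
```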