7 years ago · e190e321d0
--- a/+ 1
+++ b/+ 1
@@ -5,6 +5,7 @@
 	- Basic functionality implemented:
 		- Trusted IP source (IPv4/IPv6) - 3/30/2014
 		- MSS Clamping (IPv4/IPv6) - 3/30/2014
 		- Trusted DNS server as client (IPv4/IPv6) - 3/30/2014
 		
 =-=-=-=-= PRE 2.0 REWRITE =-=-=-=-=
 1.1 - Brielle Bruns <bruns@2mbit.com>
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -151,6 +151,8 @@ if [ "${EnableIPv4}" == "yes" ]; then
 	[ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4
 	[ "${DNSClientUsev4ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv4
 	[ "${DNSClientManualv4Servers}" ] && allow_dnsclient_manual ipv4 "${DNSClientManualv4Servers}"
 	[ "${Enablev4EasyBlock}" == "yes" ] && enable_easyblock ipv4
 	
 fi

 # Do IPv6 IPTables Rules
@@ -167,5 +169,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
 	[ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
 	[ "${DNSClientUsev6ResolvConf}" == "yes" ] && allow_resolvconf_servers ipv6
 	[ "${DNSClientManualv6Servers}" ] && allow_dnsclient_manual ipv6 "${DNSClientManualv6Servers}"
 	[ "${Enablev6EasyBlock" == "yes" ] && enable_easyblock ipv6
 fi

--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@@ -36,4 +36,12 @@ ResolvConfv4File="/etc/resolv.conf"
 # Uncomment below if you set above to no.  You can still manually define your servers
 # here if you want.  Useful at times.
 # Values: space separated IP list of DNS servers
 #DNSClientManualv4Servers=""
 #DNSClientManualv4Servers=""

 # Enable the EasyBlock access list
 # This is a simple/easy way to block traffic in or out,
 # no complex options.  Use the Filter options for more
 # complex ACLs
 # Config file: ipv4/easyblock.conf
 # Values: no | yes (default)
 Enablev4EasyBlock="yes"
--- a/etc/ipv6.conf
+++ b/etc/ipv6.conf
@@ -36,4 +36,12 @@ ResolvConfv6File="/etc/resolv.conf"
 # Uncomment below if you set above to no.  You can still manually define your servers
 # here if you want.  Useful at times.
 # Values: space separated IP list of DNS servers
 #DNSClientManualv6Servers=""
 #DNSClientManualv6Servers=""

 # Enable the EasyBlock access list
 # This is a simple/easy way to block traffic in or out,
 # no complex options.  Use the Filter options for more
 # complex ACLs
 # Config file: ipv6/easyblock.conf
 # Values: no | yes (default)
 Enablev6EasyBlock="yes"
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -200,6 +200,7 @@ function allow_resolvconf_servers {
 		[[ ${type} != "nameserver" ]] && continue
 		# If we see a : in the server variable, we are most likely dealing with an ipv6 address
 		([[ ${server} =~ ":" ]] && [[ ${IP_VERSION} = "ipv4" ]]) && continue
 		([[ ${server} !~ ":" ]] && [[ ${IP_VERSION} = "ipv6" ]]) && continue
 		${debug} ${DebugColor} "${FUNCNAME}: Added ${server} to DNS client trusted list"
 		${VER_IPTABLES} -A ${OutPreRules} -p udp -s ${server} --sport 1024:65535 --dport 53 -j ACCEPT
 		${VER_IPTABLES} -A ${InPreRules} -p udp -d ${server} --dport 1024:65535 --sport 53 -j ACCEPT
@@ -227,4 +228,42 @@ function allow_dnsclient_manual {
 		${VER_IPTABLES} -A ${InPreRules} -p tcp -d ${i} --dport 1024:65535 --sport 53 -j ACCEPT
 	done
 	${debug} ${DebugColor} "${FUNCNAME}: done"
 }

 function enable_easyblock {
 	IP_VERSION=$1
 		case $IP_VERSION in
 		ipv6) VER_IPTABLES=${IP6TABLES};
 				IPVER="6" ;;
 		ipv4|*) VER_IPTABLES=${IPTABLES}
 				IPVER="4" ;;
 	esac
 	${debug} ${DebugColor} "${FUNCNAME}: loading"
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf" ]; then
 		${debug} ${DebugColor} "${FUNCNAME}: read ${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf successful"
 		while read -r direction interface address port; do
 			[[ ${direction} = \#* ]] && continue
 			
 			# Do some creative work with variables to make building the iptables rules fairly painless
 			[[ ${port} != "-" ]] && port="--dport ${port}"
 			([[ ${address} != "-" ]] && [[ ${direction} == "IN" ]] && address="-s ${address}"
 			([[ ${address} != "-" ]] && [[ ${direction} == "OUT" ]] && address="-d ${address}"
 			([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]] && interface="-i ${interface}"
 			([[ ${interface} != "-" ]] && [[ ${direction} == "OUT" ]] && interface="-o ${interface}"
 			[[ ${direction} == "OUT" ]] && chain="${OutEasyBlock}"
 			[[ ${direction} == "IN" ]] && chain="${InEasyBlock}"
 			
 			${debug} ${DebugColor} "${FUNCNAME}: Read: ${direction} ${interface} ${address} ${port}"
 			
 			# Blank variables that we're not going to use.
 			[[ ${interface} == "-" ]] && interface=""
 			[[ ${port} == "-" ]] && port=""
 			[[ ${address} == "-" ]] && address=""
 			
 			
 			${VER_IPTABLES} -A ${chain} ${interface} ${address} ${port}
 		done < "${FWCONFIGDIR}/ipv${IPVER}/easyblock.conf"

 		${debug} ${DebugColor} "${FUNCNAME}: done"
 	
 }