-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirewall.config
218 lines (170 loc) · 6.74 KB
/
firewall.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
#!/bin/sh
# (C) Martin V\"ath <martin at mvath.de>
# SPDX-License-Identifier: BSD-3-Clause
# This is the config file for Martin V\"ath's firewall script.
#
# More precisely, this script is used by the firewall script if
# 1. It is /etc/firewall.config
# 2. It is /usr/lib/firewall/firewall.config or /lib/firewall/firewall.config
# and the earlier mentioned files are not readable.
# This file honours the existence/nonexistence of the following files:
# /etc/firewall.d/dhcp-client If this exists, DHCP clients are allowed
# /etc/firewall.d/lan-trust If this exists, lan is completely trusted
# /etc/firewall.d/routing If this exists, routing is enabled
# /etc/firewall.d/dhcpdns-server If this exists, DHCP/DNS servers are allowed
# Some things may become clearer if you look at the default
# In order to configure, one might need the active sshd port "$SSHPORT":
# This port is read from /etc/ssh/sshd_config (default: "ssh")
SSHPORT=`sed -n -e 's/^ *Port *\([0123456789]*\) *$/\1/p' \
/etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null` \
&& [ -n "${SSHPORT:++}" ] || SSHPORT='ssh'
# We setup an example how $SSHPORT can be reached from outside after
# a corresponding knocking sequence was provided:
# If you had used http://www.zeroflux.org/knock/
# you might want instead to use instead its config file.
# If we cannot read this file, we use an example sequence:
test -r /etc/knockd.conf \
&& KNOCKSEQ=`sed -n -e '/sequence/{s/[^0123456789,]//g;s/,/ /g;p}' /etc/knockd.conf` \
&& [ -n "${KNOCKSEQ:++}" ] && Push -c KNOCKSEQ $KNOCKSEQ "$SSHPORT" \
|| Push -c KNOCKSEQ 8000 4000 3000 7000 6000 9000 2000 "$SSHPORT"
# Drop these destinations for all except for "trusted interfaces" from outside
# as an anti-spoofing measurement, and allow always output:
if test -r /etc/firewall.d/lan-trust
then Push -c LOCALNETSIN '192.168.0.0/16'
else Push -c LOCALNETSIN
# We read the trusted port from the openrc (Gentoo) configuration:
set +f
for i in /etc/conf.d/*net
do test -r "$i" || continue
j=`. "$i" && echo ${ifconfig_eth0-} ${ifconfig_lan0-} ${ifconfig_net0-}` \
&& j="${j%% *}" && j="${j%%
*}" && case ${j:-x} in
*[!0123456789.]*)
:;;
*)
Push -c LOCALNETSIN "$j"
break;;
esac
done
fi
# Who may phone outside?
# The root group may always:
Push -c OUTONLYGID 0
# All groups listed in /etc/firewall.d/phoneout.groups may phone outside.
phoneoutgroups=`sed -n -e '/^[^#]/p' -- /etc/firewall.d/phoneout.groups 2>/dev/null` \
|| phoneoutgroups=
# If no group is listed there, we choose "users":
: ${phoneoutgroups:=users}
# In addition, we always allow the following groups if the exist:
phoneoutgroups=$phoneoutgroups' ddclient'
phoneoutgroups=$phoneoutgroups' ez-ipupd'
phoneoutgroups=$phoneoutgroups' pdnsd'
phoneoutgroups=$phoneoutgroups' privoxy'
phoneoutgroups=$phoneoutgroups' tor'
phoneoutgroups=$phoneoutgroups' unbound'
phoneoutgroups=$phoneoutgroups' tlsdate'
phoneoutgroups=$phoneoutgroups' wwwoffle'
phoneoutgroups=$phoneoutgroups' portage'
for i in $phoneoutgroups
do Push OUTONLYGID `id -g "$i" 2>/dev/null`
done
# To LOCALNETSOUT everybody may "phone":
Push -c LOCALNETSOUT '192.168.0.0/16'
# Tacitly drop the following protocols:
Push -c DROP_PROTO 'igmp'
# Never reject but drop those ports which are typically called by
# learn-resistant programs (which will not react on reject anyway).
# Moreover, these addresses are locked out for some period.
# This means that you should not include ports here which you use as a
# knocking sequence since otherwise the knocking host can get locked out
# before he can complete the sequence.
# Each (space separated) argument produces a different rule, while commas
# as separators make use of the multiport module. The latter is faster.
Push -c DROP_NOT_REJECT_NORMAL
#Push -c DROP_NOT_REJECT_NORMAL 135,137:139,445
# As above, but do not lock out the addresses.
# For instance, if you have windows machines in the local network and do
# not want to lock out that machines but drop the annoying regular requests
# you can list the ports here.
Push -c DROP_NOT_REJECT_OK 135,137:139,445
# Reject/Drop without logging those ports which are typically called
# by learn-resistant programs (this saves a lot of log space).
# Each (space separated) argument produces a different rule, while commas
# as separators make use of the multiport module. The latter is faster.
Push -c REJECT_TACITLY 135,137:139,445,1024:1031,5000
# Allow for everybody:
# Each (space separated) argument produces a different rule, while commas
# as separators make use of the multiport module. The latter is faster.
ALLOWTCP=4662:4663 # cvspserver rsync 4662:4663(torrent)
ALLOWUDP=60001:60998 # cvspserver 60001:60998(mosh)
allowdhcpports=false
if test -r /etc/firewall.d/dhcp-server
then allowdhcpports=:
fi
if test -r /etc/firewall.d/dhcp-client
then # Allow ipsec:
ALLOWUDP=500${ALLOWUDP:+,}$ALLOWUDP
Push ALLOWPROTOCOL esp ah
fi
if test -r /etc/firewall.d/allow-tun
then Push ALLOWIF 'tun+'
Push FORWARDALLOWIF 'tun+'
fi
if test -r /etc/firewall.d/allow-tap
then Push ALLOWIF 'tap+'
Push FORWARDALLOWIF 'tap+'
fi
if test -r /etc/firewall.d/dhcpdns-server
then allowdhcpports=:
# Allow DNS requests:
ALLOWUDP=53${ALLOWUDP:+,}$ALLOWUDP
# Allow outgoing traffic of the DNS server's group
Push OUTONLYGID $(id -g dnsmasq 2>/dev/null)
fi
if $allowdhcpports
then ALLOWUDP=67:68${ALLOWUDP:+,}$ALLOWUDP
# DHCP requests are broadcasts, so we must accept them to accept DHCP requests:
BROADCASTS='accept'
fi
AddLine() {
case ${2:-#} in
'#'*|';'*|'/'*)
return;;
esac
eval "$1=\$2\${$1:+,}\$$1"
}
AddFiles() {
addfilesvar=$1
shift
for addfiles
do test -r "$addfiles" && test -f "$addfiles" || continue
while addfilesline=
read addfilesline
do AddLine "$addfilesvar" "$addfilesline"
done <"$addfiles"
AddLine "$addfilesvar" "$addfilesline"
done
}
AddFiles ALLOWUDP /etc/firewall.d/allowudp.d/* /etc/firewall.d/allowudp
AddFiles ALLOWTCP /etc/firewall.d/allowtcp.d/* /etc/firewall.d/allowtcp
Push -c ALLOWTCP "$ALLOWTCP"
Push -c ALLOWUDP "$ALLOWUDP"
# Allow for "trusted interfaces" in addition:
Push TRUSTEDTCP "$SSHPORT"
# The above "trusted interfaces" (you may use the "+" wildcard like "net+").
# Our default supports eth* names as well as renames lan* or net*
# (e.g. by eudev or udev rules); otherwise please change correspondingly:
! test -r /etc/firewall.d/lan-trust || Push TRUSTEDIF 'eth+' 'lan+' 'net+'
# Do we want routing?
if test -r /etc/firewall.d/routing
then ROUTING=:
Push SYSCTLON 'ppp*' 'ippp*' 'dsl*'
Push SYSCTLOFF 'ppp*' 'ippp*' 'dsl*'
# The interface to forward (you may use the "+" wildcard like "net+").
# Again, we support eth* as well as renames let* and net*;
# otherwise please change correspondingly:
Push -c ROUTESOURCEIF 'eth+' 'lan+' 'net+'
else ROUTING=false
fi
# We do not want ip6tables:
IPT6=false