[hcoop/zz_old/fwtool.git] / closed.conf


option clearall
option createchains
option automod

############# Define variables
def $IFCONFIG = "/sbin/ifconfig";
def $AWK      = "/usr/bin/awk";
def $GREP     = "/bin/grep";
def $CAT      = "/bin/cat";
def $SED      = "/bin/sed";

def $MASK     = 29;  # Our netmask is /29 = 255.255.255.248
def $IPS      = 64.20.38.170;
def $IFS      = eth0;
def $IPSPEC   = "64.20.38.170/$MASK";

def $NSIP     = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP	   `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`

def $BADGUYS  = `/etc/firewall/print_badguys`;

############# Port/protocol combinations we allow in and out
def $TCP_IN              = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
def $TCP_OUT_DELAY       = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT  = (ftp-data);
#set TCP_OUT_COST	   ""

def $UDP_IN              = (ntp domain);
def $UDP_OUT             = 1:65535;

def $ICMP_IN             = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
def $ICMP_OUT            = (ping pong fragmentation-needed source-quench parameter-problem);


# Make us insensitive to the environment
table mangle chain FORWARD policy DROP;
table filter chain FORWARD policy DROP;
table filter chain (INPUT OUTPUT) policy DROP;

# Allow traffic in areas outside of our scope
table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
table nat    chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;

######################################################################
# Built-in chains that jump to our custom ones

chain INPUT {
	state INVALID goto ldrop;
	fragment goto ldrop;
#	goto IANA_BAN;
#	goto LOCAL_BAN;
	#goto PORTSCAN; # Do we need this? There are better, dedicated tools

	state (ESTABLISHED RELATED) ACCEPT;

	if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
	if lo saddr $IPSPEC     daddr $IPSPEC     ACCEPT;
	if lo goto ldrop;

	#incoming traffic
	goto badguys;
	protocol tcp goto fw_tcp;
	protocol udp goto fw_udp;
	protocol icmp goto fw_icmp;

	goto ldrop;
}

chain OUTPUT {
	state INVALID goto lreject;
	fragment goto lreject;

	state (ESTABLISHED RELATED) ACCEPT;

	of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
	of lo saddr $IPSPEC                       ACCEPT;
	of lo goto lreject;

	# queueing goes here, maybe some special fw rules as well
	proto tcp goto tosqueue; # ACCEPT must be handled here

	proto udp dport $UDP_OUT ACCEPT;
	proto icmp icmp-type $ICMP_OUT ACCEPT;

	goto lreject;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
	saddr $BADGUYS REJECT;
}

#####################################################################
# TCP traffic
chain fw_tcp proto tcp {
	# Standard allowances
	syn dport $TCP_IN sport 1024: {
		limit 5/s ACCEPT;
		limit 20/m LOG log-prefix "SYN flood attack:";
		goto ldrop;
	}

	# deny scanning via DNS port
	sport domain {
		dport domain ACCEPT;
		syn goto ldrop;
	}

	# special case to allow active ftp transfers to our machine!
	sport ftp-data dport 1024: {
		ACCEPT;
	}

	include 'users_tcp_in.conf';

	# awkward incoming connections
	syn {
		goto ldrop;
	}
}

#####################################################################
# UDP traffic
chain fw_udp proto udp {
	# Standard allowances
	dport $UDP_IN sport 1024: {
		ACCEPT;
	}

	# again no dns fumbling around
	sport domain dport domain saddr $NSIP {
		ACCEPT;
	}
}


#####################################################################
# ICMP traffic
chain fw_icmp proto icmp {
	# Standard allowances
	icmp-type $ICMP_IN {
		ACCEPT;
	}

	#icmp-type echo-request limit 1/s ACCEPT;
	#icmptype ( ping pong destination-unreachable time-exceeded) {
	#	ACCEPT;
	#}
	# never seen hits on this one:
}


#####################################################################
# TOS (Type-of-service) adjustments
chain tosqueue {
	protocol tcp {
		# rapid response protocols
#		dport $TCP_OUT_DELAY settos min-delay ACCEPT;
		dport $TCP_OUT_DELAY ACCEPT;
		sport $TCP_OUT_DELAY ACCEPT;
		# keep these from timing out
#		dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
		dport $TCP_OUT_RELIABILITY ACCEPT;
		sport $TCP_OUT_RELIABILITY ACCEPT;
		# bulk stuff
#		dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
		dport $TCP_OUT_THROUGHPUT ACCEPT;
		sport $TCP_OUT_THROUGHPUT ACCEPT;
#    dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
    dport (ftp-data 8888 6699) ACCEPT;
    sport (ftp-data 8888 6699) ACCEPT;
	}

#	proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;

	include 'users_tcp_out.conf';

	goto lreject;
}

#####################################################################
# Supporting targets
chain ldrop {
	LOG {
		log-level info log-prefix "Dropped";
		log-level warn fragment log-prefix "FRAGMENT Dropped";
	}
	REJECT;
}

chain lreject {
	LOG {
		log-level info proto tcp log-prefix "Denied";
		log-level warn fragment log-prefix "FRAGMENT Denied";
	}
	REJECT;
}

include 'users.conf';
Commit	Line	Data
17bb0bf0	1
17bb0bf0 DO	2	option clearall
	3	option createchains
	4	option automod
	5
	6	############# Define variables
9b2115e2 AC	7	def $IFCONFIG = "/sbin/ifconfig";
	8	def $AWK = "/usr/bin/awk";
	9	def $GREP = "/bin/grep";
	10	def $CAT = "/bin/cat";
	11	def $SED = "/bin/sed";
17bb0bf0	12
9b2115e2 AC	13	def $MASK = 29; # Our netmask is /29 = 255.255.255.248
	14	def $IPS = 64.20.38.170;
	15	def $IFS = eth0;
	16	def $IPSPEC = "64.20.38.170/$MASK";
17bb0bf0	17
9b2115e2 AC	18	def $NSIP = `/bin/cat /etc/resolv.conf \| /bin/grep nameserver \| /usr/bin/awk '{print $2}'`;
	19	#set NTPIP `$CAT /etc/ntp.conf \| $GREP server \| $AWK '{print $2}'`
	20
	21	def $BADGUYS = `/etc/firewall/print_badguys`;
17bb0bf0 DO	22
17bb0bf0 DO	23	############# Port/protocol combinations we allow in and out
9b2115e2 AC	24	def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
	25	def $TCP_OUT_DELAY = (ssh ftp auth);
	26	def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
	27	def $TCP_OUT_THROUGHPUT = (ftp-data);
9132939d	28	#set TCP_OUT_COST ""
7a910192	29
9b2115e2 AC	30	def $UDP_IN = (ntp domain);
9b2115e2 AC	31	def $UDP_OUT = 1:65535;
7a910192	32
9b2115e2 AC	33	def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
9b2115e2 AC	34	def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);
17bb0bf0 DO	35
	36
	37	# Make us insensitive to the environment
9b2115e2 AC	38	table mangle chain FORWARD policy DROP;
	39	table filter chain FORWARD policy DROP;
	40	table filter chain (INPUT OUTPUT) policy DROP;
9132939d DO	41
9132939d DO	42	# Allow traffic in areas outside of our scope
9b2115e2 AC	43	table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
9b2115e2 AC	44	table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;
17bb0bf0	45
17bb0bf0 DO	46	######################################################################
	47	# Built-in chains that jump to our custom ones
	48
	49	chain INPUT {
9b2115e2 AC	50	state INVALID goto ldrop;
9b2115e2 AC	51	fragment goto ldrop;
17bb0bf0 DO	52	# goto IANA_BAN;
17bb0bf0 DO	53	# goto LOCAL_BAN;
9132939d	54	#goto PORTSCAN; # Do we need this? There are better, dedicated tools
17bb0bf0	55
9b2115e2	56	state (ESTABLISHED RELATED) ACCEPT;
17bb0bf0 DO	57
17bb0bf0 DO	58	if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
9b2115e2 AC	59	if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
9b2115e2 AC	60	if lo goto ldrop;
9132939d DO	61
	62	#incoming traffic
	63	goto badguys;
	64	protocol tcp goto fw_tcp;
	65	protocol udp goto fw_udp;
	66	protocol icmp goto fw_icmp;
	67
9b2115e2	68	goto ldrop;
17bb0bf0 DO	69	}
	70
	71	chain OUTPUT {
9b2115e2 AC	72	state INVALID goto lreject;
9b2115e2 AC	73	fragment goto lreject;
17bb0bf0	74
9b2115e2	75	state (ESTABLISHED RELATED) ACCEPT;
17bb0bf0 DO	76
17bb0bf0 DO	77	of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
9b2115e2 AC	78	of lo saddr $IPSPEC ACCEPT;
9b2115e2 AC	79	of lo goto lreject;
17bb0bf0	80
17bb0bf0 DO	81	# queueing goes here, maybe some special fw rules as well
	82	proto tcp goto tosqueue; # ACCEPT must be handled here
	83
9b2115e2 AC	84	proto udp dport $UDP_OUT ACCEPT;
9b2115e2 AC	85	proto icmp icmp-type $ICMP_OUT ACCEPT;
9132939d	86
9b2115e2	87	goto lreject;
17bb0bf0 DO	88	}
	89
	90	#####################################################################
	91	# Deal with known offenders right away
	92	# Make difference between notorious ones and unusual ones
	93	chain badguys {
9b2115e2	94	saddr $BADGUYS REJECT;
17bb0bf0 DO	95	}
	96
	97	#####################################################################
	98	# TCP traffic
	99	chain fw_tcp proto tcp {
17bb0bf0	100	# Standard allowances
9b2115e2	101	syn dport $TCP_IN sport 1024: {
9132939d	102	limit 5/s ACCEPT;
9b2115e2 AC	103	limit 20/m LOG log-prefix "SYN flood attack:";
9b2115e2 AC	104	goto ldrop;
17bb0bf0 DO	105	}
17bb0bf0 DO	106
17bb0bf0 DO	107	# deny scanning via DNS port
	108	sport domain {
	109	dport domain ACCEPT;
9b2115e2	110	syn goto ldrop;
17bb0bf0 DO	111	}
	112
	113	# special case to allow active ftp transfers to our machine!
	114	sport ftp-data dport 1024: {
	115	ACCEPT;
	116	}
	117
9b2115e2 AC	118	include 'users_tcp_in.conf';
9b2115e2 AC	119
17bb0bf0 DO	120	# awkward incoming connections
17bb0bf0 DO	121	syn {
9b2115e2	122	goto ldrop;
17bb0bf0	123	}
9132939d	124	}
17bb0bf0 DO	125
	126	#####################################################################
	127	# UDP traffic
	128	chain fw_udp proto udp {
17bb0bf0	129	# Standard allowances
9b2115e2	130	dport $UDP_IN sport 1024: {
17bb0bf0 DO	131	ACCEPT;
	132	}
	133
	134	# again no dns fumbling around
9b2115e2	135	sport domain dport domain saddr $NSIP {
7a910192 DO	136	ACCEPT;
7a910192 DO	137	}
17bb0bf0 DO	138	}
	139
	140
	141	#####################################################################
	142	# ICMP traffic
	143	chain fw_icmp proto icmp {
17bb0bf0	144	# Standard allowances
9b2115e2	145	icmp-type $ICMP_IN {
17bb0bf0 DO	146	ACCEPT;
	147	}
	148
	149	#icmp-type echo-request limit 1/s ACCEPT;
	150	#icmptype ( ping pong destination-unreachable time-exceeded) {
	151	# ACCEPT;
	152	#}
	153	# never seen hits on this one:
17bb0bf0 DO	154	}
	155
	156
	157	#####################################################################
	158	# TOS (Type-of-service) adjustments
	159	chain tosqueue {
9132939d	160	protocol tcp {
17bb0bf0	161	# rapid response protocols
9b2115e2 AC	162	# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
	163	dport $TCP_OUT_DELAY ACCEPT;
	164	sport $TCP_OUT_DELAY ACCEPT;
17bb0bf0	165	# keep these from timing out
9b2115e2 AC	166	# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
	167	dport $TCP_OUT_RELIABILITY ACCEPT;
	168	sport $TCP_OUT_RELIABILITY ACCEPT;
17bb0bf0	169	# bulk stuff
9b2115e2 AC	170	# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
	171	dport $TCP_OUT_THROUGHPUT ACCEPT;
	172	sport $TCP_OUT_THROUGHPUT ACCEPT;
	173	# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
	174	dport (ftp-data 8888 6699) ACCEPT;
	175	sport (ftp-data 8888 6699) ACCEPT;
17bb0bf0 DO	176	}
17bb0bf0 DO	177
9b2115e2 AC	178	# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
	179
	180	include 'users_tcp_out.conf';
	181
	182	goto lreject;
17bb0bf0 DO	183	}
	184
	185	#####################################################################
	186	# Supporting targets
9b2115e2	187	chain ldrop {
17bb0bf0	188	LOG {
9b2115e2	189	log-level info log-prefix "Dropped";
17bb0bf0 DO	190	log-level warn fragment log-prefix "FRAGMENT Dropped";
17bb0bf0 DO	191	}
9b2115e2	192	REJECT;
17bb0bf0 DO	193	}
17bb0bf0 DO	194
9b2115e2	195	chain lreject {
17bb0bf0	196	LOG {
9b2115e2	197	log-level info proto tcp log-prefix "Denied";
17bb0bf0 DO	198	log-level warn fragment log-prefix "FRAGMENT Denied";
17bb0bf0 DO	199	}
9b2115e2	200	REJECT;
17bb0bf0 DO	201	}
17bb0bf0 DO	202
9b2115e2	203	include 'users.conf';