# Host firewall (ferm syntax) for a "closed" box: the filter table's
# INPUT/OUTPUT/FORWARD chains all default to DROP (see the policy lines
# at the bottom of this section) and only the services listed in the
# $TCP_IN / $UDP_IN / $ICMP_IN variables are opened. Everything that is
# not explicitly accepted ends up in the logging chains ldrop/lreject.
#
# NOTE(review): the three options below are ferm directives; confirm
# their exact meaning (clearing existing rules, creating referenced
# chains, kernel-module handling) against the ferm version in use.
option clearall
option createchains
option automod

############# Define variables
# Tool paths. NOTE(review): only the $NSIP pipeline below would use
# these, and it spells out /bin/cat, /bin/grep and /usr/bin/awk
# literally instead; either reference the variables there or drop the
# unused definitions. $IFCONFIG and $SED are not used in this file.
def $IFCONFIG = "/sbin/ifconfig";
def $AWK = "/usr/bin/awk";
def $GREP = "/bin/grep";
def $CAT = "/bin/cat";
def $SED = "/bin/sed";

def $MASK = 29; # Our netmask is /29 = 255.255.255.248
# $IPS, $IFS and $WE are defined but not referenced anywhere in this
# file (the included users*.conf files may use them). Note in
# particular that no rule below ties the public address to $IFS, so
# this file does not itself reject packets claiming our address on
# another interface.
def $IPS = 64.20.38.170;
def $IFS = eth0;
def $IPSPEC = "64.20.38.170/$MASK";
def $WE = (127.0.0.1/8 $IPSPEC);

# Resolver addresses, read from /etc/resolv.conf when the rules are
# loaded; used in fw_udp to accept port-53-to-port-53 traffic from our
# own nameservers. NOTE(review): if resolv.conf has no "nameserver"
# line this list is empty, and what an empty saddr list matches depends
# on the ferm version — confirm it does not silently widen that rule.
# Re-run ferm whenever the resolver list changes.
def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`

# Source addresses to reject outright (chain badguys). The script's
# output is trusted verbatim, so it must only ever print addresses;
# the empty-output case deserves the same check as $NSIP above.
def $BADGUYS = `/etc/firewall/print_badguys`;

############# Port/protocol combinations we allow in and out
# Inbound TCP services reachable from ANY source. Port 26 has no
# recorded purpose here. 10000/20000 are administrative web UIs
# exposed to the whole Internet by this list; restricting them to a
# trusted saddr would shrink the attack surface considerably.
def $TCP_IN = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
# 10000 is webmin; 20000 is usermin
# Outbound TCP lists. They were once grouped by the TOS value to set,
# but every settos line in chain tosqueue is commented out, so today
# they are simply the outbound allow list. Note that https/443 is in
# none of them: outbound HTTPS from this host is rejected unless
# users_tcp_out.conf allows it.
def $TCP_OUT_DELAY = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT = (ftp-data);
#set TCP_OUT_COST ""

# Inbound UDP services open to any source; outbound UDP is unrestricted
# (1:65535 covers every port, see chain OUTPUT).
def $UDP_IN = (ntp domain);
def $UDP_OUT = 1:65535;

# ICMP types accepted in / out. "ping" (echo-request) is accepted from
# any source without a rate limit; a limited variant exists only as a
# commented-out line in chain fw_icmp.
def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);


# Make us insensitive to the environment
# Default-deny for the filter table. No FORWARD chain is defined in
# this file, so forwarding is effectively disabled by policy alone.
table mangle chain FORWARD policy DROP;
table filter chain FORWARD policy DROP;
table filter chain (INPUT OUTPUT) policy DROP;

# Allow traffic in areas outside of our scope
# mangle/nat are left wide open; all filtering happens in the filter
# table chains defined below.
table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;
######################################################################
# Built-in chains that jump to our custom ones

# Inbound traffic. Order matters: conntrack-invalid packets and
# fragments are logged and rejected first, established flows are
# accepted, loopback is accepted, then the rest is dispatched per
# protocol. The final "goto ldrop" means the chain's DROP policy is
# never actually reached — every leftover packet is logged and REJECTed.
chain INPUT {
state INVALID goto ldrop;
fragment goto ldrop;
# goto IANA_BAN;
# goto LOCAL_BAN;
#goto PORTSCAN; # Do we need this? There are better, dedicated tools

state (ESTABLISHED RELATED) ACCEPT;

# Loopback TCP in either direction as long as one side uses a
# privileged (<1024) port.
proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
# NOTE(review): unlike its two neighbours this rule has no "if lo", so
# it is keyed on 127/8 addresses alone rather than on the loopback
# interface (the kernel's martian filtering is what normally keeps such
# packets off other interfaces). Also, the iptables owner match is only
# meant for locally generated packets (OUTPUT), so in INPUT this rule
# likely either fails to load or never matches — TODO confirm with the
# iptables version in use and add "if lo" regardless.
proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
# Local processes talking to our own public address over loopback.
if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
# if lo goto ldrop;

#incoming traffic
# badguys REJECTs listed sources and returns for everything else.
goto badguys;
# Per-protocol chains; each returns here for anything it did not
# decide, which then falls into the final ldrop below.
protocol tcp goto fw_tcp;
protocol udp goto fw_udp;
protocol icmp goto fw_icmp;

goto ldrop;
}
# Outbound traffic. Mirrors INPUT but uses lreject for the log/reject
# path. All outbound TCP is decided inside chain tosqueue, which ends
# with its own "goto lreject", so TCP never returns to this chain.
chain OUTPUT {
state INVALID goto lreject;
fragment goto lreject;

state (ESTABLISHED RELATED) ACCEPT;

proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
# Root-owned loopback traffic of any protocol. NOTE(review): no "of lo"
# here, so the match is on 127/8 addresses only; add the interface
# qualifier for consistency with the line above.
saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
of lo saddr $IPSPEC ACCEPT;
# of lo goto lreject;

# queueing goes here, maybe some special fw rules as well
proto tcp goto tosqueue; # ACCEPT must be handled here

# $UDP_OUT is 1:65535, so this accepts any outbound UDP to any
# destination. Narrowing it to the resolvers/NTP peers actually used
# would limit what a compromised local process can reach.
proto udp dport $UDP_OUT ACCEPT;
proto icmp icmp-type $ICMP_OUT ACCEPT;

goto lreject;
}
#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
# Sources listed by /etc/firewall/print_badguys are REJECTed (an error
# packet is sent back); anything else returns to INPUT. NOTE(review):
# DROP would give a known offender no response at all and costs less
# than generating rejects under load — consider it here. See the
# $BADGUYS definition for the empty-list concern.
chain badguys {
saddr $BADGUYS REJECT;
}
#####################################################################
# TCP traffic
# Inbound TCP. Reached from INPUT after INVALID/fragment/established
# handling, so the SYN rules below see genuinely new connections.
chain fw_tcp proto tcp {
# Standard allowances
# New connections to the public services, from unprivileged source
# ports only. NOTE(review): the 5/s limit is chain-wide, not per
# source, so one flooding client throttles every legitimate client as
# well. Excess SYNs are logged at most 20/min here but then go to
# ldrop, whose own LOG has no limit — so the 20/min cap does not
# actually bound the log volume during a flood.
syn dport $TCP_IN sport 1024: {
limit 5/s ACCEPT;
limit 20/m LOG log-prefix "SYN flood attack:";
goto ldrop;
}

# deny scanning via DNS port
# Source port 53: accepted only towards our port 53 (from any source);
# any other new connection from sport 53 is logged and rejected.
# Non-SYN packets fall through to the rules below.
sport domain {
dport domain ACCEPT;
syn goto ldrop;
}

# special case to allow active ftp transfers to our machine!
# NOTE(review): this accepts ANY TCP packet — including SYNs — from
# source port 20 to every unprivileged port, so a remote peer that
# simply binds source port 20 bypasses the $TCP_IN list for all
# listeners above 1023. With "option automod" presumably loading the
# FTP conntrack helper and the RELATED rule already in INPUT, genuine
# active-FTP data connections should be accepted before reaching this
# chain — TODO confirm, then remove this rule or at least exclude SYNs.
sport ftp-data dport 1024: {
ACCEPT;
}

# Site-specific inbound TCP rules, evaluated before the final rejection.
include 'users_tcp_in.conf';

# awkward incoming connections
# Any remaining new connection is logged and rejected; other leftovers
# return to INPUT and hit its final ldrop.
syn {
goto ldrop;
}
}
#####################################################################
# UDP traffic
# Inbound UDP. Anything not accepted here returns to INPUT and is
# logged and rejected there.
chain fw_udp proto udp {
# Standard allowances
# ntp and domain from ANY source using an unprivileged source port.
# If the local DNS/NTP daemons are not meant to serve the public,
# restrict saddr here to avoid acting as an open resolver/time server.
dport $UDP_IN sport 1024: {
ACCEPT;
}

# again no dns fumbling around
# Server-to-server DNS (53 -> 53) only from the resolvers listed in
# /etc/resolv.conf at load time.
sport domain dport domain saddr $NSIP {
ACCEPT;
}
}
#####################################################################
# ICMP traffic
# Inbound ICMP: the $ICMP_IN types are accepted from any source with no
# rate limit (the limited echo-request variant below is commented out).
# Other types return to INPUT and are logged and rejected there.
chain fw_icmp proto icmp {
# Standard allowances
icmp-type $ICMP_IN {
ACCEPT;
}

#icmp-type echo-request limit 1/s ACCEPT;
#icmptype ( ping pong destination-unreachable time-exceeded) {
# ACCEPT;
#}
# never seen hits on this one:
}
#####################################################################
# TOS (Type-of-service) adjustments
# Despite the name, every "settos" line is commented out, so this chain
# is now simply the outbound TCP allow list. It is entered from OUTPUT
# for all TCP and never returns: the closing "goto lreject" decides
# everything not accepted above it. Replies to inbound connections are
# normally already covered by the ESTABLISHED rule in OUTPUT; the
# "sport" variants below additionally accept packets originating from
# those local ports.
chain tosqueue {
protocol tcp {
# rapid response protocols
# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
dport $TCP_OUT_DELAY ACCEPT;
sport $TCP_OUT_DELAY ACCEPT;
# keep these from timing out
# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
dport $TCP_OUT_RELIABILITY ACCEPT;
sport $TCP_OUT_RELIABILITY ACCEPT;
# bulk stuff
# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
dport $TCP_OUT_THROUGHPUT ACCEPT;
sport $TCP_OUT_THROUGHPUT ACCEPT;
# NOTE(review): 8888 and 6699 have no recorded purpose in this file;
# document or remove them.
# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
dport (ftp-data 8888 6699) ACCEPT;
sport (ftp-data 8888 6699) ACCEPT;
}

# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;

# Site-specific outbound TCP rules (e.g. anything on 443, which none of
# the lists above include).
include 'users_tcp_out.conf';

goto lreject;
}
#####################################################################
# Supporting targets
# Log-and-reject target used by INPUT and fw_tcp. NOTE(review): in spite
# of the name this chain REJECTs (sends an error back) rather than
# DROPs, exactly like lreject; the two differ only in log prefix and in
# lreject's info-level log being TCP-only. Also, the first LOG rule has
# no rate limit and no condition, so (a) a flood of rejected packets
# can fill the log at line rate — consider a "limit" on it — and (b)
# fragments are logged twice, once as "Dropped" and once as "FRAGMENT
# Dropped".
chain ldrop {
LOG {
log-level info log-prefix "Dropped";
log-level warn fragment log-prefix "FRAGMENT Dropped";
}
REJECT;
}
# Log-and-reject target used by OUTPUT and tosqueue. Only TCP is logged
# at info level, so rejected outbound UDP/ICMP that is not a fragment
# leaves no log entry. The LOG rules carry no rate limit (see ldrop).
chain lreject {
LOG {
log-level info proto tcp log-prefix "Denied";
log-level warn fragment log-prefix "FRAGMENT Denied";
}
REJECT;
}
# Site-specific additions, loaded after all chains above are defined.
include 'users.conf';