[hcoop/zz_old/fwtool.git] / closed.conf


option clearall
option createchains
option automod

############# Define variables
def $IFCONFIG = "/sbin/ifconfig";
def $AWK      = "/usr/bin/awk";
def $GREP     = "/bin/grep";
def $CAT      = "/bin/cat";
def $SED      = "/bin/sed";

def $MASK     = 29;  # Our netmask is /29 = 255.255.255.248
def $IPS      = 64.20.38.170;
def $IFS      = eth0;
def $IPSPEC   = "64.20.38.170/$MASK";
def $WE       = (127.0.0.1/8 $IPSPEC);

def $NSIP     = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP	   `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`

def $BADGUYS  = `/etc/firewall/print_badguys`;

############# Port/protocol combinations we allow in and out
def $TCP_IN              = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
# 10000 is webmin; 20000 is usermin
def $TCP_OUT_DELAY       = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT  = (ftp-data);
#set TCP_OUT_COST	   ""

def $UDP_IN              = (ntp domain);
def $UDP_OUT             = 1:65535;

def $ICMP_IN             = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
def $ICMP_OUT            = (ping pong fragmentation-needed source-quench parameter-problem);


# Make us insensitive to the environment
table mangle chain FORWARD policy DROP;
table filter chain FORWARD policy DROP;
table filter chain (INPUT OUTPUT) policy DROP;

# Allow traffic in areas outside of our scope
table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
table nat    chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;

######################################################################
# Built-in chains that jump to our custom ones

chain INPUT {
	state INVALID goto ldrop;
	fragment goto ldrop;
#	goto IANA_BAN;
#	goto LOCAL_BAN;
	#goto PORTSCAN; # Do we need this? There are better, dedicated tools

	state (ESTABLISHED RELATED) ACCEPT;

	proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
	proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
	proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
	if lo saddr $IPSPEC     daddr $IPSPEC     ACCEPT;
#	if lo goto ldrop;

	#incoming traffic
	goto badguys;
	protocol tcp goto fw_tcp;
	protocol udp goto fw_udp;
	protocol icmp goto fw_icmp;

	goto ldrop;
}

chain OUTPUT {
	state INVALID goto lreject;
	fragment goto lreject;

	state (ESTABLISHED RELATED) ACCEPT;

	proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
	saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
	of lo saddr $IPSPEC                       ACCEPT;
#	of lo goto lreject;

	# queueing goes here, maybe some special fw rules as well
	proto tcp goto tosqueue; # ACCEPT must be handled here

	proto udp dport $UDP_OUT ACCEPT;
	proto icmp icmp-type $ICMP_OUT ACCEPT;

	goto lreject;
}

#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
	saddr $BADGUYS REJECT;
}

#####################################################################
# TCP traffic
chain fw_tcp proto tcp {
	# Standard allowances
	syn dport $TCP_IN sport 1024: {
		limit 5/s ACCEPT;
		limit 20/m LOG log-prefix "SYN flood attack:";
		goto ldrop;
	}

	# deny scanning via DNS port
	sport domain {
		dport domain ACCEPT;
		syn goto ldrop;
	}

	# special case to allow active ftp transfers to our machine!
	sport ftp-data dport 1024: {
		ACCEPT;
	}

	include 'users_tcp_in.conf';

	# awkward incoming connections
	syn {
		goto ldrop;
	}
}

#####################################################################
# UDP traffic
chain fw_udp proto udp {
	# Standard allowances
	dport $UDP_IN sport 1024: {
		ACCEPT;
	}

	# again no dns fumbling around
	sport domain dport domain saddr $NSIP {
		ACCEPT;
	}
}


#####################################################################
# ICMP traffic
chain fw_icmp proto icmp {
	# Standard allowances
	icmp-type $ICMP_IN {
		ACCEPT;
	}

	#icmp-type echo-request limit 1/s ACCEPT;
	#icmptype ( ping pong destination-unreachable time-exceeded) {
	#	ACCEPT;
	#}
	# never seen hits on this one:
}


#####################################################################
# TOS (Type-of-service) adjustments
chain tosqueue {
	protocol tcp {
		# rapid response protocols
#		dport $TCP_OUT_DELAY settos min-delay ACCEPT;
		dport $TCP_OUT_DELAY ACCEPT;
		sport $TCP_OUT_DELAY ACCEPT;
		# keep these from timing out
#		dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
		dport $TCP_OUT_RELIABILITY ACCEPT;
		sport $TCP_OUT_RELIABILITY ACCEPT;
		# bulk stuff
#		dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
		dport $TCP_OUT_THROUGHPUT ACCEPT;
		sport $TCP_OUT_THROUGHPUT ACCEPT;
#    dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
    dport (ftp-data 8888 6699) ACCEPT;
    sport (ftp-data 8888 6699) ACCEPT;
	}

#	proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;

	include 'users_tcp_out.conf';

	goto lreject;
}

#####################################################################
# Supporting targets
chain ldrop {
	LOG {
		log-level info log-prefix "Dropped";
		log-level warn fragment log-prefix "FRAGMENT Dropped";
	}
	REJECT;
}

chain lreject {
	LOG {
		log-level info proto tcp log-prefix "Denied";
		log-level warn fragment log-prefix "FRAGMENT Denied";
	}
	REJECT;
}

include 'users.conf';
Commit	Line	Data
17bb0bf0	1
17bb0bf0 DO	2	option clearall
	3	option createchains
	4	option automod
	5
	6	############# Define variables
9b2115e2 AC	7	def $IFCONFIG = "/sbin/ifconfig";
	8	def $AWK = "/usr/bin/awk";
	9	def $GREP = "/bin/grep";
	10	def $CAT = "/bin/cat";
	11	def $SED = "/bin/sed";
17bb0bf0	12
9b2115e2 AC	13	def $MASK = 29; # Our netmask is /29 = 255.255.255.248
	14	def $IPS = 64.20.38.170;
	15	def $IFS = eth0;
	16	def $IPSPEC = "64.20.38.170/$MASK";
d901c26a	17	def $WE = (127.0.0.1/8 $IPSPEC);
17bb0bf0	18
9b2115e2 AC	19	def $NSIP = `/bin/cat /etc/resolv.conf \| /bin/grep nameserver \| /usr/bin/awk '{print $2}'`;
	20	#set NTPIP `$CAT /etc/ntp.conf \| $GREP server \| $AWK '{print $2}'`
	21
	22	def $BADGUYS = `/etc/firewall/print_badguys`;
17bb0bf0 DO	23
17bb0bf0 DO	24	############# Port/protocol combinations we allow in and out
d901c26a AC	25	def $TCP_IN = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
d901c26a AC	26	# 10000 is webmin; 20000 is usermin
9b2115e2 AC	27	def $TCP_OUT_DELAY = (ssh ftp auth);
	28	def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
	29	def $TCP_OUT_THROUGHPUT = (ftp-data);
9132939d	30	#set TCP_OUT_COST ""
7a910192	31
9b2115e2 AC	32	def $UDP_IN = (ntp domain);
9b2115e2 AC	33	def $UDP_OUT = 1:65535;
7a910192	34
9b2115e2 AC	35	def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
9b2115e2 AC	36	def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);
17bb0bf0 DO	37
	38
	39	# Make us insensitive to the environment
9b2115e2 AC	40	table mangle chain FORWARD policy DROP;
	41	table filter chain FORWARD policy DROP;
	42	table filter chain (INPUT OUTPUT) policy DROP;
9132939d DO	43
9132939d DO	44	# Allow traffic in areas outside of our scope
9b2115e2 AC	45	table mangle chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
9b2115e2 AC	46	table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;
17bb0bf0	47
17bb0bf0 DO	48	######################################################################
	49	# Built-in chains that jump to our custom ones
	50
	51	chain INPUT {
9b2115e2 AC	52	state INVALID goto ldrop;
9b2115e2 AC	53	fragment goto ldrop;
17bb0bf0 DO	54	# goto IANA_BAN;
17bb0bf0 DO	55	# goto LOCAL_BAN;
9132939d	56	#goto PORTSCAN; # Do we need this? There are better, dedicated tools
17bb0bf0	57
9b2115e2	58	state (ESTABLISHED RELATED) ACCEPT;
17bb0bf0	59
d901c26a AC	60	proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
	61	proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
	62	proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
9b2115e2	63	if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
d901c26a	64	# if lo goto ldrop;
9132939d DO	65
	66	#incoming traffic
	67	goto badguys;
	68	protocol tcp goto fw_tcp;
	69	protocol udp goto fw_udp;
	70	protocol icmp goto fw_icmp;
	71
9b2115e2	72	goto ldrop;
17bb0bf0 DO	73	}
	74
	75	chain OUTPUT {
9b2115e2 AC	76	state INVALID goto lreject;
9b2115e2 AC	77	fragment goto lreject;
17bb0bf0	78
9b2115e2	79	state (ESTABLISHED RELATED) ACCEPT;
17bb0bf0	80
d901c26a AC	81	proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
d901c26a AC	82	saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
9b2115e2	83	of lo saddr $IPSPEC ACCEPT;
d901c26a	84	# of lo goto lreject;
17bb0bf0	85
17bb0bf0 DO	86	# queueing goes here, maybe some special fw rules as well
	87	proto tcp goto tosqueue; # ACCEPT must be handled here
	88
9b2115e2 AC	89	proto udp dport $UDP_OUT ACCEPT;
9b2115e2 AC	90	proto icmp icmp-type $ICMP_OUT ACCEPT;
9132939d	91
9b2115e2	92	goto lreject;
17bb0bf0 DO	93	}
	94
	95	#####################################################################
	96	# Deal with known offenders right away
	97	# Make difference between notorious ones and unusual ones
	98	chain badguys {
9b2115e2	99	saddr $BADGUYS REJECT;
17bb0bf0 DO	100	}
	101
	102	#####################################################################
	103	# TCP traffic
	104	chain fw_tcp proto tcp {
17bb0bf0	105	# Standard allowances
9b2115e2	106	syn dport $TCP_IN sport 1024: {
9132939d	107	limit 5/s ACCEPT;
9b2115e2 AC	108	limit 20/m LOG log-prefix "SYN flood attack:";
9b2115e2 AC	109	goto ldrop;
17bb0bf0 DO	110	}
17bb0bf0 DO	111
17bb0bf0 DO	112	# deny scanning via DNS port
	113	sport domain {
	114	dport domain ACCEPT;
9b2115e2	115	syn goto ldrop;
17bb0bf0 DO	116	}
	117
	118	# special case to allow active ftp transfers to our machine!
	119	sport ftp-data dport 1024: {
	120	ACCEPT;
	121	}
	122
9b2115e2 AC	123	include 'users_tcp_in.conf';
9b2115e2 AC	124
17bb0bf0 DO	125	# awkward incoming connections
17bb0bf0 DO	126	syn {
9b2115e2	127	goto ldrop;
17bb0bf0	128	}
9132939d	129	}
17bb0bf0 DO	130
	131	#####################################################################
	132	# UDP traffic
	133	chain fw_udp proto udp {
17bb0bf0	134	# Standard allowances
9b2115e2	135	dport $UDP_IN sport 1024: {
17bb0bf0 DO	136	ACCEPT;
	137	}
	138
	139	# again no dns fumbling around
9b2115e2	140	sport domain dport domain saddr $NSIP {
7a910192 DO	141	ACCEPT;
7a910192 DO	142	}
17bb0bf0 DO	143	}
	144
	145
	146	#####################################################################
	147	# ICMP traffic
	148	chain fw_icmp proto icmp {
17bb0bf0	149	# Standard allowances
9b2115e2	150	icmp-type $ICMP_IN {
17bb0bf0 DO	151	ACCEPT;
	152	}
	153
	154	#icmp-type echo-request limit 1/s ACCEPT;
	155	#icmptype ( ping pong destination-unreachable time-exceeded) {
	156	# ACCEPT;
	157	#}
	158	# never seen hits on this one:
17bb0bf0 DO	159	}
	160
	161
	162	#####################################################################
	163	# TOS (Type-of-service) adjustments
	164	chain tosqueue {
9132939d	165	protocol tcp {
17bb0bf0	166	# rapid response protocols
9b2115e2 AC	167	# dport $TCP_OUT_DELAY settos min-delay ACCEPT;
	168	dport $TCP_OUT_DELAY ACCEPT;
	169	sport $TCP_OUT_DELAY ACCEPT;
17bb0bf0	170	# keep these from timing out
9b2115e2 AC	171	# dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
	172	dport $TCP_OUT_RELIABILITY ACCEPT;
	173	sport $TCP_OUT_RELIABILITY ACCEPT;
17bb0bf0	174	# bulk stuff
9b2115e2 AC	175	# dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
	176	dport $TCP_OUT_THROUGHPUT ACCEPT;
	177	sport $TCP_OUT_THROUGHPUT ACCEPT;
	178	# dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
	179	dport (ftp-data 8888 6699) ACCEPT;
	180	sport (ftp-data 8888 6699) ACCEPT;
17bb0bf0 DO	181	}
17bb0bf0 DO	182
9b2115e2 AC	183	# proto tcp dport $TCP_OUT_COST settos min-cost ACCEPT;
	184
	185	include 'users_tcp_out.conf';
	186
	187	goto lreject;
17bb0bf0 DO	188	}
	189
	190	#####################################################################
	191	# Supporting targets
9b2115e2	192	chain ldrop {
17bb0bf0	193	LOG {
9b2115e2	194	log-level info log-prefix "Dropped";
17bb0bf0 DO	195	log-level warn fragment log-prefix "FRAGMENT Dropped";
17bb0bf0 DO	196	}
9b2115e2	197	REJECT;
17bb0bf0 DO	198	}
17bb0bf0 DO	199
9b2115e2	200	chain lreject {
17bb0bf0	201	LOG {
9b2115e2	202	log-level info proto tcp log-prefix "Denied";
17bb0bf0 DO	203	log-level warn fragment log-prefix "FRAGMENT Denied";
17bb0bf0 DO	204	}
9b2115e2	205	REJECT;
17bb0bf0 DO	206	}
17bb0bf0 DO	207
9b2115e2	208	include 'users.conf';