# Legacy ferm "option" lines carried over from the pre-migration config.
# NOTE(review): this is the old (pre-"def $VAR") ferm spelling; confirm the
# newer ferm this file was migrated to still accepts all three, and what each
# does there (flush-before-load, auto-create user chains, auto-load modules is
# the usual reading -- verify against the installed ferm's manual rather than
# assuming).
option clearall
option createchains
option automod

############# Define variables
# Helper paths.  None of them is used by a live rule in this file ($CAT/$GREP/
# $AWK only appear in the commented-out NTPIP line); included files may use them.
def $IFCONFIG = "/sbin/ifconfig";
def $AWK = "/usr/bin/awk";
def $GREP = "/bin/grep";
def $CAT = "/bin/cat";
def $SED = "/bin/sed";

# This host's address.  $IPS and $IPSPEC both hard-code 64.20.38.170 -- keep
# them in step if the address ever changes.
def $MASK = 29; # Our netmask is /29 = 255.255.255.248
def $IPS = 64.20.38.170;
def $IFS = eth0;
def $IPSPEC = "64.20.38.170/$MASK";

# Resolver addresses, read from /etc/resolv.conf when the ruleset is loaded
# (one list entry per "nameserver" line).
# NOTE(review): if resolv.conf has no nameserver line this expands to nothing;
# check what the fw_udp rule that matches on saddr $NSIP becomes in that case.
def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`

# Blocklist of source addresses, produced by an external script at load time.
# NOTE(review): the script's output is spliced into the ruleset verbatim, so it
# must emit only well-formed addresses/networks (and think about empty output).
def $BADGUYS = `/etc/firewall/print_badguys`;

############# Port/protocol combinations we allow in and out
# Inbound TCP services; fw_tcp only admits new connections to these from
# unprivileged source ports (sport 1024:).
def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
# Outbound TCP, grouped by the TOS class tosqueue was meant to set.  The settos
# rules are commented out there, so today the grouping is only documentary.
# NOTE(review): https is in no outbound list, so outbound 443 is rejected unless
# users_tcp_out.conf adds it -- confirm that is intended.
def $TCP_OUT_DELAY = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT = (ftp-data);
#set TCP_OUT_COST ""

# UDP: we serve NTP and DNS inbound; outbound UDP is open on every port.
def $UDP_IN = (ntp domain);
def $UDP_OUT = 1:65535;

# ICMP types accepted in each direction.
# NOTE(review): source-quench is deprecated (RFC 6633); accepting it inbound
# gains nothing.  Inbound ping is accepted with no rate limit (see fw_icmp).
def $ICMP_IN = (ping pong destination-unreachable source-quench time-exceeded parameter-problem);
def $ICMP_OUT = (ping pong fragmentation-needed source-quench parameter-problem);


# Default policies.  This host does not forward, so FORWARD is closed in both
# tables that have one; INPUT and OUTPUT in filter default to DROP and only the
# chains below open things up.  Local traffic in mangle and nat is left alone.
# NOTE(review): only iptables is programmed here (no "domain ip6"); if the host
# has IPv6 addresses, ip6tables is left at whatever it was -- verify.
table filter {
    chain (INPUT OUTPUT FORWARD) policy DROP;
}
table mangle {
    chain FORWARD policy DROP;
    chain (PREROUTING INPUT OUTPUT POSTROUTING) policy ACCEPT;
}
table nat chain (PREROUTING OUTPUT POSTROUTING) policy ACCEPT;

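######################################################################
# Built-in chains that jump to our custom ones

# INPUT: traffic addressed to this host.  Order matters: conntrack-invalid and
# fragmented packets are refused first, replies to our own connections are
# accepted next, then loopback, then the per-protocol policy chains, and
# whatever nothing claimed is logged and refused at the bottom.
chain INPUT {
    state INVALID goto ldrop;
    fragment goto ldrop;
    # goto IANA_BAN;
    # goto LOCAL_BAN;
    #goto PORTSCAN; # Do we need this? There are better, dedicated tools

    # Replies to connections we started, and helper-tracked RELATED ones,
    # are accepted before any of the policy below.
    state (ESTABLISHED RELATED) ACCEPT;

    # Loopback: only lo-to-lo and our-address-to-our-address; anything
    # else arriving on lo is refused.
    if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
    if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
    if lo goto ldrop;

    #incoming traffic
    # "jump", not "goto": badguys and the fw_* chains are meant to come back
    # here for anything they do not decide themselves, so that the final ldrop
    # below logs it.  In ferm 2.x "goto" emits iptables -g (the old ferm this
    # file was migrated from used goto for -j), and a chain entered via -g that
    # falls off its end does not return to INPUT -- the chain policy (DROP)
    # applies instead.  With "goto badguys" that made every rule after it
    # unreachable for any source not on the blocklist.
    jump badguys;
    protocol tcp jump fw_tcp;
    protocol udp jump fw_udp;
    protocol icmp jump fw_icmp;

    # Everything else: log and refuse.
    goto ldrop;
}
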
# OUTPUT: locally generated traffic.  Same shape as INPUT -- refuse invalid and
# fragmented packets, accept anything belonging to a tracked connection, then
# apply the per-protocol egress policy.  Unlike INPUT, outbound lo traffic from
# our own address is accepted whatever its destination.
chain OUTPUT {
    state INVALID goto lreject;
    fragment goto lreject;
    state (ESTABLISHED RELATED) ACCEPT;

    of lo {
        saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
        saddr $IPSPEC ACCEPT;
        goto lreject;
    }

    # All outbound TCP is decided in tosqueue (queueing / special rules go
    # there); that chain ends in lreject, so nothing comes back here.
    protocol tcp goto tosqueue;

    # UDP egress is open on every port; ICMP egress is limited to $ICMP_OUT.
    protocol udp dport $UDP_OUT ACCEPT;
    protocol icmp icmp-type $ICMP_OUT ACCEPT;

    goto lreject;
}

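#####################################################################
# Deal with known offenders right away
# Make difference between notorious ones and unusual ones
chain badguys {
    # Refuse anything from a blocklisted source.  Hits are now logged
    # (rate-limited, so a listed host cannot fill syslog) -- before this the
    # blocklist worked silently and there was no way to see it firing.
    # NOTE(review): REJECT sends the offender an ICMP error, confirming the
    # host is up; DROP is the usual choice for a blocklist.  Left as REJECT
    # pending that decision.
    saddr $BADGUYS {
        limit 10/m LOG log-level info log-prefix "badguy:";
        REJECT;
    }
}
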
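#####################################################################
# TCP traffic
# Entered from INPUT for TCP that is neither ESTABLISHED nor RELATED, i.e.
# connection attempts and stray segments.  Anything not decided here falls off
# the end of the chain.
chain fw_tcp proto tcp {
    # Standard allowances: new connections to the public services, from
    # unprivileged source ports only, at most 5 SYN/s; beyond that, log
    # (rate-limited) and refuse.
    syn dport $TCP_IN sport 1024: {
        limit 5/s ACCEPT;
        limit 20/m LOG log-prefix "SYN flood attack:";
        goto ldrop;
    }

    # deny scanning via DNS port: source port 53 may only talk to our port 53;
    # a SYN from sport 53 to anything else is refused right here.
    sport domain {
        dport domain ACCEPT;
        syn goto ldrop;
    }

    # special case to allow active ftp transfers to our machine!
    # NOTE(review): this accepts any new connection from source port 20 to any
    # port >= 1024, SYNs included, so a remote host that binds port 20 bypasses
    # $TCP_IN and reaches every unprivileged listener on the box -- with
    # per-user rules, that may be a lot.  If the ftp conntrack helper is
    # loaded, active-mode data connections are RELATED and already accepted by
    # INPUT, making this rule redundant; until that is confirmed, SYNs that
    # take this path are at least logged.
    sport ftp-data dport 1024: {
        syn limit 5/m LOG log-prefix "ftp-data sport-20 NEW:";
        ACCEPT;
    }

    include 'users_tcp_in.conf';

    # awkward incoming connections: any remaining SYN is refused.  Non-SYN
    # segments that get this far fall off the end of the chain unlogged.
    syn {
        goto ldrop;
    }
}
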
#####################################################################
# UDP traffic
# Entered from INPUT for UDP that is not part of a tracked exchange.
chain fw_udp proto udp {
    # Services we offer (NTP, DNS), from unprivileged source ports only.
    dport $UDP_IN sport 1024: ACCEPT;

    # DNS server-to-server traffic (port 53 at both ends) only from the
    # resolvers listed in /etc/resolv.conf; any other port-53 fumbling falls
    # off the end of the chain.
    saddr $NSIP sport domain dport domain ACCEPT;
}


#####################################################################
# ICMP traffic
# Entered from INPUT for ICMP that is not part of a tracked exchange.
chain fw_icmp proto icmp {
    # Accept the listed types; everything else falls off the end of the chain.
    # NOTE(review): echo-request is accepted without a rate limit (the
    # commented "limit 1/s" form below is the throttled alternative).
    icmp-type $ICMP_IN ACCEPT;

    #icmp-type echo-request limit 1/s ACCEPT;
    #icmptype ( ping pong destination-unreachable time-exceeded) {
    # ACCEPT;
    #}
    # never seen hits on this one:
}


#####################################################################
# TOS (Type-of-service) adjustments
# Egress policy for TCP: OUTPUT hands all outbound TCP to this chain and it
# decides (it ends in lreject, so nothing returns to OUTPUT).  The TOS marking
# the name refers to is currently disabled -- the settos variants are kept as
# comments -- so today this is a plain port allow-list.
chain tosqueue {
    # rapid response protocols
    # protocol tcp dport $TCP_OUT_DELAY settos min-delay ACCEPT;
    protocol tcp dport $TCP_OUT_DELAY ACCEPT;
    protocol tcp sport $TCP_OUT_DELAY ACCEPT;

    # keep these from timing out
    # protocol tcp dport $TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
    protocol tcp dport $TCP_OUT_RELIABILITY ACCEPT;
    protocol tcp sport $TCP_OUT_RELIABILITY ACCEPT;

    # bulk stuff
    # protocol tcp dport $TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
    protocol tcp dport $TCP_OUT_THROUGHPUT ACCEPT;
    protocol tcp sport $TCP_OUT_THROUGHPUT ACCEPT;

    # NOTE(review): 8888 and 6699 are not named anywhere in this file; say what
    # they are for, or fold them into one of the $TCP_OUT_* lists.
    # protocol tcp dport (ftp-data 8888 6699) settos max-throughput ACCEPT;
    protocol tcp dport (ftp-data 8888 6699) ACCEPT;
    protocol tcp sport (ftp-data 8888 6699) ACCEPT;

    # protocol tcp dport $TCP_OUT_COST settos min-cost ACCEPT;

    # Per-user outbound TCP rules.
    include 'users_tcp_out.conf';

    goto lreject;
}

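#####################################################################
# Supporting targets

# ldrop: log and refuse, used by INPUT and fw_tcp.  Despite the name it
# REJECTs (ICMP error back to the sender) rather than DROPs; callers rely on
# it being terminal.
# NOTE(review): for unsolicited inbound traffic DROP is the quieter choice;
# if REJECT is intended the name is misleading either way.
chain ldrop {
    # The LOG rules are rate-limited: this chain sees every refused packet,
    # and an unthrottled LOG lets any flood or scan fill syslog.  20/min with
    # the default burst matches the SYN-flood log rule in fw_tcp.  Fragments
    # still hit both rules and are logged twice, as before.
    limit 20/m LOG {
        log-level info log-prefix "Dropped";
        log-level warn fragment log-prefix "FRAGMENT Dropped";
    }
    REJECT;
}
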
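# lreject: log and refuse, used by OUTPUT and tosqueue.  Only TCP (and any
# fragment) produces a log line; refused UDP/ICMP passes through silently --
# widen the first LOG rule if that visibility is wanted.
chain lreject {
    # Rate-limited for the same reason as ldrop: a misbehaving local process
    # hammering a closed egress port would otherwise flood syslog.
    limit 20/m LOG {
        log-level info proto tcp log-prefix "Denied";
        log-level warn fragment log-prefix "FRAGMENT Denied";
    }
    REJECT;
}
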
# Per-user rules hook.  Whatever users.conf contains is evaluated at top level,
# i.e. with the full power of this file (it can add chains, change policies,
# and so on), as can the users_tcp_in.conf / users_tcp_out.conf includes above.
# NOTE(review): these files must be produced by trusted tooling that validates
# what a user asked for, not written directly by the users they are named
# after, or the per-user feature becomes a way to rewrite the whole firewall.
include 'users.conf';