etc/firewall.conf

author: Michiel Broek <mbroek@mbse.eu>
date: Thu, 18 Dec 2014 16:56:55 +0100
changeset 4: 92045b0e8e17
parent 0: d4d23e51be4f
child 7: c846ebedfff3
permissions: -rw-r--r--

ipset now adds the hostname to the blocklists so that the firewall scripts work on hosts and Linux Container clients without conflicts. The ipset tables are visible on the host and in the lxc clients. Then, silently drop icmpv6 router solicitation and neighbour solicitation messages that come in with the hoplimit field not set to 255. Some Windows systems do this. Version 0.0.16

# /etc/mbse-firewall/firewall.conf

# ---------------------------------------------------------------------------
# Copyright (C) 2013-2014 by Michiel Broek.
# Homepage http://www.mbse.eu
# Email mbse At mbse dOt eu
#
# This file is part of mbse-firewall.
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2, or (at your option) any
# later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING. If not, write to the Free
# Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
# ---------------------------------------------------------------------------


# ---------------------------------------------------------------------------
#
# Interface settings
#
# ---------------------------------------------------------------------------

# External interface that will be protected as the internet connection.
# If this is a server on a DMZ network, use this too.
#
IF_EXT="eth0"

# External IPv6 tunnel interface that will be protected as the internet
# connection. Enable this if you use a tunnel broker for IPv6.
#IF_EXT6="six0"

# If the external gateway is a border gateway (your internet connection), then
# set the next option. Certain protocols are disabled in this case, and some
# are just enabled.
#IF_EXT_IS_BORDER_GW="1"

# Enable automatic blacklisting of hosts that do any kind of portscanning.
# This is tested by any rules not matched on the external interface(s) INPUT
# or FORWARD chain and is a repeated undefined port from the same IP.
# These hosts are blocked using ipset for one hour.
#IF_EXT_AUTO_BLOCK="1"

# Block time in seconds when a host is blocked. Default is 3600.
#IF_EXT_AUTO_TO=172800

# Average detect limit, default 5/hour
#IF_EXT_AUTO_LIMIT="2/hour"

# Burst detect limit, default 10
#IF_EXT_AUTO_BURST="2"

# Trunk networks. All other interfaces are set here. They should start
# with 0 and there should be no gaps.
#
#IF_TRUNK[0]="eth1"
#IF_TRUNK[1]="tap0"
#IF_TRUNK[2]=""
#IF_TRUNK[3]=""
#IF_TRUNK[4]=""
#IF_TRUNK[5]=""
#IF_TRUNK[6]=""
#IF_TRUNK[7]=""
#IF_TRUNK[8]=""
#IF_TRUNK[9]=""


# ---------------------------------------------------------------------------
#
# Global settings
#
# ---------------------------------------------------------------------------

# On hosts leave this undefined or 0. On routers uncomment and set to 1.
FW_FORWARD="0"

# Add rules to allow traceroute
FW_TRACEROUTE="1"

# If you have a bridged interface like br0 with physical interfaces eth0 and
# tap0 for example, you need to add iptables rules to forward traffic between
# these interfaces. You can turn this off by setting the next variable.
# If this variable is set, then all bridged interfaces are seen as one physical
# interface. See http://ebtables.sourceforge.net/documentation/bridge-nf.html
# for more details.
#FW_NO_BRIDGE_NF_CALL="1"

# Always allow ssh from this IP (an admin backdoor). The examples show an exact
# IP address, but you can use networks if you like. Exact is better of course.
# for IPv4 use: 2.3.4.5/32
#IPV4_BACKDOOR_SSH="10.1.1.231/32"
# for IPv6 use: 2001:dead:beef::1/128
#IPV6_BACKDOOR_SSH="2001:1af8:dead:beef::e7/128"

# Clamp the TCP MSS to the path MTU (mangle table); should be 1 on routers
#CLAMP_MSS_TO_PMTU="1"
