chiark / gitweb /
~mdw / firewall / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | compact (merge: f98dfdf ecdca13)
Merge branch 'master' of metalzone:public-git/firewall
authorMark Wooding <mdw@distorted.org.uk>
Sat, 17 Apr 2010 15:37:28 +0000 (16:37 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Sat, 17 Apr 2010 15:37:28 +0000 (16:37 +0100)
* 'master' of metalzone:public-git/firewall:
  functions.m4, local.m4: Handle fragments in a useful way.
  classify.m4: Correct summary line at the top.
  vampire.m4: Remove the magical DNS DDoS hack.

1  2 
local.m4 patch | diff1 | diff2 | blob | history
vampire.m4 patch | diff1 | diff2 | blob | history

diff --combined local.m4
index 52dc94ce13d0a1fe1b234672f95cce10fc65ffe7,2b1b898198f49ca0c5fb52de51471a5fc8f20194..b321cde9f86d341fda8be5f657ef4823d52e6a32
--- 1/local.m4
--- 2/local.m4
+++ b/local.m4
@@@ -43,10 -43,9 +43,10 @@@ defiface $if_trusted 
        safe:172.29.199.64/27 \
        untrusted:default
  defiface $if_untrusted \
 -      untrusted:172.29.198.0/24
 +      untrusted:172.29.198.0/25
  defvpn $if_vpn safe 172.29.199.128/27 \
        crybaby:172.29.199.129
 +defiface $if_iodine untrusted:172.29.198.128/28
  defiface $if_its_mz safe:172.29.199.160/30
  defiface $if_its_pi safe:192.168.0.0/24
  
@@@ -56,19 -55,19 +56,19 @@@ m4_divert(60)m4_dn
  
  ## Allow ping from safe/noloop to untrusted networks.
  run iptables -A FORWARD -j ACCEPT \
-       -p icmp --icmp-type echo-request \
+       -p icmp ! -f --icmp-type echo-request \
        -m mark --mark $to_untrusted/$MASK_TO
  run iptables -A FORWARD -j ACCEPT \
-       -p icmp --icmp-type echo-reply \
+       -p icmp ! -f --icmp-type echo-reply \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
  
  ## Allow SSH from safe/noloop to untrusted networks.
  run iptables -A FORWARD -j ACCEPT \
-       -p tcp --destination-port $port_ssh \
+       -p tcp ! -f --destination-port $port_ssh \
        -m mark --mark $to_untrusted/$MASK_TO
  run iptables -A FORWARD -j ACCEPT \
-       -p tcp --source-port $port_ssh \
+       -p tcp ! -f --source-port $port_ssh \
        -m mark --mark $from_untrusted/$MASK_FROM \
        -m state --state ESTABLISHED
  
@@@ -79,6 -78,7 +79,7 @@@ m4_divert(80)m4_dn
  clearchain inbound
  
  ## Track connections.
+ commonrules inbound
  conntrack inbound
  
  ## Allow incoming bootp.  Bootp won't be forwarded, so this is obviously a
diff --combined vampire.m4
index e5ab346c1f6f1fb68ef0ad7311c9926c0955dde0,13e37bd6477ea550b2ec6054c6ac8bcdae396a8a..2f8c105c28743befd910824b679845de866f3ed4
--- 1/vampire.m4
--- 2/vampire.m4
+++ b/vampire.m4
@@@ -29,7 -29,6 +29,7 @@@ m4_divert(44)m4_dn
  if_untrusted=eth0.1
  if_trusted=eth0.0
  if_vpn=vpn-+
 +if_iodine=dns+
  if_its_mz=eth0.0
  if_its_pi=eth0.0
  
@@@ -37,34 -36,22 +37,23 @@@ m4_divert(-1
  ###--------------------------------------------------------------------------
  ### vampire-specific rules.
  
- m4_divert(35)m4_dnl
- errorchain ddos-evil-dns DROP
- ## Invalid DNS request with probably-forged sender address, with intent to
- ## cause DDOS.
  m4_divert(82)m4_dnl
- ## Repelling evil DDos attack.
- run ipset -N ddos-evil-dns iphash 2>/dev/null || :
- run iptables -A inbound -g ddos-evil-dns \
-       -m set --set ddos-evil-dns src \
-       -p udp --destination-port $port_dns
  ## Externally visible services.
  allowservices inbound tcp \
        finger ident \
 -      dns \
 +      dns iodine \
        ssh \
        smtp \
        gnutella_svc \
        ftp ftp_data \
        rsync \
 +      disorder \
        http https \
        git     
  allowservices inbound tcp \
        tor_public tor_directory
  allowservices inbound udp \
 -      dns \
 +      dns iodine \
        tripe \
        gnutella_svc
  
Firewall scripts for distorted.org.uk.