From: Mark Wooding Date: Sat, 17 Apr 2010 15:37:28 +0000 (+0100) Subject: Merge branch 'master' of metalzone:public-git/firewall X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/firewall/commitdiff_plain/4d0888c3de7cc02ae6cc6556358eff7b86bf46d3?ds=sidebyside;hp=-c Merge branch 'master' of metalzone:public-git/firewall * 'master' of metalzone:public-git/firewall: functions.m4, local.m4: Handle fragments in a useful way. classify.m4: Correct summary line at the top. vampire.m4: Remove the magical DNS DDoS hack. --- 4d0888c3de7cc02ae6cc6556358eff7b86bf46d3 diff --combined local.m4 index 52dc94c,2b1b898..b321cde --- a/local.m4 +++ b/local.m4 @@@ -43,10 -43,9 +43,10 @@@ defiface $if_trusted safe:172.29.199.64/27 \ untrusted:default defiface $if_untrusted \ - untrusted:172.29.198.0/24 + untrusted:172.29.198.0/25 defvpn $if_vpn safe 172.29.199.128/27 \ crybaby:172.29.199.129 +defiface $if_iodine untrusted:172.29.198.128/28 defiface $if_its_mz safe:172.29.199.160/30 defiface $if_its_pi safe:192.168.0.0/24 @@@ -56,19 -55,19 +56,19 @@@ m4_divert(60)m4_dn ## Allow ping from safe/noloop to untrusted networks. run iptables -A FORWARD -j ACCEPT \ - -p icmp --icmp-type echo-request \ + -p icmp ! -f --icmp-type echo-request \ -m mark --mark $to_untrusted/$MASK_TO run iptables -A FORWARD -j ACCEPT \ - -p icmp --icmp-type echo-reply \ + -p icmp ! -f --icmp-type echo-reply \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED ## Allow SSH from safe/noloop to untrusted networks. run iptables -A FORWARD -j ACCEPT \ - -p tcp --destination-port $port_ssh \ + -p tcp ! -f --destination-port $port_ssh \ -m mark --mark $to_untrusted/$MASK_TO run iptables -A FORWARD -j ACCEPT \ - -p tcp --source-port $port_ssh \ + -p tcp ! -f --source-port $port_ssh \ -m mark --mark $from_untrusted/$MASK_FROM \ -m state --state ESTABLISHED @@@ -79,6 -78,7 +79,7 @@@ m4_divert(80)m4_dn clearchain inbound ## Track connections. 
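Review bot: Narrowing `$if_untrusted` to 172.29.198.0/25 while giving `$if_iodine` only 172.29.198.128/28 leaves 172.29.198.144–172.29.198.255 assigned to no interface definition at all. If defiface's address lists drive source-address classification (its definition is not in this diff), packets from that leftover range arriving on eth0.1 fall through to whatever the unassigned-address behaviour is, which may not be "untrusted". If reserving the range is deliberate, say so beside the definitions, e.g. `## 172.29.198.144-255 deliberately unassigned; reserved for further tunnels.`; otherwise either widen the iodine range or keep the /24 on `$if_untrusted` if defiface tolerates overlapping ranges.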
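Review bot: The new `! -f` qualifier restricts these ACCEPT rules to unfragmented packets and first fragments, so non-first fragments of a permitted ping or SSH flow must be accepted elsewhere (the merge message points at functions.m4, which is outside this hunk); the rules should say so, e.g. `## Non-first fragments carry no ICMP/TCP header, so "! -f" keeps --icmp-type/--dport matches honest; trailing fragments are handled by the generic fragment rules.` Note also that with nf_conntrack loaded (these rules use `-m state`) the kernel reassembles IPv4 fragments in PREROUTING before FORWARD sees them, so `-f` will rarely match here at all; the qualifier is harmless, but a reader should not take it as the thing that protects these rules.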
+ commonrules inbound conntrack inbound ## Allow incoming bootp. Bootp won't be forwarded, so this is obviously a diff --combined vampire.m4 index e5ab346,13e37bd..2f8c105 --- a/vampire.m4 +++ b/vampire.m4 @@@ -29,7 -29,6 +29,7 @@@ m4_divert(44)m4_dn if_untrusted=eth0.1 if_trusted=eth0.0 if_vpn=vpn-+ +if_iodine=dns+ if_its_mz=eth0.0 if_its_pi=eth0.0 @@@ -37,34 -36,22 +37,23 @@@ m4_divert(-1 ###-------------------------------------------------------------------------- ### vampire-specific rules. - m4_divert(35)m4_dnl - errorchain ddos-evil-dns DROP - ## Invalid DNS request with probably-forged sender address, with intent to - ## cause DDOS. - m4_divert(82)m4_dnl - ## Repelling evil DDos attack. - run ipset -N ddos-evil-dns iphash 2>/dev/null || : - run iptables -A inbound -g ddos-evil-dns \ - -m set --set ddos-evil-dns src \ - -p udp --destination-port $port_dns - ## Externally visible services. allowservices inbound tcp \ finger ident \ - dns \ + dns iodine \ ssh \ smtp \ gnutella_svc \ ftp ftp_data \ rsync \ + disorder \ http https \ git allowservices inbound tcp \ tor_public tor_directory allowservices inbound udp \ - dns \ + dns iodine \ tripe \ gnutella_svc
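Review bot: The added `commonrules inbound` now sits between the comment `## Track connections.` and the `conntrack inbound` line that comment describes, so the comment reads as if it documents `commonrules`. Give the new call its own comment and keep the existing one with conntrack: `## Shared sanity rules.`, `commonrules inbound`, then `## Track connections.` / `conntrack inbound` as before. What `commonrules` does is defined outside this hunk, so whether it must run ahead of the tracking rules cannot be confirmed here; if the order matters, the new comment should say so.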
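Review bot: `if_iodine=dns+` is an iptables prefix wildcard, so every device whose name starts with `dns` is classed as the iodine interface, not only the `dns0`-style tun device iodine presumably creates. Since local.m4 labels that interface untrusted this fails safe, but the wildcard is easy to misread as a literal name; a comment would help, e.g. `## iodine names its tun device dnsN; '+' is iptables' prefix wildcard.`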
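Review bot: `iodine` is added to both the tcp and udp `allowservices` lists, but an iodine server speaks only UDP, so the tcp entry opens a port nothing should be listening on unless `iodine` maps to some other port in the service table, which is outside this diff; if it is not needed, drop it from the tcp list. Separately, the removed `ddos-evil-dns` ipset blocklist has no replacement here, so the public `dns` service now relies entirely on the nameserver's own configuration (no recursion for outside clients, response-rate limiting) to avoid being used for reflection; a comment above the udp list recording that, e.g. `## DNS amplification defence lives in the nameserver config, not here.`, would stop the next reader from assuming the firewall still covers it. The `allowservices` list appears to end at `gnutella_svc`; if it continues past the end of this page I cannot see it.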