2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2012 IPFire Network Development Team #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
22 # High-level function which will create a ruleset for the current firewall
23 # configuration and load it into the kernel.
24 function firewall_start
() {
28 while [ $# -gt 0 ]; do
38 log INFO
"Test mode enabled."
39 log INFO
"The firewall ruleset will not be loaded."
44 # Initialize an empty iptables ruleset.
48 firewall_tcp_state_flags
49 firewall_connection_tracking
50 firewall_tcp_clamp_mss
52 # Add policies for every zone.
56 for zone
in $
(zones_get_all
); do
57 policy_add_zone
${zone}
60 # Load the new ruleset.
66 function firewall_stop
() {
69 # Initialize an empty firewall ruleset
70 # with default policy ACCEPT.
79 function firewall_show
() {
80 # Shows the ruleset that is currently loaded.
86 function firewall_panic
() {
87 local admin_hosts
="$@"
91 # Drop all communications.
94 # If an admin host is provided, some administrative
95 # things will be allowed from there.
97 for admin_host
in ${admin_hosts}; do
98 iptables
-A INPUT
-s ${admin_host} -j ACCEPT
99 iptables
-A OUTPUT
-d ${admin_host} -j ACCEPT
105 firewall_lock_release
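# Acquire the global firewall lock, arm the cleanup trap and create the
# private temporary directory that is used while a ruleset is built.
#
# Globals:   RUN_DIR (read), IPTABLES_TMPDIR (written)
# Returns:   0 on success; ${EXIT_ERROR} if no temporary directory could
#            be created (the lock is released again before returning).
function firewall_lock_acquire() {
	lock_acquire "${RUN_DIR}/.firewall_lock"

	# Make sure the lock is released after the firewall
	# script has crashed or exited early. KILL cannot be caught
	# by any process, so that entry is a no-op and only EXIT and
	# TERM actually trigger the release.
	trap firewall_lock_release EXIT TERM KILL

	# Create a directory where we can put our temporary data in the
	# most secure way as possible: mktemp chooses an unpredictable
	# name and creates it with mode 0700, so nobody can pre-create
	# or symlink it. Do not carry on with an empty IPTABLES_TMPDIR
	# if that fails - every later path built from it would be wrong.
	if ! IPTABLES_TMPDIR=$(mktemp -d); then
		log ERROR "Could not create a temporary directory for the firewall ruleset"
		IPTABLES_TMPDIR=
		firewall_lock_release
		return ${EXIT_ERROR}
	fi
}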
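# Release the global firewall lock and remove all temporary data that
# firewall_lock_acquire created. Calling it a second time is harmless.
#
# Globals:   RUN_DIR (read), IPTABLES_TMPDIR (read, then cleared)
function firewall_lock_release() {
	if isset IPTABLES_TMPDIR; then
		# Remove all temporary data. The ":?" guard is defence in
		# depth: rm -rf must never run against an empty path, even
		# if the isset check above were ever bypassed.
		rm -rf -- "${IPTABLES_TMPDIR:?}"

		# Reset the tempdir variable so a repeated release is a no-op.
		IPTABLES_TMPDIR=
	fi

	# Disarm the trap that firewall_lock_acquire installed.
	trap true EXIT TERM KILL

	lock_release "${RUN_DIR}/.firewall_lock"
}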
# Build the BADTCP chain, which logs and drops TCP segments whose flag
# combination no legitimate connection produces, and hook it into the
# INPUT, OUTPUT and FORWARD chains.
#
# Outputs:   log messages via log(); rules via iptables()
function firewall_tcp_state_flags() {
	log INFO "Creating TCP State Flags chain..."

	# Logging target: record the offending segment, then drop it.
	# The substitution is left unquoted on purpose - iptables_LOG
	# presumably returns the target together with its options.
	iptables_chain_create BADTCP_LOG
	iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
	iptables -A BADTCP_LOG -j DROP

	# Each entry is "mask/comparison" for --tcp-flags: a segment
	# matches when, of the flags in mask, exactly those listed in
	# comparison are set.
	local -a illegal_flags=(
		ALL/NONE          # no flags set at all
		SYN,FIN/SYN,FIN   # SYN together with FIN
		SYN,RST/SYN,RST   # SYN together with RST
		FIN,RST/FIN,RST   # FIN together with RST
		ACK,FIN/FIN       # FIN without ACK
		ACK,PSH/PSH       # PSH without ACK
		ACK,URG/URG       # URG without ACK
	)

	iptables_chain_create BADTCP
	local spec
	for spec in "${illegal_flags[@]}"; do
		iptables -A BADTCP -p tcp \
			--tcp-flags "${spec%/*}" "${spec#*/}" -j BADTCP_LOG
	done

	# Inspect every TCP segment on all three paths.
	local chain
	for chain in INPUT OUTPUT FORWARD; do
		iptables -A ${chain} -p tcp -j BADTCP
	done
}
# Clamp the MSS of forwarded TCP SYN segments to the path MTU, unless
# the FIREWALL_CLAMP_PATH_MTU setting is disabled.
#
# Returns:   ${EXIT_OK} when the feature is disabled; otherwise the
#            exit status of the iptables call.
function firewall_tcp_clamp_mss() {
	# Do nothing if this has been disabled.
	if ! enabled FIREWALL_CLAMP_PATH_MTU; then
		return ${EXIT_OK}
	fi

	log DEBUG "Adding rules to clamp MSS to path MTU..."

	# Only SYNs (SYN set, RST clear) carry the MSS option, hence
	# the flag match; the rule lives in the mangle table.
	local -a rule=(
		-t mangle -A FORWARD
		-p tcp --tcp-flags SYN,RST SYN
		-j TCPMSS --clamp-mss-to-pmtu
	)
	iptables "${rule[@]}"
}
# Build the CONNTRACK chain, which accepts traffic belonging to known
# connections and logs then drops what conntrack marks INVALID, and
# hook it into INPUT, OUTPUT and FORWARD.
#
# Outputs:   log messages via log(); rules via iptables()
function firewall_connection_tracking() {
	log INFO "Creating Connection Tracking chain..."

	iptables_chain_create CONNTRACK

	# Anything that belongs to, or is related to, a known connection
	# is accepted straight away.
	iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Packets conntrack cannot associate with any connection are
	# logged and then dropped. The substitution is unquoted on
	# purpose - iptables_LOG presumably returns the target plus its
	# options as separate words.
	local -a invalid=(-A CONNTRACK -m state --state INVALID)
	iptables "${invalid[@]}" -j $(iptables_LOG "INVALID packet: ")
	iptables "${invalid[@]}" -j DROP

	# Run every packet on all three paths through the chain.
	local chain
	for chain in INPUT OUTPUT FORWARD; do
		iptables -A ${chain} -j CONNTRACK
	done
}
176 function firewall_import_rules
() {
180 local protocol
="ipv6"
183 while [ $# -gt 0 ]; do
186 table
=$
(cli_get_val
${1})
189 protocol
=$
(cli_get_val
${1})
194 assert isoneof protocol ipv4 ipv6
195 assert isoneof table $
(iptables_table
${protocol})
200 while read src dst proto
; do
207 done < ${FIREWALL_CONFIG_RULES}