# man pages
MAN_PAGES = \
+ man/firewall-config.8 \
man/network.8 \
man/network-config.8 \
man/network-device.8 \
-mkdir -pv $(DESTDIR)$(tmpfilesdir)
-mkdir -pv $(DESTDIR)$(datadir)/firewall
+ install -m 755 -v firewall-config $(DESTDIR)$(sbindir)
install -m 755 -v firewall6 $(DESTDIR)$(sbindir)
install -m 755 -v firewall4 $(DESTDIR)$(sbindir)
install -m 755 -v network $(DESTDIR)$(sbindir)
+#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# #
###############################################################################
-# Enable connection tracking accounting.
-net.netfilter.nf_conntrack_acct=1
+. /usr/lib/network/functions
+
+# Read firewall configuration.
+firewall_config_read
+
+firewall_cli_config "$@"
+
+exit ${EXIT_ERROR}
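Review bot: The unconditional `exit ${EXIT_ERROR}` on the last line makes every successful run of this script exit non-zero, because `firewall_cli_config` as patched in this commit returns normally after `config_set`/`config_write` and only exits on its own for the help path. Unless the function is meant to exit in every branch, the script should propagate its status, e.g. replace the last line with `exit $?`, or write `firewall_cli_config "$@" && exit ${EXIT_OK}` before the error exit. The firewall4/firewall6 wrappers are only partially visible here, so whether they rely on the same fall-through cannot be confirmed from this page.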
. /usr/lib/network/functions
# Read firewall configuration.
-firewall_config_read "ipv4"
+firewall_config_read
firewall_cli "ipv4" "$@"
. /usr/lib/network/functions
# Read firewall configuration.
-firewall_config_read "ipv6"
+firewall_config_read
firewall_cli "ipv6" "$@"
echo "${@#*=}"
}
+function cli_get_bool() {
+ local value="$(cli_get_val "$@")"
+
+ if enabled value; then
+ print "true"
+ return ${EXIT_TRUE}
+ fi
+
+ print "false"
+ return ${EXIT_FALSE}
+}
+
function cli_usage() {
local command="$@"
local basename="$(basename ${0})"
firewall_cli_panic "${protocol}" "$@"
;;
- config)
- firewall_cli_config "${protocol}" $@
- ;;
-
zone)
firewall_cli_zone $@
;;
}
function firewall_cli_config() {
- local protocol="${1}"
- assert isset protocol
- shift
-
if cli_help_requested $@; then
- cli_usage root-config
+ cli_show_man firewall-config
exit ${EXIT_OK}
fi
if [ -n "${1}" ]; then
config_set "$@"
- firewall_config_write "${protocol}"
+ firewall_config_write
else
- firewall_config_print "${protocol}"
+ firewall_config_print
fi
}
local param
for param in $(listsort $@); do
- printf "%-24s = %s\n" "${param}" "${!param}"
+ printf "%-32s = %s\n" "${param}" "${!param}"
done
}
config_print ${NETWORK_CONFIG_FILE_PARAMS}
}
-function firewall_config_file() {
- local protocol="${1}"
- assert isset protocol
-
- local file
- case "${protocol}" in
- ipv6)
- file="${FIREWALL6_CONFIG_FILE}"
- ;;
- ipv4)
- file="${FIREWALL4_CONFIG_FILE}"
- ;;
- esac
- assert isset file
-
- print "${file}"
- return ${EXIT_OK}
-}
-
-function firewall_config_env() {
- local protocol="${1}"
- assert isset protocol
-
- case "${protocol}" in
- ipv6)
- file="${FIREWALL6_CONFIG_FILE}"
- params="${FIREWALL6_CONFIG_PARAMS}"
- ;;
- ipv4)
- file="${FIREWALL4_CONFIG_FILE}"
- params="${FIREWALL4_CONFIG_PARAMS}"
- ;;
- esac
- assert isset file
- assert isset params
-}
-
function firewall_config_read() {
- local file params
- firewall_config_env "$@"
-
- config_read "${file}" "${params}"
+ config_read "${FIREWALL_CONFIG_FILE}" "${FIREWALL_CONFIG_PARAMS}"
}
function firewall_config_write() {
- local file params
- firewall_config_env "$@"
-
- config_write "${file}" "${params}"
+ config_write "${FIREWALL_CONFIG_FILE}" "${FIREWALL_CONFIG_PARAMS}"
}
function firewall_config_print() {
- local file params
- firewall_config_env "$@"
-
- config_print "${params}"
+ config_print "${FIREWALL_CONFIG_PARAMS}"
}
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 IPFire Network Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+# Accounting
+
+function conntrack_get_accounting() {
+ sysctl_get "net.netfilter.nf_conntrack_acct"
+}
+
+function conntrack_set_accounting() {
+ local value="${1}"
+ assert isset value
+
+ # Convert boolean values into 0 and 1.
+ if enabled value; then
+ log INFO "Enabling connection tracking accounting"
+ value="1"
+ else
+ log INFO "Disabling connection tracking accounting"
+ value="0"
+ fi
+
+ sysctl_set "net.netfilter.nf_conntrack_acct" "${value}"
+}
+
+# Max. connections
+
+function conntrack_get_max_connections() {
+ sysctl_get "net.netfilter.nf_conntrack_max"
+}
+
+function conntrack_set_max_connections() {
+ local value="${1}"
+ assert isinteger value
+
+ log INFO "Conntrack: Setting max. amount of concurrent connections to ${value}"
+ sysctl_set "net.netfilter.nf_conntrack_max" "${value}"
+}
+
+# UDP timeout
+
+function conntrack_get_udp_timeout() {
+ sysctl_get "net.netfilter.nf_conntrack_udp_timeout"
+}
+
+function conntrack_set_udp_timeout() {
+ local value="${1}"
+ assert isinteger value
+
+ log INFO "Conntrack: Setting UDP timeout to ${value}s"
+ sysctl_set "net.netfilter.nf_conntrack_udp_timeout" "${value}"
+}
EXIT_OK=0
EXIT_ERROR=1
EXIT_CONF_ERROR=2
+EXIT_COMMAND_NOT_FOUND=127
EXIT_ERROR_ASSERT=128
EXIT_TRUE=0
FIREWALL_CONFIG_DIR="/etc/firewall"
FIREWALL_ZONES_DIR="${FIREWALL_CONFIG_DIR}/zones"
-FIREWALL4_CONFIG_FILE="${FIREWALL_CONFIG_DIR}/config4"
-FIREWALL6_CONFIG_FILE="${FIREWALL_CONFIG_DIR}/config6"
+FIREWALL_CONFIG_FILE="${FIREWALL_CONFIG_DIR}/config"
FIREWALL_CONFIG_RULES="${FIREWALL_CONFIG_DIR}/rules"
FIREWALL_MACROS_DIRS="${FIREWALL_CONFIG_DIR}/macros"
FIREWALL_CLAMP_PATH_MTU="false"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_CLAMP_PATH_MTU"
-FIREWALL4_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS}"
-FIREWALL6_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS}"
+# Conntrack: Max. amount of simultaneous connections.
+CONNTRACK_MAX_CONNECTIONS="16384"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_MAX_CONNECTIONS"
+
+# Conntrack: UDP timeout
+CONNTRACK_UDP_TIMEOUT="60"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_UDP_TIMEOUT"
+
+# Use SYN cookies or not
+FIREWALL_SYN_COOKIES="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_SYN_COOKIES"
+
+# rp_filter
+FIREWALL_RP_FILTER="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_RP_FILTER"
+
+# Log martians
+FIREWALL_LOG_MARTIANS="false"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_MARTIANS"
+
+# Accept ICMP redirects
+FIREWALL_ACCEPT_ICMP_REDIRECTS="false"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_ACCEPT_ICMP_REDIRECTS"
+
+# ECN (Explicit Congestion Notification)
+FIREWALL_USE_ECN="false"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_USE_ECN"
+
+# Path MTU discovery
+FIREWALL_PMTU_DISCOVERY="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_PMTU_DISCOVERY"
+
+# Default TTL
+FIREWALL_DEFAULT_TTL="64"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_DEFAULT_TTL"
+
+# Log stealth scans
+FIREWALL_LOG_STEALTH_SCANS="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_STEALTH_SCANS"
+
+# Log packets with bad TCP flags
+FIREWALL_LOG_BAD_TCP_FLAGS="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_BAD_TCP_FLAGS"
+
+# Log INVALID TCP packets
+FIREWALL_LOG_INVALID_TCP="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_TCP"
+
+# Log INVALID UDP packets
+FIREWALL_LOG_INVALID_UDP="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_UDP"
+
+# Log INVALID ICMP packets
+FIREWALL_LOG_INVALID_ICMP="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_INVALID_ICMP"
FIREWALL_SUPPORTED_PROTOCOLS="tcp udp icmp igmp esp ah gre"
FIREWALL_PROTOCOLS_SUPPORTING_PORTS="tcp udp"
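Review bot: The new default-parameter block documents most keys with a one-word comment (`# rp_filter`, `# Log martians`) that does not say what the setting changes, while `firewall_kernel_init` in the same commit shows the concrete sysctl each one drives. Expanding them, for example `# Reverse path filtering (net.ipv4.conf.*.rp_filter): drop packets whose source is not routable via the arriving interface` and `# SYN cookies (net.ipv4.tcp_syncookies): SYN-flood protection`, lets an administrator editing the config file understand the options without reading the kernel code. `FIREWALL_DEFAULT_TTL` should also mention the 10–255 range that `ipv4_ttl_valid` enforces, since an out-of-range value is only reported at apply time.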
assert isset file
local hostname=${HOSTNAME%%.*}
+ local prefix_delegation="false"
local vendor=$(distro_get_pretty_name)
while [ $# -gt 0 ]; do
--hostname=*)
hostname=$(cli_get_val ${1})
;;
+ --prefix-delegation=*)
+ prefix_delegation="$(cli_get_bool "${1}")"
+ ;;
--vendor=*)
vendor=$(cli_get_val ${1})
;;
if isset hostname; then
echo " send host-name \"${hostname}\";"
+ print
+ fi
+
+ # Prefix delegation (IPv6).
+ if enabled prefix_delegation; then
+ print " # Prefix delegation"
+ print " also request dhcp6.ia-pd 1;"
+ print " send dhcp6.ia-na 1;"
+ print
fi
echo "}"
# #
###############################################################################
+# This function initializes all kernel parameters that need to be adjusted
+# to run this firewall properly.
+function firewall_kernel_init() {
+ log INFO "Configuring kernel parameters..."
+ local option
+
+ # Enable conntrack accounting
+ conntrack_set_accounting "true"
+
+ # Adjust max. amount of simultaneous connections
+ conntrack_set_max_connections "${CONNTRACK_MAX_CONNECTIONS}"
+
+ # Increase UDP connection timeout (fixes DNS)
+ conntrack_set_udp_timeout "${CONNTRACK_UDP_TIMEOUT}"
+
+ # Disable sending redirects
+ log INFO "Disabling sending redirects"
+ sysctl_set_recursively "net.ipv6.conf" "send_redirects" 0
+ sysctl_set_recursively "net.ipv4.conf" "send_redirects" 0
+
+ # Enable source route protection
+ log INFO "Enabling source route protection"
+ sysctl_set_recursively "net.ipv6.conf" "accept_source_route" 0
+ sysctl_set_recursively "net.ipv4.conf" "accept_source_route" 0
+
+ # ICMP broadcast protection (smurf amplifier protection)
+ log INFO "Enabling ICMP broadcast protection (smurf amplifier protection)"
+ sysctl_set "net.ipv4.icmp_echo_ignore_broadcasts" 1
+
+ # ICMP Dead Error Message protection
+ log INFO "Enabling ICMP dead error message protection"
+ sysctl_set "net.ipv4.icmp_ignore_bogus_error_responses" 0
+
+ # Enable packet forwarding
+ log INFO "Enabling packet forwarding"
+ sysctl_set_recursively "net.ipv6.conf" "forwarding" 1
+ sysctl_set_recursively "net.ipv4.conf" "forwarding" 1
+
+ # Setting some kernel performance options
+ log INFO "Setting some kernel performance options"
+ for option in window_scaling timestamps sack dsack fack; do
+ sysctl_set "net.ipv4.tcp_${option}" 1
+ done
+ sysctl_set "net.ipv4.tcp_low_latency" 0
+
+ # Reduce DoS ability by reducing timeouts
+ log INFO "Reducing DoS ability"
+ sysctl_set "net.ipv4.tcp_fin_timeout" 30
+ sysctl_set "net.ipv4.tcp_keepalive_time" 1800
+
+ # Set number of times to retry SYN in a new connection
+ sysctl_set "net.ipv4.tcp_syn_retries" 3
+
+ # Set number of times to retry a SYN-ACK in a half-open new connection
+ sysctl_set "net.ipv4.tcp_synack_retries" 2
+
+ # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
+ sysctl_set "net.ipv4.tcp_rfc1337" 1
+
+ # SYN-flood protection
+ if enabled FIREWALL_SYN_COOKIES; then
+ log INFO "Enabling SYN-flood protection via SYN-cookies"
+ sysctl_set_bool "net.ipv4.tcp_syncookies" 1
+ else
+ log INFO "Disabling SYN-flood protection via SYN-cookies"
+ sysctl_set_bool "net.ipv4.tcp_syncookies" 0
+ fi
+
+ # rp_filter
+ if enabled FIREWALL_RP_FILTER; then
+ log INFO "Enabling anti-spoof from non-routable IP addresses"
+ sysctl_set_recursively "net.ipv4.conf" "rp_filter" 1
+ else
+ log INFO "Disabling anti-spoof from non-routable IP addresses"
+ sysctl_set_recursively "net.ipv4.conf" "rp_filter" 0
+ fi
+
+ # Log martians
+ if enabled FIREWALL_LOG_MARTIANS; then
+ log INFO "Enabling the logging of martians"
+ sysctl_set_recursively "net.ipv4.conf" "log_martians" 1
+ else
+ log INFO "Disabling the logging of martians"
+ sysctl_set_recursively "net.ipv4.conf" "log_martians" 0
+ fi
+
+ # ICMP redirect messages
+ if enabled FIREWALL_ACCEPT_ICMP_REDIRECTS; then
+ log INFO "Enabling accepting ICMP-redirect messages"
+ sysctl_set_recursively "net.ipv6.conf" "accept_redirects" 1
+ sysctl_set_recursively "net.ipv4.conf" "accept_redirects" 1
+ else
+ log INFO "Disabling accepting ICMP-redirect messages"
+ sysctl_set_recursively "net.ipv6.conf" "accept_redirects" 0
+ sysctl_set_recursively "net.ipv4.conf" "accept_redirects" 0
+ fi
+
+ # Explicit Congestion Notification
+ if enabled FIREWALL_USE_ECN; then
+ log INFO "Enabling ECN (Explicit Congestion Notification)"
+ sysctl_set "net.ipv4.tcp_ecn" 1
+ else
+ log INFO "Disabling ECN (Explicit Congestion Notification)"
+ sysctl_set "net.ipv4.tcp_ecn" 2
+ fi
+
+ # Dynamic IP address hacking
+ log INFO "Enabling kernel support for dynamic IP addresses"
+ sysctl_set "net.ipv4.ip_dynaddr" 1
+
+ if enabled FIREWALL_PMTU_DISCOVERY; then
+ log INFO "Enabling PMTU discovery"
+ sysctl_set "net.ipv4.ip_no_pmtu_disc" 0
+ else
+ log INFO "Disabling PMTU discovery"
+ sysctl_set "net.ipv4.ip_no_pmtu_disc" 1
+ fi
+
+ # TTL
+ if ipv4_ttl_valid "${FIREWALL_DEFAULT_TTL}"; then
+ log INFO "Setting default TTL to ${FIREWALL_DEFAULT_TTL}"
+ sysctl_set "net.ipv4.ip_default_ttl" "${FIREWALL_DEFAULT_TTL}"
+ else
+ log ERROR "Invalid value for default TTL '${FIREWALL_DEFAULT_TTL}'"
+ log ERROR " Must be between 10 and 255!"
+ fi
+
+ return ${EXIT_OK}
+}
+
# High-level function which will create a ruleset for the current firewall
# configuration and load it into the kernel.
function firewall_start() {
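Review bot: At `sysctl_set "net.ipv4.icmp_ignore_bogus_error_responses" 0` the value contradicts the log line just above it: this key is a boolean where 1 makes the kernel ignore bogus ICMP error responses, so writing 0 leaves the protection off while the log claims it is enabled; the line should read `sysctl_set "net.ipv4.icmp_ignore_bogus_error_responses" 1`. The ECN branch has the same mismatch: `sysctl_set "net.ipv4.tcp_ecn" 2` is logged as "Disabling ECN", but 2 is the kernel's "enable when requested by the peer" mode, so either write 0 to disable it or change the log message to say what 2 does. Whether the IPv6 tree exposes a per-interface `send_redirects` key for `sysctl_set_recursively` to match is not established on this page; if it does not, that call silently sets nothing and a comment should say the IPv6 line is best-effort.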
iptables_init "${protocol}" "DROP"
# Add default chains.
- firewall_tcp_state_flags "${protocol}"
+ firewall_filter_rh0_headers "${protocol}"
+ firewall_filter_icmp "${protocol}"
+ firewall_filter_invalid_packets "${protocol}"
firewall_custom_chains "${protocol}"
firewall_connection_tracking "${protocol}"
firewall_tcp_clamp_mss "${protocol}"
iptables "${protocol}" -t nat -A OUTPUT -j CUSTOMOUTPUT
}
-function firewall_tcp_state_flags() {
+function firewall_filter_invalid_packets() {
local protocol="${1}"
assert isset protocol
- log INFO "Creating TCP State Flags chain..."
+ local log_limit="-m limit --limit 5/m --limit-burst 10"
+
+ # Create a chain
+ iptables_chain_create "${protocol}" FILTER_INVALID
+ iptables "${protocol}" -A INPUT -j FILTER_INVALID
+ iptables "${protocol}" -A OUTPUT -j FILTER_INVALID
+ iptables "${protocol}" -A FORWARD -j FILTER_INVALID
+
+ # Create a chain where only TCP packets go
+ iptables_chain_create "${protocol}" FILTER_INVALID_TCP
+ iptables "${protocol}" -A FILTER_INVALID -p tcp -j FILTER_INVALID_TCP
+
+ # Create a chain where only UDP packets go
+ iptables_chain_create "${protocol}" FILTER_INVALID_UDP
+ iptables "${protocol}" -A FILTER_INVALID -p udp -j FILTER_INVALID_UDP
+
+ # Create a chain where only ICMP packets go
+ iptables_chain_create "${protocol}" FILTER_INVALID_ICMP
+ iptables "${protocol}" -A FILTER_INVALID -p icmp -j FILTER_INVALID_ICMP
+
+
+ # Optionally log all port scans
+
+ if enabled FIREWALL_LOG_STEALTH_SCANS; then
+ log INFO "Logging of stealth scans enabled"
+
+ # NMAP FIN/URG/PSH - XMAS scan
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL FIN,URG,PSH \
+ "${log_limit}" -j "$(iptables_LOG "Stealth XMAS scan")"
+
+ # SYN/RST/ACK/FIN/URG
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
+ "${log_limit}" -j "$(iptables_LOG "Stealth XMAS-PSH scan")"
+
+ # ALL/ALL
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL ALL \
+ "${log_limit}" -j "$(iptables_LOG "Stealth XMAS-ALL scan")"
+
+ # NMAP FIN Stealth
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL FIN \
+ "${log_limit}" -j "$(iptables_LOG "Stealth FIN scan")"
+
+ # SYN/RST
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags SYN,RST SYN,RST \
+ "${log_limit}" -j "$(iptables_LOG "Stealth SYN/RST scan")"
+
+ # SYN/FIN
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags SYN,FIN SYN,FIN \
+ "${log_limit}" -j "$(iptables_LOG "Stealth SYN/FIN scan")"
+
+ # Null scan
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL NONE \
+ "${log_limit}" -j "$(iptables_LOG "Stealth NULL scan")"
+ else
+ log INFO "Logging of stealth scans disabled"
+ fi
+
+
+ # Drop scan packets
+
+ # NMAP FIN/URG/PSH
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+
+ # SYN/RST/ACK/FIN/URG
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+ # ALL/ALL
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL ALL -j DROP
+
+ # NMAP FIN Stealth
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL FIN -j DROP
+
+ # SYN/RST
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
- iptables_chain_create "${protocol}" BADTCP_LOG
- iptables "${protocol}" -A BADTCP_LOG -p tcp -j "$(iptables_LOG "Illegal TCP state: ")"
- iptables "${protocol}" -A BADTCP_LOG -j DROP
+ # SYN/FIN
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
- iptables_chain_create "${protocol}" BADTCP
- iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
- iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
- iptables "${protocol}" -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
- iptables "${protocol}" -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
- iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG
- iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG
- iptables "${protocol}" -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG
+ # Null scan
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-flags ALL NONE -j DROP
- iptables "${protocol}" -A INPUT -p tcp -j BADTCP
- iptables "${protocol}" -A OUTPUT -p tcp -j BADTCP
- iptables "${protocol}" -A FORWARD -p tcp -j BADTCP
+
+ # Log packets with bad flags
+
+ if enabled FIREWALL_LOG_BAD_TCP_FLAGS; then
+ log INFO "Logging of packets with bad TCP flags enabled"
+
+ # Option 64
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-option 64 \
+ "${log_limit}" -j "$(iptables_LOG "Bad TCP flag(64)")"
+
+ # Option 128
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-option 128 \
+ "${log_limit}" -j "$(iptables_LOG "Bad TCP flag(128)")"
+ else
+ log INFO "Logging of packets with bad TCP flags disabled"
+ fi
+
+ # Drop packets with bad flags
+
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-option 64 -j DROP
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp --tcp-option 128 -j DROP
+
+
+ # Log invalid packets
+
+ if enabled FIREWALL_LOG_INVALID_TCP; then
+ log INFO "Logging of INVALID TCP packets enabled"
+
+ iptables "${protocol}" -A FILTER_INVALID_TCP -p tcp -m conntrack --ctstate INVALID \
+ "${log_limit}" -j "$(iptables_LOG "INVALID TCP")"
+ else
+ log INFO "Logging of INVALID TCP packets disabled"
+ fi
+
+ if enabled FIREWALL_LOG_INVALID_UDP; then
+ log INFO "Logging of INVALID UDP packets enabled"
+
+ iptables "${protocol}" -A FILTER_INVALID_UDP -p udp -m conntrack --ctstate INVALID \
+ "${log_limit}" -j "$(iptables_LOG "INVALID UDP")"
+ else
+ log INFO "Logging of INVALID UDP packets disabled"
+ fi
+
+ if enabled FIREWALL_LOG_INVALID_ICMP; then
+ log INFO "Logging of INVALID ICMP packets enabled"
+
+ iptables "${protocol}" -A FILTER_INVALID_ICMP -p icmp -m conntrack --ctstate INVALID \
+ "${log_limit}" -j "$(iptables_LOG "INVALID ICMP")"
+ else
+ log INFO "Logging of INVALID ICMP packets disabled"
+ fi
+
+ # Drop all INVALID packets
+ iptables "${protocol}" -A FILTER_INVALID -m conntrack --ctstate INVALID -j DROP
}
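Review bot: Each logging rule passes `"${log_limit}"` as a single quoted word (first at the XMAS-scan rule after `--tcp-flags ALL FIN,URG,PSH \`), so `-m limit --limit 5/m --limit-burst 10` reaches the `iptables` wrapper as one argument; this only works if the wrapper re-splits its argument list on whitespace, which the visible `list_append args "${1}"` calls suggest but do not prove. A bash array removes that dependency: `local log_limit=(-m limit --limit 5/m --limit-burst 10)` at the top and `"${log_limit[@]}"` at each use. Separately, the removed BADTCP chain also matched `FIN,RST FIN,RST`, `ACK,FIN FIN`, `ACK,PSH PSH` and `ACK,URG URG`, none of which appear in the new FILTER_INVALID_TCP rules; if dropping those checks is intentional it deserves a comment, otherwise they should be carried over into the drop list.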
function firewall_tcp_clamp_mss() {
log DEBUG "Creating firewall chains for localhost..."
# Accept everything on lo
- iptables "${protocol}" -A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT
- iptables "${protocol}" -A OUTPUT -o lo -m conntrack --ctstate NEW -j ACCEPT
+ iptables "${protocol}" -A INPUT -i lo -j ACCEPT
+ iptables "${protocol}" -A OUTPUT -o lo -j ACCEPT
+}
+
+function firewall_filter_rh0_headers() {
+ local protocol="${1}"
+ assert isset protocol
+
+ # Only IPv6.
+ [ "${protocol}" = "ipv6" ] || return ${EXIT_OK}
+
+ # Filter all packets that have RH0 headers
+ # http://www.ietf.org/rfc/rfc5095.txt
+ iptables_chain_create "${protocol}" FILTER_RH0
+ iptables "${protocol}" -A FILTER_RH0 -m rt --rt-type 0 -j DROP
+
+ iptables "${protocol}" -A INPUT -j FILTER_RH0
+ iptables "${protocol}" -A FORWARD -j FILTER_RH0
+ iptables "${protocol}" -A OUTPUT -j FILTER_RH0
+}
+
+function firewall_filter_icmp() {
+ local protocol="${1}"
+ assert isset protocol
+
+ # Only IPv6.
+ [ "${protocol}" = "ipv6" ] || return ${EXIT_OK}
+
+ local chain="FILTER_ICMPV6"
+
+ # Create an extra chain for handling ICMP packets.
+ iptables_chain_create "${protocol}" "${chain}_COMMON"
+
+ local suffix
+ for suffix in INC FWD OUT; do
+ iptables_chain_create "${protocol}" "${chain}_${suffix}"
+ iptables "${protocol}" -A "${chain}_${suffix}" -j "${chain}_COMMON"
+ done
+ iptables "${protocol}" -A INPUT -p icmpv6 -j "${chain}_INC"
+ iptables "${protocol}" -A FORWARD -p icmpv6 -j "${chain}_FWD"
+ iptables "${protocol}" -A OUTPUT -p icmpv6 -j "${chain}_OUT"
+
+ # Packets that must always pass the firewall.
+ # Type 4: Parameter Problem
+ local type
+ for type in ttl-zero-during-reassembly bad-header; do
+ iptables "${protocol}" -A "${chain}_COMMON" \
+ -p icmpv6 --icmpv6-type "${type}" -j ACCEPT
+ done
+
+ # Packets that are accepted if they belong to an existing connection.
+ for type in echo-reply destination-unreachable packet-too-big \
+ unknown-header-type unknown-option; do
+ iptables "${protocol}" -A "${chain}_COMMON" \
+ -m conntrack --ctstate ESTABLISHED,RELATED \
+ -p icmpv6 --icmpv6-type "${type}" -j ACCEPT
+ done
+
+ # Packets that are always discarded.
+ # Type 100, 101, 200, 201: Private Experimentation
+ for type in 100 101 200 201; do
+ iptables "${protocol}" -A "${chain}_COMMON" \
+ -p icmpv6 --icmpv6-type "${type}" -j DROP
+ done
+
+ # Discard packets from local networks with hop limit smaller than $hoplimit.
+ # Type 148: Path solicitation
+ # Type 149: Path advertisement
+ local hoplimit=255
+ for type in {router,neighbour}-{advertisement,solicitation} 148 149; do
+ iptables "${protocol}" -A "${chain}_INC" \
+ -p icmpv6 --icmpv6-type "${type}" \
+ -m hl --hl-lt "${hoplimit}" -j DROP
+ done
+
+ # The firewall is always allowed to send ICMP echo requests.
+ iptables "${protocol}" -A "${chain}_OUT" \
+ -p icmpv6 --icmpv6-type echo-request -j ACCEPT
+
+ return ${EXIT_OK}
}
function firewall_zone_create_chains() {
# #
###############################################################################
+HOOK_COMMANDS_CONFIG="hook_create hook_down hook_status hook_up"
+
+HOOK_COMMANDS_PORT="hook_create hook_down hook_hotplug hook_hotplug_rename \
+ hook_info hook_status hook_up"
+
+HOOK_COMMANDS_ZONE="hook_create hook_discover hook_down hook_edit hook_help \
+ hook_info hook_remove hook_status hook_up \
+ \
+ hook_config_create hook_config_edit hook_config_remove hook_config_show \
+ \
+ hook_port hook_port_add hook_port_edit hook_port_remove hook_port_show \
+ hook_port_status hook_port_up hook_port_down \
+ \
+ hook_ppp_ip_pre_up hook_ppp_ipv4_down hook_ppp_ipv4_up \
+ hook_ipv6_down hook_ipv6_up hook_ppp_write_config"
+
function hook_dir() {
local type=${1}
}
function hook_exec() {
- local type=${1}
- local hook=${2}
- local cmd=${3}
- shift 3
-
+ local type="${1}"
assert isset type
+
+ local hook="${2}"
assert isset hook
+
+ local cmd="${3}"
assert isset cmd
assert hook_exists "${type}" "${hook}"
+ shift 3
+
+ # Complete the hook command by prepending "hook_"
+ local hook_cmd="hook_${cmd}"
+
+ # Check if the hook action is valid.
+ local valid_commands
+ case "${type}" in
+ "config")
+ valid_commands="${HOOK_COMMANDS_CONFIG}"
+ ;;
+ "port")
+ valid_commands="${HOOK_COMMANDS_PORT}"
+ ;;
+ "zone")
+ valid_commands="${HOOK_COMMANDS_ZONE}"
+ ;;
+ esac
+ isset valid_commands && assert list_match "${hook_cmd}" ${valid_commands}
+
+ local hook_path="$(hook_dir ${type})/${hook}"
# For performance reasons, all hooks are executed
# in a subshell and so will inherit the currently
HOOK=$(basename ${hook})
# Source the code of the hook.
- source "$(hook_dir ${type})/${hook}"
+ source "${hook_path}"
# Make sure HOOK is still properly set.
assert isset HOOK
# Execute the requested command.
- _${cmd} $@
+ cmd "${hook_cmd}" "$@"
)
local ret=$?
- if [ ${ret} -eq ${EXIT_ERROR_ASSERT} ]; then
- log ERROR "Hook exited with an assertion error."
- exit ${ret}
- fi
+ case "${ret}" in
+ ${EXIT_COMMAND_NOT_FOUND})
+ log ERROR "Hook command not implemented: ${hook_command} ($@)"
+ exit ${EXIT_COMMAND_NOT_FOUND}
+ ;;
+ ${EXIT_ERROR_ASSERT})
+ log ERROR "Hook exited with an assertion error."
+ exit ${EXIT_ERROR_ASSERT}
+ ;;
+ esac
return ${ret}
}
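Review bot: `${hook_command}` in the `EXIT_COMMAND_NOT_FOUND` log line is never assigned; the variable built above is `hook_cmd`, so the message will print an empty command name. Change it to `log ERROR "Hook command not implemented: ${hook_cmd} ($@)"`. Also, for a `type` outside config/port/zone, `valid_commands` stays unset and `isset valid_commands && assert list_match …` silently skips the whitelist check; an explicit `*)` arm that asserts on or logs the unknown type would make that behaviour visible rather than implicit.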
assert isoneof table ${IPTABLES_TABLES}
;;
+
+ # Automatically convert ICMP to ICMPv6 for IPv6
+ --protocol|-p)
+ local proto="${2}"
+
+ if [ "${protocol}" = "ipv6" -a "${proto}" = "icmp" ]; then
+ proto="icmpv6"
+ fi
+
+ list_append args "${1} ${proto}"
+ shift 2
+ ;;
*)
list_append args "${1}"
}
function iptables_LOG() {
- local prefix=${1}
+ local prefix="${1}"
local ret
+ # Automatically append a colon and whitespace.
+ case "${prefix}" in
+ # Everything is fine.
+ "*: ") ;;
+
+ # Ends with colon, add whitespace only.
+ "*:")
+ prefix="${prefix} "
+ ;;
+
+ # Append both.
+ *)
+ prefix="${prefix}: "
+ ;;
+ esac
+
case "${FIREWALL_LOG_METHOD}" in
nflog)
ret="NFLOG --nflog-threshold ${FIREWALL_NFLOG_THRESHOLD}"
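Review bot: The first two `case` arms of the new prefix normalisation, `"*: ")` and `"*:")`, quote the asterisk, which makes it a literal character instead of a glob, so neither arm ever matches a real prefix and every caller gets `: ` appended, including prefixes that already end in `: `, which then carry a doubled suffix. Move the quotes off the wildcard: `*": ") ;;` and `*":")`. The rest of the function (the `FIREWALL_LOG_METHOD` switch) continues outside the hunk.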
return ${EXIT_FALSE}
}
+
+function ipv4_ttl_valid() {
+ local ttl="${1}"
+
+ isinteger ttl || return ${EXIT_FALSE}
+
+ # Must be between 10 and 255.
+ [ "${ttl}" -lt 10 ] && return ${EXIT_FALSE}
+ [ "${ttl}" -gt 255 ] && return ${EXIT_FALSE}
+
+ return ${EXIT_TRUE}
+}
IP_SUPPORTED_PROTOCOLS="${IP_SUPPORTED_PROTOCOLS} ipv6"
-function ipv6_init() {
- log INFO "Initializing IPv6 networking."
-
- # Enable forwarding on all devices
- #ipv6_device_forwarding_disable all
- #ipv6_device_forwarding_disable default
-
- # Disable autoconfiguration on all devices per default
- #ipv6_device_autoconf_disable all
- #ipv6_device_autoconf_disable default
-
- # XXX do we need this?
- #local device
- #for device in $(devices_get_all); do
- # ipv6_device_forwarding_disable ${device}
- # ipv6_device_autoconf_disable ${device}
- #done
-}
-
-init_register ipv6_init
-
function ipv6_device_autoconf_enable() {
- local device=${1}
+ local device="${1}"
+ assert device_exists "${device}"
- assert isset device
-
- # Allow setting default and all settings
- if ! isoneof device all default; then
- assert device_exists ${device}
- fi
-
- local val
- for val in accept_ra accept_redirects; do
- echo 1 > /proc/sys/net/ipv6/conf/${device}/${val}
- done
+ sysctl_set "net.ipv6.conf.${device}.accept_ra" 1
+ sysctl_set "net.ipv6.conf.${device}.autoconf" 1
}
function ipv6_device_autoconf_disable() {
- local device=${1}
-
- assert isset device
-
- # Allow setting default and all settings
- if ! isoneof device all default; then
- assert device_exists ${device}
- fi
-
- local val
- for val in accept_ra accept_redirects; do
- echo 0 > /proc/sys/net/ipv6/conf/${device}/${val}
- done
-}
-
-function ipv6_device_forwarding_enable() {
- local device=${1}
-
- assert isset device
-
- # Allow setting default and all settings
- if ! isoneof device all default; then
- assert device_exists ${device}
- fi
+ local device="${1}"
+ assert device_exists "${device}"
- echo 1 > /proc/sys/net/ipv6/conf/${device}/forwarding
-}
-
-function ipv6_device_forwarding_disable() {
- local device=${1}
-
- assert isset device
-
- # Allow setting default and all settings
- if ! isoneof device all default; then
- assert device_exists ${device}
- fi
-
- echo 0 > /proc/sys/net/ipv6/conf/${device}/forwarding
+ sysctl_set "net.ipv6.conf.${device}.accept_ra" 0
+ sysctl_set "net.ipv6.conf.${device}.autoconf" 0
}
# Enable IPv6 RFC3041 privacy extensions if desired
function ipv6_device_privacy_extensions_enable() {
- local device=${1}
- local type=${2}
-
- assert isset device
- assert device_exists ${device}
-
- # Default value is rfc3041
- if [ -z "${type}" ]; then
- type="rfc3041"
- fi
+ local device="${1}"
+ assert device_exists "${device}"
- assert isset type
-
- case "${type}" in
- rfc3041)
- echo 2 > /proc/sys/net/ipv6/conf/${device}/use_tempaddr
- ;;
- *)
- error_log "Given type '${type}' is not supported."
- return ${EXIT_ERROR}
- ;;
- esac
-
- return ${EXIT_OK}
+ sysctl_set "net.ipv6.conf.${device}.use_tempaddr" 2
}
function ipv6_device_privacy_extensions_disable() {
- local device=${1}
-
- assert isset device
- assert device_exists ${device}
+ local device="${1}"
+ assert device_exists "${device}"
- echo 0 > /proc/sys/net/ipv6/conf/${device}/use_tempaddr
+ sysctl_set "net.ipv6.conf.${device}.use_tempaddr" 0
}
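Review bot: `assert device_exists "${device}"` in `ipv6_device_autoconf_enable` (and the matching line in `ipv6_device_autoconf_disable`) replaces a branch that explicitly accepted `all` and `default`; unless `device_exists` treats those names as valid, any caller that still passes them to reach `net.ipv6.conf.all.*` or `net.ipv6.conf.default.*` now trips the assertion. If that narrowing is intended, a one-line comment stating that these functions apply to real interfaces only would keep it from looking accidental; otherwise keep the `isoneof device all default` guard in front of the assert. `ipv6_device_privacy_extensions_enable` also silently drops its former second argument, so a caller still passing a type gets no error and no indication it is ignored.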
function ipv6_is_valid() {
return ${EXIT_OK}
}
-function ppp_common_ip_up() {
+function ppp_common_ipv4_up() {
local zone=${1}
shift
return ${EXIT_OK}
}
-function ppp_common_ip_down() {
+function ppp_common_ipv4_down() {
local zone=${1}
shift
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 IPFire Network Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+SYSCTL_PATH="/proc/sys"
+
+function sysctl_key_to_path() {
+ local key="${1}"
+ assert isset key
+
+ print "${SYSCTL_PATH}/${key//.//}"
+
+ return ${EXIT_OK}
+}
+
+function sysctl_key_exists() {
+ local key="${1}"
+ assert isset key
+
+ local path="$(sysctl_key_to_path "${key}")"
+
+ [ -e "${path}" ] && return ${EXIT_OK}
+ return ${EXIT_ERROR}
+}
+
+function sysctl_get() {
+ local key="${1}"
+ assert isset key
+
+ fread "$(sysctl_key_to_path "${key}")" || return $?
+ return ${EXIT_OK}
+}
+
+function sysctl_set() {
+ local key="${1}"
+ assert isset key
+
+ local value="${2}"
+
+ fwrite "$(sysctl_key_to_path "${key}")" "${value}" || return $?
+ return ${EXIT_OK}
+}
+
+function sysctl_set_bool() {
+ local key="${1}"
+
+ local value="${2}"
+ if enabled value; then
+ value="1"
+ else
+ value="0"
+ fi
+
+ sysctl_set "${key}" "${value}"
+}
+
+function sysctl_set_recursively() {
+ local basekey="${1}"
+ assert isset basekey
+
+ local subkey="${2}"
+ assert isset subkey
+
+ local value="${3}"
+
+ local basepath="$(sysctl_key_to_path "${basekey}")"
+ local subpath="/${subkey//\.//}"
+
+ local path
+ for path in $(find "${basepath}" -type f); do
+ [[ ${path} =~ ${subpath}$ ]] || continue
+
+ fwrite "${path}" "${value}"
+ done
+
+ return ${EXIT_OK}
+}
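Review bot: In `sysctl_set_recursively` the result of `fwrite "${path}" "${value}"` is discarded and the function unconditionally returns `${EXIT_OK}`, unlike `sysctl_set` and `sysctl_get` above it, which propagate the status with `|| return $?`; a key that is read-only or absent on one interface is therefore skipped without trace. If best-effort is the intent, say so in a comment; otherwise record failures with `local ret=${EXIT_OK}`, `fwrite "${path}" "${value}" || ret=${EXIT_ERROR}` and `return ${ret}`. The `for path in $(find …)` loop also relies on word-splitting, which is harmless under `/proc/sys` but reads more clearly as `while read -r path; do …; done < <(find "${basepath}" -type f)`.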
exit ${EXIT_ERROR}
}
+function cmd_not_implemented() {
+ assert false "not implemented"
+}
+
function seq() {
if [ $# -eq 2 ]; then
eval echo {${1}..${2}}
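Review bot: `cmd_not_implemented` loses the name of the missing command that the `_notimplemented` it replaces used to print (`warning "'$@' was not implemented."` in the removed header-zone code), so an operator hitting an unimplemented hook action gets a bare "not implemented" with no hint which one. Bash already knows the caller, so no argument is needed: `assert false "${FUNCNAME[1]} is not implemented"`. The change also turns a soft `EXIT_CONF_ERROR` exit into whatever `assert` does, presumably a hard abort; if that is intended, a one-line comment on the function saying so would help.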
# into the system and got its correct name.
# The function is intended to create child ports and things
# like that.
-function _hotplug() {
+function hook_hotplug() {
exit ${EXIT_OK}
}
# The first argument is the port which should be tested
# against the second argument which is the device that
# has been plugged in.
-function _hotplug_rename() {
+function hook_hotplug_rename() {
exit ${EXIT_FALSE}
}
-function _info() {
- local port=${1}
- shift
-
+function hook_info() {
+ local port="${1}"
assert isset port
+ shift
- config_read $(port_file ${port})
+ config_read "$(port_file ${port})"
- local key
- local val
+ local key val
for key in PORT_PARENTS PORT_CHILDREN; do
val="${key}_VAR"
val=${!val}
exit ${ERROR_OK}
}
-function _status() {
- local port=${1}
+function hook_status() {
+ local port="${1}"
assert isset port
- cli_device_headline ${port} --long
+ cli_device_headline "${port}" --long
exit ${EXIT_OK}
}
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
-#
-# Notes:
-# - All functions in this scope must start with an underline (_) to not
-# conflict with any functions that were defined somewhere else.
-#
-
-# _notimplemented
-# Returns a soft error if a function was not implemented, yet.
-#
-function _notimplemented() {
- warning "'$@' was not implemented."
- exit ${EXIT_CONF_ERROR}
-}
-function _info() {
+function hook_info() {
echo "HOOK=\"${HOOK}\""
}
-function _create() {
- local zone=${1}
+function hook_create() {
+ local zone="${1}"
+ assert isset zone
shift
config_read $(zone_dir ${zone})/settings
- _parse_cmdline $@
+ hook_parse_cmdline $@
config_write $(zone_dir ${zone})/settings ${HOOK_SETTINGS}
exit ${EXIT_OK}
}
-function _edit() {
- _create $@
+function hook_edit() {
+ hook_create $@
}
-function _rem() {
- _notimplemented _rem
+function hook_remove() {
+ cmd_not_implemented
}
-function _status() {
- local zone=${1}
+function hook_status() {
+ local zone="${1}"
+ assert isset zone
if device_is_up ${zone}; then
exit ${STATUS_UP}
exit ${STATUS_DOWN}
}
-function _up() {
- _notimplemented _up
+function hook_up() {
+ cmd_not_implemented
}
-function _down() {
- _notimplemented _down
+function hook_down() {
+ cmd_not_implemented
}
-function _discover() {
+function hook_discover() {
# This hook does not support a discovery
exit ${DISCOVER_NOT_SUPPORTED}
}
# The default help function.
-function _help() {
+function hook_help() {
# If no man page has been configured, we print an error message.
if [ -z "${HOOK_MANPAGE}" ]; then
error "There is no help available for hook '${HOOK}'. Exiting."
return ${EXIT_OK}
}
-function _port() {
- local zone=${1}
- local action=${2}
+function hook_port() {
+ local zone="${1}"
+ assert isset zone
+
+ local action="${2}"
shift 2
local ret
-
case "${action}" in
add|create|edit|rem|show)
- _port_${action} ${zone} $@
+ hook_port_${action} "${zone}" $@
ret=$?
;;
*)
exit ${ret}
}
-function _port_add() {
- _port_cmd add $@
+function hook_port_add() {
+ hook_port_cmd add "$@"
}
-function _port_edit() {
- _port_cmd edit $@
+function hook_port_edit() {
+ _port_cmd edit "$@"
}
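Review bot: `hook_port_edit` still calls `_port_cmd`, which this same change renames to `hook_port_cmd` a few functions further down, so `port edit` on any zone will fail with a command-not-found once the rename lands. The sibling wrappers `hook_port_add` and `hook_port_rem` were updated; this one should read `hook_port_cmd edit "$@"`.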
-function _port_rem() {
- _port_cmd rem $@
+function hook_port_rem() {
+ hook_port_cmd remove "$@"
}
-function _port_show() {
- _notimplemented _port_show
+function hook_port_show() {
+ cmd_not_implemented
}
-function _port_status() {
- _port_cmd status $@
+function hook_port_status() {
+ hook_port_cmd status "$@"
}
-function _port_cmd() {
- local cmd=${1}
- local zone=${2}
- local port=${3}
- shift 3
-
+function hook_port_cmd() {
+ local cmd="${1}"
assert isset cmd
+
+ local zone="${2}"
assert isset zone
+
+ local port="${3}"
assert isset port
- local hook_zone=$(zone_get_hook ${zone})
- local hook_port=$(port_get_hook ${port})
+ shift 3
+ local hook_zone="$(zone_get_hook ${zone})"
assert isset hook_zone
+
+ local hook_port="$(port_get_hook ${port})"
assert isset hook_port
- if ! listmatch ${hook_port} $(zone_get_supported_port_hooks ${zone}); then
- error_log "Zone '${zone}' does not support port of type '${hook_port}'."
+ if ! listmatch "${hook_port}" $(zone_get_supported_port_hooks ${zone}); then
+ log ERROR "Zone '${zone}' does not support port of type '${hook_port}'."
exit ${EXIT_ERROR}
fi
- hook_zone_port_exec ${hook_zone} ${hook_port} ${cmd} ${zone} ${port} $@
-
+ hook_zone_port_exec "${hook_zone}" "${hook_port}" "${cmd}" "${zone}" "${port}" "$@"
exit $?
}
-function _port_up() {
- _port_cmd up $@
+function hook_port_up() {
+ hook_port_cmd up "$@"
}
-function _port_down() {
- _port_cmd down $@
+function hook_port_down() {
+ hook_port_cmd down "$@"
}
-function _config() {
- local zone=${1}
- local action=${2}
+function hook_config() {
+ local zone="${1}"
+ assert isset zone
+
+ local action="${2}"
+ assert isset action
shift 2
local ret
-
case "${action}" in
create|edit|rem|show)
- _config_${action} ${zone} $@
- ret=$?
+ hook_config_${action} "${zone}" "$@"
+ exit $?
;;
*)
error "Unrecognized argument: '${action}'"
exit ${EXIT_ERROR}
;;
esac
-
- exit ${ret}
}
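Review bot: the `rem` arm of the `case` in `hook_config` dispatches to `hook_config_${action}`, i.e. `hook_config_rem`, but the function is renamed to `hook_config_remove` later in this change, so `config rem` will fail with a command-not-found. Either give the alias its own arm, `rem|remove) hook_config_remove "${zone}" "$@"`, or keep the function name `hook_config_rem`. The parallel dispatch in `hook_port` is consistent (`hook_port_rem` still exists), so as far as this diff shows only the config path is affected.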
-# This function is not a public one
-function __configcmd() {
- local cmd=${1}
- local zone=${2}
- local hook_config=${3}
- shift 3
+function hook_config_cmd() {
+ local cmd="${1}"
+ assert isset cmd
- local hook_zone=$(zone_get_hook ${zone})
+ local zone="${2}"
+ assert isset zone
- if ! hook_zone_exists ${hook_zone}; then
- error "Hook '${hook}' does not exist."
+ local hook_config="${3}"
+ assert isset hook_config
+
+ shift 3
+
+ local hook_zone="$(zone_get_hook "${zone}")"
+ if ! hook_zone_exists "${hook_zone}"; then
+ log ERROR "Hook '${hook}' does not exist."
exit ${EXIT_ERROR}
fi
- if ! hook_config_exists ${hook_zone} ${hook_config}; then
- error "Hook '${hook_config}' is not supported for zone '${zone}'."
+ if ! hook_config_exists "${hook_zone}" "${hook_config}"; then
+ log ERROR "Hook '${hook_config}' is not supported for zone '${zone}'."
exit ${EXIT_ERROR}
fi
- hook_zone_config_exec ${hook_zone} ${hook_config} ${cmd} ${zone} $@
+ hook_zone_config_exec "${hook_zone}" "${hook_config}" "${cmd}" "${zone}" "$@"
}
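Review bot: the error message in `hook_config_cmd` interpolates `${hook}`, which nothing in the function sets (the looked-up value is in `hook_zone`), so the log line will read `Hook '' does not exist.`; the removed `__configcmd` had the same slip and the rewrite carried it over while switching to `log ERROR`. Change it to `log ERROR "Hook '${hook_zone}' does not exist."` — unless `hook` is a global populated by the caller, which nothing in this diff shows.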
-function _config_create() {
- local zone=${1}
- local hook_config=${2}
- shift 2
-
+function hook_config_create() {
+ local zone="${1}"
assert isset zone
+
+ local hook_config="${2}"
assert isset hook_config
- assert zone_exists ${zone}
- if ! listmatch ${hook_config} $(zone_get_supported_config_hooks ${zone}); then
- error_log "Zone '${zone}' does not support configuration of type '${hook_config}'."
+ shift 2
+
+ if ! listmatch "${hook_config}" $(zone_get_supported_config_hooks ${zone}); then
+ log ERROR "Zone '${zone}' does not support configuration of type '${hook_config}'."
exit ${EXIT_ERROR}
fi
- local hook_zone=$(zone_get_hook ${zone})
+ local hook_zone="$(zone_get_hook "${zone}")"
assert isset hook_zone
- hook_zone_config_exec ${hook_zone} ${hook_config} create ${zone} $@
-
+ hook_zone_config_exec "${hook_zone}" "${hook_config}" create "${zone}" "$@"
exit $?
}
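Review bot: the rewrite of `hook_config_create` drops the `assert zone_exists ${zone}` that `_config_create` had and adds no replacement, so a nonexistent zone now reaches `zone_get_supported_config_hooks` and `zone_get_hook` unchecked; what those return for a missing zone is not visible here, and the later `assert isset hook_zone` is the only thing standing between a typo and a config being written for a zone that does not exist. Restore the check in the style the other hooks in this file use: `if ! zone_exists "${zone}"; then log ERROR "Zone '${zone}' does not exist."; exit ${EXIT_ERROR}; fi`. If the drop was deliberate because the caller already validates the zone, a comment saying so would save the next reader the question.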
-function _config_edit() {
- __configcmd edit $@
+function hook_config_edit() {
+ hook_config_cmd edit "$@"
}
-function _config_rem() {
- _notimplemented _config_rem
+function hook_config_remove() {
+ cmd_not_implemented
}
-function _config_show() {
- _notimplemented _config_show
+function hook_config_show() {
+ cmd_not_implemented
}
-function _ppp-write-config() {
- _notimplemented _ppp_write_config
+function hook_ppp_write_config() {
+ cmd_not_implemented
# Arguments: <zone> <filename>
}
-function _ppp-ip-pre-up() {
- local zone=${1}
+function hook_ppp_ip_pre_up() {
+ local zone="${1}"
+ assert isset zone
shift
- if ! zone_exists ${zone}; then
- error "Zone '${zone}' does not exist."
+ if ! zone_exists "${zone}"; then
+ log ERROR "Zone '${zone}' does not exist."
exit ${EXIT_ERROR}
fi
- ppp_common_ip_pre_up ${zone} $@
-
+ ppp_common_ip_pre_up "${zone}" "$@"
exit $?
}
-function _ppp-ip-up() {
- local zone=${1}
+function hook_ppp_ipv4_up() {
+ local zone="${1}"
+ assert isset zone
shift
- if ! zone_exists ${zone}; then
- error "Zone '${zone}' does not exist."
+ if ! zone_exists "${zone}"; then
+ log ERROR "Zone '${zone}' does not exist."
exit ${EXIT_ERROR}
fi
- ppp_common_ip_up ${zone} $@
-
+ ppp_common_ipv4_up "${zone}" "$@"
exit $?
}
-function _ppp-ip-down() {
- local zone=${1}
+function hook_ppp_ipv4_down() {
+ local zone="${1}"
+ assert isset zone
shift
- if ! zone_exists ${zone}; then
- error "Zone '${zone}' does not exist."
+ if ! zone_exists "${zone}"; then
+ log ERROR "Zone '${zone}' does not exist."
exit ${EXIT_ERROR}
fi
- ppp_common_ip_down ${zone} $@
-
+ ppp_common_ipv4_down "${zone}" "$@"
exit $?
}
-function _ppp-ipv6-up() {
- local zone=${1}
+function hook_ppp_ipv6_up() {
+ local zone="${1}"
+ assert isset zone
shift
- if ! zone_exists ${zone}; then
+ if ! zone_exists "${zone}"; then
error "Zone '${zone}' does not exist."
exit ${EXIT_ERROR}
fi
- ppp_common_ipv6_up ${zone} $@
-
+ ppp_common_ipv6_up "${zone}" "$@"
exit $?
}
-function _ppp-ipv6-down() {
- local zone=${1}
+function hook_ppp_ipv6_down() {
+ local zone="${1}"
+ assert isset zone
shift
- if ! zone_exists ${zone}; then
+ if ! zone_exists "${zone}"; then
error "Zone '${zone}' does not exist."
exit ${EXIT_ERROR}
fi
- ppp_common_ipv6_down ${zone} $@
-
+ ppp_common_ipv6_down "${zone}" "$@"
exit $?
}
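Review bot: `hook_ppp_ipv6_up` and `hook_ppp_ipv6_down` still report a missing zone with `error "Zone '${zone}' does not exist."`, while the IPv4 and pre-up siblings rewritten in the same change switched to `log ERROR ...`; the IPv6 `if` lines were touched (quoting added) so this looks like an oversight rather than a choice. Use `log ERROR "Zone '${zone}' does not exist."` in both so all five PPP hooks log the same way.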
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2012 IPFire Network Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+. /usr/lib/network/functions
+
+# Read firewall configuration.
+firewall_config_read
+
+# Initialize kernel parameters for the firewall.
+firewall_kernel_init
+
+exit ${EXIT_OK}
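Review bot: the helper always ends with `exit ${EXIT_OK}`, so a failure inside `firewall_kernel_init` (a sysctl that cannot be written, say) is invisible to systemd; `firewall-init.service` is `Type=oneshot` and the firewall and network units `Requires=` it, so they will proceed on a box whose kernel hardening did not apply. Propagate the result instead: `firewall_kernel_init || exit ${EXIT_ERROR}`. Also worth confirming, since `firewall_kernel_init` itself is not in this diff: the deleted sysctl files set `accept_source_route=0` and `arp_filter=1` besides the forwarding and rp_filter knobs, and none of the `FIREWALL_*` options in the new man page obviously cover those two.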
ADDRESS=$(mac_generate)
SLAVES=
-function _check() {
+function hook_check() {
assert isset ADDRESS
assert ismac ADDRESS
}
-function _create() {
+function hook_create() {
while [ $# -gt 0 ]; do
case "${1}" in
--address=*)
exit ${EXIT_OK}
}
-function _edit() {
+function hook_edit() {
local port=${1}
assert isset port
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _hotplug() {
+function hook_hotplug() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local port=${1}
assert isset port
# to 1528, that normal ethernet packets with 1500 bytes can pass the network.
MTU=1528
-function _check() {
+function hook_check() {
assert isset ADDRESS
assert ismac ADDRESS
assert isset CHANNEL
assert isset SSID
}
-function _create() {
+function hook_create() {
while [ $# -gt 0 ]; do
case "${1}" in
--address=*)
exit ${EXIT_OK}
}
-function _edit() {
+function hook_edit() {
local port=${1}
assert isset port
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _hotplug() {
+function hook_hotplug() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _find_parent() {
+function hook_find_parent() {
local port=${1}
assert isset port
SLAVES=""
MIIMON=100
-function _check() {
+function hook_check() {
assert isset ADDRESS
assert ismac ADDRESS
assert isinteger MIIMON
}
-function _create() {
+function hook_create() {
_edit $@
}
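Review bot: the bonding port hook's `hook_create` still delegates to `_edit`, which is renamed to `hook_edit` immediately below, so creating a bonding port will fail with a command-not-found. It should be `hook_edit "$@"` (quoting `$@` while at it, as the rewritten header functions in this change do).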
-function _edit() {
+function hook_edit() {
local port=${1}
assert isset port
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local device=${1}
assert isset device
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local device=${1}
bonding_remove ${device}
HOOK_SETTINGS="HOOK ADDRESS"
-function _check() {
+function hook_check() {
assert ismac ADDRESS
}
-function _create() {
+function hook_create() {
while [ $# -gt 0 ]; do
case "${1}" in
--address=*)
exit ${EXIT_OK}
}
-function _edit() {
+function hook_edit() {
local port=${1}
assert isset port
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _hotplug_rename() {
+function hook_hotplug_rename() {
local port=${1}
assert isset port
HOOK_SETTINGS="HOOK ADDRESS DEVICE"
-function _check() {
+function hook_check() {
assert ismac DEVICE
if isset ADDRESS; then
fi
}
-function _create() {
+function hook_create() {
local port=${1}
assert isset port
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _hotplug_rename() {
+function hook_hotplug_rename() {
local port=${1}
assert isset port
HOOK_SETTINGS="HOOK ADDRESS PARENT"
-function _check() {
+function hook_check() {
assert isset PARENT
assert ismac ADDRESS
}
-function _create() {
+function hook_create() {
while [ $# -gt 0 ]; do
case "${1}" in
--parent-device=*)
exit ${EXIT_OK}
}
-function _edit() {
+function hook_edit() {
local port=${1}
assert isset port
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local port=${1}
assert isset port
PORT_PARENTS_VAR="PARENT"
-function _check() {
+function hook_check() {
assert isset PARENT_DEVICE
assert isinteger TAG
done
}
-function _create() {
+function hook_create() {
while [ $# -gt 0 ]; do
case "${1}" in
--parent-device=*)
exit ${EXIT_OK}
}
-function _edit() {
+function hook_edit() {
local port=${1}
assert isset port
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local port=${1}
assert isset port
MODE="g"
SSID=
-function _check() {
+function hook_check() {
assert isset ADDRESS
assert ismac ADDRESS
assert isset BROADCAST_SSID
fi
}
-function _create() {
+function hook_create() {
while [ $# -gt 0 ]; do
case "${1}" in
--broadcast-ssid=*)
exit ${EXIT_OK}
}
-function _edit() {
+function hook_edit() {
local port=${1}
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local port=${1}
assert isset port
exit ${EXIT_OK}
}
-function _hotplug() {
+function hook_hotplug() {
local port=${1}
assert isset port
USERNAME=
PASSWORD=
-function _check() {
+function hook_check() {
assert isset SERVER_ADDRESS
assert isset LOCAL_ADDRESS
assert isset LOCAL_ADDRESS6
fi
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
local value
while [ $# -gt 0 ]; do
done
}
-function _up() {
+function hook_up() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
TUNNEL_ID=
REQUIRE_TLS="true"
-function _check() {
+function hook_check() {
assert isset USERNAME
assert isset PASSWORD
assert isset SERVER
fi
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
local value
while [ $# -gt 0 ]; do
done
}
-function _up() {
+function hook_up() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
STP_MAXAGE=20
STP_PRIORITY=512
-function _check() {
+function hook_check() {
assert ismac MAC
assert isbool STP
assert isoneof STP_MODE stp rstp
assert isinteger MTU
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
while [ $# -gt 0 ]; do
case "${1}" in
--stp=*)
done
}
-function _up() {
+function hook_up() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
# Default settings.
DELAY=0
-function _check() {
+function hook_check() {
assert isset DELAY
assert isinteger DELAY
}
-function _create() {
+function hook_create() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local zone=${1}
local config=${2}
shift 2
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
local config=${2}
shift 2
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
local config=${2}
shift 2
HOOK_SETTINGS="HOOK ADDRESS PREFIX GATEWAY"
-function _check() {
+function hook_check() {
assert isset ADDRESS
assert isinteger PREFIX
fi
}
-function _create() {
+function hook_create() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local zone=${1}
local config=${2}
shift 2
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
local config=${2}
shift 2
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
local config=${2}
shift 2
HOOK_SETTINGS="HOOK ADDRESS PREFIX GATEWAY"
-function _check() {
+function hook_check() {
assert isset ADDRESS
assert isinteger PREFIX
fi
}
-function _create() {
+function hook_create() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local zone=${1}
local config=${2}
shift 2
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
local config=${2}
shift 2
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
local config=${2}
shift 2
# 0 = unlimited.
MAX_SESSIONS=0
-function _check() {
+function hook_check() {
assert isset MTU
assert isset SUBNET
assert isset MAX_SESSIONS
}
-function _create() {
+function hook_create() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local zone=${1}
local config=${2}
shift 2
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
local config=${2}
shift 2
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
local config=${2}
shift 2
HOOK_SETTINGS="COST PRIORITY"
-function _check() {
+function hook_check() {
local i
for i in COST PRIORITY; do
if isset ${i}; then
done
}
-function _add() {
+function hook_add() {
local zone=${1}
local port=${2}
shift 2
exit ${EXIT_OK}
}
-function _edit() {
- _add $@
+function hook_edit() {
+ hook_add $@
}
-function _rem() {
+function hook_remove() {
local zone=${1}
local port=${2}
exit ${EXIT_OK}
}
-function _up() {
+function hook_up() {
local zone=${1}
local port=${2}
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
local port=${2}
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
local port=${2}
ISDN_ALLOWED_AUTHS="chap pap"
-function _check() {
+function hook_check() {
assert isset USER
assert isset SECRET
assert isset LINKNAME
isset AUTH && assert isoneof AUTH ${ISDN_ALLOWED_AUTHS}
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
local value
while [ $# -gt 0 ]; do
done
}
-function _up() {
+function hook_up() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
MODE="persistent"
-function _check() {
+function hook_check() {
assert isset LOCAL_ADDRESS
assert isset REMOTE_ADDRESS
isset AUTH && assert isoneof AUTH ${ISDN_ALLOWED_AUTHS}
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
local value
while [ $# -gt 0 ]; do
done
}
-function _up() {
+function hook_up() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
PHONE_NUMBER=
HOOK_SETTINGS="${HOOK_SETTINGS} PHONE_NUMBER"
-function _check() {
+function hook_check() {
assert isset DEVICE
assert isset PHONE_NUMBER
isset AUTH && assert isoneof AUTH ${MODEM_ALLOWED_AUTH_METHODS}
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
local value
while [ $# -gt 0 ]; do
done
}
-function _up() {
+function hook_up() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _ppp_write_config() {
+function hook_ppp_write_config() {
local zone=${1}
assert isset zone
. /usr/lib/network/header-zone
HOOK_SETTINGS="HOOK ACCESS_CONCENTRATOR AUTH USERNAME PASSWORD"
-HOOK_SETTINGS="${HOOK_SETTINGS} SERVICE_NAME MTU PORT"
+HOOK_SETTINGS="${HOOK_SETTINGS} SERVICE_NAME MTU PORT IPV6 PREFIX_DELEGATION"
# User credentials for the dialin.
USERNAME=""
PPPOE_SUPPORTED_AUTH_METHODS="${PPP_SUPPORTED_AUTH_METHODS}"
PPPOE_PLUGIN="rp-pppoe.so"
-function _check() {
+# Request an IPv6 address.
+IPV6="true"
+
+# Use IPv6 prefix delegation.
+PREFIX_DELEGATION="false"
+
+function hook_check() {
assert isset USERNAME
assert isset PASSWORD
# Check for a valid port setting.
assert isset PORT
assert port_exists ${PORT}
+
+ assert isset IPV6
+ assert isset PREFIX_DELEGATION
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
while [ $# -gt 0 ]; do
case "${1}" in
--access-concentrator=*)
--auth=*)
AUTH=$(cli_get_val ${1})
;;
+ --ipv6=*)
+ local value="$(cli_get_val "${1}")"
+ if enabled value; then
+ IPV6="true"
+ else
+ IPV6="false"
+ fi
+ ;;
--mtu=*)
MTU=$(cli_get_val ${1})
;;
--port=*)
PORT=$(cli_get_val ${1})
;;
+ --prefix-delegation=*)
+ PREFIX_DELEGATION="$(cli_get_bool "${1}")"
+ ;;
--service-name=*)
SERVICE_NAME=$(cli_get_val ${1})
;;
done
}
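Review bot: the two new boolean options in `hook_parse_cmdline` are parsed differently: `--prefix-delegation=*` goes through the new `cli_get_bool` helper while `--ipv6=*` open-codes the same `enabled`/true/false dance in six lines; `IPV6="$(cli_get_bool "${1}")"` does the same thing and keeps the two in step. Relatedly, `hook_check` just above only asserts that `IPV6` and `PREFIX_DELEGATION` are set, yet both are in `HOOK_SETTINGS` and so come back from the settings file; `assert isbool IPV6` and `assert isbool PREFIX_DELEGATION` (as the bridge hook does for `STP`) would reject a hand-edited value before it is handed to the PPP config writer.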
-function _up() {
+function hook_up() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _discover() {
+function hook_discover() {
local device=${1}
if [ "$(device_get_type ${device})" != "real" ]; then
exit ${DISCOVER_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _ppp_write_config() {
+function hook_ppp_write_config() {
local zone=${1}
assert isset zone
--password="${PASSWORD}" \
--mtu="${MTU}" \
--auth="${AUTH}" \
+ --ipv6="${IPV6}" \
\
--plugin="${PPPOE_PLUGIN}" \
--plugin-options="${plugin_options}"
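Review bot: `hook_ppp_write_config` passes the new `--ipv6="${IPV6}"` through, but nothing in this diff reads `PREFIX_DELEGATION` after it is parsed and validated; if prefix delegation is meant to be requested here, a `--prefix-delegation="${PREFIX_DELEGATION}" \` line is missing, and if it is consumed somewhere else a one-line comment next to the setting saying where would stop readers wondering. The function starts before this hunk, so the part of the argument list not shown may already handle it.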
MAC=$(mac_generate)
MTU=1500
-function _check() {
+function hook_check() {
assert ismac MAC
assert isinteger MTU
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
while [ $# -gt 0 ]; do
case "${1}" in
--mtu=*)
done
}
-function _up() {
+function hook_up() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
SERVER=""
-function _check() {
+function hook_check() {
assert isset SERVER
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
local value
while [ $# -gt 0 ]; do
done
}
-function _up() {
+function hook_up() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
KEY=
ENCRYPTION_MODE=
-function _check() {
+function hook_check() {
assert isset SSID
if isset ADDRESS; then
fi
}
-function _parse_cmdline() {
+function hook_parse_cmdline() {
while [ $# -gt 0 ]; do
case "${1}" in
--phy=*|--parent-device=*)
PHY=$(phy_get_address ${PHY})
}
-function _up() {
+function hook_up() {
local zone=${1}
assert isset zone
exit ${EXIT_OK}
}
-function _down() {
+function hook_down() {
local zone=${1}
shift
exit ${EXIT_OK}
}
-function _status() {
+function hook_status() {
local zone=${1}
assert isset zone
--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<refentry id="firewall-config">
+ <refentryinfo>
+ <title>firewall-config</title>
+ <productname>network</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Michael</firstname>
+ <surname>Tremer</surname>
+ <email>michael.tremer@ipfire.org</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>firewall-config</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>firewall-config</refname>
+ <refpurpose>Firewall Configuration Control Program</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>firewall-config</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>firewall-config <replaceable>KEY=VALUE</replaceable></command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>
+ The <command>firewall-config</command> command may be used to set
+ global firewall configuration options.
+ </para>
+ <para>
+ Please have a look at the individual man pages for more options.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Commands</title>
+
+ <para>
+ If no additional argument is given, running the command will
+ dump a list of all configuration variables and their current values.
+ </para>
+
+ <para>
+ You may set a new value by adding the variable name and the new
+ value to the command line.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Variables</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>
+ <varname>CONNTRACK_MAX_CONNECTIONS</varname> = <replaceable>16384</replaceable>
+ </term>
+
+ <listitem>
+ <para>
+ Limits the max. number of simultaneous connections.
+ </para>
+ <para>
+ Modify this if you want to handle a larger number of concurrent
+ connections. Every connection will use approx. 16 kBytes of memory.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>CONNTRACK_UDP_TIMEOUT</varname> = <replaceable>60</replaceable>
+ </term>
+
+ <listitem>
+ <para>
+ Defines the timeout (in seconds) the kernel will wait until
+ a half-assured UDP connection is fully established.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_ACCEPT_ICMP_REDIRECTS</varname> = [true|<emphasis>false</emphasis>]
+ </term>
+
+ <listitem>
+ <para>
+ Enable if you want to accept ICMP redirect messages.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_CLAMP_PATH_MTU</varname> = [true|<emphasis>false</emphasis>]
+ </term>
+
+ <listitem>
+ <para>
+ If Path MTU Discovery does not work well, enable this option.
+ It sets the MSS value of a packet so that the remote site would
+ never send a packet bigger than the MSS value.
+ </para>
+ <para>
+ No ICMP packets are needed to make this work, so use this on
+ networks with broken ICMP filtering.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_DEFAULT_TTL</varname> = <replaceable>64</replaceable>
+ </term>
+
+ <listitem>
+ <para>
+ Here you can change the default TTL used for sending packets.
+ </para>
+ <para>
+ The given value must be between 10 and 255.
+ Don't mess with this unless you know what you are doing.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_LOG_BAD_TCP_FLAGS</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable this to log TCP packets with bad flags or options.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_LOG_INVALID_ICMP</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable this to log INVALID ICMP packets.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_LOG_INVALID_TCP</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable this to log INVALID TCP packets.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_LOG_INVALID_UDP</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable this to log INVALID UDP packets.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_LOG_MARTIANS</varname> = [true|<emphasis>false</emphasis>]
+ </term>
+
+ <listitem>
+ <para>
+ Enable this to log packets with impossible addresses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_LOG_STEALTH_SCANS</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable this to log all stealth scans.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_PMTU_DISCOVERY</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enables Path MTU Discovery.
+ Disable it when you are experiencing problems.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_RP_FILTER</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable to drop connection from non-routable IPs,
+ e.g. prevent source routing.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_SYN_COOKIES</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable for SYN-flood protection.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_USE_ECN</varname> = [true|<emphasis>false</emphasis>]
+ </term>
+
+ <listitem>
+ <para>
+ Enables the ECN (Explicit Congestion Notification) TCP flag.
+ </para>
+ <para>
+ Some routers on the Internet still do not support ECN properly,
+ so this is not enabled by default.
+ When this setting is disabled, ECN is only advertised
+ when asked for.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+
+ <para>
+ <citerefentry>
+ <refentrytitle>firewall</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
assert hook_zone_exists ${HOOK}
PROGNAME=$(basename ${0})
- assert isset PROGNAME
+ METHOD=""
+ case "${PROGNAME}" in
+ ip-pre-up)
+ METHOD="ppp_ip_pre_up"
+ ;;
+ ipv6-down)
+ METHOD="ppp_ipv6_down"
+ ;;
+ ipv6-up)
+ METHOD="ppp_ipv6_up"
+ ;;
+ ip-down)
+ METHOD="ppp_ipv4_down"
+ ;;
+ ip-up)
+ METHOD="ppp_ipv4_up"
+ ;;
+ esac
+ assert isset METHOD
- log DEBUG "${PROGNAME} was called with the following parameters:"
+ log DEBUG "${PROGNAME}/${METHOD} was called with the following parameters:"
log DEBUG " $@"
- hook_zone_exec ${HOOK} ppp-${PROGNAME} ${ZONE}
- ret=$?
-
- exit ${ret}
+ hook_zone_exec "${HOOK}" "${METHOD}" "${ZONE}"
+ exit $?
fi
exit ${EXIT_OK}
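Review bot: the `case "${PROGNAME}"` that maps the pppd hook name to a method has no `*)` arm, so an unexpected name (a mis-named symlink, or a hook not yet mapped) surfaces only as the generic `assert isset METHOD` failure, which does not say which name was unrecognized. A default arm, `*) log ERROR "Unknown PPP hook name '${PROGNAME}'"; exit ${EXIT_ERROR} ;;`, makes that diagnosable from the log. The `if` this sits in begins before the hunk.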
+++ /dev/null
-# Kernel configuration file for IPv4
-#
-
-# Enable IPv4 packet forwarding
-net.ipv4.ip_forward = 1
-
-# Enable source route verification
-net.ipv4.conf.default.rp_filter = 1
-
-# Do not accept source routing
-net.ipv4.conf.default.accept_source_route = 0
-
-# Enable ARP filter
-net.ipv4.conf.default.arp_filter = 1
+++ /dev/null
-# Kernel configuration file for IPv6
-#
-
-# Enable IPv6 forwarding
-net.ipv6.conf.all.forwarding = 1
-net.ipv6.conf.default.forwarding = 1
--- /dev/null
+[Unit]
+Description=Initialize kernel parameters for the firewalls
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/network/helpers/firewall-kernel-init
[Unit]
Description=Firewall for IPv4
-Before=network.service
+After=firewall-init.service
+Before=network.target
+Requires=firewall-init.service
[Service]
Type=oneshot
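Review bot: `firewall4.service` is now ordered only against `firewall-init.service` and `network.target`; nothing here orders it before `network.service` or `network@.service`, whose hunks in this change likewise gain only `After=firewall-init.service`. With both sides merely `Before=network.target`, systemd may bring zones up while the IPv4 ruleset is still loading — and if `firewall_kernel_init` enables forwarding as the deleted sysctl files did, that window forwards traffic under whatever the default policy is. Add `Before=network.service network@.service` here (and the same in `firewall6.service`), or have the network units declare `After=firewall4.service firewall6.service`; if that ordering already exists in unit lines these hunks do not show, disregard.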
[Unit]
Description=Firewall for IPv6
-Before=network.service
+After=firewall-init.service
+Before=network.target
+Requires=firewall-init.service
[Service]
Type=oneshot
[Unit]
Description=Network Connectivity
+After=firewall-init.service
Before=network.target
+Requires=firewall-init.service
[Service]
Type=oneshot
[Unit]
Description=Network Connectivity for zone %I
+After=firewall-init.service
+Requires=firewall-init.service
[Service]
Type=oneshot