# man pages
MAN_PAGES = \
+ man/firewall-config.8 \
man/network.8 \
man/network-config.8 \
man/network-device.8 \
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 IPFire Network Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+# Accounting
+
+function conntrack_get_accounting() {
+ sysctl_get "net.netfilter.nf_conntrack_acct"
+}
+
+function conntrack_set_accounting() {
+ local value="${1}"
+ assert isset value
+
+ # Convert boolean values into 0 and 1.
+ if enabled value; then
+ log INFO "Enabling connection tracking accounting"
+ value="1"
+ else
+ log INFO "Disabling connection tracking accounting"
+ value="0"
+ fi
+
+ sysctl_set "net.netfilter.nf_conntrack_acct" "${value}"
+}
+
+# Max. connections
+
+function conntrack_get_max_connections() {
+ sysctl_get "net.netfilter.nf_conntrack_max"
+}
+
+function conntrack_set_max_connections() {
+ local value="${1}"
+ assert isinteger value
+
+ log INFO "Conntrack: Setting max. amount of concurrent connections to ${value}"
+ sysctl_set "net.netfilter.nf_conntrack_max" "${value}"
+}
+
+# UDP timeout
+
+function conntrack_get_udp_timeout() {
+ sysctl_get "net.netfilter.nf_conntrack_udp_timeout"
+}
+
+function conntrack_set_udp_timeout() {
+ local value="${1}"
+ assert isinteger value
+
+ log INFO "Conntrack: Setting UDP timeout to ${value}s"
+ sysctl_set "net.netfilter.nf_conntrack_udp_timeout" "${value}"
+}
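Review bot: `conntrack_set_max_connections` accepts any integer, because `assert isinteger value` is its only check, and as far as I recall the kernel treats a `nf_conntrack_max` of 0 as "no limit", so a mis-set CONNTRACK_MAX_CONNECTIONS silently removes the very ceiling the option exists to enforce. I would reject non-positive values before the write, e.g. `[ "${value}" -gt 0 ] || { log ERROR "Conntrack: max. connections must be positive, got '${value}'"; return ${EXIT_ERROR}; }`. The same applies to `conntrack_set_udp_timeout`, where a zero timeout is written unchecked and would expire UDP entries immediately. Whether isinteger already rejects a leading minus sign I cannot tell from this hunk.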
FIREWALL_CLAMP_PATH_MTU="false"
FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_CLAMP_PATH_MTU"
+# Conntrack: Max. amount of simultaneous connections.
+CONNTRACK_MAX_CONNECTIONS="16384"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_MAX_CONNECTIONS"
+
+# Conntrack: UDP timeout
+CONNTRACK_UDP_TIMEOUT="60"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} CONNTRACK_UDP_TIMEOUT"
+
+# Use SYN cookies or not
+FIREWALL_SYN_COOKIES="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_SYN_COOKIES"
+
+# rp_filter
+FIREWALL_RP_FILTER="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_RP_FILTER"
+
+# Log martians
+FIREWALL_LOG_MARTIANS="false"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_LOG_MARTIANS"
+
+# Accept ICMP redirects
+FIREWALL_ACCEPT_ICMP_REDIRECTS="false"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_ACCEPT_ICMP_REDIRECTS"
+
+# ECN (Explicit Congestion Notification)
+FIREWALL_USE_ECN="false"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_USE_ECN"
+
+# Path MTU discovery
+FIREWALL_PMTU_DISCOVERY="true"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_PMTU_DISCOVERY"
+
+# Default TTL
+FIREWALL_DEFAULT_TTL="64"
+FIREWALL_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS} FIREWALL_DEFAULT_TTL"
+
FIREWALL4_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS}"
FIREWALL6_CONFIG_PARAMS="${FIREWALL_CONFIG_PARAMS}"
# #
###############################################################################
+# This function initializes all kernel parameters that need to be adjusted
+# to run this firewall properly.
+function firewall_kernel_init() {
+ log INFO "Configuring kernel parameters..."
+ local option
+
+ # Enable conntrack accounting
+ conntrack_set_accounting "true"
+
+ # Adjust max. amount of simultaneous connections
+ conntrack_set_max_connections "${CONNTRACK_MAX_CONNECTIONS}"
+
+ # Increase UDP connection timeout (fixes DNS)
+ conntrack_set_udp_timeout "${CONNTRACK_UDP_TIMEOUT}"
+
+ # Disable sending redirects
+ log INFO "Disabling sending redirects"
+ sysctl_set_recursively "net.ipv6.conf" "send_redirects" 0
+ sysctl_set_recursively "net.ipv4.conf" "send_redirects" 0
+
+ # Enable source route protection
+ log INFO "Enabling source route protection"
+ sysctl_set_recursively "net.ipv6.conf" "accept_source_route" 0
+ sysctl_set_recursively "net.ipv4.conf" "accept_source_route" 0
+
+ # ICMP broadcast protection (smurf amplifier protection)
+ log INFO "Enabling ICMP broadcast protection (smurf amplifier protection)"
+ sysctl_set "net.ipv4.icmp_echo_ignore_broadcasts" 1
+
+ # ICMP Dead Error Message protection
+ log INFO "Enabling ICMP dead error message protection"
+ sysctl_set "net.ipv4.icmp_ignore_bogus_error_responses" 0
+
+ # Enable packet forwarding
+ log INFO "Enabling packet forwarding"
+ sysctl_set_recursively "net.ipv6.conf" "forwarding" 1
+ sysctl_set_recursively "net.ipv4.conf" "forwarding" 1
+
+ # Setting some kernel performance options
+ log INFO "Setting some kernel performance options"
+ for option in window_scaling timestamps sack dsack fack; do
+ sysctl_set "net.ipv4.tcp_${option}" 1
+ done
+ sysctl_set "net.ipv4.tcp_low_latency" 0
+
+ # Reduce DoS ability by reducing timeouts
+ log INFO "Reducing DoS ability"
+ sysctl_set "net.ipv4.tcp_fin_timeout" 30
+ sysctl_set "net.ipv4.tcp_keepalive_time" 1800
+
+ # Set number of times to retry SYN in a new connection
+ sysctl_set "net.ipv4.tcp_syn_retries" 3
+
+ # Set number of times to retry a SYN-ACK in a half-open new connection
+ sysctl_set "net.ipv4.tcp_synack_retries" 2
+
+ # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
+ sysctl_set "net.ipv4.tcp_rfc1337" 1
+
+ # SYN-flood protection
+ if enabled FIREWALL_SYN_COOKIES; then
+ log INFO "Enabling SYN-flood protection via SYN-cookies"
+ sysctl_set_bool "net.ipv4.tcp_syncookies" 1
+ else
+ log INFO "Disabling SYN-flood protection via SYN-cookies"
+ sysctl_set_bool "net.ipv4.tcp_syncookies" 0
+ fi
+
+ # rp_filter
+ if enabled FIREWALL_RP_FILTER; then
+ log INFO "Enabling anti-spoof from non-routable IP addresses"
+ sysctl_set_recursively "net.ipv4.conf" "rp_filter" 1
+ else
+ log INFO "Disabling anti-spoof from non-routable IP addresses"
+ sysctl_set_recursively "net.ipv4.conf" "rp_filter" 0
+ fi
+
+ # Log martians
+ if enabled FIREWALL_LOG_MARTIANS; then
+ log INFO "Enabling the logging of martians"
+ sysctl_set_recursively "net.ipv4.conf" "log_martians" 1
+ else
+ log INFO "Disabling the logging of martians"
+ sysctl_set_recursively "net.ipv4.conf" "log_martians" 0
+ fi
+
+ # ICMP redirect messages
+ if enabled FIREWALL_ACCEPT_ICMP_REDIRECTS; then
+ log INFO "Enabling accepting ICMP-redirect messages"
+ sysctl_set_recursively "net.ipv6.conf" "accept_redirects" 1
+ sysctl_set_recursively "net.ipv4.conf" "accept_redirects" 1
+ else
+ log INFO "Disabling accepting ICMP-redirect messages"
+ sysctl_set_recursively "net.ipv6.conf" "accept_redirects" 0
+ sysctl_set_recursively "net.ipv4.conf" "accept_redirects" 0
+ fi
+
+ # Explicit Congestion Notification
+ if enabled FIREWALL_USE_ECN; then
+ log INFO "Enabling ECN (Explicit Congestion Notification)"
+ sysctl_set "net.ipv4.tcp_ecn" 1
+ else
+ log INFO "Disabling ECN (Explicit Congestion Notification)"
+ sysctl_set "net.ipv4.tcp_ecn" 2
+ fi
+
+ # Dynamic IP address hacking
+ log INFO "Enabling kernel support for dynamic IP addresses"
+ sysctl_set "net.ipv4.ip_dynaddr" 1
+
+ if enabled FIREWALL_PMTU_DISCOVERY; then
+ log INFO "Enabling PMTU discovery"
+ sysctl_set "net.ipv4.ip_no_pmtu_disc" 0
+ else
+ log INFO "Disabling PMTU discovery"
+ sysctl_set "net.ipv4.ip_no_pmtu_disc" 1
+ fi
+
+ # TTL
+ if ipv4_ttl_valid "${FIREWALL_DEFAULT_TTL}"; then
+ log INFO "Setting default TTL to ${FIREWALL_DEFAULT_TTL}"
+ sysctl_set "net.ipv4.ip_default_ttl" "${FIREWALL_DEFAULT_TTL}"
+ else
+ log ERROR "Invalid value for default TTL '${FIREWALL_DEFAULT_TTL}'"
+ log ERROR " Must be between 10 and 255!"
+ fi
+
+ return ${EXIT_OK}
+}
+
# High-level function which will create a ruleset for the current firewall
# configuration and load it into the kernel.
function firewall_start() {
return ${EXIT_FALSE}
}
+
+function ipv4_ttl_valid() {
+ local ttl="${1}"
+
+ isinteger ttl || return ${EXIT_FALSE}
+
+ # Must be between 10 and 255.
+ [ "${ttl}" -lt 10 ] && return ${EXIT_FALSE}
+ [ "${ttl}" -gt 255 ] && return ${EXIT_FALSE}
+
+ return ${EXIT_TRUE}
+}
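Review bot: The "ICMP Dead Error Message protection" step writes `net.ipv4.icmp_ignore_bogus_error_responses` as 0, while the log line says the protection is being enabled; in the kernel this sysctl is "ignore when 1", so 0 keeps the kernel logging every bogus broadcast error response, and the value or the message is inverted — I believe it should be `sysctl_set "net.ipv4.icmp_ignore_bogus_error_responses" 1`. Separately, `firewall_kernel_init` never looks at the return code of any `sysctl_set`/`sysctl_set_recursively` call and the invalid-TTL branch only logs before the function still returns `${EXIT_OK}`, so the caller cannot tell a partially applied hardening from a complete one; at minimum the TTL branch should end with `return ${EXIT_ERROR}`. `ipv4_ttl_valid` itself looks correct given that `isinteger` rejects empty and non-numeric input, which I am assuming from its use with assert elsewhere in the file.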
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2013 IPFire Network Development Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+SYSCTL_PATH="/proc/sys"
+
+function sysctl_key_to_path() {
+ local key="${1}"
+ assert isset key
+
+ print "${SYSCTL_PATH}/${key//.//}"
+
+ return ${EXIT_OK}
+}
+
+function sysctl_key_exists() {
+ local key="${1}"
+ assert isset key
+
+ local path="$(sysctl_key_to_path "${key}")"
+
+ [ -e "${path}" ] && return ${EXIT_OK}
+ return ${EXIT_ERROR}
+}
+
+function sysctl_get() {
+ local key="${1}"
+ assert isset key
+
+ fread "$(sysctl_key_to_path "${key}")" || return $?
+ return ${EXIT_OK}
+}
+
+function sysctl_set() {
+ local key="${1}"
+ assert isset key
+
+ local value="${2}"
+
+ fwrite "$(sysctl_key_to_path "${key}")" "${value}" || return $?
+ return ${EXIT_OK}
+}
+
+function sysctl_set_bool() {
+ local key="${1}"
+
+ local value="${2}"
+ if enabled value; then
+ value="1"
+ else
+ value="0"
+ fi
+
+ sysctl_set "${key}" "${value}"
+}
+
+function sysctl_set_recursively() {
+ local basekey="${1}"
+ assert isset basekey
+
+ local subkey="${2}"
+ assert isset subkey
+
+ local value="${3}"
+
+ local basepath="$(sysctl_key_to_path "${basekey}")"
+ local subpath="/${subkey//\.//}"
+
+ local path
+ for path in $(find "${basepath}" -type f); do
+ [[ ${path} =~ ${subpath}$ ]] || continue
+
+ fwrite "${path}" "${value}"
+ done
+
+ return ${EXIT_OK}
+}
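Review bot: `sysctl_key_to_path` replaces every dot with a slash, so a key that names an interface containing a dot (VLAN-style `eth0.100`, giving `net.ipv4.conf.eth0.100.rp_filter`) resolves to a path that does not exist under /proc/sys and `sysctl_set` fails for exactly the per-interface keys a firewall is likely to touch; sysctl(8) deals with this by letting callers write such keys with `/` as the separator, and the helper could do the same by leaving keys that already contain a `/` untouched. In `sysctl_set_recursively` the `for path in $(find …)` loop word-splits the output and discards fwrite's exit status, so a read-only or vanished node is skipped silently and the function still reports EXIT_OK. A NUL-delimited loop that records the first failure keeps the interface and makes the result meaningful to callers.
```shell
	local ret=${EXIT_OK}
	local path
	while IFS= read -r -d '' path; do
		[[ ${path} =~ ${subpath}$ ]] || continue

		fwrite "${path}" "${value}" || ret=${EXIT_ERROR}
	done < <(find "${basepath}" -type f -print0)

	return ${ret}
```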
+#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# #
###############################################################################
-# Enable connection tracking accounting.
-net.netfilter.nf_conntrack_acct=1
+. /usr/lib/network/functions
+
+# Initialize kernel parameters for the firewall.
+firewall_kernel_init
+
+exit ${EXIT_OK}
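Review bot: The helper exits with `${EXIT_OK}` regardless of what `firewall_kernel_init` returned, so firewall-init.service (a oneshot that firewall4, firewall6 and the network units now `Requires=`) reports success even when the kernel parameters could not be applied and the dependent units start on an unhardened kernel. Propagating the status, `firewall_kernel_init || exit $?`, would make the unit fail and hold back the dependents, which is the fail-closed behaviour the Requires= wiring seems intended to provide. Note this only helps once firewall_kernel_init itself surfaces write failures, which the function in functions.firewall currently does not.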
--- /dev/null
+<?xml version="1.0"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS/DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<refentry id="firewall-config">
+ <refentryinfo>
+ <title>firewall-config</title>
+ <productname>network</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Michael</firstname>
+ <surname>Tremer</surname>
+ <email>michael.tremer@ipfire.org</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>firewall-config</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>firewall-config</refname>
+ <refpurpose>Firewall Configuration Control Program</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>firewall-config</command>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>firewall-config <replaceable>KEY=VALUE</replaceable></command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>
+ The <command>firewall-config</command> command may be used to set
+ global firewall configuration options.
+ </para>
+ <para>
+ Please have a look at the individual man pages for more options.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Commands</title>
+
+ <para>
+ If no additional argument is given, running the command will
+ dump a list of all configuration variables and their current values.
+ </para>
+
+ <para>
+ You may set a new value by adding the variable name and the new
+ value to the command line.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>Variables</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>
+ <varname>CONNTRACK_MAX_CONNECTIONS</varname> = <replaceable>16384</replaceable>
+ </term>
+
+ <listitem>
+ <para>
+ Limits the max. number of simultaneous connections.
+ </para>
+ <para>
+ Modify this if you want to handle a larger number of concurrent
+ connections. Every connection will use approx. 16 kBytes of memory.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>CONNTRACK_UDP_TIMEOUT</varname> = <replaceable>60</replaceable>
+ </term>
+
+ <listitem>
+ <para>
+ Defines the timeout (in seconds) the kernel will wait until
+ a half-assured UDP connection is fully established.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_ACCEPT_ICMP_REDIRECTS</varname> = [true|<emphasis>false</emphasis>]
+ </term>
+
+ <listitem>
+ <para>
+ Enable if you want to accept ICMP redirect messages.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_CLAMP_PATH_MTU</varname> = [true|<emphasis>false</emphasis>]
+ </term>
+
+ <listitem>
+ <para>
+ If Path MTU Discovery does not work well, enable this option.
+ It sets the MSS value of a packet so that the remote site would
+ never send a packet bigger than the MSS value.
+ </para>
+ <para>
+ No ICMP packets are needed to make this work, so use this on
+ networks with broken ICMP filtering.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_DEFAULT_TTL</varname> = <replaceable>64</replaceable>
+ </term>
+
+ <listitem>
+ <para>
+ Here you can change the default TTL used for sending packets.
+ </para>
+ <para>
+ The given value must be between 10 and 255.
+ Don't mess with this unless you know what you are doing.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_LOG_MARTIANS</varname> = [true|<emphasis>false</emphasis>]
+ </term>
+
+ <listitem>
+ <para>
+ Enable this to log packets with impossible addresses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_PMTU_DISCOVERY</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enables Path MTU Discovery.
+ Disable it when you are experiencing problems.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_RP_FILTER</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable to drop connection from non-routable IPs,
+ e.g. prevent source routing.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_SYN_COOKIES</varname> = [<emphasis>true</emphasis>|false]
+ </term>
+
+ <listitem>
+ <para>
+ Enable for SYN-flood protection.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <varname>FIREWALL_USE_ECN</varname> = [true|<emphasis>false</emphasis>]
+ </term>
+
+ <listitem>
+ <para>
+ Enables the ECN (Explicit Congestion Notification) TCP flag.
+ </para>
+ <para>
+ Some routers on the Internet still do not support ECN properly,
+ so this is not enabled by default.
+ When this setting is disabled, ECN is only advertised
+ when asked for.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+
+ <para>
+ <citerefentry>
+ <refentrytitle>firewall</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+++ /dev/null
-# Kernel configuration file for IPv4
-#
-
-# Enable IPv4 packet forwarding
-net.ipv4.ip_forward = 1
-
-# Enable source route verification
-net.ipv4.conf.default.rp_filter = 1
-
-# Do not accept source routing
-net.ipv4.conf.default.accept_source_route = 0
-
-# Enable ARP filter
-net.ipv4.conf.default.arp_filter = 1
+++ /dev/null
-# Kernel configuration file for IPv6
-#
-
-# Enable IPv6 forwarding
-net.ipv6.conf.all.forwarding = 1
-net.ipv6.conf.default.forwarding = 1
--- /dev/null
+[Unit]
+Description=Initialize kernel parameters for the firewalls
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/network/helpers/firewall-kernel-init
[Unit]
Description=Firewall for IPv4
-Before=network.service
+After=firewall-init.service
+Before=network.target
+Requires=firewall-init.service
[Service]
Type=oneshot
[Unit]
Description=Firewall for IPv6
-Before=network.service
+After=firewall-init.service
+Before=network.target
+Requires=firewall-init.service
[Service]
Type=oneshot
[Unit]
Description=Network Connectivity
+After=firewall-init.service
Before=network.target
+Requires=firewall-init.service
[Service]
Type=oneshot
[Unit]
Description=Network Connectivity for zone %I
+After=firewall-init.service
+Requires=firewall-init.service
[Service]
Type=oneshot