Just curious if anybody sees any ways this ruleset could be 
    improved? It comes from the Edge Router project, which is 
    based on the Linux Router Project.
    
    http://edge.fireplug.net/
    
    
    It's basically a firewall/router/masq setup on a floppy; it 
    works quite nicely.
    
    
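    #!/bin/sh
    # Copyright(c)1998 [EMAIL PROTECTED]

    # Minimal Edge Router Firewall
    #
    # The rule helpers (PLCY, MSQ, DNY, ACC, NEW, INS, FLSH, REM) and the
    # message helpers (MSG, EXIT, USE) are not defined in this file; they are
    # expected to come from /etc/edge/edge-help, sourced below.  The flags
    # used with them (-y, -b, -l, user chains named input/output/forward)
    # read like ipchains options — verify against edge-help.
    #
    # Variables read from the sourced configuration (not defined here):
    #   PRVCFG, IDF, NETINFO, FWDENY - file paths
    #   rIF / rIP - outside interface / its address (as used by the rules)
    #   pIF / pNL - inside interface / inside network
    #   ANY       - wildcard address
    # Every expansion below is quoted: an unset/empty variable then fails
    # loudly in the helper instead of silently shifting rule arguments.

    # Default Policies:
    #   deny input from outside
    #   masquerade, forward and allow all output from inside
    #   allow all tcp packets returned outgoing connections

    # rcS.d/S42firewall -> ../init.d/firewall
    # rc6.d/K38firewall -> ../init.d/firewall

    # firewall start|stop|restart

    PATH=/sbin:/usr/sbin:/bin:/usr/bin
    . /etc/edge/edge-help

    [ -s "$PRVCFG" ] || EXIT "Edge Router private network info not configured"
    . "$PRVCFG"
    # IDF is only checked for presence; NETINFO is sourced.
    [ -s "$IDF" ] && [ -s "$NETINFO" ] || EXIT "Edge Router not configured"
    . "$NETINFO"

    # finally do something useful
    case "$1" in
    start)
      MSG "$0": Configuring Network

      # TCP PARAMETERS - enable forwarding, SYN cookies and reverse-path
      # (anti-spoofing) filtering.  (rp_filter is the reverse-path check, not
      # source-routing control.)
      # NOTE(review): conf/default/rp_filter normally only seeds interfaces
      # that come up afterwards; conf/all/rp_filter or the per-interface
      # entries are what apply to an already-configured $rIF/$pIF — confirm
      # on the target kernel.
      for P in ip_forward tcp_syncookies conf/default/rp_filter; do
        echo 1 >"/proc/sys/net/ipv4/$P"
      done

      MSG Establishing Firewall

      # DEFAULT POLICIES (set before any rule, so the box is closed while the
      # rules are being loaded)
      PLCY input DENY
      PLCY forward DENY
      PLCY output ACCEPT

      # MASQUERADING AND FORWARDING
      MSQ forward -s "$pNL"

      # SPOOFING
      # MUST BE FIRST - don't allow our internal address to come in from the
      # Outside.
      # NOTE(review): logging (-l) is commented out, so spoofed packets are
      # dropped silently; enabling it gives a detection signal at no rule cost.
      DNY input -i "$rIF" -p all -s "$pNL" #-l

      # INSIDE and LOCALHOST
      ACC input -i lo -p all
      ACC input -i "$pIF" -p all

      # INBOUND
      # Traffic on the outside interface jumps to the user chain "eth"
      # (inserted at position 2, i.e. right after the anti-spoofing rule).
      # "eth" in turn jumps to "nolog" (silent denies) and "accept" (allowed
      # services).  INS without a position presumably inserts at the head, so
      # "accept" ends up before "nolog" — confirm in edge-help.
      NEW eth
      INS input 2 -i "$rIF" -j eth

      NEW nolog
      INS eth -i "$rIF" -j nolog
      NEW accept
      INS eth -i "$rIF" -j accept

      # accept all tcp connections inbound that are already established
      # NOTE(review): "! -y" only tests the SYN flag; it is not connection
      # tracking, so every non-SYN TCP segment from outside is accepted
      # whether or not a matching connection exists.
      ACC accept -i "$rIF" -p TCP ! -y

      # dns
      # NOTE(review): -b presumably installs the mirrored rule too, so this
      # accepts new connections *to* port 53 from anywhere as well as packets
      # *from* source port 53 to any local port.  If the router runs no
      # externally reachable DNS service, only the reply direction is needed.
      ACC accept -i "$rIF" -p TCP -d "$ANY" 53 -b
      ACC accept -i "$rIF" -p UDP -d "$ANY" 53 -b

      # dhcpcd
      # NOTE(review): both rules match source port 68 (the client port); a
      # DHCP server answers from port 67, so check which direction these are
      # meant to cover.
      ACC accept -i "$rIF" -p UDP -s "$ANY" 68
      ACC accept -i "$rIF" -p UDP -s "$ANY" 68 -d 255.255.255.255 67

      # udp for masquerade - replies to masqueraded UDP flows; the port range
      # must match the kernel's masquerade port allocator (verify).
      ACC accept -i "$rIF" -p UDP -d "$rIP" 60000:65535

      # ftp-data
      # NOTE(review): this accepts any inbound TCP whose source port is
      # ftp-data, to any local port; with the "! -y" rule above it only adds
      # new (SYN) connections, but those are allowed from source port 20 to
      # every local service.
      ACC accept -i "$rIF" -p tcp -s "$ANY" ftp-data

      # ICQ
      ACC accept -i "$rIF" -p UDP -s 205.188.252.0/24 4000 -d "$rIP"

      # accept echo-reply, time-exceeded, destination-unreachable,
      # router-advertisement and echo-request from anywhere.
      # NOTE(review): the last two are not needed for outgoing connectivity;
      # drop them if the router need not answer pings or take router
      # advertisements from the outside.
      for t in echo-reply time-exceeded destination-unreachable \
        router-advertisement echo-request; do
        ACC accept -i "$rIF" -p ICMP -s "$ANY" "$t"
      done

      # OUTBOUND
      # some sanity checks for ICMP
      #ACC output -p ICMP -s $ANY echo-request

      # NOLOG - deny without logging.
      # $FWDENY holds one "service protocol [extra args]" per line; '#' starts
      # a comment and blank lines are skipped.  -r keeps backslashes literal.
      sed -e '/^#/d' -e 's/\(.*\)#.*/\1/' -e '/^$/d' <"$FWDENY" |
        while read -r SRV PRO OPTS; do
          # $OPTS is intentionally unquoted: it carries extra rule arguments
          [ -n "$SRV" ] && [ -n "$PRO" ] && \
            DNY nolog -i "$rIF" -p "$PRO" -s "$ANY" -d "$ANY" "$SRV" $OPTS
        done
      # silently drop anything on the outside interface not addressed to us
      DNY nolog -i "$rIF" -d ! "$rIP"
      #DNY nolog -i $rIF -s $ANY -d 255.255.255.255

      # MUST BE LAST - override policy to get accounting and logging
      for IF in "$rIF" "$pIF" lo; do
        DNY input -i "$IF" -l
        ACC output -i "$IF"
      done
      ;;

    stop)
      MSG Stopping
      # Was "echo 0>/proc/...": without the space that redirects fd 0, so
      # forwarding was never actually switched off on stop.
      echo 0 >/proc/sys/net/ipv4/ip_forward
      for r in input output forward; do FLSH "$r"; done
      # NOTE(review): after this the router accepts everything on every
      # interface (policy ACCEPT, no rules); restart therefore has an open
      # window between stop and start.
      PLCY input ACCEPT
      # flush eth first so its jumps to accept/nolog are gone before the
      # user chains are removed
      FLSH eth
      REM accept
      REM nolog
      REM eth
      ;;

    restart)
      MSG Re-starting
      "$0" stop
      "$0" start
      ;;

    *)
      USE "\n\tConfigure Edge Router Firewall\n"
      exit 1
      ;;
    esac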
    
    


Harondel J. Sibble 
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
[EMAIL PROTECTED] (pgp enabled)    http://www.pdscc.com
(604) 739-3709 (voice/fax)      (604) 686-2253 (pager)
