From c6de143b1e20ca080ef59ee73e4a5f8edc6e02bb Mon Sep 17 00:00:00 2001 From: Christoph Date: Sat, 9 Mar 2019 15:42:24 +0100 Subject: [PATCH] Reorganize ports for services, rename 'default_ports.conf' to 'ports.conf'. --- conf/default_ports.conf | 40 ------------------- conf/main_ipv4.conf.sample | 62 ------------------------------ conf/main_ipv6.conf.sample | 15 -------- conf/ports.conf | 79 ++++++++++++++++++++++++++++++++++++++ ip6t-firewall-server | 20 +++++----- ipt-firewall-server | 32 +++++++-------- 6 files changed, 105 insertions(+), 143 deletions(-) delete mode 100644 conf/default_ports.conf create mode 100644 conf/ports.conf diff --git a/conf/default_ports.conf b/conf/default_ports.conf deleted file mode 100644 index 344eb49..0000000 --- a/conf/default_ports.conf +++ /dev/null @@ -1,40 +0,0 @@ -#!/usr/bin/env bash - - -# ------------- -# --- Define Ports for Services -# ------------- - -# - Web Server Ports -# - -http_ports="80,443" - -# - FTP Servers Passive Portrange -# - -ftp_passive_port_range="50000:50400" - -# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS) -# - -mail_user_ports="587,465,110,995,143,993" - -# - SSH Ports -# - -# - comma separated list -ssh_ports="22" - -# - VPN Service -vpn_ports="1194 1195" - -# - Mumble Server -# - -mumble_ports="64738" - -# - XyMon Service (usually TCP port 1984) -# - -# - NOT YET IMPLEMENTED -# - -xymon_port=1984 - -# - Munin Server Port (usually TCP port 4949) -# - -munin_remote_port="4949" diff --git a/conf/main_ipv4.conf.sample b/conf/main_ipv4.conf.sample index 95cdf6c..0392bd2 100644 --- a/conf/main_ipv4.conf.sample +++ b/conf/main_ipv4.conf.sample 
@@ -6,45 +6,6 @@ ## ---------------------------------------------------------------- -# ------------- -# --- Define Ports for Services -# ------------- - -# - Web Server Ports -# - -http_ports="80,443" - -# - FTP Servers Passive Portrange -# - -ftp_passive_port_range="50000:50400" - -# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS) -# - -mail_user_ports="587,465,110,995,143,993" - -# - SSH Ports -# - -# - comma separated list -ssh_ports="22" - -# - VPN Service -vpn_ports="1194 1195" - -# - Mumble Server -# - -mumble_ports="64738" - -# - XyMon Service (usually TCP port 1984) -# - -# - NOT YET IMPLEMENTED -# - -xymon_port=1984 - -# - Munin Server Port (usually TCP port 4949) -# - -munin_remote_port="4949" - - # ------------- # --- Prevent bridged traffic getting pushed through the host's iptables rules # ------------- @@ -456,26 +417,3 @@ kernel_activate_rp_filter=true # - kernel_log_martians=false - -# ------------- -# --- Some further Ports/IP-Address Configuration -# ------------- - -# - unpriviligierte Ports -# - -unprivports="1024:65535" - -# - Loopback -loopback="127.0.0.0/8" - -# - Private Networks -priv_class_a="10.0.0.0/8" -priv_class_b="172.16.0.0/12" -priv_class_c="192.168.0.0/16" - -# - Multicast Addresse -class_d_multicast="224.0.0.0/4" - -# Reserved Addresse -class_e_reserved="240.0.0.0/5" - diff --git a/conf/main_ipv6.conf.sample b/conf/main_ipv6.conf.sample index c02d9ee..a3492c3 100644 --- a/conf/main_ipv6.conf.sample +++ b/conf/main_ipv6.conf.sample @@ -6,21 +6,6 @@ ## ---------------------------------------------------------------- -# ------------- -# --- Some Ports/IP-Address Configuration -# ------------- - -# - unpriviligierte Ports -# - -unprivports="1024:65535" - -# unique local address (ULA) - private address block -ula_block="fc00::/7" - -# - Loopback -loopback="::1/128" - - # ------------- # --- Prevent bridged traffic getting pushed through the host's iptables rules # ------------- 
diff --git a/conf/ports.conf b/conf/ports.conf new file mode 100644 index 0000000..5ea02aa --- /dev/null +++ b/conf/ports.conf @@ -0,0 +1,79 @@ +#!/usr/bin/env bash + + +# ------------- +# --- Define Ports for Services +# ------------- + +# - Web Server Ports +# - +http_ports="80,443" + +# - FTP Servers Passive Portrange +# - +ftp_passive_port_range="50000:50400" + +# - Mail Client Ports (Submission/SMTPS/POPS/IMAPS) +# - +mail_user_ports="587,465,110,995,143,993" + +# - SSH Ports +# - +# - comma separated list +ssh_ports="22" + +# - VPN Service +vpn_ports="1194 1195" + +# - Mumble Server +# - +mumble_ports="64738" + +# - XyMon Service (usually TCP port 1984) +# - +# - NOT YET IMPLEMENTED +# - +xymon_port=1984 + +# - Munin Server Port (usually TCP port 4949) +# - +munin_remote_port="4949" + + +# ------------- +# --- Predefined Ports +# ------------- + +# - unpriviligierte Ports +# - +unprivports="1024:65535" + + +# ------------- +# --- Some IPv4-Address Configuration +# ------------- + +# - Loopback +loopback_ipv4="127.0.0.0/8" + +# - Private Networks +priv_class_a="10.0.0.0/8" +priv_class_b="172.16.0.0/12" +priv_class_c="192.168.0.0/16" + +# - Multicast Addresse +class_d_multicast="224.0.0.0/4" + +# Reserved Addresse +class_e_reserved="240.0.0.0/5" + + +# ------------- +# --- Some IPv6-Address Configuration +# ------------- + +# unique local address (ULA) - private address block +ula_block="fc00::/7" + +# - Loopback +loopback_ipv6="::1/128" diff --git a/ip6t-firewall-server b/ip6t-firewall-server index 0613a2a..d538809 100755 --- a/ip6t-firewall-server +++ b/ip6t-firewall-server 
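Review bot: `class_e_reserved="240.0.0.0/5"` covers only 240.0.0.0–247.255.255.255, while the reserved Class E range that the "Class E reserved" anti-spoof rules in ipt-firewall-server appear to target is 240.0.0.0/4; the value is moved here unchanged, but since this file is new it is the natural place to correct it to `class_e_reserved="240.0.0.0/4"`. `vpn_ports="1194 1195"` is the only space-separated list in a file where every other port list is comma-separated and the ssh_ports comment explicitly says "comma separated list"; if the consumer hands it to a multiport/--dports match the two forms do not behave the same, so the format should be documented or aligned. A one-line header noting that this file is `source`d by both ipt-firewall-server and ip6t-firewall-server (so the shebang is informational and the file runs with the firewall script's privileges) would also help readers.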
@@ -22,7 +22,7 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf" load_modules_file=${ipt_conf_dir}/load_modules_ipv6.conf conf_logging=${ipt_conf_dir}/logging_ipv6.conf -conf_default_ports=${ipt_conf_dir}/default_ports.conf +conf_ports=${ipt_conf_dir}/ports.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv6.conf conf_main=${ipt_conf_dir}/main_ipv6.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf @@ -111,10 +111,10 @@ else source $conf_logging fi -if [[ ! -f "$conf_default_ports" ]]; then - fatal "Missing configuration for default_ports - file '$conf_default_ports'" +if [[ ! -f "$conf_ports" ]]; then + fatal "Missing configuration for default_ports - file '$conf_ports'" else - source $conf_default_ports + source $conf_ports fi if [[ ! -f "$conf_interfaces" ]]; then 
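Review bot: The error text on the new `fatal "Missing configuration for default_ports - file '$conf_ports'"` line still names default_ports although the file was renamed to ports.conf; make it `fatal "Missing configuration for ports - file '$conf_ports'"`. The same stale message and the unquoted `source $conf_ports` (word-splits if ipt_conf_dir contains whitespace) are repeated in the ipt-firewall-server hunk at @@ -111; `source "$conf_ports"` fixes the quoting in both. Because loopback_ipv6 only exists in the new file, an installation that keeps a hand-maintained copy of the old configuration would leave `$loopback_ipv6` empty and the later `-s $loopback_ipv6 -j DROP` rules malformed; a guard such as `: "${loopback_ipv6:?not set in $conf_ports}"` right after the source line would fail early with a clear message. Since the sourced file executes with the firewall script's privileges, the `-f` test could additionally reject a config that is writable by other users before sourcing it.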
@@ -619,25 +619,25 @@ done for _dev in ${ext_if_arr[@]} ; do if $log_spoofed || $log_all ; then $ip6t -A INPUT -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " - $ip6t -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " + $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $ula_block -j $LOG_TARGET $tag_log_prefix "$log_prefix Private (ula_block): " - $ip6t -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " + $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j $LOG_TARGET $tag_log_prefix "$log_prefix (loopback): " fi fi $ip6t -A INPUT -i $_dev -s $ula_block -j DROP - $ip6t -A INPUT -i $_dev -s $loopback -j DROP + $ip6t -A INPUT -i $_dev -s $loopback_ipv6 -j DROP if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -i $_dev -s $ula_block -j DROP - $ip6t -A FORWARD -i $_dev -s $loopback -j DROP + $ip6t -A FORWARD -i $_dev -s $loopback_ipv6 -j DROP fi # Don't allow spoofing from that server $ip6t -A OUTPUT -o $_dev -s $ula_block -j DROP - $ip6t -A OUTPUT -o $_dev -s $loopback -j DROP + $ip6t -A OUTPUT -o $_dev -s $loopback_ipv6 -j DROP if $kernel_forward_between_interfaces ; then $ip6t -A FORWARD -o $_dev -s $ula_block -j DROP - $ip6t -A FORWARD -o $_dev -s $loopback -j DROP + $ip6t -A FORWARD -o $_dev -s $loopback_ipv6 -j DROP fi done diff --git a/ipt-firewall-server b/ipt-firewall-server index 1f643fc..8dff0bd 100755 --- a/ipt-firewall-server +++ b/ipt-firewall-server 
@@ -22,7 +22,7 @@ inc_functions_file="${ipt_conf_dir}/include_functions.conf" load_modules_file=${ipt_conf_dir}/load_modules_ipv4.conf conf_logging=${ipt_conf_dir}/logging_ipv4.conf -conf_default_ports=${ipt_conf_dir}/default_ports.conf +conf_ports=${ipt_conf_dir}/ports.conf conf_interfaces=${ipt_conf_dir}/interfaces_ipv4.conf conf_main=${ipt_conf_dir}/main_ipv4.conf conf_post_declarations=${ipt_conf_dir}/post_decalrations.conf @@ -111,10 +111,10 @@ else source $conf_logging fi -if [[ ! -f "$conf_default_ports" ]]; then - fatal "Missing configuration for default_ports - file '$conf_default_ports'" +if [[ ! -f "$conf_ports" ]]; then + fatal "Missing configuration for default_ports - file '$conf_ports'" else - source $conf_default_ports + source $conf_ports fi if [[ ! -f "$conf_interfaces" ]]; then @@ -779,7 +779,7 @@ for _dev in ${ext_if_arr[@]} ; do $ipt -A INPUT -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:" $ipt -A INPUT -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:" $ipt -A INPUT -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:" - $ipt -A INPUT -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:" + $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:" $ipt -A INPUT -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:" $ipt -A INPUT -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:" #$ipt -A INPUT -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:" 
@@ -788,7 +788,7 @@ for _dev in ${ext_if_arr[@]} ; do
 $ipt -A FORWARD -i $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix Class A private net:"
 $ipt -A FORWARD -i $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix Class B private net:"
 $ipt -A FORWARD -i $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix Class C private net:"
- $ipt -A FORWARD -i $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
+ $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix From Loopback:"
 $ipt -A FORWARD -i $_dev -s $class_d_multicast -j $LOG_TARGET $tag_log_prefix "$log_prefix Class D Multicast:"
 $ipt -A FORWARD -i $_dev -s $class_e_reserved -j $LOG_TARGET $tag_log_prefix "$log_prefix Class E reserved:"
 #$ipt -A FORWARD -i $_dev -d $broadcast_addr -j $LOG_TARGET $tag_log_prefix "$log_prefix Broadcast Address:"
@@ -801,7 +801,7 @@ for _dev in ${ext_if_arr[@]} ; do
 # Retfuse packets claiming to be from a Class C private network.
 $ipt -A INPUT -i $_dev -s $priv_class_c -j DROP
 # Refuse packets claiming to be from loopback interface.
- $ipt -A INPUT -i $_dev -s $loopback -j DROP
+ $ipt -A INPUT -i $_dev -s $loopback_ipv4 -j DROP
 # Refuse Class D multicast addresses. Multicast is illegal as a source address.
 $ipt -A INPUT -i $_dev -s $class_d_multicast -j DROP
 # Refuse Class E reserved IP addresses.
@@ -816,7 +816,7 @@ for _dev in ${ext_if_arr[@]} ; do
 # Refuse packets claiming to be from a Class C private network.
 $ipt -A FORWARD -i $_dev -s $priv_class_c -j DROP
 # Refuse packets claiming to be from loopback interface.
- $ipt -A FORWARD -i $_dev -s $loopback -j DROP
+ $ipt -A FORWARD -i $_dev -s $loopback_ipv4 -j DROP
 # Refuse Class D multicast addresses. Multicast is illegal as a source address.
 $ipt -A FORWARD -i $_dev -s $class_d_multicast -j DROP
 # Refuse Class E reserved IP addresses.
@@ -836,14 +836,14 @@ done # quench to the loopback. for _dev in ${ext_if_arr[@]} ; do if $log_to_lo || $log_all ; then - $ipt -A INPUT -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:" + $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:" if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -d $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:" + $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix To Loopback:" fi fi - $ipt -A INPUT -i $_dev -d $loopback -j DROP + $ipt -A INPUT -i $_dev -d $loopback_ipv4 -j DROP if $kernel_activate_forwarding ; then - $ipt -A FORWARD -i $_dev -d $loopback -j DROP + $ipt -A FORWARD -i $_dev -d $loopback_ipv4 -j DROP fi done 
@@ -857,23 +857,23 @@ for _dev in ${ext_if_arr[@]} ; do $ipt -A OUTPUT -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" $ipt -A OUTPUT -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" $ipt -A OUTPUT -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:" - $ipt -A OUTPUT -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" + $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -s $priv_class_a -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class A:" $ipt -A FORWARD -o $_dev -s $priv_class_b -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class B:" $ipt -A FORWARD -o $_dev -s $priv_class_c -j $LOG_TARGET $tag_log_prefix "$log_prefix out Class C:" - $ipt -A FORWARD -o $_dev -s $loopback -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" + $ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j $LOG_TARGET $tag_log_prefix "$log_prefix out Loopback:" fi fi $ipt -A OUTPUT -o $_dev -s $priv_class_a -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_b -j DROP $ipt -A OUTPUT -o $_dev -s $priv_class_c -j DROP - $ipt -A OUTPUT -o $_dev -s $loopback -j DROP + $ipt -A OUTPUT -o $_dev -s $loopback_ipv4 -j DROP if $kernel_activate_forwarding ; then $ipt -A FORWARD -o $_dev -s $priv_class_a -j DROP $ipt -A FORWARD -o $_dev -s $priv_class_b -j DROP $ipt -A FORWARD -o $_dev -s $priv_class_c -j DROP - $ipt -A FORWARD -o $_dev -s $loopback -j DROP + $ipt -A FORWARD -o $_dev -s $loopback_ipv4 -j DROP fi done