7 Commits
409ace650e
...
master
Author | SHA1 | Date | |
---|---|---|---|
63889b0dc9 | |||
abef59c769 | |||
9fd36a8236 | |||
24d91d38c6 | |||
71e01e8413 | |||
aab8585d90 | |||
e6984a622c |
@ -25,6 +25,10 @@ standard_ident_port=113
|
||||
standard_ipp_port=631
|
||||
standard_irc_port=6667
|
||||
standard_jabber_port=5222
|
||||
standard_ldap_port=389
|
||||
standard_ldaps_port=636
|
||||
standard_mdns_port=5353
|
||||
standard_mndp_port=5678
|
||||
standard_mumble_port=64738
|
||||
standard_munin_port=4949
|
||||
standard_mysql_port=3306
|
||||
|
@ -23,6 +23,8 @@ log_syn_flood=false
|
||||
log_port_scanning=false
|
||||
log_ssh_brute_force=false
|
||||
log_fragments=false
|
||||
log_mdns=false
|
||||
log_mndp=false
|
||||
log_new_not_sync=false
|
||||
log_syn_with_suspicious_mss=false
|
||||
log_invalid_packets=false
|
||||
@ -40,6 +42,8 @@ log_prohibited=false
|
||||
log_voip=false
|
||||
log_rejected=true
|
||||
|
||||
log_blocked_ip=false
|
||||
|
||||
log_ssh=false
|
||||
|
||||
# - logging messages
|
||||
|
@ -23,6 +23,8 @@ log_syn_flood=false
|
||||
log_port_scanning=false
|
||||
log_ssh_brute_force=false
|
||||
log_fragments=false
|
||||
log_mdns=false
|
||||
log_mndp=false
|
||||
log_new_not_sync=false
|
||||
log_syn_with_suspicious_mss=false
|
||||
log_invalid_packets=false
|
||||
@ -40,6 +42,8 @@ log_prohibited=false
|
||||
log_voip=false
|
||||
log_rejected=true
|
||||
|
||||
log_blocked_ip=false
|
||||
|
||||
log_ssh=false
|
||||
|
||||
# - logging messages
|
||||
@ -51,5 +55,9 @@ log_prefix="[ IPv6 ]"
|
||||
# - Log all traffic for givven ip address
|
||||
# ---
|
||||
|
||||
# - You can also give hostname(s)
|
||||
# -
|
||||
# - Blank seoarated list of ips/hostnames
|
||||
# -
|
||||
log_ips=""
|
||||
|
||||
|
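Review bot: The comment block added in the `@ -51,5 +55,9 @@` hunk has two typos, `givven` in `# - Log all traffic for givven ip address` and `seoarated` in `# - Blank seoarated list of ips/hostnames`. It also lets `log_ips` hold hostnames without saying when they are resolved; if the loader resolves them once while the rules are built, the resulting rules stay pinned to the addresses returned at that moment and do not follow later DNS changes, which is worth stating next to the option, e.g. `# - Hostnames are resolved once when the rules are loaded; later DNS changes are not picked up`. The resolution code is not part of this diff, so confirm the wording against it.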
@ -36,6 +36,61 @@ do_not_firewall_lx_guest_systems=false
|
||||
drop_icmp=false
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
|
||||
# --- Drop Tinc VPN Traffic
|
||||
# -------------
|
||||
|
||||
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
|
||||
#
|
||||
# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
|
||||
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
|
||||
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
|
||||
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
|
||||
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
|
||||
#
|
||||
# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
|
||||
# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
|
||||
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
|
||||
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
|
||||
# dass eine manuelle IP-Konfiguration erforderlich ist.
|
||||
#
|
||||
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
|
||||
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
|
||||
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
|
||||
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
|
||||
#
|
||||
# Zusammengefasst:
|
||||
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
|
||||
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
|
||||
#
|
||||
drop_mndp=true
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop Multicast DNS Traffic
|
||||
# -------------
|
||||
|
||||
# Multicast Domain Name System (mDNS) protocol
|
||||
#
|
||||
# UDP Port 5353/
|
||||
#
|
||||
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
|
||||
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
|
||||
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
|
||||
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
|
||||
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
|
||||
# von mDNS) kommunizieren.
|
||||
#
|
||||
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
|
||||
# allows devices to identify themselves on the local network and register and
|
||||
# resolve names without central DNS servers. This is often used in local
|
||||
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
|
||||
# (an open-source implementation of mDNS).
|
||||
#
|
||||
drop_mdns=true
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Allow all outgoing traffic
|
||||
# -------------
|
||||
|
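Review bot: The comment block added in the `@ -36,6 +36,61 @@` hunk abbreviates MikroTik Neighbor Discovery Protocol as `(NDP)` in the line `# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um`; NDP is also the name of the ICMPv6 neighbour discovery protocol, which has nothing to do with UDP port 5678, so the line should read `# (MNDP) verwendet. ...` as the heading of the block already does. The MNDP description is German only, while the mDNS block right below it carries both a German and an English paragraph; an English paragraph for MNDP would keep the two blocks consistent for readers who do not read German. `# UDP Port 5353/` has a stray trailing slash. The same block recurs verbatim in the second copy of this file section further down (the duplicate `@ -36,6 +36,61 @@` hunk), so apply the same fixes there.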
@ -36,6 +36,61 @@ do_not_firewall_lx_guest_systems=false
|
||||
drop_icmp=false
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
|
||||
# --- Drop Tinc VPN Traffic
|
||||
# -------------
|
||||
|
||||
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
|
||||
#
|
||||
# Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
|
||||
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
|
||||
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
|
||||
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
|
||||
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
|
||||
#
|
||||
# Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
|
||||
# (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
|
||||
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
|
||||
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
|
||||
# dass eine manuelle IP-Konfiguration erforderlich ist.
|
||||
#
|
||||
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
|
||||
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
|
||||
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
|
||||
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
|
||||
#
|
||||
# Zusammengefasst:
|
||||
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
|
||||
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
|
||||
#
|
||||
drop_mndp=true
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop Multicast DNS Traffic
|
||||
# -------------
|
||||
|
||||
# Multicast Domain Name System (mDNS) protocol
|
||||
#
|
||||
# UDP Port 5353/
|
||||
#
|
||||
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
|
||||
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
|
||||
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
|
||||
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
|
||||
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
|
||||
# von mDNS) kommunizieren.
|
||||
#
|
||||
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
|
||||
# allows devices to identify themselves on the local network and register and
|
||||
# resolve names without central DNS servers. This is often used in local
|
||||
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
|
||||
# (an open-source implementation of mDNS).
|
||||
#
|
||||
drop_mdns=true
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Allow all outgoing traffic
|
||||
# -------------
|
||||
|
@ -327,8 +327,9 @@ done
|
||||
# ---
|
||||
declare -a smtpd_additional_outgoung_port_arr
|
||||
for _port in $smtpd_additional_outgoung_ports ; do
|
||||
smtpd_additional_outgoung_ports+=("$_port")
|
||||
don
|
||||
smtpd_additional_outgoung_port_arr+=("$_port")
|
||||
done
|
||||
|
||||
|
||||
|
||||
# ---
|
||||
|
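Review bot: The rebuilt loop in the `@ -327,8 +327,9 @@` hunk appends every whitespace-separated token of `$smtpd_additional_outgoung_ports` to `smtpd_additional_outgoung_port_arr` without checking that it is a port number, and these arrays are presumably interpolated unquoted into `--dport $_port` rules later on, as the listen-port array is in the other hunks of this change. A non-numeric entry or an extra token in the config would then be handed straight to iptables; a guard such as `[[ "$_port" =~ ^[0-9]+$ ]] || { printf 'ignoring invalid smtpd outgoing port: %s\n' "$_port" >&2; continue; }` before the `+=` line keeps bad config out of the rule set. The error helper the rest of the script uses for config problems is not visible here, so use that one instead of a bare printf if there is one. The array name keeps the existing `outgoung` spelling, which is fine for compatibility but deserves a `# sic, matches the config key` comment on the `declare -a` line.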
@ -547,9 +547,9 @@ if [[ -f "$conf_ban_ipv6_list" ]] ; then
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_blocked_ip || $log_all ; then
|
||||
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
|
||||
$ip6t -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv6.list: "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked: "
|
||||
$ip6t -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv6.list: "
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -719,6 +719,75 @@ else
|
||||
fi
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
|
||||
# --- Drop Tinc VPN Traffic
|
||||
# -------------
|
||||
|
||||
[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
|
||||
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
|
||||
|
||||
echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
|
||||
if [[ -n "$drop_mndp" ]] && $drop_mndp ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
|
||||
if $log_mndp || $log_all ; then
|
||||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
|
||||
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
|
||||
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
|
||||
fi
|
||||
fi
|
||||
|
||||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
|
||||
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mndp_port -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
|
||||
fi
|
||||
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop Multicast DNS Traffic
|
||||
# -------------
|
||||
|
||||
[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
|
||||
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
|
||||
|
||||
echononl "\tDrop Multicast DNS Traffic"
|
||||
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
|
||||
if $log_mdns || $log_all ; then
|
||||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
|
||||
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
|
||||
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
|
||||
fi
|
||||
fi
|
||||
|
||||
$ip6t -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
|
||||
$ip6t -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
|
||||
$ip6t -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
|
||||
fi
|
||||
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Don't allow spoofing out from this server
|
||||
# ---
|
||||
@ -1756,9 +1825,9 @@ fi
|
||||
|
||||
echononl "\t\tMail (additional smtp ports IN)"
|
||||
|
||||
if [[ ${#smtpd_additional_listen_ports[@]} -gt 0 ]] ; then
|
||||
if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _port in ${smtpd_additional_listen_ports[@]} ; do
|
||||
for _port in ${smtpd_additional_listen_port_arr[@]} ; do
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
@ -2417,6 +2486,38 @@ else
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - LDAP out only
|
||||
# ---
|
||||
|
||||
echononl "\t\tLDAP out only"
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - LDAPS out only
|
||||
# ---
|
||||
|
||||
echononl "\t\tLDAPS out only"
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ip6t -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
$ip6t -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - Whois out only
|
||||
# ---
|
||||
@ -2666,11 +2767,11 @@ echo
|
||||
echononl "\tLogging all rejected traffic"
|
||||
|
||||
if $log_rejected || $log_all ; then
|
||||
#$ip6t -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
|
||||
#$ip6t -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
|
||||
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
|
||||
$ip6t -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
|
||||
|
||||
$ip6t -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
|
||||
$ip6t -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
|
||||
$ip6t -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
|
||||
|
||||
if $kernel_forward_between_interfaces ; then
|
||||
#$ip6t -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected: "
|
||||
$ip6t -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall): "
|
||||
|
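Review bot: In the `@ -719,6 +719,75 @@` hunk, `if [[ -n "$drop_mndp" ]] && $drop_mndp ; then` (and `${drop_mdns}` in the mDNS block) executes the config value as a command; the two `[ "${drop_mndp,,}" == "yes" ]` / `"no"` lines only normalise yes/no, so any other string that ends up in the conf file, whether a typo such as `ture` or the name of some program, is either run or fails with a misleading "command not found". Normalising to a strict boolean in one step avoids that: `case "${drop_mndp,,}" in yes|true) drop_mndp=true ;; *) drop_mndp=false ;; esac`, with the same line for `drop_mdns`, after which the `-n` test becomes unnecessary. This follows the pattern the rest of the script already uses for the `$log_*` flags, so it may be a deliberate convention; if so, the hardening belongs in whatever loads the conf files rather than in each block. The IPv4 script's `@ -863,6 +863,72 @@` hunk introduces the same construct.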
@ -675,9 +675,9 @@ if [[ -f "$conf_ban_ipv4_list" ]] ; then
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_blocked_ip || $log_all ; then
|
||||
$ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
|
||||
$ipt -A INPUT -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list:"
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked:"
|
||||
$ipt -A FORWARD -i $_dev -s $_ip -j $LOG_TARGET $tag_log_prefix "$log_prefix Blocked by ban_ipv4.list::"
|
||||
fi
|
||||
fi
|
||||
$ipt -A INPUT -i $_dev -s $_ip -j DROP
|
||||
@ -863,6 +863,72 @@ else
|
||||
fi
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
|
||||
# --- Drop Tinc VPN Traffic
|
||||
# -------------
|
||||
|
||||
[ "${drop_mndp,,}" == "yes" ] && drop_mndp=true
|
||||
[ "${drop_mndp,,}" == "no" ] && drop_mndp=false
|
||||
|
||||
echononl "\tDrop Tinc VPN / Mikrotik RouterOS Neighbor Discovery Traffic"
|
||||
if [[ -n "$drop_mndp" ]] && ${drop_mndp} ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
|
||||
if $log_mndp || $log_all ; then
|
||||
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP Out: "
|
||||
$ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP IN: "
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd Out: "
|
||||
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MNDP fwd In: "
|
||||
fi
|
||||
fi
|
||||
|
||||
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mndp_port -j DROP
|
||||
$ipt -A INPUT -i $_dev -p udp --sport $standard_mndp_port -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mndp_port -j DROP
|
||||
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mndp_port -j DROP
|
||||
fi
|
||||
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# -------------
|
||||
# --- Drop Multicast DNS Traffic
|
||||
# -------------
|
||||
|
||||
[ "${drop_mdns,,}" == "yes" ] && drop_mdns=true
|
||||
[ "${drop_mdns,,}" == "no" ] && drop_mdns=false
|
||||
|
||||
echononl "\tDrop Multicast DNS Traffic"
|
||||
if [[ -n "$drop_mdns" ]] && ${drop_mdns} ; then
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_mdns || $log_all ; then
|
||||
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS Out: "
|
||||
$ipt -A INPUT -i $_dev -p udp --sport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd Out: "
|
||||
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS fwd In: "
|
||||
fi
|
||||
fi
|
||||
$ipt -A OUTPUT -o $_dev -p udp --dport $standard_mdns_port -j DROP
|
||||
$ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -o $_dev -p udp --dport $standard_mdns_port -j DROP
|
||||
$ipt -A FORWARD -i $_dev -p udp --dport $standard_mdns_port -j DROP
|
||||
fi
|
||||
done
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Don't allow spoofing from that server
|
||||
# ---
|
||||
@ -1922,9 +1988,9 @@ fi
|
||||
|
||||
echononl "\t\tMail (additional smtp ports IN)"
|
||||
|
||||
if [[ ${#smtpd_additional_listen_ports[@]} -gt 0 ]] ; then
|
||||
if [[ ${#smtpd_additional_listen_port_arr[@]} -gt 0 ]] ; then
|
||||
|
||||
for _port in ${smtpd_additional_listen_ports[@]} ; do
|
||||
for _port in ${smtpd_additional_listen_port_arr[@]} ; do
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A INPUT -i $_dev -p tcp --dport $_port -m state --state NEW -j ACCEPT
|
||||
if $kernel_activate_forwarding ; then
|
||||
@ -2581,6 +2647,38 @@ else
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - LDAP out only
|
||||
# ---
|
||||
|
||||
echononl "\t\tLDAP out only"
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldap_port -m state --state NEW -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
# ---
|
||||
# - LDAPS out only
|
||||
# ---
|
||||
|
||||
echononl "\t\tLDAPS out only"
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
$ipt -A OUTPUT -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ipt -A FORWARD -o $_dev -p tcp --dport $standard_ldaps_port -m state --state NEW -j ACCEPT
|
||||
fi
|
||||
done
|
||||
|
||||
echo_done
|
||||
|
||||
|
||||
|
||||
|
||||
# ---
|
||||
@ -2827,15 +2925,16 @@ echo
|
||||
echononl "\tLogging all rejected traffic"
|
||||
|
||||
if $log_rejected || $log_all ; then
|
||||
#$ipt -A OUTPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
|
||||
#$ipt -A INPUT -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
|
||||
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
|
||||
$ipt -A OUTPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
|
||||
|
||||
$ipt -A OUTPUT -m limit --limit-burst 5 -p tcp ! --tcp-flags ACK,FIN ACK,FIN -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
|
||||
$ipt -A OUTPUT -m limit --limit-burst 5 -p udp -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
|
||||
$ipt -A INPUT -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
|
||||
|
||||
if $kernel_activate_forwarding ; then
|
||||
#$ipt -A FORWARD -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected:"
|
||||
$ipt -A FORWARD -m limit --limit-burst 5 -j $LOG_TARGET $tag_log_prefix "$log_prefix Rejected (end of firewall):"
|
||||
fi
|
||||
|
||||
echo_done
|
||||
else
|
||||
echo_skipped
|
||||
|
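Review bot: In the `@ -863,6 +863,72 @@` hunk the two mDNS INPUT rules do not match the same traffic: the LOG rule uses `--sport $standard_mdns_port` while the DROP rule a few lines below uses `--dport $standard_mdns_port`, so what is logged as `MDNS IN` is not what is dropped, and packets to port 5353 are dropped without any log entry. The MNDP INPUT rules in this script use `--sport` for both LOG and DROP, whereas the IPv6 script's copy of the same block uses `--dport` for all four INPUT rules, so the two scripts also disagree with each other. Pick one matcher per direction and use it in both scripts; if the IPv6 behaviour is the intended one, the mDNS log line becomes `$ipt -A INPUT -i $_dev -p udp --dport $standard_mdns_port -j $LOG_TARGET $tag_log_prefix "$log_prefix MDNS IN: "`. Which side is intended cannot be decided from the diff alone, since mDNS uses 5353 as both source and destination port.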