Hi,

I only just found this great script. I took the liberty of fixing a
couple of the TODOs in it. A patch against the latest version (0.9) is
attached for anybody who is interested.

Rgds

Pete


diff -Naur firewall-0.9/firewall firewall-0.9.1/firewall
--- firewall-0.9/firewall       2003-06-20 23:58:26.000000000 +0100
+++ firewall-0.9.1/firewall     2003-10-05 01:41:13.000000000 +0100
@@ -115,44 +115,70 @@
       echo "Unload ipchains module and rerun."
       exit 1
    fi
-   
-   #Check for ip forwarding
-   if [ 1 != "`cat /proc/sys/net/ipv4/ip_forward`" ]; then
 
-# TODO: fix this.  if the script is only going to be run as a firewall
-# there is no need for this to be set, as there is no routing.
-# Perhaps a check to see if internal networks are defined?
-
-      echo "Routing has not been enabled." >&2
-      if [ -e /etc/sysctl.conf ] ; then
-         echo "Set net.ipv4.ip_forward and" >&2 
-         echo "  net.ipv4.ip_always_defrag = 1 "   >&2
-         echo "  in /etc/sysctl.conf" >&2
-      else
-         echo "Please set FORWARD_IPV4=\"yes\" " >&2 
-         echo "  in /etc/sysconfig/network" >&2
-      fi
-      echo "  or use your network configuration tool" >&2 
-      echo "  to enable ip forwarding." >&2
-      exit 1
-   fi
+   #Check to see if there are any other than system default interfaces
+   # (3 standard, + pppx)
 
-   #Check for spoof protection
-# TODO: How is this done for iptables????
-   
-# TODO: Check to see if any of the requested interfaces are found
+    if [ `ls /proc/sys/net/ipv4/conf | wc -l` -gt 4 ]; then  
+
+     #Check for ip forwarding
+     if [ 1 != "`cat /proc/sys/net/ipv4/ip_forward`" ]; then
+        echo "Routing has not been enabled." >&2
+        if [ -e /etc/sysctl.conf ] ; then
+           echo "Set net.ipv4.ip_forward and" >&2 
+           echo "  net.ipv4.ip_always_defrag = 1 "   >&2
+           echo "  in /etc/sysctl.conf" >&2
+        else
+           echo "Please set FORWARD_IPV4=\"yes\" " >&2 
+           echo "  in /etc/sysconfig/network" >&2
+        fi
+        echo "  or use your network configuration tool" >&2 
+        echo "  to enable ip forwarding." >&2
+        exit 1
+     fi
+    else echo "Cannot find internal interface - assuming firewall only config"
+    fi
+
+   #Check for spoofing protection
+
+    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
+     for f in /proc/sys/net/ipv4/conf/*/rp_filter
+       do
+        if [ 1 != "`cat $f`" ]; then
+          echo "No Spoofing Protection - Set " $f " = 1"
+        fi
+       done
+    else
+       echo "Kernel does not have spoofing protection support"
+       exit 1
+    fi
+  
+ 
+   # Check to see if all of the requested interfaces are found
+
+    for EXT_INTERFACE in $EXT_INTERFACES; 
+     do
+      if [ ! -e /proc/sys/net/ipv4/conf/$EXT_INTERFACE ]; then
+        echo "Requested interface " $EXT_INTERFACE" does not exist"
+        exit 1
+      fi
+     done
 
    # if we made it this far, then things are good
    # make sure that ip_tables is loaded
 
-# TODO: Adjust this to check for the presence of the capability not
-# the module.  This may be compiled into the kernel not as a module.
+   # Check for iptables capability in kernel 
 
-   if  [ 1 != `/sbin/lsmod | grep -c ip_tables` 2>/dev/null ]; then
-      #doesn't appear to be loaded
-      /sbin/modprobe ip_tables      
-   fi
-}
+    if [ ! -e /proc/net/ip_tables_names ]; then
+     echo "No iptables Capability Loaded - Checking for module..."
+      if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then
+       echo "Module found - loading....."
+       /sbin/modprobe ip_tables
+      else
+       echo "Kernel has no capability for iptables - giving up!"
+       exit 1
+      fi
+    fi
 
 logging() {
 # rules to log all traffic about to be dropped
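Review bot: The hunk drops the enclosing function's closing `}` (the removed line after the old modprobe block) and never adds it back, so the function whose header is above the hunk now runs straight into `logging() {`; the new iptables-capability block needs a `}` after its final `fi`. The module probe at the end also ignores modprobe's exit status and only looks for `ip_tables.o`, so a failed load or a kernel that ships `ip_tables.ko` falls through as if the capability were present — `/sbin/modprobe ip_tables || { echo "Failed to load ip_tables" >&2; exit 1; }` and re-testing `/proc/net/ip_tables_names` afterwards would close that gap. The rp_filter loop prints "No Spoofing Protection" but keeps going, unlike the ip_forward check above it which exits; if continuing without rp_filter is deliberate for firewall-only hosts, a comment saying so (e.g. `# warn only: rp_filter breaks asymmetric routing`) would stop the next reader from "fixing" it, otherwise an `exit 1` there matches the rest of the block. Interface names containing a dot (VLAN-style `eth0.100`) are, as far as I recall, exposed under `/proc/sys/net/ipv4/conf/` with the dot replaced by a slash, which would make the existence check at `-e /proc/sys/net/ipv4/conf/$EXT_INTERFACE` reject a valid interface — worth confirming before relying on it.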
