I have searched the FAQs and mail archives but could not find the solution.
I am currently running Dachstein (CD version) on the Road Runner cable
network.  As might be expected on a cable network, my logs quickly overfill
with the following noise:

Every few seconds -

Jun 3 10:50:30 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.40.32.1:67 255.255.255.255:68 L=333 S=0x80 I=31378 F=0x0000 T=255 (#9)

Every three minutes -

Jun 3 10:49:58 firewall kernel: Packet log: input DENY eth0 PROTO=2 192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#11)

Thus, I added the following two rules to my Network.conf file.

##############################################################################
#Ignored Traffic:
##############################################################################

SILENT_DENY="17_10.40.32.1_68"
SILENT_DENY="all_224.0.0.0/4"

##############################################################################

Here's the problem... when I add only the first silent deny ("_68"),
everything works fine and it will ignore the traffic directed at port 68.
It still logs the broadcast noise directed at 224.0.0.1.  When I add the
second rule to ignore the IGMP packets sent from Road Runner, both rules
cancel out(?) and all entries get logged again overfilling my log files.

This is the first line that comes up from the output of "ipchains -nvL" when
I only enter the first silent deny:

54 18972 DENY       udp  ------ 0xFF 0x00  eth0
10.40.32.1           0.0.0.0/0             * ->   68

This is the first line that comes up from the output of "ipchains -nvL" when
I enter both the silent deny rules (The "_68" line no longer shows up from
"ipchains -nvL" after I add the second silent deny.):

0     0 DENY       all  ------ 0xFF 0x00  eth0
224.0.0.0/4          0.0.0.0/0             n/a


I have a feeling that my problem is the order in which I entered the rules
since I don't think that they should be at the top of the firewall rules
list.  Where should I add them in my network.conf file to make sure that
both stop logging?  I have tried this several times and have always backed
up my configuration to floppy.  All background help is listed below and any
help is appreciated.


**************************************
Background Info
**************************************

* Distribution:

Dachstein-cd-v1.0.2.iso

* Output of "uname -a":

Linux firewall 2.2.19-3-LEAF-RAID #4 Sat Dec 1 17:27:59 CST 2001 i386 unknown

* Output of "ip addr show":

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
link/ether fe:fd:0b:00:42:75 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:a0:24:c8:b6:f5 brd ff:ff:ff:ff:ff:ff
inet 66.26.39.63/24 brd 255.255.255.255 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:5a:2a:15:23 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

* Output of "ip route show":

66.26.39.0/24 dev eth0  proto kernel  scope link  src 66.26.39.63
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 66.26.39.1 dev eth0

* Output of "ipchains -nvL":

Chain input (policy DENY: 2 packets, 706 bytes):
pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
0     0 DENY       all  ------ 0xFF 0x00  eth0
224.0.0.0/4          0.0.0.0/0             n/a
0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             5 ->   *
0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             13 ->   *
0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             14 ->   *
0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0              0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
255.255.255.255      0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
127.0.0.0/8          0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
224.0.0.0/4          0.0.0.0/0             n/a
9  3219 DENY       all  ----l- 0xFF 0x00  eth0
10.0.0.0/8           0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
172.16.0.0/12        0.0.0.0/0             n/a
1    28 DENY       all  ----l- 0xFF 0x00  eth0
192.168.0.0/16       0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/8            0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
128.0.0.0/16         0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
191.255.0.0/16       0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.0.0.0/24         0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
223.255.255.0/24     0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
240.0.0.0/4          0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
66.26.39.63          0.0.0.0/0             n/a
0     0 REJECT     all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            127.0.0.0/8           n/a
0     0 REJECT     all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            192.168.1.0/24        n/a
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138:139
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:138 ->   *
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:139 ->   *
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   113
40 10726 ACCEPT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
0     0 REJECT     udp  ----l- 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   161:162
0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   53
0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   68
0     0 DENY       udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   67
0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
0     0 ACCEPT     icmp ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   *
0     0 ACCEPT     ospf ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             n/a
0     0 REJECT     udp  ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             * ->   161:162
0     0 REJECT     udp  ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             161:162 ->   *
37  5898 ACCEPT     all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
0     0 DENY       icmp ----l- 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             5 ->   *
37  5898 MASQ       all  ------ 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
0     0 DENY       all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain output (policy DENY: 0 packets, 0 bytes):
pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
77 16468 fairq      all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0              0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
255.255.255.255      0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
127.0.0.0/8          0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
224.0.0.0/4          0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
10.0.0.0/8           0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
172.16.0.0/12        0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.168.0.0/16       0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
0.0.0.0/8            0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
128.0.0.0/16         0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
191.255.0.0/16       0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
192.0.0.0/24         0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
223.255.255.0/24     0.0.0.0/0             n/a
0     0 DENY       all  ----l- 0xFF 0x00  eth0
240.0.0.0/4          0.0.0.0/0             n/a
0     0 DENY       all  ------ 0xFF 0x00  eth0
192.168.1.0/24       0.0.0.0/0             n/a
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   137
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   135
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138:139
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             * ->   138
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:138 ->   *
0     0 REJECT     udp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             137:139 ->   *
0     0 REJECT     tcp  ------ 0xFF 0x00  eth0
0.0.0.0/0            0.0.0.0/0             135 ->   *
77 16468 ACCEPT     all  ------ 0xFF 0x00  *
0.0.0.0/0            0.0.0.0/0             n/a
Chain fairq (1 references):
pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize
source                destination           ports
0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             n/a
0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             n/a
0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   520
0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             520 ->   *
0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   179
0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             179 ->   *
0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   53
0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             53 ->   *
0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             * ->   53
0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1
0.0.0.0/0            0.0.0.0/0             53 ->   *
0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             * ->   23
0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             23 ->   *
0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             * ->   22
0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2
0.0.0.0/0            0.0.0.0/0             22 ->   *


* Output of "network.conf" file (See section on "ignored traffic" after
"Domain Search Order and Name Servers"):


###############################################################################
# Extended firewall configuration scripts
# By Charles Steinkuehler
# Version 1.3.2
# September 29, 2001
###############################################################################
# Brief instructions for this file
###############################################################################
#
# VERBOSE=(YES/NO)                      Default: Yes
# Be verbose about settings.
#
# MAX_LOOP=(int)                        Default: 10
# Maximum number of incrementable entries to search for.
# IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
# (DNS0 - DNS7 == 8 entries)
# Setting this value too high will decrease the speed of the configuration
# system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON)    Default: NO
# Enable IP forwarding in the kernel.  FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO)        Default: NO
# Enable IP Global defragmentation in the kernel.
#
# **WARNING** - If this was turned on everywhere in a network of routers,
# it can result in TCP connections failing and TCP connection resets.
#
# ONLY turn this on if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm.  DO NOT turn this on if the box is a
# conventional router as it breaks the TCP/IP RFCes.  This option is
# needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
# transparent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a useful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers in behind the router. Another use is packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO)              Default: NO
# Create /etc/hostname file using HOSTNAME entry.
# Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO)             Default: NO
# Create /etc/hosts file using HOSTSx entries.
# Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO)                   Default: NO
# Create /etc/resolv.conf file using DOMAINS and DNSx entries.
# Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST                               Default: "$IF_AUTO"
# A space separated list of interfaces that can be ACTIVE on this machine
# This controls which interfaces can be brought up and down manually.
#
# IF_AUTO                               Default: "eth0"
# A space separated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw  interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.
#
# IPFILTER_SWITCH=(none|router|firewall)        Default: "none"
# Selects the basic IP filtering/firewalling setup of the router.  "None"
# is used for a straight through router, "router" for a filtering router with
# IP spoof protection and Martian protection and "firewall" for a basic IP
# masquerading/NAT firewall.  The basic filter types are provided in
# /etc/ipfilter.conf.  If you want more than what is provided read the man
# pages for ipchains or ipfwadm and BE CAREFUL when you edit this!
#
###############################################################################
# General Settings
###############################################################################

VERBOSE=YES
MAX_LOOP=10

IPFWDING_KERNEL=FILTER_ON

IPALWAYSDEFRAG_KERNEL=YES

CONFIG_HOSTNAME=YES

CONFIG_HOSTSFILE=YES

CONFIG_DNS=NO

###############################################################################
# Interfaces
###############################################################################

# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
# Do NOT include interfaces configured by dhcp!
IF_AUTO="eth1"

# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"

# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO

# Need these both for interfaces run by daemons - ie PPP, CIPE, some
#         WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES

# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed
# values
BRG_EXEMPT_PROTOS=""

###############################################################################

eth0_IPADDR=1.1.1.2
eth0_MASKLEN=30
eth0_BROADCAST=+
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
eth0_DEFAULT_GW=1.1.1.1
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# Additional routes for this interface, if any
#   Space separated list: <PREFIX>[_<more ip route options>]
#eth0_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
eth0_PROXY_ARP=NO
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit   # Device bandwidth
#eth0_HNDL=2            # Queue Handle - must be unique
#eth0_IABURST=100       # Interactive Burst
#eth0_IARATE=1Mbit      # Interactive Rate
#eth0_PXMTU=1514        # Physical MTU - includes Link Layer header

###############################################################################

eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

###############################################################################

#eth2_IPADDR=
#eth2_MASKLEN=
#eth2_BROADCAST=+
#eth2_ROUTES=
#eth2_IP_SPOOF=YES
#eth2_IP_KRNL_LOGMARTIANS=YES
#eth2_IP_SHARED_MEDIA=NO
#eth2_BRIDGE=NO
#eth2_PROXY_ARP=
#eth2_FAIRQ=NO

###############################################################################
# NAT 'virtual' interface (optional: required only for static-NAT DMZ systems)
###############################################################################
# Configured as an interface to allow flexible handling of bringing the
# routing rules up/down in conjunction with the physical interfaces
# interface spec is an indexed list of IP address pairs and a base priority
# number for ip rule creation
#nat0_BASE_PRI=100                       # Unique base value for ip rules
# Indexed list: <public IP> <private DMZ IP>
#nat0_PAIR0="1.1.2.3 192.168.2.13"
#nat0_PAIR1="1.1.2.4 192.168.2.14"
#nat0_PAIR2="1.1.2.5 192.168.2.15"

# Sangoma FR example
#fr498_IPADDR=10.0.10.1
#fr498_PTPADDR=10.0.10.2
#fr498_IP_SPOOF=YES
#fr498_IP_KRNL_LOGMARTIANS=YES
# Simple QoS support
#fr498_FAIRQ=YES
#fr498_TXQLEN=50
# Complex FR QoS - Enable ALL of these + above to turn it on
#fr498_FRBURST=960Kbit  # FR Burst capacity (a rate)
#fr498_BULKRATE=320Kbit # Usually you set this to the CIR
#fr498_BULKBURST=50     # Number of packets that can burst in bulk class
#fr498_BNDWIDTH=1920Kbit # The bandwidth of the interface
#fr498_IABURST=512      # No of Interactive Burst packets
#fr498_IARATE=640Kbit   # Burst capacity bandwidth between
# BURST and CIR
#fr498_HNDL=2           # The queue handle - must be unique Dialup PPP is 1000+
#fr498_PXMTU=1508       # The Physical MTU of the interface (data + MAC header)

# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
#ppp_BNDWIDTH=30Kbit
#ppp_FAIRQ=YES
#ppp_TXQLEN=30
#ppp_IABURST=20
#ppp_IARATE=10Kbit
#ppp_PXMTU=1500

###############################################################################
# IP Filter setup - can pull in settings from above
###############################################################################

# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www
# to internal machines below.
IPFILTER_SWITCH=firewall

# This set of variables is used with both sets of filters
SNMP_BLOCK=YES                  # Block all SNMP (YES/NO)
# List of IP  Nos used for SNMP management
#SNMP_MANAGER_IPS="10.100.1.2"
# Fair Queuing support
# List of Mark values
MRK_CRIT=1                      # Critical traffic, routing, DNS
MRK_IA=2                        # Interactive traffic - telnet, ssh, IRC
# List of traffic types and maps to mark values
# Setting this variable turns on the
# fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route
${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain
${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"

# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
#       port forwarding when EXTERN_DYNADDR is on because some security
#       leaks will result.  You may also want to limit the external open
#       ports to domain (UDP) for DNS. Anyhow, these features are not that
#       usable unless you have a static external address
#
EXTERN_IF="eth0"                # External Interface

# Added for DHCP support
# Setting this to YES causes the dhcp client to try to configure the
# interfaces listed in IF_DHCP, and causes EXTERN_IP to be read directly
# from the interface
EXTERN_DHCP=YES                 # YES/NO

# The interface(s) to configure via dhcp
IF_DHCP=$EXTERN_IF

# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address.  Set this to NO for typical ethernet setups, even if you
# are using DHCP
EXTERN_DYNADDR=NO               # YES/NO
# - or -
# External Interface IP number...the default should be fine for most folks
eval EXTERN_IP="\${"$EXTERN_IF"_IPADDR:-""}"

# Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from the
# interface, but you aren't using DHCP (ie PPPoE and dialup users)
#EXTERN_IP=DYNAMIC

# If external interface IP is dynamic, read the configured IP address
# This should probably be moved to the init.d network script, but I put it
# here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" -o "$EXTERN_DHCP" = "Yes" -o \
     "$EXTERN_DHCP" = "yes" -o "$EXTERN_IP" = "DYNAMIC" ] ; then

# This computes the IP address of $EXTERN_IF
EXTERN_IP=`ip addr list label $EXTERN_IF | grep inet | sed '1!d' | \
    sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`

# If the external address is not configured, use a bogus address for the
# external interface to prevent a bunch of (harmless) errors that spit out
# when the IPCHAINS script is called.
if [ x$EXTERN_IP = x ]; then
EXTERN_IP=192.168.254.254
fi
fi

# Traffic to completely ignore...define here to prevent filling your logs
# Space separated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extensions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"

# Generic Services open to outside world
# Space separated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"

# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"

###############################################################################
# Internal Interface
###############################################################################
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF="eth1"                # Internal Interface
INTERN_NET=192.168.1.0/24       # One (or more) Internal network(s)
INTERN_IP=192.168.1.254         # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=YES                 # Masquerade internal network to outside
# world - YES/NO

# These services are not masqueraded from int to ext/DMZ, preventing access
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST="tcp_0/0_ssh"

# Override for above...only the listed dest IP's can be accessed
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"

###############################################################################
# Port Forwarding
###############################################################################
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#       <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1  # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
#EXTERN_SSH_PORT=24             # External port to use for internal SSH access

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: "<ipmasqadm portfw options>"
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
#INTERN_SERVER1=""
# Indexed list: "<ipmasqadm autofw options>"
#INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
#INTERN_AUTOFW1=""

###############################################################################
# DMZ setup (optional)
###############################################################################
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=NO
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24

# DMZ switches for all flavors except PRIVATE
###############################################################################
# For NAT DMZ's:
# DMZ_NET, above is likely a private IP range...DMZ_SRC should encompass the
# public IP range being NAT'd to DMZ_NET.  Any systems
DMZ_SRC=1.1.1.0/27

# For Proxy-Arp or NAT DMZ's only:
# For security, any IP's within the DMZ_NET (PROXY) or DMZ_SRC (NAT)
# specification, above, that are NOT remote systems reached via DMZ_IF must
# be listed here.  This potentially includes IP's of this LRP system, your
# gateway, and systems connected to your external interface.
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"

## Both of the following should be used together - ie if you turn on
## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!

# Allows inbound connections to high tcp ports (>1023)
# You can also allow to specific machines using 1024: (or a smaller range)
# as the dest port range in DMZ_OPEN_DEST (RECOMMENDED)
DMZ_HIGH_TCP_CONNECT=NO

## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"

# Inbound services to allow to the DMZ
# <protocol>_<destination IP/network>_<destination port or range>
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
tcp_${DMZ_NET}_domain
icmp_${DMZ_NET}_:
tcp_1.1.2.13_www"

# PRIVATE DMZ switches
###############################################################################
# Services port-forwarded to the DMZ network
# Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
#DMZ_SERVER0="udp $EXTERN_IP domain 192.168.2.1 domain"
#DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.2.1 domain"
#DMZ_SERVER2="tcp 1.2.3.13 www 192.168.2.1 www"
#DMZ_SERVER3="tcp 1.2.3.13 smtp 192.168.2.1 smtp"
#DMZ_SERVER4="tcp 1.2.3.12 www 192.168.2.1 8080"

# Allow all outbound traffic from DMZ (YES)
# or just traffic from port-forwarded servers (NO)
#DMZ_OUTBOUND_ALL=YES

###############################################################################
# Interface activation/deactivation functions
#  Here so that special interface commands can be called and daemons started
#
#  Arps can be set up here, network/host routes and so forth.
#
#  This appears to be a little messy but is needed to achieve maximum
#  functionality and flexibility.
#
###############################################################################

echo_rtepfx () {
local IFS='_'
set -- $1
echo $1
}

echo_rteargs () {
local IFS='_'
set -- $1
shift
echo $@
}

# Function to add a static NAT translation
# $1 = Name of environment variable which contains IP address
# $2 = Action (add or del)
# $3 = Base priority value
# $y = Current walklist index count
do_nat () {
local PRIORITY=$(($3 + $y ))
local ACTION=$2
eval local args=\$$1
set -- $args
ip route $ACTION nat $1 via $2
ip rule $ACTION prio $PRIORITY from $2 nat $1
}

if_up () {
local ADDR

# sort out a few things to make life easier - here so that you
# can see what is done and so that you can add anything if needed
eval local IPADDR=\${"$1"_IPADDR:-""}     # I am also a good genius
eval local MASKLEN=\${"$1"_MASKLEN:-""}
eval local BROADCAST=\${"$1"_BROADCAST:-""}
eval local PTPADDR=\${"$1"_PTPADDR:-""}
eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
eval local ROUTES=\${"$1"_ROUTES:-""}
eval local FAIRQ=\${"$1"_FAIRQ:-""}
eval local TXQLEN=\${"$1"_TXQLEN:-""}
eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
eval local BRIDGE=\${"$1"_BRIDGE:-""}
eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
if [ -n "$BROADCAST" ] ; then
IFCFG_BROADCAST="broadcast $BROADCAST"
fi

# Do dee global bridge stuff
brg_global

# Set default interface flags here - used for PPP and WAN interfaces
if_setproc default rp_filter $DEF_IP_SPOOF
if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS

# Set up each interface
case $1 in
ppp0)
pppd call provider
;;
fr*)
wanconfig card wanpipe1 dev $1 start
ip addr add $IPADDR peer $PTPADDR dev $1
ip link set $1 up
# Fair queuing - this can be selected for any interface
ip_frQoS $1
;;
nat*)
eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
walk_list $1_PAIR $INIT_INDEX do_nat add $BASE_PRI
;;
*)      # default interface startup
brg_iface $1 up $BRIDGE
[ -n "$IPADDR" ] && ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
for ADDR in $IP_EXTRA_ADDRS; do
ip addr add $ADDR dev $1
done

ip link set $1 up

case "$PROXY_ARP" in
YES|Yes|yes)
ip route flush dev $1
;;
*)
;;
esac

# Fair queuing - this can be selected for any interface
ip_QoS $1
;;
esac

for route in $ROUTES; do
ip route add `echo_rtepfx $route` dev $1 `echo_rteargs $route`
done

# Do universal interface config items here
# Default route support
[ -n "$DEFAULT_GW" ]            && ip route replace default via $DEFAULT_GW dev $1
# Set the TX Queue Length
[ -n "$TXQLEN" ]                && ip link set $1 txqlen $TXQLEN
# Spoof protection
if_setproc $1 rp_filter $IP_SPOOF
# Kernel logging of martians on this interface
if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
# Shared Media stuff
if_setproc $1 shared_media $IP_SHARED_MEDIA
# Proxy ARP support
if_setproc $1 proxy_arp $PROXY_ARP

return 0
}

if_down () {

# Do Dee global bridge stuff
brg_global

case $1 in
ppp*)
[ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
sleep 5        # Wait for pppd to die
;;
fr*)
qt ip link set $1 down
qt ip addr flush dev $1
qt wanconfig card wanpipe1 dev $1 stop
;;
nat*)
eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
walk_list $1_PAIR $INIT_INDEX do_nat del $BASE_PRI
;;
*)      # default action
brg_iface $1 down
ip link set $1 down    # This also kills any routes
qt ip addr flush dev $1
;;
esac

# Clean up any QoS/fair queuing stuff
ip_QoSclear $1

true

}       #END if_down

###############################################################################
# Hostname                                      Requires: CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=firewall

###############################################################################
# Hosts file (Static domainname entries)        Requires: CONFIG_HOSTSFILE=YES
###############################################################################
#       IP              FQDN                            hostname alias1 alias2..
HOSTS0="$eth1_IPADDR    $HOSTNAME.private.network       $HOSTNAME fw"
#HOSTS1="192.168.1.22   host2.private.network           host2 h2"

###############################################################################
# Domain Search Order and Name Servers          Requires: CONFIG_DNS=YES
###############################################################################

DOMAINS="private.network"

DNS0=127.0.0.1
#DNS0=Your.Primary.DNS.Server
#DNS1=Your.Secondary.DNS.Server

##############################################################################
#Ignored Traffic:
##############################################################################

SILENT_DENY="17_10.40.32.1_68"
SILENT_DENY="all_224.0.0.0/4"

###############################################################################
# QoS/Fair queuing functions
###############################################################################

ip_QoSclear () {
[ -x /sbin/tc ]                 && qt tc qdisc del dev $1 root
return 0
}

ip_frQoS () {

# Set some variables
eval local FAIRQ=\${"$1"_FAIRQ:-""}
eval local BULKRATE=\${"$1"_BULKRATE:-""}
eval local BULKBURST=\${"$1"_BULKBURST:-""}
eval local FRBURST=\${"$1"_FRBURST:-""}
eval local HNDL=\${"$1"_HNDL:-""}
eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
eval local IARATE=\${"$1"_IARATE:-""}
eval local IABURST=\${"$1"_IABURST:-""}
eval local PXMTU=\${"$1"_PXMTU:-""}


if [ ! -x /sbin/tc ]; then
return 1
fi

if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
then
return 1
fi

if [ -z "$BULKRATE" -o -z "$FRBURST" -o -z "$HNDL" -o -z "$PXMTU" \
    -o -z "$BNDWIDTH" -o -z "$IARATE" -o -z "$IABURST" -o -z "$BULKBURST" ]; then
tc qdisc replace dev $1 root sfq
return 0
fi

# Attach CBQ to device
tc qdisc add dev $1 root handle $HNDL: cbq \
    bandwidth $BNDWIDTH avpkt 1000
# Set up classes
# Bulk class
tc class add dev $1 parent $HNDL:0 classid :1 est 1sec 8sec cbq \
    bandwidth $BNDWIDTH rate $BULKRATE allot $PXMTU bounded weight 1 prio 6 \
    avpkt 1000 maxburst $BULKBURST split $HNDL:0 defmap ff7f
tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
# Interactive Class
tc class add dev $1 parent $HNDL:0 classid :2 est 2sec 16sec cbq \
    bandwidth $BNDWIDTH rate $IARATE allot $PXMTU bounded weight 1 prio 6 \
    avpkt 1000 maxburst $IABURST split $HNDL:0 defmap 80
tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
# Priority class
tc class add dev $1 parent $HNDL:0 classid :3 est 1sec 8sec cbq \
    bandwidth $BNDWIDTH rate $FRBURST allot $PXMTU bounded weight 1 prio 1 \
    avpkt 1000 maxburst 21
tc qdisc add dev $1 parent $HNDL:3 pfifo
# Add filters
tc filter add dev $1 parent $HNDL:0 protocol ip priority 50 \
    handle $MRK_CRIT fw classid $HNDL:3
tc filter add dev $1 parent $HNDL:0 protocol ip priority 60 \
    handle $MRK_IA fw classid $HNDL:2

return 0
}

ip_QoS () {

# Set some variables
eval local HNDL=\${"$1"_HNDL:-""}
eval local FAIRQ=\${"$1"_FAIRQ:-""}
if [ -z "$FAIRQ" -a -n "$2" ]; then
local FAIRQ=$2
fi
eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
if [ -z "$BNDWIDTH" -a -n "$3" ]; then
local BNDWIDTH=$3
fi
eval local PXMTU=\${"$1"_PXMTU:-""}
if [ -z "$PXMTU" -a -n "$4" ]; then
local PXMTU=$4
fi
eval local IARATE=\${"$1"_IARATE:-""}
if [ -z "$IARATE" -a -n "$5" ]; then
local IARATE=$5
fi
eval local IABURST=\${"$1"_IABURST:-""}
if [ -z "$IABURST" -a -n "$6" ]; then
local IABURST=$6
fi

if [ ! -x /sbin/tc ]; then
return 1
fi

if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
then
return 1
fi

if [ -z "$BNDWIDTH" -o -z "$IABURST" -o -z "$IARATE" -o -z "$HNDL" \
    -o -z "$PXMTU" ]; then
tc qdisc replace dev $1 root sfq
return 0
fi

# Attach CBQ to device
tc qdisc add dev $1 root handle $HNDL: cbq \
    bandwidth $BNDWIDTH avpkt 1000
# Set up classes
# Bulk class
tc class add dev $1 parent $HNDL:0 classid :1 est 1sec 8sec cbq \
    bandwidth $BNDWIDTH rate $BNDWIDTH allot $PXMTU avpkt 1000 bounded weight 1 prio 6 \
    split $HNDL:0 defmap ff7f
tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
# Interactive class
tc class add dev $1 parent $HNDL:0 classid :2 est 2sec 16sec cbq \
    bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST allot $PXMTU avpkt 1000 bounded \
    isolated weight 1 prio 2 split $HNDL:0 defmap 80
tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
# Priority class
tc class add dev $1 parent $HNDL:0 classid :3 est 1sec 8sec cbq \
    bandwidth $BNDWIDTH rate $BNDWIDTH allot $PXMTU avpkt 1000 bounded weight 1 prio 1
tc qdisc add dev $1 parent $HNDL:3 pfifo
# Add filters
tc filter add dev $1 parent $HNDL:0 protocol ip priority 50 \
    handle $MRK_CRIT fw classid $HNDL:3
tc filter add dev $1 parent $HNDL:0 protocol ip priority 60 \
    handle $MRK_IA fw classid $HNDL:2
return 0
}

###############################################################################
# End
###############################################################################



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
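An added example (not code from the posted network.conf or from the LEAF/Dachstein scripts) showing why two SILENT_DENY lines leave only one unlogged rule: a second shell assignment replaces the first value instead of appending to it, so both entries have to sit in one assignment. It assumes each entry is <protocol>_<source IP/network>[_<destination port>], that the variable is a space-separated list like DMZ_OPEN_DEST above, and that EXTERN_IF is a constructed name for the external interface; the helpers only print the ipchains rule an entry would become and never call ipchains.

```shell
#!/bin/sh
# Added example, not part of the posted network.conf or of LEAF/Dachstein.
# Assumes a SILENT_DENY entry is <protocol>_<source IP/network>[_<dest port>]
# and that the variable is a space-separated list, as DMZ_OPEN_DEST is.

# Map a numeric protocol to the name ipchains prints; other values pass through.
proto_name () {
    case "$1" in
        1)  echo icmp ;;
        2)  echo igmp ;;
        6)  echo tcp ;;
        17) echo udp ;;
        *)  echo "$1" ;;
    esac
}

# Print the unlogged (no -l) input DENY rule that one entry describes.
silent_deny_rule () {
    local proto src port rule
    local IFS='_'
    set -- $1                               # split the entry on "_"
    proto=$(proto_name "$1"); src=$2; port=$3
    rule="ipchains -A input -i $EXTERN_IF -p $proto -s $src -d 0.0.0.0/0"
    [ -n "$port" ] && rule="$rule $port"    # "all" entries carry no port
    echo "$rule -j DENY"
}

# Print one rule per entry of the list passed in $1.
silent_deny_rules () {
    local entry
    for entry in $1; do
        silent_deny_rule "$entry"
    done
}

EXTERN_IF=eth0     # constructed value for the demonstration

# As in the posted file: the second assignment replaces the first, so only
# the multicast entry survives and the port 68 traffic is logged again.
SILENT_DENY="17_10.40.32.1_68"
SILENT_DENY="all_224.0.0.0/4"
count_as_posted () { silent_deny_rules "$SILENT_DENY" | wc -l | tr -d ' '; }

# One assignment holding both entries keeps both rules.
SILENT_DENY_BOTH="17_10.40.32.1_68 all_224.0.0.0/4"
count_combined () { silent_deny_rules "$SILENT_DENY_BOTH" | wc -l | tr -d ' '; }

count_as_posted    # prints 1
count_combined     # prints 2
```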
