I forgot to add this with one of the previous commits.
This is the rewrite of the setting rules using custom chains.
This also utilizes the newly added protocol support.
+++ /dev/null
-# fss-0002
-# valid direction: input, output, forward, postrouting, prerouting, none
-# valid device: all, this, (any device name goes here without parenthesis)
-# valid action: append, insert, policy, none
-
-first:
- # initialize the firewall
- direction none
- device all
- action none
-
- rule -F
- rule -X
- rule -Z
- rule -t nat -F
- rule -t mangle -F
-
- # setup initial operations
- direction input
- device all
- action append
-
-
- # Enable ALL local connections (loopback)
- device lo
- direction output
- rule -j ACCEPT
-
- direction input
- rule -j ACCEPT
- device all
-
- # the above loopback rules should catch all true loopback connections
- # the following loopback rules will only catch anything if a loopback spoofing is happending
- # therefore, do not allow spoof by REJECTing
- device lo
- direction input
- rule -s 127.0.0.1 -j REJECT
- rule -d 127.0.0.1 -j REJECT
- device all
-
-
- # the ip_list command will search for a file in the network settings directory and then apply an action of each of the ip addresses in the file
- # the file is simply a set of ip addresses separated by whitespace, preferable each on a newline
- # either 'source' or 'destination' must follow the ip_list
- # following 'source' or 'destination' is the filename
- # this is primarily for whitelisting and blacklisting, below are whitelist & blacklist usage cases
- ip_list source default-whitelist -j ACCEPT
- ip_list source default-blacklist -j REJECT
- ip_list destination default-whitelist -j ACCEPT
- ip_list destination default-blacklist -j REJECT
-
-
- ## Explicitly deny dhcp renewals
- #rule -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j REJECT
-
-
- ## Log Network Time Protocol Traffic
- #direction output
- #rule -p udp --sport 123 --dport 123 -j LOG --log-prefix "TRAFFIC:NTP "
- #
- #direction input
- #rule -p udp --sport 123 --dport 123 -j LOG --log-prefix "TRAFFIC:NTP "
-
-
- ## Log DHCP Client Traffic
- #$I -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j LOG --log-prefix "TRAFFIC:DHCP "
-
-
- ## Log Web Traffic
- #direction output
- #rule -p tcp --sport 80 -j LOG --log-prefix "TRAFFIC:WEB "
- #
- #direction input
- #rule -p tcp --dport 80 -j LOG --log-prefix "TRAFFIC:WEB "
-
-
- ## Log SSH Traffic
- #direction output
- #rule -p tcp --sport 22 -j LOG --log-prefix "TRAFFIC:SSH "
- #
- #direction input
- #rule -p tcp --dport 22 -j LOG --log-prefix "TRAFFIC:SSH "
-
-
- ## Log VNC Traffic
- # (uses more than just 5900, so this is a little incomplete)
- #direction output
- #rule -p tcp --sport 5900 -j LOG --log-prefix "TRAFFIC:VNC "
- #
- #direction input
- #rule -p tcp --dport 5900 -j LOG --log-prefix "TRAFFIC:VNC "
-
-
- # Allow ALL input connections that have already been established by this host
- rule -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-
- ## Drop all broadcast and multicast packets sent to this machine
- #rule -m addrtype --dst-type BROADCAST,MULTICAST -j REJECT
-
-
- ## global forwarding (to/from eth1)
- #direction forward
- #rule -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1
- #rule -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth1
- #direction input
-
-
- ## masquerading
- #direction postrouting
- #rule -t nat -o eth0 -j MASQUERADE
- #direction input
-
-
- ## Supply a DMZ to all things to an entire subnet of 192.168.1.0 for eth0
- #direction prerouting
- #rule -t nat -j DNAT --to-destination 192.168.1.0-192.168.1.254 -i eth0
- #direction input
-
-
- ## Change the source address before packet leaves the machine
- #direction postrouting
- #rule -t nat -j SNAT --to-source 222.111.222.11 -o eth0
- #direction input
-
- # Prevent an XMAS attack
- rule -p tcp --tcp-flags ALL ALL -j DROP
-
- # Prevent NULL attack
- rule -p tcp --tcp-flags ALL NONE -j DROP
-
- # Force SYN packets check
- rule -p tcp ! --syn -m state --state NEW -j DROP
-
- ## Open Moko usb network support (host=eth0 openmoko=usb0)
- #direction postrouting
- #rule -t nat -o eth0 -j MASQUERADE
- #direction forward
- #rule -j ACCEPT -o usb0
- #rule -j ACCEPT -i usb0
- #direction input
-
-
- # 113 = identd, firewalling this is safer as well as reducing clutter from ftp-servers and chat programs
- rule -p tcp --dport 113 -j REJECT
-
-
- ## Log all dropped packets for debug purposes
- #rule 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
-
-
- # Drop all INVALID packets so they aren't even processed
- action insert
- direction output
- rule -m state --state INVALID -j REJECT
-
- direction input
- rule -m state --state INVALID -j REJECT
- action append
-
-
- # Disable X's Open Port
- # Will X server work with this blocked? Is this needed for X11 Fowarding?
- #direction output
- #rule -p tcp --dport 6000 -j REJECT
- #direction input
- rule -p tcp --dport 6000 -j REJECT
-
-
- ## Prevent IP-Spoof attacks (should not come from outside the network, and therefore should only be enabled on a machine that has access outside network) (eth0 = outside network)
- #rule -s 10.0.0.0/8 -j REJECT -i eth0
- #rule -s 172.16.0.0/12 -j REJECT -i eth0
- #rule -s 192.168.0.0/16 -j REJECT -i eth0
-
-
- # Allow dhcp client renewels. If these are blocked, you will not be able to renew easily
- rule -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
-
-
- # Allow Network Time Protocal Communication
- #direction output
- #rule -p udp --sport 123 --dport 123 -j ACCEPT
- #direction input
-
-
- ## Allows for Samba/Windows Shared Network Communication
- ## By default this is set to REJECT, because window shares generally flood the network, which would then flood the firewall rules making them hard to see
- ## Windows Ports Uses, and these should never be allowed on WORLD:
- ## tcp 136 = Profile Naming System
- ## UDP 137 = NETBIOS Name Service
- ## UDP 138 = NETBIOS Datagram Service
- ## TCP 139 = NETBIOS Session Service
- ## TCP 445 = Windows File and Print Sharing
- ## TCP/UDP 593 = DCE endpoint resolution, mirror of 135
- #rule -p tcp --dport 136 -j REJECT
- #rule -p udp --dport 137 -j REJECT
- #rule -p udp --dport 138 -j REJECT
- #rule -p tcp --dport 139 -j REJECT
- #rule -p tcp --dport 445 -j REJECT
- #rule -p tcp --sport 136 -j REJECT
- #rule -p udp --sport 137 -j REJECT
- #rule -p udp --sport 138 -j REJECT
- #rule -p tcp --sport 139 -j REJECT
- #rule -p tcp --sport 445 -j REJECT
-
-
- ## ICMP ping/pong (receiving pings)
- #rule -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
-
-
- ## iSCSI Target
- #rule -p tcp --dport 3260 -j ACCEPT
-
-
-last:
- # setup initial operations
- direction input
- device all
- action append
-
-
- ## allow Well-known port output: 0-1023
- #rule -p tcp --dport 0:1023 -j ACCEPT
- #rule -p udp --dport 0:1023 -j ACCEPT
-
-
- ## allow registered ports: 1024-49151
- #rule -p tcp --dport 1024:49151 -j ACCEPT
- #rule -p udp --dport 1024:49151 -j ACCEPT
-
-
- ## allow all other ports: 49152-61000
- ## For ease of the uneducated, enable these by default
- rule -p tcp --dport 49152:61000 -j ACCEPT
- rule -p udp --dport 49152:61000 -j ACCEPT
-
-
- ## allow all other ports: 61001-65535
- ## For ease of the uneducated, enable these by default
- rule -p tcp --dport 61001:65535 -j ACCEPT
- rule -p udp --dport 61001:65535 -j ACCEPT
-
- # Log everything else (input)
- # everything that reaches this point without being accepted, reject, or otherwise handled will be logged
- rule -j LOG --log-prefix "FIREWALL:INPUT "
-
- # now handle output rules
- direction output
-
- # allow Well-known port output: 0-1023
- rule -p tcp --dport 0:1023 -j ACCEPT
- rule -p udp --dport 0:1023 -j ACCEPT
-
-
- # allow registered ports: 1024-49151
- rule -p tcp --dport 1024:49151 -j ACCEPT
- rule -p udp --dport 1024:49151 -j ACCEPT
-
-
- # allow all other ports: 49152-61000
- # For ease of the uneducated, enable these by default
- rule -p tcp --dport 49152:61000 -j ACCEPT
- rule -p udp --dport 49152:61000 -j ACCEPT
-
-
- # allow all other ports: 61001-65535
- # For ease of the uneducated, enable these by default
- rule -p tcp --dport 61001:65535 -j ACCEPT
- rule -p udp --dport 61001:65535 -j ACCEPT
-
- ## Log everything else (output)
- #rule -j LOG --log-prefix "FIREWALL:OUTPUT "
-
- # allow icmp output, such as pings
- rule -p icmp -j ACCEPT
-
- # the catch-all policies
- action policy
- direction input
- rule DROP
-
- direction output
- rule DROP
-
- direction forward
- rule DROP
-
-stop:
- device all
- action policy
-
- direction input
- rule ACCEPT
-
- direction output
- rule ACCEPT
-
- direction forward
- rule ACCEPT
-
- direction none
- action none
- rule --flush
- rule -t nat --flush
- rule -t mangle --flush
- rule --delete-chain
- rule -t nat --delete-chain
- rule -t mangle --delete-chain
-
-lock:
- device all
- action policy
-
- direction input
- rule DROP
-
- direction output
- rule DROP
-
- direction forward
- rule DROP
-
- direction none
- action none
- rule --flush
- rule -t nat --flush
- rule -t mangle --flush
- rule --delete-chain
- rule -t nat --delete-chain
- rule -t mangle --delete-chain
-
- action insert
- direction input
- device lo
- rule -j ACCEPT
-
- direction output
- device lo
- rule -j ACCEPT
# fss-0002
main:
- # setup initial operations
- direction input
device this
- action append
-
+ direction input
# Define a blacklist and a whitelist, put ip addresses in the file named 'example-device-whitelist' separated by whitespace to whitelist an ip address
- ip_list source example-device-whitelist -j ACCEPT
- ip_list source example-device-blacklist -j REJECT
- ip_list destination example-device-whitelist -j ACCEPT
- ip_list destination example-device-blacklist -j REJECT
+ #ip_list source example-device-whitelist -j ACCEPT
+ #ip_list source example-device-blacklist -j REJECT
+ #ip_list destination example-device-whitelist -j ACCEPT
+ #ip_list destination example-device-blacklist -j REJECT
- ## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion)
- ## is tcp needed?
- #direction output
- #rule -p udp --dport 53 -j ACCEPT
- #direction input
- #rule -p udp --dport 53 -j ACCEPT
-
+input-tcp:
+ device this
+ direction input
+ protocol tcp
## Http / Web
- #rule -p tcp --dport 80 --j LOG --log-prefix "TRAFFIC:WEB "
- #rule -p tcp --dport 80 -j ACCEPT
+ #rule --dport 80 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB "
+ #rule --dport 80 -m state --state NEW -j ACCEPT
+ ## Http / Web redirect to Https / Secure Web
+ #direction prerouting-input
+ #rule -t nat --dport 80 -m state --state NEW -j REDIRECT --to-port 443
+ #direction input
## Https / Secure Web
- #rule -p tcp --dport 443 --j LOG --log-prefix "TRAFFIC:WEB "
- #rule -p tcp --dport 443 -j ACCEPT
-
+ #rule --dport 443 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB "
+ #rule --dport 443 -m state --state NEW -j ACCEPT
## MySQL
- #rule -p tcp --dport 3306 -j ACCEPT
-
+ #rule --dport 3306 -m state --state NEW -j ACCEPT
## Music Player Daemon
- #rule -p tcp --dport 6600 -j ACCEPT
-
+ #rule --dport 6600 -m state --state NEW -j ACCEPT
## Camsource
- #rule -p tcp --dport 9192 -j ACCEPT
-
+ #rule --dport 9192 -m state --state NEW -j ACCEPT
## Cups Printer Administration
- #rule -p tcp --dport 631 -j ACCEPT
-
+ #rule --dport 631 -m state --state NEW -j ACCEPT
## Ssh (OpenSSH)
- #rule -p tcp --dport 22 -j LOG --log-prefix "TRAFFIC:SSH "
- #rule -p tcp --dport 22 -j ACCEPT
-
+ #rule --dport 22 -m state --state NEW -j LOG --log-prefix "TRAFFIC:SSH "
+ #rule --dport 22 -m state --state NEW -j ACCEPT
## clamd (Clam Antivirus) - remote access, not needed for normal
- #rule -p tcp --dport 3310 -j ACCEPT
-
+ #rule --dport 3310 -m state --state NEW -j ACCEPT
## Virtual Network Client Server (add 1 for each seperat vnc server)
- #rule -p tcp --dport 5900 -j ACCEPT
-
+ #rule --dport 5900 -m state --state NEW -j ACCEPT
## Printer Port, is probably open...safer to close unless you are SERVING a printer
- #rule -p tcp --dport 515 -j REJECT
-
+ #rule --dport 515 -m state --state NEW -j REJECT
## Subversion server
- #rule -p tcp --dport 3690 -j ACCEPT
- #rule -p udp --dport 3690 -j ACCEPT
-
+ #rule --dport 3690 -m state --state NEW -j ACCEPT
## Silc server
- #rule -p tcp --dport 706 -j ACCEPT
+ #rule --dport 706 -m state --state NEW -j ACCEPT
+
+ ## Worms of Prey
+ #rule --dport 47288 -m state --state NEW -j ACCEPT
+
+ ## Git Daemon
+ #rule --dport 9418 -m state --state NEW -j ACCEPT
+
+
+input-udp:
+ device this
+ direction input
+ protocol udp
+
+ ## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion)
+ #rule --dport 53 -m state --state NEW -j ACCEPT
+
+ ## DHCP Server
+ #rule -m state --state NEW --dport 67 --sport 68 -j ACCEPT
+ #rule -m state --state NEW --dport 68 --sport 67 -j ACCEPT
+ ## Subversion server
+ #rule --dport 3690 -m state --state NEW -j ACCEPT
## Worms of Prey
- #rule -p tcp --dport 47288 -j ACCEPT
- #rule -p udp --sport 47288:47544 -j ACCEPT
- #rule -p udp --dport 47288:47544 -j ACCEPT
+ #rule --sport 47288:47544 -m state --state NEW -j ACCEPT
+ #rule --dport 47288:47544 -m state --state NEW -j ACCEPT
+
+
+input-icmp:
+ device this
+ direction input
+ protocol icmp
+
+ # allow all icmp input, such as pings
+ #rule -m state --state NEW -j ACCEPT
+
+ # allow icmp: echo reply (outbound ping)
+ ##rule --icmp-type 0 -m state --state NEW -j ACCEPT
+
+ # allow icmp: destination unreachable
+ #rule --icmp-type 3 -m state --state NEW -j ACCEPT
+
+ # allow icmp: source quench
+ #rule --icmp-type 4 -m state --state NEW -j ACCEPT
+
+ # allow icmp: redirect
+ #rule --icmp-type 5 -m state --state NEW -j ACCEPT
+
+ # allow icmp: echo request (inbound ping)
+ #rule --icmp-type 8 -m state --state NEW -j ACCEPT
+
+ # allow icmp: router advertisement
+ #rule --icmp-type 9 -m state --state NEW -j ACCEPT
+
+ # allow icmp: router Solicitation
+ #rule --icmp-type 10 -m state --state NEW -j ACCEPT
+
+ # allow icmp: time exceeded
+ #rule --icmp-type 11 -m state --state NEW -j ACCEPT
+
+ # allow icmp: bad ip header
+ #rule --icmp-type 12 -m state --state NEW -j ACCEPT
+
+ # allow icmp: timestamp
+ #rule --icmp-type 13 -m state --state NEW -j ACCEPT
+
+ # allow icmp: timestamp reply
+ #rule --icmp-type 14 -m state --state NEW -j ACCEPT
+
+ # allow icmp: information request
+ #rule --icmp-type 15 -m state --state NEW -j ACCEPT
+
+ # allow icmp: information reply
+ #rule --icmp-type 16 -m state --state NEW -j ACCEPT
+
+ # allow icmp: address request
+ #rule --icmp-type 17 -m state --state NEW -j ACCEPT
+
+ # allow icmp: address reply
+ #rule --icmp-type 18 -m state --state NEW -j ACCEPT
+
+ # allow icmp: traceroute
+ #rule --icmp-type 30 -m state --state NEW -j ACCEPT
+
+
+output-tcp:
+ device this
+ direction output
+ protocol tcp
+
+
+output-udp:
+ device this
+ direction output
+ protocol udp
+
+ ## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion)
+ #rule --dport 53 -m state --state NEW -j ACCEPT
+
+ ## DHCP Server
+ #rule -m state --state NEW --dport 67 --sport 68 -j ACCEPT
+
+
+output-icmp:
+ device this
+ direction output
+ protocol icmp
+
+
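Review bot: The commented Worms of Prey example in `input-udp:` (`#rule --sport 47288:47544 -m state --state NEW -j ACCEPT`) would accept new inbound UDP on the basis of the remote source port alone, which the remote end chooses freely, so enabling it as written opens every local UDP port to any sender using that source range. If the game genuinely needs inbound traffic the rule should also carry a `--dport` match, and a comment would stop the next person from uncommenting it as-is, e.g. `## NOTE: matching only --sport trusts the peer's port choice; add a --dport match before enabling`. The comment above the ip_list lines in `main:` still tells the reader they define a whitelist and blacklist, but this commit comments those lines out; reword it to say they are disabled examples (e.g. `# Example whitelist/blacklist, disabled by default: uncomment and fill the named files to enable`).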
--- /dev/null
+# fss-0002
+# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none
+# valid device: all, this, (any device name goes here without parenthesis)
+# valid action: append, insert, policy, none
+# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp)
+
+main:
+ # initialize the firewall
+ direction none
+ action none
+
+ rule -F
+ rule -Z
+ rule -t nat -F
+ rule -t mangle -F
+
+ # setup initial operations
+ direction input
+ action append
+
+
+ # Enable ALL local connections (loopback)
+ device lo
+ direction output
+ rule -j ACCEPT
+
+ direction input
+ rule -j ACCEPT
+ device all
+
+ # the above loopback rules should catch all true loopback connections
+ # the following loopback rules will only catch anything if a loopback spoofing is happending
+ # therefore, do not allow spoof by DROPing
+ #rule -s 127.0.0.1 -j DROP
+ #rule -d 127.0.0.1 -j DROP
+
+
+ # Drop all INVALID packets so they aren't even processed
+ direction output
+ rule -m state --state INVALID -j DROP
+
+ direction input
+ rule -m state --state INVALID -j DROP
+
+
+ # Allow ALL input&output connections that have already been established by this host
+ direction output
+ rule -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ direction input
+ rule -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+ # send all tcp packets to the tcp queue
+ direction output
+ protocol tcp
+ rule -m state --state NEW -j output-tcp
+
+ direction input
+ rule -m state --state NEW -j input-tcp
+
+
+ # send all udp packets to the udp queue
+ direction output
+ protocol udp
+ rule -m state --state NEW -j output-udp
+
+ direction input
+ rule -m state --state NEW -j input-udp
+
+
+ # send all tcp packets to the tcp queue
+ direction output
+ protocol icmp
+ rule -m state --state NEW -j output-icmp
+
+ direction input
+ rule -m state --state NEW -j input-icmp
+
+
+input-tcp:
+ direction input
+ protocol tcp
+
+ # Prevent an XMAS attack
+ rule --tcp-flags ALL ALL -j DROP
+
+ # Prevent NULL attack
+ rule --tcp-flags ALL NONE -j DROP
+
+
+input-udp:
+ direction input
+ protocol udp
+
+ # Allow dhcp client renewals. If these are blocked, you will not be able to renew easily
+ rule -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
+
+
+input-icmp:
+ direction input
+ protocol icmp
+
+
+output-tcp:
+ direction output
+ protocol tcp
+
+
+output-udp:
+ direction output
+ protocol udp
+
+
+output-icmp:
+ direction output
+ protocol icmp
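Review bot: The DHCP client rule in `input-udp:` (`rule -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT`) only matches replies whose source address is 0.0.0.0, but as far as I know a DHCP server answers from its own address on port 67, and broadcast offers are unlikely to be tracked as ESTABLISHED, so they arrive as NEW and fall through to the DROP policy in the companion file; `rule --sport 67 --dport 68 -j ACCEPT` would match real server traffic while staying restricted to the DHCP ports. The comment `# send all tcp packets to the tcp queue` above the `protocol icmp` dispatch is a copy-paste leftover and should read `# send all icmp packets to the icmp queue`. The anti-spoof comment `# therefore, do not allow spoof by DROPing` now sits above two commented-out rules, so the file no longer does what the comment says; either re-enable them or note in the comment that they are disabled.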
--- /dev/null
+# fss-0002
+# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none
+# valid device: all, this, (any device name goes here without parenthesis)
+# valid action: append, insert, policy, none
+# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp)
+
+main:
+ direction input
+
+ # Log everything else (input)
+ # everything that reaches this point without being accepted, reject, or otherwise handled will be logged
+ rule -m state --state NEW -j LOG --log-prefix "FIREWALL:INPUT "
+
+ direction output
+
+ ## Log everything else (output)
+ #rule -j LOG --log-prefix "FIREWALL:OUTPUT "
+
+ # the catch-all policies
+ action policy
+ direction input
+ rule DROP
+
+ direction output
+ rule DROP
+
+ direction forward
+ rule DROP
+
+
+input-tcp:
+ direction output
+ protocol tcp
+
+ ## allow Well-known port output: 0-1023
+ #rule --dport 0:1023 -m state --state NEW -j ACCEPT
+
+ ## allow registered ports: 1024-49151
+ #rule --dport 1024:49151 -m state --state NEW -j ACCEPT
+
+ ## allow all other ports: 49152-61000
+ ## For ease of the uneducated, enable these by default
+ #rule --dport 49152:61000 -m state --state NEW -j ACCEPT
+
+ ## allow all other ports: 61001-65535
+ ## For ease of the uneducated, enable these by default
+ #rule --dport 61001:65535 -m state --state NEW -j ACCEPT
+
+
+output-tcp:
+ direction output
+ protocol tcp
+
+ # allow Well-known port output: 0-1023
+ rule --dport 0:1023 -m state --state NEW -j ACCEPT
+
+ # allow registered ports: 1024-49151
+ rule --dport 1024:49151 -m state --state NEW -j ACCEPT
+
+ # allow all other ports: 49152-61000
+ # For ease of the uneducated, enable these by default
+ rule --dport 49152:61000 -m state --state NEW -j ACCEPT
+
+ # allow all other ports: 61001-65535
+ # For ease of the uneducated, enable these by default
+ rule --dport 61001:65535 -m state --state NEW -j ACCEPT
+
+
+input-udp:
+ direction input
+ protocol udp
+
+ ## allow Well-known port output: 0-1023
+ #rule --dport 0:1023 -m state --state NEW -j ACCEPT
+
+ ## allow registered ports: 1024-49151
+ #rule --dport 1024:49151 -m state --state NEW -j ACCEPT
+
+ ## allow all other ports: 49152-61000
+ ## For ease of the uneducated, enable these by default
+ #rule --dport 49152:61000 -m state --state NEW -j ACCEPT
+
+ ## allow all other ports: 61001-65535
+ ## For ease of the uneducated, enable these by default
+ #rule --dport 61001:65535 -m state --state NEW -j ACCEPT
+
+
+output-udp:
+ direction output
+ protocol udp
+
+ # allow Well-known port output: 0-1023
+ rule --dport 0:1023 -m state --state NEW -j ACCEPT
+
+ # allow registered ports: 1024-49151
+ rule --dport 1024:49151 -m state --state NEW -j ACCEPT
+
+ # allow all other ports: 49152-61000
+ # For ease of the uneducated, enable these by default
+ rule --dport 49152:61000 -m state --state NEW -j ACCEPT
+
+ # allow all other ports: 61001-65535
+ # For ease of the uneducated, enable these by default
+ rule --dport 61001:65535 -m state --state NEW -j ACCEPT
+
+
+input-icmp:
+ direction input
+ protocol icmp
+
+ # allow all icmp input, such as pings
+ #rule -m state --state NEW -j ACCEPT
+
+ # allow icmp: echo reply (outbound ping)
+ #rule --icmp-type 0 -m state --state NEW -j ACCEPT
+
+ # allow icmp: destination unreachable
+ rule --icmp-type 3 -m state --state NEW -j ACCEPT
+
+ # allow icmp: source quench
+ rule --icmp-type 4 -m state --state NEW -j ACCEPT
+
+ # allow icmp: redirect
+ rule --icmp-type 5 -m state --state NEW -j ACCEPT
+
+ # allow icmp: echo request (inbound ping)
+ rule --icmp-type 8 -m state --state NEW -j ACCEPT
+
+ # allow icmp: router advertisement
+ rule --icmp-type 9 -m state --state NEW -j ACCEPT
+
+ # allow icmp: router Solicitation
+ rule --icmp-type 10 -m state --state NEW -j ACCEPT
+
+ # allow icmp: time exceeded
+ rule --icmp-type 11 -m state --state NEW -j ACCEPT
+
+ # allow icmp: bad ip header
+ rule --icmp-type 12 -m state --state NEW -j ACCEPT
+
+ # allow icmp: timestamp
+ rule --icmp-type 13 -m state --state NEW -j ACCEPT
+
+ # allow icmp: timestamp reply
+ rule --icmp-type 14 -m state --state NEW -j ACCEPT
+
+ # allow icmp: information request
+ rule --icmp-type 15 -m state --state NEW -j ACCEPT
+
+ # allow icmp: information reply
+ rule --icmp-type 16 -m state --state NEW -j ACCEPT
+
+ # allow icmp: address request
+ rule --icmp-type 17 -m state --state NEW -j ACCEPT
+
+ # allow icmp: address reply
+ rule --icmp-type 18 -m state --state NEW -j ACCEPT
+
+ # allow icmp: traceroute
+ #rule --icmp-type 30 -m state --state NEW -j ACCEPT
+
+
+output-icmp:
+ direction output
+ protocol icmp
+
+ # allow icmp output, such as pings
+ rule -m state --state NEW -j ACCEPT
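Review bot: The `input-tcp:` header in this file sets `direction output` while its sibling `input-udp:` and the same chain in the initialisation file use `direction input`; if the direction decides which built-in chain the custom chain hangs off, any rule later uncommented here lands on the wrong side, so it should read `direction input`. The `input-icmp:` chain accepts redirect (type 5), router advertisement/solicitation (9, 10), timestamp (13, 14), information (15, 16) and address mask (17, 18) requests by default; redirects can change the host's routing and the timestamp/mask types mainly disclose host details, so these are commonly left blocked on an end host and at least deserve a comment explaining why they are enabled. The unbounded `rule -m state --state NEW -j LOG --log-prefix "FIREWALL:INPUT "` in `main:` logs every new unmatched packet, which lets a remote scan fill the log; `rule -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FIREWALL:INPUT "` keeps the signal while bounding the volume. The `## allow Well-known port output: 0-1023` labels in `input-tcp:` and `input-udp:` describe output rules inside input chains.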
--- /dev/null
+# fss-0002
+# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none
+# valid device: all, this, (any device name goes here without parenthesis)
+# valid action: append, insert, policy, none
+# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp)
+
+stop:
+ action policy
+
+ direction input
+ rule ACCEPT
+
+ direction output
+ rule ACCEPT
+
+ direction forward
+ rule ACCEPT
+
+ direction none
+ action none
+ rule --flush
+ rule -t nat --flush
+ rule -t mangle --flush
+ rule --delete-chain
+ rule -t nat --delete-chain
+ rule -t mangle --delete-chain
+
+lock:
+ action policy
+
+ direction input
+ rule DROP
+
+ direction output
+ rule DROP
+
+ direction forward
+ rule DROP
+
+ direction none
+ action none
+ rule --flush
+ rule -t nat --flush
+ rule -t mangle --flush
+ rule --delete-chain
+ rule -t nat --delete-chain
+ rule -t mangle --delete-chain
+
+ action insert
+ direction input
+ device lo
+ rule -j ACCEPT
+
+ direction output