From da2b5e9d13d0895c929bae8f9963cc5a4a5e383d Mon Sep 17 00:00:00 2001 From: Kevin Day Date: Thu, 7 Jun 2012 19:39:11 -0500 Subject: [PATCH] Update: add the new default/example firewall setting files I forgot to add this with one of the previous commits. This is the rewrite of the setting rules using custom chains. This also utilizes the newly added protocol support. --- level_3/firewall/data/settings/default-firewall | 340 --------------------- .../firewall/data/settings/example-device-firewall | 178 ++++++++--- level_3/firewall/data/settings/firewall-first | 117 +++++++ level_3/firewall/data/settings/firewall-last | 168 ++++++++++ level_3/firewall/data/settings/firewall-other | 54 ++++ 5 files changed, 473 insertions(+), 384 deletions(-) delete mode 100644 level_3/firewall/data/settings/default-firewall create mode 100644 level_3/firewall/data/settings/firewall-first create mode 100644 level_3/firewall/data/settings/firewall-last create mode 100644 level_3/firewall/data/settings/firewall-other diff --git a/level_3/firewall/data/settings/default-firewall b/level_3/firewall/data/settings/default-firewall deleted file mode 100644 index 37bf801..0000000 --- a/level_3/firewall/data/settings/default-firewall +++ /dev/null 
@@ -1,340 +0,0 @@ -# fss-0002 -# valid direction: input, output, forward, postrouting, prerouting, none -# valid device: all, this, (any device name goes here without parenthesis) -# valid action: append, insert, policy, none - -first: - # initialize the firewall - direction none - device all - action none - - rule -F - rule -X - rule -Z - rule -t nat -F - rule -t mangle -F - - # setup initial operations - direction input - device all - action append - - - # Enable ALL local connections (loopback) - device lo - direction output - rule -j ACCEPT - - direction input - rule -j ACCEPT - device all - - # the above loopback rules should catch all true loopback connections - # the following loopback rules will only catch anything if a loopback spoofing is happending - # therefore, do not allow spoof by REJECTing - device lo - direction input - rule -s 127.0.0.1 -j REJECT - rule -d 127.0.0.1 -j REJECT - device all - - - # the ip_list command will search for a file in the network settings directory and then apply an action of each of the ip addresses in the file - # the file is simply a set of ip addresses separated by whitespace, preferable each on a newline - # either 'source' or 'destination' must follow the ip_list - # following 'source' or 'destination' is the filename - # this is primarily for whitelisting and blacklisting, below are whitelist & blacklist usage cases - ip_list source default-whitelist -j ACCEPT - ip_list source default-blacklist -j REJECT - ip_list destination default-whitelist -j ACCEPT - ip_list destination default-blacklist -j REJECT - - - ## Explicitly deny dhcp renewals - #rule -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j REJECT - - - ## Log Network Time Protocol Traffic - #direction output - #rule -p udp --sport 123 --dport 123 -j LOG --log-prefix "TRAFFIC:NTP " - # - #direction input - #rule -p udp --sport 123 --dport 123 -j LOG --log-prefix "TRAFFIC:NTP " - - - ## Log DHCP Client Traffic - #$I -p udp -s 0.0.0.0 --sport 67 -d 
255.255.255.255 --dport 68 -j LOG --log-prefix "TRAFFIC:DHCP " - - - ## Log Web Traffic - #direction output - #rule -p tcp --sport 80 -j LOG --log-prefix "TRAFFIC:WEB " - # - #direction input - #rule -p tcp --dport 80 -j LOG --log-prefix "TRAFFIC:WEB " - - - ## Log SSH Traffic - #direction output - #rule -p tcp --sport 22 -j LOG --log-prefix "TRAFFIC:SSH " - # - #direction input - #rule -p tcp --dport 22 -j LOG --log-prefix "TRAFFIC:SSH " - - - ## Log VNC Traffic - # (uses more than just 5900, so this is a little incomplete) - #direction output - #rule -p tcp --sport 5900 -j LOG --log-prefix "TRAFFIC:VNC " - # - #direction input - #rule -p tcp --dport 5900 -j LOG --log-prefix "TRAFFIC:VNC " - - - # Allow ALL input connections that have already been established by this host - rule -m state --state ESTABLISHED,RELATED -j ACCEPT - - - ## Drop all broadcast and multicast packets sent to this machine - #rule -m addrtype --dst-type BROADCAST,MULTICAST -j REJECT - - - ## global forwarding (to/from eth1) - #direction forward - #rule -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 - #rule -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth1 - #direction input - - - ## masquerading - #direction postrouting - #rule -t nat -o eth0 -j MASQUERADE - #direction input - - - ## Supply a DMZ to all things to an entire subnet of 192.168.1.0 for eth0 - #direction prerouting - #rule -t nat -j DNAT --to-destination 192.168.1.0-192.168.1.254 -i eth0 - #direction input - - - ## Change the source address before packet leaves the machine - #direction postrouting - #rule -t nat -j SNAT --to-source 222.111.222.11 -o eth0 - #direction input - - # Prevent an XMAS attack - rule -p tcp --tcp-flags ALL ALL -j DROP - - # Prevent NULL attack - rule -p tcp --tcp-flags ALL NONE -j DROP - - # Force SYN packets check - rule -p tcp ! 
--syn -m state --state NEW -j DROP - - ## Open Moko usb network support (host=eth0 openmoko=usb0) - #direction postrouting - #rule -t nat -o eth0 -j MASQUERADE - #direction forward - #rule -j ACCEPT -o usb0 - #rule -j ACCEPT -i usb0 - #direction input - - - # 113 = identd, firewalling this is safer as well as reducing clutter from ftp-servers and chat programs - rule -p tcp --dport 113 -j REJECT - - - ## Log all dropped packets for debug purposes - #rule 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID " - - - # Drop all INVALID packets so they aren't even processed - action insert - direction output - rule -m state --state INVALID -j REJECT - - direction input - rule -m state --state INVALID -j REJECT - action append - - - # Disable X's Open Port - # Will X server work with this blocked? Is this needed for X11 Fowarding? - #direction output - #rule -p tcp --dport 6000 -j REJECT - #direction input - rule -p tcp --dport 6000 -j REJECT - - - ## Prevent IP-Spoof attacks (should not come from outside the network, and therefore should only be enabled on a machine that has access outside network) (eth0 = outside network) - #rule -s 10.0.0.0/8 -j REJECT -i eth0 - #rule -s 172.16.0.0/12 -j REJECT -i eth0 - #rule -s 192.168.0.0/16 -j REJECT -i eth0 - - - # Allow dhcp client renewels. 
If these are blocked, you will not be able to renew easily - rule -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT - - - # Allow Network Time Protocal Communication - #direction output - #rule -p udp --sport 123 --dport 123 -j ACCEPT - #direction input - - - ## Allows for Samba/Windows Shared Network Communication - ## By default this is set to REJECT, because window shares generally flood the network, which would then flood the firewall rules making them hard to see - ## Windows Ports Uses, and these should never be allowed on WORLD: - ## tcp 136 = Profile Naming System - ## UDP 137 = NETBIOS Name Service - ## UDP 138 = NETBIOS Datagram Service - ## TCP 139 = NETBIOS Session Service - ## TCP 445 = Windows File and Print Sharing - ## TCP/UDP 593 = DCE endpoint resolution, mirror of 135 - #rule -p tcp --dport 136 -j REJECT - #rule -p udp --dport 137 -j REJECT - #rule -p udp --dport 138 -j REJECT - #rule -p tcp --dport 139 -j REJECT - #rule -p tcp --dport 445 -j REJECT - #rule -p tcp --sport 136 -j REJECT - #rule -p udp --sport 137 -j REJECT - #rule -p udp --sport 138 -j REJECT - #rule -p tcp --sport 139 -j REJECT - #rule -p tcp --sport 445 -j REJECT - - - ## ICMP ping/pong (receiving pings) - #rule -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT - - - ## iSCSI Target - #rule -p tcp --dport 3260 -j ACCEPT - - -last: - # setup initial operations - direction input - device all - action append - - - ## allow Well-known port output: 0-1023 - #rule -p tcp --dport 0:1023 -j ACCEPT - #rule -p udp --dport 0:1023 -j ACCEPT - - - ## allow registered ports: 1024-49151 - #rule -p tcp --dport 1024:49151 -j ACCEPT - #rule -p udp --dport 1024:49151 -j ACCEPT - - - ## allow all other ports: 49152-61000 - ## For ease of the uneducated, enable these by default - rule -p tcp --dport 49152:61000 -j ACCEPT - rule -p udp --dport 49152:61000 -j ACCEPT - - - ## allow all other ports: 61001-65535 - ## For ease of the uneducated, enable these by default - rule -p tcp 
--dport 61001:65535 -j ACCEPT - rule -p udp --dport 61001:65535 -j ACCEPT - - # Log everything else (input) - # everything that reaches this point without being accepted, reject, or otherwise handled will be logged - rule -j LOG --log-prefix "FIREWALL:INPUT " - - # now handle output rules - direction output - - # allow Well-known port output: 0-1023 - rule -p tcp --dport 0:1023 -j ACCEPT - rule -p udp --dport 0:1023 -j ACCEPT - - - # allow registered ports: 1024-49151 - rule -p tcp --dport 1024:49151 -j ACCEPT - rule -p udp --dport 1024:49151 -j ACCEPT - - - # allow all other ports: 49152-61000 - # For ease of the uneducated, enable these by default - rule -p tcp --dport 49152:61000 -j ACCEPT - rule -p udp --dport 49152:61000 -j ACCEPT - - - # allow all other ports: 61001-65535 - # For ease of the uneducated, enable these by default - rule -p tcp --dport 61001:65535 -j ACCEPT - rule -p udp --dport 61001:65535 -j ACCEPT - - ## Log everything else (output) - #rule -j LOG --log-prefix "FIREWALL:OUTPUT " - - # allow icmp output, such as pings - rule -p icmp -j ACCEPT - - # the catch-all policies - action policy - direction input - rule DROP - - direction output - rule DROP - - direction forward - rule DROP - -stop: - device all - action policy - - direction input - rule ACCEPT - - direction output - rule ACCEPT - - direction forward - rule ACCEPT - - direction none - action none - rule --flush - rule -t nat --flush - rule -t mangle --flush - rule --delete-chain - rule -t nat --delete-chain - rule -t mangle --delete-chain - -lock: - device all - action policy - - direction input - rule DROP - - direction output - rule DROP - - direction forward - rule DROP - - direction none - action none - rule --flush - rule -t nat --flush - rule -t mangle --flush - rule --delete-chain - rule -t nat --delete-chain - rule -t mangle --delete-chain - - action insert - direction input - device lo - rule -j ACCEPT - - direction output - device lo - rule -j ACCEPT 
diff --git a/level_3/firewall/data/settings/example-device-firewall b/level_3/firewall/data/settings/example-device-firewall index d5bf363..0d7f069 100644 --- a/level_3/firewall/data/settings/example-device-firewall +++ b/level_3/firewall/data/settings/example-device-firewall 
@@ -1,80 +1,170 @@ # fss-0002 main: - # setup initial operations - direction input device this - action append - + direction input # Define a blacklist and a whitelist, put ip addresses in the file named 'example-device-whitelist' separated by whitespace to whitelist an ip address - ip_list source example-device-whitelist -j ACCEPT - ip_list source example-device-blacklist -j REJECT - ip_list destination example-device-whitelist -j ACCEPT - ip_list destination example-device-blacklist -j REJECT + #ip_list source example-device-whitelist -j ACCEPT + #ip_list source example-device-blacklist -j REJECT + #ip_list destination example-device-whitelist -j ACCEPT + #ip_list destination example-device-blacklist -j REJECT - ## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion) - ## is tcp needed? - #direction output - #rule -p udp --dport 53 -j ACCEPT - #direction input - #rule -p udp --dport 53 -j ACCEPT - +input-tcp: + device this + direction input + protocol tcp ## Http / Web - #rule -p tcp --dport 80 --j LOG --log-prefix "TRAFFIC:WEB " - #rule -p tcp --dport 80 -j ACCEPT + #rule --dport 80 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB " + #rule --dport 80 -m state --state NEW -j ACCEPT + ## Http / Web redirect to Https / Secure Web + #direction prerouting-input + #rule -t nat --dport 80 -m state --state NEW -j REDIRECT --to-port 443 + #direction input ## Https / Secure Web - #rule -p tcp --dport 443 --j LOG --log-prefix "TRAFFIC:WEB " - #rule -p tcp --dport 443 -j ACCEPT - + #rule --dport 443 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB " + #rule --dport 443 -m state --state NEW -j ACCEPT ## MySQL - #rule -p tcp --dport 3306 -j ACCEPT - + #rule --dport 3306 -m state --state NEW -j ACCEPT ## Music Player Daemon - #rule -p tcp --dport 6600 -j ACCEPT - + #rule --dport 6600 -m state --state NEW -j ACCEPT ## Camsource - #rule -p tcp --dport 9192 -j ACCEPT - + #rule --dport 9192 -m state --state NEW -j ACCEPT ## Cups Printer 
Administration - #rule -p tcp --dport 631 -j ACCEPT - + #rule --dport 631 -m state --state NEW -j ACCEPT ## Ssh (OpenSSH) - #rule -p tcp --dport 22 -j LOG --log-prefix "TRAFFIC:SSH " - #rule -p tcp --dport 22 -j ACCEPT - + #rule --dport 22 -m state --state NEW -j LOG --log-prefix "TRAFFIC:SSH " + #rule --dport 22 -m state --state NEW -j ACCEPT ## clamd (Clam Antivirus) - remote access, not needed for normal - #rule -p tcp --dport 3310 -j ACCEPT - + #rule --dport 3310 -m state --state NEW -j ACCEPT ## Virtual Network Client Server (add 1 for each seperat vnc server) - #rule -p tcp --dport 5900 -j ACCEPT - + #rule --dport 5900 -m state --state NEW -j ACCEPT ## Printer Port, is probably open...safer to close unless you are SERVING a printer - #rule -p tcp --dport 515 -j REJECT - + #rule --dport 515 -m state --state NEW -j REJECT ## Subversion server - #rule -p tcp --dport 3690 -j ACCEPT - #rule -p udp --dport 3690 -j ACCEPT - + #rule --dport 3690 -m state --state NEW -j ACCEPT ## Silc server - #rule -p tcp --dport 706 -j ACCEPT + #rule --dport 706 -m state --state NEW -j ACCEPT + + ## Worms of Prey + #rule --dport 47288 -m state --state NEW -j ACCEPT + + ## Git Daemon + #rule --dport 9418 -m state --state NEW -j ACCEPT + + +input-udp: + device this + direction input + protocol udp + + ## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion) + #rule --dport 53 -m state --state NEW -j ACCEPT + + ## DHCP Server + #rule -m state --state NEW --dport 67 --sport 68 -j ACCEPT + #rule -m state --state NEW --dport 68 --sport 67 -j ACCEPT + ## Subversion server + #rule --dport 3690 -m state --state NEW -j ACCEPT ## Worms of Prey - #rule -p tcp --dport 47288 -j ACCEPT - #rule -p udp --sport 47288:47544 -j ACCEPT - #rule -p udp --dport 47288:47544 -j ACCEPT + #rule --sport 47288:47544 -m state --state NEW -j ACCEPT + #rule --dport 47288:47544 -m state --state NEW -j ACCEPT + + +input-icmp: + device this + direction input + protocol icmp + + # allow all icmp 
input, such as pings + #rule -m state --state NEW -j ACCEPT + + # allow icmp: echo reply (outbound ping) + ##rule --icmp-type 0 -m state --state NEW -j ACCEPT + + # allow icmp: destination unreachable + #rule --icmp-type 3 -m state --state NEW -j ACCEPT + + # allow icmp: source quench + #rule --icmp-type 4 -m state --state NEW -j ACCEPT + + # allow icmp: redirect + #rule --icmp-type 5 -m state --state NEW -j ACCEPT + + # allow icmp: echo request (inbound ping) + #rule --icmp-type 8 -m state --state NEW -j ACCEPT + + # allow icmp: router advertisement + #rule --icmp-type 9 -m state --state NEW -j ACCEPT + + # allow icmp: router Solicitation + #rule --icmp-type 10 -m state --state NEW -j ACCEPT + + # allow icmp: time exceeded + #rule --icmp-type 11 -m state --state NEW -j ACCEPT + + # allow icmp: bad ip header + #rule --icmp-type 12 -m state --state NEW -j ACCEPT + + # allow icmp: timestamp + #rule --icmp-type 13 -m state --state NEW -j ACCEPT + + # allow icmp: timestamp reply + #rule --icmp-type 14 -m state --state NEW -j ACCEPT + + # allow icmp: information request + #rule --icmp-type 15 -m state --state NEW -j ACCEPT + + # allow icmp: information reply + #rule --icmp-type 16 -m state --state NEW -j ACCEPT + + # allow icmp: address request + #rule --icmp-type 17 -m state --state NEW -j ACCEPT + + # allow icmp: address reply + #rule --icmp-type 18 -m state --state NEW -j ACCEPT + + # allow icmp: traceroute + #rule --icmp-type 30 -m state --state NEW -j ACCEPT + + +output-tcp: + device this + direction output + protocol tcp + + +output-udp: + device this + direction output + protocol udp + + ## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion) + #rule --dport 53 -m state --state NEW -j ACCEPT + + ## DHCP Server + #rule -m state --state NEW --dport 67 --sport 68 -j ACCEPT + + +output-icmp: + device this + direction output + protocol icmp + + 
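Review bot: The commented `## Http / Web redirect to Https / Secure Web` example in `input-tcp` would not give an HTTP-to-HTTPS redirect: `-j REDIRECT --to-port 443` only rewrites the destination port, so a plaintext HTTP request is delivered to the TLS listener and fails the handshake instead of being upgraded. If the example stays, its comment should say so, e.g. `## NOTE: this only rewrites the port; an HTTP->HTTPS redirect must be issued by the web server itself`. In `output-udp` the `## DHCP Server` rule uses `--dport 67 --sport 68`, which is the client-to-server direction; a server's outbound replies would be `--sport 67 --dport 68`, so either the label or the ports look swapped, and the `## DNS Server` label on an outbound `--dport 53` rule likewise describes a resolver client rather than a server. The `main:` section also drops the explicit `action append` the old file had; presumably append is the program's default, but that is not visible in this diff.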
diff --git a/level_3/firewall/data/settings/firewall-first b/level_3/firewall/data/settings/firewall-first new file mode 100644 index 0000000..fbba547 --- /dev/null +++ b/level_3/firewall/data/settings/firewall-first 
@@ -0,0 +1,117 @@ +# fss-0002 +# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none +# valid device: all, this, (any device name goes here without parenthesis) +# valid action: append, insert, policy, none +# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp) + +main: + # initialize the firewall + direction none + action none + + rule -F + rule -Z + rule -t nat -F + rule -t mangle -F + + # setup initial operations + direction input + action append + + + # Enable ALL local connections (loopback) + device lo + direction output + rule -j ACCEPT + + direction input + rule -j ACCEPT + device all + + # the above loopback rules should catch all true loopback connections + # the following loopback rules will only catch anything if a loopback spoofing is happending + # therefore, do not allow spoof by DROPing + #rule -s 127.0.0.1 -j DROP + #rule -d 127.0.0.1 -j DROP + + + # Drop all INVALID packets so they aren't even processed + direction output + rule -m state --state INVALID -j DROP + + direction input + rule -m state --state INVALID -j DROP + + + # Allow ALL input&output connections that have already been established by this host + direction output + rule -m state --state ESTABLISHED,RELATED -j ACCEPT + + direction input + rule -m state --state ESTABLISHED,RELATED -j ACCEPT + + + # send all tcp packets to the tcp queue + direction output + protocol tcp + rule -m state --state NEW -j output-tcp + + direction input + rule -m state --state NEW -j input-tcp + + + # send all udp packets to the udp queue + direction output + protocol udp + rule -m state --state NEW -j output-udp + + direction input + rule -m state --state NEW -j input-udp + + + # send all tcp packets to the tcp queue + direction output + protocol icmp + rule -m state --state NEW -j output-icmp + + direction input + rule -m state --state NEW -j input-icmp + + +input-tcp: + direction 
input + protocol tcp + + # Prevent an XMAS attack + rule --tcp-flags ALL ALL -j DROP + + # Prevent NULL attack + rule --tcp-flags ALL NONE -j DROP + + +input-udp: + direction input + protocol udp + + # Allow dhcp client renewals. If these are blocked, you will not be able to renew easily + rule -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT + + +input-icmp: + direction input + protocol icmp + + +output-tcp: + direction output + protocol tcp + + +output-udp: + direction output + protocol udp + + +output-icmp: + direction output + protocol icmp diff --git a/level_3/firewall/data/settings/firewall-last b/level_3/firewall/data/settings/firewall-last new file mode 100644 index 0000000..5c027c9 --- /dev/null +++ b/level_3/firewall/data/settings/firewall-last 
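Review bot: The comment above the icmp dispatch in `main:` is a copy of the tcp one, `# send all tcp packets to the tcp queue`, while the rules under it jump to `output-icmp` and `input-icmp`; it should read `# send all icmp packets to the icmp queue`. The header line `# valid procotol:` is misspelled (`protocol`) here and in the identical headers of `firewall-last` and `firewall-other`. Within these files the per-protocol chains are only reached through `-m state --state NEW -j ...`, so the `--tcp-flags` DROP rules in `input-tcp` never see non-NEW packets; that is probably acceptable given the INVALID drop earlier in `main:`, but a one-line comment on the dispatch rules such as `# protocol chains only receive NEW packets; INVALID/ESTABLISHED are handled above` would save the next reader from wondering why.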
@@ -0,0 +1,168 @@ +# fss-0002 +# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none +# valid device: all, this, (any device name goes here without parenthesis) +# valid action: append, insert, policy, none +# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp) + +main: + direction input + + # Log everything else (input) + # everything that reaches this point without being accepted, reject, or otherwise handled will be logged + rule -m state --state NEW -j LOG --log-prefix "FIREWALL:INPUT " + + direction output + + ## Log everything else (output) + #rule -j LOG --log-prefix "FIREWALL:OUTPUT " + + # the catch-all policies + action policy + direction input + rule DROP + + direction output + rule DROP + + direction forward + rule DROP + + +input-tcp: + direction output + protocol tcp + + ## allow Well-known port output: 0-1023 + #rule --dport 0:1023 -m state --state NEW -j ACCEPT + + ## allow registered ports: 1024-49151 + #rule --dport 1024:49151 -m state --state NEW -j ACCEPT + + ## allow all other ports: 49152-61000 + ## For ease of the uneducated, enable these by default + #rule --dport 49152:61000 -m state --state NEW -j ACCEPT + + ## allow all other ports: 61001-65535 + ## For ease of the uneducated, enable these by default + #rule --dport 61001:65535 -m state --state NEW -j ACCEPT + + +output-tcp: + direction output + protocol tcp + + # allow Well-known port output: 0-1023 + rule --dport 0:1023 -m state --state NEW -j ACCEPT + + # allow registered ports: 1024-49151 + rule --dport 1024:49151 -m state --state NEW -j ACCEPT + + # allow all other ports: 49152-61000 + # For ease of the uneducated, enable these by default + rule --dport 49152:61000 -m state --state NEW -j ACCEPT + + # allow all other ports: 61001-65535 + # For ease of the uneducated, enable these by default + rule --dport 61001:65535 -m state --state NEW -j ACCEPT + + 
+input-udp: + direction input + protocol udp + + ## allow Well-known port output: 0-1023 + #rule --dport 0:1023 -m state --state NEW -j ACCEPT + + ## allow registered ports: 1024-49151 + #rule --dport 1024:49151 -m state --state NEW -j ACCEPT + + ## allow all other ports: 49152-61000 + ## For ease of the uneducated, enable these by default + #rule --dport 49152:61000 -m state --state NEW -j ACCEPT + + ## allow all other ports: 61001-65535 + ## For ease of the uneducated, enable these by default + #rule --dport 61001:65535 -m state --state NEW -j ACCEPT + + +output-udp: + direction output + protocol udp + + # allow Well-known port output: 0-1023 + rule --dport 0:1023 -m state --state NEW -j ACCEPT + + # allow registered ports: 1024-49151 + rule --dport 1024:49151 -m state --state NEW -j ACCEPT + + # allow all other ports: 49152-61000 + # For ease of the uneducated, enable these by default + rule --dport 49152:61000 -m state --state NEW -j ACCEPT + + # allow all other ports: 61001-65535 + # For ease of the uneducated, enable these by default + rule --dport 61001:65535 -m state --state NEW -j ACCEPT + + +input-icmp: + direction input + protocol icmp + + # allow all icmp input, such as pings + #rule -m state --state NEW -j ACCEPT + + # allow icmp: echo reply (outbound ping) + #rule --icmp-type 0 -m state --state NEW -j ACCEPT + + # allow icmp: destination unreachable + rule --icmp-type 3 -m state --state NEW -j ACCEPT + + # allow icmp: source quench + rule --icmp-type 4 -m state --state NEW -j ACCEPT + + # allow icmp: redirect + rule --icmp-type 5 -m state --state NEW -j ACCEPT + + # allow icmp: echo request (inbound ping) + rule --icmp-type 8 -m state --state NEW -j ACCEPT + + # allow icmp: router advertisement + rule --icmp-type 9 -m state --state NEW -j ACCEPT + + # allow icmp: router Solicitation + rule --icmp-type 10 -m state --state NEW -j ACCEPT + + # allow icmp: time exceeded + rule --icmp-type 11 -m state --state NEW -j ACCEPT + + # allow icmp: bad ip header + 
rule --icmp-type 12 -m state --state NEW -j ACCEPT + + # allow icmp: timestamp + rule --icmp-type 13 -m state --state NEW -j ACCEPT + + # allow icmp: timestamp reply + rule --icmp-type 14 -m state --state NEW -j ACCEPT + + # allow icmp: information request + rule --icmp-type 15 -m state --state NEW -j ACCEPT + + # allow icmp: information reply + rule --icmp-type 16 -m state --state NEW -j ACCEPT + + # allow icmp: address request + rule --icmp-type 17 -m state --state NEW -j ACCEPT + + # allow icmp: address reply + rule --icmp-type 18 -m state --state NEW -j ACCEPT + + # allow icmp: traceroute + #rule --icmp-type 30 -m state --state NEW -j ACCEPT + + +output-icmp: + direction output + protocol icmp + + # allow icmp output, such as pings + rule -m state --state NEW -j ACCEPT diff --git a/level_3/firewall/data/settings/firewall-other b/level_3/firewall/data/settings/firewall-other new file mode 100644 index 0000000..9698f3e --- /dev/null +++ b/level_3/firewall/data/settings/firewall-other 
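Review bot: The `input-tcp:` section of `firewall-last` sets `direction output`, whereas the other input chains in the file (`input-udp`, `input-icmp`) set `direction input`; this looks like a copy-paste from `output-tcp` and should be `direction input`. Its rules are all commented out today, so nothing breaks yet, but uncommenting them would attach the input port ranges to the output direction, and the `## allow Well-known port output` comments in `input-tcp` and `input-udp` also still say "output". From a hardening standpoint, `input-icmp` accepts redirect (type 5), router advertisement/solicitation (9, 10), timestamp (13, 14) and address mask (17, 18) requests unconditionally; whether the kernel acts on redirects depends on sysctl settings not visible here, but these types are usually left commented out, as types 0 and 30 already are, with only 3, 4, 8 and 11 enabled by default.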
@@ -0,0 +1,54 @@ +# fss-0002 +# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none +# valid device: all, this, (any device name goes here without parenthesis) +# valid action: append, insert, policy, none +# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp) + +stop: + action policy + + direction input + rule ACCEPT + + direction output + rule ACCEPT + + direction forward + rule ACCEPT + + direction none + action none + rule --flush + rule -t nat --flush + rule -t mangle --flush + rule --delete-chain + rule -t nat --delete-chain + rule -t mangle --delete-chain + +lock: + action policy + + direction input + rule DROP + + direction output + rule DROP + + direction forward + rule DROP + + direction none + action none + rule --flush + rule -t nat --flush + rule -t mangle --flush + rule --delete-chain + rule -t nat --delete-chain + rule -t mangle --delete-chain + + action insert + direction input + device lo + rule -j ACCEPT + + direction output -- 1.8.3.1
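Review bot: The `lock:` section ends at `direction output` with no rule after it, so the loopback ACCEPT that the removed `default-firewall` inserted for output (`device lo` / `rule -j ACCEPT`) is missing; with the output policy set to DROP just above, lock mode will drop outbound loopback traffic while still accepting inbound. The hunk covers all 54 lines of the new file, so this is not a truncation of the view; appending `device lo` and `rule -j ACCEPT` after the final `direction output`, as the old file did, restores the previous behaviour. `stop:` and `lock:` also no longer state `device all` before `action policy` as the old file did; if the program has no implicit device default the policy lines may need it, but that is not verifiable from this diff.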