firewall: allow INPUT NFSD if nfsd service is available.
firewall: allow NFS OUTPUT if the NFS client is available. firewall: exclude tun* interfaces from the default per-interface rules.
parent
5a8b0b54fc
commit
bfadca762d
48
firewall
48
firewall
|
@ -150,14 +150,17 @@ fw_start() {
|
||||||
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s "${LAN}" -d "${IPLAN}" --dport 8140 -m state --state NEW -m comment --comment "New Puppet in"
|
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s "${LAN}" -d "${IPLAN}" --dport 8140 -m state --state NEW -m comment --comment "New Puppet in"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ $(command -v nfsdcltrack) ]; then
|
||||||
#### NFS Server
|
#### NFS Server
|
||||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS in"
|
||||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS in"
|
||||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
|
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS "
|
||||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
|
$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
|
||||||
## 32769: rpc.quotad
|
# 32769: rpc.quotad
|
||||||
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
|
# For more informations see: https://wiki.debian.org/SecuringNFS
|
||||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
|
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
|
||||||
|
$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
|
||||||
|
fi
|
||||||
|
|
||||||
#### tftp allowed
|
#### tftp allowed
|
||||||
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 69 -m state --state NEW -m comment --comment "TFTPD in"
|
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 69 -m state --state NEW -m comment --comment "TFTPD in"
|
||||||
|
@ -229,26 +232,29 @@ fw_start() {
|
||||||
$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 443 -m state --state NEW -m comment --comment "New HTTPDs out"
|
$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 443 -m state --state NEW -m comment --comment "New HTTPDs out"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -d /etc/ldap ]; then
|
if [ -d /etc/ldap ]; then
|
||||||
#### ldap connection should be in TLS or at least in LDAPS/SSL
|
#### ldap connection should be in TLS or at least in LDAPS/SSL
|
||||||
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
|
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
|
||||||
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "LDAPS out"
|
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "LDAPS out"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ $(command -v dhcpd) ]; then
|
if [ $(command -v dhcpd) ]; then
|
||||||
#### dhcpd
|
#### dhcpd
|
||||||
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "DHCPD out"
|
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "DHCPD out"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ $(command -v nfsiostat) ]; then
|
||||||
|
#### NFS Client
|
||||||
|
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
||||||
|
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
||||||
|
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
|
||||||
|
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
|
||||||
|
# List of ports to use given by NFS server
|
||||||
|
# For more informations see: https://wiki.debian.org/SecuringNFS
|
||||||
|
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
|
||||||
|
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
|
||||||
|
fi
|
||||||
|
|
||||||
# #### NFS Client
|
|
||||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
|
||||||
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
|
|
||||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
|
|
||||||
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
|
|
||||||
# ## Port spécifié par le serveur NFS contacté
|
|
||||||
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
|
|
||||||
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
|
|
||||||
#
|
|
||||||
# #### Printers
|
# #### Printers
|
||||||
# $IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 161 -m state --state NEW -m comment --comment "SNMP OUT"
|
# $IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 161 -m state --state NEW -m comment --comment "SNMP OUT"
|
||||||
#
|
#
|
||||||
|
@ -332,7 +338,7 @@ case "${1}" in
|
||||||
fw_stop
|
fw_stop
|
||||||
fw_init
|
fw_init
|
||||||
# List all available interface except localhost
|
# List all available interface except localhost
|
||||||
for PATH_ILAN in $(find /sys/class/net/ ! -name lo -type l); do
|
for PATH_ILAN in $(find /sys/class/net/ ! \( -name lo -o -iname "tun*" \) -type l); do
|
||||||
# Interface name
|
# Interface name
|
||||||
ILAN=$(basename ${PATH_ILAN})
|
ILAN=$(basename ${PATH_ILAN})
|
||||||
IS_UP=$(grep 1 ${PATH_ILAN}/carrier)
|
IS_UP=$(grep 1 ${PATH_ILAN}/carrier)
|
||||||
|
|
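Review bot: The NFS server INPUT rules added in the first hunk (ports 111, 2049 and 32769, TCP and UDP) carry no source restriction, while the neighbouring Puppet rule on the same interface limits itself with `-s "${LAN}"`; since the loop in the last hunk sets ILAN for every non-lo, non-tun interface, this would expose portmapper and nfsd on an uplink as well, assuming fw_start runs inside that loop. Each of the six rules should get the same restriction, e.g. `$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s "${LAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"` (which also repairs the truncated `"NFS "` comment on that line). The gate `[ $(command -v nfsdcltrack) ]` only proves the nfs-kernel-server package is installed, not that the daemon is enabled, so the ports are opened on any host that merely has the package; the idiomatic `command -v nfsdcltrack >/dev/null 2>&1` avoids the unquoted substitution, and a comment stating that package presence rather than service state is what is tested would help the next reader. The hard-coded 32769 for rpc.quotad (and 32767 for mountd on the client side) only matches if those daemons are pinned to these ports as the referenced Debian wiki page describes, so a comment such as `# assumes rpc.rquotad is pinned to 32769 (see SecuringNFS wiki)` should record that assumption. fw_start begins before the first hunk and the default policy set by fw_init is not visible, so whether the tun* exclusion leaves tunnel traffic blocked or unfiltered cannot be judged from this diff.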