jegardai
/
scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

firewall: allow INPUT NFSD if nfsd service is available. 

firewall: allow OUTPUT if nfs client is available.
firewall: exclude tun* interface for default rules.
This commit is contained in:
Jeremy Gardais 2015-09-16 18:43:29 +02:00
parent 5a8b0b54fc
commit bfadca762d
1 changed files with 33 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
firewall
View File

@ -150,14 +150,17 @@ fw_start() {
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -s "${LAN}" -d "${IPLAN}" --dport 8140 -m state --state NEW -m comment --comment "New Puppet in"
fi
#### NFS Server
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
## 32769: rpc.quotad
#$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
if [ $(command -v nfsdcltrack) ]; then
#### NFS Server
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS in"
$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS in"
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS "
$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS in"
# 32769: rpc.quotad
# For more informations see: https://wiki.debian.org/SecuringNFS
$IPT -A INPUT -j ACCEPT -p tcp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 32769 -m state --state NEW -m comment --comment "NFS quotad in"
fi
#### tftp allowed
#$IPT -A INPUT -j ACCEPT -p udp -i "${ILAN}" -d "${IPLAN}" --dport 69 -m state --state NEW -m comment --comment "TFTPD in"
@ -229,26 +232,29 @@ fw_start() {
$IPT -A OUTPUT -j ACCEPT -p tcp -o ${ILAN} --sport 443 -m state --state NEW -m comment --comment "New HTTPDs out"
fi
if [ -d /etc/ldap ]; then
#### ldap connection should be in TLS or at least in LDAPS/SSL
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "LDAPS out"
fi
if [ -d /etc/ldap ]; then
#### ldap connection should be in TLS or at least in LDAPS/SSL
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 389 -m state --state NEW -m comment --comment "LDAP out"
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 636 -m state --state NEW -m comment --comment "LDAPS out"
fi
if [ $(command -v dhcpd) ]; then
#### dhcpd
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "DHCPD out"
fi
if [ $(command -v dhcpd) ]; then
#### dhcpd
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --sport 67:68 --dport 67:68 -m state --state NEW -m comment --comment "DHCPD out"
fi
if [ $(command -v nfsiostat) ]; then
#### NFS Client
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
# List of ports to use given by NFS server
# For more informations see: https://wiki.debian.org/SecuringNFS
$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
fi
# #### NFS Client
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 111 -m state --state NEW -m comment --comment "NFS out"
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 2049 -m state --state NEW -m comment --comment "NFS out"
# ## Port spécifié par le serveur NFS contacté
# #$IPT -A OUTPUT -j ACCEPT -p tcp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
# #$IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 32767 -m state --state NEW -m comment --comment "NFS mountd out"
#
# #### Printers
# $IPT -A OUTPUT -j ACCEPT -p udp -o "${ILAN}" -s "${IPLAN}" --dport 161 -m state --state NEW -m comment --comment "SNMP OUT"
#
@ -332,7 +338,7 @@ case "${1}" in
fw_stop
fw_init
# List all available interface except localhost
for PATH_ILAN in $(find /sys/class/net/ ! -name lo -type l); do
for PATH_ILAN in $(find /sys/class/net/ ! \( -name lo -o -iname "tun*" \) -type l); do
# Interface name
ILAN=$(basename ${PATH_ILAN})
IS_UP=$(grep 1 ${PATH_ILAN}/carrier)