3 # Setup an initial save file
5 require './ipfilter-lib.pl';
10 $iface = $in{'iface'.$in{'auto'}};
11 if ($iface eq 'other') {
12 $iface = $in{'iface'.$in{'auto'}.'_other'};
14 $iface || &error($text{'setup_eiface'});
15 if ($in{'auto'} >= 2) {
16 # Block all incoming traffic, except for established
17 # connections, DNS replies and safe ICMP types
18 # In mode 3 allow ssh and ident too
19 # In mode 4 allow ftp, echo-request and high ports too
21 { 'action' => 'skip', 'skip' => 1, 'active' => 1,
22 'quick' => 1, 'dir' => 'in',
25 'cmt' => 'Skip next rule for external interface' },
26 { 'action' => 'pass', 'active' => 1,
27 'quick' => 1, 'dir' => 'in',
30 'cmt' => 'Allow all traffic on internal interface' },
31 { 'action' => 'pass', 'active' => 1,
32 'quick' => 1, 'dir' => 'in',
36 'to-port-start' => 1024,
37 'to-port-range' => '<>',
38 'to-port-end' => 1024,
40 'cmt' => 'Accept responses to DNS queries' },
41 { 'action' => 'pass', 'active' => 1,
42 'quick' => 1, 'dir' => 'in',
45 'icmp-type' => 'echorep',
47 'cmt' => 'Accept responses to our pings' },
48 { 'action' => 'pass', 'active' => 1,
49 'quick' => 1, 'dir' => 'in',
52 'icmp-type' => 'unreach',
54 'cmt' => 'Accept notifications of unreachable hosts' },
55 { 'action' => 'pass', 'active' => 1,
56 'quick' => 1, 'dir' => 'in',
59 'icmp-type' => 'squench',
61 'cmt' => 'Accept notifications to reduce sending speed' },
62 { 'action' => 'pass', 'active' => 1,
63 'quick' => 1, 'dir' => 'in',
66 'icmp-type' => 'timex',
68 'cmt' => 'Accept notifications of lost packets' },
69 { 'action' => 'pass', 'active' => 1,
70 'quick' => 1, 'dir' => 'in',
73 'icmp-type' => 'paramprob',
75 'cmt' => 'Accept notifications of protocol problems' }
77 if ($in{'auto'} >= 3) {
80 { 'action' => 'pass', 'active' => 1,
81 'quick' => 1, 'dir' => 'in',
85 'to-port-comp' => '=',
88 'cmt' => 'Allow connections to our SSH server' },
89 { 'action' => 'pass', 'active' => 1,
90 'quick' => 1, 'dir' => 'in',
94 'to-port-comp' => '=',
97 'cmt' => 'Allow connections to our IDENT server' },
100 if ($in{'auto'} == 4) {
101 # Allow pings and most high ports
103 { 'action' => 'pass', 'active' => 1,
104 'quick' => 1, 'dir' => 'in',
107 'icmp-type' => 'echo',
109 'cmt' => 'Respond to pings' },
110 { 'action' => 'block', 'active' => 1,
111 'quick' => 1, 'dir' => 'in',
115 'to-port-start' => 2049,
116 'to-port-range' => '<>',
117 'to-port-end' => 2050,
119 'cmt' => 'Protect our NFS server' },
120 { 'action' => 'block', 'active' => 1,
121 'quick' => 1, 'dir' => 'in',
125 'to-port-start' => 6000,
126 'to-port-range' => '<>',
127 'to-port-end' => 6063,
129 'cmt' => 'Protect our X11 display server' },
130 { 'action' => 'block', 'active' => 1,
131 'quick' => 1, 'dir' => 'in',
135 'to-port-start' => 7000,
136 'to-port-range' => '<>',
137 'to-port-end' => 7010,
139 'cmt' => 'Protect our X font server' },
140 { 'action' => 'pass', 'active' => 1,
141 'quick' => 1, 'dir' => 'in',
145 'to-port-start' => 1024,
146 'to-port-range' => '<>',
147 'to-port-end' => 65535,
149 'cmt' => 'Allow connections to unprivileged ports' },
153 # Add final block rule
154 push(@rules, { 'action' => 'block', 'active' => 1,
157 push(@rules, { 'action' => 'pass', 'active' => 1,
162 # Just add one rule for NAT
163 push(@natrules, { 'action' => 'map', 'active' => 1,
164 'fromip' => '0.0.0.0', 'frommask' => 0,
165 'toip' => '0.0.0.0', 'tomask' => 32,
167 'type' => 'ipnat' });
169 # Allow all other traffic
170 push(@rules, { 'action' => 'pass', 'active' => 1,
173 push(@rules, { 'action' => 'pass', 'active' => 1,
179 # Just add rules to allow all
180 push(@rules, { 'action' => 'pass', 'active' => 1,
183 push(@rules, { 'action' => 'pass', 'active' => 1,
187 &lock_file($config{'ipf_conf'});
188 &save_config(\@rules);
189 &unlock_file($config{'ipf_conf'});
190 &lock_file($config{'ipnatf_conf'});
191 &save_config(\@natrules, undef, 'ipnat');
192 &unlock_file($config{'ipnatf_conf'});
196 &create_firewall_init();
199 &webmin_log("setup");
projects / webmin.git / blob