From 7c99efcfdd45fcb3ffbdd1a4dca4ef4c79c0471d Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Wed, 9 Jul 2008 18:45:19 +0000
Subject: [PATCH] Added support for bastille firewall.

---
 install/apps/bastille-firewall                |  93 +++
 install/apps/bastille-ipchains                | 654 ++++++++++++++++++
 install/apps/bastille-netfilter               | 626 +++++++++++++++++
 install/apps/bastille_licence.txt             | 339 +++++++++
 install/install.php                           |  10 +
 install/lib/installer_base.lib.php            |  54 +-
 install/tpl/bastille-firewall.cfg.master      | 320 +++++++++
 install/update.php                            |   6 +
 interface/web/admin/form/firewall.tform.php   |   4 +-
 server/conf/bastille-firewall.cfg.master      | 320 +++++++++
 .../plugins-available/firewall_plugin.inc.php | 126 ++++
 .../mysql_clientdb_plugin.inc.php             |   1 +
 12 files changed, 2550 insertions(+), 3 deletions(-)
 create mode 100644 install/apps/bastille-firewall
 create mode 100644 install/apps/bastille-ipchains
 create mode 100644 install/apps/bastille-netfilter
 create mode 100644 install/apps/bastille_licence.txt
 create mode 100644 install/tpl/bastille-firewall.cfg.master
 create mode 100644 server/conf/bastille-firewall.cfg.master
 create mode 100644 server/plugins-available/firewall_plugin.inc.php

diff --git a/install/apps/bastille-firewall b/install/apps/bastille-firewall
new file mode 100644
index 0000000000..2f701ec92a
--- /dev/null
+++ b/install/apps/bastille-firewall
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# bastille-firewall		Load/unload ipchains rulesets
+#
+# do not rename this file unless you edit /sbin/bastille-firewall-reset
+#
+# chkconfig: 2345 5 98
+# description: A firewall/packet-filter script for Linux systems \
+# that allows the machine to be used as a gateway system
+#
+# $Id: bastille-firewall,v 1.6 2002/02/24 17:19:14 peterw Exp $
+# Copyright (c) 1999-2002 Peter Watkins 
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
+#
+# This script is designed to be used as a SysV-style init script.
+#
+# It should be run with a "start" argument
+#	1) as an rc?.d "S" script, _before_ the "network" script
+# [copy this to /etc/rc.d/init.d/bastille-firewall (or your equivalent of 
+#  /etc/rc.d/init.d) and run 'chkconfig -add bastille-firewall' ]
+#	2) any time an interface is brought up or changed, e.g.
+#	   establishing a PPP conection or renewing a DHCP lease
+# [copy 'bastille-firewall-reset', 'bastille-firewall-schedule'
+#  and 'ifup-local' to /sbin/]
+#
+#   Normally you Do Not _Ever_ Want to run this with a "stop" argument!
+#
+# Note that running this with "stop" will disable the firewall and open
+# your system to all network traffic; if you make changes to these rules,
+# apply them by running the script again with a "start" argument.
+#
+# ** As of 0.99-beta1, this script merely kicks off the real script,
+#    either /sbin/bastille-ipchains or /sbin/bastille-netfilter
+
+# Default is to use the 'ipchains' script, which will load the
+# ipchains compatibility module if you're using a 2.4 kernel
+REALSCRIPT=/sbin/bastille-ipchains
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+# exit function to be called in place of regular Bourne exit
+clean_exit()
+{
+  rmdir /var/lock/bastille-firewall 2>/dev/null
+  exit $1
+}
+
+[ ! -d /var/lock ] && mkdir -m 0755 /var/lock
+
+mkdir -m 0700 /var/lock/bastille-firewall 2>/dev/null
+if [ $? -ne 0 ]; then
+  if [ -n "${BASTILLE_FWALL_QUIET_FAIL}" ]; then exit 0; fi
+  echo "ERROR: bastille-firewall currently being reset or lock is stuck."
+  echo "To un-stick, remove the directory /var/lock/bastille-firewall"
+  exit 1
+fi
+
+if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
+	# We are using Linux 2.3 or newer; use the netfilter script if available
+	if [ -x /sbin/bastille-netfilter ]; then
+		REALSCRIPT=/sbin/bastille-netfilter
+	fi
+fi
+
+if [ ! -x ${REALSCRIPT} ]; then
+	echo "ERROR: \"${REALSCRIPT}\" not available!"
+	clean_exit 1
+fi
+
+${REALSCRIPT} "$1"
+bretval=$?
+
+# Use "subsys" locks to indicate our status
+case "$1" in 
+  start|restart|reload)
+    if [ $bretval -eq 0 ]; then touch /var/lock/subsys/bastille-firewall; fi
+    ;;
+  stop)
+    rm -f /var/lock/subsys/bastille-firewall
+    ;;
+esac
+
+clean_exit $bretval
+
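Review bot: The kernel test on line L100 (`$1 == 2 && $2 > 2`) only selects the netfilter script for 2.3+ kernels, so on any kernel whose major version is not 2 `REALSCRIPT` stays at `/sbin/bastille-ipchains` and the wrapper aborts at the `-x` check with "not available" — and since this runs before the network script, the host comes up with no rules loaded at all. The check should be `$1 > 2 || ($1 == 2 && $2 > 2)`, e.g. `if [ -n "$(uname -r | awk -F. '$1 > 2 || ($1 == 2 && $2 > 2) {print}')" ]; then`; the same expression is repeated in the ipchains script and should be fixed there too. It would also be worth having the failure path say explicitly that no firewall rules were applied, since the current message reads like a missing-file problem rather than an open host.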
diff --git a/install/apps/bastille-ipchains b/install/apps/bastille-ipchains
new file mode 100644
index 0000000000..5755014662
--- /dev/null
+++ b/install/apps/bastille-ipchains
@@ -0,0 +1,654 @@
+#!/bin/sh
+#
+# /sbin/bastille-ipchains		Load/unload ipchains rulesets
+#
+# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-ipchains,v $ 
+# Modified by: $Author: peterw $
+# $Date: 2001/08/18 15:38:31 $
+# $Revision: 1.18 $
+#
+# Copyright (C) 1999-2001 Peter Watkins 
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
+#
+# This script is designed to be called BY a SysV-style init script.
+#
+# It should be run with a "start" argument
+#	1) BY an rc?.d "S" script, _before_ the "network" script
+#	   (normally via the "bastille-firewall" init script; 
+#	    as of 2001/02/14, the only purpose of bastille-firewall
+#	    is to start this script)
+#	2) any time an interface is brought up or changed, e.g.
+#	   establishing a PPP conection or renewing a DHCP lease
+# [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and
+#  'ifup-local' to /sbin/ (in addition to the bastille-firewall init script]
+#
+#   Normally you Do Not _Ever_ Want to run this with a "stop" argument!
+#
+# Note that running this with "stop" will disable the firewall and open
+# your system to all network traffic; if you make changes to these rules,
+# apply them by running the script again with a "start" argument.
+
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+IPCHAINS=/sbin/ipchains
+CONFIG=/etc/Bastille/bastille-firewall.cfg
+
+if [ ! -f ${CONFIG} ]; then
+	echo "ERROR: unable to read configuration file \"${CONFIG}\""
+	exit 1
+fi
+
+# source the configuration file, which will set environment variables
+. ${CONFIG}
+
+if [ -z "${TRUSTED_IFACES}" ]; then
+        echo "ERROR: no trusted interfaces specified! Exiting!"
+        exit 1
+fi
+
+#
+# Computed values
+# 
+# These things should be queried/computed at run time
+#
+# LOCAL_ADDRESSES
+#
+# LOCAL_ADDRESSES lists all IP addresses for this server 
+#  (for the INTERNAL_SERVICES rules); if you have virtual 
+#  network devices, you may want to hand-code this, e.g.
+# LOCAL_ADDRESSES="127.0.0.0/8"
+#
+# The following makes a list of all current IP addresses
+LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: `
+#
+#
+# INTERNAL_NETWORKS
+#
+# INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES
+# e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0"
+# The following makes a list of all current internal IP addresses _with netmasks_
+for i in ${INTERNAL_IFACES} ; do
+	INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} 2>/dev/null| grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`"
+done
+#
+#
+# DNS_SERVERS
+#
+# Derive this from /etc/resolv.conf if it's not set already
+# Note we only take the first three as most systems' resolvers
+# can only use three nameservers; see MAXNS in resolv.h for details
+MAXNS=3
+if [ -z "${DNS_SERVERS}" ]; then
+	DNS_SERVERS=`grep nameserver /etc/resolv.conf | awk -F\# '{print $1}' | grep '^nameserver' | awk '{print $2"/32"}' | head -${MAXNS}`
+fi
+#
+#
+# LOG_FLAG
+# 
+# Flag to add to ${REJECT_METHOD} rules to force logging
+if [ "${LOG_FAILURES}" = "Y" ]; then
+	LOG_FLAG="-l"
+else
+	LOG_FLAG=""
+fi
+#
+#
+# CALLED_METHOD
+#
+# Variable to hold $1, for use in functions (which have their own $1 vars)
+CALLED_METHOD="$1"
+#
+#
+# REJECT_METHOD
+# Convert netfilter/DROP to ipchains/DENY
+if [ "${REJECT_METHOD}" = "DROP" ]; then
+        REJECT_METHOD="DENY"
+fi
+#
+#
+# NTP_SERVERS
+#
+# Do hostname lookups for any names in NTP_SERVERS
+#
+ntp_server_addrs=""
+for n in ${NTP_SERVERS}; do
+	ip=`echo ${n} | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'`
+	if [ -n "${ip}" ]; then
+		# looks like an IP address, use it as-is
+		ntp_server_addrs="${ntp_server_addrs} ${ip}"
+	else
+		# use 'host' t resolve address
+		ip=`host ${n} 2>/dev/null| awk '/ has address / { print $4 }' | head -1`
+		ntp_server_addrs="${ntp_server_addrs} ${ip}"
+	fi
+done
+
+
+#
+# Shell functions
+#
+# include_supplemental
+# source supplemental (plug-in) firewall scripts
+include_supplemental()
+{
+        # args: $1 = nickname for the supplemental phase
+        nickname="$1"
+        if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then
+                cd /etc/Bastille/firewall.d && . ./${nickname}.sh
+        fi
+        if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then
+                for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do
+                        cd /etc/Bastille/firewall.d/${nickname}.d && \
+                        . ${s}
+                done
+        fi
+}
+#
+# do_masq_mods
+# Function to load/unload "ip_masq_*" kernel modules
+do_masq_mods()
+{
+	# args: $1 = "load" or "unload"
+	#
+	# find the currently loaded modules
+	masq_mods=`lsmod | awk '{print $1}' | grep '^ip_masq_'`
+	#
+	# Step 1: unload unwanted modules
+	for m in ${masq_mods} ; do
+		UNLOAD_THIS_MOD=Y
+		for normal_mod in ${IP_MASQ_MODULES} ; do
+			if [ "ip_masq_${normal_mod}" = $m ]; then
+				# this module is _supposed_ to be loaded
+				UNLOAD_THIS_MOD=N
+			fi
+		done
+		if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then
+			# we're either disabling the firewall or we've disabled masquerading,
+			# so we should unload _all_ masq modules
+			UNLOAD_THIS_MOD=Y
+		fi
+		if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then
+			rmmod $m || echo "Error unloading ${m} module"
+		fi
+	done
+	# Step 2: load wanted modules that are not already loaded
+	if [ $1 = "load" ]; then
+		for normal_mod in ${IP_MASQ_MODULES} ; do
+			MOD_LOADED=N
+			for m in ${masq_mods} ; do
+				if [ "ip_masq_${normal_mod}" = ${m} ]; then
+					MOD_LOADED=Y
+				fi
+			done
+			if [ $MOD_LOADED = "N" ]; then
+				insmod "ip_masq_${normal_mod}" || echo "Error loading ip_masq_${normal_mod} module"
+			fi
+		done
+	fi
+}
+
+# See how we were called.
+case "$1" in
+  start|reload|restart)
+	#
+        # anything to do before resetting?
+        include_supplemental pre-reset
+	#
+	# For Red Hat users, let's ensure that its firewalls are disabled
+	rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on`
+	rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on`
+	bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on`
+	if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then
+		echo
+		echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'"
+		echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls."
+		[ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off
+		[ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off
+		echo
+	fi
+	# load the IPCHAINS compatibilty module if we're using a 2.4 kernel
+	if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then
+		echo "Loading ipchains compatibility module"
+		modprobe ipchains 
+	fi
+	#
+	# we set defaults to DENY now to minimize possible interruptions
+	# if this script is re-run to reset rules
+	#
+	# set default policy to disallow forwarding
+	${IPCHAINS} -P forward DENY
+	# flush rules
+	${IPCHAINS} -F forward
+	# default is to disallow incoming traffic	
+	${IPCHAINS} -P input DENY
+	# flush rules 
+	${IPCHAINS} -F input
+	# disallow outbound until we set up the explicit outbound rules
+	${IPCHAINS} -P output DENY
+	# flush rules 
+	${IPCHAINS} -F output
+
+	# Run our "early" custom script if it exists
+	[ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh
+
+        # any new-style "early" plugins?
+        include_supplemental early
+
+	# always allow MTU discovery packets
+	${IPCHAINS} -A input -p icmp --icmp-type fragmentation-needed -j ACCEPT
+	${IPCHAINS} -A output -p icmp --icmp-type fragmentation-needed -j ACCEPT
+
+        include_supplemental pre-local-block
+
+	# Block any non-local attempts to get localhost addresses
+	# per woody@thebunker.net's bugtraq post
+	${IPCHAINS} -A input -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD} ${LOG_FLAG}
+
+	# Fragments
+	if [ "${ALLOW_FRAGMENTS}" = "N" ]; then
+		${IPCHAINS} -A input -f -j ${REJECT_METHOD}
+	fi 
+
+	# from the ipchains HOWTO, I think
+	if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then
+		if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
+        		echo -n "Setting up IP spoofing protection..."
+		        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+            		echo 1 > $f
+        		done
+        		echo " done."
+		else
+        		echo "WARNING: errors encountered while trying to enable IP spoofing protection!"
+		fi
+	fi
+
+	include_supplemental pre-trusted
+
+	# Allow all traffic from trusted interfaces
+	echo -n "Allowing traffic from trusted interfaces..."
+	for t_iface in ${TRUSTED_IFACES} ; do	
+		${IPCHAINS} -A input -i ${t_iface} -d 0.0.0.0/0 -j ACCEPT
+	done
+	echo " done. "
+
+	# If you have networks that route traffic to each other through this
+	# server, you may want to add some forwarding rules, here, e.g.
+	# one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0"
+	#${IPCHAINS} -A forward -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT	
+	# the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1"
+	#${IPCHAINS} -A forward -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT	
+
+	include_supplemental pre-mcast-block
+
+	# No packets with multicast source addresses (Joshua K, RFC 1122)
+	${IPCHAINS} -A input -s 224.0.0.0/4 -j ${REJECT_METHOD} ${LOG_FLAG}
+
+	# Forwarding
+
+	include_supplemental pre-nat
+
+	# IP Masquerading/forwarding
+	#
+	# Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list)
+	do_masq_mods unload
+	#
+	if [ -n "${IP_MASQ_NETWORK}" ]; then
+		echo -n "Setting up masquerading rules..."	
+		# since we've set the default forwarding policy to
+		# reject, we can enable forwarding now
+		echo 1 > /proc/sys/net/ipv4/ip_forward
+		# set up rules for masqueraded networks
+		for net in ${IP_MASQ_NETWORK} ; do
+			if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then
+				# NetBIOS
+				${IPCHAINS} -A forward -p tcp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG}
+				${IPCHAINS} -A forward -p udp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG}
+			fi
+			for pub in ${PUBLIC_IFACES} ; do
+				# NAT should be one-way, deny traffic from public
+				# interfaces that is addresses to masq'ed networks
+				${IPCHAINS} -A input -d ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG}
+				# spoofed addreses from outside
+				${IPCHAINS} -A input -s ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG}
+				# enable forwarding
+				${IPCHAINS} -A forward -s ${net} -i ${pub} -j MASQ
+			done
+		done
+		echo " done."
+		echo -n "Loading masquerading modules..."	
+		do_masq_mods load
+		echo " done."
+	fi
+	
+	echo -n "Setting up chains for public/internal interface traffic..."	
+
+	# make a public input chain
+	${IPCHAINS} -N PUB_IN 2> /dev/null
+	${IPCHAINS} -F PUB_IN
+	# as close to setting policy as we can get
+	${IPCHAINS} -A PUB_IN -j DENY
+	# make a public output chain
+	${IPCHAINS} -N PUB_OUT 2> /dev/null
+	${IPCHAINS} -F PUB_OUT
+	# as close to setting policy as we can get
+	${IPCHAINS} -A PUB_OUT -j DENY
+
+	# make an "INTERNAL" input chain
+	${IPCHAINS} -N INT_IN 2> /dev/null
+	${IPCHAINS} -F INT_IN
+	# as close to setting policy as we can get
+	${IPCHAINS} -A INT_IN -j DENY
+	# make an "INTERNAL" output chain
+	${IPCHAINS} -N INT_OUT 2> /dev/null
+	${IPCHAINS} -F INT_OUT
+	# as close to setting policy as we can get
+	${IPCHAINS} -A INT_OUT -j DENY
+
+	include_supplemental pre-chain-split
+
+	# direct packets to the INTERNAL_* chains
+	for iface in ${INTERNAL_IFACES} ; do
+		${IPCHAINS} -A input -i ${iface} -j INT_IN
+		${IPCHAINS} -A output -i ${iface} -j INT_OUT
+		NON_LOOPBACK_SEEN=N
+		for net in ${LOCAL_ADDRESSES} ; do
+			if [ ${net} != "127.0.0.1/8" ]; then
+				NON_LOOPBACK_SEEN=Y
+			fi
+		done	
+		# complain if no local addresses
+		if [ ${NON_LOOPBACK_SEEN} = "N" ]; then
+			echo "WARNING: no non-loopback local addresses; protection from INTERNAL_IFACES not enabled!"
+		fi
+	done
+
+	# Direct PUBLIC interface traffic to the proper chain
+	for iface in ${PUBLIC_IFACES} ; do
+		${IPCHAINS} -A input -i ${iface} -j PUB_IN
+		${IPCHAINS} -A output -i ${iface} -j PUB_OUT
+	done
+
+	include_supplemental pre-audit
+
+	# Auditing must be set up before these packets are blocked!
+	#
+	for service in ${TCP_AUDIT_SERVICES} ; do
+		${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${service} -y  -l
+	done   
+	for service in ${UDP_AUDIT_SERVICES} ; do
+		${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${service} -l
+	done   
+	for type in ${ICMP_AUDIT_TYPES} ; do
+		${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -l 
+	done
+
+	# disallow any attempts to get to internal interfaces from outside
+	# not good if this is supposed to route between normal networks
+	for int in ${INTERNAL_NETWORKS} ; do
+		# deny traffic from public
+		# interfaces that is addressed to internal networks
+		${IPCHAINS} -A PUB_IN -d ${int} -j ${REJECT_METHOD} ${LOG_FLAG}
+		# spoofed addreses from outside
+		${IPCHAINS} -A PUB_IN -s ${int} -j ${REJECT_METHOD} ${LOG_FLAG}
+	done
+	
+	echo " done. "
+		
+	echo -n "Setting up general rules..."	
+
+	include_supplemental pre-dhcp
+
+	# Allow response from DHCP servers
+	for iface in ${DHCP_IFACES} ; do
+		for chain in input PUB_IN INT_IN ; do
+			# allow UDP responses
+			${IPCHAINS} -A ${chain} -p udp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT 		
+			# normally we allow TCP data returns so this is redundant
+			# ${IPCHAINS} -A ${chain} -p tcp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT 		
+		done
+		# make link so dhcpcd runs firewall when IP changes (if no such file already)
+		[ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750
+		if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then
+			ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe
+		fi
+	done
+
+	include_supplemental pre-internal
+
+	# internal interface rules
+	for net in ${LOCAL_ADDRESSES} ; do
+		# Allow accessses to TCP services on this system
+		for serv in ${TCP_INTERNAL_SERVICES} ; do
+			${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} -j ACCEPT 		
+		done
+		${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} \! -y -j ACCEPT
+		# UDP services
+		for serv in ${UDP_INTERNAL_SERVICES} ; do
+			${IPCHAINS} -A INT_IN -p udp -d ${net} ${serv} -j ACCEPT 
+		done
+	done
+	# ICMP
+	# hopefully you don't care about hiding from internal hosts!
+	${IPCHAINS} -A INT_IN -p icmp -d 0.0.0.0/0 -j ACCEPT 
+	${IPCHAINS} -A INT_OUT -p icmp -d 0.0.0.0/0 -j ACCEPT 
+	# ...but if you do... try this... (and see the PUB_IN rules below)
+	#for type in ${ICMP_ALLOWED_TYPES} ; do
+	#	${IPCHAINS} -A INT_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT 
+	#done
+	#for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do
+	#	${IPCHAINS} -A INT_OUT -p icmp --icmp-type ${type} -j REJECT
+	#done
+        
+	# input rules
+	#
+	# public interfaces
+
+	include_supplemental pre-input
+
+	# --------------------- ICMP --------------------------
+	for type in ${ICMP_ALLOWED_TYPES} ; do
+		${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT 
+	done
+
+	# --------------------- TCP --------------------------
+	for serv in ${TCP_PUBLIC_SERVICES} ; do
+		${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${serv} -j ACCEPT 		
+	done
+
+	# if you're disallowing ICMP, you may be trying to look 
+	# invisible/disable ping, so let's just drop these attempts
+	${IPCHAINS} -A PUB_IN -p icmp -d 0.0.0.0/0 -j DENY ${LOG_FLAG}
+
+	for chain in PUB_IN INT_IN ; do
+		if [ ${FORCE_PASV_FTP} != "Y" ]; then
+			# no point explicitly blocking TCP services unless active FTP is enabled
+			# Step 1: block the high port TCP services
+			for serv in ${TCP_BLOCKED_SERVICES} ; do
+				# only block -y initial connects; in case the port was needlessly
+				# specified, this should still enable it to be used as a source
+				# port for non-FTP connecions from this host or machines using it as a gateway
+				${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 ${serv} -y -j ${REJECT_METHOD} ${LOG_FLAG}
+			done
+			# FEATURE: check bound high TCP and complain?
+			# Step 2: allow the ftp-data connections
+			${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 1024: -s 0.0.0.0/0 ftp-data -j ACCEPT
+		fi
+
+		# general response to my TCP requests
+		${IPCHAINS} -A ${chain} -p tcp \! -y -j ACCEPT
+	
+		# no TCP requests to other ports (redundant)
+		# ${IPCHAINS} -A ${chain} -p tcp -j ${REJECT_METHOD} ${LOG_FLAG}
+	
+		# --------------------- UDP --------------------------
+		for serv in ${UDP_PUBLIC_SERVICES} ; do
+			${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${serv} -j ACCEPT 		
+		done
+
+		# This isn't necessary unless you have DNS_SERVERS or NTP_SERVERS
+		# but who wouldn't have DNS servers configured?
+		for serv in ${UDP_BLOCKED_SERVICES} ; do
+			${IPCHAINS} -A ${chain} -p udp -d 0.0.0.0/0 ${serv} -j ${REJECT_METHOD} ${LOG_FLAG}
+		done
+
+		for dns_net in ${DNS_SERVERS} ; do
+			${IPCHAINS} -A ${chain} -p udp -s ${dns_net} domain -d 0.0.0.0/0 1024: -j ACCEPT
+		done
+
+		for ntp_net in ${ntp_server_addrs} ; do
+			# this allows unprivileged queries, e.g. 'ntpdate'
+			${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 1024: -j ACCEPT
+			# this allows you to run an ntp daemon to maintain 
+			# system time nore gracefully than with 'ntpdate'
+			${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 ntp -j ACCEPT
+		done
+		# Reject other UDP (redundant)
+		#${IPCHAINS} -A ${chain} -p udp -j ${REJECT_METHOD} ${LOG_FLAG}
+	done
+
+	
+	# end of loop through public interfaces for input rules
+
+	if [ ${FORCE_PASV_FTP} != "Y" -a \( -n "${PUBLIC_IFACES}" -o -n "${INTERNAL_IFACES}" \) ]; then
+		# warning
+		echo
+		echo "WARNING: allowing \"active\" FTP; any unknown TCP services running"
+		echo "on high ports will be vulnerable; blocking too many high TCP ports"
+		echo "may affect various TCP _clients_ running on this machine or using"
+		echo "this machine as a gateway."
+	fi
+
+	# now we can deny the attempts from the internal interfaces to this host
+	for tnet in ${LOCAL_ADDRESSES} ; do
+		for chain in PUB_IN INT_IN ; do
+			${IPCHAINS} -A ${chain} -d ${tnet} -j ${REJECT_METHOD} ${LOG_FLAG}
+		done
+	done
+	# now that we've blocked attempts from the internal interfaces
+	# to the IP's on this server, we need to accept other connections
+	# so the IP Masq / NAT will function
+	for net in ${IP_MASQ_NETWORK} ; do
+		for chain in PUB_IN INT_IN ; do
+			${IPCHAINS} -A ${chain} -s ${net} -j ACCEPT
+		done
+	done
+
+	# --------------------- catch-all --------------------------
+	# Reject all other traffic (redundant if not logging)
+	if [ ${LOG_FAILURES} = "Y" ]; then
+		for chain in input forward PUB_IN INT_IN ; do
+ 			${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG}
+ 		done
+ 	fi
+
+	#
+       	echo " done."
+
+	echo -n "Setting up outbound rules..."	
+
+	include_supplemental pre-output
+
+	# block outbound ICMP types (usu. to hide from traceroute)
+	for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do
+		# ** The following will limit ICMP on public and internal interfaces:
+		# for chain in PUB_OUT INT_OUT ; do
+		# ** but our default is to only limit outbound ICMP on public interfaces
+		for chain in PUB_OUT ; do
+			${IPCHAINS} -A ${chain} -p icmp --icmp-type ${type} -j REJECT ${LOG_FLAG}
+		done
+	done
+	# 
+	# Here you might really lock things down if this is a server,
+	# e.g., to keep it from doing anything but connecting to
+	# SMTP servers and responding to Web requests, or whatever
+	# the specific requirements are. 
+	#
+	# Such lockdowns are recommended if the situation affords you
+	# that flexibility.
+	#
+	# default is to enable outbound traffic
+	# (again, here, for a server you might default to ${REJECT_METHOD} )
+	${IPCHAINS} -P output ACCEPT
+
+	include_supplemental pre-policy-reset
+	
+	# Now that all rules are set, we can change the policies
+	# to the user preference safely
+	${IPCHAINS} -P forward ${REJECT_METHOD}
+	${IPCHAINS} -P input ${REJECT_METHOD}
+	# to set default "policies" for PUB_* and INT_* chains, add a final rule
+	if [ ${LOG_FAILURES} != "Y" ]; then
+		# if LOG_FAILURES were set, we would have already done this
+		for chain in PUB_IN INT_IN ; do
+			${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG}
+		done
+	fi
+	for chain in PUB_OUT INT_OUT ; do
+		${IPCHAINS} -A ${chain} -j ACCEPT
+	done
+	# rule 1 in all of these chains is a deny rule; remove it so other rules work
+	for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do
+		${IPCHAINS} -D ${chain} -j DENY
+	done
+
+	include_supplemental post-rule-setup
+	
+	echo " done."
+
+	;;
+  stop)
+	include_supplemental pre-drop-rules
+	echo
+	echo "WARNING: reverting to default settings (dropping firewall)"
+	# We should disable NAT/forwarding even if not set to restore defaults
+	echo -n "disabling IP forwarding..."	
+	echo 0 > /proc/sys/net/ipv4/ip_forward
+	echo " done."
+	echo -n "unloading masquerading modules..."	
+	do_masq_mods unload
+	echo " done."
+	# flushing seems to leave the default input at ${REJECT_METHOD}
+	echo -n "resetting default input rules to accept..."
+	${IPCHAINS} -P input ACCEPT
+	echo " done."
+	echo -n "resetting default output rule to accept..."
+	${IPCHAINS} -P output ACCEPT
+	echo " done."
+	#  We disabled forwarding with the /proc interface, but we
+	#  reset FORWARD to ACCEPT because that;s the normal default
+	echo -n "resetting default forward rule to accept..."
+	${IPCHAINS} -P forward ACCEPT
+	echo " done."
+	for chain in input output forward ; do
+		echo -n "flushing ${chain} rules..."	
+		${IPCHAINS} -F ${chain}
+		echo " done."
+	done
+	# flush and delete the user-defined chains
+	echo -n "removing user-defined chains..."	
+	for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do
+		${IPCHAINS} -F ${chain}
+		${IPCHAINS} -X ${chain}
+	done
+	include_supplemental post-drop-rules
+	echo " done."
+	;;
+  status)
+	${IPCHAINS} -L -v -n
+	;;
+  *)
+	echo "Usage: $0 {start|restart|reload|stop|status}"
+	exit 1
+esac
+
+exit 0
+
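Review bot: The rule at L565 (`${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} \! -y -j ACCEPT`) sits outside the `for serv in ${TCP_INTERNAL_SERVICES}` loop that ends on L564, so it is appended with whatever value the loop left in `serv` (or an empty port spec when the list is empty, which then accepts all non-SYN TCP to that address); it looks like a stray line and can simply be removed, as L619 already adds the `\! -y` accept for INT_IN. Separately, L177 only checks that the config file exists before L183 executes it as root shell via `.`, and `include_supplemental` (L273–L286) sources every `*.sh` under `/etc/Bastille/firewall.d/` the same way; the ISPConfig plugin that generates `bastille-firewall.cfg` (listed in the diffstat but not in this chunk) therefore must write only validated port/interface tokens into that file, and a comment such as `# CONFIG is sourced as root: it must be root-owned and contain only variable assignments` would make that contract explicit here. The `LOCAL_ADDRESSES` derivation at L203 also greps `ifconfig` for the literal `inet addr`, so on an ifconfig whose output format differs the list is presumably empty and the INT_IN host-protection rules are silently skipped — worth confirming on the target distributions.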
diff --git a/install/apps/bastille-netfilter b/install/apps/bastille-netfilter
new file mode 100644
index 0000000000..2ffb333530
--- /dev/null
+++ b/install/apps/bastille-netfilter
@@ -0,0 +1,626 @@
+#!/bin/sh
+#
+# /sbin/bastille-netfilter	Load/unload netfilter rulesets
+#
+# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-netfilter,v $ 
+# Modified by: $Author: peterw $
+# $Date: 2002/01/11 02:23:14 $
+# $Revision: 1.27 $
+#
+# Copyright (C) 1999-2001 Peter Watkins
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Thanks to David Ranch, Brad A, Don G, Jay Beale and others 
+# (especially the netfilter mailing list!) for their suggestions
+#
+# This script is designed to be called BY a SysV-style init script.
+#
+# It should be run with a "start" argument
+#	1) BY an rc?.d "S" script, _before_ the "network" script
+#	   (normally via the "bastille-firewall" init script; 
+#	    as of 2001/02/14, the only purpose of bastille-firewall
+#	    is to start this script)
+#	2) any time an interface is brought up or changed, e.g.
+#	   establishing a PPP conection or renewing a DHCP lease
+# [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and
+#  'ifup-local' to /sbin/ (in addition to the bastille-firewall init script]
+#
+#   Normally you Do Not _Ever_ Want to run this with a "stop" argument!
+#
+# Note that running this with "stop" will disable the firewall and open
+# your system to all network traffic; if you make changes to these rules,
+# apply them by running the script again with a "start" argument.
+
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+IPTABLES=/sbin/iptables
+CONFIG=/etc/Bastille/bastille-firewall.cfg
+
+if [ ! -x ${IPTABLES} ]; then
+	echo "ERROR: \"${IPTABLES}\" does not exist!"
+	if [ -x /sbin/bastille-ipchains ]; then
+		# better to fall back to 'ipchains' than do nothing
+		unset IPTABLES
+		echo "Executing /sbin/bastille-ipchains $1"
+		/sbin/bastille-ipchains $1
+		exit $?
+	fi
+	exit 1
+fi
+
+if [ ! -f ${CONFIG} ]; then
+	echo "ERROR: unable to read configuration file \"${CONFIG}\""
+	exit 1
+fi
+
+# source the configuration file, which will set environment variables
+. ${CONFIG}
+
+if [ -z "${REJECT_METHOD}" ]; then
+	echo "ERROR: no reject method specified (corrupt config file?) Exiting!"
+	exit 1
+fi
+
+
+#
+# Computed values
+# 
+# These things should be queried/computed at run time
+#
+# LOCAL_ADDRESSES
+#
+# LOCAL_ADDRESSES lists all IP addresses for this server 
+#  (for the INTERNAL_SERVICES rules); if you have virtual 
+#  network devices, you may want to hand-code this, e.g.
+# LOCAL_ADDRESSES="127.0.0.0/8"
+#
+# The following makes a list of all current IP addresses
+LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: `
+#
+#
+# DEFAULT_GW_IFACE
+#
+# The name of the address that is the default gateway (for SNAT)
+DEFAULT_GW_IFACE=`netstat -nr | awk '$1 == "0.0.0.0" {print $8}'`
+#
+#
+# INTERNAL_NETWORKS
+#
+# INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES
+# e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0"
+# The following makes a list of all current internal IP addresses _with netmasks_
+for i in ${INTERNAL_IFACES} ; do
+	INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} | grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`"
+	if [ $i = "${DEFAULT_GW_IFACE}" ]; then
+		DEFAULT_GW_IP=`ifconfig ${i} | grep "inet addr" | awk '{print $2}'`
+	fi
+done
+#
+#
+# CALLED_METHOD
+#
+# Variable to hold $1, for use in functions (which have their own $1 vars)
+CALLED_METHOD="$1"
+#
+#
+# REJECT_METHOD
+#
+# Convert ipchains/DENY to netfilter/DROP
+if [ "${REJECT_METHOD}" = "DENY" ]; then
+	REJECT_METHOD="DROP"
+fi
+
+# counter number to help toubleshoot
+RULENUM=0
+
+#
+# Shell functions
+#
+# include_supplemental
+# source supplemental (plug-in) firewall scripts
+include_supplemental()
+{
+	# args: $1 = nickname for the supplemental phase
+	nickname="$1"
+	if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then
+		cd /etc/Bastille/firewall.d && . ./${nickname}.sh
+	fi
+	if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then
+		for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do
+			cd /etc/Bastille/firewall.d/${nickname}.d && \
+			. ${s}
+		done
+	fi
+}
+#
+# incr_rule_num
+# Increment counter number to help toubleshoot
+incr_rule_num()
+{
+	RULENUM=`expr $RULENUM + 1`
+	return 0
+}
+#
+# do_masq_mods
+# Function to load/unload NAT kernel modules
+do_masq_mods()
+{
+	# args: $1 = "load" or "unload"
+	#
+	# find the currently loaded modules
+	masq_mods=`lsmod | awk '{print $1}' | grep '^ip_nat_'`
+	#
+	# Step 1: unload unwanted modules
+	for m in ${masq_mods} ; do
+		UNLOAD_THIS_MOD=Y
+		for normal_mod in ${IP_MASQ_MODULES} ; do
+			if [ "ip_nat_${normal_mod}" = $m -o "ip_nat_${normal_mod}_conntrack" = $m ]; then
+				# this module is _supposed_ to be loaded
+				UNLOAD_THIS_MOD=N
+			fi
+		done
+		if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then
+			# we're either disabling the firewall or we've disabled masquerading,
+			# so we should unload _all_ masq modules
+			UNLOAD_THIS_MOD=Y
+		fi
+		if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then
+			rmmod ${m} || echo "Error unloading ${m} module"
+		fi
+	done
+	# Step 2: load wanted modules that are not already loaded
+	if [ $1 = "load" ]; then
+		for normal_mod in ${IP_MASQ_MODULES} ; do
+			MOD_LOADED=N
+			for m in ${masq_mods} ; do
+				if [ "ip_nat_${normal_mod}" = $m ]; then
+					MOD_LOADED=Y
+				fi
+			done
+			if [ $MOD_LOADED = "N" ]; then
+				insmod "ip_nat_${normal_mod}" || echo "Error loading ip_nat_${normal_mod} module"
+			fi
+			# try to load any _conntrack variants
+			modprobe "ip_nat_${normal_mod}_conntrack" 2>/dev/null
+		done
+	fi
+}
+
+# See how we were called.
+case "$1" in
+  start|restart|reload)
+	#
+	# anything to do before resetting?
+	include_supplemental pre-reset
+	#
+	# Make sure we don't have any ipchains rules!
+	for c in INPUT OUTPUT FORWARD; do
+		ipchains -P ${c} DENY 2>/dev/null
+		ipchains -F ${c} 2>/dev/null
+	done
+	ipchains -X 2>/dev/null
+	rmmod ipchains 2>/dev/null
+	#
+	# For Red Hat users, let's ensure that its firewalls are disabled
+        rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on`
+        rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on`
+        bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on`
+        if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then
+		echo
+                echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'"
+                echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls."
+                [ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off
+                [ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off
+		echo
+        fi
+	#
+	# Make sure the iptables/netfilter kernel module is loaded
+	modprobe ip_tables
+	#
+	# Clean up the default chains
+	#
+	# we set defaults to DROP to minimize possible interruptions
+	# if this script is re-run to reset rules
+	#
+	for chain in INPUT OUTPUT FORWARD ; do
+		${IPTABLES} -P ${chain} DROP
+		# flush rules
+		${IPTABLES} -F ${chain}
+	done
+	#
+	for chain in PREROUTING POSTROUTING ; do
+		${IPTABLES} -t nat -F ${chain}
+	done
+	${IPTABLES} -t mangle -F PREROUTING
+	# Our custom chains
+	for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do
+		${IPTABLES} -N ${chain} 2> /dev/null
+		${IPTABLES} -F ${chain}
+		${IPTABLES} -A ${chain} -j DROP
+	done
+
+	# PAROLE chain is used for TCP services
+	${IPTABLES} -N PAROLE 2> /dev/null
+	${IPTABLES} -F PAROLE
+	if [ "${IP_ALWAYS_USE_STATE}" = "Y" ]; then
+		# nmap NULL scans pass the --syn test, but this doesn't seem
+		# to catch them, either
+		[ "${LOG_FAILURES}" = "Y" ] && \
+		${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num
+		${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j ${REJECT_METHOD}
+		${IPTABLES} -A PAROLE -p tcp -m state --state NEW --syn -j ACCEPT
+		[ "${LOG_FAILURES}" = "Y" ] && \
+		${IPTABLES} -A PAROLE -p tcp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num
+		${IPTABLES} -A PAROLE -p tcp -j ${REJECT_METHOD}
+	fi
+	${IPTABLES} -A PAROLE -j ACCEPT
+
+        # Run our "early" custom script if it exists
+        [ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh
+
+	# any new-style "early" plugins?
+	include_supplemental early
+
+	# enable stateful rules
+	modprobe ip_conntrack
+	modprobe ip_conntrack_ftp
+	modprobe ipt_LOG
+
+	# from the ipchains HOWTO
+	if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then
+		if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
+        		echo -n "Setting up IP spoofing protection..."
+		        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+            		echo 1 > $f
+        		done
+        		echo " done."
+		else
+        		echo "WARNING: errors encountered while trying to enable IP spoofing protection!"
+		fi
+	fi
+
+	include_supplemental pre-local-block
+
+	# Block any non-local attempts to get localhost addresses
+	# per woody@thebunker.net's bugtraq post	
+	[ "${LOG_FAILURES}" = "Y" ] && \
+	${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM" ; incr_rule_num
+	${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD}
+
+	# Uncomment this to really, truly block active FTP
+	# (shouldn't be necessary if ip_conntrack_ftp does its job)
+	#if [ ${FORCE_PASV_FTP} = "Y" ]; then
+	#	[ "${LOG_FAILURES}" = "Y" ] && \
+	#	${IPTABLES} -A INPUT -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+	#	${IPTABLES} -A INPUT -p tcp --sport ftp-data -j ${REJECT_METHOD}
+	#	[ "${LOG_FAILURES}" = "Y" ] && \
+	#	${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+	#	${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j ${REJECT_METHOD}
+	#fi
+
+	include_supplemental pre-established
+
+	# Stateful data returns (this should include ICMP messages)
+	# ...for data to this box
+	${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+	# Fragments
+	if [ "${ALLOW_FRAGMENTS}" = "N" ]; then
+		[ "${LOG_FAILURES}" = "Y" ] && \
+		${IPTABLES} -A INPUT -f -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+		${IPTABLES} -A INPUT -f -j ${REJECT_METHOD}
+	fi
+
+	include_supplemental pre-trusted
+	
+	# Allow all traffic from trusted interfaces
+	echo -n "Allowing traffic from trusted interfaces..."
+	for t_iface in ${TRUSTED_IFACES} ; do	
+		# we could be pickier here, e.g. only allow traffic
+		# that looks valid
+		${IPTABLES} -A INPUT -i ${t_iface} -j ACCEPT
+	done
+	echo " done. "
+
+	# If you have networks that route traffic to each other through this
+	# server, you may want to add some forwarding rules, here, e.g.
+	# one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0"
+	#
+	# Note: I _think_ this is right; if not, please let me know!
+	#
+	#${IPTABLES} -A FORWARD -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT
+	# the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1"
+	#${IPTABLES} -A FORWARD -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT	
+
+	include_supplemental pre-mcast-block
+
+	# No packets with multicast source addresses (Joshua K, RFC 1122)
+	# (If you want to enable multicast, comment this out!)
+	[ "${LOG_FAILURES}" = "Y" ] && \
+	${IPTABLES} -A INPUT -s 224.0.0.0/4 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+	${IPTABLES} -A INPUT -s 224.0.0.0/4 -j ${REJECT_METHOD}
+
+	# Forwarding
+
+	include_supplemental pre-nat
+
+	# IP Masquerading/forwarding
+	#
+	# Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list)
+	#do_masq_mods unload
+	#
+	if [ -n "${IP_MASQ_NETWORK}" ]; then
+		echo -n "Loading NAT modules..."
+		modprobe iptable_nat
+		echo " done."
+		echo -n "Setting up masquerading rules..."	
+		# since we've set the default forwarding policy to
+		# reject, we can enable forwarding now
+		echo 1 > /proc/sys/net/ipv4/ip_forward
+		# set up rules for masqueraded networks
+		for net in ${IP_MASQ_NETWORK} ; do
+			for pub in ${PUBLIC_IFACES} ; do
+				# NAT should be one-way, deny traffic from public
+				# interfaces that is addresses to masq'ed networks
+				[ "${LOG_FAILURES}" = "Y" ] && \
+				${IPTABLES} -A INPUT -d ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+				${IPTABLES} -A INPUT -d ${net} -i ${pub} -j ${REJECT_METHOD}
+				# spoofed addreses from outside
+				[ "${LOG_FAILURES}" = "Y" ] && \
+				${IPTABLES} -A INPUT -s ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+				${IPTABLES} -A INPUT -s ${net} -i ${pub} -j ${REJECT_METHOD}
+				if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then
+					# NetBIOS
+					[ "${LOG_FAILURES}" = "Y" ] && \
+					${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+					${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD}
+					[ "${LOG_FAILURES}" = "Y" ] && \
+					${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+					${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD}
+				fi
+				# set up a NAT rule with MASQ -- se below for SNAT
+				${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE
+				${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT
+			done
+		done
+		# If you have a statuc address for the public interface,
+		# you might prefer setting upp static NAT instead of the
+		# -j MASQUERADE code above:
+		#${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP}
+		echo " done."
+		echo -n "Loading masquerading modules..."	
+		do_masq_mods load
+		echo " done."
+	fi
+	
+	include_supplemental pre-chain-split
+
+	echo -n "Setting up chains for public/internal interface traffic..."	
+
+	# Direct PUBLIC interface traffic to the proper chain
+	for iface in ${PUBLIC_IFACES} ; do
+		${IPTABLES} -A INPUT -i ${iface} -j PUB_IN
+		${IPTABLES} -A OUTPUT -o ${iface} -j PUB_OUT
+	done
+
+
+	# disallow any attempts to get to internal interfaces from outside
+	# not good if this is supposed to route between normal networks
+	for int in ${INTERNAL_NETWORKS} ; do
+		# deny traffic from public
+		# interfaces that is addressed to internal networks
+		[ "${LOG_FAILURES}" = "Y" ] && \
+		${IPTABLES} -A PUB_IN -d ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+		${IPTABLES} -A PUB_IN -d ${int} -j ${REJECT_METHOD}
+		# spoofed addreses from outside
+		[ "${LOG_FAILURES}" = "Y" ] && \
+		${IPTABLES} -A PUB_IN -s ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+		${IPTABLES} -A PUB_IN -s ${int} -j ${REJECT_METHOD}
+	done
+	
+	# direct packets to the INTERNAL_* chains
+	for iface in ${INTERNAL_IFACES} ; do
+		${IPTABLES} -A INPUT -i ${iface} -j INT_IN
+		${IPTABLES} -A OUTPUT -o ${iface} -j INT_OUT
+	done
+	echo " done. "
+		
+	echo -n "Setting up general rules..."	
+
+	include_supplemental pre-dhcp
+
+	# Allow response from DHCP servers
+	for iface in ${DHCP_IFACES} ; do
+		# make link so dhcpcd runs firewall when IP changes (if no such file already)
+		[ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750
+		if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then
+			ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe
+		fi
+	done
+
+	include_supplemental pre-internal
+
+	# internal interface rules
+	# Allow accessses to TCP services on this system
+	for serv in ${TCP_INTERNAL_SERVICES} ; do
+		${IPTABLES} -A INT_IN -p tcp --dport ${serv} -j PAROLE
+	done
+	# UDP services
+	for serv in ${UDP_INTERNAL_SERVICES} ; do
+		${IPTABLES} -A INT_IN -p udp --dport ${serv} -j ACCEPT 
+	done
+	# ICMP
+	# hopefully you don't care about hiding from internal hosts!
+	${IPTABLES} -A INT_IN -p icmp -j ACCEPT 
+	${IPTABLES} -A INT_OUT -p icmp -j ACCEPT 
+	# ...but if you do... try this... (and see the PUB_IN rules below)
+	#for type in ${ICMP_ALLOWED_TYPES} ; do
+	#	${IPTABLES} -A INT_IN -p icmp --icmp-type ${type} -j ACCEPT 
+	#done
+        
+	include_supplemental pre-input
+
+	# input rules
+	#
+	# public interfaces
+
+	# --------------------- ICMP --------------------------
+	for type in ${ICMP_ALLOWED_TYPES} ; do
+		${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -j ACCEPT 
+	done
+
+	# --------------------- TCP --------------------------
+	for serv in ${TCP_PUBLIC_SERVICES} ; do
+		${IPTABLES} -A PUB_IN -p tcp --dport ${serv} -j PAROLE
+	done
+	
+	# --------------------- UDP --------------------------
+	for serv in ${UDP_PUBLIC_SERVICES} ; do
+		${IPTABLES} -A PUB_IN -p udp --dport ${serv} -j ACCEPT 		
+	done
+	
+	include_supplemental pre-audit
+
+	# -------------- Public interface input auditing ---------------
+	# Note that this will only audit services that are not actually available
+	#
+	for service in ${TCP_AUDIT_SERVICES} ; do
+		${IPTABLES} -A PUB_IN -p tcp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit"
+	done   
+	for service in ${UDP_AUDIT_SERVICES} ; do
+		${IPTABLES} -A PUB_IN -p udp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit"
+	done   
+	for type in ${ICMP_AUDIT_TYPES} ; do
+		${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit"
+	done
+
+	# if you're disallowing ICMP, you may be trying to look 
+	# invisible/disable ping, so let's just drop these attempts
+	[ "${LOG_FAILURES}" = "Y" ] && \
+	${IPTABLES} -A PUB_IN -p icmp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN DROP $RULENUM" ; incr_rule_num
+	${IPTABLES} -A PUB_IN -p icmp -j DROP
+
+	# --------------------- catch-all --------------------------
+	# Reject all other traffic (redundant if not logging)
+	if [ ${LOG_FAILURES} = "Y" ]; then
+		for chain in INPUT PUB_IN INT_IN ; do
+			[ "${LOG_FAILURES}" = "Y" ] && \
+ 			${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+ 			${IPTABLES} -A ${chain} -j ${REJECT_METHOD}
+ 		done
+ 	fi
+
+	#
+       	echo " done."
+
+	include_supplemental pre-output
+
+	echo -n "Setting up outbound rules..."	
+	# 
+	# Here you might really lock things down if this is a server,
+	# e.g., to keep it from doing anything but connecting to
+	# SMTP servers and responding to Web requests, or whatever
+	# the specific requirements are. 
+	#
+	# Such lockdowns are recommended if the situation affords you
+	# that flexibility.
+	#
+	# If you want to only allow the server to respond to requests
+	# (and not even make DNS/dhcp/ntp queries!), then uncomment these lines:
+	# # Note: if the connection table fills, you won't be able to
+	# # respond to requests if you rely on "-m state" with these rules
+	# ${IPTABLES} -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	# [ ${LOG_FAILURES} = "Y" ] && \
+	# ${IPTABLES} -A OUTPUT -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "OUTPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+	# ${IPTABLES} -A OUTPUT -j REJECT
+	#
+	# default is to enable outbound traffic
+	${IPTABLES} -P OUTPUT ACCEPT
+
+	include_supplemental pre-policy-reset
+	
+	# Now that all rules are set, we can change the policies
+	# to the user preference safely
+	[ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A FORWARD -j ${REJECT_METHOD}
+	[ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A INPUT -j ${REJECT_METHOD}
+	# to set default "policies" for PUB_* and INT_* chains, add a final rule
+	if [ ${LOG_FAILURES} != "Y" ]; then
+		# if LOG_FAILURES were set, we would have already done this
+		for chain in PUB_IN INT_IN INPUT FORWARD; do
+			[ "${LOG_FAILURES}" = "Y" ] && \
+			${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num
+			${IPTABLES} -A ${chain} -j ${REJECT_METHOD}
+		done
+	fi
+	for chain in PUB_OUT INT_OUT ; do
+		${IPTABLES} -A ${chain} -j ACCEPT
+	done
+	# rule 1 in all of these chains is a deny rule; remove it so other rules work
+	for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do
+		${IPTABLES} -D ${chain} -j DROP
+	done
+
+	include_supplemental post-rule-setup
+	
+	echo " done."
+
+	;;
+  stop)
+	include_supplemental pre-drop-rules
+	echo
+	echo "WARNING: reverting to default settings (dropping firewall)"
+	# We should disable NAT/forwarding even if not set to restore defaults
+	echo -n "disabling IP forwarding..."	
+	echo 0 > /proc/sys/net/ipv4/ip_forward
+	echo " done."
+	echo -n "unloading masquerading modules..."	
+	do_masq_mods unload
+	echo " done."
+	# flushing leaves the default input at ${REJECT_METHOD}
+	echo -n "resetting default input rules to accept..."
+	${IPTABLES} -P INPUT ACCEPT
+	echo " done."
+	echo -n "resetting default output rule to accept..."
+	${IPTABLES} -P OUTPUT ACCEPT
+	echo " done."
+	#  We disabled forwarding with the /proc interface, but we
+	#  reset FORWARD to ACCEPT because that;s the normal default
+	echo -n "resetting default forward rule to accept..."
+	${IPTABLES} -P FORWARD ACCEPT
+	echo " done."
+	for chain in INPUT OUTPUT FORWARD ; do
+		echo -n "flushing ${chain} rules..."	
+		${IPTABLES} -F ${chain}
+		echo " done."
+	done
+	for chain in PREROUTING POSTROUTING ; do
+		${IPTABLES} -t nat -F ${chain}
+	done
+	${IPTABLES} -t mangle -F PREROUTING
+	# flush and delete the user-defined chains
+	echo -n "removing user-defined chains..."
+	for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do
+		${IPTABLES} -F ${chain}
+		${IPTABLES} -X ${chain}
+	done
+	include_supplemental post-drop-rules
+	echo " done."
+	;;
+  status)
+	${IPTABLES} -L -v -n
+	;;
+  *)
+	echo "Usage: $0 {start|restart|reload|stop|status}"
+	exit 1
+esac
+
+exit 0
+
diff --git a/install/apps/bastille_licence.txt b/install/apps/bastille_licence.txt
new file mode 100644
index 0000000000..d511905c16
--- /dev/null
+++ b/install/apps/bastille_licence.txt
@@ -0,0 +1,339 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.
diff --git a/install/install.php b/install/install.php
index 257b5b21d5..2c82e7d576 100644
--- a/install/install.php
+++ b/install/install.php
@@ -175,6 +175,10 @@ if($install_mode == 'Standard') {
 	//* Configure Apache
 	swriteln('Configuring Apache');
 	$inst->configure_apache();
+	
+	//* Configure Firewall
+	swriteln('Configuring Firewall');
+	$inst->configure_firewall();
 
 	//* Configure ISPConfig
 	swriteln('Installing ISPConfig');
@@ -282,6 +286,12 @@ if($install_mode == 'Standard') {
 		$inst->configure_apache();
 	}
 	
+	//** Configure Firewall
+	if(strtolower($inst->simple_query('Configure Firewall Server',array('y','n'),'y')) == 'y') {	
+		swriteln('Configuring Firewall');
+		$inst->configure_firewall();
+	}
+	
 	//** Configure ISPConfig :-)
 	if(strtolower($inst->simple_query('Install ISPConfig Web-Interface',array('y','n'),'y')) == 'y') {
 		swriteln('Installing ISPConfig');
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 87c0751519..0ac9d6bc32 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -595,6 +595,58 @@ class installer_base {
 		
 	}
 	
+	public function configure_firewall()
+	{
+		global $conf;
+		
+		$dist_init_scripts = $conf['init_scripts'];
+  		
+		if(is_dir("/etc/Bastille")) caselog("mv -f /etc/Bastille /etc/Bastille.backup", $FILE, __LINE__);
+  		@mkdir("/etc/Bastille", octdec($directory_mode));
+  		if(is_dir("/etc/Bastille.backup/firewall.d")) caselog("cp -pfr /etc/Bastille.backup/firewall.d /etc/Bastille/", $FILE, __LINE__);
+  		caselog("cp -f tpl/bastille-firewall.cfg.master /etc/Bastille/bastille-firewall.cfg", $FILE, __LINE__);
+  		caselog("chmod 644 /etc/Bastille/bastille-firewall.cfg", $FILE, __LINE__);
+  		$content = rf("/etc/Bastille/bastille-firewall.cfg");
+  		$content = str_replace("{DNS_SERVERS}", "", $content);
+
+  		$tcp_public_services = '';
+  		$udp_public_services = '';
+		
+		$row = $this->db->queryOneRecord("SELECT * FROM firewall WHERE server_id = ".intval($this->conf['server_id']));
+		
+  		if(trim($row["tcp_port"]) != '' || trim($row["udp_port"]) != ''){
+    		$tcp_public_services = trim(str_replace(',',' ',$row["tcp_port"]));
+    		$udp_public_services = trim(str_replace(',',' ',$row["udp_port"]));
+  		} else {
+    		$tcp_public_services = '21 22 25 53 80 110 443 8080 10000';
+    		$udp_public_services = '53';
+  		}
+  		$content = str_replace("{TCP_PUBLIC_SERVICES}", $tcp_public_services, $content);
+  		$content = str_replace("{UDP_PUBLIC_SERVICES}", $udp_public_services, $content);
+
+  		wf("/etc/Bastille/bastille-firewall.cfg", $content);
+
+  		if(is_file($dist_init_scripts."/bastille-firewall")) caselog("mv -f $dist_init_scripts/bastille-firewall $dist_init_scripts/bastille-firewall.backup_".date("m_d_Y__H_i_s", $current_date), $FILE, __LINE__);
+  		caselog("cp -f apps/bastille-firewall $dist_init_scripts", $FILE, __LINE__);
+  		caselog("chmod 700 $dist_init_scripts/bastille-firewall", $FILE, __LINE__);
+
+  		if(is_file("/sbin/bastille-ipchains")) caselog("mv -f /sbin/bastille-ipchains /sbin/bastille-ipchains.backup", $FILE, __LINE__);
+  		caselog("cp -f apps/bastille-ipchains /sbin", $FILE, __LINE__);
+  		caselog("chmod 700 /sbin/bastille-ipchains", $FILE, __LINE__);
+
+  		if(is_file("/sbin/bastille-netfilter")) caselog("mv -f /sbin/bastille-netfilter /sbin/bastille-netfilter.backup", $FILE, __LINE__);
+  		caselog("cp -f apps/bastille-netfilter /sbin", $FILE, __LINE__);
+  		caselog("chmod 700 /sbin/bastille-netfilter", $FILE, __LINE__);
+
+  		exec("which ipchains &> /dev/null", $ipchains_location, $ret_val);
+  		if(!is_file("/sbin/ipchains") && !is_link("/sbin/ipchains") && $ret_val == 0) phpcaselog(@symlink(shell_exec("which ipchains"), "/sbin/ipchains"), 'create symlink', $FILE, __LINE__);
+  		unset($ipchains_location);
+  		exec("which iptables &> /dev/null", $iptables_location, $ret_val);
+  		if(!is_file("/sbin/iptables") && !is_link("/sbin/iptables") && $ret_val == 0) phpcaselog(@symlink(trim(shell_exec("which iptables")), "/sbin/iptables"), 'create symlink', $FILE, __LINE__);
+  		unset($iptables_location);
+
+	}
+	
 	
 	public function install_ispconfig()
     {
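Review bot: The `tcp_port`/`udp_port` strings read from the `firewall` table on L1817-L1821 are substituted unchecked into `/etc/Bastille/bastille-firewall.cfg`, where the template turns them into a shell assignment (`TCP_PUBLIC_SERVICES="{TCP_PUBLIC_SERVICES}"`) in a file that the firewall scripts appear to read as shell, so a value containing `"` or `$(` entered in the admin form would end up executed by the root-run scripts; validate the list before writing it, e.g. fall back to the built-in defaults unless `preg_match('/^[a-z0-9: ]*$/i', $tcp_public_services . ' ' . $udp_public_services)` holds (letters only if named services like `smtp` are meant to be accepted). `$FILE`, `$directory_mode` and `$current_date` are never assigned in this method (only `$conf` is imported), so every `caselog()` call gets an undefined file name, `mkdir` on L1807 gets `octdec('')` = mode 0, and the backup suffix on L1831 is computed from an unset timestamp; `__FILE__`, a literal mode such as `0755`, and `time()` are presumably what was intended. The ipchains symlink on L1844 uses the untrimmed `shell_exec()` output, so the link target carries a trailing newline, unlike the iptables case on L1847 which trims it. `&>` on L1843/L1846 is a bash redirection; if `/bin/sh` is not bash the command is parsed differently and `$ret_val` may not reflect `which`, so `2>/dev/null` (or `escapeshellcmd`-free `exec('which iptables', $out, $ret)` alone) is safer. The method also reads `$this->conf['server_id']` while importing `$conf` via `global` for `init_scripts`, which looks inconsistent; the enclosing class `installer_base` starts and ends outside the hunk.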
@@ -711,7 +763,7 @@ class installer_base {
 		//* make sure that the server config file (not the interface one) is only readable by the root user
 		exec("chmod 600 $install_dir/server/lib/$configfile");
 		exec("chown root:root $install_dir/server/lib/$configfile");
-		if(@is_file("$install_dir/server/lib/mysql_clientdb.conf") {
+		if(@is_file("$install_dir/server/lib/mysql_clientdb.conf")) {
 			exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
 			exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
 		}
diff --git a/install/tpl/bastille-firewall.cfg.master b/install/tpl/bastille-firewall.cfg.master
new file mode 100644
index 0000000000..e43d0df1d4
--- /dev/null
+++ b/install/tpl/bastille-firewall.cfg.master
@@ -0,0 +1,320 @@
+#
+# /etc/bastille-firewall.cfg
+#
+# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
+#
+# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $
+# Modified by: $Author: peterw $
+# $Date: 2002/01/04 13:34:18 $
+# $Revision: 1.7 $
+#
+# Copyright (C) 1999-2001 Peter Watkins
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
+
+# the configuration values should be whitespace-delimited lists of
+# appropriate values, e.g.
+#         TCP_PUBLIC_SERVICES="80 smtp ssh"
+# lists Web (port 80), SMTP mail, and Secure Shell ports
+#
+# This script is suitable for workstations or simple NAT firewalls;
+# you may want to add more "output" restrictions for serious servers
+
+# 0) DNS servers (Linux 2.2/ipchains only)
+#        You must list your DNS servers here so that
+#        the firewall will allow them to service your lookup requests
+#
+# List of DNS servers/networks to allow "domain" responses from
+# This _could_ be nameservers as a list of <ip-address>/32 entries
+#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"
+# If you are running a caching nameserver, you'll need to allow from
+# "0.0.0.0/0" so named can query any arbitrary nameserver
+# (To enable a caching nameserver, you will also probably need to
+#  add "domain" to the TCP and UDP public service lists.)
+#DNS_SERVERS="0.0.0.0/0"
+#
+# To have the DNS servers parsed from /etc/resolv.conf at runtime,
+# as normal workstations will want, make this variable empty
+#DNS_SERVERS=""
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+DNS_SERVERS="{DNS_SERVERS}"
+
+
+# 1) define your interfaces (all systems)
+#        Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
+#        interface
+#
+# list internal/trusted interfaces
+# traffic from these interfaces will be allowed
+# through the firewall, no restrictions
+#TRUSTED_IFACES="lo"                                        # MINIMAL/SAFEST
+#
+# list external/untrusted interfaces
+#PUBLIC_IFACES="eth+ ppp+ slip+"                        # SAFEST
+#
+# list internal/partially-trusted interfaces
+# e.g. if this acts as a NAT/IP Masq server and you
+# don't want clients on those interfaces having
+# full network access to services running on this
+# server (as the TRUSTED_IFACES allows)
+#INTERNAL_IFACES=""                                # SAFEST
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TRUSTED_IFACES="lo"                                        # MINIMAL/SAFEST
+PUBLIC_IFACES="eth+ ppp+ slip+ venet+"                        # SAFEST
+INTERNAL_IFACES=""                                # SAFEST
+
+
+# 2) services for which we want to log access attempts to syslog (all systems)
+#        Note this only audits connection attempts from public interfaces
+#
+#        Also see item 12, LOG_FAILURES
+#
+#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+# anyone probing for BackOrifice?
+#UDP_AUDIT_SERVICES="31337"
+# how about ICMP?
+#ICMP_AUDIT_TYPES=""
+#ICMP_AUDIT_TYPES="echo-request"        # ping/MS tracert
+#
+# To enable auditing, you must have syslog configured to log "kern"
+# messages of "info" level; typically you'd do this with a line in
+# syslog.conf like
+#   kern.info                                /var/log/messages
+# though the Bastille port monitor will normally want these messages
+# logged to a named pipe instead, and the Bastille script normally
+# configures syslog for "kern.*" which catches these messages
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+#UDP_AUDIT_SERVICES="31337"
+#ICMP_AUDIT_TYPES=""
+
+
+# 3) services we allow connections to (all systems)
+#
+# FTP note:
+#        To allow your machine to service "passive" FTP clients,
+#        you will need to make allowances for the passive data
+#        ports; Bastille users should read README.FTP for more
+#        information
+#
+# "public" interfaces:
+# TCP services that "public" hosts should be allowed to connect to
+#TCP_PUBLIC_SERVICES=""                                        # MINIMAL/SAFEST
+#
+# UDP services that "public" hosts should be allowed to connect to
+#UDP_PUBLIC_SERVICES=""                                        # MINIMAL/SAFEST
+#
+# "internal" interfaces:
+# (NB: you will need to repeat the "public" services if you want
+#      to allow "internal" hosts to reach those services, too.)
+# TCP services that internal clients can connect to
+#TCP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
+#
+# UDP services that internal clients can connect to
+#UDP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TCP_PUBLIC_SERVICES="{TCP_PUBLIC_SERVICES}"                                        # MINIMAL/SAFEST
+UDP_PUBLIC_SERVICES="{UDP_PUBLIC_SERVICES}"                                        # MINIMAL/SAFEST
+TCP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
+UDP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
+
+# 4) passive/active FTP (Linux 2.2/ipchains only)
+#        FTP is a firewall nightmare; if you allow "normal" FTP connections,
+#        you must be careful to block any TCP services that are listening
+#        on high ports; it's safer to require your FTP clients to use
+#        "passive" mode.
+#
+#        Note this will also force clients on machines
+#        that use this one for NAT/IP Masquerading to use passive mode
+#        for connections that go through this server (e.g. from the
+#        internal network to public Internet machines
+#
+#        For more information about FTP, see the Bastille README.FTP doc
+#
+#FORCE_PASV_FTP="N"
+#FORCE_PASV_FTP="Y"                                        # SAFEST
+#
+FORCE_PASV_FTP="Y"                                        # SAFEST
+
+
+# 5) Services to explicitly block. (Linux 2.2/ipchains only)
+#        See FTP note above
+#        Note that ranges of ports are specified with colons, and you
+#        can specify an open range by using only one number, e.g.
+#        1024: means ports >= 1024 and :6000 means ports <= 6000
+#
+# TCP services on high ports that should be blocked if not forcing passive FTP
+# This should include X (6000:6010) and anything else revealed by 'netstat -an'
+#  (this does not matter unless you're not forcing "passive" FTP)
+#TCP_BLOCKED_SERVICES="6000:6020"
+#
+# UDP services to block: this should be UDP services on high ports.
+# Your only vulnerability from public interfaces are the DNS and
+# NTP servers/networks (those with 0.0.0.0 for DNS servers should
+# obviously be very careful here!)
+#UDP_BLOCKED_SERVICES="2049"
+#
+# types of ICMP packets to allow
+#ICMP_ALLOWED_TYPES="destination-unreachable"                # MINIMAL/SAFEST
+# the following allows you to ping/traceroute outbound
+#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TCP_BLOCKED_SERVICES="6000:6020"
+UDP_BLOCKED_SERVICES="2049"
+ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request"
+
+
+# 6) Source Address Verification (all Linux systems)
+#        This helps prevent "IP Spoofing" attacks
+#
+ENABLE_SRC_ADDR_VERIFY="Y"                                # SAFEST
+
+
+# 7) IP Masquerading / NAT. (all systems)
+#        List your internal/masq'ed networks here
+#
+#        Also see item 4, FORCE_PASV_FTP, as that setting affects
+#        clients using IP Masquerading through this machine
+#
+# Set this variable if you're using IP Masq / NAT for a local network
+#IP_MASQ_NETWORK=""                                        # DISABLE/SAFEST
+#IP_MASQ_NETWORK="10.0.0.0/8"                                # example
+#IP_MASQ_NETWORK="192.168.0.0/16"                        # example
+#
+# Have lots of masq hosts? uncomment the following six lines
+#  and list the hosts/networks in /etc/firewall-masqhosts
+#  the script assumes any address without a "/" netmask afterwards
+#  is an individual address (netmask /255.255.255.255):
+#if [ -f /etc/firewall-masqhosts ]; then
+#  echo "Reading list of masq hosts from /etc/firewall-masqhosts"
+#  # Read the file, but use 'awk' to strip comments
+#  # Note the sed bracket phrase includes a space and tab char
+#  IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[         ]*::g'`
+#fi
+#
+# Masq modules
+# NB: The script will prepend "ip_masq_" to each module name
+#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive"        # ALL (?)
+#IP_MASQ_MODULES="ftp raudio vdolive"                        # RECOMMENDED
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+IP_MASQ_NETWORK=""                                        # DISABLE/SAFEST
+IP_MASQ_MODULES="ftp raudio vdolive"                        # RECOMMENDED
+
+
+# 8) How to react to disallowed packets (all systems)
+# whether to "REJECT" or "DROP" disallowed packets; if you're running any
+# public services, you probably ought to use "REJECT"; if in serious stealth
+# mode, choose "DROP" so simple probes don't know if there's anything out there
+#        NOTE: disallowed ICMP packets are discarded with "DROP", as
+#                it would not make sense to "reject" the packet if you're
+#                trying to disallow ping/traceroute
+#        NOTE: the scripts that set up the filter rules will interpret these
+#                keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains
+#
+REJECT_METHOD="DROP"
+
+
+# 9) DHCP (Linux 2.2/ipchains only)
+#    In case your server needs to get a DHCP address from some other
+#    machine (e.g. cable modem)
+#DHCP_IFACES="eth0"                        # example, to allow you to query on eth0
+#DHCP_IFACES=""                                # DISABLED
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+DHCP_IFACES=""                                # DISABLED
+
+
+# 10) NTP servers (Linux 2.2/ipchains only)
+#        more UDP fun. List IP addresses or network space of NTP servers
+#
+#NTP_SERVERS=""                                # DISABLE NTP QUERIES / SAFEST
+#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32"        # example, to allow querying 2 servers
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+NTP_SERVERS=""                                # DISABLE NTP QUERIES / SAFEST
+
+
+# 11) more ICMP. (Linux 2.2/ipchains only)
+#        Control the outbound ICMP to make yourself invisible to
+#        traceroute probes
+#
+#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
+
+
+# 12) Logging (all systems)
+#        With this enabled, ipchains will log all blocked packets.
+#                 ** this could generate huge logs **
+#        This is primarily intended for the port mointoring system;
+#        also note that you probably do not want to "AUDIT" any services
+#        that you are not allowing, as doing so would mean duplicate
+#        logging
+LOG_FAILURES="N"                                # do not log blocked packets
+
+# 13) Block fragmented packets (all systems)
+#       There's no good reason to allow these
+#ALLOW_FRAGMENTS="N"                                # safest
+ALLOW_FRAGMENTS="Y"                                # old behavior
+
+# 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)
+#        Windows machines will poll teh net with SMB broadcasts,
+#        basically advertising their existence. Most folks agree
+#        that this traffic should be dropped
+#DROP_SMB_NAT_BCAST="N"                # allow them (are you sure?)
+DROP_SMB_NAT_BCAST="Y"                # drop those packets
+
+# 15) Log level (iptables/netfilter/Linux 2.4 only)
+#        Control what level of logging is used when the firewall logs
+#        information. Default is warning (4). Lowest priority is
+#        debug (7); highest is emergency (0). To prevent syslog
+#        from copying iptables error messages to the console, set
+#        this to 6 (7 would also work, but 6 is recommended)
+#        You can also stop syslogd/klogd from printing kernel
+#        messages to the console by issuing the command
+#          setterm -msg off
+#IP_LOG_LEVEL=6                        # level used in 2.2/ipchains
+IP_LOG_LEVEL=4                        # iptables/netfilter default
+
+# 16) Always attempt to use stateful features for inbound connections
+#        Always using state will allow the firewall to reject invalid
+#        packets sent to otherwise open TCP services, e.g. XMAS, NULL
+#        and SIN/FYN scans. The downside to choosing this behavior is that
+#        services may become unreachable if the packet filter's state
+#        table becomes full.
+IP_ALWAYS_USE_STATE="N"                # default, ensures services remain available
+#IP_ALWAYS_USE_STATE="Y"        # disallow invalid packets
\ No newline at end of file
diff --git a/install/update.php b/install/update.php
index d5e349c2e7..f51a222ed7 100644
--- a/install/update.php
+++ b/install/update.php
@@ -200,6 +200,12 @@ if($reconfigure_services_answer == 'yes') {
 	//* Configure DBServer
 	swriteln('Configuring DBServer');
 	$inst->configure_dbserver();
+	
+	if(@is_dir('/etc/Bastille')) {
+		//* Configure Firewall
+		swriteln('Configuring Firewall');
+		$inst->configure_firewall();
+	}
 }
 
 //** Configure ISPConfig
diff --git a/interface/web/admin/form/firewall.tform.php b/interface/web/admin/form/firewall.tform.php
index 40593ca4e5..2f4ace8125 100644
--- a/interface/web/admin/form/firewall.tform.php
+++ b/interface/web/admin/form/firewall.tform.php
@@ -79,7 +79,7 @@ $form["tabs"]['firewall'] = array (
 														'regex' => '/^[\s0-9\,]{0,255}$/',
 														'errmsg'=> 'tcp_ports_error_regex'),
 									),
-			'default'	=> '',
+			'default'	=> '21,22,25,53,80,110,443,8080,10000',
 			'value'		=> '',
 			'width'		=> '30',
 			'maxlength'	=> '255'
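Review bot: The new default `'21,22,25,53,80,110,443,8080,10000'` opens ten TCP ports on every newly created firewall record whether or not a daemon listens on them, and the firewall plugin added in this same patch copies the list verbatim into Bastille's TCP_PUBLIC_SERVICES, so the default is what ends up exposed on the public interfaces. Nothing in the form says which service each port is for (8080 presumably the ISPConfig interface; 10000 is not an ISPConfig port as far as this patch shows), so a maintainer cannot tell whether 10000 or 21 is intentional. I would trim the default to the services the panel itself provisions, or at least add `// default public TCP ports: ftp ssh smtp dns http pop3 https ispconfig(8080) ...` naming each one, and treat anything unexplained as a candidate for removal. The enclosing `$form["tabs"]['firewall']` array begins and ends outside this hunk.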
@@ -91,7 +91,7 @@ $form["tabs"]['firewall'] = array (
 														'regex' => '/^[\s0-9\,]{0,255}$/',
 														'errmsg'=> 'tcp_ports_error_regex'),
 									),
-			'default'	=> '',
+			'default'	=> '53',
 			'value'		=> '',
 			'width'		=> '30',
 			'maxlength'	=> '255'
diff --git a/server/conf/bastille-firewall.cfg.master b/server/conf/bastille-firewall.cfg.master
new file mode 100644
index 0000000000..b9658c9861
--- /dev/null
+++ b/server/conf/bastille-firewall.cfg.master
@@ -0,0 +1,320 @@
+#
+# /etc/bastille-firewall.cfg
+#
+# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
+#
+# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $
+# Modified by: $Author: peterw $
+# $Date: 2002/01/04 13:34:18 $
+# $Revision: 1.7 $
+#
+# Copyright (C) 1999-2001 Peter Watkins
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
+
+# the configuration values should be whitespace-delimited lists of
+# appropriate values, e.g.
+#         TCP_PUBLIC_SERVICES="80 smtp ssh"
+# lists Web (port 80), SMTP mail, and Secure Shell ports
+#
+# This script is suitable for workstations or simple NAT firewalls;
+# you may want to add more "output" restrictions for serious servers
+
+# 0) DNS servers (Linux 2.2/ipchains only)
+#        You must list your DNS servers here so that
+#        the firewall will allow them to service your lookup requests
+#
+# List of DNS servers/networks to allow "domain" responses from
+# This _could_ be nameservers as a list of <ip-address>/32 entries
+#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"
+# If you are running a caching nameserver, you'll need to allow from
+# "0.0.0.0/0" so named can query any arbitrary nameserver
+# (To enable a caching nameserver, you will also probably need to
+#  add "domain" to the TCP and UDP public service lists.)
+#DNS_SERVERS="0.0.0.0/0"
+#
+# To have the DNS servers parsed from /etc/resolv.conf at runtime,
+# as normal workstations will want, make this variable empty
+#DNS_SERVERS=""
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+DNS_SERVERS="{DNS_SERVERS}"
+
+
+# 1) define your interfaces (all systems)
+#        Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
+#        interface
+#
+# list internal/trusted interfaces
+# traffic from these interfaces will be allowed
+# through the firewall, no restrictions
+#TRUSTED_IFACES="lo"                                        # MINIMAL/SAFEST
+#
+# list external/untrusted interfaces
+#PUBLIC_IFACES="eth+ ppp+ slip+"                        # SAFEST
+#
+# list internal/partially-trusted interfaces
+# e.g. if this acts as a NAT/IP Masq server and you
+# don't want clients on those interfaces having
+# full network access to services running on this
+# server (as the TRUSTED_IFACES allows)
+#INTERNAL_IFACES=""                                # SAFEST
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TRUSTED_IFACES="lo"                                        # MINIMAL/SAFEST
+PUBLIC_IFACES="eth+ ppp+ slip+ venet+"                        # SAFEST
+INTERNAL_IFACES=""                                # SAFEST
+
+
+# 2) services for which we want to log access attempts to syslog (all systems)
+#        Note this only audits connection attempts from public interfaces
+#
+#        Also see item 12, LOG_FAILURES
+#
+#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+# anyone probing for BackOrifice?
+#UDP_AUDIT_SERVICES="31337"
+# how about ICMP?
+#ICMP_AUDIT_TYPES=""
+#ICMP_AUDIT_TYPES="echo-request"        # ping/MS tracert
+#
+# To enable auditing, you must have syslog configured to log "kern"
+# messages of "info" level; typically you'd do this with a line in
+# syslog.conf like
+#   kern.info                                /var/log/messages
+# though the Bastille port monitor will normally want these messages
+# logged to a named pipe instead, and the Bastille script normally
+# configures syslog for "kern.*" which catches these messages
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+#UDP_AUDIT_SERVICES="31337"
+#ICMP_AUDIT_TYPES=""
+
+
+# 3) services we allow connections to (all systems)
+#
+# FTP note:
+#        To allow your machine to service "passive" FTP clients,
+#        you will need to make allowances for the passive data
+#        ports; Bastille users should read README.FTP for more
+#        information
+#
+# "public" interfaces:
+# TCP services that "public" hosts should be allowed to connect to
+#TCP_PUBLIC_SERVICES=""                                        # MINIMAL/SAFEST
+#
+# UDP services that "public" hosts should be allowed to connect to
+#UDP_PUBLIC_SERVICES=""                                        # MINIMAL/SAFEST
+#
+# "internal" interfaces:
+# (NB: you will need to repeat the "public" services if you want
+#      to allow "internal" hosts to reach those services, too.)
+# TCP services that internal clients can connect to
+#TCP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
+#
+# UDP services that internal clients can connect to
+#UDP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TCP_PUBLIC_SERVICES="{tmpl_var name="TCP_PUBLIC_SERVICES"}"                                        # MINIMAL/SAFEST
+UDP_PUBLIC_SERVICES="{tmpl_var name="UDP_PUBLIC_SERVICES"}"                                        # MINIMAL/SAFEST
+TCP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
+UDP_INTERNAL_SERVICES=""                                # MINIMAL/SAFEST
+
+# 4) passive/active FTP (Linux 2.2/ipchains only)
+#        FTP is a firewall nightmare; if you allow "normal" FTP connections,
+#        you must be careful to block any TCP services that are listening
+#        on high ports; it's safer to require your FTP clients to use
+#        "passive" mode.
+#
+#        Note this will also force clients on machines
+#        that use this one for NAT/IP Masquerading to use passive mode
+#        for connections that go through this server (e.g. from the
+#        internal network to public Internet machines
+#
+#        For more information about FTP, see the Bastille README.FTP doc
+#
+#FORCE_PASV_FTP="N"
+#FORCE_PASV_FTP="Y"                                        # SAFEST
+#
+FORCE_PASV_FTP="Y"                                        # SAFEST
+
+
+# 5) Services to explicitly block. (Linux 2.2/ipchains only)
+#        See FTP note above
+#        Note that ranges of ports are specified with colons, and you
+#        can specify an open range by using only one number, e.g.
+#        1024: means ports >= 1024 and :6000 means ports <= 6000
+#
+# TCP services on high ports that should be blocked if not forcing passive FTP
+# This should include X (6000:6010) and anything else revealed by 'netstat -an'
+#  (this does not matter unless you're not forcing "passive" FTP)
+#TCP_BLOCKED_SERVICES="6000:6020"
+#
+# UDP services to block: this should be UDP services on high ports.
+# Your only vulnerability from public interfaces are the DNS and
+# NTP servers/networks (those with 0.0.0.0 for DNS servers should
+# obviously be very careful here!)
+#UDP_BLOCKED_SERVICES="2049"
+#
+# types of ICMP packets to allow
+#ICMP_ALLOWED_TYPES="destination-unreachable"                # MINIMAL/SAFEST
+# the following allows you to ping/traceroute outbound
+#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TCP_BLOCKED_SERVICES="6000:6020"
+UDP_BLOCKED_SERVICES="2049"
+ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request"
+
+
+# 6) Source Address Verification (all Linux systems)
+#        This helps prevent "IP Spoofing" attacks
+#
+ENABLE_SRC_ADDR_VERIFY="Y"                                # SAFEST
+
+
+# 7) IP Masquerading / NAT. (all systems)
+#        List your internal/masq'ed networks here
+#
+#        Also see item 4, FORCE_PASV_FTP, as that setting affects
+#        clients using IP Masquerading through this machine
+#
+# Set this variable if you're using IP Masq / NAT for a local network
+#IP_MASQ_NETWORK=""                                        # DISABLE/SAFEST
+#IP_MASQ_NETWORK="10.0.0.0/8"                                # example
+#IP_MASQ_NETWORK="192.168.0.0/16"                        # example
+#
+# Have lots of masq hosts? uncomment the following six lines
+#  and list the hosts/networks in /etc/firewall-masqhosts
+#  the script assumes any address without a "/" netmask afterwards
+#  is an individual address (netmask /255.255.255.255):
+#if [ -f /etc/firewall-masqhosts ]; then
+#  echo "Reading list of masq hosts from /etc/firewall-masqhosts"
+#  # Read the file, but use 'awk' to strip comments
+#  # Note the sed bracket phrase includes a space and tab char
+#  IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[         ]*::g'`
+#fi
+#
+# Masq modules
+# NB: The script will prepend "ip_masq_" to each module name
+#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive"        # ALL (?)
+#IP_MASQ_MODULES="ftp raudio vdolive"                        # RECOMMENDED
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+IP_MASQ_NETWORK=""                                        # DISABLE/SAFEST
+IP_MASQ_MODULES="ftp raudio vdolive"                        # RECOMMENDED
+
+
+# 8) How to react to disallowed packets (all systems)
+# whether to "REJECT" or "DROP" disallowed packets; if you're running any
+# public services, you probably ought to use "REJECT"; if in serious stealth
+# mode, choose "DROP" so simple probes don't know if there's anything out there
+#        NOTE: disallowed ICMP packets are discarded with "DROP", as
+#                it would not make sense to "reject" the packet if you're
+#                trying to disallow ping/traceroute
+#        NOTE: the scripts that set up the filter rules will interpret these
+#                keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains
+#
+REJECT_METHOD="DROP"
+
+
+# 9) DHCP (Linux 2.2/ipchains only)
+#    In case your server needs to get a DHCP address from some other
+#    machine (e.g. cable modem)
+#DHCP_IFACES="eth0"                        # example, to allow you to query on eth0
+#DHCP_IFACES=""                                # DISABLED
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+DHCP_IFACES=""                                # DISABLED
+
+
+# 10) NTP servers (Linux 2.2/ipchains only)
+#        more UDP fun. List IP addresses or network space of NTP servers
+#
+#NTP_SERVERS=""                                # DISABLE NTP QUERIES / SAFEST
+#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32"        # example, to allow querying 2 servers
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+NTP_SERVERS=""                                # DISABLE NTP QUERIES / SAFEST
+
+
+# 11) more ICMP. (Linux 2.2/ipchains only)
+#        Control the outbound ICMP to make yourself invisible to
+#        traceroute probes
+#
+#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
+
+
+# 12) Logging (all systems)
+#        With this enabled, ipchains will log all blocked packets.
+#                 ** this could generate huge logs **
+#        This is primarily intended for the port mointoring system;
+#        also note that you probably do not want to "AUDIT" any services
+#        that you are not allowing, as doing so would mean duplicate
+#        logging
+LOG_FAILURES="N"                                # do not log blocked packets
+
+# 13) Block fragmented packets (all systems)
+#       There's no good reason to allow these
+#ALLOW_FRAGMENTS="N"                                # safest
+ALLOW_FRAGMENTS="Y"                                # old behavior
+
+# 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)
+#        Windows machines will poll teh net with SMB broadcasts,
+#        basically advertising their existence. Most folks agree
+#        that this traffic should be dropped
+#DROP_SMB_NAT_BCAST="N"                # allow them (are you sure?)
+DROP_SMB_NAT_BCAST="Y"                # drop those packets
+
+# 15) Log level (iptables/netfilter/Linux 2.4 only)
+#        Control what level of logging is used when the firewall logs
+#        information. Default is warning (4). Lowest priority is
+#        debug (7); highest is emergency (0). To prevent syslog
+#        from copying iptables error messages to the console, set
+#        this to 6 (7 would also work, but 6 is recommended)
+#        You can also stop syslogd/klogd from printing kernel
+#        messages to the console by issuing the command
+#          setterm -msg off
+#IP_LOG_LEVEL=6                        # level used in 2.2/ipchains
+IP_LOG_LEVEL=4                        # iptables/netfilter default
+
+# 16) Always attempt to use stateful features for inbound connections
+#        Always using state will allow the firewall to reject invalid
+#        packets sent to otherwise open TCP services, e.g. XMAS, NULL
+#        and SIN/FYN scans. The downside to choosing this behavior is that
+#        services may become unreachable if the packet filter's state
+#        table becomes full.
+IP_ALWAYS_USE_STATE="N"                # default, ensures services remain available
+#IP_ALWAYS_USE_STATE="Y"        # disallow invalid packets
\ No newline at end of file
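Review bot: `DNS_SERVERS="{DNS_SERVERS}"` in section 0 uses a bare `{NAME}` placeholder, while the two public-service lines use `{tmpl_var name="..."}`; the firewall plugin in this same patch only calls setVar for TCP_PUBLIC_SERVICES and UDP_PUBLIC_SERVICES, so unless the tpl class also expands bare braces, the generated /etc/Bastille/bastille-firewall.cfg will contain the literal string `{DNS_SERVERS}`. The file marks that variable as ipchains-only, so on the netfilter script it is probably ignored, but on an ipchains host it would be passed to the rules as if it were an address; `DNS_SERVERS=""` (parse /etc/resolv.conf at runtime, as the comment above it describes) or a matching tmpl_var plus setVar would avoid that. Separately, `ALLOW_FRAGMENTS="Y"` and `echo-request` in ICMP_ALLOWED_TYPES choose the file's own "old behavior" over its "safest" option for a host whose public interfaces are `eth+ ppp+ slip+ venet+`; if that is deliberate, a one-line comment stating why would spare the next reviewer the same question.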
diff --git a/server/plugins-available/firewall_plugin.inc.php b/server/plugins-available/firewall_plugin.inc.php
new file mode 100644
index 0000000000..8525bf3440
--- /dev/null
+++ b/server/plugins-available/firewall_plugin.inc.php
@@ -0,0 +1,126 @@
+<?php
+
+/*
+Copyright (c) 2008, Till Brehm, projektfarm Gmbh
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class firewall_plugin {
+	
+	var $plugin_name = 'firewall_plugin';
+	var $class_name  = 'firewall_plugin';
+	
+		
+	/*
+	 	This function is called when the plugin is loaded
+	*/
+	
+	function onLoad() {
+		global $app;
+		
+		/*
+		Register for the events
+		*/
+		
+		//* Mailboxes
+		$app->plugins->registerEvent('firewall_insert',$this->plugin_name,'insert');
+		$app->plugins->registerEvent('firewall_update',$this->plugin_name,'update');
+		$app->plugins->registerEvent('firewall_delete',$this->plugin_name,'delete');
+		
+		
+	}
+	
+	
+	function insert($event_name,$data) {
+		global $app, $conf;
+		
+		$this->update($event_name,$data);
+		
+	}
+	
+	function update($event_name,$data) {
+		global $app, $conf;
+		
+		$tcp_ports = '';
+		$udp_ports = '';
+		
+		$ports = explode(',',$data["new"]["tcp_port"]);
+		if(is_array($ports)) {
+			foreach($ports as $p) {
+				$p_int = intval($p);
+				if($p_int > 0) $tcp_ports .= $p_int . ' ';
+			}
+		}
+		$tcp_ports = trim($tcp_ports);
+		
+		$ports = explode(',',$data["new"]["udp_port"]);
+		if(is_array($ports)) {
+			foreach($ports as $p) {
+				$p_int = intval($p);
+				if($p_int > 0) $udp_ports .= $p_int . ' ';
+			}
+		}
+		$udp_ports = trim($udp_ports);
+		
+		
+		$tpl = new tpl();
+		$tpl->newTemplate("bastille-firewall.cfg.master");
+		
+		$tpl->setVar("TCP_PUBLIC_SERVICES",$tcp_ports);
+		$tpl->setVar("UDP_PUBLIC_SERVICES",$udp_ports);
+		
+		file_put_contents('/etc/Bastille/bastille-firewall.cfg',$tpl->grab());
+		$app->log('Writing firewall configuration /etc/Bastille/bastille-firewall.cfg',LOGLEVEL_DEBUG);
+		unset($tpl);
+		
+		if($data["new"]["active"] == 'y')) {
+			exec('/etc/init.d/bastille-firewall restart');
+			if(@is_file('/etc/debian_version')) exec('update-rc.d bastille-firewall defaults');
+			$app->log('Restarting the firewall',LOGLEVEL_DEBUG);
+		} else {
+			exec('/etc/init.d/bastille-firewall stop');
+			if(@is_file('/etc/debian_version')) exec('update-rc.d bastille-firewall remove');
+			$app->log('Stopping the firewall',LOGLEVEL_DEBUG);
+		}
+		
+		
+	}
+	
+	function delete($event_name,$data) {
+		global $app, $conf;
+		
+		exec('/etc/init.d/bastille-firewall stop');
+		if(@is_file('/etc/debian_version')) exec('update-rc.d bastille-firewall remove');
+		$app->log('Stopping the firewall',LOGLEVEL_DEBUG);
+		
+	}
+	
+	
+	
+
+} // end class
+
+?>
\ No newline at end of file
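Review bot: `if($data["new"]["active"] == 'y')) {` in update() has an unbalanced closing parenthesis, which is a PHP parse error; because the whole plugin file fails to compile, none of the three handlers registered in onLoad() will ever run and the firewall is never written or restarted. Beyond that, the return value of file_put_contents() is ignored, so a failed write (missing /etc/Bastille, read-only filesystem) still falls through to `/etc/init.d/bastille-firewall restart` with whatever config was previously on disk, and the port loops accept any positive integer, so `if($p_int > 0 && $p_int <= 65535)` would be a sensible bound in both. The rewrite below fixes the syntax error and aborts before restarting when the config could not be written; checking the exit status of the exec() calls via their third argument and logging a failure at LOGLEVEL_ERROR would be a worthwhile follow-up.

```php
		// … unchanged: tcp/udp port list parsing, template construction and setVar calls …
		if(file_put_contents('/etc/Bastille/bastille-firewall.cfg', $tpl->grab()) === false) {
			// Do not restart with a stale config if the write failed.
			$app->log('Unable to write /etc/Bastille/bastille-firewall.cfg', LOGLEVEL_ERROR);
			unset($tpl);
			return;
		}
		$app->log('Writing firewall configuration /etc/Bastille/bastille-firewall.cfg',LOGLEVEL_DEBUG);
		unset($tpl);

		if($data["new"]["active"] == 'y') {
		// … unchanged: restart / update-rc.d defaults branch and stop / update-rc.d remove branch …
```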
diff --git a/server/plugins-available/mysql_clientdb_plugin.inc.php b/server/plugins-available/mysql_clientdb_plugin.inc.php
index 7711236143..469937904b 100644
--- a/server/plugins-available/mysql_clientdb_plugin.inc.php
+++ b/server/plugins-available/mysql_clientdb_plugin.inc.php
@@ -60,6 +60,7 @@ class mysql_clientdb_plugin {
 		if($data["new"]["type"] == 'mysql') {
 			if(!include_once(ISPC_LIB_PATH.'/mysql_clientdb.conf')) {
 				$app->log('Unable to open'.ISPC_LIB_PATH.'/mysql_clientdb.conf',LOGLEVEL_ERROR);
+				return;
 			}
 		
 			//* Connect to the database
-- 
GitLab