X-Git-Url: http://git.squeep.com/?p=firewall-squeep;a=blobdiff_plain;f=firewall.sh;h=8bf61607de02fcbf03af62915316e24eda5226b0;hp=4106807247651f4dfa3ae9fdbcf3dd93bd4aec66;hb=2abc48981b380f2e9b1c13ed0accb81c12f0b07c;hpb=cfde4971df11b411615d4e133a372a6d51d7ad97

diff --git a/firewall.sh b/firewall.sh
index 4106807..8bf6160 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -43,20 +43,17 @@ $IP6TABLES -P OUTPUT ACCEPT
 
 # accept local traffic
 $IPTABLES -A INPUT -i lo -j ACCEPT
-
 $IP6TABLES -A INPUT -i lo -j ACCEPT
 
 # accept ICMP
 $IPTABLES -A INPUT -p icmp -j ACCEPT
-
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 
 # drop source-route rh0 headery things
-$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
+$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
 
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
 $IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # accept ipv6 link-local traffic
@@ -71,22 +68,20 @@ do
 	$IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
 done
 
-create_set allowed_udp bitmap:port range 0-65535
-create_set allowed_tcp bitmap:port range 0-65535
+# accept ESP for IPSec
+$IPTABLES -A INPUT -p esp -j ACCEPT
+$IP6TABLES -A INPUT -p esp -j ACCEPT
 
-for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
-do
-	$IPSET -exist add allowed_tcp ${p}
-done
-for p in 53 123 1194 64738
-do
-	$IPSET -exist add allowed_udp ${p}
-done
+# accept all IPSec traffic
+$IPTABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+$IP6TABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+
+./services.sh ${EXT_IF}
+
+create_drop_chain xenophobe
 
-$IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
-$IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+# insert asia blocker
+./sinokorea.sh
 
 # insert persistent-pest-blocker
 ./xenophobe.sh