From f7cca6ea32444a7764d54989bf360530d07d6092 Mon Sep 17 00:00:00 2001
From: Arnaud Desmons
Date: Thu, 5 Sep 2002 07:37:06 +0000
Subject: untouched
---
 .../scripts/bastille-firewall.cfg.default | 288 +++++++++++++++++++++
 firewall_wizard/scripts/check_ext_device.sh | 15 ++
 firewall_wizard/scripts/compute_ext_device.sh | 19 ++
 firewall_wizard/scripts/compute_level_name.sh | 147 +++++++++++
 firewall_wizard/scripts/do_it_firew.sh | 230 ++++++++++++++++
 firewall_wizard/scripts/firew.sh | 140 ++++++++++
 firewall_wizard/scripts/liste_ext_device.sh | 29 +++
 firewall_wizard/scripts/store_fwall.sh | 16 ++
 8 files changed, 884 insertions(+)
 create mode 100644 firewall_wizard/scripts/bastille-firewall.cfg.default
 create mode 100755 firewall_wizard/scripts/check_ext_device.sh
 create mode 100755 firewall_wizard/scripts/compute_ext_device.sh
 create mode 100755 firewall_wizard/scripts/compute_level_name.sh
 create mode 100755 firewall_wizard/scripts/do_it_firew.sh
 create mode 100755 firewall_wizard/scripts/firew.sh
 create mode 100755 firewall_wizard/scripts/liste_ext_device.sh
 create mode 100755 firewall_wizard/scripts/store_fwall.sh
(limited to 'firewall_wizard')
diff --git a/firewall_wizard/scripts/bastille-firewall.cfg.default b/firewall_wizard/scripts/bastille-firewall.cfg.default
new file mode 100644
index 00000000..746c61de
--- /dev/null
+++ b/firewall_wizard/scripts/bastille-firewall.cfg.default
@@ -0,0 +1,288 @@
+#
+# /etc/bastille-firewall.cfg
+#
+# Configuration fiel for both 2.2/ipchains and 2.4/netfilter scripts
+#
+# version 0.99-beta1
+# Copyright (C) 1999-2001 Peter Watkins
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Thanks to David Ranch, Brad A, Don G, and others for their suggestions
+
+# the configuration values should be whitespace-delimited lists of
+# appropriate values, e.g.
+# TCP_PUBLIC_SERVICES="80 smtp ssh"
+# lists Web (port 80), SMTP mail, and Secure Shell ports
+#
+# This script is suitable for workstations or simple NAT firewalls;
+# you may want to add more "output" restrictions for serious servers
+
+# 0) DNS servers. You must list your DNS servers here so that
+# the firewall will allow them to service your lookup requests
+#
+# List of DNS servers/networks to allow "domain" responses from
+# This _could_ be nameservers as a list of /32 entries
+#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"
+# If you are running a caching nameserver, you'll need to allow from
+# "0.0.0.0/0" so named can query any arbitrary nameserver
+# (To enable a caching nameserver, you will also probably need to
+# add "domain" to the TCP and UDP public service lists.)
+#DNS_SERVERS="0.0.0.0/0"
+#
+# To have the DNS servers parsed from /etc/resolv.conf at runtime,
+# as normal workstations will want, make this variable empty
+#DNS_SERVERS=""
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+DNS_SERVERS=""
+
+
+# 1) define your interfaces
+# Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
+# interface
+#
+# list internal/trusted interfaces
+# traffic from these interfaces will be allowed
+# through the firewall, no restrictions
+#TRUSTED_IFACES="lo" # MINIMAL/SAFEST
+#
+# list external/untrusted interfaces
+#PUBLIC_IFACES="eth+ ppp+ slip+" # SAFEST
+#
+# list internal/partially-trusted interfaces
+# e.g. if this acts as a NAT/IP Masq server and you
+# don't want clients on those interfaces having
+# full network access to services running on this
+# server (as the TRUSTED_IFACES allows)
+#INTERNAL_IFACES="" # SAFEST
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TRUSTED_IFACES="lo" # MINIMAL/SAFEST
+PUBLIC_IFACES="eth+ ppp+" # SAFEST
+INTERNAL_IFACES="" # SAFEST
+
+
+# 2) services for which we want to log access attempts to syslog
+# Note this only audits connection attempts from public interfaces
+#
+# Also see item 12, LOG_FAILURES
+#
+#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+# anyone probing for BackOrifice?
+#UDP_AUDIT_SERVICES="31337"
+# how about ICMP?
+#ICMP_AUDIT_TYPES=""
+#ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert
+#
+# To enable auditing, you must have syslog configured to log "kern"
+# messages of "info" level; typically you'd do this with a line in
+# syslog.conf like
+# kern.info /var/log/messages
+# though the Bastille port monitor will normally want these messages
+# logged to a named pipe instead, and the Bastille script normally
+# configures syslog for "kern.*" which catches these messages
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TCP_AUDIT_SERVICES=""
+UDP_AUDIT_SERVICES=""
+ICMP_AUDIT_TYPES=""
+
+
+# 3) services we allow connections to
+#
+# FTP note:
+# To allow your machine to service "passive" FTP clients,
+# you will need to make allowances for the passive data
+# ports; Bastille users should read README.FTP for more
+# information
+#
+# "public" interfaces:
+# TCP services that "public" hosts should be allowed to connect to
+#TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
+#
+# UDP services that "public" hosts should be allowed to connect to
+#UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
+#
+# "internal" interfaces:
+# (NB: you will need to repeat the "public" services if you want
+# to allow "internal" hosts to reach those services, too.)
+# TCP services that internal clients can connect to
+#TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
+#
+# UDP services that internal clients can connect to
+#UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+#TCP_PUBLIC_SERVICES="109 53 143 80 20 21 22 110 443 25" # MINIMAL/SAFEST
+TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
+UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
+TCP_INTERNAL_SERVICES="www ssh" # MINIMAL/SAFEST
+UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
+
+# 4) FTP is a firewall nightmare; if you allow "normal" FTP connections,
+# you must be careful to block any TCP services that are listening
+# on high ports; it's safer to require your FTP clients to use
+# "passive" mode.
+#
+# Note this will also force clients on machines
+# that use this one for NAT/IP Masquerading to use passive mode
+# for connections that go through this server (e.g. from the
+# internal network to public Internet machines
+#
+# For more information about FTP, see the Bastille README.FTP doc
+#
+#FORCE_PASV_FTP="N"
+#FORCE_PASV_FTP="Y" # SAFEST
+#
+FORCE_PASV_FTP="N" # SAFEST
+
+
+# 5) Services to explicitly block. See FTP note above
+# Note that ranges of ports are specified with colons, and you
+# can specify an open range by using only one number, e.g.
+# 1024: means ports >= 1024 and :6000 means ports <= 6000
+#
+# TCP services on high ports that should be blocked if not forcing passive FTP
+# This should include X (6000:6010) and anything else revealed by 'netstat -an'
+# (this does not matter unless you're not forcing "passive" FTP)
+#TCP_BLOCKED_SERVICES="6000:6020"
+#
+# UDP services to block: this should be UDP services on high ports.
+# Your only vulnerability from public interfaces are the DNS and
+# NTP servers/networks (those with 0.0.0.0 for DNS servers should
+# obviously be very careful here!)
+#UDP_BLOCKED_SERVICES="2049"
+#
+# types of ICMP packets to allow
+#ICMP_ALLOWED_TYPES="destination-unreachable" # MINIMAL/SAFEST
+# the following allows you to ping/traceroute outbound
+#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+TCP_BLOCKED_SERVICES="6000:6020"
+UDP_BLOCKED_SERVICES="2049"
+ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
+
+
+# 6) Source Address Verification helps prevent "IP Spoofing" attacks
+#
+ENABLE_SRC_ADDR_VERIFY="Y" # SAFEST
+
+
+# 7) IP Masquerading / NAT. List your internal/masq'ed networks here
+#
+# Also see item 4, FORCE_PASV_FTP, as that setting affects
+# clients using IP Masquerading through this machine
+#
+# Set this variable if you're using IP Masq / NAT for a local network
+#IP_MASQ_NETWORK="" # DISABLE/SAFEST
+#IP_MASQ_NETWORK="10.0.0.0/8" # example
+#IP_MASQ_NETWORK="192.168.0.0/16" # example
+#
+# Have lots of masq hosts? uncomment the following six lines
+# and list the hosts/networks in /etc/firewall-masqhosts
+# the script assumes any address without a "/" netmask afterwards
+# is an individual address (netmask /255.255.255.255):
+#if [ -f /etc/firewall-masqhosts ]; then
+# echo "Reading list of masq hosts from /etc/firewall-masqhosts"
+# # Read the file, but use 'awk' to strip comments
+# # Note the sed bracket phrase includes a space and tab char
+# IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ ]*::g'`
+#fi
+#
+# Masq modules
+# NB: The script will prepend "ip_masq_" to each module name
+#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?)
+#IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+IP_MASQ_NETWORK="192.168.4.0/24" # DISABLE/SAFEST
+IP_MASQ_MODULES="" # RECOMMENDED
+
+
+# 8) How to react to disallowed packets
+# whether to "REJECT" or "DENY" disallowed packets; if you're running any
+# public services, you probably ought to use "REJECT"; if in serious stealth
+# mode, choose "DENY" so simple probes don't know if there's anything out there
+# NOTE: disallowed ICMP packets are discarded with "DENY", as
+# it would not make sense to "reject" the packet if you're
+# trying to disallow ping/traceroute
+#
+REJECT_METHOD="DENY"
+
+
+# 9) DHCP
+# In case your server needs to get a DHCP address from some other
+# machine (e.g. cable modem)
+#DHCP_IFACES="eth0" # example, to allow you to query on eth0
+#DHCP_IFACES="" # DISABLED
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+DHCP_IFACES="" # DISABLED
+
+
+# 10) more UDP fun. List IP addresses or network space of NTP servers
+#
+#NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST
+#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32" # example, to allow querying 2 servers
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST
+
+
+# 11) more ICMP. Control the outbound ICMP to make yourself invisible to
+# traceroute probes
+#
+#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
+#
+# Please make sure variable assignments are on single lines; do NOT
+# use the "\" continuation character (so Bastille can change the
+# values if it is run more than once)
+ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
+
+
+# 12) Logging
+# With this enabled, ipchains will log all blocked packets.
+# ** this could generate huge logs **
+# This is primarily intended for the port mointoring system;
+# also note that you probably do not want to "AUDIT" any services
+# that you are not allowing, as doing so would mean duplicate
+# logging
+LOG_FAILURES="N" # do not log blocked packets
+
+# 13) Block fragmented packets
+# There's no good reason to allow these
+#ALLOW_FRAGMENTS="N" # safest
+ALLOW_FRAGMENTS="Y" # old behavior
+
+# 14) Prevent SMB broadcasts from leaking out NAT setup
+# Windows machines will poll teh net with SMB broadcasts,
+# basically advertising their existence. Most folks agree
+# that this traffic should be dropped
+#DROP_SMB_NAT_BCAST="N" # allow them (are you sure?)
+DROP_SMB_NAT_BCAST="Y" # drop those packets
+
diff --git a/firewall_wizard/scripts/check_ext_device.sh b/firewall_wizard/scripts/check_ext_device.sh
new file mode 100755
index 00000000..c1fc0092
--- /dev/null
+++ b/firewall_wizard/scripts/check_ext_device.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# script for wizard firewall configuration
+#
+# checking if the provided value is correct :
+# strip the @, need at least a dot
+
+
+dtmp=`echo ${wiz_ext_device} |sed -e 's/^\(\w*\).*$/\1/'`
+if [ -z "${dtmp}" ] ;then
+ echo_debug "wiz_ext_device is empty, should not."
+ exit 1
+fi
+
+# all seems to be ok
+exit 10
diff --git a/firewall_wizard/scripts/compute_ext_device.sh b/firewall_wizard/scripts/compute_ext_device.sh
new file mode 100755
index 00000000..718517c6
--- /dev/null
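Review bot: Several of the active assignments keep a trailing tag that no longer describes the value they carry: `IP_MASQ_NETWORK="192.168.4.0/24" # DISABLE/SAFEST` (the DISABLE example a few lines above is the empty string), `FORCE_PASV_FTP="N" # SAFEST` (the commented SAFEST example is "Y"), and `ALLOW_FRAGMENTS="Y" # old behavior` right under a heading stating there is no good reason to allow fragments. Since do_it_firew.sh rewrites IP_MASQ_NETWORK at run time, the 192.168.4.0/24 default is presumably a leftover from a test machine; either restore the documented safe value or change each tag so the comment matches, e.g. `FORCE_PASV_FTP="N" # allow active FTP; "Y" is SAFEST`. The fourth line of the file also has 'fiel' for 'file'.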
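Review bot: The header comment ("strip the @, need at least a dot") does not describe what the check does: the sed on the eighth line keeps only the leading run of `\w` characters, so the script rejects nothing but a value that does not start with a word character, and `\w` is a GNU sed extension. The expansion in `echo ${wiz_ext_device}` is unquoted, so a value containing spaces or glob characters is split and globbed before it reaches sed; `dtmp=$(printf '%s\n' "${wiz_ext_device}" | sed -e 's/^\([A-Za-z0-9_]*\).*$/\1/')` is both portable and safe. store_fwall.sh repeats the same extraction line and has the same issue. The comment should say what is actually validated, e.g. `# keep the leading [A-Za-z0-9_] run of the value; reject an empty result`.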
+++ b/firewall_wizard/scripts/compute_ext_device.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# script for wizard firewall configuration
+#
+# return on stdout the default value for network device
+
+
+device=
+file=/etc/sysconfig/network
+
+[ -f ${file} ] && device=`get_val ${file} GATEWAYDEV`
+
+[ -z "${device}" ] && device="ppp0"
+
+echo_debug "proposed ext device : ${device}"
+
+echo ${device}
+
+exit 0
+
diff --git a/firewall_wizard/scripts/compute_level_name.sh b/firewall_wizard/scripts/compute_level_name.sh
new file mode 100755
index 00000000..578b06f7
--- /dev/null
+++ b/firewall_wizard/scripts/compute_level_name.sh
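Review bot: The value read from GATEWAYDEV is emitted unvalidated and unquoted: `echo ${device}` word-splits and glob-expands whatever get_val returned from /etc/sysconfig/network, and `[ -f ${file} ]` is unquoted as well. `[ -f "${file}" ] && device=$(get_val "${file}" GATEWAYDEV)` and `printf '%s\n' "${device}"` keep the behaviour while passing the value through intact. The hard-coded `ppp0` fallback is the interesting part of this script and is not mentioned in the header; I would extend it to `# return on stdout the default value for network device (GATEWAYDEV from /etc/sysconfig/network, else ppp0)`.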
@@ -0,0 +1,147 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini
+# http://www.mandrakesoft.com
+
+
+# firewall protection level
+#
+#- level 0 : no protection
+#
+#- level 1 : light filtering, usual services opened
+#
+#- level 2 : only 'internet' services
+#
+#- level 3 : strong protection : only out mail & http
+#
+
+[ -z "${wiz_firewall_level}" ] && wiz_firewall_level=0
+[ ${wiz_firewall_level} -le 0 ] && wiz_firewall_level=0
+[ ${wiz_firewall_level} -ge 3 ] && wiz_firewall_level=3
+
+[ -z "$LANG" ] && LANG=en
+
+case "$LANG" in
+
+ fr)
+ case "${wiz_firewall_level}" in
+
+ 0) txt="Aucun - Pas de protection"
+ ;;
+ 1) txt="Faible - Léger filtrage, services standards ouverts"
+ ;;
+ 2) txt="Intermédiaire - Web, ftp et ssh accessibles de l'extérieur"
+ ;;
+ 3) txt="Fort - Invisible de l'extérieur, usage interne limité au web"
+ ;;
+ *) txt="Aucun niveau selectionné ???"
+ ;;
+ esac
+ ;;
+
+ it)
+ case "${wiz_firewall_level}" in
+
+ 0) txt="None - No protection"
+ ;;
+ 1) txt="Low - Light filtering, standard services available"
+ ;;
+ 2) txt="Medium - web, ftp and ssh shown to outside"
+ ;;
+ 3) txt="Strong - no outside visibility, users limited to web"
+ ;;
+ *) txt="No Level protection selected ???"
+ ;;
+ esac
+ ;;
+
+ es)
+ case "${wiz_firewall_level}" in
+
+ 0) txt="None - No protection"
+ ;;
+ 1) txt="Low - Light filtering, standard services available"
+ ;;
+ 2) txt="Medium - web, ftp and ssh shown to outside"
+ ;;
+ 3) txt="Strong - no outside visibility, users limited to web"
+ ;;
+ *) txt="No Level protection selected ???"
+ ;;
+ esac
+ ;;
+
+ de)
+ case "${wiz_firewall_level}" in
+
+ 0) txt="None - No protection"
+ ;;
+ 1) txt="Low - Light filtering, standard services available"
+ ;;
+ 2) txt="Medium - web, ftp and ssh shown to outside"
+ ;;
+ 3) txt="Strong - no outside visibility, users limited to web"
+ ;;
+ *) txt="No Level protection selected ???"
+ ;;
+ esac
+ ;;
+
+ es)
+ case "${wiz_firewall_level}" in
+
+ 0) txt="None - No protection"
+ ;;
+ 1) txt="Low - Light filtering, standard services available"
+ ;;
+ 2) txt="Medium - web, ftp and ssh shown to outside"
+ ;;
+ 3) txt="Strong - no outside visibility, users limited to web"
+ ;;
+ *) txt="No Level protection selected ???"
+ ;;
+ esac
+ ;;
+
+ *)
+ case "${wiz_firewall_level}" in
+
+ 0) txt="None - No protection"
+ ;;
+ 1) txt="Low - Light filtering, standard services available"
+ ;;
+ 2) txt="Medium - web, ftp and ssh shown to outside"
+ ;;
+ 3) txt="Strong - no outside visibility, users limited to web"
+ ;;
+ *) txt="No Level protection selected ???"
+ ;;
+ esac
+ ;;
+esac
+
+echo_debug "firewall level : ${txt}"
+
+echo $txt
+
+exit 0
diff --git a/firewall_wizard/scripts/do_it_firew.sh b/firewall_wizard/scripts/do_it_firew.sh
new file mode 100755
index 00000000..89defad7
--- /dev/null
+++ b/firewall_wizard/scripts/do_it_firew.sh
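Review bot: The `es)` arm appears twice in the outer case; the second copy, after `de)`, can never match and should be deleted. The `it)`, `es)` and `de)` arms are byte-identical to the `*)` default, so until translations exist they could be dropped and the default left to serve them, which removes about sixty redundant lines. The selector is the full `$LANG`, so a value with a territory or encoding suffix such as `fr_FR` or `fr_FR.UTF-8` never reaches the French arm; `fr*)` would match all of them. `echo $txt` is unquoted and the `[ ${wiz_firewall_level} -le 0 ]` comparisons error out on a non-numeric level; `printf '%s\n' "$txt"` fixes the former, and a `case "${wiz_firewall_level}" in [0-3]) ;; *) wiz_firewall_level=0 ;; esac` before the comparisons the latter.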
@@ -0,0 +1,230 @@
+#!/bin/bash
+#
+# firewall This script sets up firewall rules.
+#
+# description: Sets up or removes firewall rules.
+#
+# Firewall rules for a firewall between a private internal network and the
+# Internet.
+#
+# hacked to fit with wizard, protection level and initscripts.
+#
+# initial copyright :
+# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
+# be distributed under the terms of the GNU General Public License, version
+# 2 or any later version.
+
+# firewall protection level
+#
+#- level 0 : no protection
+# open all TCP/UDP PORT on / and through the server/firewall
+# DROP unroutable network
+#
+#- level 1 : light filtering, usual services opened
+# open all TCP/UDP PORT on / and through the server/firewall
+# DROP unroutable network
+# NAT Activated on external interface
+#
+#- level 2 : only 'internet' services
+# open only configured services on this server/firewall
+# DROP unroutable network
+# NAT Activated on external interface
+#
+#- level 3 : strong protection : only out mail & http
+# DROP unroutable network
+# block all ports except ssh
+#
+
+# this should be launched by a wizard screen ?
+${CWD}/scripts/store_fwall.sh
+
+typeset -i firewall_level
+wiz_firewall_level=`get_var wiz_firewall_level`
+[ -z "${wiz_firewall_level}" ] && wiz_firewall_level=0
+[ ${wiz_firewall_level} -le 0 ] && wiz_firewall_level=0
+[ ${wiz_firewall_level} -ge 3 ] && wiz_firewall_level=3
+echo_debug "# firewall level : ${wiz_firewall_level}"
+
+firewall_cfg=/etc/Bastille/bastille-firewall.cfg
+bastille_firewall=/etc/init.d/bastille-firewall
+bastille_ipchains=/sbin/bastille-ipchains
+bastille_netfilter=/sbin/bastille-netfilter
+file=/etc/sysconfig/mdk_serv
+
+# check requires files
+[ -f $firewall_cfg ] || {
+ echo_debug "no Bastille config file"
+ cp -a ./scripts/bastille-firewall.cfg.default $firewall_cfg
+ }
+for f in $bastille_firewall $bastille_ipchains $bastille_netfilter; do
+ [ -f $f ] || {
+ echo_debug "no $f file"
+ cp /usr/share/Bastille/$(basename $f) $f
+ chmod +x $f
+}
+done
+
+TCP_PUBLIC_SERVICES=""
+UDP_PUBLIC_SERVICES=""
+TCP_INTERNAL_SERVICES=""
+UDP_INTERNAL_SERVICES=""
+
+# Wildcard address
+ANY=0.0.0.0/0
+
+# Interface to Internet
+EXTIF=`get_var wiz_ext_device`
+if [ -z "${EXTIF}" ]; then
+ EXTIF=ppp0
+fi
+
+INTERNAL_IFACES=`get_var wiz_device`
+if [ -z "${INTERNAL_IFACES}" ]; then
+ echo_debug "# no internal network, exiting"
+ exit 1
+fi
+if [ "x$INTERNAL_IFACES" = "x$EXTIF" ]; then
+ echo_debug "# external network device : ${EXTIF}"
+ chg_val ${firewall_cfg} PUBLIC_IFACES ""
+
+ echo_debug "# internal network device : ${INTERNAL_IFACES}"
+ chg_val ${firewall_cfg} INTERNAL_IFACES ${INTERNAL_IFACES}
+
+else
+ echo_debug "# external network device : ${EXTIF}"
+ chg_val ${firewall_cfg} PUBLIC_IFACES ${EXTIF}
+
+ echo_debug "# internal network device : ${INTERNAL_IFACES}"
+ chg_val ${firewall_cfg} INTERNAL_IFACES ${INTERNAL_IFACES}
+fi
+
+# Internal network address. For stand-alone machines, delete this and
+# all the "forward" rules.
+INTERNAL=`get_var wiz_ip_net`/24
+if [ "${INTERNAL}" = "/24" ]; then
+ echo_debug "# no internal network, exiting"
+ exit 1
+fi
+
+# DNS Caching Name Server activated or not
+wiz_caching_dns=`get_val ${file} wiz_caching_dns`
+if [ ${wiz_caching_dns} -eq 1 ]; then
+ echo_debug "# DNS caching dns server : ${wiz_caching_dns}"
+ chg_val ${firewall_cfg} DNS_SERVERS ${ANY} s
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES domain "
+else
+ echo_debug "# No DNS caching dns server : ${wiz_caching_dns}"
+ chg_val ${firewall_cfg} DNS_SERVERS "" s
+fi
+# news
+echo_debug "# if exist, activate news server queries"
+wiz_news_server=`get_val ${file} wiz_news_server`
+if [ ! -z "${wiz_news_server}" ]; then
+ chg_val ${firewall_cfg} NTP_SERVERS ${wiz_news_server} s
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES nntp "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES nntp "
+else
+ chg_val ${firewall_cfg} NTP_SERVERS "" s
+fi
+
+echo_debug "# check ftp server"
+wiz_ftp_internal=`get_val ${file} wiz_ftp_internal`
+wiz_ftp_external=`get_val ${file} wiz_ftp_external`
+
+if [ ${wiz_ftp_external} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES ftp ftp-data "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES ftp ftp-data "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ftp ftp-data "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ftp ftp-data "
+elif [ ${wiz_ftp_internal} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ftp ftp-data "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ftp ftp-data "
+fi
+
+echo_debug "# check http server"
+wiz_web_internal=`get_val ${file} wiz_web_internal`
+wiz_web_external=`get_val ${file} wiz_web_external`
+
+if [ ${wiz_web_external} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES http https "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES http https "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES http https "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES http https "
+elif [ ${wiz_web_internal} -eq 1 ]; then
+ TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES "
+ UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES "
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES http https "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES http https "
+fi
+
+echo_debug "# check Samba server"
+wiz_workgroup=`get_val ${file} wiz_workgroup`
+
+if [ ! -z ${wiz_workgroup} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES netbios-ns netbios-dgm netbios-ssn "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES netbios-ns netbios-dgm netbios-ssn "
+fi
+
+echo_debug "# check Mail server"
+wiz_mail_server=`get_val ${file} wiz_mail_server`
+if [ ! -z ${wiz_mail_server} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps "
+fi
+echo_debug "# check DHCP server"
+wiz_ip_range1=`get_val ${file} wiz_ip_range1`
+if [ ! -z ${wiz_ip_range1} -a ! -z ${wiz_ip_range2} ]; then
+ TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES bootps bootpc "
+ UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES bootps bootpc "
+fi
+# open ssh
+TCP_PUBLIC_SERVICES="$TCP_INTERNAL_SERVICES ssh "
+UDP_PUBLIC_SERVICES="$UDP_INTERNAL_SERVICES ssh "
+TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ssh "
+UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ssh "
+
+
+# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
+#. /etc/rc.d/init.d/functions
+
+# level 0 et 3
+if [ ${wiz_firewall_level} -eq 0 -o ${wiz_firewall_level} -eq 3 ]; then
+ echo_debug "# Direct routing (without NAT)"
+ chg_val ${firewall_cfg} IP_MASQ_NETWORK "" s
+else
+ echo_debug "# NAT internal network : ${INTERNAL}"
+ chg_val ${firewall_cfg} IP_MASQ_NETWORK ${INTERNAL}
+fi
+
+# level 0 ou 1
+if [ ${wiz_firewall_level} -le 1 ]; then
+ echo_debug "# open all TCP/UDP PORT on/and through the server/firewall"
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES ":" s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES ":" s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES ":" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES ":" s
+fi
+
+
+if [ ${wiz_firewall_level} -eq 2 ]; then
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES "$TCP_PUBLIC_SERVICES" s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES "$UDP_PUBLIC_SERVICES" s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES "$TCP_INTERNAL_SERVICES" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES "$UDP_INTERNAL_SERVICES" s
+fi
+
+if [ ${wiz_firewall_level} -eq 3 ]; then
+ chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES " " s
+ chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES " " s
+ chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES "ssh" s
+ chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES "ssh" s
+fi
+
+echo_debug "# launch bastille-firewall script"
+
+chkconfig --level 345 bastille-firewall on
+service bastille-firewall start
+
+exit 0
diff --git a/firewall_wizard/scripts/firew.sh b/firewall_wizard/scripts/firew.sh
new file mode 100755
index 00000000..c7f1b10b
--- /dev/null
+++ b/firewall_wizard/scripts/firew.sh
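Review bot: The `# open ssh` block at the end of the per-service section assigns the INTERNAL lists into the PUBLIC ones (`TCP_PUBLIC_SERVICES="$TCP_INTERNAL_SERVICES ssh "` and its UDP twin), so at level 2 everything collected for the internal interface — the netbios set, the whole mail set, bootp — is written to TCP_PUBLIC_SERVICES and opened on the external interface, which contradicts the level-2 description in the header. Those two lines should read `TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES ssh "` and `UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES ssh "`. In the DHCP check, wiz_ip_range2 is never fetched with get_val and the test is unquoted, so `[ ! -z ${wiz_ip_range1} -a ! -z ${wiz_ip_range2} ]` runs with missing operands whenever a value is empty; the Samba and mail checks use the same unquoted `! -z` form, and the `-eq 1` comparisons fail outright when get_val returns an empty string, so each read value needs quoting and an empty-default (`${wiz_caching_dns:-0}`). The `cp -a ./scripts/bastille-firewall.cfg.default` fallback is cwd-relative while the store_fwall.sh call above uses `${CWD}`, so only one of the two works from any given directory; `typeset -i firewall_level` declares a variable the script never uses.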
@@ -0,0 +1,140 @@
+#!/bin/sh
+#
+# firewall This script sets up firewall rules.
+#
+# chkconfig: 2345 09 91
+# description: Sets up or removes firewall rules.
+#
+# Firewall rules for a firewall between a private internal network and the
+# Internet.
+#
+# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
+# be distributed under the terms of the GNU General Public License, version
+# 2 or any later version.
+
+# Interface to Internet
+EXTIF=ppp0
+
+# Internal network address. For stand-alone machines, delete this and
+# all the "forward" rules.
+INTERNAL=192.168.2.0/24
+
+# Wildcard address
+ANY=0.0.0.0/0
+
+# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
+
+. /etc/rc.d/init.d/functions
+
+### For details, see the man page ipchains(1) and
+### /usr/share/doc/HOWTO/IPCHAINS-HOWTO -- David.
+
+case "$1" in
+ start)
+ echo -n "Setting up firewall rules"
+
+ # Turn on forwarding to silence warnings...
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # Set default policies; clear all rules
+ ipchains -P input ACCEPT
+ ipchains -P output ACCEPT
+ ipchains -P forward DENY
+
+ ipchains -F forward
+ ipchains -F input
+ ipchains -F output
+
+ ### Spoof protection: Drop obviously suspect packets ###
+
+ # Drop packets claiming to be from unroutable addresses
+ ipchains -A input -l -s 10.0.0.0/8 -i $EXTIF -j DENY
+ ipchains -A input -l -s 172.16.0.0/12 -i $EXTIF -j DENY
+ ipchains -A input -l -s 192.168.0.0/16 -i $EXTIF -j DENY
+
+ # Drop packets wanting to go to unroutable addresses
+ ipchains -A input -l -d 10.0.0.0/8 -i $EXTIF -j DENY
+ ipchains -A input -l -d 172.16.0.0/12 -i $EXTIF -j DENY
+ ipchains -A input -l -d 192.168.0.0/16 -i $EXTIF -j DENY
+
+ ### External access to services on this machine ###
+
+ # Reject identd packets without logging
+ ipchains -A input -i $EXTIF -p tcp -d $ANY 113 -j REJECT
+
+ # Allow access to sendmail -- log connection attempts
+ #ipchains -A input -l -i $EXTIF -p tcp -d $ANY 25 -y -j ACCEPT
+ #ipchains -A input -i $EXTIF -p tcp -d $ANY 25 -j ACCEPT
+
+ # Allow access to ssh -- we run ssh on port 23 because of
+ # a stupid client firewall at one place we work.
+ #ipchains -A input -l -i $EXTIF -p tcp -d $ANY 23 -y -j ACCEPT
+ #ipchains -A input -i $EXTIF -p tcp -d $ANY 23 -j ACCEPT
+
+ # Deny all other TCP connection attempts on the external interface
+ ipchains -A input -l -i $EXTIF -p tcp -y -j DENY
+
+ # Deny TCP and UDP packets to privileged ports
+ ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
+ ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
+
+ ### FORWARD rules only apply if you have an internal LAN gatewaying
+ ### through this computer.
+ # Allow DNS queries
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 53 -p udp -j MASQ
+
+ # Allow internal users to browse web (http and https)
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 80 -p tcp -b -j MASQ
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 443 -p tcp -b -j MASQ
+
+ # Allow internal users to read news
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 119 -p tcp -b -j MASQ
+
+ # Allow internal users to access POP and IMAP services on mail server
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 25 -p tcp -b -j MASQ
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 110 -p tcp -b -j MASQ
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 143 -p tcp -b -j MASQ
+
+ # Allow internal users to access external FTP servers
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 21 -p tcp -b -j MASQ
+
+ # Allow internal users to access external Telnet and SSH servers
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 22 -p tcp -b -j MASQ
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 23 -p tcp -b -j MASQ
+
+ # Allow unprivileged ports --> unprivileged ports for passive FTP
+ ipchains -A forward -s $INTERNAL 1024: -d $ANY 1024: -p tcp -b -j MASQ
+
+ # A catch-all rule for logging purposes
+ ipchains -A forward -s $ANY -d $ANY -l -j DENY
+
+ # Turn on forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ echo_success
+ echo ""
+ ;;
+
+ stop)
+ echo -n "Shutting down firewall rules"
+ # Turn off forwarding
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+
+ # Set default policies; clear all rules
+ ipchains -P input ACCEPT
+ ipchains -P output ACCEPT
+ ipchains -P forward DENY
+
+ ipchains -F forward
+ ipchains -F input
+ ipchains -F output
+ echo_success
+ echo ""
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop}"
+ exit 1
+esac
+
+exit 0
diff --git a/firewall_wizard/scripts/liste_ext_device.sh b/firewall_wizard/scripts/liste_ext_device.sh
new file mode 100755
index 00000000..042590f0
--- /dev/null
+++ b/firewall_wizard/scripts/liste_ext_device.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# script for wizard firewall configuration
+#
+# return on stdout the list of allowed devices for external network interface
+
+# this script should be improved
+
+pdevice=`. ./common/scripts/functions.sh; ./firewall_wizard/scripts/compute_ext_device.sh`
+
+liste="ppp0\nppp0\nppp1\nppp1\nisdn0\nisdn0\nisdn1\nisdn1\n"
+
+liste=$liste"`ifconfig -a | awk ' /^eth/ { print $1"\n"$1, $4,":",$5 } '`\n"
+
+#for i in 0 1 2 3 ;do
+# liste=${liste}"eth$i\nethernet adapter \
+# `ifconfig -a | grep eth$i| sed -n -e '1{s/.*HWaddr \(.*\)$/\1/p;}'`\n"
+
+# liste=${liste}"eth$i\neth$i \
+# `dmesg | grep eth$i| sed -n -e '1{s/^[^:]*: *\(.*\)$/\1/p;}'`\n"
+#done
+
+test=`echo "${liste}" | grep ${pdevice}`
+
+[ -z "${test}" ] && liste="${pdevice}\n"${liste}
+
+echo -ne "${liste}"
+
+exit 0
+
diff --git a/firewall_wizard/scripts/store_fwall.sh b/firewall_wizard/scripts/store_fwall.sh
new file mode 100755
index 00000000..80f6b109
--- /dev/null
+++ b/firewall_wizard/scripts/store_fwall.sh
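Review bot: With `ipchains -P input ACCEPT` as the default and only the `-y` SYN rule and the two `0:1023` rules denying on $EXTIF, traffic those rules do not cover — UDP to ports above 1023 and non-SYN TCP to high ports — is accepted on the external interface, which does not match the "Deny all other" comment; a trailing `ipchains -A input -l -i $EXTIF -j DENY`, or an input policy of DENY with explicit accepts, would make the default explicit. Forwarding is switched on before the policies and flushes run ("to silence warnings"), so whatever forward rules and policy were in force before this script runs stay active during that window; moving the first `echo 1 > /proc/sys/net/ipv4/ip_forward` below the `-P forward DENY` line closes it. This file is the Roaring Penguin template with a hard-coded `EXTIF=ppp0` and `INTERNAL=192.168.2.0/24` that nothing else in this commit parameterises, so if it is only kept as a reference the header should say so, e.g. `# NOT installed by the wizard: reference ipchains script, see do_it_firew.sh`.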
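Review bot: `test=`echo "${liste}" | grep ${pdevice}`` passes the device name unquoted and as a regular expression, and since bash's echo does not expand the `\n` sequences in `liste`, grep sees one long line and a name such as `ppp` already "matches" `ppp0`; if the helper call that sets pdevice fails and leaves it empty, grep gets no pattern at all. `if ! printf '%b' "${liste}" | grep -qxF -- "${pdevice}"; then liste="${pdevice}\n${liste}"; fi` keeps the intent — prepend the proposed device when it is not already a list entry — without the regex and splitting problems. The script also depends on cwd-relative paths (`./common/scripts/functions.sh`, `./firewall_wizard/scripts/compute_ext_device.sh`) and on the text layout of `ifconfig -a`, which the "should be improved" header note could name explicitly so the next reader knows what is fragile.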
@@ -0,0 +1,16 @@
+#!/bin/bash
+# script for wizard firewall configuration
+#
+# store the value of device and security level in /etc/sysconfig/mdk_serv
+
+file=/etc/sysconfig/mdk_serv
+
+# store the external device value
+dtmp=`echo ${wiz_ext_device} |sed -e 's/^\(\w*\).*$/\1/'`
+chg_val ${file} wiz_ext_device ${dtmp}
+
+# store the security level
+chg_val ${file} wiz_firewall_level ${wiz_firewall_level}
+
+exit 0
+
--
cgit v1.2.1
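Review bot: `wiz_firewall_level` is written to the sysconfig file without validation, while its consumers (compute_level_name.sh and do_it_firew.sh) compare it with `-le`/`-ge`, which errors on a non-numeric value; the clamping done there should happen before the write so the stored file is always sane: `case "${wiz_firewall_level}" in [0-3]) ;; *) wiz_firewall_level=0 ;; esac`. Both `chg_val` calls pass unquoted expansions (`${dtmp}`, `${wiz_firewall_level}`), so a value with whitespace is split into extra arguments; quote them. The `dtmp` extraction is the same line as in check_ext_device.sh and shares its unquoted `echo` and GNU-only `\w`.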