authorMohit Mehta <mohit.mehta@vyatta.com>2009-02-19 19:07:02 -0800
committerMohit Mehta <mohit.mehta@vyatta.com>2009-02-19 19:07:02 -0800
commit3c18b9bf9a01575dd6cab370670382a1dd3a1fcf (patch)
treedc40bc7a468b0e51699681a7211188a3ae81eb45 /templates/firewall
parentbb1a5a5e64956a50a8baf8bd8c1c49a9c60b9f12 (diff)
downloadvyatta-cfg-firewall-3c18b9bf9a01575dd6cab370670382a1dd3a1fcf.tar.gz
vyatta-cfg-firewall-3c18b9bf9a01575dd6cab370670382a1dd3a1fcf.zip
Fix Bug 3951: default values for kernel tunable security parameters under firewall
Diffstat (limited to 'templates/firewall')
-rw-r--r--templates/firewall/all-ping/node.def29
-rw-r--r--templates/firewall/source-validation/node.def35
2 files changed, 64 insertions, 0 deletions
diff --git a/templates/firewall/all-ping/node.def b/templates/firewall/all-ping/node.def
new file mode 100644
index 0000000..40962c7
--- /dev/null
+++ b/templates/firewall/all-ping/node.def
@@ -0,0 +1,29 @@
+# icmp_echo_ignore_all
+# default value - 0
+# If set non-zero, then kernel will ignore all ICMP ECHO requests sent to it
+
+type: txt
+
+help: Set handling of all IPv4 ICMP echo requests
+
+comp_help:Possible completions:
+ disable\tDisable processing of all IPv4 ICMP echo requests
+ enable\tEnable processing of all IPv4 ICMP echo requests
+
+default: "enable"
+
+syntax:expression: $VAR(@) in "enable", "disable"; "all-ping must be enable or disable"
+
+update:
+ if [ x$VAR(@) == xdisable ]; then
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_all"
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_all"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/icmp_echo_ignore_all"
+
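Review bot: The test on the `update:` line `if [ x$VAR(@) == xdisable ]; then` uses `==` inside single-bracket `[`, which is a bash extension rather than POSIX `test`; if the configuration system ever runs these action scripts under a plain `/bin/sh` (dash), the comparison fails and the node silently falls into the else branch, re-enabling ping. The portable form is `if [ "x$VAR(@)" = "xdisable" ]; then`, which also quotes the expansion; leaving it unquoted is only safe here because the preceding `syntax:expression:` restricts the value to "enable" or "disable", and that dependency is worth a one-line comment above the `update:` block, e.g. `# value is constrained to enable|disable by the syntax check above`. The same `[ x$VAR(@) == x... ]` pattern appears in the source-validation node.def hunk of this commit and should be changed the same way.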
diff --git a/templates/firewall/source-validation/node.def b/templates/firewall/source-validation/node.def
new file mode 100644
index 0000000..8e28d11
--- /dev/null
+++ b/templates/firewall/source-validation/node.def
@@ -0,0 +1,35 @@
+# rp_filter
+# default value - 0
+# conf/all/rp_filter and conf/[interface]/rp_filter both must be set to TRUE
+# to do source validation on the interface
+
+
+type: txt
+
+help: Set policy for source validation by reversed path, as specified in RFC1812
+
+comp_help:Possible completions:
+ enable\tDo source validation
+ disable\tNo source validation
+
+default: "disable"
+
+syntax:expression: $VAR(@) in "enable", "disable"; "source-validation must be enable or disable"
+
+update:
+ if [ x$VAR(@) == xenable ]; then
+ array=(`ls /proc/sys/net/ipv4/conf/`)
+ array_len=${#array[*]}
+ i=0
+ while [ $i -lt $array_len ]; do
+ sudo sh -c "echo 1 > \
+ /proc/sys/net/ipv4/conf/${array[$i]%:*}/rp_filter"
+ let i++
+ done
+ else
+ sudo sh -c "echo 0 > \
+ /proc/sys/net/ipv4/conf/all/rp_filter"
+ fi
+
+delete:
+ sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter"
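Review bot: The enable and disable paths of `update:` are asymmetric: the enable branch writes 1 to `rp_filter` under every entry of `/proc/sys/net/ipv4/conf/` (which includes `all`, `default` and each interface), but the else branch and the `delete:` action only write 0 to `conf/all/rp_filter`. After enable followed by disable, `default/rp_filter` and every per-interface `rp_filter` are still 1, so interfaces created afterwards presumably inherit 1 from `default`, and on kernels where the effective setting is the maximum of `all` and the per-interface value (rather than the both-must-be-set rule the header comment describes) source validation stays on even though the configuration says it is disabled. I would walk the same set of entries in both branches and in `delete:`, which also lets the `ls`-parsing `array=(\`ls ...\`)` / `let i++` loop be replaced by a directory glob. The rewritten else branch is below; `delete:` would contain the same loop.
```shell
 else
   for d in /proc/sys/net/ipv4/conf/*/; do
     sudo sh -c "echo 0 > ${d}rp_filter"
   done
 fi
```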