author | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-02-19 19:08:03 -0800 |
committer | Mohit Mehta <mohit.mehta@vyatta.com> | 2009-02-19 19:08:03 -0800 |
commit | 55863b16fdaa0337c4f1df00ef045f3b646b24b6 (patch) | |
tree | 9dc6da7b055c2f073cec0d61c29565caffe25a00 /templates | |
parent | 3c18b9bf9a01575dd6cab370670382a1dd3a1fcf (diff) | |
download | vyatta-cfg-firewall-55863b16fdaa0337c4f1df00ef045f3b646b24b6.tar.gz vyatta-cfg-firewall-55863b16fdaa0337c4f1df00ef045f3b646b24b6.zip |
Fix Bug 3951 default values for kernel tunable security parameters under firewall
Diffstat (limited to 'templates')
-rw-r--r-- | templates/firewall/broadcast-ping/node.def | 14 | ||||
-rw-r--r-- | templates/firewall/conntrack-table-size/node.def | 8 | ||||
-rw-r--r-- | templates/firewall/conntrack-tcp-loose/node.def | 2 | ||||
-rw-r--r-- | templates/firewall/ip-src-route/node.def | 25 | ||||
-rw-r--r-- | templates/firewall/log-martians/node.def | 24 | ||||
-rw-r--r-- | templates/firewall/node.def | 2 | ||||
-rw-r--r-- | templates/firewall/receive-redirects/node.def | 48 | ||||
-rw-r--r-- | templates/firewall/send-redirects/node.def | 28 | ||||
-rw-r--r-- | templates/firewall/syn-cookies/node.def | 5 |
9 files changed, 104 insertions, 52 deletions
diff --git a/templates/firewall/broadcast-ping/node.def b/templates/firewall/broadcast-ping/node.def
index 3cf7e00..03f0bd2 100644
--- a/templates/firewall/broadcast-ping/node.def
+++ b/templates/firewall/broadcast-ping/node.def
@@ -1,3 +1,8 @@ +# icmp_echo_ignore_broadcasts +# default value - 1 +# If set non-zero, then the kernel will ignore all +# ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast. + type: txt help: Set handling of broadcast IPv4 ICMP echo and timestamp requests
@@ -10,15 +15,6 @@ default: "disable" syntax:expression: $VAR(@) in "enable", "disable"; "broadcast-ping must be enable or disable" -create: - if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 0 > \ - /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" - else - sudo sh -c "echo 1 > \ - /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" - fi - update: if [ x$VAR(@) == xenable ]; then sudo sh -c "echo 0 > \
diff --git a/templates/firewall/conntrack-table-size/node.def b/templates/firewall/conntrack-table-size/node.def
index bead82f..19d2b68 100644
--- a/templates/firewall/conntrack-table-size/node.def
+++ b/templates/firewall/conntrack-table-size/node.def
@@ -11,11 +11,16 @@ # tracking table consumes kernel memory, so the size selected should # be no larger than necessary. # +# default value when firewall is not set - 16384 +# default value when firewall is set - 32768 +# type: u32 help: Set size of netfilter connection tracking table +default: 32768 + comp_help:Possible completions: <1 - 50000000>\tNumber of entries allowed in connection tracking table
@@ -24,9 +29,6 @@ syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 50000000) ; "Value must be betwee update: sudo sh -c "echo $VAR(@) > \ /proc/sys/net/nf_conntrack_max" -delete: - sudo sh -c "echo 32768 > \ - /proc/sys/net/nf_conntrack_max"
diff --git a/templates/firewall/conntrack-tcp-loose/node.def b/templates/firewall/conntrack-tcp-loose/node.def
index 387afcb..b261052 100644
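Review bot: In the conntrack-table-size hunks, removing `delete:` means nothing in this file restores 32768 when the node is deleted any more; that now presumably depends on the config system re-running `update:` with the new `default: 32768`, and if that is the intended mechanism the header comment should say so. The literal 16384 in the added comment duplicates the value written by the new `delete:` action in templates/firewall/node.def, so the two have to be kept in sync — a line such as `# 16384 is restored by templates/firewall/node.def when the firewall node is deleted` would tie them together. The `update:` write to /proc/sys/net/nf_conntrack_max is unchecked, as before; a non-zero status from the `sh -c` is not reported, which is worth noting next to the new default since the value is now applied implicitly.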
--- a/templates/firewall/conntrack-tcp-loose/node.def
+++ b/templates/firewall/conntrack-tcp-loose/node.def
@@ -10,7 +10,7 @@ # # If this parameter is set to "enable", tracking such connections is # allowed. If disabled, such tracking is disabled. -# +# default value - 1 type: txt
diff --git a/templates/firewall/ip-src-route/node.def b/templates/firewall/ip-src-route/node.def
index c9e777c..07d1ab2 100644
--- a/templates/firewall/ip-src-route/node.def
+++ b/templates/firewall/ip-src-route/node.def
@@ -1,3 +1,9 @@ +# accept_source_route +# default - 0 +# Accept packets with SRR option. conf/all/accept_source_route and +# conf/[interface]/accept_source_route must be set to TRUE +# to accept packets with SRR option on the interface + type: txt help: Set policy for handling IPv4 packets with source route option
@@ -10,19 +16,16 @@ default: "disable" syntax:expression: $VAR(@) in "enable", "disable"; "ip-src-route must be enable or disable" -create: - if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 1 > \ - /proc/sys/net/ipv4/conf/all/accept_source_route" - else - sudo sh -c "echo 0 > \ - /proc/sys/net/ipv4/conf/all/accept_source_route" - fi - update: if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 1 > \ - /proc/sys/net/ipv4/conf/all/accept_source_route" + array=(`ls /proc/sys/net/ipv4/conf/`) + array_len=${#array[*]} + i=0 + while [ $i -lt $array_len ]; do + sudo sh -c "echo 1 > \ + /proc/sys/net/ipv4/conf/${array[$i]%:*}/accept_source_route" + let i++ + done else sudo sh -c "echo 0 > \ /proc/sys/net/ipv4/conf/all/accept_source_route"
diff --git a/templates/firewall/log-martians/node.def b/templates/firewall/log-martians/node.def
index cee3e6a..4d38903 100644
--- a/templates/firewall/log-martians/node.def
+++ b/templates/firewall/log-martians/node.def
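Review bot: The enable branch of the ip-src-route `update:` action builds its list by word-splitting a backtick `ls` of /proc/sys/net/ipv4/conf/ and then walking it with a manual index and `let i++`, which ShellCheck flags and which a glob does directly; the same eight-line pattern is repeated in the log-martians hunk, three times in the receive-redirects hunk and once in the send-redirects hunk. A glob loop does the same work in three lines: `for d in /proc/sys/net/ipv4/conf/*/; do sudo sh -c "echo 1 > ${d}accept_source_route"; done`. The `%:*` suffix strip looks like a guard for alias names such as eth0:1, but the conf directory does not appear to carry per-alias entries, so it is probably a no-op and deserves either a comment or removal. Note also that the loop writes 1 into conf/default/accept_source_route, so interfaces created after this runs will accept source-routed packets as well, while a later disable only clears `all` (sufficient under the both-must-be-TRUE rule stated in the new header comment, but it leaves the per-interface 1s in place); the header could state both points. The enclosing if/else continues past the end of the hunk.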
@@ -1,3 +1,9 @@ +# log_martians +# default value - 1 +# Log packets with impossible addresses to kernel log. log_martians for the +# interface will be enabled if at least one of conf/{all,interface}/log_martians +# is set to TRUE, it will be disabled otherwise + type: txt help: Set policy for logging IPv4 packets with invalid addresses
@@ -10,18 +16,20 @@ default: "enable" syntax:expression: $VAR(@) in "enable", "disable"; "log-martians must be enable or disable" -create: - if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" - else - sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians" - fi - update: if [ x$VAR(@) == xenable ]; then sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" else - sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/log_martians" + # log-martians can work when either set for 'all' or 'interface' + # thus, unset all log-martians parameters + array=(`ls /proc/sys/net/ipv4/conf/`) + array_len=${#array[*]} + i=0 + while [ $i -lt $array_len ]; do + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv4/conf/${array[$i]%:*}/log_martians" + let i++ + done fi delete:
diff --git a/templates/firewall/node.def b/templates/firewall/node.def
index a849d50..29c0992 100644
--- a/templates/firewall/node.def
+++ b/templates/firewall/node.def
@@ -8,3 +8,5 @@ create: delete: sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown + # set conntrack table size to standard 16384 entries if firewall disabled + sudo sh -c "echo 16384 > /proc/sys/net/nf_conntrack_max"
diff --git a/templates/firewall/receive-redirects/node.def b/templates/firewall/receive-redirects/node.def
index 94410c7..e72fed7 100644
--- a/templates/firewall/receive-redirects/node.def
+++ b/templates/firewall/receive-redirects/node.def
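Review bot: The line added to the firewall `delete:` action writes a hard-coded 16384 unconditionally after the teardown script; if /proc/sys/net/nf_conntrack_max is absent at that point (presumably when the conntrack module has been unloaded) the `sh -c` fails, and depending on how the action runner treats a non-zero status the delete may be reported as failed. Guarding it with `[ -f /proc/sys/net/nf_conntrack_max ] && sudo sh -c "echo 16384 > /proc/sys/net/nf_conntrack_max"` avoids that. The comment should also name templates/firewall/conntrack-table-size/node.def, where the same 16384 is documented, so the two literals stay in sync, and it is worth a word that 16384 is a fixed figure rather than the value the kernel chose at boot (nf_conntrack_max is typically sized from available memory), so this is not necessarily a restore of the pre-firewall setting.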
@@ -1,3 +1,17 @@ +# accept_redirects - Accept ICMP redirect messages. +# default value - 0 +# +# accept_redirects for the interface will be enabled if: +# +# - both conf/{all,interface}/accept_redirects are TRUE +# in the case forwarding for the interface is enabled +# or +# - at least one of conf/{all,interface}/accept_redirects +# is TRUE in the case forwarding for the interface is disabled +# +# accept_redirects for the interface will be disabled otherwise + + type: txt help: Set policy for handling received IPv4 ICMP redirect messages
@@ -10,19 +24,33 @@ default: "disable" syntax:expression: $VAR(@) in "enable", "disable"; "receive-redirects must be enable or disable" -create: - if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects" - else - sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects" - fi - update: if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects" + array=(`ls /proc/sys/net/ipv4/conf/`) + array_len=${#array[*]} + i=0 + while [ $i -lt $array_len ]; do + sudo sh -c "echo 1 > \ + /proc/sys/net/ipv4/conf/${array[$i]%:*}/accept_redirects" + let i++ + done else - sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects" + array=(`ls /proc/sys/net/ipv4/conf/`) + array_len=${#array[*]} + i=0 + while [ $i -lt $array_len ]; do + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv4/conf/${array[$i]%:*}/accept_redirects" + let i++ + done fi delete: - sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects" + array=(`ls /proc/sys/net/ipv4/conf/`) + array_len=${#array[*]} + i=0 + while [ $i -lt $array_len ]; do + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv4/conf/${array[$i]%:*}/accept_redirects" + let i++ + done
diff --git a/templates/firewall/send-redirects/node.def b/templates/firewall/send-redirects/node.def
index 9a36554..0a34a15 100644
--- a/templates/firewall/send-redirects/node.def
+++ b/templates/firewall/send-redirects/node.def
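Review bot: The same eight-line `ls`/index loop appears three times in the receive-redirects `update:`/`delete:` hunk, and the disable branch and the `delete:` body are byte-identical; the ls-parsing itself is raised on the ip-src-route hunk, so the point here is the duplication — deriving the value once (`val=0; [ x$VAR(@) == xenable ] && val=1`) and running a single loop would replace both branches of the if. Enabling also writes 1 into conf/default/accept_redirects, so interfaces created later accept redirects as well, which under the forwarding rule in the new header means a forwarding router honours redirects on every interface it gains; the header comment could add `# note: 'enable' also sets conf/default, so interfaces added later inherit it`. The disable and delete loops, by contrast, clear every entry, which is the safe side of the same rule and is worth stating in the `# thus, unset all` style used in the log-martians hunk.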
@@ -1,3 +1,9 @@ +# send_redirects +# default value - 1 +# send_redirects for the interface will be enabled if at least one of +# conf/{all,interface}/send_redirects is set to TRUE, else it will be disabled. + + type: txt help: Set policy for sending IPv4 ICMP redirect messages
@@ -6,23 +12,25 @@ comp_help:Possible completions: enable\tEnable sending IPv4 ICMP redirect messages disable\tDisable sending IPv4 ICMP redirect messages -default: "disable" +default: "enable" syntax:expression: $VAR(@) in "enable", "disable"; "send-redirects must be enable or disable" -create: - if [ x$VAR(@) == xenable ]; then - sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects" - else - sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects" - fi - update: if [ x$VAR(@) == xenable ]; then sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects" else - sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects" + # send-redirects can work when either set for 'all' or 'interface' + # thus, unset all send-redirects parameters + array=(`ls /proc/sys/net/ipv4/conf/`) + array_len=${#array[*]} + i=0 + while [ $i -lt $array_len ]; do + sudo sh -c "echo 0 > \ + /proc/sys/net/ipv4/conf/${array[$i]%:*}/send_redirects" + let i++ + done fi delete: - sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects" + sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects"
diff --git a/templates/firewall/syn-cookies/node.def b/templates/firewall/syn-cookies/node.def
index d85c84d..d823ab0 100644
--- a/templates/firewall/syn-cookies/node.def
+++ b/templates/firewall/syn-cookies/node.def
@@ -1,3 +1,8 @@ +# tcp_syncookies +# default value - 1 +# Send out syncookies when the syn backlog queue of a socket overflows. +# This is to prevent against the common 'syn flood attack' + type: txt help: Set policy for using TCP SYN cookies with IPv4 |
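Review bot: Flipping send-redirects `default:` from "disable" to "enable" and making `delete:` write 1 changes what an existing configuration that never set this node gets after upgrade — it will now send ICMP redirects where it previously did not — and the hunk records only that the kernel default is 1, not that the product default moved; a line in the header such as `# product default follows the kernel default (1) since Bug 3951; hardening guides often recommend 0 on routers` would make the upgrade behaviour and the trade-off findable. The `delete:` action writes 1 only to `all`, which by the at-least-one rule in the new header is enough to re-enable sending even though the disable branch zeroed every per-interface entry; a short comment on that line stating the reliance would save the next reader working it out. The first hunk also adds two blank `+` lines before `type: txt` where one would do.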