Many fixes for defaults and non-input chains to work properly. plus more
V1.6
- added make_rejects_chain() to allow making REJECT rules for any interface
- added make_special_rules() that process keys: 'incoming open', 'incoming open & log', 'incoming block & log' from interface config and make rules without concrete host ties
- finally fixed old bug with deliberately ignoring inherited defaults ('+'/'-'/'*') At last you can have really working default and exceptions.
- added 2 helper functions to provide more subtle rule exceptions control. But it is planned for subsequent release.
- eliminated redundant option 'external' from internal options block. It was the inverse of 'is output'
- fixed 'norestrict' implementation blocking exception rules
- added sorting to some keys before dumping ready chains and tables, so order is more or less consistent between runs
- More cosmetics to comb the code and output
- added sanity check for output rules in generic_physical_rules()
- fixed log prefixes to be more consistent
kadavris committed Sep 4, 2020
1 parent d47f4d7 commit 6c8cb0c
Showing 2 changed files with 422 additions and 176 deletions.
18 changes: 12 additions & 6 deletions firewall4-gen.conf.sample
@@ -48,18 +48,24 @@
# limit scans - limit icmp pings and tcp probes to advised level
# logdrop[:portlist] - for close monitored nets - log all packet drops. default portlist is 0-1023
# norestrict - no particular filtering except general rules in the generator script.
# quarantine[addr:proto:portlist;...] - close all/some OUTGOING ON THIS INTERFACE until it is an established session (except what's in i-net)
# quarantine[:addr:proto:portlist;...] - close all/some NEW OUTGOING ON THIS INTERFACE
# samba - samba support for incoming connections
#
# proto:portlist
# - when standalone - allow _incoming_to_server's_matching_ip_ by protocol & port(s).
# - whein used as a modifier for some other stuff like quarantine - set what block
# - when standalone (not a modifier for other statement like quarantine):
# if host/net class - allow _incoming_to_server's_matching_ip_ by protocol & port(s).
# if interface class - allow _OUTGOING_ from this interface.
# - when used as a modifier for some other stuff like quarantine - set what block
# proto: all|any|bcast|icmp|tcp|udp
# portlist: +|-|*|portlist[,...]
# where: '+' - allow all, '-' = block all, '*' - relaxed access to _server_ iface
# where: '+' - allow all in or out (depending on where this class used: host/net or interface),
# '-' = block all in or out,
# '*' - relaxed access to _server_ iface. No sense to use as interface's class, which is output type
# portlist - portrange[,portrange...]
# portrange - port[:port]
# portrange - portname|portnumber[:portnumber]
# multiple, entries for a single protocol are allowed.
# when there is '!' used before the port, the inverse meaning is applied (unimplemented!)
# when there is '!' used before the port, the inverse meaning is applied (almost unimplemented!)
# bcast uses 224.0.0.0/4 and 240.0.0.0/4 nets as destination.

%classes = (
'net un-trusted' => [ '', 'tcp:-', 'udp:-', 'icmp:-' ], # base class: no-nothing
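Review bot: the rewritten `quarantine` comment changes the documented syntax from `quarantine[addr:proto:portlist;...]` to `quarantine[:addr:proto:portlist;...]` (leading colon) and drops the "until it is an established session (except what's in i-net)" wording, but nothing in the hunk says whether the old form is still accepted or now silently ignored; add a line stating which form the generator parses, since a quarantine rule that fails to parse fails open. Also, replacing "(unimplemented!)" with "(almost unimplemented!)" for the `!` port-inversion prefix is vaguer than before: list the cases where `!` actually takes effect so an operator does not rely on it for blocking. For `'*'` the new comment says it makes "No sense to use as interface's class"; consider having the generator reject that combination rather than only documenting it. Minor: the stray comma in "multiple, entries for a single protocol" is unchanged in this hunk.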
