-{% let flowtable_devices = fw4.resolve_offload_devices(); -%}
+{%
+ let flowtable_devices = fw4.resolve_offload_devices();
+ let available_helpers = filter(fw4.helpers(), h => h.available);
+-%}
table inet fw4
flush table inet fw4
{% endif %}
}
+{% endif %}
+{% if (length(available_helpers)): %}
+ #
+ # CT helper definitions
+ #
+
+{% for (let helper in available_helpers): %}
+{% for (let proto in helper.proto): %}
+ ct helper {{ helper.name }} {
+ type {{ fw4.quote(helper.name, true) }} protocol {{ proto.name }};
+ }
+
+{% endfor %}
+{% endfor %}
+
{% endif %}
#
# Set definitions
{% for (let rule in fw4.rules("output")): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
-{% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %}
+{% for (let zone in fw4.zones()): %}
+{% for (let rule in zone.match_rules): %}
+{% if (zone.dflags.helper): %}
+{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %}
+{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %}
+{% if (devices_pos || subnets_pos): %}
+ {%+ if (rule.family): -%}
+ meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
+ {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
+ jump helper_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT helper assignment"
+{% endif %}
+{% endif %}
{%+ include("zone-jump.uc", { fw4, zone, rule, direction: "output" }) %}
-{% endfor; endfor %}
+{% endfor %}
+{% endfor %}
{% if (fw4.output_policy() == "reject"): %}
jump handle_reject
{% endif %}
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+{% for (let zone in fw4.zones()): %}
+{% if (zone.dflags.helper): %}
+{% for (let rule in zone.match_rules): %}
+{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %}
+{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %}
+{% if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %}
+ {%+ if (rule.family): -%}
+ meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
+ {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
+ jump helper_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT helper assignment"
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+ }
+
chain handle_reject {
meta l4proto tcp reject with {{
(fw4.default_option("tcp_reject_code") != "tcp-reset")
jump {{ zone.forward }}_to_{{ zone.name }}
}
+{% if (zone.dflags.helper): %}
+ chain helper_{{ zone.name }} {
+{% for (let rule in fw4.rules(`helper_${zone.name}`)): %}
+ {%+ include("rule.uc", { fw4, rule }) %}
+{% endfor %}
+ }
+
+{% endif %}
{% for (let verdict in ["accept", "reject", "drop"]): %}
{% if (zone.sflags[verdict]): %}
chain {{ verdict }}_from_{{ zone.name }} {
{% endfor %}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
-{% for (let target in ["helper", "notrack"]): %}
-{% for (let zone in fw4.zones()): %}
-{% if (zone.dflags[target]): %}
-{% for (let rule in zone.match_rules): %}
-{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %}
-{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %}
-{% if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %}
+{% for (let zone in fw4.zones()): %}
+{% if (zone.dflags["notrack"]): %}
+{% for (let rule in zone.match_rules): %}
+{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %}
+{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %}
+{% if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %}
{%+ if (rule.family): -%}
meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
{%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
- jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{
- (target == "helper") ? "CT helper assignment" : "CT bypass"
- }}"
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endfor %}
+ jump notrack_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT bypass"
+{% endif %}
+{% endfor %}
+{% endif %}
{% endfor %}
}
chain raw_output {
type filter hook output priority raw; policy accept;
-{% for (let target in ["helper", "notrack"]): %}
-{% for (let zone in fw4.zones()): %}
-{% if (zone.dflags[target]): %}
-{% for (let rule in zone.match_rules): %}
-{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %}
-{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %}
-{% if (devices_pos || subnets_pos): %}
+{% for (let zone in fw4.zones()): %}
+{% if (zone.dflags["notrack"]): %}
+{% for (let rule in zone.match_rules): %}
+{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %}
+{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %}
+{% if (devices_pos || subnets_pos): %}
{%+ if (rule.family): -%}
meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
{%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
- jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{
- (target == "helper") ? "CT helper assignment" : "CT bypass"
- }}"
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% endfor %}
- }
-
-{% for (let helper in fw4.helpers()): %}
-{% if (helper.available): %}
-{% for (let proto in helper.proto): %}
- ct helper {{ helper.name }} {
- type {{ fw4.quote(helper.name, true) }} protocol {{ proto.name }};
- }
-
+ jump notrack_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} CT bypass"
+{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
-{% for (let target in ["helper", "notrack"]): %}
-{% for (let zone in fw4.zones()): %}
-{% if (zone.dflags[target]): %}
- chain {{ target }}_{{ zone.name }} {
-{% for (let rule in fw4.rules(`${target}_${zone.name}`)): %}
+ }
+
+{% for (let zone in fw4.zones()): %}
+{% if (zone.dflags.notrack): %}
+ chain notrack_{{ zone.name }} {
+{% for (let rule in fw4.rules(`notrack_${zone.name}`)): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
}
{% endif %}
-{% endfor %}
{% endfor %}
#
flags offload;
}
+ #
+ # CT helper definitions
+ #
+
+ ct helper amanda {
+ type "amanda" protocol udp;
+ }
+
+ ct helper ftp {
+ type "ftp" protocol tcp;
+ }
+
+ ct helper RAS {
+ type "RAS" protocol udp;
+ }
+
+ ct helper Q.931 {
+ type "Q.931" protocol tcp;
+ }
+
+ ct helper irc {
+ type "irc" protocol tcp;
+ }
+
+ ct helper netbios-ns {
+ type "netbios-ns" protocol udp;
+ }
+
+ ct helper pptp {
+ type "pptp" protocol tcp;
+ }
+
+ ct helper sane {
+ type "sane" protocol tcp;
+ }
+
+ ct helper sip {
+ type "sip" protocol udp;
+ }
+
+ ct helper snmp {
+ type "snmp" protocol udp;
+ }
+
+ ct helper tftp {
+ type "tftp" protocol udp;
+ }
+
+ ct helper rtsp {
+ type "rtsp" protocol tcp;
+ }
+
+
#
# Set definitions
#
oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
jump accept_to_lan
}
+ chain helper_lan {
+ meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
+ meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
+ meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
+ meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
+ meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
+ meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
+ meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
+ meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
+ meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
+ meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
+ meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
+ meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
+ }
+
chain accept_from_lan {
iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
- iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
- ct helper amanda {
- type "amanda" protocol udp;
- }
-
- ct helper ftp {
- type "ftp" protocol tcp;
- }
-
- ct helper RAS {
- type "RAS" protocol udp;
- }
-
- ct helper Q.931 {
- type "Q.931" protocol tcp;
- }
-
- ct helper irc {
- type "irc" protocol tcp;
- }
-
- ct helper netbios-ns {
- type "netbios-ns" protocol udp;
- }
-
- ct helper pptp {
- type "pptp" protocol tcp;
- }
-
- ct helper sane {
- type "sane" protocol tcp;
- }
-
- ct helper sip {
- type "sip" protocol udp;
- }
-
- ct helper snmp {
- type "snmp" protocol udp;
- }
-
- ct helper tftp {
- type "tftp" protocol udp;
- }
-
- ct helper rtsp {
- type "rtsp" protocol tcp;
- }
-
- chain helper_lan {
- meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
- meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
- meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
- meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
- meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
- meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
- meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
- meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
- meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
- meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
- meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
- meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
- }
-
#
# Mangle rules
oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ iifname "zone1" jump helper_test1 comment "!fw4: test1 IPv4/IPv6 CT helper assignment"
+ iifname "zone2" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment"
+ iifname "zone3" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment"
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
jump accept_to_test1
}
+ chain helper_test1 {
+ }
+
chain accept_from_test1 {
iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
}
jump drop_to_test2
}
+ chain helper_test2 {
+ }
+
chain drop_from_test2 {
iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
}
jump reject_to_test3
}
+ chain helper_test3 {
+ }
+
chain reject_from_test3 {
iifname "zone3" counter jump handle_reject comment "!fw4: reject test3 IPv4/IPv6 traffic"
}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
- iifname "zone1" jump helper_test1 comment "!fw4: test1 IPv4/IPv6 CT helper assignment"
- iifname "zone2" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment"
- iifname "zone3" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment"
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
- chain helper_test1 {
- }
-
- chain helper_test2 {
- }
-
- chain helper_test3 {
- }
-
#
# Mangle rules
oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ iifname "/never/" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment"
+ iifname "test*" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment"
+ iifname "foo*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
+ iifname "bar*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
+ iifname { "test1", "test2" } jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
+ iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
+ iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
+ iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
jump drop_to_test1
}
+ chain helper_test1 {
+ }
+
chain drop_from_test1 {
counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
}
jump drop_to_test2
}
+ chain helper_test2 {
+ }
+
chain drop_from_test2 {
iifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
}
jump drop_to_test3
}
+ chain helper_test3 {
+ }
+
chain drop_from_test3 {
iifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
}
jump drop_to_test4
}
+ chain helper_test4 {
+ }
+
chain drop_from_test4 {
iifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
iifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
jump drop_to_test5
}
+ chain helper_test5 {
+ }
+
chain drop_from_test5 {
iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
- iifname "/never/" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment"
- iifname "test*" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment"
- iifname "foo*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
- iifname "bar*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
- iifname { "test1", "test2" } jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
- iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
- iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
- iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
- chain helper_test1 {
- }
-
- chain helper_test2 {
- }
-
- chain helper_test3 {
- }
-
- chain helper_test4 {
- }
-
- chain helper_test5 {
- }
-
#
# Mangle rules
meta nfproto ipv6 ip6 daddr { ::3, ::4 } ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment"
+ meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment"
+ meta nfproto ipv6 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment"
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
jump drop_to_test1
}
+ chain helper_test1 {
+ }
+
chain drop_from_test1 {
meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 counter drop comment "!fw4: drop test1 IPv6 traffic"
}
jump drop_to_test2
}
+ chain helper_test2 {
+ }
+
chain drop_from_test2 {
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic"
meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
- meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment"
- meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment"
- meta nfproto ipv6 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: test2 IPv6 CT helper assignment"
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
- chain helper_test1 {
- }
-
- chain helper_test2 {
- }
-
#
# Mangle rules
meta nfproto ipv6 oifname "eth0" jump output_test5 comment "!fw4: Handle test5 IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
flush table inet fw4
table inet fw4 {
+ #
+ # CT helper definitions
+ #
+
+ ct helper amanda {
+ type "amanda" protocol udp;
+ }
+
+ ct helper ftp {
+ type "ftp" protocol tcp;
+ }
+
+ ct helper RAS {
+ type "RAS" protocol udp;
+ }
+
+ ct helper Q.931 {
+ type "Q.931" protocol tcp;
+ }
+
+ ct helper irc {
+ type "irc" protocol tcp;
+ }
+
+ ct helper netbios-ns {
+ type "netbios-ns" protocol udp;
+ }
+
+ ct helper pptp {
+ type "pptp" protocol tcp;
+ }
+
+ ct helper sane {
+ type "sane" protocol tcp;
+ }
+
+ ct helper sip {
+ type "sip" protocol udp;
+ }
+
+ ct helper snmp {
+ type "snmp" protocol udp;
+ }
+
+ ct helper tftp {
+ type "tftp" protocol udp;
+ }
+
+ ct helper rtsp {
+ type "rtsp" protocol tcp;
+ }
+
+
#
# Set definitions
#
oifname "zone4" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ iifname "zone1" jump helper_test1 comment "!fw4: test1 IPv4/IPv6 CT helper assignment"
+ iifname "zone2" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment"
+ iifname "zone3" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment"
+ iifname "zone4" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
jump drop_to_test1
}
+ chain helper_test1 {
+ meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
+ }
+
chain drop_from_test1 {
iifname "zone1" counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
}
jump drop_to_test2
}
+ chain helper_test2 {
+ meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
+ }
+
chain drop_from_test2 {
iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
}
jump drop_to_test3
}
+ chain helper_test3 {
+ meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
+ }
+
chain drop_from_test3 {
iifname "zone3" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
}
jump drop_to_test4
}
+ chain helper_test4 {
+ meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
+ meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
+ meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
+ meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
+ meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
+ meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
+ meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
+ meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
+ meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
+ meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
+ meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
+ meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
+ }
+
chain drop_from_test4 {
iifname "zone4" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
- iifname "zone1" jump helper_test1 comment "!fw4: test1 IPv4/IPv6 CT helper assignment"
- iifname "zone2" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment"
- iifname "zone3" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment"
- iifname "zone4" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
- ct helper amanda {
- type "amanda" protocol udp;
- }
-
- ct helper ftp {
- type "ftp" protocol tcp;
- }
-
- ct helper RAS {
- type "RAS" protocol udp;
- }
-
- ct helper Q.931 {
- type "Q.931" protocol tcp;
- }
-
- ct helper irc {
- type "irc" protocol tcp;
- }
-
- ct helper netbios-ns {
- type "netbios-ns" protocol udp;
- }
-
- ct helper pptp {
- type "pptp" protocol tcp;
- }
-
- ct helper sane {
- type "sane" protocol tcp;
- }
-
- ct helper sip {
- type "sip" protocol udp;
- }
-
- ct helper snmp {
- type "snmp" protocol udp;
- }
-
- ct helper tftp {
- type "tftp" protocol udp;
- }
-
- ct helper rtsp {
- type "rtsp" protocol tcp;
- }
-
- chain helper_test1 {
- meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
- }
-
- chain helper_test2 {
- meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
- }
-
- chain helper_test3 {
- meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
- }
-
- chain helper_test4 {
- meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
- meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
- meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
- meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
- meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
- meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
- meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
- meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
- meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
- meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
- meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
- meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
- }
-
#
# Mangle rules
counter comment "!fw4: @rule[2]"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
counter comment "!fw4: Explicitly enabled"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
jump drop_to_lan
}
+ chain helper_lan {
+ }
+
chain drop_from_lan {
}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook output priority raw; policy accept;
}
- chain helper_lan {
- }
-
#
# Mangle rules
meta nfproto ipv6 icmpv6 type . icmpv6 code { 136 . 0 } counter comment "!fw4: ICMP rule #5"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
+ iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: wan IPv4/IPv6 CT helper assignment"
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
jump drop_to_lan
}
+ chain helper_lan {
+ }
+
chain drop_from_lan {
iifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
}
jump drop_to_wan
}
+ chain helper_wan {
+ }
+
chain drop_from_wan {
iifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
- iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
- iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: wan IPv4/IPv6 CT helper assignment"
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
- chain helper_lan {
- }
-
- chain helper_wan {
- }
-
#
# Mangle rules
oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
meta day { "Monday", "Tuesday", "Wednesday", "Sunday", "Thursday" } counter accept comment "!fw4: Time rule #12"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
projects / project / firewall4.git / commitdiff