diff --git a/SPECS/0003-extensions-format-security-fixes-in-libip-6-t_icmp.patch b/SPECS/0003-extensions-format-security-fixes-in-libip-6-t_icmp.patch new file mode 100644 index 0000000..cfefe78 --- /dev/null +++ b/SPECS/0003-extensions-format-security-fixes-in-libip-6-t_icmp.patch @@ -0,0 +1,61 @@ +From 7e63dd95957a264d15eefdda3ea9449a6c72eb86 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Adam=20Go=C5=82=C4=99biowski?= +Date: Wed, 14 Nov 2018 07:35:28 +0100 +Subject: [PATCH] extensions: format-security fixes in libip[6]t_icmp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") +introduced support for gcc feature to check format string against passed +argument. This commit adds missing bits to extenstions's libipt_icmp.c +and libip6t_icmp6.c that were causing build to fail. + +Fixes: 61d6c3834de3 ("xtables: add 'printf' attribute to xlate_add") +Signed-off-by: Adam Gołębiowski +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 907e429d7548157016cd51aba4adc5d0c7d9f816) +Signed-off-by: Phil Sutter +--- + extensions/libip6t_icmp6.c | 4 ++-- + extensions/libipt_icmp.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/extensions/libip6t_icmp6.c b/extensions/libip6t_icmp6.c +index 45a71875722c4..cc7bfaeb72fd7 100644 +--- a/extensions/libip6t_icmp6.c ++++ b/extensions/libip6t_icmp6.c +@@ -230,7 +230,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, + type_name = icmp6_type_xlate(icmptype); + + if (type_name) { +- xt_xlate_add(xl, type_name); ++ xt_xlate_add(xl, "%s", type_name); + } else { + for (i = 0; i < ARRAY_SIZE(icmpv6_codes); ++i) + if (icmpv6_codes[i].type == icmptype && +@@ -239,7 +239,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, + break; + + if (i != ARRAY_SIZE(icmpv6_codes)) +- xt_xlate_add(xl, icmpv6_codes[i].name); ++ xt_xlate_add(xl, "%s", icmpv6_codes[i].name); + else + return 0; + } +diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c +index 5418997668d4c..e76257c54708c 100644 +--- a/extensions/libipt_icmp.c ++++ b/extensions/libipt_icmp.c +@@ -236,7 +236,7 @@ static unsigned int type_xlate_print(struct xt_xlate *xl, unsigned int icmptype, + if (icmp_codes[i].type == icmptype && + icmp_codes[i].code_min == code_min && + icmp_codes[i].code_max == code_max) { +- xt_xlate_add(xl, icmp_codes[i].name); ++ xt_xlate_add(xl, "%s", icmp_codes[i].name); + return 1; + } + } +-- +2.21.0 + diff --git a/SPECS/arptables-helper b/SPECS/arptables-helper new file mode 100644 index 0000000..4039e7d --- /dev/null +++ b/SPECS/arptables-helper @@ -0,0 +1,89 @@ +#!/bin/bash +# config: /etc/sysconfig/arptables + +# Source 'em up +. /etc/init.d/functions + +ARPTABLES_CONFIG=/etc/sysconfig/arptables + +flush_delete_chains() { + echo -n $"Flushing all chains: " + if arptables -F; then + success + else + failure + fi + echo + + echo -n $"Removing user defined chains: " + if arptables -X; then + success + else + failure + fi + echo +} + +start() { + if [ ! -x /usr/sbin/arptables ]; then + exit 4 + fi + + # don't do squat if we don't have the config file + if [ -f $ARPTABLES_CONFIG ]; then + # If we don't clear these first, we might be adding to + # pre-existing rules. + flush_delete_chains + + arptables -Z + + echo -n $"Applying arptables firewall rules: " + /usr/sbin/arptables-restore < $ARPTABLES_CONFIG && \ + success || \ + failure + echo + touch /var/lock/subsys/arptables + else + failure + echo + echo $"Configuration file /etc/sysconfig/arptables missing" + exit 6 + fi +} + +stop() { + flush_delete_chains + echo -n $"Resetting built-in chains to the default ACCEPT policy:" + arptables -P INPUT ACCEPT && \ + arptables -P OUTPUT ACCEPT && \ + success || \ + failure + echo + rm -f /var/lock/subsys/arptables +} + +case "$1" in +start) + start + ;; + +stop) + stop + ;; + +restart|reload) + # "restart" is really just "start" as this isn't a daemon, + # and "start" clears any pre-defined rules anyway. + # This is really only here to make those who expect it happy + start + ;; + +condrestart|try-restart|force-reload) + [ -e /var/lock/subsys/arptables ] && start + ;; + +*) + exit 2 +esac + +exit 0 diff --git a/SPECS/arptables.service b/SPECS/arptables.service new file mode 100644 index 0000000..df6c7d6 --- /dev/null +++ b/SPECS/arptables.service @@ -0,0 +1,12 @@ +[Unit] +Description=Automates a packet filtering firewall with arptables +After=network.target + +[Service] +Type=oneshot +ExecStart=/usr/libexec/arptables-helper start +ExecStop=/usr/libexec/arptables-helper stop +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/SPECS/ebtables-config b/SPECS/ebtables-config new file mode 100644 index 0000000..69d9289 --- /dev/null +++ b/SPECS/ebtables-config @@ -0,0 +1,11 @@ +# Save current firewall rules on stop. +# Value: yes|no, default: no +# Saves all firewall rules if firewall gets stopped +# (e.g. on system shutdown). +EBTABLES_SAVE_ON_STOP="no" + +# Save (and restore) rule counters. +# Value: yes|no, default: no +# Save rule counters when saving a kernel table to a file. If the +# rule counters were saved, they will be restored when restoring the table. +EBTABLES_SAVE_COUNTER="no" diff --git a/SPECS/ebtables.service b/SPECS/ebtables.service new file mode 100644 index 0000000..e0b0162 --- /dev/null +++ b/SPECS/ebtables.service @@ -0,0 +1,11 @@ +[Unit] +Description=Ethernet Bridge Filtering tables + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/ebtables start +ExecStop=/usr/libexec/ebtables stop + +[Install] +WantedBy=multi-user.target diff --git a/SPECS/ebtables.systemd b/SPECS/ebtables.systemd new file mode 100644 index 0000000..c31ddc0 --- /dev/null +++ b/SPECS/ebtables.systemd @@ -0,0 +1,71 @@ +#!/bin/bash + +RETVAL=0 +EBTCONF=/etc/sysconfig/ebtables + +initialize() { + # Initialize $TYPE tables + echo -n $" $TYPE tables: " + if [ -r /etc/sysconfig/ebtables.$TYPE ]; then + /sbin/ebtables -t $TYPE --atomic-file /etc/sysconfig/ebtables.$TYPE --atomic-commit > /dev/null || RETVAL=1 + else + echo -n "not configured" + fi + if [ $RETVAL -eq 0 ]; then + echo -n $"[ OK ]" + echo -ne "\r" + else + echo -n $"[FAILED]" + echo -ne "\r" + fi +} + +case $1 in + start) + if [[ -r $EBTCONF ]]; then + ebtables-restore <$EBTCONF + RETVAL=$? + else + echo -n "not configured" + fi + if [ $RETVAL -eq 0 ]; then + echo -n $"[ OK ]" + echo -ne "\r" + else + echo -n $"[FAILED]" + echo -ne "\r" + fi + ;; + stop) + [[ $EBTABLES_SAVE_ON_STOP == "yes" ]] && $0 save + /sbin/ebtables --init-table + RETVAL=$? + + if [ $RETVAL -eq 0 ]; then + echo -n $"[ OK ]" + echo -ne "\r" + else + echo -n $"[FAILED]" + echo -ne "\r" + fi + ;; + save) + echo -n $"Saving Ethernet bridge filtering (ebtables): " + ebtables-save >$EBTCONF + RETVAL=$? + + if [ $RETVAL -eq 0 ]; then + echo -n $"[ OK ]" + echo -ne "\r" + else + echo -n $"[FAILED]" + echo -ne "\r" + fi + ;; + *) + echo "usage: ${0##*/} {start|stop|save}" >&2 + exit 1 + ;; +esac + +# vim:set ts=2 sw=2 ft=sh et: diff --git a/SPECS/iptables-1.8.2.tar.bz2 b/SPECS/iptables-1.8.2.tar.bz2 new file mode 100644 index 0000000..5064c30 Binary files /dev/null and b/SPECS/iptables-1.8.2.tar.bz2 differ diff --git a/SPECS/iptables-1.8.4.tar.bz2 b/SPECS/iptables-1.8.4.tar.bz2 new file mode 100644 index 0000000..e95fb7a Binary files /dev/null and b/SPECS/iptables-1.8.4.tar.bz2 differ diff --git a/SPECS/iptables-config b/SPECS/iptables-config new file mode 100644 index 0000000..3d7e176 --- /dev/null +++ b/SPECS/iptables-config @@ -0,0 +1,59 @@ +# Load additional iptables modules (nat helpers) +# Default: -none- +# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which +# are loaded after the firewall rules are applied. Options for the helpers are +# stored in /etc/modprobe.conf. +IPTABLES_MODULES="" + +# Save current firewall rules on stop. +# Value: yes|no, default: no +# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped +# (e.g. on system shutdown). +IPTABLES_SAVE_ON_STOP="no" + +# Save current firewall rules on restart. +# Value: yes|no, default: no +# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets +# restarted. +IPTABLES_SAVE_ON_RESTART="no" + +# Save (and restore) rule and chain counter. +# Value: yes|no, default: no +# Save counters for rules and chains to /etc/sysconfig/iptables if +# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or +# SAVE_ON_RESTART is enabled. +IPTABLES_SAVE_COUNTER="no" + +# Numeric status output +# Value: yes|no, default: yes +# Print IP addresses and port numbers in numeric format in the status output. +IPTABLES_STATUS_NUMERIC="yes" + +# Verbose status output +# Value: yes|no, default: yes +# Print info about the number of packets and bytes plus the "input-" and +# "outputdevice" in the status output. +IPTABLES_STATUS_VERBOSE="no" + +# Status output with numbered lines +# Value: yes|no, default: yes +# Print a counter/number for every rule in the status output. +IPTABLES_STATUS_LINENUMBERS="yes" + +# Reload sysctl settings on start and restart +# Default: -none- +# Space separated list of sysctl items which are to be reloaded on start. +# List items will be matched by fgrep. +#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf" + +# Set wait option for iptables-restore calls in seconds +# Default: 600 +# Set to 0 to deactivate the wait. +#IPTABLES_RESTORE_WAIT=600 + +# Set wait interval option for iptables-restore calls in microseconds +# Default: 1000000 +# Set to 100000 to try to get the lock every 100000 microseconds, 10 times a +# second. +# Only usable with IPTABLES_RESTORE_WAIT > 0 +#IPTABLES_RESTORE_WAIT_INTERVAL=1000000 diff --git a/SPECS/iptables.init b/SPECS/iptables.init new file mode 100755 index 0000000..52fa91a --- /dev/null +++ b/SPECS/iptables.init @@ -0,0 +1,374 @@ +#!/bin/bash +# +# iptables Start iptables firewall +# +# chkconfig: 2345 08 92 +# description: Starts, stops and saves iptables firewall +# +# config: /etc/sysconfig/iptables +# config: /etc/sysconfig/iptables-config +# +### BEGIN INIT INFO +# Provides: iptables +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: start and stop iptables firewall +# Description: Start, stop and save iptables firewall +### END INIT INFO + +# Source function library. +. /etc/init.d/functions + +IPTABLES=iptables +IPTABLES_DATA=/etc/sysconfig/$IPTABLES +IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback +IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config +IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 +[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" +VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES + +# only usable for root +if [ $EUID != 0 ]; then + echo -n $"${IPTABLES}: Only usable by root."; warning; echo + exit 4 +fi + +if [ ! -x /sbin/$IPTABLES ]; then + echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo + exit 5 +fi + +# Default firewall configuration: +IPTABLES_MODULES="" +IPTABLES_SAVE_ON_STOP="no" +IPTABLES_SAVE_ON_RESTART="no" +IPTABLES_SAVE_COUNTER="no" +IPTABLES_STATUS_NUMERIC="yes" +IPTABLES_STATUS_VERBOSE="no" +IPTABLES_STATUS_LINENUMBERS="yes" +IPTABLES_SYSCTL_LOAD_LIST="" +IPTABLES_RESTORE_WAIT=600 +IPTABLES_RESTORE_WAIT_INTERVAL=1000000 + +# Load firewall configuration. +[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" + +# explicitly omit security table from this list as +# it should be reserved for SELinux use +NF_TABLES="raw mangle filter nat" + + +flush_n_delete() { + # Flush firewall rules and delete chains. + echo -n $"${IPTABLES}: Flushing firewall rules: " + ret=0 + # For all tables + for i in $NF_TABLES; do + # Flush firewall rules. + $IPTABLES -t $i -F; + let ret+=$?; + + # Delete firewall chains. + $IPTABLES -t $i -X; + let ret+=$?; + + # Set counter to zero. + $IPTABLES -t $i -Z; + let ret+=$?; + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +set_policy() { + # Set policy for configured tables. + policy=$1 + echo -n $"${IPTABLES}: Setting chains to policy $policy: " + ret=0 + for i in $NF_TABLES; do + echo -n "$i " + case "$i" in + raw) + $IPTABLES -t raw -P PREROUTING $policy \ + && $IPTABLES -t raw -P OUTPUT $policy \ + || let ret+=1 + ;; + filter) + $IPTABLES -t filter -P INPUT $policy \ + && $IPTABLES -t filter -P OUTPUT $policy \ + && $IPTABLES -t filter -P FORWARD $policy \ + || let ret+=1 + ;; + nat) + $IPTABLES -t nat -P PREROUTING $policy \ + && $IPTABLES -t nat -P POSTROUTING $policy \ + && $IPTABLES -t nat -P OUTPUT $policy \ + || let ret+=1 + ;; + mangle) + $IPTABLES -t mangle -P PREROUTING $policy \ + && $IPTABLES -t mangle -P POSTROUTING $policy \ + && $IPTABLES -t mangle -P INPUT $policy \ + && $IPTABLES -t mangle -P OUTPUT $policy \ + && $IPTABLES -t mangle -P FORWARD $policy \ + || let ret+=1 + ;; + *) + let ret+=1 + ;; + esac + done + + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +load_sysctl() { + # load matched sysctl values + if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then + echo -n $"Loading sysctl settings: " + ret=0 + for item in $IPTABLES_SYSCTL_LOAD_LIST; do + fgrep -hs $item /etc/sysctl.d/*.conf | sysctl -p - >/dev/null + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + return $ret +} + +start() { + # Do not start if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Applying firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; + if [ -f "$IPTABLES_FALLBACK_DATA" ]; then + echo -n $"${IPTABLES}: Applying firewall fallback rules: " + $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; return 1 + fi + else + return 1 + fi + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + touch $VAR_SUBSYS_IPTABLES + return $ret +} + +stop() { + # Set default chain policy to ACCEPT, in order to not break shutdown + # on systems where the default policy is DROP and root device is + # network-based (i.e.: iSCSI, NFS) + set_policy ACCEPT + # And then, flush the rules and delete chains + flush_n_delete + + rm -f $VAR_SUBSYS_IPTABLES + return $ret +} + +save() { + echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + + ret=0 + TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ + && chmod 600 "$TMP_FILE" \ + && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ + && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ + || ret=1 + if [ $ret -eq 0 ]; then + if [ -e $IPTABLES_DATA ]; then + cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ + && chmod 600 $IPTABLES_DATA.save \ + && restorecon $IPTABLES_DATA.save \ + || ret=1 + fi + if [ $ret -eq 0 ]; then + mv -f $TMP_FILE $IPTABLES_DATA \ + && chmod 600 $IPTABLES_DATA \ + && restorecon $IPTABLES_DATA \ + || ret=1 + fi + fi + rm -f $TMP_FILE + [ $ret -eq 0 ] && success || failure + echo + return $ret +} + +status() { + if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then + echo $"${IPTABLES}: Firewall is not running." + return 3 + fi + + NUM= + [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" + VERBOSE= + [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" + COUNT= + [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" + + for table in $NF_TABLES; do + echo $"Table: $table" + $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo + done + + return 0 +} + +reload() { + # Do not reload if there is no config file. + if [ ! -f "$IPTABLES_DATA" ]; then + echo -n $"${IPTABLES}: No config file."; warning; echo + return 6 + fi + + # check if ipv6 module load is deactivated + if [ "${_IPV}" = "ipv6" ] \ + && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then + echo $"${IPTABLES}: ${_IPV} is disabled." + return 150 + fi + + echo -n $"${IPTABLES}: Trying to reload firewall rules: " + + OPT= + [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" + if [ $IPTABLES_RESTORE_WAIT -ne 0 ]; then + OPT="${OPT} --wait ${IPTABLES_RESTORE_WAIT}" + if [ $IPTABLES_RESTORE_WAIT_INTERVAL -lt 1000000 ]; then + OPT="${OPT} --wait-interval ${IPTABLES_RESTORE_WAIT_INTERVAL}" + fi + fi + + $IPTABLES-restore $OPT $IPTABLES_DATA + if [ $? -eq 0 ]; then + success; echo + else + failure; echo; echo "Firewall rules are not changed."; return 1 + fi + + # Load additional modules (helpers) + if [ -n "$IPTABLES_MODULES" ]; then + echo -n $"${IPTABLES}: Loading additional modules: " + ret=0 + for mod in $IPTABLES_MODULES; do + echo -n "$mod " + modprobe $mod > /dev/null 2>&1 + let ret+=$?; + done + [ $ret -eq 0 ] && success || failure + echo + fi + + # Load sysctl settings + load_sysctl + + return $ret +} + +restart() { + [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save + stop + start +} + + +case "$1" in + start) + [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 + start + RETVAL=$? + ;; + stop) + [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save + stop + RETVAL=$? + ;; + restart|force-reload) + restart + RETVAL=$? + ;; + reload) + [ -e "$VAR_SUBSYS_IPTABLES" ] && reload + RETVAL=$? + ;; + condrestart|try-restart) + [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 + restart + RETVAL=$? + ;; + status) + status + RETVAL=$? + ;; + panic) + set_policy DROP + RETVAL=$? + ;; + save) + save + RETVAL=$? + ;; + *) + echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}" + RETVAL=2 + ;; +esac + +exit $RETVAL diff --git a/SPECS/iptables.service b/SPECS/iptables.service new file mode 100644 index 0000000..39f95f9 --- /dev/null +++ b/SPECS/iptables.service @@ -0,0 +1,19 @@ +[Unit] +Description=IPv4 firewall with iptables +AssertPathExists=/etc/sysconfig/iptables +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/iptables/iptables.init start +ExecReload=/usr/libexec/iptables/iptables.init reload +ExecStop=/usr/libexec/iptables/iptables.init stop +Environment=BOOTUP=serial +Environment=CONSOLETYPE=serial +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=multi-user.target diff --git a/SPECS/sysconfig_ip6tables b/SPECS/sysconfig_ip6tables new file mode 100644 index 0000000..34b8b87 --- /dev/null +++ b/SPECS/sysconfig_ip6tables @@ -0,0 +1,15 @@ +# sample configuration for ip6tables service +# you can edit this manually or use system-config-firewall +# please do not ask us to add additional ports/services to this default configuration +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p ipv6-icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT +-A INPUT -j REJECT --reject-with icmp6-adm-prohibited +-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited +COMMIT diff --git a/SPECS/sysconfig_iptables b/SPECS/sysconfig_iptables new file mode 100644 index 0000000..5183250 --- /dev/null +++ b/SPECS/sysconfig_iptables @@ -0,0 +1,14 @@ +# sample configuration for iptables service +# you can edit this manually or use system-config-firewall +# please do not ask us to add additional ports/services to this default configuration +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT