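#!/bin/bash
# This is a sample set of calls for the modwall modules.
# Written by William Stearns
#
# The bricks are run in a fixed order: lockdown, chain setup, Mustblock,
# Learn, Mustallow, Established, Punish, Block, Allow, Log, Policy, then
# "lockdown stop". Order matters; see the per-section comments below.

# Fail closed. Without this, a brick that exits non-zero is ignored and the
# script still reaches the final "lockdown stop", which opens the firewall
# with only part of the ruleset loaded. With -e the script stops at the
# failing brick and the lockdown rules installed at the top stay in place
# until an operator clears them. Since lockdown blocks all traffic, a remote
# admin session will not survive such a stop; run from the console or be
# ready to clear the lockdown there. -u turns a misspelled variable into an
# error instead of an empty string.
set -eu

# Say which brick failed (and where) before -e ends the script, so the
# operator knows why the firewall is still locked down.
trap 'printf "modwall: brick failed at line %s: %s\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

# Where to find the bricks themselves. This is only used for this script.
export PATH="/usr/lib/modwall/:$PATH"

#00
# This, and the corresponding "lockdown stop" at the end, are _optional_.
# They improve security by blocking all traffic until the firewall is
# completely set up. Not a good call on a running machine already
# handling lots of packets.
lockdown

#01-09 Setup kernel start
# Need iptables module load brick
# Make sure ulogd running

# Set up the optional target chains. These are just set up, not actually
# called from anywhere. These need to be ready before they are used as
# targets of any of the following bricks.
banfor30
scrutinizedst
scrutinizesrc
#histogram
autoreject

#11-19 NAT/Mangle
# Need NAT/Mangle brick with sample NAT/Mangle lines.

#21-29 Mustblock (get rid of packets with invalid characteristics)
# NOTE(review): the brick/argument grouping below was recovered from a copy
# whose line breaks were lost; the bricks that take "<chain> ... DROP"
# arguments should be confirmed against the brick documentation.
macchk
inputsrcaddrtype
outputdstaddrtype
fwdsrcaddrtype
fwddstaddrtype
address
bogons
icmpchk
icmpfwdchk scrutinizesrc banfor30 DROP
ipopts scrutinizesrc banfor30 DROP
plength
tcpchk scrutinizesrc banfor30 DROP
udpchk scrutinizesrc banfor30 DROP
catchmapper scrutinizesrc DROP
catchmapreply scrutinizedst DROP

#31-39 Learn (must be before established)
# Because these fall after the Mustblock section, things like SYN/RST's,
# packets from bogon or illegal addresses, packets with IP options, etc.,
# won't get here. If you want to do learning on those packets too, move
# the learn modules above the Mustblock ones.
syncapture
mapssh
pasvmap
scrutinize

# Rules that actually allow traffic should be below this point.

#41-49 Mustallow
# Need OUTPUT DNS brick
# Need admin brick for incoming ssh, outgoing syslog perhaps

#51-59 Established, related (Everything after this can only refer to NEW rules)
established
# Need invalid brick (default LOG)

#61-69 Punish/recent (must follow rules that might refresh the recent tables)
checkbans
shunsrc
shundst
punishmapper

#71-79 Block (local policy)
blockfwdports
identreject

#81-89 Allow (local policy)
local-forward-accept
local-input-accept
local-output-accept

#91-94 Log
canarydst
logremainder

#95-98 Policy
policy

#99
# Only reached when every brick above succeeded (see "set -e" at the top).
lockdown stop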