summaryrefslogtreecommitdiff
path: root/pkg/linux/bitmask-root
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/linux/bitmask-root')
-rwxr-xr-xpkg/linux/bitmask-root22
1 files changed, 22 insertions, 0 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 6d296ecf..f1c5c0c3 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -740,6 +740,11 @@ def firewall_start(args):
iptables("--insert", BITMASK_CHAIN, "-o", default_device,
"--jump", "REJECT")
+ # log rejected packets to syslog
+ if DEBUG:
+ iptables("--insert", BITMASK_CHAIN, "-o", default_device,
+ "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
+
# allow traffic to gateways
for gateway in gateways:
ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway,
@@ -750,10 +755,27 @@ def firewall_start(args):
ip4tables("--insert", BITMASK_CHAIN,
"--destination", local_network_ipv4, "-o", default_device,
"--jump", "ACCEPT")
+ # allow multicast Simple Service Discovery Protocol
+ ip4tables("--insert", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900",
+ "-o", default_device, "--jump", "ACCEPT")
+ # allow multicast Bonjour/mDNS
+ ip4tables("--insert", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353",
+ "-o", default_device, "--jump", "ACCEPT")
if local_network_ipv6:
ip6tables("--insert", BITMASK_CHAIN,
"--destination", local_network_ipv6, "-o", default_device,
"--jump", "ACCEPT")
+ # allow multicast Simple Service Discovery Protocol
+ ip6tables("--insert", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900",
+ "-o", default_device, "--jump", "ACCEPT")
+ # allow multicast Bonjour/mDNS
+ ip6tables("--insert", BITMASK_CHAIN,
+ "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
+ "-o", default_device, "--jump", "ACCEPT")
+
# block DNS requests to anyone but the service provider or localhost
# when we actually route ipv6, we will need dns rules for it too