diff options
Diffstat (limited to 'pkg/linux/bitmask-root')
-rwxr-xr-x | pkg/linux/bitmask-root | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index 6d296ecf..f1c5c0c3 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -740,6 +740,11 @@ def firewall_start(args): iptables("--insert", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT") + # log rejected packets to syslog + if DEBUG: + iptables("--insert", BITMASK_CHAIN, "-o", default_device, + "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") + # allow traffic to gateways for gateway in gateways: ip4tables("--insert", BITMASK_CHAIN, "--destination", gateway, @@ -750,10 +755,27 @@ def firewall_start(args): ip4tables("--insert", BITMASK_CHAIN, "--destination", local_network_ipv4, "-o", default_device, "--jump", "ACCEPT") + # allow multicast Simple Service Discovery Protocol + ip4tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900", + "-o", default_device, "--jump", "ACCEPT") + # allow multicast Bonjour/mDNS + ip4tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353", + "-o", default_device, "--jump", "ACCEPT") if local_network_ipv6: ip6tables("--insert", BITMASK_CHAIN, "--destination", local_network_ipv6, "-o", default_device, "--jump", "ACCEPT") + # allow multicast Simple Service Discovery Protocol + ip6tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900", + "-o", default_device, "--jump", "ACCEPT") + # allow multicast Bonjour/mDNS + ip6tables("--insert", BITMASK_CHAIN, + "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", + "-o", default_device, "--jump", "ACCEPT") + # block DNS requests to anyone but the service provider or localhost # when we actually route ipv6, we will need dns rules for it too |