Diffstat (limited to 'pkg/linux')
-rwxr-xr-xpkg/linux/bitmask-root26
1 files changed, 17 insertions, 9 deletions
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index c6685877..1929b51b 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -765,11 +765,13 @@ def firewall_start(args):
"--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
ip4tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900",
+ "--protocol", "udp",
+ "--destination", "239.255.255.250", "--dport", "1900",
"-o", default_device, "--jump", "RETURN")
# allow multicast Bonjour/mDNS
ip4tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353",
+ "--protocol", "udp",
+ "--destination", "224.0.0.251", "--dport", "5353",
"-o", default_device, "--jump", "RETURN")
if local_network_ipv6:
ip6tables("--append", BITMASK_CHAIN,
@@ -777,11 +779,13 @@ def firewall_start(args):
"--jump", "ACCEPT")
# allow multicast Simple Service Discovery Protocol
ip6tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900",
+ "--protocol", "udp",
+ "--destination", "FF05::C", "--dport", "1900",
"-o", default_device, "--jump", "RETURN")
# allow multicast Bonjour/mDNS
ip6tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
+ "--protocol", "udp",
+ "--destination", "FF02::FB", "--dport", "5353",
"-o", default_device, "--jump", "RETURN")
# allow ipv4 traffic to gateways
@@ -792,15 +796,19 @@ def firewall_start(args):
# log rejected packets to syslog
if DEBUG:
iptables("--append", BITMASK_CHAIN, "-o", default_device,
- "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
+ "--jump", "LOG", "--log-prefix", "iptables denied: ",
+ "--log-level", "7")
- # for now, ensure all other ipv6 packets get rejected (regardless of device)
+ # for now, ensure all other ipv6 packets get rejected (regardless of
+ # device)
# (not sure why, but "-p any" doesn't work)
ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT")
ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT")
# reject all other ipv4 sent over the default device
- ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT")
+ ip4tables("--append", BITMASK_CHAIN, "-o",
+ default_device, "--jump", "REJECT")
+
def firewall_stop():
"""
@@ -853,8 +861,8 @@ def main():
nameserver_setter.start(NAMESERVER)
except Exception as ex:
if not is_restart:
- nameserver_restorer.start()
- firewall_stop()
+ nameserver_restorer.start()
+ firewall_stop()
bail("ERROR: could not start firewall", ex)
elif command == "firewall_stop":