[Fix] set local DNS servers as configured in resolv.conf to bypass RABPSCAN to prevent potential Denial of Service from forged packets
rfxn committed Feb 4, 2014
1 parent c0dab40 commit 36dc3a1
Showing 3 changed files with 12 additions and 7 deletions.
2 changes: 1 addition & 1 deletion .ca.def
Expand Up @@ -26,7 +26,7 @@ INSTALL_PATH="$INSTALL_PATH"
# Untrusted Network interface; all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interface.
IFACE_UNTRUSTED="$IFACE_IN"
IFACE_UNTRUSTED="$IFACE_UNTRUSTED"

# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules, format is white space or comma separated list.
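Review bot: the IFACE_IN to IFACE_UNTRUSTED rename in this template is unrelated to the RABPSCAN DNS fix named in the commit title and belongs with the "[Change] replace IFACE_IN/OUT variables with IFACE_UNTRUSTED variable in conf.apf" entry; splitting it into its own commit keeps the DNS bypass revertable on its own. Also confirm that whatever expands this template now exports IFACE_UNTRUSTED rather than IFACE_IN, otherwise the installed line becomes IFACE_UNTRUSTED="" and no interface is subject to the firewall rules.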
9 changes: 4 additions & 5 deletions CHANGELOG
@@ -1,6 +1,4 @@
- 9.7
[TODO] dynamically set pscan trigger level based on security level

(rev:3)
[Change] replace IFACE_IN/OUT variables with IFACE_UNTRUSTED variable in conf.apf
[Change] removed defunct crondcheck() function
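Review bot: this hunk drops two of the six lines at the head of the CHANGELOG but the rendered view does not show which; if the "[TODO] dynamically set pscan trigger level based on security level" item is one of them, add a line under (rev:3) stating whether it was implemented or deferred, since the pscan trigger level is exactly the mechanism the resolv.conf bypass in this commit works around.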
Expand All @@ -24,13 +22,14 @@
validation callouts
[Change] preroute rules now load before implicit trust on loopback interface traffic so rules can be
applied against loopback traffic if so desired
[Fix] SYSCTL_CONNTRACK better handles varied kernel and iptables versions to apply value on correct sysctl
hook file; nf_conntrack_max or ip_conntrack_max
[Change] consolidated TMP_DROP and TMP_ALLOW chains into REFRESH_TEMP
[Fix] trust rules refresh cronjob modified to remove MAILTO & SHELL variables which were causing crond
'bad minute' errors on some systems
[Fix] reordered chain flushes on refresh() to avoid any possible packet loss or loss of connectivity
from hosts in the allow tables
[Change] consolidated TMP_DROP and TMP_ALLOW chains into REFRESH_TEMP
[Fix] SYSCTL_CONNTRACK better handles varied kernel and iptables versions to apply value on correct sysctl
hook file; nf_conntrack_max or ip_conntrack_max
[Fix] set local DNS servers as configured in resolv.conf to bypass RABPSCAN to prevent potential Denial of Service from forged packets
[Fix] restarts in some situations can cause 'iptables: Resource temporarily unavailable' errors, added 2sec
sleep delay on restarts between flush() and start() to prevent resource errors
[Fix] block rules for BLK_PRVNET and BLK_RESNET were being added with no interface modifier and as such had
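Review bot: the new "set local DNS servers as configured in resolv.conf" entry is one unbroken line of well over 100 columns while every neighbouring entry wraps at about 100 columns with an indented continuation (compare the SYSCTL_CONNTRACK and "bad minute" entries); wrap it to match. Separately, the SYSCTL_CONNTRACK and "consolidated TMP_DROP and TMP_ALLOW chains into REFRESH_TEMP" entries are moved within this same hunk, so each appears twice in the diff; reordering existing entries in the commit that adds a new one makes it harder to see what this fix actually changes.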
8 changes: 7 additions & 1 deletion files/firewall
Expand Up @@ -170,7 +170,7 @@ if [ "$RAB" == "1" ]; then
else
RAB_TRIP_FLAGS="--update"
fi

if [ "$LOG_DROP" == "1" ] || [ "$RAB_LOG_TRIP" == "1" ]; then
$IPT -A INPUT -p all -m recent --rcheck --hitcount $RAB_HITCOUNT --seconds $RAB_TIMER -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABTRIP ** "
fi
Expand All @@ -191,6 +191,12 @@ if [ "$RAB" == "1" ]; then
esac
eout "{rab} RAB_PSCAN monitored ports $RAB_PSCAN_PORTS"
$IPT -N RABPSCAN
LDNS=`cat /etc/resolv.conf | grep -v "#" | grep -w nameserver | awk '{print$2}' | grep -v 127.0.0.1`
if [ "$LDNS" ]; then
for i in `echo $LDNS`; do
$IPT -I RABPSCAN -s $i -j RETURN
done
fi
for i in `echo $RAB_PSCAN_PORTS | tr ',' ' '`; do
if [ "$LOG_DROP" == "1" ] || [ "$RAB_LOG_HIT" == "1" ]; then
$IPT -A RABPSCAN -p tcp --dport $i -m limit --limit=$LOG_RATE/minute -j $LOG_TARGET --log-level=$LOG_LEVEL $LEXT --log-prefix="** RABHIT ** "
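Review bot: the bypass on the new `$IPT -I RABPSCAN -s $i -j RETURN` line matches every protocol and port from the resolver address, so anyone who forges the resolver's source IP is now exempt from RABPSCAN on all monitored ports, which trades one forged-packet problem for another. Narrow it to what a resolver actually sends back, e.g. `$IPT -I RABPSCAN -p udp -s $i --sport 53 -j RETURN` plus the same rule for `-p tcp`, or pair `-s $i` with `-m state --state ESTABLISHED`, so a forged SYN to a monitored port from that address still reaches the chain. The parsing pipeline also needs tightening: `grep -v "#"` discards any nameserver line that carries a trailing comment, `grep -v 127.0.0.1` is a substring match that also drops addresses such as 127.0.0.11, and an IPv6 nameserver line will be fed to iptables and make the `-I` fail; the list is read once at start, so a resolver change pushed by DHCP is not picked up until the next restart.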