authorGuilhem Moulin <guilhem@fripost.org>2014-01-24 23:38:03 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:42 +0200
commit984708466b7c368e98a8b51c00acff5e6b870bd2 (patch)
treebb6d24999a82d54cf25a4c51c28a0872d519f03f /roles
parent0088f50a9bfe297760f9641dce4e770926d0f2fe (diff)
wibble
Diffstat (limited to 'roles')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh8
1 files changed, 5 insertions, 3 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index 4050e9e..cfd2678 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -253,6 +253,7 @@ run() {
# DROP bogus TCP packets.
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+ iptables -A INPUT -p tcp \! --syn -m state --state NEW -j DROP
# Allow all input/output to/from the loopback interface.
local localhost=$(inet46 $f '127.0.0.1/32' '::1/128')
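Review bot: The added `! --syn` drop uses the legacy `state` match; where xt_conntrack is available the preferred, equivalent form is `iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP`, and the `\!` escape is unnecessary in a non-interactive script. The rule also deserves its own comment, since the existing `# DROP bogus TCP packets.` header only explains the flag-combination rules above it: `# A NEW TCP connection must start with SYN; drop mid-stream segments conntrack has no entry for.` One caveat to confirm: if the conntrack table is flushed or the module reloaded while this script runs, packets of already-open connections are classified NEW without SYN and dropped here instead of being re-adopted via nf_conntrack_tcp_loose, so a firewall reload can break live sessions; whether that applies depends on how the rest of run() reloads the ruleset, which starts and ends outside this hunk.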
@@ -278,11 +279,12 @@ run() {
# net.ipv4.icmp_ratemask runtime options). See icmp(7).
local t
for t in 'echo-reply' 'destination-unreachable' 'echo-request'; do
- iptables -A INPUT -i $if -p icmp -m icmp --icmp-type $t -j ACCEPT
- iptables -A OUTPUT -o $if -p icmp -m icmp --icmp-type $t -j ACCEPT
+ iptables -A INPUT -p icmp -m icmp --icmp-type $t -j ACCEPT
+ iptables -A OUTPUT -p icmp -m icmp --icmp-type $t -j ACCEPT
done
elif [ $f = 6 ]; then
- iptables -A INPUT -i $ip -p icmpv6 -j ACCEPT
+ iptables -A INPUT -p icmpv6 -j ACCEPT
+ iptables -A OUTPUT -p icmpv6 -j ACCEPT
fi