From bf307069820e656dc294970613a843b7985327fd Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 17 Mar 2004 19:06:54 +0000
Subject: [PATCH] Add nobogons interface option

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1197 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/bogons | 60 +++++++++++++++++++++++++++++++++++++++
 Shorewall2/fallback.sh | 2 ++
 Shorewall2/firewall | 45 ++++++++++++++++++++++++++++-
 Shorewall2/install.sh | 6 ++++
 Shorewall2/rfc1918 | 44 ++--------------------------
 Shorewall2/shorewall.spec | 3 ++
 6 files changed, 117 insertions(+), 43 deletions(-)
 create mode 100644 Shorewall2/bogons

diff --git a/Shorewall2/bogons b/Shorewall2/bogons
new file mode 100644
index 000000000..0ca59aeeb
--- /dev/null
+++ b/Shorewall2/bogons
@@ -0,0 +1,60 @@
+#
+# Shorewall 2.0-- Bogons File
+#
+# /etc/shorewall/bogons
+#
+# Lists the subnetworks that are blocked by the 'nobogons' interface option.
+#
+# The default list includes those those ip ADDRESSES listed
+# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C
+# reserved for use in documentation and examples.
+#
+# Columns are:
+#
+# SUBNET The subnet (host addresses also allowed)
+# TARGET Where to send packets to/from this subnet
+# RETURN - let the packet be processed normally
+# DROP - silently drop the packet
+# logdrop - log then drop
+#
+###############################################################################
+#SUBNET TARGET
+255.255.255.255 RETURN # We need to allow limited broadcast
+169.254.0.0/16 DROP # DHCP autoconfig
+192.0.2.0/24 logdrop # Example addresses (RFC 3330)
+#
+# The following are generated with the help of the Python program found at:
+#
+# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/
+#
+# The program was contributed by Andy Wiggin
+#
+0.0.0.0/7 logdrop # Reserved
+2.0.0.0/8 logdrop # Reserved
+5.0.0.0/8 logdrop # Reserved
+7.0.0.0/8 logdrop # Reserved
+23.0.0.0/8 logdrop # Reserved
+27.0.0.0/8 logdrop # Reserved
+31.0.0.0/8 logdrop # Reserved
+36.0.0.0/7 logdrop # Reserved
+39.0.0.0/8 logdrop # Reserved
+41.0.0.0/8 logdrop # Reserved
+42.0.0.0/8 logdrop # Reserved
+49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
+50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98
+58.0.0.0/7 logdrop # Reserved
+70.0.0.0/7 logdrop # Reserved
+72.0.0.0/5 logdrop # Reserved
+85.0.0.0/8 logdrop # Reserved
+86.0.0.0/7 logdrop # Reserved
+88.0.0.0/5 logdrop # Reserved
+96.0.0.0/3 logdrop # Reserved
+127.0.0.0/8 logdrop # Loopback
+197.0.0.0/8 logdrop # Reserved
+198.18.0.0/15 logdrop # Reserved
+223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003
+240.0.0.0/4 logdrop # Reserved
+#
+# End of generated entries
+#
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
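Review bot: The header line `+# The default list includes those those ip ADDRESSES listed` has a doubled word and stray casing; suggest `# The default list includes those IP addresses listed`, matching the wording retained in rfc1918. The generated entries are labelled "Reserved" as of the run of the helper program named in the comment, and IANA allocations change, so the header should state that the list is a dated snapshot that must be regenerated or reviewed periodically — a stale entry silently logdrops legitimate traffic from a newly allocated block. The firewall script's `case $target` accepts only the exact spellings `logdrop`, `DROP` and `RETURN`, so the TARGET description would also benefit from noting that the names are case-sensitive.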
diff --git a/Shorewall2/fallback.sh b/Shorewall2/fallback.sh index 0426ef11b..6e03a2853 100755 --- a/Shorewall2/fallback.sh +++ b/Shorewall2/fallback.sh @@ -116,6 +116,8 @@ restore_file /etc/shorewall/whitelist restore_file /etc/shorewall/rfc1918 restore_file /usr/share/shorewall/rfc1918 +restore_file /usr/share/shorewall/bogons + restore_file /etc/shorewall/init restore_file /etc/shorewall/start diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 9d06c62df..115d7c945 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -659,7 +659,7 @@ validate_interfaces_file() { for option in $options; do case $option in - dhcp|norfc1918|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|nosmurfs|-) + dhcp|norfc1918|nobogons|tcpflags|newnotsyn|arp_filter|routefilter|blacklist|proxyarp|maclist|nosmurfs|-) ;; dropunclean|logunclean) if [ -z "$found_obsolete_option" ]; then @@ -4655,6 +4655,46 @@ add_common_rules() { [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \ run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918 done + fi + # + # Bogons + # + nobogon_interfaces="$(find_interfaces_by_option norfc1918)" + + if [ -n "$nobogon_interfaces" ]; then + echo "Enabling Bogon Filtering" + + strip_file bogons + + createchain nobogons no + + createchain bogons no + + log_rule $BOGON_LOG_LEVEL bogons DROP + + run_iptables -A bogons -j DROP + + while read subnet target; do + case $target in + logdrop) + target=bogons + ;; + DROP|RETURN) + ;; + *) + fatal_error "Invalid target ($target) for $subnet" + ;; + esac + + run_iptables2 -A nobogons -s $subnet -j $target + + done < $TMP_DIR/bogons + + for interface in $nobogon_interfaces; do + for chain in $(first_chains $interface); do + run_iptables -A $chain -m state --state NEW -j nobogons + done + done fi 
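Review bot: `nobogon_interfaces="$(find_interfaces_by_option norfc1918)"` queries the wrong option: the option this commit adds to validate_interfaces_file is `nobogons`, so an interface configured with `nobogons` alone gets no bogon chain at all, while every `norfc1918` interface silently gets both filters; the line should read `nobogon_interfaces="$(find_interfaces_by_option nobogons)"`. The `fi` added at the top of the hunk closes the preceding norfc1918 block and the new bogons `if` is closed by the context `fi`, which reads correctly but is easy to misjudge; a short `# end norfc1918` comment on the added `fi` would help (the hunk's trailing context lines appear collapsed in this rendering). Unlike the rfc1918 block, whose context lines also hook mangle PREROUTING through man1918, the new nobogons chain only matches `-s $subnet`; if a destination-side check is intentionally omitted, a one-line comment saying so would spare the next reader from re-deriving it. add_common_rules continues outside the hunk.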
@@ -5599,6 +5639,7 @@ do_initialize() { TCP_FLAGS_DISPOSITION= TCP_FLAGS_LOG_LEVEL= RFC1918_LOG_LEVEL= + BOGON_LOG_LEVEL= MARK_IN_FORWARD_CHAIN= SHARED_DIR=/usr/share/shorewall FUNCTIONS= @@ -5732,6 +5773,8 @@ do_initialize() { fi [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info + [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info + MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre if [ -n "$TC_ENABLED" ]; then diff --git a/Shorewall2/install.sh b/Shorewall2/install.sh index 5dd432d76..58b94f99a 100755 --- a/Shorewall2/install.sh +++ b/Shorewall2/install.sh @@ -384,6 +384,12 @@ install_file_with_backup rfc1918 ${PREFIX}/usr/share/shorewall/rfc1918 0600 echo echo "RFC 1918 file installed as ${PREFIX}/etc/shorewall/rfc1918" # +# Install the bogons file +# +install_file_with_backup bogons ${PREFIX}/usr/share/shorewall/bogons 0600 +echo +echo "Bogon file installed as ${PREFIX}/etc/shorewall/bogons" +# # Install the init file # if [ -f ${PREFIX}/etc/shorewall/init ]; then diff --git a/Shorewall2/rfc1918 b/Shorewall2/rfc1918 index 01123a4b7..3d873b323 100644 --- a/Shorewall2/rfc1918 +++ b/Shorewall2/rfc1918 @@ -5,9 +5,7 @@ # # Lists the subnetworks that are blocked by the 'norfc1918' interface option. # -# The default list includes those IP addresses listed in RFC 1918, those listed -# as 'reserved' by the IANA, the DHCP Autoconfig class B, and the class C -# reserved for use in documentation and examples. +# The default list includes those IP addresses listed in RFC 1918. # # Columns are: # 
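Review bot: BOGON_LOG_LEVEL is initialised and defaulted to `info` exactly like RFC1918_LOG_LEVEL, but no file in this commit's diffstat touches shorewall.conf or its documentation, so unless that is done separately the new setting cannot be discovered or changed by administrators. Assuming it is meant to be read from shorewall.conf like its RFC1918 counterpart, add a `BOGON_LOG_LEVEL=` entry there with a comment mirroring the RFC1918_LOG_LEVEL one. do_initialize continues outside both hunks.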
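Review bot: The message `echo "Bogon file installed as ${PREFIX}/etc/shorewall/bogons"` names a path the preceding install_file_with_backup line does not write; the file is placed at `${PREFIX}/usr/share/shorewall/bogons`. The same mismatch already exists in the RFC 1918 line shown in context, but copying it for a new file compounds it; suggest `echo "Bogon file installed as ${PREFIX}/usr/share/shorewall/bogons"`.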
@@ -19,45 +17,7 @@ # ############################################################################### #SUBNET TARGET -255.255.255.255 RETURN # We need to allow limited broadcast -169.254.0.0/16 DROP # DHCP autoconfig 172.16.0.0/12 logdrop # RFC 1918 -192.0.2.0/24 logdrop # Example addresses (RFC 3330) 192.168.0.0/16 logdrop # RFC 1918 -# -# The following are generated with the help of the Python program found at: -# -# http://www.shorewall.net/pub/shorewall/contrib/iana_reserved/ -# -# The program was contributed by Andy Wiggin -# -0.0.0.0/7 logdrop # Reserved -2.0.0.0/8 logdrop # Reserved -5.0.0.0/8 logdrop # Reserved -7.0.0.0/8 logdrop # Reserved -10.0.0.0/8 logdrop # Reserved -23.0.0.0/8 logdrop # Reserved -27.0.0.0/8 logdrop # Reserved -31.0.0.0/8 logdrop # Reserved -36.0.0.0/7 logdrop # Reserved -39.0.0.0/8 logdrop # Reserved -41.0.0.0/8 logdrop # Reserved -42.0.0.0/8 logdrop # Reserved -49.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 -50.0.0.0/8 logdrop # JTC - Returned to IANA Mar 98 -58.0.0.0/7 logdrop # Reserved -70.0.0.0/7 logdrop # Reserved -72.0.0.0/5 logdrop # Reserved -85.0.0.0/8 logdrop # Reserved -86.0.0.0/7 logdrop # Reserved -88.0.0.0/5 logdrop # Reserved -96.0.0.0/3 logdrop # Reserved -127.0.0.0/8 logdrop # Loopback -197.0.0.0/8 logdrop # Reserved -198.18.0.0/15 logdrop # Reserved -223.0.0.0/8 logdrop # Reserved - Returned by APNIC in 2003 -240.0.0.0/4 logdrop # Reserved -# -# End of generated entries -# +10.0.0.0/8 logdrop # RFC 1918 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall2/shorewall.spec b/Shorewall2/shorewall.spec index 639f7c9e1..d27aee730 100644 --- a/Shorewall2/shorewall.spec +++ b/Shorewall2/shorewall.spec 
@@ -133,10 +133,13 @@ fi %attr(0544,root,root) /usr/share/shorewall/firewall %attr(0544,root,root) /usr/share/shorewall/help %attr(0600,root,root) /usr/share/shorewall/rfc1918 +%attr(0600,root,root) /usr/share/shorewall/bogons %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Web Mar 17 2004 Tom Eastep +- Add bogons file * Sat Mar 13 2004 Tom Eastep - Update for 2.0.0 Final * Sat Mar 06 2004 Tom Eastep
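Review bot: The new %changelog header `* Web Mar 17 2004 Tom Eastep` misspells the weekday; rpm tooling checks the day-of-week in %changelog dates and typically warns about a bogus date. It should read `* Wed Mar 17 2004 Tom Eastep`, which matches the commit's own Date header.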