6wall patch


This patch enables proper conntrack support in 6wall, a configurable IPv6 firewall script for Linux.

Paste the patch into a local file named 6wall.patch:

--- firewall.noconntrack	2008-09-05 13:50:32.000000000 +0000
+++ firewall	2008-09-05 17:18:43.000000000 +0000
@@ -242,17 +242,18 @@
     run_ip6tables -N $1
 
     if [ $2 = yes ]; then
-#	state="ESTABLISHED,RELATED"
-#	run_ip6tables -A $1 -m state --state $state -j ACCEPT
-#	[ -z "$NEWNOTSYN" ] && \
-#	    run_ip6tables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
+	state="ESTABLISHED,RELATED"
+	run_ip6tables -A $1 -m state --state $state -j ACCEPT
+	[ -z "$NEWNOTSYN" ] && \
+	    run_ip6tables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
 #
 #<ET> Connection tracking not supported yet, 
 #	simulate the established,related state with 
 #	tcp: syn not set - allow
 #	all others: drop
 #
-	run_ip6tables -A $1 -p tcp ! --syn -j ACCEPT
+	#run_ip6tables -A $1 -p tcp ! --syn -j ACCEPT
+	#run_ip6tables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
     fi
 
     eval ${1}_exists=Yes
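Review bot: The comment block that stays on the new side above the re-enabled state rules (`#<ET> Connection tracking not supported yet,` … `#	all others: drop`) still describes the `! --syn` workaround as the active scheme, while the new code disables that line and relies on `-m state --state ESTABLISHED,RELATED`, so the function now contradicts its own comment. Replace the block with `# Conntrack is available: ESTABLISHED,RELATED are accepted via -m state; the old "tcp ! --syn" simulation is kept below, disabled, for reference`. The same stale wording survives at `#<ET> Conection tracking not supported yet` in setcontinue and at `#<ET> Connection tracking not yet available` in the teardown loop of the last hunk, where the new lines likewise add the state rule. The enclosing function starts before this hunk.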
@@ -375,8 +376,8 @@
 setcontinue() # $1 = name of chain
 {
 #<ET> Conection tracking not supported yet
-#    run_ip6tables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-    run_ip6tables -A $1 -p tcp ! --syn -j ACCEPT
+    run_ip6tables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
+#    run_ip6tables -A $1 -p tcp ! --syn -j ACCEPT
 }
 
 #
@@ -3482,10 +3483,10 @@
     #
 #<ET> only needed if IPv6 is only transport protocol, otherwise DNS queries
 #     can be done over IPv4
-#    for chain in INPUT OUTPUT FORWARD; do
-#	run_ip6tables -A $chain -p udp --dport 53 -j ACCEPT
-#	run_ip6tables -A $chain -p ! icmp -m state --state INVALID -j DROP
-#    done
+    for chain in INPUT OUTPUT FORWARD; do
+	run_ip6tables -A $chain -p udp --dport 53 -j ACCEPT
+	# run_ip6tables -A $chain -p ! icmp -m state --state INVALID -j DROP
+    done
 
 #    [ -n "$CLAMPMSS" ] && \
 #	run_ip6tables -A FORWARD -p tcp \
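Review bot: The INVALID drop is re-enabled only as a comment (`# run_ip6tables -A $chain -p ! icmp -m state --state INVALID -j DROP`) although this is the patch that turns conntrack on, so packets the tracker classifies as INVALID fall through to whatever later rules each chain has instead of being dropped; under the previous scheme the comment in the first hunk says everything other than non-SYN TCP was dropped, so this is presumably a regression rather than a deliberate choice. Enable it as `run_ip6tables -A $chain -p ! icmp -m state --state INVALID -j DROP` and add the matching `-D` line to the teardown loop in the last hunk. Separately, the now-unconditional loop accepts `--dport 53` in INPUT and FORWARD as well as OUTPUT, which admits inbound DNS to the host and through it from any source; since replies to outbound queries are now covered by the ESTABLISHED,RELATED match, restricting the accept to OUTPUT (or to the chains the deployment really needs) looks sufficient — confirm against the intended role of the box. The `#<ET> only needed if IPv6 is only transport protocol` comment above the loop also no longer matches the unconditional code. The enclosing function starts and ends outside this hunk.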
@@ -4057,9 +4058,9 @@
     #
     for chain in INPUT OUTPUT FORWARD; do
 #<ET> Connection tracking not yet available
-#	run_ip6tables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
-#	run_ip6tables -D $chain -p udp --dport 53 -j ACCEPT
-	run_ip6tables -D $chain -p tcp ! --syn -j ACCEPT
+	run_ip6tables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
+	run_ip6tables -D $chain -p udp --dport 53 -j ACCEPT
+#	run_ip6tables -D $chain -p tcp ! --syn -j ACCEPT
     done
 }
 

Then apply the patch to the file /usr/share/6wall/firewall by issuing the following commands:

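# Apply 6wall.patch to /usr/share/6wall/firewall. The patch's "+++ firewall"
# header names the target relative to that directory, so change into it first.
# The two steps are chained with && so that patch never runs against the wrong
# directory if the cd fails. 6wall.patch must be in /usr/share/6wall, or give
# its full path on the redirect.
cd /usr/share/6wall && patch < 6wall.patch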