Allow to unblock smb and netbios in config.cfg (#1558)
This commit is contained in:
parent
fe19859b00
commit
fe7755e6a0
3 changed files with 13 additions and 6 deletions
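--- a/config.cfg
+++ b/config.cfg
@@ -108,6 +108,12 @@ unattended_reboot:
 # Block traffic between connected clients
 BetweenClients_DROP: true
 
+# Block SMB/CIFS traffic
+block_smb: true
+
+# Block NETBIOS traffic
+block_netbios: true
+
 congrats:
 common: |
 "# Congratulations! #"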
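Review bot: The new `block_smb` and `block_netbios` keys carry one-line comments that name the traffic but say nothing about what `false` does or why `true` is the default, so someone editing config.cfg cannot judge the consequence of flipping them. Suggest expanding the comment above `block_smb` to `# Block SMB/CIFS traffic (TCP 445) from being forwarded through the VPN. Set to false only if VPN clients need Windows file sharing across the tunnel.` and the one above `block_netbios` to `# Block NetBIOS traffic (TCP/UDP 137-139) from being forwarded through the VPN. Set to false only if clients need NetBIOS name/session traffic across the tunnel.`. The ports are the ones the corresponding rule templates in this commit match on.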
@ -88,10 +88,10 @@ COMMIT
# Forward any packet that's part of an established connection
# Forward any packet that's part of an established connection
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Drop SMB/CIFS traffic that requests to be forwarded
# Drop SMB/CIFS traffic that requests to be forwarded
-A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
# Drop NETBIOS trafic that requests to be forwarded
# Drop NETBIOS trafic that requests to be forwarded
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }}
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }}
{% if ipsec_enabled %}
{% if ipsec_enabled %}
# Forward any IPSEC traffic from the VPN network
# Forward any IPSEC traffic from the VPN network
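Review bot: Replacing `DROP` with `ACCEPT` on the port 445 and 137-139 FORWARD rules turns the unblocked case into an explicit early accept, so matching packets are accepted before the `{% if ipsec_enabled %}` forwarding rules that follow ever evaluate them; the IPv6 hunk below changes the same three rules the same way. Whether that widens forwarding beyond VPN-sourced traffic depends on the chain's default policy and the rules outside this hunk, which are not visible here, but emitting the DROP rules only when blocking is enabled lets unblocked traffic fall through to the existing forwarding logic instead of short-circuiting it. Both templates also evaluate `block_smb` and `block_netbios` bare, so a config.cfg that predates these keys would presumably fail to render; `| default(true)` keeps the prior blocking behaviour as the fallback. The context comment `# Drop NETBIOS trafic that requests to be forwarded` has a typo (`traffic`) worth fixing while the lines are being touched.
```jinja
{# … unchanged: established-connection rule … #}
{% if block_smb | default(true) %}
# Drop SMB/CIFS traffic that requests to be forwarded
-A FORWARD -p tcp --dport 445 -j DROP
{% endif %}
{% if block_netbios | default(true) %}
# Drop NETBIOS traffic that requests to be forwarded
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
{% endif %}
{# … unchanged: ipsec_enabled forwarding block … #}
```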
@ -91,9 +91,10 @@ COMMIT
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
-A FORWARD -j ICMPV6-CHECK
-A FORWARD -j ICMPV6-CHECK
-A FORWARD -p tcp --dport 445 -j DROP
-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }}
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }}
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
{% if ipsec_enabled %}
{% if ipsec_enabled %}
-A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT