Add variables and documentation for sysctl variables (fixes #7)

2022-03-15 16:01:42 +01:00 · 2022-03-15 16:01:42 +01:00 · c36be1c9c9
parent be023616a5
commit c36be1c9c9
2 changed files with 103 additions and 29 deletions
--- a/99
+++ b/99
@ -200,39 +200,82 @@ start() {
    # sysctl network security settings
    ##################################

-    # Don't answer to broadcast pings
-    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-
-    # Ignore bogus ICMP responses
-    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-
-    # Disable Source Routing
-    for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
-        echo 0 > "${proc_sys_file}"
-    done
-
-    # Enable TCP SYN cookies to avoid TCP-SYN-FLOOD attacks
+    # Set 1 to ignore broadcast pings (default)
+    : "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS:='1'}"
+    # Set 1 to ignore bogus ICMP responses (default)
+    : "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES:='1'}"
+    # Set 0 to disable source routing (default)
+    : "${SYSCTL_ACCEPT_SOURCE_ROUTE:='0'}"
+    # Set 1 to enable TCP SYN cookies (default)
    # cf http://cr.yp.to/syncookies.html
-    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+    : "${SYSCTL_TCP_SYNCOOKIES:='1'}"
+    # Set 0 to disable ICMP redirects (default)
+    : "${SYSCTL_ICMP_REDIRECTS:='0'}"
+    # Set 1 to enable Reverse Path filtering (default)
+    # Set 0 if VRRP is used
+    : "${SYSCTL_RP_FILTER:='1'}"
+    # Set 1 to log packets with inconsistent address (default)
+    : "${SYSCTL_LOG_MARTIANS:='1'}"

-    # Disable ICMP redirects
-    for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
-        echo 0 > "${proc_sys_file}"
-    done
+    if [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "1" ] || [ "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" = "0" ]; then
+        echo "${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+    else
+        echo "Invalid SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS value '${SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS}', must be '0' or '1'." >&2
+        exit 1
+    fi

-    for proc_sys_file in /proc/sys/net/ipv4/conf/*/send_redirects; do
-        echo 0 > "${proc_sys_file}"
-    done
+    if [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "1" ] || [ "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" = "0" ]; then
+        echo "${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+    else
+        echo "Invalid SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES value '${SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES}', must be '0' or '1'." >&2
+        exit 1
+    fi

-    # Enable Reverse Path filtering : verify if responses use same network interface
-    for proc_sys_file in /proc/sys/net/ipv4/conf/*/rp_filter; do
-        echo 1 > "${proc_sys_file}"
-    done
+    if [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "1" ] || [ "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = "0" ]; then
+        for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
+            echo "${SYSCTL_ACCEPT_SOURCE_ROUTE}" = > "${proc_sys_file}"
+        done
+    else
+        echo "Invalid SYSCTL_ACCEPT_SOURCE_ROUTE value '${SYSCTL_ACCEPT_SOURCE_ROUTE}', must be '0' or '1'." >&2
+        exit 1
+    fi

-    # log des paquets avec adresse incoherente
-    for proc_sys_file in /proc/sys/net/ipv4/conf/*/log_martians; do
-        echo 1 > "${proc_sys_file}"
-    done
+    if [ "${SYSCTL_TCP_SYNCOOKIES}" = "1" ] || [ "${SYSCTL_TCP_SYNCOOKIES}" = "0" ]; then
+        echo "${SYSCTL_TCP_SYNCOOKIES}" > /proc/sys/net/ipv4/tcp_syncookies
+    else
+        echo "Invalid SYSCTL_TCP_SYNCOOKIES value '${SYSCTL_TCP_SYNCOOKIES}', must be '0' or '1'." >&2
+        exit 1
+    fi
+
+    if [ "${SYSCTL_ICMP_REDIRECTS}" = "1" ] || [ "${SYSCTL_ICMP_REDIRECTS}" = "0" ]; then
+        for proc_sys_file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
+            echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}"
+        done
+        for proc_sys_file in /proc/sys/net/ipv4/conf/*/send_redirects; do
+            echo "${SYSCTL_ICMP_REDIRECTS}" > "${proc_sys_file}"
+        done
+    else
+        echo "Invalid SYSCTL_ICMP_REDIRECTS value '${SYSCTL_ICMP_REDIRECTS}', must be '0' or '1'." >&2
+        exit 1
+    fi
+
+    if [ "${SYSCTL_RP_FILTER}" = "1" ] || [ "${SYSCTL_RP_FILTER}" = "0" ]; then
+        for proc_sys_file in /proc/sys/net/ipv4/conf/*/rp_filter; do
+            echo "${SYSCTL_RP_FILTER}" > "${proc_sys_file}"
+        done
+    else
+        echo "Invalid SYSCTL_RP_FILTER value '${SYSCTL_RP_FILTER}', must be '0' or '1'." >&2
+        exit 1
+    fi
+
+    if [ "${SYSCTL_LOG_MARTIANS}" = "1" ] || [ "${SYSCTL_LOG_MARTIANS}" = "0" ]; then
+        for proc_sys_file in /proc/sys/net/ipv4/conf/*/log_martians; do
+            echo "${SYSCTL_LOG_MARTIANS}" > "${proc_sys_file}"
+        done
+    else
+        echo "Invalid SYSCTL_LOG_MARTIANS value '${SYSCTL_LOG_MARTIANS}', must be '0' or '1'." >&2
+        exit 1
+    fi

    # IPTables configuration
    ########################
--- a/minifirewall.conf
+++ b/minifirewall.conf
@ -89,6 +89,7 @@ PROXYBYPASS="${INTLAN} 127.0.0.0/8 ::1/128"
 # (add IP:PORT for each one, example: '192.168.10.1:1234 192.168.10.2:5678')
 BACKUPSERVERS=''

+
 # Includes
 #####################

@ -98,4 +99,34 @@ BACKUPSERVERS=''
 # Within included files, you can use those helper functions :
 # * is_ipv6_enabled: returns true if IPv6 is enabled, or false
 # * is_docker_enabled: returns true if Docker mode is eabled, or false
-# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
+# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
+
+
+# Custom sysctl values (advanced)
+#################################
+
+# In most cases, the default values set by minifirewall are good.
+# If you really know what you are doing,
+# you can uncomment some lines and customize the values.
+
+# Set 1 to ignore broadcast pings (default)
+# SYSCTL_ICMP_ECHO_IGNORE_BROADCASTS='1'
+
+# Set 1 to ignore bogus ICMP responses (default)
+# SYSCTL_ICMP_IGNORE_BOGUS_ERROR_RESPONSES='1'
+
+# Set 0 to disable source routing (default)
+# SYSCTL_ACCEPT_SOURCE_ROUTE='0'
+
+# Set 1 to enable TCP SYN cookies (default)
+# SYSCTL_TCP_SYNCOOKIES='1'
+
+# Set 0 to disable ICMP redirects (default)
+# SYSCTL_ICMP_REDIRECTS='0'
+
+# Set 1 to enable Reverse Path filtering (default)
+# Set 0 if VRRP is used
+# SYSCTL_RP_FILTER='1'
+
+# Set 1 to log packets with inconsistent address (default)
+# SYSCTL_LOG_MARTIANS='1'