+# imported/converted from: /usr/share/shorewall/macro.*
+my $pve_fw_macros = {
+ 'Amanda' => [
+ { action => 'PARAM', proto => 'udp', dport => '10080' },
+ { action => 'PARAM', proto => 'tcp', dport => '10080' },
+ ],
+ 'Auth' => [
+ { action => 'PARAM', proto => 'tcp', dport => '113' },
+ ],
+ 'BGP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '179' },
+ ],
+ 'BitTorrent' => [
+ { action => 'PARAM', proto => 'tcp', dport => '6881:6889' },
+ { action => 'PARAM', proto => 'udp', dport => '6881' },
+ ],
+ 'BitTorrent32' => [
+ { action => 'PARAM', proto => 'tcp', dport => '6881:6999' },
+ { action => 'PARAM', proto => 'udp', dport => '6881' },
+ ],
+ 'CVS' => [
+ { action => 'PARAM', proto => 'tcp', dport => '2401' },
+ ],
+ 'Citrix' => [
+ { action => 'PARAM', proto => 'tcp', dport => '1494' },
+ { action => 'PARAM', proto => 'udp', dport => '1604' },
+ { action => 'PARAM', proto => 'tcp', dport => '2598' },
+ ],
+ 'DAAP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '3689' },
+ { action => 'PARAM', proto => 'udp', dport => '3689' },
+ ],
+ 'DCC' => [
+ { action => 'PARAM', proto => 'tcp', dport => '6277' },
+ ],
+ 'DHCPfwd' => [
+ { action => 'PARAM', proto => 'udp', dport => '67:68', sport => '67:68' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '67:68', sport => '67:68' },
+ ],
+ 'DNS' => [
+ { action => 'PARAM', proto => 'udp', dport => '53' },
+ { action => 'PARAM', proto => 'tcp', dport => '53' },
+ ],
+ 'Distcc' => [
+ { action => 'PARAM', proto => 'tcp', dport => '3632' },
+ ],
+ 'Edonkey' => [
+ { action => 'PARAM', proto => 'tcp', dport => '4662' },
+ { action => 'PARAM', proto => 'udp', dport => '4665' },
+ ],
+ 'FTP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '21' },
+ ],
+ 'Finger' => [
+ { action => 'PARAM', proto => 'tcp', dport => '79' },
+ ],
+ 'GNUnet' => [
+ { action => 'PARAM', proto => 'tcp', dport => '2086' },
+ { action => 'PARAM', proto => 'udp', dport => '2086' },
+ { action => 'PARAM', proto => 'tcp', dport => '1080' },
+ { action => 'PARAM', proto => 'udp', dport => '1080' },
+ ],
+ 'GRE' => [
+ { action => 'PARAM', proto => '47' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '47' },
+ ],
+ 'Git' => [
+ { action => 'PARAM', proto => 'tcp', dport => '9418' },
+ ],
+ 'Gnutella' => [
+ { action => 'PARAM', proto => 'tcp', dport => '6346' },
+ { action => 'PARAM', proto => 'udp', dport => '6346' },
+ ],
+ 'HKP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '11371' },
+ ],
+ 'HTTP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '80' },
+ ],
+ 'HTTPS' => [
+ { action => 'PARAM', proto => 'tcp', dport => '443' },
+ ],
+ 'ICPV2' => [
+ { action => 'PARAM', proto => 'udp', dport => '3130' },
+ ],
+ 'ICQ' => [
+ { action => 'PARAM', proto => 'tcp', dport => '5190' },
+ ],
+ 'IMAP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '143' },
+ ],
+ 'IMAPS' => [
+ { action => 'PARAM', proto => 'tcp', dport => '993' },
+ ],
+ 'IPIP' => [
+ { action => 'PARAM', proto => '94' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '94' },
+ ],
+ 'IPP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '631' },
+ ],
+ 'IPPbrd' => [
+ { action => 'PARAM', proto => 'udp', dport => '631' },
+ ],
+ 'IPPserver' => [
+ { action => 'PARAM', source => 'SOURCE', dest => 'DEST', proto => 'tcp', dport => '631' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '631' },
+ ],
+ 'IPsec' => [
+ { action => 'PARAM', proto => 'udp', dport => '500', sport => '500' },
+ { action => 'PARAM', proto => '50' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500', sport => '500' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '50' },
+ ],
+ 'IPsecah' => [
+ { action => 'PARAM', proto => 'udp', dport => '500', sport => '500' },
+ { action => 'PARAM', proto => '51' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500', sport => '500' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '51' },
+ ],
+ 'IPsecnat' => [
+ { action => 'PARAM', proto => 'udp', dport => '500' },
+ { action => 'PARAM', proto => 'udp', dport => '4500' },
+ { action => 'PARAM', proto => '50' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '500' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '4500' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '50' },
+ ],
+ 'IRC' => [
+ { action => 'PARAM', proto => 'tcp', dport => '6667' },
+ ],
+ 'JabberPlain' => [
+ { action => 'PARAM', proto => 'tcp', dport => '5222' },
+ ],
+ 'JabberSecure' => [
+ { action => 'PARAM', proto => 'tcp', dport => '5223' },
+ ],
+ 'Jabberd' => [
+ { action => 'PARAM', proto => 'tcp', dport => '5269' },
+ ],
+ 'Jetdirect' => [
+ { action => 'PARAM', proto => 'tcp', dport => '9100' },
+ ],
+ 'L2TP' => [
+ { action => 'PARAM', proto => 'udp', dport => '1701' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '1701' },
+ ],
+ 'LDAP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '389' },
+ ],
+ 'LDAPS' => [
+ { action => 'PARAM', proto => 'tcp', dport => '636' },
+ ],
+ 'MSNP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '1863' },
+ ],
+ 'MSSQL' => [
+ { action => 'PARAM', proto => 'tcp', dport => '1433' },
+ ],
+ 'Mail' => [
+ { action => 'PARAM', proto => 'tcp', dport => '25' },
+ { action => 'PARAM', proto => 'tcp', dport => '465' },
+ { action => 'PARAM', proto => 'tcp', dport => '587' },
+ ],
+ 'Munin' => [
+ { action => 'PARAM', proto => 'tcp', dport => '4949' },
+ ],
+ 'MySQL' => [
+ { action => 'PARAM', proto => 'tcp', dport => '3306' },
+ ],
+ 'NNTP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '119' },
+ ],
+ 'NNTPS' => [
+ { action => 'PARAM', proto => 'tcp', dport => '563' },
+ ],
+ 'NTP' => [
+ { action => 'PARAM', proto => 'udp', dport => '123' },
+ ],
+ 'NTPbi' => [
+ { action => 'PARAM', proto => 'udp', dport => '123' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '123' },
+ ],
+ 'NTPbrd' => [
+ { action => 'PARAM', proto => 'udp', dport => '123' },
+ { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '123' },
+ ],
+ 'OSPF' => [
+ { action => 'PARAM', proto => '89' },
+ ],
+ 'OpenVPN' => [
+ { action => 'PARAM', proto => 'udp', dport => '1194' },
+ ],
+ 'PCA' => [
+ { action => 'PARAM', proto => 'udp', dport => '5632' },
+ { action => 'PARAM', proto => 'tcp', dport => '5631' },
+ ],
+ 'POP3' => [
+ { action => 'PARAM', proto => 'tcp', dport => '110' },
+ ],
+ 'POP3S' => [
+ { action => 'PARAM', proto => 'tcp', dport => '995' },
+ ],
+ 'PPtP' => [
+ { action => 'PARAM', proto => '47' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => '47' },
+ { action => 'PARAM', proto => 'tcp', dport => '1723' },
+ ],
+ 'Ping' => [
+ { action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
+ ],
+ 'PostgreSQL' => [
+ { action => 'PARAM', proto => 'tcp', dport => '5432' },
+ ],
+ 'Printer' => [
+ { action => 'PARAM', proto => 'tcp', dport => '515' },
+ ],
+ 'RDP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '3389' },
+ ],
+ 'RIPbi' => [
+ { action => 'PARAM', proto => 'udp', dport => '520' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '520' },
+ ],
+ 'RNDC' => [
+ { action => 'PARAM', proto => 'tcp', dport => '953' },
+ ],
+ 'Razor' => [
+ { action => 'ACCEPT', proto => 'tcp', dport => '2703' },
+ ],
+ 'Rdate' => [
+ { action => 'PARAM', proto => 'tcp', dport => '37' },
+ ],
+ 'Rsync' => [
+ { action => 'PARAM', proto => 'tcp', dport => '873' },
+ ],
+ 'SANE' => [
+ { action => 'PARAM', proto => 'tcp', dport => '6566' },
+ ],
+ 'SMB' => [
+ { action => 'PARAM', proto => 'udp', dport => '135,445' },
+ { action => 'PARAM', proto => 'udp', dport => '137:139' },
+ { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' },
+ { action => 'PARAM', proto => 'tcp', dport => '135,139,445' },
+ ],
+ 'SMBBI' => [
+ { action => 'PARAM', proto => 'udp', dport => '135,445' },
+ { action => 'PARAM', proto => 'udp', dport => '137:139' },
+ { action => 'PARAM', proto => 'udp', dport => '1024:65535', sport => '137' },
+ { action => 'PARAM', proto => 'tcp', dport => '135,139,445' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '135,445' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '137:139' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'udp', dport => '1024:65535', sport => '137' },
+ { action => 'PARAM', source => 'DEST', dest => 'SOURCE', proto => 'tcp', dport => '135,139,445' },
+ ],
+ 'SMBswat' => [
+ { action => 'PARAM', proto => 'tcp', dport => '901' },
+ ],
+ 'SMTP' => [
+ { action => 'PARAM', proto => 'tcp', dport => '25' },
+ ],
+ 'SMTPS' => [
+ { action => 'PARAM', proto => 'tcp', dport => '465' },
+ ],
+ 'SNMP' => [
+ { action => 'PARAM', proto => 'udp', dport => '161:162' },
+ { action => 'PARAM', proto => 'tcp', dport => '161' },
+ ],
+ 'SPAMD' => [
+ { action => 'PARAM', proto => 'tcp', dport => '783' },
+ ],
+ 'SSH' => [
+ { action => 'PARAM', proto => 'tcp', dport => '22' },
+ ],
+ 'SVN' => [
+ { action => 'PARAM', proto => 'tcp', dport => '3690' },
+ ],
+ 'SixXS' => [
+ { action => 'PARAM', proto => 'tcp', dport => '3874' },
+ { action => 'PARAM', proto => 'udp', dport => '3740' },
+ { action => 'PARAM', proto => '41' },
+ { action => 'PARAM', proto => 'udp', dport => '5072,8374' },
+ ],
+ 'Squid' => [
+ { action => 'PARAM', proto => 'tcp', dport => '3128' },
+ ],
+ 'Submission' => [
+ { action => 'PARAM', proto => 'tcp', dport => '587' },
+ ],
+ 'Syslog' => [
+ { action => 'PARAM', proto => 'udp', dport => '514' },
+ { action => 'PARAM', proto => 'tcp', dport => '514' },
+ ],
+ 'TFTP' => [
+ { action => 'PARAM', proto => 'udp', dport => '69' },
+ ],
+ 'Telnet' => [
+ { action => 'PARAM', proto => 'tcp', dport => '23' },
+ ],
+ 'Telnets' => [
+ { action => 'PARAM', proto => 'tcp', dport => '992' },
+ ],
+ 'Time' => [
+ { action => 'PARAM', proto => 'tcp', dport => '37' },
+ ],
+ 'Trcrt' => [
+ { action => 'PARAM', proto => 'udp', dport => '33434:33524' },
+ { action => 'PARAM', proto => 'icmp', dport => 'echo-request' },
+ ],
+ 'VNC' => [
+ { action => 'PARAM', proto => 'tcp', dport => '5900:5909' },
+ ],
+ 'VNCL' => [
+ { action => 'PARAM', proto => 'tcp', dport => '5500' },
+ ],
+ 'Web' => [
+ { action => 'PARAM', proto => 'tcp', dport => '80' },
+ { action => 'PARAM', proto => 'tcp', dport => '443' },
+ ],
+ 'Webcache' => [
+ { action => 'PARAM', proto => 'tcp', dport => '8080' },
+ ],
+ 'Webmin' => [
+ { action => 'PARAM', proto => 'tcp', dport => '10000' },
+ ],
+ 'Whois' => [
+ { action => 'PARAM', proto => 'tcp', dport => '43' },
+ ],
+};
+
+my $pve_fw_parsed_macros;
+my $pve_fw_preferred_macro_names = {};
+
+my $pve_std_chains = {
+ 'PVEFW-SET-ACCEPT-MARK' => [
+ "-j MARK --set-mark 1",
+ ],
+ 'PVEFW-DropBroadcast' => [
+ # same as shorewall 'Broadcast'
+ # simply DROP BROADCAST/MULTICAST/ANYCAST
+ # we can use this to reduce logging
+ { action => 'DROP', dsttype => 'BROADCAST' },
+ { action => 'DROP', dsttype => 'MULTICAST' },
+ { action => 'DROP', dsttype => 'ANYCAST' },
+ { action => 'DROP', dest => '224.0.0.0/4' },
+ ],
+ 'PVEFW-reject' => [
+ # same as shorewall 'reject'
+ { action => 'DROP', dsttype => 'BROADCAST' },
+ { action => 'DROP', source => '224.0.0.0/4' },
+ { action => 'DROP', proto => 'icmp' },
+ "-p tcp -j REJECT --reject-with tcp-reset",
+ "-p udp -j REJECT --reject-with icmp-port-unreachable",
+ "-p icmp -j REJECT --reject-with icmp-host-unreachable",
+ "-j REJECT --reject-with icmp-host-prohibited",
+ ],
+ 'PVEFW-Drop' => [
+ # same as shorewall 'Drop', which is equal to DROP,
+ # but REJECT/DROP some packages to reduce logging,
+ # and ACCEPT critical ICMP types
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
+ # we are not interested in BROADCAST/MULTICAST/ANYCAST
+ { action => 'PVEFW-DropBroadcast' },
+ # ACCEPT critical ICMP types
+ { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
+ { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
+ # Drop packets with INVALID state
+ "-m conntrack --ctstate INVALID -j DROP",
+ # Drop Microsoft SMB noise
+ { action => 'DROP', proto => 'udp', dport => '135,445', nbdport => 2 },
+ { action => 'DROP', proto => 'udp', dport => '137:139'},
+ { action => 'DROP', proto => 'udp', dport => '1024:65535', sport => 137 },
+ { action => 'DROP', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
+ { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
+ # Drop new/NotSyn traffic so that it doesn't get logged
+ "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP",
+ # Drop DNS replies
+ { action => 'DROP', proto => 'udp', sport => 53 },
+ ],
+ 'PVEFW-Reject' => [
+ # same as shorewall 'Reject', which is equal to Reject,
+ # but REJECT/DROP some packages to reduce logging,
+ # and ACCEPT critical ICMP types
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
+ # we are not interested in BROADCAST/MULTICAST/ANYCAST
+ { action => 'PVEFW-DropBroadcast' },
+ # ACCEPT critical ICMP types
+ { action => 'ACCEPT', proto => 'icmp', dport => 'fragmentation-needed' },
+ { action => 'ACCEPT', proto => 'icmp', dport => 'time-exceeded' },
+ # Drop packets with INVALID state
+ "-m conntrack --ctstate INVALID -j DROP",
+ # Drop Microsoft SMB noise
+ { action => 'PVEFW-reject', proto => 'udp', dport => '135,445', nbdport => 2 },
+ { action => 'PVEFW-reject', proto => 'udp', dport => '137:139'},
+ { action => 'PVEFW-reject', proto => 'udp', dport => '1024:65535', sport => 137 },
+ { action => 'PVEFW-reject', proto => 'tcp', dport => '135,139,445', nbdport => 3 },
+ { action => 'DROP', proto => 'udp', dport => 1900 }, # UPnP
+ # Drop new/NotSyn traffic so that it doesn't get logged
+ "-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP",
+ # Drop DNS replies
+ { action => 'DROP', proto => 'udp', sport => 53 },
+ ],
+ 'PVEFW-logflags' => [
+ # same as shorewall logflags action. (fixme: enable/disable logging)
+ "-j LOG --log-prefix \"logflags-dropped:\" --log-level 4 --log-ip-options",
+ "-j DROP",
+ ],
+ 'PVEFW-tcpflags' => [
+ # same as shorewall tcpflags action.
+ # Packets arriving on this interface are checked for som illegal combinations of TCP flags
+ "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags",
+ "-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags",
+ "-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags",
+ "-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags",
+ "-p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags",
+ ],
+ 'PVEFW-smurflog' => [
+ # same as shorewall smurflog. (fixme: enable/disable logging)
+ "-j LOG --log-prefix \"smurfs-dropped\" --log-level 4",
+ "-j DROP",
+ ],
+ 'PVEFW-smurfs' => [
+ # same as shorewall smurfs action
+ # Filter packets for smurfs (packets with a broadcast address as the source).
+ "-s 0.0.0.0/32 -j RETURN",
+ "-m addrtype --src-type BROADCAST -g PVEFW-smurflog",
+ "-s 224.0.0.0/4 -g PVEFW-smurflog",
+ ],
+};
+
+# iptables -p icmp -h
+my $icmp_type_names = {
+ any => 1,
+ 'echo-reply' => 1,
+ 'destination-unreachable' => 1,
+ 'network-unreachable' => 1,
+ 'host-unreachable' => 1,
+ 'protocol-unreachable' => 1,
+ 'port-unreachable' => 1,
+ 'fragmentation-needed' => 1,
+ 'source-route-failed' => 1,
+ 'network-unknown' => 1,
+ 'host-unknown' => 1,
+ 'network-prohibited' => 1,
+ 'host-prohibited' => 1,
+ 'TOS-network-unreachable' => 1,
+ 'TOS-host-unreachable' => 1,
+ 'communication-prohibited' => 1,
+ 'host-precedence-violation' => 1,
+ 'precedence-cutoff' => 1,
+ 'source-quench' => 1,
+ 'redirect' => 1,
+ 'network-redirect' => 1,
+ 'host-redirect' => 1,
+ 'TOS-network-redirect' => 1,
+ 'TOS-host-redirect' => 1,
+ 'echo-request' => 1,
+ 'router-advertisement' => 1,
+ 'router-solicitation' => 1,
+ 'time-exceeded' => 1,
+ 'ttl-zero-during-transit' => 1,
+ 'ttl-zero-during-reassembly' => 1,
+ 'parameter-problem' => 1,
+ 'ip-header-bad' => 1,
+ 'required-option-missing' => 1,
+ 'timestamp-request' => 1,
+ 'timestamp-reply' => 1,
+ 'address-mask-request' => 1,
+ 'address-mask-reply' => 1,
+};