author | Peter Palfrader <peter@palfrader.org> | 2008-11-10 23:26:41 +0000 |
---|---|---|
committer | weasel <weasel@bc3d92e2-beff-0310-a7cd-cc87d7ac0ede> | 2008-11-10 23:26:41 +0000 |
commit | 393fbbb1d5a09694e6ac3878c6f50b8a66243efb (patch) | |
tree | 99b682425be4e8f386fab0f2d19407618aa785e8 | |
parent | 0741d0d39fc9c0554e82b22cd32d696b25b4c790 (diff) |
Insure against evil busses or trucks
git-svn-id: svn+ssh://asteria.noreply.org/svn/weaselutils/trunk@372 bc3d92e2-beff-0310-a7cd-cc87d7ac0ede
-rwxr-xr-x | Generate | 14 |
1 files changed, 14 insertions, 0 deletions
@@ -391,6 +391,7 @@ hostlist.each{ |host|
 iptables = File.new("#{dir}/#{$NAMESPACE}.iptables.sh", "w")
 ip6tables = File.new("#{dir}/#{$NAMESPACE}.ip6tables.sh", "w")
 ipferm = File.new("#{dir}/#{$NAMESPACE}.iptables.ferm", "w")
+ ip6ferm = File.new("#{dir}/#{$NAMESPACE}.ip6tables.ferm", "w")
 iptables.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
 iptables.puts "PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"
 iptables.puts "echo 'Doing #{$NAMESPACE} VPN rules.'"
@@ -403,6 +404,8 @@ hostlist.each{ |host|
 if host['ipv6']
 ip6tables.puts "ip6tables --new-chain vpn-#{$NAMESPACE}"
 ip6tables.puts "ip6tables --flush vpn-#{$NAMESPACE}"
+ ip6ferm.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
+ ip6ferm.puts "def &vpn_#{$NAMESPACE}6() = {"
 end
 ipferm.puts "# Automatically created on #{THISHOST} at #{RIGHTNOW} by #{THISPROGRAM}."
@@ -669,6 +672,7 @@ hostlist.each{ |host|
 conffile.puts "comp-lzo"
 conffile.puts "keepalive 10 30"
 conffile.puts "verb 0"
+ conffile.puts "script-security 2" if host['openvpn'] == '2.1'
 conffile.close
 ##########
@@ -713,6 +717,14 @@ hostlist.each{ |host|
 " interface #{ peer['ifacename'] } " + " ACCEPT;"
+ if host['ipv6'] and peer['ipv6']
+ ip6ferm.puts " saddr #{ host['link-local'][ peer['name'] ]['peer'] } \\"
+ ip6ferm.puts " daddr #{ host['link-local'][ peer['name'] ]['me'] } \\"
+ ip6ferm.puts " proto tcp dport #{ host['bgp_port'] or '179' } \\"
+ ip6ferm.puts " interface #{ peer['ifacename'] } \\"
+ ip6ferm.puts " ACCEPT;"
+ end
+
 ##########
 bgpd.puts "!"
 bgpd.puts "! ** peer #{peer['name']} **"
@@ -756,6 +768,8 @@ hostlist.each{ |host|
 ip6tables.close
 ipferm.puts "}"
 ipferm.close
+ ip6ferm.puts "}"
+ ip6ferm.close
 bgpd.close
 File.chmod(0600, bgpdfilename) == 1 or throw "Cannot chmod #{bgpdfilename}" |
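Review bot: The `# Automatically created…` header and `def &vpn_#{$NAMESPACE}6() = {` are only emitted inside `if host['ipv6']`, but `ip6ferm` is opened for every host in the first hunk and the closing `ip6ferm.puts "}"` in the last hunk is unconditional, so a host without IPv6 ends up with an `.ip6tables.ferm` file containing just `}`, which ferm cannot load. The IPv4 `ipferm` header directly below this block is written unconditionally; mirror that by moving the two `ip6ferm.puts` lines out of the `if host['ipv6']` block, or guard the final brace with `ip6ferm.puts "}" if host['ipv6']`. Either way every generated file is then a complete function definition or consistently empty, instead of a fragment that breaks the ferm run for that host. The enclosing `hostlist.each` block starts and ends outside this hunk.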
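Review bot: `script-security 2` lowers OpenVPN's restriction on executing external programs and user scripts (the level needed for `up`/`down`-style hooks), yet nothing in the hunk says which directive in this generated config requires it; if none of the emitted directives run a script, the line widens what the daemon may execute for no benefit. Add a why-comment next to it, e.g. `# OpenVPN 2.1 defaults to script-security 1, which refuses to run the hook scripts this config relies on; 2 is the minimum that allows them, do not raise to 3` — adjusted to name the directive that actually needs it — so a later edit does not bump the level further. The guard is an exact string compare, so a host tagged `'2.1.4'` or `'2.2'` silently gets no `script-security` line at all; if that is intended, state it in the same comment, otherwise compare on a parsed version. The surrounding `conffile` generation starts outside this hunk.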
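Review bot: Each added `ip6ferm.puts` terminates its output line with a literal backslash (`\\` in the Ruby string), whereas the IPv4 rule visible at the top of the hunk is assembled with Ruby `+` and emits no backslashes. ferm's grammar is whitespace-insensitive and ends each rule at `;`, so the continuation characters are unnecessary; I cannot confirm from here whether ferm's lexer tolerates a stray `\`, and if it does not the whole `.ip6tables.ferm` fails to parse, the `&vpn_…6` function is never defined and every IPv6 BGP accept rule is lost rather than one. Safer to emit the same shape as the IPv4 block, e.g. `ip6ferm.puts " saddr #{ … } daddr #{ … } proto tcp dport #{ host['bgp_port'] or '179' } interface #{ peer['ifacename'] } ACCEPT;"` as one string or a `+` chain. The enclosing per-peer loop starts and ends outside this hunk.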