
init/enable-ipv6 doc/default: currently enable_ipv6=false means: do not call
ip6tables.  It should mean: block all IPv6 traffic.  See NEWS.

Fri 22 10:16 <@Fruit> joostvb: if IPv6 is disabled in uruk, maybe just block all IPv6 traffic?
Fri 22 10:17 <@Fruit> wipe all tables and set the policy to DROP?
Fri 22 10:17 <@Fruit> I could quickly put together a nice autistic ruleset
Fri 22 10:22 < joostvb> yes, please, such an autistic ruleset for ipv6

<quote>

Date: Fri, 22 Mar 2013 11:00:13 +0100
From: Wessel Dankers
To: Joost
Subject: autistic IPv6 rulebase
Message-ID: <20130322100013.GN2849@homsar.uvt.nl>

To feed to ip6tables-restore:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

*raw
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

*mangle
:PREROUTING DROP [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT

Without ip6tables-restore:

ip6tables -F
ip6tables -t raw -F
ip6tables -t mangle -F

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

ip6tables -t raw -P PREROUTING DROP
ip6tables -t raw -P OUTPUT DROP

ip6tables -t mangle -P PREROUTING DROP
ip6tables -t mangle -P INPUT DROP
ip6tables -t mangle -P FORWARD DROP
ip6tables -t mangle -P OUTPUT DROP
ip6tables -t mangle -P POSTROUTING DROP

This does assume, by the way, that you set the policies to ACCEPT in uruk,
which should happen anyway (otherwise you cannot load a ruleset
robustly).

</quote>

-----------

later: reimplement uruk-save in perl, be sure to run it only when /usr is
mounted, not in init-script during boot.

from group/uruk/etc/uruk/rc-experimental by Wessel Dankers, 2012:

-------------------

Tue 23 15:50 < Fruit> joostvb: Saving iptables ruleset: save "inactive".
Tue 23 15:50 < Fruit> joostvb: that is what I'm trying to prevent, with enable_autosave=false and
                     enable_save_counters=false
Tue 23 15:51 < Fruit> joostvb: but it keeps doing it

- enable ip-not-yet-known: for roaming users, for fast-changing IPv6 addresses, for
interfaces for which the IP is not yet known.  Optionally: allow specifying a range as
local address.  Tnx Wessel for reporting the issue.

- init script

*** /var issue

2 init scripts

one does deny-everything
the second does the actual stuff

alternative:

ifupdown /etc/network/interfaces and especially /etc/init.d/networking

/run is cleared during reboot.  we'd prefer to be able to load from saved state during
boot.  therefore, first block everything.  later, when /var etc. are available,
run uruk.  what to do before halt?

*** rh issue

/etc/redhat-lsb/lsb_* provided by redhat-lsb-4.0-3.el6.x86_64
License GPL, by Lawrence Lim et al., 2011, for Red Hat, Inc.

--------------

- decide: fork this package, get new name, don't bother about migration scenario,
  use dedicated named chains and tables.

- major overhaul: use different chains, optimise behaviour when dealing with ipv6.
  we deal with private ip ranges in a braindead way; improve that.

- test on dijkstra, rolle, bruhat, freitag
   root@janacopoulos:/tmp# wget http://mdcc.cx/tmp/uruk/uruk_20110602-1_all.deb && dpkg -i uruk_20110602-1_all.deb

-------------

- add a full IPv6 example to uruk-rc manpage (we now only have the example
  rc-file).

-  28 14:11 < joostvb> ip6_noroute_ranges='::1/128 ffff:0:0::/96 fc00::/7 
                       fec0::/10 0200::/7 2001:0db8::/32'
Fri 28 14:14 < Fruit> joostvb: by the way, in IPv6 it is much better to talk about
                     *routable* than unroutable
Fri 28 14:14 < Fruit> 2000::/3 is simply the only one that is routable, the rest is
                     local
Fri 28 14:26 < Fruit> 2001:0DB8::/32 has been assigned as a NON-ROUTABLE range
                     to be used for documentation purpose [RFC3849].
Fri 28 14:26 < Fruit> there goes the nice 2000::/3 rule :(


--------------- first first prio -----------------------------------

- improve flush:
Subject: Re: uruk Re: flushing iptables: ugly but robust
From: Wessel Dankers <wsl@uvt.nl>
In-Reply-To: <20110114092236.GA14988@dijkstra.uvt.nl>
> On Fri 14 Jan 2011 at 10:17:10 +0100 Wessel Dankers wrote:
> > iptables-save |
> >   sed -rn 's/^:([A-Z]+) [A-Z]+ \[[0-9]+:[0-9]+\]$/:\1 ACCEPT [0:0]/p; /^(\*|COMMIT$)/p' |
> >   iptables-restore
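The flush pipeline quoted above, run over a constructed iptables-save dump so its effect is visible (added example, not code from uruk or from Wessel's mail; the sample dump is made up). Because the input comes from iptables-save, the reset covers every table that is actually loaded, nat and mangle included:

```shell
#!/bin/sh
# Constructed sample of iptables-save output (not captured from a real host):
# a filter table with DROP policies and a user-defined chain, plus a nat table.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [12:3456]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:1000]
:uruk-in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j uruk-in
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed'

# Rewrite a saved ruleset (stdin) into a "reset" ruleset (stdout):
# - every built-in chain keeps its name but gets policy ACCEPT and zeroed counters;
# - user-defined chains (policy "-", lower-case names) and all -A rules are dropped;
# - table headers and COMMIT lines are kept so iptables-restore replaces each table.
# Piping the result into iptables-restore (without --noflush) therefore empties every
# loaded table and leaves open policies, ready for a fresh ruleset to be loaded.
# sed -E is the portable spelling of the -r used in the mail.
reset_ruleset() {
    sed -E -n 's/^:([A-Z]+) [A-Z]+ \[[0-9]+:[0-9]+\]$/:\1 ACCEPT [0:0]/p; /^(\*|COMMIT$)/p'
}

# Run the constructed dump through the filter; returns the reset ruleset.
demo_reset() {
    printf '%s\n' "$SAMPLE_DUMP" | reset_ruleset
}

# Number of lines left, to show the rules and the user chain are gone.
demo_reset_lines() {
    demo_reset | wc -l | tr -d ' '
}

# Stand-alone usage: print the ruleset that would be piped into iptables-restore.
demo_reset
```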

- use strings like these for net_foo:

privnet-10
privnet-0
privnet-172

-  29 15:16 < fvos> joostvb: maybe it is already possible, but on the eee I want
                    it to also work when there is a different IP address per
                    connection
Sat 29 15:18 < fvos> there is no checking of the rc-file, as you note yourself,
                    but with my xml+xsl addition you can validate the
                    configuration documents against an xsd and split the file
                    into logical files that you merge with xinclude
Sat 29 19:29 < joostvb> fvos: validating against an xsd: patches welcome :)
Sat 29 19:29 < joostvb> fvos: but I don't think I'll make that the default,
                       having it do that

- localhost is 0000:0000:0000:0000:0000:0000:0000:0001 aka
Fri 18 10:36 < Fruit> ::1
0000:0000:0000:0000:0000:0000:0000:0000/0 is ::/0
s/(^|:)(0+($|:))+/::/
a run of all-zero words can be abbreviated to ::
Tnx Wessel
http://www.faqs.org/rfcs/rfc3330.html

- Suggested by Casper Gielen: enable broadcast/multicast filtering for IPv6.
 Careful, this part is very different from IPv4.  IPv6 does not support
 broadcast (at all) while support for multicast is mandatory.  Do not block
 without a proper understanding of what you are blocking.
 Very likely needs to get implemented in script/uruk.in near "# Don't answer
 broadcast and multicast packets"


----------------- first prio ------------------------------------

RSN: write urukconfig : generate uruk rc file based upon currently
offered network services.  all services will be available for _all_ IPs
(or perhaps just local network?)
Packages could run this to generate a first rc file.

----------------- candidates for upcoming release ------------------

- use ip{,6}tables-apply by Martin Krafft: safe testing of new rules on remote host.

- get rid of duplicated code in init-script:
      if test "$found_active" -a "$found_inactive"; then
      eval found_$rule=1

- dpkg --remove uruk does not remove symlinks in /etc/rcS.d/; init-script fails hard
  if binary gone.

- dpkg --purge uruk does not remove /var/lib/uruk/iptables/active.

- "status" is broken in case IPv6 is enabled (found on yosida):

root@yosida:~# invoke-rc.d uruk start
Saving IPv4 uruk rules as active ruleset.
Loading iptables ruleset: load "active".
Starting uruk (iptables)
Saving IPv6 uruk rules as active ruleset.
Loading ip6tables ruleset: load "active".
Starting uruk (ip6tables)

root@yosida:~# /etc/init.d/uruk status
* Checking uruk (iptables): both active and inactive rulesets present, but active ruleset not loaded
* Checking uruk (ip6tables): both active and inactive rulesets present, but active ruleset not loaded

- "start" when uruk is running flushes and reloads current active ruleset.
  Should it do this?  Or should it rather be a no-op? check lsb.

- add a "dump-status" option to init-script: dump details about status, keep
  tmpfiles.  Useful for debugging.

- /etc/init.d/uruk flush does not flush nat nor mangle table.  This means
force-reload breaks when these tables are in use.  See comment near initd_flush.
Fix this, and accept the introduced cruft.   Tnx Wessel.

- Phase out support for services_eth0_udp, but enforce ipS_eth0; warn for
obsolete syntax


----------------- end of candidates for upcoming release ------------------
----------------- stuff which just might happen one day -------------------

- improve documentation on usage with non-fixed IPs, refer to /etc/network/if-up.d/uruk.

- using names of interfaces in names of variables is dumb.  the characters
  @ : . occur in interface names, but are not allowed in variable names.
  E.g. eth0.54@eth0 and vif6.0 and eth0:3 

- use functions
   log_daemon_msg
   log_end_msg
   log_action_msg
in init-script, see e.g. firehol init script

- Thu 20 23:13 < fvos> joostvb: I would like to see the current rc split into
                     several separate files, for example 'networks',
                     'sources' and so on.  That way the entries in those
                     files can also have simpler names, and quality control
                     for missing references might be easier too.
Fri 21 05:37 < joostvb> fvos: a syntax checker would indeed be handy,
                        yes

- Phase out support for rc_e

- Debian package: S40uruk could better be S41uruk: explicitly start after
networking (which is S40networking).

- We set up firewall rules only _after_ the network interfaces are configured.
This is dumb: we are vulnerable to bugs in the kernel's IP stack.  One
solution for this: create an /etc/init.d/uruk-pre script, which is run as early
as possible, and _before_ network interfaces are configured.  It should disable
all network traffic (except for traffic on the loopback interface).  Only later
are network interfaces configured, /etc/init.d/uruk run and network services
started.  (N.B.: so even with the current setup we _do_ protect our
services).

- In uruk-rc manpage, include example rc-file verbatim.  Include license text.

- Create "upload" target in /Makefile.am

- Improve examples in documentation:
<Fruit> joostvb: ik geloof dat ":" een leuke shorthand is voor "alle poorten"

- Fix bugs in uruk script: (force-)reload should do something sane when
uruk not running.

- Check documentation: uruk-rc manpage needs more stuff.

- Perhaps we need an uruk-init manpage, for the init script.

- Write a wrapper for OpenBSD's pf and FreeBSD's ipfilter, so that these tools
can use the same rc file format.  We'd also have to make sure init-script
works on non-LSB-systems, then.

- Reimplement uruk-save: make it more robust.  See
http://www.faqs.org/docs/iptables/iptables-save.html for example of file
format.  Use logic from iptables-save.c.

- Think about an alternative for uruk-save: create a chain, and enable it once it's
fully built by doing just one iptables call.  This would allow truly atomic
loading of new rulesets.

- Is it sane to allow all traffic in default inactive rule?

- Check save_counters support in init script.  It's likely broken.

- Date: Wed, 9 Feb 2005 15:09:16 +0100
Message-ID: <20050209140916.GZ1487@trogdor.uvt.nl>
Recognise broadcasts (perhaps by destination MAC address?) and do not log them.
.
alternative implementation: near code-snippet:
 # supporting this for multiple-ips would need multiple chains
 # or, perhaps, some iptables extension.
This log-spamming happens only in multiple-ip-per-nic mode.
Do DROP stuff just before log, would that work?  (No, we really can't do
something like "--dest !(ip1 or ip2 or ip3)".)
.
yet to implement: loglevel "high".  Document multiple ip per nic logspamming bug.

# this file maintained at http://git.mdcc.cx/uruk.git
