From 347eb1547fa3831998162f5c0c203eacd7a2b6aa Mon Sep 17 00:00:00 2001
From: Mike Crute
Date: Thu, 29 Jul 2010 21:54:52 -0400
Subject: Allow blocking of funny business.

---
 firewall | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/firewall b/firewall
index 9661098..1117ee5 100644
--- a/firewall
+++ b/firewall
@@ -20,6 +20,7 @@ WHITE='\033[0m'
 RED='\033[0;31m'
 ALLOW_PING=0
+FUNNY_BUSINESS=0
 function do_log
 {
@@ -51,6 +52,16 @@ function flush_all
 do_log "All chains flushed" $?
 }
+function block_shenanigans
+{
+ iptables -A INPUT -f -j DROP
+ do_log "Blocking packet fragments" $?
+ iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+ do_log "Blocking null packets" $?
+ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+ do_log "Blocking christmas-tree packets" $?
+}
 function set_ping
 {
 policy="ACCEPT"
@@ -74,7 +85,7 @@ function load_policy
 LOADFILE="/etc/firewall/iptables-$policy"
 if [ -r $LOADFILE ]; then
- . $LOADFILE
+ source $LOADFILE
 flush_all
 do_log "Loading ruleset $LOADFILE" $?
 else
@@ -138,6 +149,7 @@ function lockdown
 function build_firewall
 {
 load_policy $1
+ [[ $FUNNY_BUSINESS == 0 ]] && block_shenanigans
 set_defaults
 set_ping $ALLOW_PING
-- 
cgit v1.2.3
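Review bot: `FUNNY_BUSINESS=0` reads as "funny business disabled" while it actually means "drop fragments, null and xmas-tree packets" (the check in build_firewall in the last hunk runs block_shenanigans when the value is 0), so the flag's sense is inverted relative to its name. A comment on the assignment, `# 0 = drop fragments, null and xmas-tree TCP packets (block_shenanigans); 1 = leave them alone`, or a positively named flag such as `BLOCK_SHENANIGANS=1` would make a misconfiguration much less likely. The variable is defined here and consumed only in the last hunk.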
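Review bot: `iptables -A INPUT -f -j DROP` in block_shenanigans is unlikely to do what its log message promises: if the sourced ruleset uses connection tracking (`-m state`/`-m conntrack`), the kernel reassembles datagrams before the filter table sees them and `-f` never matches, while without conntrack the rule silently drops every legitimately fragmented datagram (large UDP replies, some ICMP). If the intent is to stop fragment-based evasion, a comment should state that dependency, or the ruleset should rely on a stateful `-m conntrack --ctstate INVALID -j DROP` instead. All three drops are also silent; for detection a rate-limited log rule before each, e.g. `iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/min -j LOG --log-prefix "FW null: "`, would make hits visible in the system log. The rules are appended to INPUT only, so if this host forwards traffic the same packets pass through FORWARD untouched; this may be intentional but is not documented.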
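Review bot: `source $LOADFILE` (like the `[ -r $LOADFILE ]` test above it) leaves the path unquoted, and the path is built from the caller-supplied `$policy` and then executed as shell, so a policy name containing whitespace, glob characters or `..` is neither rejected nor contained. Quote both uses (`source "$LOADFILE"`) and, unless `$policy` is always a fixed name passed by the init script, restrict it before building the path, e.g. `[[ $policy =~ ^[A-Za-z0-9_-]+$ ]] || return 1`. The `.` → `source` change itself is behaviour-neutral in bash, which the script already requires through `function` and `[[`. load_policy continues beyond the hunk, so its `else` branch is not visible here.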
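Review bot: `[[ $FUNNY_BUSINESS == 0 ]] && block_shenanigans` fails open: load_policy has just sourced an external file on the line above, so if that file unsets the variable or sets it to anything other than `0` (an empty string, `no`, a typo) the drop rules are silently skipped with no log entry. Gating on the explicit opt-out instead, `[[ $FUNNY_BUSINESS != 1 ]] && block_shenanigans`, keeps the protective default for every value except a deliberate `1`. build_firewall continues past the end of the hunk, so whether set_defaults later reorders or flushes these rules cannot be confirmed from here.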