Renames

config

@@ -7,44 +7,62 @@ lanip=192.168.1.1
 lanbro=192.168.1.255
 
 ## badips.com ##
+blockbad=true
+logbad=true
 # ipset name
-banset=badips
+badset=badips
 # set size, default 65536
-badmaxelems=131072
+badmax=131072
 # 0 - 5 , 0 will ban max
-banlevel=0
+badlevel=0
 # ban time in seconds,  1 week =  604800,  1 day = 86400
-banttl=604800
+badttl=604800
 # h,d,w,m,y
-rangecheck=2h
+badrange=2h
 # ssh,http... or any
-banservice=any
+badservice=any
 
 ## whitenets ##
+whitenets=true
 #ipset name
-whiteset=goodips
+whitenetset=whitenets
 # set size, default 65536
-whitemaxelems=65536
+whitenetmax=65536
 # default ttl
-whitettl=172800
+whitenetttl=172800
 
 ## scannets ##
+blockscan=true
+logscan=true
 #ipset name
 scanset=scanips
 # set size, default 65536
-scanmaxelems=65536
+scanmax=65536
 # default ttl
 scanttl=172800
 
+## whitelistip ##
+whiteip=true
+unblockscan=true
+unblockbad=true
+#ipset name
+whiteipset=whiteips
+# set size, default 65536
+whiteipmax=65536
+# default ttl
+whiteipttl=172800
+
+## Multicast and broadcast ##
+cast=true
+blockcast=false
+logcast=true
+
 ## DEBUG ##
 loginput=true
 logstrange=true
 logbroken=true
 loginvalid=true
 logforward=true
-logbad=true
-logscan=true
-logcast=true
 debugtcp=true
 debugudp=true
 debugicmp=true
@@ -56,7 +74,7 @@ cast
 lan
 public
 badips
-white
+whitenets
 scanips
 final
 )

e-badips

@@ -7,14 +7,14 @@ source $CONFD/config
 tmp=$(mktemp)
 trap "/bin/rm -f ${tmp}" EXIT SIGHUP SIGINT SIGTERM
 
-if curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${banservice}/${banlevel}?age=${rangecheck}" ; then
+if curl -f -s -S -m 60 -o $tmp "https://www.badips.com/get/list/${badservice}/${badlevel}?age=${badrange}" ; then
     while read -r ip ; do
-        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
+        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${badset} ${ip} timeout $badttl
     done < $tmp
 fi
 
 if curl -f -s -S -m 60 -o $tmp  "http://api.blocklist.de/getlast.php?time=7200&service=all" ; then
     while read -r ip ; do
-        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${banset} ${ip} timeout $banttl
+        [[ "$ip" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$ ]] && ipset -! add ${badset} ${ip} timeout $badttl
     done < $tmp
 fi

e-pullasn

@@ -13,5 +13,5 @@ while read -r asn ; do
 done < $CONFD/WHITE.asn
 
 grep -Eo "([0-9.]+){4}/[0-9]+" $tmp | while read -r net ; do
-    ipset -! add  $whiteset $net timeout $whitettl
+    ipset -! add  $whitenetset $net timeout $whitenetttl
 done

e-router

@@ -138,7 +138,7 @@ _init(){
 }
 
 _unblock(){
-    ipset create -! $scanset hash:ip hashsize $scanmaxelems timeout $scanttl maxelem $scanmaxelems forceadd counters
+    ipset create -! $scanset hash:ip hashsize $scanmax timeout $scanttl maxelem $scanmax forceadd counters
     ${iptables} -N FWUNBLOCK
     ${iptables} -A FWUNBLOCK -i ${wan} -m set --match-set $scanset src -j LOG --log-prefix "UNBLOCK: " --log-level 7
     ${iptables} -A FWUNBLOCK -i ${wan} -m set --match-set $scanset src -j SET --del-set $scanset src
@@ -146,10 +146,10 @@ _unblock(){
 }
 
 _whitenets() {
-    ipset create -! $whiteset hash:net hashsize 4096 timeout $whitettl maxelem $whitemaxelems
+    ipset create -! $whitenetset hash:net hashsize 4096 timeout $whitenetttl maxelem $whitenetmax
     while read -r net ; do
         [[ "$net" =~ ^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}.[0-9]{1,}/[0-9]{1,}$ ]] || continue
-        ipset -! add  $whiteset $net timeout 0
+        ipset -! add  $whitenetset $net timeout 0
     done < $confd/WHITE.nets
 }
 
@@ -194,13 +194,13 @@ lan() {
 }
 
 badips() {
-    ipset create -! $banset hash:ip hashsize $badmaxelems timeout $banttl maxelem $badmaxelems
+    ipset create -! $badset hash:ip hashsize $badmax timeout $badttl maxelem $badmax
     ${iptables} -N FWBAD
     if $logbad ; then
         _droplog "BAD"
-        ${iptables} -A FWBAD -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW -j BADLOGDROP
+        ${iptables} -A FWBAD -i ${wan} -m set --match-set $badset src -m conntrack --ctstate NEW -j BADLOGDROP
     fi
-    ${iptables} -A FWBAD -i ${wan} -m set --match-set $banset src -m conntrack --ctstate NEW -j ENDRESET
+    ${iptables} -A FWBAD -i ${wan} -m set --match-set $badset src -m conntrack --ctstate NEW -j ENDRESET
     ${iptables} -A INPUT -j FWBAD
 }
 
@@ -213,7 +213,7 @@ scanips() {
     ${iptables} -A INPUT -j FWSCAN
 }
 
-white() {
+whitenets() {
     _whitenets
     ${iptables} -N FWFILTERED
     while read -r port ; do
@@ -224,8 +224,8 @@ white() {
         [[ "$port" =~ ^[0-9]{1,}$ ]] || continue
         ${iptables} -A FWFILTERED -p tcp -m conntrack --ctstate NEW --ctproto TCP --dport $port -j ACCEPT
     done < $confd/WHITE.tcp
-    ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto UDP -j FWFILTERED
-    ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $whiteset src -m conntrack --ctstate NEW --ctproto TCP -j FWFILTERED
+    ${iptables} -A INPUT -i ${wan} -p udp -m set --match-set $whitenetset src -m conntrack --ctstate NEW --ctproto UDP -j FWFILTERED
+    ${iptables} -A INPUT -i ${wan} -p tcp -m set --match-set $whitenetset src -m conntrack --ctstate NEW --ctproto TCP -j FWFILTERED
 }
 
 public() {