From: <kr...@us...> - 2006-08-15 01:45:41
|
Revision: 256 Author: krisk84 Date: 2006-08-14 18:45:38 -0700 (Mon, 14 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=256&view=rev Log Message: ----------- openvpn init fixes Modified Paths: -------------- trunk/package/openvpn/openvpn.init Modified: trunk/package/openvpn/openvpn.init =================================================================== --- trunk/package/openvpn/openvpn.init 2006-08-14 20:30:40 UTC (rev 255) +++ trunk/package/openvpn/openvpn.init 2006-08-15 01:45:38 UTC (rev 256) @@ -2,7 +2,11 @@ . /etc/rc.conf init () { + +if [ "$VPN" -a "VPN" = "openvpn" ] +then #check for existing of tun adapter + if [ -e /dev/net/tun ] then echo "Tun device was found." @@ -45,17 +49,12 @@ status /var/log/openvpn-status.log log-append /var/log/openvpn.log daemon" >> /tmp/etc/openvpn.conf - +fi } start () { -if [ $VPN -a $VPN = "raccoon" ] +if [ -f /tmp/etc/openvpn.conf ] then -echo "You have selected raccoon for your VPN service. Configure manually." -fi - -if [ $VPN -a $VPN = "openvpn" ] -then echo "Starting OpenVPN with settings from /etc/openvpn" /usr/sbin/openvpn /etc/openvpn.conf fi This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
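Review bot: In the new guard `if [ "$VPN" -a "VPN" = "openvpn" ]` the second operand is the literal string `VPN`, not the variable, so the comparison is always false and the whole body of init() — the tun-device check and the generation of /tmp/etc/openvpn.conf — is skipped on every boot. It should read `if [ "$VPN" -a "$VPN" = "openvpn" ]`, matching the form the removed start() test used. init() continues past the end of this hunk.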
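Review bot: start() now keys on `/tmp/etc/openvpn.conf` existing but launches `/usr/sbin/openvpn /etc/openvpn.conf`, a different path; unless /etc/openvpn.conf is a link to the /tmp/etc copy that init() writes (not visible here), the file tested for and the file handed to the daemon are not the same. Using one path in both places, e.g. `/usr/sbin/openvpn /tmp/etc/openvpn.conf`, removes the ambiguity. The removed raccoon branch also took with it the only hint that raccoon needs manual configuration; if that is still an accepted value of $VPN, a one-line echo would be worth keeping. start() ends outside this hunk.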
From: <kr...@us...> - 2006-08-14 20:30:49
|
Revision: 255 Author: krisk84 Date: 2006-08-14 13:30:40 -0700 (Mon, 14 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=255&view=rev Log Message: ----------- default config updates, rp-pppoe fixes Modified Paths: -------------- trunk/astlinux.config trunk/package/rp-pppoe/rp-pppoe.mk trunk/target/generic/target_skeleton/etc/init.d/network Added Paths: ----------- trunk/package/rp-pppoe/rp-pppoe-3.8-Makefile.patch trunk/package/rp-pppoe/rp-pppoe-3.8-configure.patch Modified: trunk/astlinux.config =================================================================== --- trunk/astlinux.config 2006-08-14 18:43:46 UTC (rev 254) +++ trunk/astlinux.config 2006-08-14 20:30:40 UTC (rev 255) @@ -34,7 +34,7 @@ BR2_TOPDIR_PREFIX="" BR2_TOPDIR_SUFFIX="" BR2_GNU_BUILD_SUFFIX="pc-linux-gnu" -BR2_JLEVEL=2 +BR2_JLEVEL=10 # # Toolchain Options @@ -163,6 +163,7 @@ # Other stuff # # BR2_PACKAGE_ACPID is not set +# BR2_PACKAGE_ARNOFW is not set BR2_PACKAGE_ASTERISK=y BR2_PACKAGE_ASTERISK_LIBPRI=y BR2_PACKAGE_ASTERISK_ZAPTEL=y @@ -232,7 +233,7 @@ BR2_PACKAGE_LIBELF=y # BR2_PACKAGE_LIBFLOAT is not set # BR2_PACKAGE_LIBGLIB12 is not set -# BR2_PACKAGE_LIBMAD is not set +BR2_PACKAGE_LIBMAD=y BR2_PACKAGE_LIBPCAP=y # BR2_PACKAGE_LIBPNG is not set # BR2_PACKAGE_LIBPQ is not set @@ -262,7 +263,7 @@ # BR2_PACKAGE_MODUTILS is not set # BR2_PACKAGE_MPG123 is not set # BR2_PACKAGE_MROUTED is not set -# BR2_PACKAGE_MSMTP is not set +BR2_PACKAGE_MSMTP=y # BR2_PACKAGE_MTD is not set BR2_PACKAGE_NANO=y BR2_PACKAGE_NCURSES=y @@ -273,6 +274,7 @@ BR2_PACKAGE_NEWT=y # BR2_PACKAGE_NTP is not set BR2_PACKAGE_OPENNTPD=y +# BR2_PACKAGE_OPENSER is not set BR2_PACKAGE_OPENSSH=y BR2_PACKAGE_OPENSSL=y # BR2_PACKAGE_OPENSSL_TARGET_HEADERS is not set 
@@ -292,16 +294,18 @@ # BR2_PACKAGE_RAIDTOOLS is not set # BR2_READLINE is not set # BR2_PACKAGE_RESCONV is not set +BR2_PACKAGE_RP-PPPOE=y BR2_PACKAGE_RSYNC=y # BR2_PACKAGE_RUBY is not set # BR2_PACKAGE_RXVT is not set BR2_PACKAGE_SCREEN=y # BR2_PACKAGE_SDL is not set -# BR2_PACKAGE_SFDISK is not set +BR2_PACKAGE_SFDISK=y # BR2_PACKAGE_SLANG is not set # BR2_PACKAGE_SMARTMONTOOLS is not set # BR2_PACKAGE_SOCAT is not set -# BR2_PACKAGE_SOX is not set +BR2_PACKAGE_SOX=y +BR2_PACKAGE_SOX_LIBMAD=y BR2_PACKAGE_STRACE=y BR2_PACKAGE_SYSFSUTILS=y # BR2_PACKAGE_SYSKLOGD is not set Added: trunk/package/rp-pppoe/rp-pppoe-3.8-Makefile.patch =================================================================== --- trunk/package/rp-pppoe/rp-pppoe-3.8-Makefile.patch (rev 0) +++ trunk/package/rp-pppoe/rp-pppoe-3.8-Makefile.patch 2006-08-14 20:30:40 UTC (rev 255) 
@@ -0,0 +1,57 @@ +diff -ur rp-pppoe-3.8.orig/src/libevent/Makefile.in rp-pppoe-3.8/src/libevent/Makefile.in +--- rp-pppoe-3.8.orig/src/libevent/Makefile.in 2006-04-02 10:29:42.000000000 -0400 ++++ rp-pppoe-3.8/src/libevent/Makefile.in 2006-08-14 15:25:02.000000000 -0400 +@@ -39,4 +39,4 @@ + + FORCE: + +-.phony: FORCE +\ No newline at end of file ++.phony: FORCE +diff -ur rp-pppoe-3.8.orig/src/Makefile.in rp-pppoe-3.8/src/Makefile.in +--- rp-pppoe-3.8.orig/src/Makefile.in 2006-04-02 10:29:42.000000000 -0400 ++++ rp-pppoe-3.8/src/Makefile.in 2006-08-14 15:24:26.000000000 -0400 +@@ -62,21 +62,23 @@ + TARGETS=@TARGETS@ + PPPOE_SERVER_LIBS=$(LIC_LIBDIR) $(LIC_LIB) + ++LIBS="-lc" ++ + all: $(TARGETS) + @echo "" + @echo "Type 'make install' as root to install the software." + + pppoe-sniff: pppoe-sniff.o if.o common.o debug.o +- @CC@ -o pppoe-sniff pppoe-sniff.o if.o common.o debug.o ++ @CC@ $(CFLAGS) -o pppoe-sniff pppoe-sniff.o if.o common.o debug.o $(LIBS) + + pppoe-server: pppoe-server.o if.o debug.o common.o md5.o libevent/libevent.a @PPPOE_SERVER_DEPS@ +- @CC@ -o pppoe-server @RDYNAMIC@ pppoe-server.o if.o debug.o common.o md5.o $(PPPOE_SERVER_LIBS) -Llibevent -levent ++ @CC@ $(CFLAGS) -o pppoe-server @RDYNAMIC@ pppoe-server.o if.o debug.o common.o md5.o $(PPPOE_SERVER_LIBS) -Llibevent -levent $(LIBS) + + pppoe: pppoe.o if.o debug.o common.o ppp.o discovery.o +- @CC@ -o pppoe pppoe.o if.o debug.o common.o ppp.o discovery.o ++ @CC@ $(CFLAGS) -o pppoe pppoe.o if.o debug.o common.o ppp.o discovery.o $(LIBS) + + pppoe-relay: relay.o if.o debug.o common.o +- @CC@ -o pppoe-relay relay.o if.o debug.o common.o ++ @CC@ $(CFLAGS) -o pppoe-relay relay.o if.o debug.o common.o $(LIBS) + + pppoe.o: pppoe.c pppoe.h + @CC@ $(CFLAGS) '-DVERSION="$(VERSION)"' -c -o pppoe.o pppoe.c +@@ -113,13 +115,13 @@ + + # Linux-specific plugin + rp-pppoe.so: plugin/libplugin.a plugin/plugin.o +- @CC@ -o rp-pppoe.so -shared plugin/plugin.o plugin/libplugin.a ++ @CC@ $(CFLAGS) -o rp-pppoe.so 
-shared plugin/plugin.o plugin/libplugin.a + + plugin/plugin.o: plugin.c + @CC@ '-DRP_VERSION="$(VERSION)"' $(CFLAGS) -I$(PPPD_INCDIR) -c -o plugin/plugin.o -fPIC plugin.c + + plugin/libplugin.a: plugin/discovery.o plugin/if.o plugin/common.o plugin/debug.o +- ar -rc $@ $^ ++ $(AR) -rc $@ $^ + + plugin/discovery.o: discovery.c + @CC@ $(CFLAGS) '-DVERSION="$(VERSION)"' -c -o plugin/discovery.o -fPIC discovery.c Added: trunk/package/rp-pppoe/rp-pppoe-3.8-configure.patch =================================================================== --- trunk/package/rp-pppoe/rp-pppoe-3.8-configure.patch (rev 0) +++ trunk/package/rp-pppoe/rp-pppoe-3.8-configure.patch 2006-08-14 20:30:40 UTC (rev 255) @@ -0,0 +1,12 @@ +diff -ur rp-pppoe-3.8.orig/src/configure rp-pppoe-3.8/src/configure +--- rp-pppoe-3.8.orig/src/configure 2006-04-02 10:29:42.000000000 -0400 ++++ rp-pppoe-3.8/src/configure 2006-08-14 16:24:52.000000000 -0400 +@@ -5744,7 +5744,7 @@ + echo "$as_me:$LINENO: checking packing order of bit fields" >&5 + echo $ECHO_N "checking packing order of bit fields... $ECHO_C" >&6 + if test "$cross_compiling" = yes; then +- $ECHO "no defaults for cross-compiling"; exit 0 ++ $ECHO "no defaults for cross-compiling - using arguments" + else + cat >conftest.$ac_ext <<_ACEOF + /* confdefs.h. */ Modified: trunk/package/rp-pppoe/rp-pppoe.mk =================================================================== --- trunk/package/rp-pppoe/rp-pppoe.mk 2006-08-14 18:43:46 UTC (rev 254) +++ trunk/package/rp-pppoe/rp-pppoe.mk 2006-08-14 20:30:40 UTC (rev 255) @@ -4,7 +4,7 @@ # ############################################################# # -RP-PPPOE_VERSION=3.5 +RP-PPPOE_VERSION=3.8 PPP_VERSION=2.4.3 RP-PPPOE_SOURCE_URL=http://www.roaringpenguin.com/penguin/pppoe RP-PPPOE_SOURCE=rp-pppoe-$(RP-PPPOE_VERSION).tar.gz 
@@ -16,7 +16,7 @@ $(RP-PPPOE_BUILD_DIR)/.unpacked: $(DL_DIR)/$(RP-PPPOE_SOURCE) zcat $(DL_DIR)/$(RP-PPPOE_SOURCE) | tar -C $(BUILD_DIR) $(TAR_OPTIONS) - - toolchain/patch-kernel.sh $(RP-PPPOE_BUILD_DIR) package/rp-pppoe/ rp-pppoe\*.patch + toolchain/patch-kernel.sh $(RP-PPPOE_BUILD_DIR) package/rp-pppoe/ rp-pppoe-$(RP-PPPOE_VERSION)*.patch touch $(RP-PPPOE_BUILD_DIR)/.unpacked $(RP-PPPOE_BUILD_DIR)/.configured: $(RP-PPPOE_BUILD_DIR)/.unpacked @@ -28,7 +28,7 @@ ac_cv_sizeof_unsigned_int=4 \ ac_cv_sizeof_unsigned_long=4 \ ac_cv_linux_kernel_pppoe=yes \ - ac_cv_pack_bitfields_reversed=yes \ + rpppoe_cv_pack_bitfields=rev \ ./configure \ --target=$(GNU_TARGET_NAME) \ --host=$(GNU_TARGET_NAME) \ 
@@ -57,10 +57,10 @@ $(MAKE) -C $(RP-PPPOE_BUILD_DIR)/src $(TARGET_DIR)/$(RP-PPPOE_TARGET_BINARY): $(RP-PPPOE_BUILD_DIR)/src/pppoe - $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/scripts/adsl-connect $(TARGET_DIR)/usr/sbin/adsl-connect - $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/scripts/adsl-start $(TARGET_DIR)/usr/sbin/adsl-start - $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/scripts/adsl-stop $(TARGET_DIR)/usr/sbin/adsl-stop - $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/scripts/adsl-status $(TARGET_DIR)/usr/sbin/adsl-status + $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/scripts/pppoe-connect $(TARGET_DIR)/usr/sbin/pppoe-connect + $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/scripts/pppoe-start $(TARGET_DIR)/usr/sbin/pppoe-start + $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/scripts/pppoe-stop $(TARGET_DIR)/usr/sbin/pppoe-stop + $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/scripts/pppoe-status $(TARGET_DIR)/usr/sbin/pppoe-status $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/src/pppoe-server $(TARGET_DIR)/usr/sbin/pppoe-server $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/src/pppoe-sniff $(TARGET_DIR)/usr/sbin/pppoe-sniff $(INSTALL) -D -m 0755 $(RP-PPPOE_BUILD_DIR)/src/pppoe-relay $(TARGET_DIR)/usr/sbin/pppoe-relay Modified: trunk/target/generic/target_skeleton/etc/init.d/network =================================================================== --- trunk/target/generic/target_skeleton/etc/init.d/network 2006-08-14 18:43:46 UTC (rev 254) +++ trunk/target/generic/target_skeleton/etc/init.d/network 2006-08-14 20:30:40 UTC (rev 255) @@ -184,7 +184,12 @@ echo "Attempting to bring up PPPoE on $PPPOEIF" echo "This could take some time..." +if [ -x /usr/sbin/pppoe-start ] +then +/usr/sbin/pppoe-start +else /usr/sbin/adsl-start +fi sleep 5 if [ "$DNS" -a "$DOMAIN" ] This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
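Review bot: The fallback `else /usr/sbin/adsl-start fi` in the network init hunk runs unconditionally when pppoe-start is absent, so on a target that has neither script the shell prints a not-found error and the script carries on into `sleep 5` and the DNS setup as if the link had come up. Guarding the fallback the same way, `elif [ -x /usr/sbin/adsl-start ]`, with a final `else echo "No PPPoE client installed"` makes the failure visible. The rp-pppoe.mk hunk on this line now installs only the pppoe-* names, so the adsl-start branch appears to serve only targets built before this change; a comment saying so would stop it from being mistaken for dead code. The enclosing block starts and ends outside the hunk.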
From: <kr...@us...> - 2006-08-14 18:43:50
|
Revision: 254 Author: krisk84 Date: 2006-08-14 11:43:46 -0700 (Mon, 14 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=254&view=rev Log Message: ----------- chansccp permissions fix Modified Paths: -------------- trunk/package/chansccp/chansccp.mk Modified: trunk/package/chansccp/chansccp.mk =================================================================== --- trunk/package/chansccp/chansccp.mk 2006-08-14 18:19:47 UTC (rev 253) +++ trunk/package/chansccp/chansccp.mk 2006-08-14 18:43:46 UTC (rev 254) @@ -16,6 +16,7 @@ $(CHANSCCP_DIR)/.unpacked: $(DL_DIR)/$(CHANSCCP_SOURCE) $(CHANSCCP_CAT) $(DL_DIR)/$(CHANSCCP_SOURCE) | tar -C $(BUILD_DIR) $(TAR_OPTIONS) - + chmod -R 755 $(CHANSCCP_DIR) touch $(CHANSCCP_DIR)/.unpacked $(CHANSCCP_DIR)/.configured: $(CHANSCCP_DIR)/.unpacked This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
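Review bot: `chmod -R 755 $(CHANSCCP_DIR)` sets the execute bit on every regular file in the unpacked tree, not just on directories, which is broader than working around an unreadable tarball needs. `chmod -R u+rwX,go+rX $(CHANSCCP_DIR)` makes directories traversable and files readable while leaving execute only where the archive already had it. A short comment on the new line naming the tarball permissions it corrects would help whoever later wonders whether the line can go.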
From: <dha...@us...> - 2006-08-14 18:19:50
|
Revision: 253 Author: dhartman Date: 2006-08-14 11:19:47 -0700 (Mon, 14 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=253&view=rev Log Message: ----------- init fixes in astshape and iptables Modified Paths: -------------- trunk/package/iproute2/astshape.init trunk/package/iptables/iptables.init Modified: trunk/package/iproute2/astshape.init =================================================================== --- trunk/package/iproute2/astshape.init 2006-08-14 03:05:37 UTC (rev 252) +++ trunk/package/iproute2/astshape.init 2006-08-14 18:19:47 UTC (rev 253) @@ -20,7 +20,6 @@ fi fi -fi } stop () { Modified: trunk/package/iptables/iptables.init =================================================================== --- trunk/package/iptables/iptables.init 2006-08-14 03:05:37 UTC (rev 252) +++ trunk/package/iptables/iptables.init 2006-08-14 18:19:47 UTC (rev 253) @@ -16,6 +16,7 @@ then if [ -x /usr/sbin/arno-iptables-firewall ] +then /usr/sbin/arno-iptables-firewall start else echo "You don't have arno iptables firewall installed" This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kr...@us...> - 2006-08-14 03:05:39
|
Revision: 252 Author: krisk84 Date: 2006-08-13 20:05:37 -0700 (Sun, 13 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=252&view=rev Log Message: ----------- strip openser binary Modified Paths: -------------- trunk/package/openser/openser.mk Modified: trunk/package/openser/openser.mk =================================================================== --- trunk/package/openser/openser.mk 2006-08-14 03:00:23 UTC (rev 251) +++ trunk/package/openser/openser.mk 2006-08-14 03:05:37 UTC (rev 252) @@ -35,6 +35,7 @@ $(TARGET_DIR)/$(OPENSER_TARGET_BINARY): $(OPENSER_DIR)/$(OPENSER_BINARY) install -D -m 0755 $(OPENSER_DIR)/$(OPENSER_BINARY) $(TARGET_DIR)/$(OPENSER_TARGET_BINARY) + $(STRIP) $(TARGET_DIR)/$(OPENSER_TARGET_BINARY) install -D -m 0755 $(OPENSER_DIR)/scripts/openserctl $(TARGET_DIR)/usr/sbin/openserctl install -D -m 0755 $(OPENSER_DIR)/scripts/mysqldb.sh $(TARGET_DIR)/usr/sbin/mysqldb.sh touch -c $(TARGET_DIR)/$(OPENSER_TARGET_BINARY) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kr...@us...> - 2006-08-14 03:00:28
|
Revision: 251 Author: krisk84 Date: 2006-08-13 20:00:23 -0700 (Sun, 13 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=251&view=rev Log Message: ----------- BASIC openser support Modified Paths: -------------- trunk/package/Config.in Added Paths: ----------- trunk/package/openser/ trunk/package/openser/Config.in trunk/package/openser/openser.mk Modified: trunk/package/Config.in =================================================================== --- trunk/package/Config.in 2006-08-14 01:54:52 UTC (rev 250) +++ trunk/package/Config.in 2006-08-14 03:00:23 UTC (rev 251) @@ -116,6 +116,7 @@ source "package/newt/Config.in" source "package/ntp/Config.in" source "package/openntpd/Config.in" +source "package/openser/Config.in" source "package/openssh/Config.in" source "package/openssl/Config.in" source "package/openvpn/Config.in" Added: trunk/package/openser/Config.in =================================================================== --- trunk/package/openser/Config.in (rev 0) +++ trunk/package/openser/Config.in 2006-08-14 03:00:23 UTC (rev 251) @@ -0,0 +1,8 @@ +config BR2_PACKAGE_OPENSER + bool "openser" + default n + select BR2_PACKAGE_OPENSSL + help + OpenSER is a mature and flexible open source SIP server (RFC3261). + + http://www.openser.org Added: trunk/package/openser/openser.mk =================================================================== --- trunk/package/openser/openser.mk (rev 0) +++ trunk/package/openser/openser.mk 2006-08-14 03:00:23 UTC (rev 251) 
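Review bot: The new Config.in does `select BR2_PACKAGE_OPENSSL`, and openser.mk in the same commit declares `openser: uclibc openssl ...`, yet the tarball fetched is `openser-1.1.0-notls_src`, the source drop with TLS removed. If nothing in this build links against OpenSSL, the select pulls the library into every image that enables openser for no reason; if some module does need it, a comment naming that module would keep the dependency from being dropped later. Please confirm which case applies.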
@@ -0,0 +1,62 @@ +############################################################# +# +# openser +# +############################################################## +OPENSER_VERSION := 1.1.0-notls_src +OPENSER_SOURCE := openser-$(OPENSER_VERSION).tar.gz +OPENSER_SITE := http://www.openser.org/pub/openser/latest/src/ +OPENSER_DIR := $(BUILD_DIR)/openser-1.1.0-notls +OPENSER_BINARY := openser +OPENSER_TARGET_BINARY := usr/sbin/openser + +$(DL_DIR)/$(OPENSER_SOURCE): + $(WGET) -P $(DL_DIR) $(OPENSER_SITE)/$(OPENSER_SOURCE) + +$(OPENSER_DIR)/.source: $(DL_DIR)/$(OPENSER_SOURCE) + zcat $(DL_DIR)/$(OPENSER_SOURCE) | tar -C $(BUILD_DIR) $(TAR_OPTIONS) - + # toolchain/patch-kernel.sh $(OPENSER_DIR) package/openser/ openser\*.patch + touch $(OPENSER_DIR)/.source + +$(OPENSER_DIR)/.configured: $(OPENSER_DIR)/.source + touch $(OPENSER_DIR)/.configured + +$(OPENSER_DIR)/$(OPENSER_BINARY): $(OPENSER_DIR)/.configured + $(MAKE1) -C $(OPENSER_DIR) \ + prefix=/usr/ \ + cfg-prefix=/ \ + extra_defs="-DUSE_PTHREAD_MUTEX " \ + CC="$(TARGET_CC)" \ + ARCH="$(ARCH)" \ + CFLAGS="$(TARGET_CFLAGS)" \ + LOCALBASE="$(STAGING_DIR)/usr" \ + all + touch -c $(TARGET_DIR)/$(OPENSER_BINARY) + +$(TARGET_DIR)/$(OPENSER_TARGET_BINARY): $(OPENSER_DIR)/$(OPENSER_BINARY) + install -D -m 0755 $(OPENSER_DIR)/$(OPENSER_BINARY) $(TARGET_DIR)/$(OPENSER_TARGET_BINARY) + install -D -m 0755 $(OPENSER_DIR)/scripts/openserctl $(TARGET_DIR)/usr/sbin/openserctl + install -D -m 0755 $(OPENSER_DIR)/scripts/mysqldb.sh $(TARGET_DIR)/usr/sbin/mysqldb.sh + touch -c $(TARGET_DIR)/$(OPENSER_TARGET_BINARY) + +openser: uclibc openssl $(TARGET_DIR)/$(OPENSER_TARGET_BINARY) + +openser-source: $(DL_DIR)/$(OPENSER_SOURCE) + +openser-clean: + rm -Rf $(TARGET_DIR)/$(OPENSER_TARGET_BINARY) + rm -rf $(TARGET_DIR)/usr/sbin/openserctl + rm -rf $(TARGET_DIR)/usr/sbin/mysqldb.sh + -$(MAKE) -C $(OPENSER_DIR) clean + +openser-dirclean: + rm -rf $(OPENSER_DIR) + +############################################################# +# +# Toplevel 
Makefile options +# +############################################################# +ifeq ($(strip $(BR2_PACKAGE_OPENSER)),y) +TARGETS+=openser +endif This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
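Review bot: In the build rule for `$(OPENSER_DIR)/$(OPENSER_BINARY)` the closing `touch -c $(TARGET_DIR)/$(OPENSER_BINARY)` refreshes `$(TARGET_DIR)/openser`, a path nothing else uses, instead of the rule's own target, so make cannot trust the timestamp of the built binary and may re-run the compile on the next invocation; the install rule below gets this right with `touch -c $(TARGET_DIR)/$(OPENSER_TARGET_BINARY)`. The fix is `touch -c $(OPENSER_DIR)/$(OPENSER_BINARY)`. Separately, the source is fetched over plain http and nothing compares a checksum after download — the same pattern as the other .mk files on this page — so a recorded hash checked after `$(WGET)` would let the build detect a corrupted or tampered tarball.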
From: <kr...@us...> - 2006-08-14 01:54:57
|
Revision: 250 Author: krisk84 Date: 2006-08-13 18:54:52 -0700 (Sun, 13 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=250&view=rev Log Message: ----------- move astshape to iproute2 dir Modified Paths: -------------- trunk/package/iproute2/astshape.init trunk/package/iproute2/iproute2.mk Added Paths: ----------- trunk/package/iproute2/astshape Removed Paths: ------------- trunk/target/generic/target_skeleton/usr/sbin/astshape Copied: trunk/package/iproute2/astshape (from rev 247, trunk/target/generic/target_skeleton/usr/sbin/astshape) =================================================================== --- trunk/package/iproute2/astshape (rev 0) +++ trunk/package/iproute2/astshape 2006-08-14 01:54:52 UTC (rev 250) 
@@ -0,0 +1,134 @@ +#!/bin/bash +# AstShape +# Based off of WonderShaper (HTB) +# Enhanced by Kristian Kielhofner <kr...@kr...> +# Make sure that all of your VoIP devices set tos on RTP to 0x18 +# iax.conf: tos=0x18 sip.conf: tos=0x18 + +. /etc/rc.conf + +DOWNLINK=$EXTDOWN +UPLINK=$EXTUP +DEV=$EXTIF + +if [ "$1" = "status" ] +then + echo "Showing AstShape status for $DEV" + echo + tc -s qdisc ls dev $DEV + tc -s class ls dev $DEV + exit +fi + + +# clean existing down- and uplink qdiscs, hide errors +tc qdisc del dev $DEV root 2> /dev/null > /dev/null +tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null + +if [ "$1" = "stop" ] +then + exit +fi + +###### uplink + +#install root HTB, point default traffic to 1:30 +tc qdisc add dev $DEV root handle 1: htb default 30 + +#shape everything at $UPLINK speed to prevent queing +tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k + +#voip class 1:10 - "the crown prince of bandwidth" +tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit burst 6k prio 1 + +#high prio class 1:20 +tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${UPLINK}kbit burst 6k prio 2 + +#default class 1:30 +tc class add dev $DEV parent 1:1 classid 1:30 htb rate $[9*$UPLINK/10]kbit burst 6k prio 3 + +#bulk class 1:40 +tc class add dev $DEV parent 1:1 classid 1:40 htb rate $[8*$UPLINK/10]kbit burst 6k prio 4 + +#all get Stochastic Fairness +tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10 +tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10 +tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10 +tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10 + +#Voip TOS in 1:10 +tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 match ip tos 0x18 0xff flowid 1:10 + +#Ports as defined above +for a in $VOIPPORTS +do + tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 match ip dport $a 0xffff flowid 1:10 + tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 match ip 
sport $a 0xffff flowid 1:10 +done + +#TOS Minimum Delay (ssh, NOT scp) in 1:20 +tc filter add dev $DEV parent 1:0 protocol ip prio 20 u32 match ip tos 0x10 0xff flowid 1:20 + +#DNS in interactive class 1:20 +tc filter add dev $DEV parent 1:0 protocol ip prio 21 u32 match ip sport 53 0xffff flowid 1:20 +tc filter add dev $DEV parent 1:0 protocol ip prio 22 u32 match ip dport 53 0xffff flowid 1:20 + +#only give TCP ACK's higher priority if this connection is asymmetrical +if [ ! $DOWNLINK = $UPLINK ] +then +#give TCP ACK's higher priority in 1:20 +tc filter add dev $DEV parent 1: protocol ip prio 23 u32 \ + match ip protocol 6 0xff \ + match u8 0x05 0x0f at 0 \ + match u16 0x0000 0xffc0 at 2 \ + match u8 0x10 0xff at 33 \ + flowid 1:20 +fi + +#Ports as defined above +for a in $INTPORTS +do + tc filter add dev $DEV parent 1:0 protocol ip prio 24 u32 match ip dport $a 0xffff flowid 1:20 + tc filter add dev $DEV parent 1:0 protocol ip prio 24 u32 match ip sport $a 0xffff flowid 1:20 +done + +#ICMP (ip protocol 1) in the interactive class 1:20 +tc filter add dev $DEV parent 1: protocol ip prio 25 u32 match ip protocol 1 0xff flowid 1:20 + +#the slowest of the slow +for a in $NOPRIOPORTDST +do + tc filter add dev $DEV parent 1: protocol ip prio 40 u32 match ip dport $a 0xffff flowid 1:40 +done + +for a in $NOPRIOPORTSRC +do + tc filter add dev $DEV parent 1: protocol ip prio 41 u32 match ip sport $a 0xffff flowid 1:40 +done + +for a in $NOPRIOHOSTSRC +do + tc filter add dev $DEV parent 1: protocol ip prio 42 u32 match ip src $a flowid 1:40 +done + +for a in $NOPRIOHOSTDST +do + tc filter add dev $DEV parent 1: protocol ip prio 43 u32 match ip dst $a flowid 1:40 +done + +#rest is 'non-interactive' ie 'bulk' and ends up in 1:30 +tc filter add dev $DEV parent 1: protocol ip prio 30 u32 match ip dst 0.0.0.0/0 flowid 1:30 + +########## downlink ############# +# slow downloads down to somewhat less than the real speed to prevent +# queuing at our ISP. 
Tune to see how high you can set it. +# ISPs tend to have *huge* queues to make sure big downloads are fast +# +# attach ingress policer: + +tc qdisc add dev $DEV handle ffff: ingress + +# filter *everything* to it (0.0.0.0/0), drop everything that's +# coming in too fast: +tc filter add dev $DEV parent ffff: protocol ip prio 100 u32 match ip src \ + 0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1 Modified: trunk/package/iproute2/astshape.init =================================================================== --- trunk/package/iproute2/astshape.init 2006-08-14 01:50:24 UTC (rev 249) +++ trunk/package/iproute2/astshape.init 2006-08-14 01:54:52 UTC (rev 250) @@ -7,10 +7,20 @@ then if [ "$EXTUP" -a "$EXTDOWN" ] then + +if [ -x /usr/sbin/shape ] +then echo "Starting AstShape..." /usr/sbin/astshape +else +echo "You don't have astshape installed" +exit 1 fi + fi + +fi +fi } stop () { @@ -18,10 +28,18 @@ then if [ "$EXTUP" -a "$EXTDOWN" ] then + +if [ -x /usr/sbin/astshape ] +then echo "Stopping AstShape..." /usr/sbin/astshape stop +else +echo "You don't have astshape installed" +exit 1 fi + fi +fi } case $1 in Modified: trunk/package/iproute2/iproute2.mk =================================================================== --- trunk/package/iproute2/iproute2.mk 2006-08-14 01:50:24 UTC (rev 249) +++ trunk/package/iproute2/iproute2.mk 2006-08-14 01:54:52 UTC (rev 250) 
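Review bot: The new guard in start() of astshape.init tests `if [ -x /usr/sbin/shape ]` while the command it protects, and the matching guard added in stop(), use `/usr/sbin/astshape`; unless /usr/sbin/shape exists on the target, start() always prints "You don't have astshape installed" and exits 1, so shaping never comes up. Change it to `if [ -x /usr/sbin/astshape ]`. The start() hunk also adds two `fi` lines for a single new `if`, leaving one unmatched `fi` before `}` (rev 253 on this page removes it). Both functions start outside the hunk.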
@@ -39,6 +39,7 @@ $(INSTALL) -Dc $(IPROUTE2_DIR)/ip/ip $(TARGET_DIR)/sbin/ip $(INSTALL) -Dc $(IPROUTE2_DIR)/$(IPROUTE2_BINARY) $(TARGET_DIR)/$(IPROUTE2_TARGET_BINARY) $(INSTALL) -D -m 0755 package/iproute2/astshape.init $(TARGET_DIR)/etc/init.d/astshape + $(INSTALL) -D -m 0755 package/iproute2/astshape $(TARGET_DIR)/usr/sbin/astshape iproute2: uclibc linux $(TARGET_DIR)/$(IPROUTE2_TARGET_BINARY) Deleted: trunk/target/generic/target_skeleton/usr/sbin/astshape =================================================================== --- trunk/target/generic/target_skeleton/usr/sbin/astshape 2006-08-14 01:50:24 UTC (rev 249) +++ trunk/target/generic/target_skeleton/usr/sbin/astshape 2006-08-14 01:54:52 UTC (rev 250) 
@@ -1,134 +0,0 @@ -#!/bin/bash -# AstShape -# Based off of WonderShaper (HTB) -# Enhanced by Kristian Kielhofner <kr...@kr...> -# Make sure that all of your VoIP devices set tos on RTP to 0x18 -# iax.conf: tos=0x18 sip.conf: tos=0x18 - -. /etc/rc.conf - -DOWNLINK=$EXTDOWN -UPLINK=$EXTUP -DEV=$EXTIF - -if [ "$1" = "status" ] -then - echo "Showing AstShape status for $DEV" - echo - tc -s qdisc ls dev $DEV - tc -s class ls dev $DEV - exit -fi - - -# clean existing down- and uplink qdiscs, hide errors -tc qdisc del dev $DEV root 2> /dev/null > /dev/null -tc qdisc del dev $DEV ingress 2> /dev/null > /dev/null - -if [ "$1" = "stop" ] -then - exit -fi - -###### uplink - -#install root HTB, point default traffic to 1:30 -tc qdisc add dev $DEV root handle 1: htb default 30 - -#shape everything at $UPLINK speed to prevent queing -tc class add dev $DEV parent 1: classid 1:1 htb rate ${UPLINK}kbit burst 6k - -#voip class 1:10 - "the crown prince of bandwidth" -tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${UPLINK}kbit burst 6k prio 1 - -#high prio class 1:20 -tc class add dev $DEV parent 1:1 classid 1:20 htb rate ${UPLINK}kbit burst 6k prio 2 - -#default class 1:30 -tc class add dev $DEV parent 1:1 classid 1:30 htb rate $[9*$UPLINK/10]kbit burst 6k prio 3 - -#bulk class 1:40 -tc class add dev $DEV parent 1:1 classid 1:40 htb rate $[8*$UPLINK/10]kbit burst 6k prio 4 - -#all get Stochastic Fairness -tc qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10 -tc qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10 -tc qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10 -tc qdisc add dev $DEV parent 1:40 handle 40: sfq perturb 10 - -#Voip TOS in 1:10 -tc filter add dev $DEV parent 1:0 protocol ip prio 10 u32 match ip tos 0x18 0xff flowid 1:10 - -#Ports as defined above -for a in $VOIPPORTS -do - tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 match ip dport $a 0xffff flowid 1:10 - tc filter add dev $DEV parent 1:0 protocol ip prio 11 u32 match ip 
sport $a 0xffff flowid 1:10 -done - -#TOS Minimum Delay (ssh, NOT scp) in 1:20 -tc filter add dev $DEV parent 1:0 protocol ip prio 20 u32 match ip tos 0x10 0xff flowid 1:20 - -#DNS in interactive class 1:20 -tc filter add dev $DEV parent 1:0 protocol ip prio 21 u32 match ip sport 53 0xffff flowid 1:20 -tc filter add dev $DEV parent 1:0 protocol ip prio 22 u32 match ip dport 53 0xffff flowid 1:20 - -#only give TCP ACK's higher priority if this connection is asymmetrical -if [ ! $DOWNLINK = $UPLINK ] -then -#give TCP ACK's higher priority in 1:20 -tc filter add dev $DEV parent 1: protocol ip prio 23 u32 \ - match ip protocol 6 0xff \ - match u8 0x05 0x0f at 0 \ - match u16 0x0000 0xffc0 at 2 \ - match u8 0x10 0xff at 33 \ - flowid 1:20 -fi - -#Ports as defined above -for a in $INTPORTS -do - tc filter add dev $DEV parent 1:0 protocol ip prio 24 u32 match ip dport $a 0xffff flowid 1:20 - tc filter add dev $DEV parent 1:0 protocol ip prio 24 u32 match ip sport $a 0xffff flowid 1:20 -done - -#ICMP (ip protocol 1) in the interactive class 1:20 -tc filter add dev $DEV parent 1: protocol ip prio 25 u32 match ip protocol 1 0xff flowid 1:20 - -#the slowest of the slow -for a in $NOPRIOPORTDST -do - tc filter add dev $DEV parent 1: protocol ip prio 40 u32 match ip dport $a 0xffff flowid 1:40 -done - -for a in $NOPRIOPORTSRC -do - tc filter add dev $DEV parent 1: protocol ip prio 41 u32 match ip sport $a 0xffff flowid 1:40 -done - -for a in $NOPRIOHOSTSRC -do - tc filter add dev $DEV parent 1: protocol ip prio 42 u32 match ip src $a flowid 1:40 -done - -for a in $NOPRIOHOSTDST -do - tc filter add dev $DEV parent 1: protocol ip prio 43 u32 match ip dst $a flowid 1:40 -done - -#rest is 'non-interactive' ie 'bulk' and ends up in 1:30 -tc filter add dev $DEV parent 1: protocol ip prio 30 u32 match ip dst 0.0.0.0/0 flowid 1:30 - -########## downlink ############# -# slow downloads down to somewhat less than the real speed to prevent -# queuing at our ISP. 
Tune to see how high you can set it. -# ISPs tend to have *huge* queues to make sure big downloads are fast -# -# attach ingress policer: - -tc qdisc add dev $DEV handle ffff: ingress - -# filter *everything* to it (0.0.0.0/0), drop everything that's -# coming in too fast: -tc filter add dev $DEV parent ffff: protocol ip prio 100 u32 match ip src \ - 0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kr...@us...> - 2006-08-14 01:50:32
|
Revision: 249 Author: krisk84 Date: 2006-08-13 18:50:24 -0700 (Sun, 13 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=249&view=rev Log Message: ----------- don't install astfw if you don't have iptables Modified Paths: -------------- trunk/package/iptables/iptables.init trunk/package/iptables/iptables.mk Added Paths: ----------- trunk/package/iptables/astfw Removed Paths: ------------- trunk/target/generic/target_skeleton/usr/sbin/astfw Copied: trunk/package/iptables/astfw (from rev 247, trunk/target/generic/target_skeleton/usr/sbin/astfw) =================================================================== --- trunk/package/iptables/astfw (rev 0) +++ trunk/package/iptables/astfw 2006-08-14 01:50:24 UTC (rev 249) 
@@ -0,0 +1,207 @@
+#!/bin/sh
+
+. /etc/rc.conf
+
+if [ "$DENYACT" ]
+then
+DACTION=$DENYACT
+else
+DACTION=DROP
+fi
+
+IPBASE=`echo $INTIP | cut -d. -f1-3`
+
+if [ "$INT2IF" ]
+then
+IP2BASE=`echo $INT2IP | cut -d. -f1-3`
+fi
+
+if [ "$INT3IF" ]
+then
+IP3BASE=`echo $INT3IP | cut -d. -f1-3`
+fi
+
+# some basic setup
+# ignore_all not yet used: this should be satisfactory
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# drop spoofed addr: turn this off on non-loop-free networks
+echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
+echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+# do not honor source route flags
+echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route
+echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+# protect against syn flood attacks
+echo 1 >/proc/sys/net/ipv4/tcp_syncookies
+
+modprobe ip_conntrack_ftp
+modprobe ip_conntrack_tftp
+modprobe ip_conntrack_irc
+modprobe ip_nat_ftp
+modprobe ip_nat_tftp
+modprobe ip_nat_irc
+
+#Allow traffic with loopback
+iptables -A INPUT -i lo -j ACCEPT
+
+#Allow INPUT from INTIF
+iptables -A INPUT -i $INTIF -j ACCEPT
+
+if [ "$INT2IF" ]
+then
+iptables -A INPUT -i $INT2IF -j ACCEPT
+fi
+
+if [ "$INT3IF" ]
+then
+iptables -A INPUT -i $INT3IF -j ACCEPT
+fi
+
+#Already established traffic from anywhere
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+#DMZ Support
+if [ "$DMZIF" ]
+then
+
+if [ "$DMZTYPE" = "extonly" ]
+then
+#Pass traffic out EXTIF
+iptables -A FORWARD -i $DMZIF -o $EXTIF -j ACCEPT
+#DNS, ICMP support to AstLinux machine
+iptables -A INPUT -i $DMZIF -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
+iptables -A INPUT -i $DMZIF -p icmp --icmp-type any -j ACCEPT
+fi
+
+if [ "$DMZTYPE" = "extme" ]
+then
+#Pass traffic out EXTIF
+iptables -A FORWARD -i $DMZIF -o $EXTIF -j ACCEPT
+# Allow all traffic to AstLinux machine
+iptables -A INPUT -i $DMZIF -j ACCEPT
+fi
+
+if [ "$DMZTYPE" = "open" ]
+then
+# Forget it all and open the gates
+iptables -A INPUT -i $DMZIF -j ACCEPT
+iptables -A FORWARD -i $DMZIF -j ACCEPT
+fi
+
+if [ "$DMZTYPE" = "manual" ]
+then
+echo "Fill in some rules. You are on your own!"
+fi
+
+fi
+
+
+if [ "$EXTOPEN" ]
+then
+for i in $EXTOPEN
+do
+if `echo $i | grep -q "u"`
+then
+PROTOCOL=udp
+fi
+
+if `echo $i | grep -q "t"`
+then
+PROTOCOL=tcp
+fi
+
+if `echo $i | grep -q "i"`
+then
+PROTOCOL=icmp
+fi
+
+PORT=`echo $i | tr -d itu`
+
+if [ "$PROTOCOL" = "icmp" ]
+then
+iptables -A INPUT -i $EXTIF -m icmp -p icmp --icmp-type $PORT -j ACCEPT
+else
+iptables -A INPUT -m state --state NEW -i $EXTIF -m $PROTOCOL -p $PROTOCOL --dport $PORT -j ACCEPT
+fi
+
+done
+fi
+
+#allow forwaring from each interface to the internet...
+iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
+
+if [ "$INT2IF" ]
+then
+iptables -A FORWARD -i $INT2IF -o $EXTIF -j ACCEPT
+fi
+
+if [ "$INT3IF" ]
+then
+iptables -A FORWARD -i $INT3IF -o $EXTIF -j ACCEPT
+fi
+
+#Setup 1:1 Maps...
+if [ "$EXTMAP10" ]
+then
+COUNT=10
+
+while [ "$COUNT" ]
+do
+
+IPLINE=`set | grep EXTMAP$COUNT|tr -d \'`
+PORTMAP=`set | grep OPENMAP$COUNT|tr -d \'`
+IFALIAS=`expr $COUNT - 9`
+
+if [ $IPLINE ]
+ then
+ NATEXTIP=`echo $IPLINE | cut -d"=" -f2`
+ NATINTIP=`echo $IPLINE | cut -d"=" -f3`
+ ifconfig $EXTIF:$IFALIAS $NATEXTIP netmask $EXTNM
+ iptables -t nat -A PREROUTING -d $NATEXTIP -i $EXTIF -j DNAT --to-destination $NATINTIP
+ iptables -t nat -A POSTROUTING -s $NATEXTIP -o $EXTIF -j SNAT --to-source $NATINTIP
+ iptables -t nat -A POSTROUTING -s $NATINTIP -o $EXTIF -j SNAT --to-source $NATEXTIP
+ # iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -j ACCEPT
+
+ if [ $PORTMAP ]
+ then
+ PORTS=`echo $PORTMAP | cut -d"=" -f2`
+ (IFS=:
+ for i in $PORTS
+ do
+ iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -p tcp -m multiport --dport $i -j ACCEPT
+ iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -p udp -m multiport --dport $i -j ACCEPT
+
+ done)
+ fi
+
+ COUNT=`expr $COUNT + 1`
+
+else
+
+ COUNT=
+
+fi
+
+done
+
+fi
+
+#turn on NAT (PAT) for everything\everyone else...
+iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -j MASQUERADE
+
+if [ "$INT2IF" ]
+then
+iptables -t nat -A POSTROUTING -s $IP2BASE.0/$INT2NM -o $EXTIF -j MASQUERADE
+fi
+
+if [ "$INT3IF" ]
+then
+iptables -t nat -A POSTROUTING -s $IP3BASE.0/$INT3NM -o $EXTIF -j MASQUERADE
+fi
+
+#Default Deny FOR ALL REMAINING INTERFACES
+iptables -A INPUT -j $DACTION
+iptables -A FORWARD -j $DACTION
+
+#activate forwarding in the kernel
+sysctl -w net.ipv4.ip_forward=1
Modified: trunk/package/iptables/iptables.init
===================================================================
--- trunk/package/iptables/iptables.init 2006-08-14 01:44:34 UTC (rev 248)
+++ trunk/package/iptables/iptables.init 2006-08-14 01:50:24 UTC (rev 249)
@@ -19,6 +19,8 @@
 /usr/sbin/arno-iptables-firewall start
 else
 echo "You don't have arno iptables firewall installed"
+echo "I'll use astfw for now"
+/usr/sbin/astfw
 fi
 
 else
Modified: trunk/package/iptables/iptables.mk
===================================================================
--- trunk/package/iptables/iptables.mk 2006-08-14 01:44:34 UTC (rev 248)
+++ trunk/package/iptables/iptables.mk 2006-08-14 01:50:24 UTC (rev 249)
@@ -40,6 +40,7 @@
 $(STRIP) -g $(TARGET_DIR)/usr/sbin/iptables*
 $(STRIP) -g $(TARGET_DIR)/usr/lib/iptables/*.so
 $(INSTALL) -D -m 0755 package/iptables/iptables.init $(TARGET_DIR)/etc/init.d/iptables
+ $(INSTALL) -D -m 0755 package/iptables/astfw $(TARGET_DIR)/usr/sbin/astfw
 
 iptables: uclibc linux $(TARGET_DIR)/usr/sbin/iptables
Deleted: trunk/target/generic/target_skeleton/usr/sbin/astfw
===================================================================
--- trunk/target/generic/target_skeleton/usr/sbin/astfw 2006-08-14 01:44:34 UTC (rev 248)
+++ trunk/target/generic/target_skeleton/usr/sbin/astfw 2006-08-14 01:50:24 UTC (rev 249)
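Review bot: The 1:1 map lookup that greps `set` output for `EXTMAP$COUNT` is a substring match, so once EXTMAP10 and EXTMAP100 are both defined IPLINE holds two lines and the unquoted `if [ $IPLINE ]` fails with a test error; anchor the pattern as `grep "^EXTMAP$COUNT="` and quote the test as `if [ "$IPLINE" ]` (PORTMAP/OPENMAP likewise). The ruleset is only ever appended to, with no flush and no `-P INPUT DROP` at the top, so running astfw twice stacks duplicate rules and any failure before the final `iptables -A INPUT -j $DACTION` lines leaves INPUT and FORWARD with whatever chain policy was already in place; setting the default policies first would make the deny state independent of how far the script gets. In the EXTOPEN loop PROTOCOL is never cleared between entries, so an entry without a u/t/i letter silently inherits the previous entry's protocol.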
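Review bot: The new fallback runs `/usr/sbin/astfw` directly, while the non-arno branch of start() (outside this hunk; see the r248 diff further down this page) prefers `/mnt/kd/astfw` when it exists, so a key-disk firewall script is bypassed whenever arno is selected but not installed. Using the same `if [ -x /mnt/kd/astfw ]; then /mnt/kd/astfw; else /usr/sbin/astfw; fi` here keeps the two paths consistent. start() begins and ends outside the hunk.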
@@ -1,207 +0,0 @@ -#!/bin/sh - -. /etc/rc.conf - -if [ "$DENYACT" ] -then -DACTION=$DENYACT -else -DACTION=DROP -fi - -IPBASE=`echo $INTIP | cut -d. -f1-3` - -if [ "$INT2IF" ] -then -IP2BASE=`echo $INT2IP | cut -d. -f1-3` -fi - -if [ "$INT3IF" ] -then -IP3BASE=`echo $INT3IP | cut -d. -f1-3` -fi - -# some basic setup -# ignore_all not yet used: this should be satisfactory -echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -# drop spoofed addr: turn this off on non-loop-free networks -echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter -echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter -# do not honor source route flags -echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route -echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route -# protect against syn flood attacks -echo 1 >/proc/sys/net/ipv4/tcp_syncookies - -modprobe ip_conntrack_ftp -modprobe ip_conntrack_tftp -modprobe ip_conntrack_irc -modprobe ip_nat_ftp -modprobe ip_nat_tftp -modprobe ip_nat_irc - -#Allow traffic with loopback -iptables -A INPUT -i lo -j ACCEPT - -#Allow INPUT from INTIF -iptables -A INPUT -i $INTIF -j ACCEPT - -if [ "$INT2IF" ] -then -iptables -A INPUT -i $INT2IF -j ACCEPT -fi - -if [ "$INT3IF" ] -then -iptables -A INPUT -i $INT3IF -j ACCEPT -fi - -#Already established traffic from anywhere -iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT - -#DMZ Support -if [ "$DMZIF" ] -then - -if [ "$DMZTYPE" = "extonly" ] -then -#Pass traffic out EXTIF -iptables -A FORWARD -i $DMZIF -o $EXTIF -j ACCEPT -#DNS, ICMP support to AstLinux machine -iptables -A INPUT -i $DMZIF -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -iptables -A INPUT -i $DMZIF -p icmp --icmp-type any -j ACCEPT -fi - -if [ "$DMZTYPE" = "extme" ] -then -#Pass traffic out EXTIF -iptables -A FORWARD -i $DMZIF -o $EXTIF -j ACCEPT -# Allow all traffic to AstLinux machine -iptables -A INPUT -i $DMZIF -j ACCEPT -fi - -if [ "$DMZTYPE" = "open" 
] -then -# Forget it all and open the gates -iptables -A INPUT -i $DMZIF -j ACCEPT -iptables -A FORWARD -i $DMZIF -j ACCEPT -fi - -if [ "$DMZTYPE" = "manual" ] -then -echo "Fill in some rules. You are on your own!" -fi - -fi - - -if [ "$EXTOPEN" ] -then -for i in $EXTOPEN -do -if `echo $i | grep -q "u"` -then -PROTOCOL=udp -fi - -if `echo $i | grep -q "t"` -then -PROTOCOL=tcp -fi - -if `echo $i | grep -q "i"` -then -PROTOCOL=icmp -fi - -PORT=`echo $i | tr -d itu` - -if [ "$PROTOCOL" = "icmp" ] -then -iptables -A INPUT -i $EXTIF -m icmp -p icmp --icmp-type $PORT -j ACCEPT -else -iptables -A INPUT -m state --state NEW -i $EXTIF -m $PROTOCOL -p $PROTOCOL --dport $PORT -j ACCEPT -fi - -done -fi - -#allow forwaring from each interface to the internet... -iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT - -if [ "$INT2IF" ] -then -iptables -A FORWARD -i $INT2IF -o $EXTIF -j ACCEPT -fi - -if [ "$INT3IF" ] -then -iptables -A FORWARD -i $INT3IF -o $EXTIF -j ACCEPT -fi - -#Setup 1:1 Maps... -if [ "$EXTMAP10" ] -then -COUNT=10 - -while [ "$COUNT" ] -do - -IPLINE=`set | grep EXTMAP$COUNT|tr -d \'` -PORTMAP=`set | grep OPENMAP$COUNT|tr -d \'` -IFALIAS=`expr $COUNT - 9` - -if [ $IPLINE ] - then - NATEXTIP=`echo $IPLINE | cut -d"=" -f2` - NATINTIP=`echo $IPLINE | cut -d"=" -f3` - ifconfig $EXTIF:$IFALIAS $NATEXTIP netmask $EXTNM - iptables -t nat -A PREROUTING -d $NATEXTIP -i $EXTIF -j DNAT --to-destination $NATINTIP - iptables -t nat -A POSTROUTING -s $NATEXTIP -o $EXTIF -j SNAT --to-source $NATINTIP - iptables -t nat -A POSTROUTING -s $NATINTIP -o $EXTIF -j SNAT --to-source $NATEXTIP - # iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -j ACCEPT - - if [ $PORTMAP ] - then - PORTS=`echo $PORTMAP | cut -d"=" -f2` - (IFS=: - for i in $PORTS - do - iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -p tcp -m multiport --dport $i -j ACCEPT - iptables -A FORWARD -i $EXTIF -o $INTIF -d $NATINTIP -m state --state NEW -p udp -m multiport 
--dport $i -j ACCEPT - - done) - fi - - COUNT=`expr $COUNT + 1` - -else - - COUNT= - -fi - -done - -fi - -#turn on NAT (PAT) for everything\everyone else... -iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -j MASQUERADE - -if [ "$INT2IF" ] -then -iptables -t nat -A POSTROUTING -s $IP2BASE.0/$INT2NM -o $EXTIF -j MASQUERADE -fi - -if [ "$INT3IF" ] -then -iptables -t nat -A POSTROUTING -s $IP3BASE.0/$INT3NM -o $EXTIF -j MASQUERADE -fi - -#Default Deny FOR ALL REMAINING INTERFACES -iptables -A INPUT -j $DACTION -iptables -A FORWARD -j $DACTION - -#activate forwarding in the kernel -sysctl -w net.ipv4.ip_forward=1 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kr...@us...> - 2006-08-14 01:44:41
Revision: 248 Author: krisk84 Date: 2006-08-13 18:44:34 -0700 (Sun, 13 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=248&view=rev Log Message: ----------- more small arno/astfw/iptables fixes Modified Paths: -------------- trunk/package/iptables/iptables.init trunk/target/generic/target_skeleton/stat/etc/rc.conf trunk/target/generic/target_skeleton/usr/sbin/genkd
Modified: trunk/package/iptables/iptables.init
===================================================================
--- trunk/package/iptables/iptables.init 2006-08-14 01:13:14 UTC (rev 247)
+++ trunk/package/iptables/iptables.init 2006-08-14 01:44:34 UTC (rev 248)
@@ -5,24 +5,47 @@
 start () {
 if [ "$INTIF" ]
 then
-if [ "$FWVERS" = "arno" ]
+
+if [ ! -x /usr/sbin/iptables ]
 then
+echo "You don't have iptables installed."
+exit 1
+fi
+
+if [ "$FWVERS" -a "$FWVERS" = "arno" ]
+then
+
+if [ -x /usr/sbin/arno-iptables-firewall ]
 /usr/sbin/arno-iptables-firewall start
 else
+echo "You don't have arno iptables firewall installed"
+fi
+
+else
 echo "Starting iptables..."
+
 if [ -x /mnt/kd/astfw ]
 then
 /mnt/kd/astfw
 else
 /usr/sbin/astfw
 fi
+
 fi
+
 fi
 }
 
 stop () {
 if [ "$INTIF" ]
 then
+
+if [ ! -x /usr/sbin/iptables ]
+then
+echo "You don't have iptables installed."
+exit 1
+fi
+
 if [ "$FWVERS" = "arno" ]
 then
 /usr/sbin/arno-iptables-firewall stop
Modified: trunk/target/generic/target_skeleton/stat/etc/rc.conf
===================================================================
--- trunk/target/generic/target_skeleton/stat/etc/rc.conf 2006-08-14 01:13:14 UTC (rev 247)
+++ trunk/target/generic/target_skeleton/stat/etc/rc.conf 2006-08-14 01:44:34 UTC (rev 248)
@@ -152,14 +152,13 @@
 #PPOEIF="w1ad"
 PPPOEKERNEL="YES"
 
-### Firewall support. Two firewall scripts are now included. Set that variable
+### Firewall support. Two firewall scripts are now available. Set that variable
 ### here. Values are astfw or arno. If not set, defaults to astfw.
 ### Settings for Arno's firewall should be made by copying the config file from
 ### /stat/etc/arno-iptables-firewall.conf to /mnt/kd. REBOOT or restart iptables
 ### If using Arno's firewall, the firewall settings in rc.conf are presently ignored.
+FWVERS="astfw"
-FWVERS=
-
 
 ### astfw Firewall (iptables)
 
 ##If you have more than one IP on the EXTIF, here is where you configure 1:1 NAT maps
Modified: trunk/target/generic/target_skeleton/usr/sbin/genkd
===================================================================
--- trunk/target/generic/target_skeleton/usr/sbin/genkd 2006-08-14 01:13:14 UTC (rev 247)
+++ trunk/target/generic/target_skeleton/usr/sbin/genkd 2006-08-14 01:44:34 UTC (rev 248)
@@ -98,7 +98,6 @@
 touch /mnt/kd/dnsmasq.leases
 fi
 
-cp -a /usr/sbin/astfw /mnt/kd/
 cp -a /var/log/asterisk/cdr-csv /mnt/kd/
 cp -a /stat/etc/wanpipe /mnt/kd/
 cp -a /var/spool/cron/crontabs /mnt/kd/
@@ -110,5 +109,17 @@
 touch /mnt/kd/astdb
 fi
 
+if [ "$FWVERS" -a "$FWVERS" = "arno" ]
+then
+
+if [ -f /stat/etc/arno-iptables-firewall.conf ]
+then
+cp -a /stat/etc/arno-iptables-firewall.conf /mnt/kd/
+else
+echo "You haven't installed the arno iptables firewall."
+fi
+
+fi
+
 echo "Done. I STRONGLY URGE YOU TO REBOOT NOW."
 echo "Type reboot to cleanly restart now."
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
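Review bot: `if [ -x /usr/sbin/arno-iptables-firewall ]` is not followed by `then`, so sh rejects the entire init script with a syntax error and neither start nor stop runs for any firewall choice; insert `then` on the line after it. With that fixed, the else branch for a missing arno binary only prints a message and leaves the host with no ruleset at all, so the fallback should run the bundled script rather than stop there. The stop() body continues outside the hunk.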
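Review bot: `cp -a /stat/etc/arno-iptables-firewall.conf /mnt/kd/` in the second genkd hunk overwrites any key-disk copy unconditionally, so re-running genkd discards a configuration the user has already edited there, which is precisely the copy the rc.conf comment above tells them to maintain. Guarding it with `if [ ! -f /mnt/kd/arno-iptables-firewall.conf ]` (or copying to a distinct default name) keeps the fresh-key-disk behaviour without clobbering an existing file. Whether the other `cp -a` lines in genkd are meant to overwrite is not visible here, so this may be deliberate for them but is risky for a firewall policy file.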
From: <kr...@us...> - 2006-08-14 01:13:18
Revision: 247 Author: krisk84 Date: 2006-08-13 18:13:14 -0700 (Sun, 13 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=247&view=rev Log Message: ----------- arnofw fix Modified Paths: -------------- trunk/package/arno-fw/arnofw.mk
Modified: trunk/package/arno-fw/arnofw.mk
===================================================================
--- trunk/package/arno-fw/arnofw.mk 2006-08-14 00:06:05 UTC (rev 246)
+++ trunk/package/arno-fw/arnofw.mk 2006-08-14 01:13:14 UTC (rev 247)
@@ -10,7 +10,7 @@
 $(INSTALL) -D -m 0755 $(ARNOFW_DIR)/arno-iptables-firewall $(TARGET_DIR)/usr/sbin/arno-iptables-firewall
 $(INSTALL) -D -m 0700 $(ARNOFW_DIR)/arno-iptables-firewall.conf $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
 
-arnofw: uclibc linux asterisk $(ARNOFW_TARGET_BINARY)
+arnofw: uclibc linux iptables $(ARNOFW_TARGET_BINARY)
 
 arnofw-clean:
 rm $(ARNOFW_TARGET_BINARY)
@@ -25,5 +25,5 @@
 #
 #############################################################
 ifeq ($(strip $(BR2_PACKAGE_ARNOFW)),y)
-TARGETS+=
+TARGETS+=arnofw
 endif
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <dha...@us...> - 2006-08-14 00:06:12
Revision: 246 Author: dhartman Date: 2006-08-13 17:06:05 -0700 (Sun, 13 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=246&view=rev Log Message: ----------- fixes to Arno's firewall. Modified Paths: -------------- trunk/package/arno-fw/Config.in Added Paths: ----------- trunk/package/arno-fw/arnofw.mk trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf Removed Paths: ------------- trunk/package/arno-fw/arno-firewall.mk
Modified: trunk/package/arno-fw/Config.in
===================================================================
--- trunk/package/arno-fw/Config.in 2006-08-13 05:49:35 UTC (rev 245)
+++ trunk/package/arno-fw/Config.in 2006-08-14 00:06:05 UTC (rev 246)
@@ -1,4 +1,4 @@
-config BR2_PACKAGE_ARNO_FW
+config BR2_PACKAGE_ARNOFW
 bool "Arno's Firewall Support"
 default n
 help
Deleted: trunk/package/arno-fw/arno-firewall.mk
===================================================================
--- trunk/package/arno-fw/arno-firewall.mk 2006-08-13 05:49:35 UTC (rev 245)
+++ trunk/package/arno-fw/arno-firewall.mk 2006-08-14 00:06:05 UTC (rev 246)
@@ -1,29 +0,0 @@
-#############################################################
-#
-# Arno's IPtables Firewall Script
-#
-#############################################################
-ARNO_FW_DIR:=package/arno-fw
-ARNO_FW_TARGET_BINARY=$(TARGET_DIR)/usr/sbin/arno-iptables-firewall
-
-$(ARNO_FW_TARGET_BINARY):
- $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall $(TARGET_DIR)/usr/sbin/arno-iptables-firewall
- $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall.conf $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
-
-arno_fw: uclibc linux asterisk $(ARNO_FW_TARGET_BINARY)
-
-arno_fw-clean:
- rm $(ARNO_FW_TARGET_BINARY)
- rm $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
-
-arno_fw-dirclean:
- echo "Nothing to do"
-
-#############################################################
-#
-# Toplevel Makefile options
-#
-#############################################################
-ifeq ($(strip $(BR2_PACKAGE_ARNO_FW)),y)
-TARGETS+=
-endif
Added: trunk/package/arno-fw/arnofw.mk
===================================================================
--- trunk/package/arno-fw/arnofw.mk (rev 0)
+++ trunk/package/arno-fw/arnofw.mk 2006-08-14 00:06:05 UTC (rev 246)
@@ -0,0 +1,29 @@
+#############################################################
+#
+# Arno's IPtables Firewall Script
+#
+#############################################################
+ARNOFW_DIR:=package/arno-fw
+ARNOFW_TARGET_BINARY=$(TARGET_DIR)/usr/sbin/arno-iptables-firewall
+
+$(ARNOFW_TARGET_BINARY):
+ $(INSTALL) -D -m 0755 $(ARNOFW_DIR)/arno-iptables-firewall $(TARGET_DIR)/usr/sbin/arno-iptables-firewall
+ $(INSTALL) -D -m 0700 $(ARNOFW_DIR)/arno-iptables-firewall.conf $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
+
+arnofw: uclibc linux asterisk $(ARNOFW_TARGET_BINARY)
+
+arnofw-clean:
+ rm $(ARNOFW_TARGET_BINARY)
+ rm $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
+
+arnofw-dirclean:
+ echo "Nothing to do"
+
+#############################################################
+#
+# Toplevel Makefile options
+#
+#############################################################
+ifeq ($(strip $(BR2_PACKAGE_ARNOFW)),y)
+TARGETS+=
+endif
Added: trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf
===================================================================
--- trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf (rev 0)
+++ trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf 2006-08-14 00:06:05 UTC (rev 246)
@@ -0,0 +1 @@
+link /tmp/etc/arno-iptables-firewall.conf
\ No newline at end of file
Property changes on: trunk/target/generic/target_skeleton/etc/arno-iptables-firewall.conf
___________________________________________________________________
Name: svn:special
+ *
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
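Review bot: `TARGETS+=` under `ifeq ($(strip $(BR2_PACKAGE_ARNOFW)),y)` appends nothing, so enabling the package in the configuration still builds and installs nothing; it should read `TARGETS+=arnofw`. The same empty assignment is in the original arno-firewall.mk added by r241 further down this page. In `arnofw-clean` the two `rm` lines lack `-f`, so the target fails on a second run once the files are gone; `rm -f` is the usual form for clean rules.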
From: <dha...@us...> - 2006-08-13 05:49:40
Revision: 245 Author: dhartman Date: 2006-08-12 22:49:35 -0700 (Sat, 12 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=245&view=rev Log Message: ----------- openvpn init fixes Modified Paths: -------------- trunk/package/openvpn/openvpn.init trunk/target/generic/target_skeleton/etc/openvpn.conf Added Paths: ----------- trunk/target/generic/target_skeleton/etc/openvpn
Modified: trunk/package/openvpn/openvpn.init
===================================================================
--- trunk/package/openvpn/openvpn.init 2006-08-12 16:47:39 UTC (rev 244)
+++ trunk/package/openvpn/openvpn.init 2006-08-13 05:49:35 UTC (rev 245)
@@ -15,7 +15,7 @@
 
 if [ -d /mnt/kd/openvpn ]
 then
-ln -s /mnt/kd/openvpn /etc/openvpn
+ln -s /mnt/kd/openvpn /tmp/etc/openvpn
 else
 echo "No openvpn certificate directory found.
 A directory on the keydisk is required.
Added: trunk/target/generic/target_skeleton/etc/openvpn
===================================================================
--- trunk/target/generic/target_skeleton/etc/openvpn (rev 0)
+++ trunk/target/generic/target_skeleton/etc/openvpn 2006-08-13 05:49:35 UTC (rev 245)
@@ -0,0 +1 @@
+link /tmp/etc/openvpn
\ No newline at end of file
Property changes on: trunk/target/generic/target_skeleton/etc/openvpn
___________________________________________________________________
Name: svn:special
+ *
Modified: trunk/target/generic/target_skeleton/etc/openvpn.conf
===================================================================
--- trunk/target/generic/target_skeleton/etc/openvpn.conf 2006-08-12 16:47:39 UTC (rev 244)
+++ trunk/target/generic/target_skeleton/etc/openvpn.conf 2006-08-13 05:49:35 UTC (rev 245)
@@ -1 +1 @@
-link /tmp/openvpn.conf
\ No newline at end of file
+link /tmp/etc/openvpn.conf
\ No newline at end of file
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
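Review bot: `ln -s /mnt/kd/openvpn /tmp/etc/openvpn` misbehaves on a restart: when /tmp/etc/openvpn already exists as a symlink to the key-disk directory, ln follows it and creates a stray link at /mnt/kd/openvpn/openvpn inside the certificate directory instead of replacing the old one. Use `ln -sfn /mnt/kd/openvpn /tmp/etc/openvpn` (or remove the old link first) so the init script is safe to run more than once. The enclosing function continues outside the hunk.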
From: <dha...@us...> - 2006-08-12 16:47:43
Revision: 244 Author: dhartman Date: 2006-08-12 09:47:39 -0700 (Sat, 12 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=244&view=rev Log Message: ----------- openvpn init fixes Modified Paths: -------------- trunk/package/openvpn/openvpn.init trunk/package/openvpn/openvpn.mk
Modified: trunk/package/openvpn/openvpn.init
===================================================================
--- trunk/package/openvpn/openvpn.init 2006-08-11 21:10:22 UTC (rev 243)
+++ trunk/package/openvpn/openvpn.init 2006-08-12 16:47:39 UTC (rev 244)
@@ -13,6 +13,16 @@
 modprobe tun
 fi
 
+if [ -d /mnt/kd/openvpn ]
+then
+ln -s /mnt/kd/openvpn /etc/openvpn
+else
+echo "No openvpn certificate directory found.
+A directory on the keydisk is required.
+Manual configuration of certificates is also required."
+exit
+fi
+
 echo "Creating OpenVPN config files"
 echo "#openvpn.conf created from rc.conf settings dynamically at boot
 dev $OVPN_DEV
Modified: trunk/package/openvpn/openvpn.mk
===================================================================
--- trunk/package/openvpn/openvpn.mk 2006-08-11 21:10:22 UTC (rev 243)
+++ trunk/package/openvpn/openvpn.mk 2006-08-12 16:47:39 UTC (rev 244)
@@ -59,10 +59,12 @@
 
 $(TARGET_DIR)/$(OPENVPN_TARGET_BINARY): $(OPENVPN_DIR)/$(OPENVPN_BINARY)
 $(MAKE) DESTDIR=$(TARGET_DIR) -C $(OPENVPN_DIR) install
- mkdir -p $(TARGET_DIR)/etc/openvpn
+# mkdir -p $(TARGET_DIR)/etc/openvpn
 rm -rf $(TARGET_DIR)/share/locale $(TARGET_DIR)/usr/info \
 $(TARGET_DIR)/usr/man $(TARGET_DIR)/usr/share/doc
+ $(INSTALL) -D -m 0755 package/openvpn/openvpn.init $(TARGET_DIR)/etc/init.d/openvpn
+
 
 openvpn: uclibc lzo openssl $(TARGET_DIR)/$(OPENVPN_TARGET_BINARY)
 
 openvpn-clean:
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
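Review bot: The bare `exit` in the new else branch returns status 0 after reporting that no certificate directory was found, so whatever invokes the init script sees a successful start while OpenVPN was never configured; `exit 1` makes the failure visible to the caller. The check also only verifies that the directory exists, not that it holds the key material the generated config will reference, so a present-but-empty directory still proceeds to the daemon start further down. The enclosing function continues outside the hunk.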
From: <dha...@us...> - 2006-08-11 21:10:25
Revision: 243 Author: dhartman Date: 2006-08-11 14:10:22 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=243&view=rev Log Message: ----------- init script and arno-firewall.mk typos Modified Paths: -------------- trunk/package/arno-fw/arno-firewall.mk trunk/package/iptables/iptables.init
Modified: trunk/package/arno-fw/arno-firewall.mk
===================================================================
--- trunk/package/arno-fw/arno-firewall.mk 2006-08-11 19:31:56 UTC (rev 242)
+++ trunk/package/arno-fw/arno-firewall.mk 2006-08-11 21:10:22 UTC (rev 243)
@@ -3,7 +3,7 @@
 # Arno's IPtables Firewall Script
 #
 #############################################################
-ARNO_FW_DIR:=package/arno_fw
+ARNO_FW_DIR:=package/arno-fw
 ARNO_FW_TARGET_BINARY=$(TARGET_DIR)/usr/sbin/arno-iptables-firewall
 
 $(ARNO_FW_TARGET_BINARY):
Modified: trunk/package/iptables/iptables.init
===================================================================
--- trunk/package/iptables/iptables.init 2006-08-11 19:31:56 UTC (rev 242)
+++ trunk/package/iptables/iptables.init 2006-08-11 21:10:22 UTC (rev 243)
@@ -5,7 +5,7 @@
 start () {
 if [ "$INTIF" ]
 then
-if [ $FWVERS = arno ]
+if [ "$FWVERS" = "arno" ]
 then
 /usr/sbin/arno-iptables-firewall start
 else
@@ -23,7 +23,7 @@
 stop () {
 if [ "$INTIF" ]
 then
-if [ $FWVERS = arno ]
+if [ "$FWVERS" = "arno" ]
 then
 /usr/sbin/arno-iptables-firewall stop
 else
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <dha...@us...> - 2006-08-11 19:32:03
Revision: 242 Author: dhartman Date: 2006-08-11 12:31:56 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=242&view=rev Log Message: ----------- correction to arno-firewall.mk Modified Paths: -------------- trunk/package/arno-fw/arno-firewall.mk
Modified: trunk/package/arno-fw/arno-firewall.mk
===================================================================
--- trunk/package/arno-fw/arno-firewall.mk 2006-08-11 19:25:48 UTC (rev 241)
+++ trunk/package/arno-fw/arno-firewall.mk 2006-08-11 19:31:56 UTC (rev 242)
@@ -8,7 +8,7 @@
 
 $(ARNO_FW_TARGET_BINARY):
 $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall $(TARGET_DIR)/usr/sbin/arno-iptables-firewall
- $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall.conf $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
+ $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall.conf $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
 
 arno_fw: uclibc linux asterisk $(ARNO_FW_TARGET_BINARY)
 
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <dha...@us...> - 2006-08-11 19:25:55
Revision: 241 Author: dhartman Date: 2006-08-11 12:25:48 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=241&view=rev Log Message: ----------- Add Arno's iptables firewall as an option Modified Paths: -------------- trunk/package/Config.in trunk/package/iptables/iptables.init trunk/target/generic/target_skeleton/stat/etc/rc.conf Added Paths: ----------- trunk/package/arno-fw/ trunk/package/arno-fw/Config.in trunk/package/arno-fw/arno-firewall.mk trunk/package/arno-fw/arno-iptables-firewall trunk/package/arno-fw/arno-iptables-firewall.conf
Modified: trunk/package/Config.in
===================================================================
--- trunk/package/Config.in 2006-08-11 18:47:46 UTC (rev 240)
+++ trunk/package/Config.in 2006-08-11 19:25:48 UTC (rev 241)
@@ -25,6 +25,7 @@
 comment "Other stuff"
 
 source "package/acpid/Config.in"
+source "package/arno-fw/Config.in"
 source "package/asterisk/Config.in"
 source "package/asterisknativesounds/Config.in"
 source "package/app_bundle/Config.in"
Added: trunk/package/arno-fw/Config.in
===================================================================
--- trunk/package/arno-fw/Config.in (rev 0)
+++ trunk/package/arno-fw/Config.in 2006-08-11 19:25:48 UTC (rev 241)
@@ -0,0 +1,8 @@
+config BR2_PACKAGE_ARNO_FW
+ bool "Arno's Firewall Support"
+ default n
+ help
+ Arno's IPtables Firewall is a complete
+ Firewall script.
+
+ http://rocky.molphys.leidenuniv.nl/
Added: trunk/package/arno-fw/arno-firewall.mk
===================================================================
--- trunk/package/arno-fw/arno-firewall.mk (rev 0)
+++ trunk/package/arno-fw/arno-firewall.mk 2006-08-11 19:25:48 UTC (rev 241)
@@ -0,0 +1,29 @@
+#############################################################
+#
+# Arno's IPtables Firewall Script
+#
+#############################################################
+ARNO_FW_DIR:=package/arno_fw
+ARNO_FW_TARGET_BINARY=$(TARGET_DIR)/usr/sbin/arno-iptables-firewall
+
+$(ARNO_FW_TARGET_BINARY):
+ $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall $(TARGET_DIR)/usr/sbin/arno-iptables-firewall
+ $(INSTALL) -D -m 0755 $(ARNO_FW_DIR)/arno-iptables-firewall.conf $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
+
+arno_fw: uclibc linux asterisk $(ARNO_FW_TARGET_BINARY)
+
+arno_fw-clean:
+ rm $(ARNO_FW_TARGET_BINARY)
+ rm $(TARGET_DIR)/stat/etc/arno-iptables-firewall.conf
+
+arno_fw-dirclean:
+ echo "Nothing to do"
+
+#############################################################
+#
+# Toplevel Makefile options
+#
+#############################################################
+ifeq ($(strip $(BR2_PACKAGE_ARNO_FW)),y)
+TARGETS+=
+endif
Added: trunk/package/arno-fw/arno-iptables-firewall
===================================================================
--- trunk/package/arno-fw/arno-iptables-firewall (rev 0)
+++ trunk/package/arno-fw/arno-iptables-firewall 2006-08-11 19:25:48 UTC (r 241)
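Review bot: `ARNO_FW_DIR:=package/arno_fw` does not match the directory the files are added under in this commit, `trunk/package/arno-fw`, so both `$(INSTALL)` recipe lines will fail to find their sources; it should be `ARNO_FW_DIR:=package/arno-fw`. The configuration file is installed with `-m 0755`, which makes the host's filtering policy world-readable and executable; `-m 0600` is the appropriate mode for a configuration file that is sourced, not run.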
@@ -0,0 +1,4230 @@ +#!/bin/sh +# +# chkconfig: 2345 11 89 +# description: Arno's iptables firewall + +MY_VERSION="1.8.6c" + +# Astlinux modifications by Darrick Hartman +# +############################################################################################ +# You should put this script in eg. "/etc/init.d/" (or "/etc/rc.d/"). # +# Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it # +# If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or # +# (for ie. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script # +# ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script"). # +############################################################################################ + +# Location of the configuration file for this firewall: +####################################################### +CONFIG_FILE=/etc/arno-iptables-firewall.conf + +# ------------------------------------------------------------------------------------------ +# -= Arno's iptables firewall =- +# Single- & multi-homed firewall script with DSL/ADSL support +# +# ~ In memory of my dear father ~ +# +# (C) Copyright 2001-2006 by Arno van Amersfoort +# Homepage : http://rocky.eld.leidenuniv.nl/ +# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 +# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l +# (note: you must remove all spaces and substitute the @ and the . +# at the proper locations!) +# ------------------------------------------------------------------------------------------ +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. 
+ +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# ------------------------------------------------------------------------------------------ + +printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$MY_VERSION\033[0m\n" +echo "-------------------------------------------------------------------------------" + +# Astlinux mod: check if config file is on key disk or use default from stat +############################################################################# +if [ -e /mnt/kd/arno-iptables-firewall.conf ]; then + ln -s /mnt/kd/arno-iptables-firewall.conf /tmp/etc/arno-iptables-firewall.conf +else + cp /stat/etc/arno-iptables-firewall.conf /tmp/etc/arno-iptables-firewall.conf +fi + +# Check if config file exists and if so load it +############################################### +if [ -e "$CONFIG_FILE" ]; then + . $CONFIG_FILE + # Check whether we also need to drop messages in a dedicated firewall log file + if [ -z "$FIREWALL_LOG" ]; then FIREWALL_LOG="/dev/null"; fi +else + printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FILE!\033[0m\n" + printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" + exit 2 +fi + +# if $LOGLEVEL is not set, default to "info" +############################################ +if [ -z "$LOGLEVEL" ]; then + LOGLEVEL="info" +fi + + +sanity_check() +{ + # root check + if [ "$(id -u)" != "0" ]; then + printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! 
Quitting...\033[0m\n" + exit 1 + fi + + # Make sure EXT_IF != "" + ######################## + if [ -z "$EXT_IF" ]; then + printf "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m\n" + printf "\033[40m\033[1;31m Please, check the configuration file.\033[0m\n" + exit 2 + fi + + # Check whether EXT_IF's exists + ############################### + for interface in $EXT_IF; do + if [ -z "$(echo $interface |grep '\+')" ]; then + result=`ifconfig $interface >/dev/null 2>&1` + return_val=$? + if [ "$return_val" != "0" ]; then + printf "\033[40m\033[1;31mNOTE: External interface $interface does NOT exist (yet?)\033[0m\n" + printf "\033[40m\033[1;31mResult was: $result\033[0m\n" + fi + fi + done + + # Check whether MODEM_IF exists + ############################### + if [ -n "$MODEM_IF" ]; then + result=`ifconfig $MODEM_IF >/dev/null 2>&1` + return_val=$? + if [ "$return_val" != "0" ]; then + printf "\033[40m\033[1;31mNOTE: Modem interface $interface does NOT exist (yet?)\033[0m\n" + printf "\033[40m\033[1;31mResult was: $result\033[0m\n" + fi + fi + + # Check whether INT_IF's exists + ############################### + for interface in $INT_IF; do + if [ -z "$(echo $interface |grep '\+')" ]; then + result=`ifconfig $MODEM_IF >/dev/null 2>&1` + return_val=$? + if [ "$return_val" != "0" ]; then + printf "\033[40m\033[1;31mNOTE: Internal interface $interface does NOT exist (yet?)\033[0m\n" + printf "\033[40m\033[1;31mResult was: $result\033[0m\n" + fi + fi + done + + # Check whether DMZ_IF's exists + ############################### + for interface in $DMZ_IF; do + if [ -z "$(echo $interface |grep '\+')" ]; then + result=`ifconfig $MODEM_IF >/dev/null 2>&1` + return_val=$? 
+ if [ "$return_val" != "0" ]; then + printf "\033[40m\033[1;31mNOTE: DMZ interface $interface does NOT exist (yet?)\033[0m\n" + printf "\033[40m\033[1;31mResult was: $result\033[0m\n" + fi + fi + done + + # Check whether TRUSTED_IF's exists + ################################### + for interface in $TRUSTED_IF; do + if [ -z "$(echo $interface |grep '\+')" ]; then + result=`ifconfig $MODEM_IF >/dev/null 2>&1` + return_val=$? + if [ "$return_val" != "0" ]; then + printf "\033[40m\033[1;31mNOTE: Trusted interface $interface does NOT exist (yet?)\033[0m\n" + printf "\033[40m\033[1;31mResult was: $result\033[0m\n" + fi + fi + done + + # Make sure INT_IF != EXT_IF + ############################ + for eif in $EXT_IF; do + for iif in $INT_IF; do + if [ "$iif" = "$eif" ]; then + printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as one in\033[0m\n" + printf "\033[40m\033[1;31m INT_IF! Please, check the configuration file.\033[0m\n" + exit 3 + fi + done + done + + # Make sure EXT_IF != MODEM_IF + ############################## + for eif in $EXT_IF; do + if [ "$eif" = "$MODEM_IF" ]; then + printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as the\033[0m\n" + printf "\033[40m\033[1;31m MODEM_IF! Please, check the configuration file.\033[0m\n" + exit 4 + fi + done + + # Make sure INT_IF != MODEM_IF + ############################## + if [ -n "$MODEM_IF" ]; then + for iif in $INT_IF; do + if [ "$iif" = "$MODEM_IF" ]; then + printf "\033[40m\033[1;31mERROR: One or more interfaces specified in INT_IF is the same as the one in\033[0m\n" + printf "\033[40m\033[1;31m MODEM_IF! 
Please, check the configuration file.\033[0m\n" + exit 5 + fi + done + fi + + # Make sure EXT_IF != lo / 127.0.0.1 + #################################### + for eif in $EXT_IF; do + if [ "$eif" = "lo" ] || [ "$eif" = "127.0.0.1" ]; then + printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF has the address or name of the\033[0m\n" + printf "\033[40m\033[1;31m local loopback device! Please, check the configuration file.\033[0m\n" + exit 6 + fi + done + + # Make sure INT_IF != lo / 127.0.0.1 + #################################### + for iif in $INT_IF; do + if [ "$iif" = "lo" ] || [ "$iif" = "127.0.0.1" ]; then + printf "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or\033[0m\n" + printf "\033[40m\033[1;31m name of the local loopback device! Please, check the configuration file.\033[0m\n" + exit 7 + fi + done + + # Make sure MODEM_IF != lo / 127.0.0.1 + ###################################### + if [ "$MODEM_IF" = "lo" ] || [ "$MODEM_IF" = "127.0.0.1" ]; then + printf "\033[40m\033[1;31mERROR: The interface specified in MODEM_IF has the address or name of the local\033[0m\n" + printf "\033[40m\033[1;31m loopback device! Please, check the configuration file.\033[0m\n" + exit 8 + fi + + # Make sure than when multi route masquerade is enabled, multiple external + # interfaces exist + ########################################################################## + if [ "$MASQ_MULTI_ROUTE" = "1" ] && [ -z "$(echo $EXT_IF |grep ' ')" ]; then + printf "\033[40m\033[1;31mERROR: Multiroute masquerade is enabled but only one external interface is\033[0m\n" + printf "\033[40m\033[1;31m specified! Please, check the configuration file.\033[0m\n" + exit 9 + fi + + # If support for an DHCP server serving an external net is enabled, we + # also need to know what the external net is. 
+ ########################################################################## + if [ "$EXTERNAL_DHCP_SERVER" = "1" ] && [ -z "$EXTERNAL_NET" ]; then + printf "\033[40m\033[1;31mERROR: You have enabled external DHCP server support but required variable\033[0m\n" + printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" + exit 10 + fi + + # We can only perform NAT if NAT_INTERNAL_NET is defined + if [ "$NAT" = "1" ] && [ -z "$NAT_INTERNAL_NET" ]; then + printf "\033[40m\033[1;31mERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!\033[0m\n" + exit 11 + fi + + # If support the nmb_broadcast_fix is enabled we need the EXTERNAL_NET set + ########################################################################## + if [ "$NMB_BROADCAST_FIX" = "1" ] && [ -z "$EXTERNAL_NET" ]; then + printf "\033[40m\033[1;31mERROR: You have enabled the NMB_BROADCAST_FIX but required variable\033[0m\n" + printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" + exit 12 + fi + + # Warn if no_broadcast variables are used and external net is NOT defined + ########################################################################## + if [ -n "$BROADCAST_TCP_NOLOG" ] || [ -n "$BROADCAST_UDP_NOLOG" ]; then + if [ -z "$EXTERNAL_NET" ]; then + printf "\033[40m\033[1;31mWARNING: You are using the BROADCAST_xxx_NOLOG variables but the EXTERNAL_NET\033[0m\n" + printf "\033[40m\033[1;31m has NOT been defined! This could be a problem.\033[0m\n" + fi + fi + + # Check whether the iptables binary exists and if it's executable + ################################################################# + if [ ! 
-x $IPTABLES ]; then + printf "\033[40m\033[1;31mERROR: Binary \"$IPTABLES\" does not exist or is not executable!\033[0m\n" + printf "\033[40m\033[1;31m Please, make sure that IPTABLES is (properly) installed!\033[0m\n" + exit 13 + fi + + # Check that we have at least kernel 2.4 else generate a warning (no error as 2.2 kernels could be iptables patched) + #################################################################################################################### + KERNELMAJ=`uname -r |sed -e 's,\..*,,'` + KERNELMIN=`uname -r |sed -e 's,[^\.]*\.,,' -e 's,\..*,,'` + if [ "$KERNELMAJ" -lt 2 ] || [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ]; then + printf "\033[40m\033[1;31mWARNING: Your kernel version is older than 2.4! Your kernel probably doesn't\033[0m\n" + printf "\033[40m\033[1;31m support IPTABLES unless an IPTABLES patch is compiled in it.\033[0m\n" + fi + + # Check whether IPCHAINS is active else IPTABLES won't work (RedHat <7.2 for example) + ########################################################################################### + if /sbin/lsmod 2>/dev/null |grep -q ipchains; then + printf "\033[40m\033[1;31mERROR: Found IPCHAINS module loaded in the kernel. Unable to load IPTABLES module because of this!\033[0m\n" + printf "\033[40m\033[1;31m Please, use \"rmmod ipchains\" (as root) to remove the IPCHAINS module and then run this script again.\033[0m\n" + exit 14 + fi + + # Passed all sanity checks :-) + ############################## + echo "Sanity checks passed...OK" +} + + +# Helper function to load a module +module_probe() +{ + if [ -x /sbin/modprobe ]; then + result=`/sbin/modprobe $1 2>&1` + else + # Let the path figure it out + result=`modprobe $1 2>&1` + fi + + if [ "$?" 
!= "0" ]; then + printf "\033[40m\033[1;31m$result\033[0m\n" # Show any (error) messages generated by modprobe in red + else + if [ -n "$result" ]; then # If result is not empty, show it + echo "$result" + fi + fi +} + + +load_modules() +{ + if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.* ]; then + echo "Detected IPTABLES module... Loading additional IPTABLES modules:" + + module_probe ip_tables # Required; all ipv4 modules depend on this one + module_probe ip_conntrack # Allows connection tracking state match, which allows you to + # write rules matching the state of a connection + module_probe ip_conntrack_ftp # Permits active FTP; requires ip_conntrack + + module_probe ipt_conntrack # Allows tracking for various protocols, placing entries + # in the conntrack table etc. + module_probe ipt_limit # Allows log limits + module_probe ipt_state # Permits packet state checking (SYN, SYN-ACK, ACK, and so on). + module_probe ipt_multiport # Allows packet specifications on multiple ports + + module_probe iptable_filter # Implements the filter table + module_probe iptable_nat # Implements the nat table + + if [ -n "$MAC_ADDRESS_FILE" ]; then + module_probe ipt_mac # Allows specifying MAC address + fi + +# (Currently) unused modules: +# module_probe ipt_iprange # Allows to use IP ranges in rules +# module_probe ipt_addrtype # Allows matching src/dst address type (BROKEN!) +# module_probe ipt_pkttype # Permits checking for packet type (BROADCAST, MULTICAST etc.) (BROKEN!) +# module_probe ipt_recent # Allows checking for recent packets +# module_probe ip_queue # Allows queuing packets to user space +# module_probe ipt_owner # Permits user/group checking on OUTPUT packets +# module_probe ipt_mark # Allows use of mark match +# module_probe ip_conntrack_egg + + if [ "$USE_IRC" = "1" ]; then +# echo "Enabling IRC DCC module support..." 
+ module_probe ip_conntrack_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001 + + if [ "$NAT" = "1" ]; then + module_probe ip_nat_irc #ports=6661,6662,6663,6664,6665,6666,6667,6668,6669,7000,7001 + fi + fi + + if [ "$SET_MSS" != "0" ]; then + module_probe ipt_tcpmss # Permits TCPMSS checking on a packet + fi + + if [ "$NAT" = "1" ]; then + module_probe iptable_nat # Implements nat table + module_probe ip_nat_ftp # Permits active FTP via nat; requires ip_conntrack, iptables_nat + fi + + if [ "$MANGLE_TOS" != "0" ] || [ "$PACKET_TTL" = "1" ] || [ "$TTL_INC" = "1" ]; then + module_probe iptable_mangle # Implements the mangle table + fi + + if [ "$MANGLE_TOS" != "0" ]; then + module_probe ipt_tos # Permits TOS checking on a packet + fi + + if [ "$PACKET_TTL" = "1" ] || [ "$TTL_INC" = "1" ]; then + module_probe ipt_ttl # Enable ttl manipulation + fi + +# if [ "$TRAFFIC_SHAPING" = "1" ]; then +# module_probe ipt_length +# fi + + echo "All IPTABLES modules loaded!" + else + echo "No module found for IPTABLES, assuming ALL modules are compiled in the kernel." + fi +} + + +setup_misc() +{ + # Most people don't want to get any firewall logs being spit to the console + # This option makes the kernel ring buffer to only log messages with level "panic" + if [ "$DMESG_PANIC_ONLY" = "1" ]; then + echo "Setting the kernel ring buffer to only log panic messages to the console" +# dmesg -c # Clear ring buffer + dmesg -n 1 # Only show panic messages on the console + fi +} + + +setup_proc_settings() +{ + echo "Configuring /proc/.... settings:" + + # Use /proc rp_filter values to drop connections from non-routable IPs + ###################################################################### + if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then + if [ "$RP_FILTER" = "1" ]; then + echo " Enabling anti-spoof with rp_filter." + else + echo " Disabling anti-spoof with rp_filter." 
+ fi + + for i in /proc/sys/net/ipv4/conf/*/rp_filter; do +# if [ "$i" = "/proc/sys/net/ipv4/conf/$EXT_IF/rp_filter" ] || [ "$RP_FILTER" != "0" ]; then + if [ "$RP_FILTER" = "1" ]; then + echo "1" > $i + else + echo "0" > $i + fi + done + fi + + # Block ALL ICMP echo requests? + ############################### + if [ "$ECHO_IGNORE" = "1" ]; then + echo " Blocking all ICMP echo-requests" + echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all + else + echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all + fi + + # Add synflood protection? + ########################## + if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then + if [ "$SYN_PROT" != 0 ]; then + echo " Enabling SYN-flood protection via SYN-cookies." + echo "1" > /proc/sys/net/ipv4/tcp_syncookies + else + echo " Disabling SYN-flood protection via SYN-cookies." + echo "0" > /proc/sys/net/ipv4/tcp_syncookies + fi + fi + + # Log martians? + ############### + if [ "$LOG_MARTIANS" = "1" ]; then + echo " Enabling the logging of martians." + echo "1" > /proc/sys/net/ipv4/conf/all/log_martians + else + echo " Disabling the logging of martians." + echo "0" > /proc/sys/net/ipv4/conf/all/log_martians + fi + + # Accept ICMP redirect messages? + ################################ + if [ "$ICMP_REDIRECT" = "1" ]; then + echo " Enabling the acception of ICMP-redirect messages." + echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects + else + echo " Disabling the acception of ICMP-redirect messages." + echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects + fi + + # Set the maximum number of connections to track. + # The kernel "default" depends on the available amount of RAM, 128 MB of RAM -> 8192 + # possible entries, 256 MB of RAM --> 16376 possible entries, etc... + ####################################################################################### + if [ ! -f /proc/sys/net/ipv4/ip_conntrack_max ] && [ ! 
-f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ] \ + && [ -n "$CONNTRACK" ]; then + printf "\033[40m\033[1;31m WARNING: /proc/../ip_conntrack_max was NOT found. This may be a problem!\033[0m\n" + else + if [ -n "$CONNTRACK" ]; then + echo " Setting the max. amount of simultaneous connections to $CONNTRACK." + else + echo " Setting the max. amount of simultaneous connections to 4096 (default)." + fi + + # Default location for ip_conntrack_max + if [ -f /proc/sys/net/ipv4/ip_conntrack_max ]; then + if [ -n "$CONNTRACK" ]; then + echo "$CONNTRACK" > /proc/sys/net/ipv4/ip_conntrack_max + else + echo "4096" > /proc/sys/net/ipv4/ip_conntrack_max + fi + fi + + # Alternate location for ip_conntrack_max + if [ -f /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then + if [ -n "$CONNTRACK" ]; then + echo "$CONNTRACK" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max + else + echo "4096" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max + fi + fi + fi + + # Disable ICMP send_redirect + ############################ + if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then + for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do + echo "0" > $interface + done + fi + + # Don't accept source routed packets. + # Attackers can use source routing to generate + # traffic pretending to be from inside your network, but which is routed back along + # the path from which it came, namely outside, so attackers can compromise your + # network. Source routing is rarely used for legitimate purposes. + ################################################################################### + if [ "$SOURCE_ROUTE_PROTECTION" = "0" ]; then + echo " DISABLING protection against source routed packets." + for interface in /proc/sys/net/ipv4/conf/*/accept_source_route; do + echo "1" > $interface + done + else + echo " Enabling protection against source routed packets." 
+ for interface in /proc/sys/net/ipv4/conf/*/accept_source_route; do + echo "0" > $interface + done + fi + + # ICMP Broadcasting protection (smurf amplifier protection) + ########################################################### + if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then + echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts + fi + + # ICMP Dead Error Messages protection + ##################################### + if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then + echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses + fi + + # Enable automatic IP defragmenting (is obsolete for 2.4 kernels, but still used for 2.2 legacy support) + ######################################################################################################## + if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then + echo "1" > /proc/sys/net/ipv4/ip_always_defrag + fi + + # LooseUDP patch is required by some internet-based games + # + # If you are trying to get an internet game to work through your IP MASQ box, + # and you have set it up to the best of your ability without it working., try + # enabling this option. This option is disabled by default due to possible + # internal machine UDP port scanning vulnerabilities. + ############################################################################# + if [ "$LOOSE_UDP_PATCH" = "1" ]; then + if [ -e /proc/sys/net/ipv4/ip_masq_udp_dloose ]; then + echo " Enabling the LOOSE_UDP_PATCH (required for some internet games, but less secure!)." + echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose + else + printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_masq_udp_dloose does not exist!\033[0m\n" + fi + else + if [ -e /proc/sys/net/ipv4/ip_masq_udp_dloose ]; then + echo " Disabling the LOOSE_UDP_PATCH (more secure)." 
+ echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose + fi + fi + + # IP forwarding (need it to perform for example NAT) + #################################################### + if [ "$IP_FORWARDING" != "0" ]; then + if [ -e /proc/sys/net/ipv4/ip_forward ]; then + echo "1" > /proc/sys/net/ipv4/ip_forward + else + printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_forward does not exist! If you're using\033[0m\n" + printf "\033[40m\033[1;31m NAT or any other type of forwarding this may be a problem.\033[0m\n" + fi + else + if [ -e /proc/sys/net/ipv4/ip_forward ]; then + echo "0" > /proc/sys/net/ipv4/ip_forward + fi + fi + + # Change some default timings to fix false logs generated by "lost connections" + ############################################################################### + echo " Setting default conntrack timeouts." + echo "60" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout + echo "180" > /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream +# echo 10 >/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close +# echo 300 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans +# echo 600 > /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout +# echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout +# echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait +# echo 30 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack +# echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait +# echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait +# echo 60 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv +# echo 120 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent + + + # Reduce DoS'ing ability by reducing timeouts + # Defaults: + # echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout + # echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time + # echo 1 > /proc/sys/net/ipv4/tcp_window_scaling + # echo 1 > 
/proc/sys/net/ipv4/tcp_sack + ############################################################# + if [ "$REDUCE_DOS_ABILITY" = "1" ]; then + echo " Enabling reduction of the DoS'ing ability." + + echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout + echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time + echo "0" > /proc/sys/net/ipv4/tcp_window_scaling + echo "0" > /proc/sys/net/ipv4/tcp_sack + fi + + # Set out local port range. Kernel default = "1024 4999" + ######################################################## + if [ -z "$LOCAL_PORT_RANGE" ]; then + LOCAL_PORT_RANGE="32768 61000" + fi + echo "$LOCAL_PORT_RANGE" > /proc/sys/net/ipv4/ip_local_port_range + # Now we change the LOCAL_PORT_RANGE for further use by iptables (replace space with :) + LOCAL_PORT_RANGE="$(echo $LOCAL_PORT_RANGE |sed s,' ',':',)" + + # Time To Live (TTL) is the term for a data field in the internet protocol. + # TTL is today interpreted to indicate the maximum number of routers a packet may transit. + # Each router that handles a packet will decrement the TTL field by 1. + # Raise if you have a huge network. + # Set the default ttl. (Kernel Default: 64) + ########################################################################################### + if [ -n "$DEFAULT_TTL" ]; then + if [ ! -e /proc/sys/net/ipv4/ip_default_ttl ]; then + printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/ip_default_ttl does not exist!\033[0m\n" + else + if [ $DEFAULT_TTL -gt 9 ] && [ $DEFAULT_TTL -lt 256 ]; then + echo " Setting Default TTL=$DEFAULT_TTL" + echo "$DEFAULT_TTL" > /proc/sys/net/ipv4/ip_default_ttl + else + printf "\033[40m\033[1;31m WARNING: Ingoring invalid value for DEFAULT_TTL ($DEFAULT_TTL), it should be between 10 and 255!\033[0m\n" + fi + fi + else + # If no Variable is set... + if [ -e /proc/sys/net/ipv4/ip_default_ttl ]; then + echo " Setting default TTL to 64" + echo "64" > /proc/sys/net/ipv4/ip_default_ttl + fi + fi + + # Increase the default queuelength. 
(Kernel Default: 1024) + ########################################################## + if [ -e /proc/sys/net/ipv4/ipv4/ip_queue_maxlen ]; then + echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen + fi + + # Enable ECN? (Explicit Congestion Notification) + ################################################ + if [ "$ECN" = "1" ]; then + if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then + echo " Enabling ECN (Explicit Congestion Notification)." + echo "1" > /proc/sys/net/ipv4/tcp_ecn + else + printf "\033[40m\033[1;31m WARNING: /proc/sys/net/ipv4/tcp_ecn does not exist!\033[0m\n" + fi + else + if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then + echo " Disabling ECN (Explicit Congestion Notification)." + echo "0" > /proc/sys/net/ipv4/tcp_ecn + fi + fi + + # This enables dynamic-address hacking which makes the + # life with Diald and similar programs much easier. + ###################################################### + if [ "$EXT_IF_DHCP_IP" = "1" ]; then + echo " Enabling support for dynamic IP's" + echo "1" > /proc/sys/net/ipv4/ip_dynaddr + else + echo "0" > /proc/sys/net/ipv4/ip_dynaddr + fi + + # In most cases pmtu discovery is ok, but in some rare cases (when having problems) + # you might want to disable it. + if [ "$NO_PMTU_DISCOVERY" = "1" ]; then + echo " Disabling PMTU discovery" + echo "1" > /proc/sys/net/ipv4/ip_no_pmtu_disc + else + echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc + fi + + echo "/proc/ setup done..." +} + + +setup_filter_table() +{ + echo "Flushing rules in the filter table." 
+ + # Attempt to flush all rules in filter table + ############################################ + $IPTABLES -F + $IPTABLES -X + + # Flush built-in rules + ###################### + $IPTABLES -F INPUT + $IPTABLES -F OUTPUT + $IPTABLES -F FORWARD + $IPTABLES -t nat -F 2>/dev/null + $IPTABLES -t nat -X 2>/dev/null + $IPTABLES -t mangle -F 2>/dev/null + $IPTABLES -t mangle -X 2>/dev/null + + # New table named HOST_BLOCK, the block user defined hosts (blackhole) + ###################################################################### + $IPTABLES -N HOST_BLOCK + + # New table named MAC_FILTER, to filter internal hosts using their MAC address + ############################################################################## + $IPTABLES -N MAC_FILTER + + echo "Setting default (secure) policies." + # Set standard policies for the built-in tables (drop = very secure) + #################################################################### + $IPTABLES -P INPUT DROP + $IPTABLES -P FORWARD DROP + $IPTABLES -P OUTPUT ACCEPT + + $IPTABLES -t nat -P POSTROUTING ACCEPT 2>/dev/null + $IPTABLES -t nat -P PREROUTING ACCEPT 2>/dev/null + + $IPTABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null + $IPTABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null + + # Reset the iptables counters + $IPTABLES -Z + $IPTABLES -t nat -Z 2>/dev/null + $IPTABLES -t mangle -Z 2>/dev/null +} + + +# Helper function to split get hostname(s) from variable +get_dhost() +{ + # Get variable from stdin + read hosts_ports + + if [ -z "$(echo "$hosts_ports" |grep ":")" ]; then + echo "$hosts_ports" + return 1 + else + CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" + # IP or hostname? + if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' 
-e '[a-z]' )" ]; then + echo "$CHK_HOST" + else + echo "0/0" + fi + fi + + return 0 +} + + +# Helper function to split get port(s) from variable +get_dport() +{ + # Get variable from stdin + read hosts_ports + + if [ -z "$(echo "$hosts_ports" |grep ":")" ]; then + printf "" + return 1 + else + CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" + # IP or hostname? + if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then + hostname="$CHK_HOST" + echo "$(echo "$hosts_ports" |sed s/"^$hostname:"// |sed s/'-'/':'/g)" + else + echo "$(echo "$hosts_ports" |sed s/'-'/':'/g)" + fi + fi + + return 0 +} + + +# Helper function to split get hostname(s) from variable +get_shost() +{ + # Get variable from stdin + read hosts_ports + + if [ -z "$(echo "$hosts_ports" |grep ":")" ]; then + echo "0/0" + return 1 + else + CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" + # IP or hostname? + if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then + echo "$CHK_HOST" + else + echo "0/0" + fi + fi + + return 0 +} + + +# Helper function to split get port(s) from variable +get_sport() +{ + # Get variable from stdin + read hosts_ports + + if [ -z "$(echo "$hosts_ports" |grep ":")" ]; then + echo "$hosts_ports" |sed s/'-'/':'/g + return 1 + else + CHK_HOST="$(echo "$hosts_ports" |awk -F: '{ print $1 }')" + # IP or hostname? + if [ -n "$(echo "$CHK_HOST" |grep -i -e '\.' -e '[a-z]')" ]; then + hostname="$CHK_HOST" + echo "$(echo "$hosts_ports" |sed s/"^$hostname:"// |sed s/'-'/':'/g)" + else + echo "$(echo "$hosts_ports" |sed s/'-'/':'/g)" + fi + fi + + return 0 +} + + +# Helper function to resolve an IP to a DNS name +# $1 = IP. 
stdout = DNS name +get_hostname() +{ + if [ -n "$(echo "$1" |grep '/')" ]; then + return 1 + else + printf "$(dig +short +tries=1 +time=1 -x "$1" 2>/dev/null |grep -v "^;;" |head -n1)" + fi + + return 0 +} + + +################################################################################################################## +## Chain VALID_CHK - Check packets for invalid flags etc. ## +################################################################################################################## +setup_valid_chk_chain() +{ + # Create new chain: + $IPTABLES -N VALID_CHK + + ## Log scanning of nmap etc. + ############################ + if [ "$SCAN_LOG" != "0" ]; then + echo "Logging of stealth scans (nmap probes etc.) enabled." + + # (NMAP) FIN/URG/PSH + #################### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS scan: " + + # SYN/RST/ACK/FIN/URG + ##################### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-PSH scan: " + + # ALL/ALL + ######### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL ALL \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth XMAS-ALL scan: " + + # NMAP FIN Stealth + ################## + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL FIN \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth FIN scan: " + + # SYN/RST + ######### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/RST scan: " + + # SYN/FIN (probably) + #################### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth SYN/FIN scan(?): " + + # Null scan + 
########### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL NONE \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth Null scan: " + + else + echo "Logging of stealth scans (nmap probes etc.) disabled." + fi + + # Drop (NMAP) scan packets: + ########################### + + # NMAP FIN/URG/PSH + ################## + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP + + # SYN/RST/ACK/FIN/URG + ##################### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP + + # ALL/ALL Scan + ############## + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL ALL -j DROP + + # NMAP FIN Stealth + ################## + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL FIN -j DROP + + # SYN/RST + ######### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + + # SYN/FIN -- Scan(probably) + ########################### + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + + # NMAP Null Scan + ################ + $IPTABLES -A VALID_CHK -p tcp --tcp-flags ALL NONE -j DROP + + # Log packets with bad flags? + ############################# + if [ "$BAD_FLAGS_LOG" != "0" ]; then + echo "Logging of packets with bad TCP-flags enabled." + $IPTABLES -A VALID_CHK -p tcp --tcp-option 64 \ + -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Bad TCP flag(64): " + + $IPTABLES -A VALID_CHK -p tcp --tcp-option 128 \ + -m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Bad TCP flag(128): " + else + echo "Logging of packets with bad TCP-flags disabled." 
+ fi + + # Drop packets with bad tcp flags + ################################# + $IPTABLES -A VALID_CHK -p tcp --tcp-option 64 -j DROP + $IPTABLES -A VALID_CHK -p tcp --tcp-option 128 -j DROP + + # These packets are normally from "lost connection" and thus can generate false alarms + # So we might want to ignore such packets + ###################################################################################### + if [ "$LOST_CONNECTION_LOG" != "1" ]; then + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK -j DROP + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j DROP + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,FIN -j DROP + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST ACK,RST -j DROP + $IPTABLES -A VALID_CHK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j DROP + fi + + # Logging of possible stealth scans + ################################### + if [ "$POSSIBLE_SCAN_LOG" = "1" ]; then + echo "Logging of possible stealth scans enabled." + if [ "$UNPRIV_TCP_LOG" != "0" ]; then + $IPTABLES -A VALID_CHK -p tcp ! --syn --dport 1024: \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth scan (UNPRIV)?: " + fi + + if [ "$PRIV_TCP_LOG" != "0" ]; then + $IPTABLES -A VALID_CHK -p tcp ! --syn --dport :1023 \ + -m limit --limit 3/m --limit-burst 5 -j LOG --log-level $LOGLEVEL --log-prefix "Stealth scan (PRIV)?: " + fi + else + echo "Logging of possible stealth scans disabled." + fi + + # Possible stealth scan drop (we don't like "new"-packets which don't have SYN-only set) + ######################################################################################## + $IPTABLES -A VALID_CHK -p tcp ! 
--syn -j DROP + + # Here we add some protection from random packets we receive, such as random sweeps from other + # (possible) hacked computers, or just packets who are invalid, not belonging to ANY connection + ############################################################################################### + if [ "$INVALID_PACKET_LOG" != "0" ]; then + echo "Logging of INVALID packets enabled." + + # Only log INVALID ICMP-request packets when we also want to log "normal" ICMP-request packets + if [ "$ICMP_REQUEST_LOG" != "0" ]; then + $IPTABLES -A VALID_CHK -p icmp --icmp-type echo-request -m state --state INVALID \ + -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID packet: " + fi + + # Only log INVALID ICMP-other packets when we also want to log "normal" ICMP-other packets + if [ "$ICMP_OTHER_LOG" != "0" ]; then + $IPTABLES -A VALID_CHK -p icmp ! --icmp-type echo-request -m state --state INVALID \ + -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID packet: " + fi + + $IPTABLES -A VALID_CHK -p ! icmp -m state --state INVALID \ + -m limit --limit 1/m --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "INVALID packet: " + else + echo "Logging of INVALID packets disabled." + fi + + # Drop invalid packets + ###################### + $IPTABLES -A VALID_CHK -m state --state INVALID -j DROP + + ## Log fragmented packets + ######################### + if [ "$FRAG_LOG" = "1" ]; then + echo "Logging of fragmented packets enabled." + $IPTABLES -A VALID_CHK -f -m limit --limit 3/m --limit-burst 1 -j LOG --log-prefix "Fragmented packet: " + else + echo "Logging of fragmented packets disabled." 
+ fi + + # Drop fragmented packets + ######################### + $IPTABLES -A VALID_CHK -f -j DROP +} + + +################################################################################################################ +## Chain RESERVED_NET_CHK - Check if the source addresses of the packets are (in)valid ## +################################################################################################################ +setup_reserved_net_chk_chain() +{ + # Create new chain: + $IPTABLES -N RESERVED_NET_CHK + + # Log access from reserved addresses + #################################### + if [ "$RESERVED_NET_LOG" != "0" ]; then + echo "Logging of access from reserved addresses enabled." + $IPTABLES -A RESERVED_NET_CHK -s 10.0.0.0/8 \ + -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Class A address: " + + $IPTABLES -A RESERVED_NET_CHK -s 172.16.0.0/12 \ + -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Class B address: " + + $IPTABLES -A RESERVED_NET_CHK -s 192.168.0.0/16 \ + -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Class C address: " + + $IPTABLES -A RESERVED_NET_CHK -s 169.254.0.0/16 \ + -m limit --limit 1/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Class M$ address: " + else + echo "Logging of access from reserved addresses disabled." + fi + + + # rp_filter drops some of these addresses, but just to be sure :) + ################################################################ + #echo "Denying access from reserved addresses..." 
+ $IPTABLES -A RESERVED_NET_CHK -s 10.0.0.0/8 -j DROP + $IPTABLES -A RESERVED_NET_CHK -s 172.16.0.0/12 -j DROP + $IPTABLES -A RESERVED_NET_CHK -s 192.168.0.0/16 -j DROP + $IPTABLES -A RESERVED_NET_CHK -s 169.254.0.0/16 -j DROP +} + + +################################################################################################################ +## Chain SPOOF_CHK - Check if the source address is not spoofed ## +################################################################################################################ +setup_spoof_chk_chain() +{ + # Create new chain: + $IPTABLES -N SPOOF_CHK + + echo "Setting up anti-spoof rules." + + # Anti-spoof protection for the internal net + for net in $INTERNAL_NET; do + for interface in $INT_IF; do + # Any internal net is valid + $IPTABLES -A SPOOF_CHK -i $interface -s $net -j RETURN + done + $IPTABLES -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "Spoofed packet: " + $IPTABLES -A SPOOF_CHK -s $net -j DROP + done + + # Anti-spoof protection for the DMZ net + for net in $DMZ_NET; do + for interface in $DMZ_IF; do + # Any dmz net is valid + $IPTABLES -A SPOOF_CHK -i $interface -s $net -j RETURN + done + $IPTABLES -A SPOOF_CHK -s $net -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "Spoofed packet: " + $IPTABLES -A SPOOF_CHK -s $net -j DROP + done + + if [ -n "$MODEM_IF" ] && [ -n "$MODEM_IF_IP" ]; then + # Anti spoof protection for the modem net + ######################################### + $IPTABLES -A SPOOF_CHK -i ! $MODEM_IF -s "$MODEM_IF_IP/24" \ + -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "Spoofed (MODEM) packet: " + $IPTABLES -A SPOOF_CHK -i ! 
$MODEM_IF -s "$MODEM_IF_IP/24" -j DROP + fi + + # Everything else is valid + $IPTABLES -A SPOOF_CHK -j RETURN +} + + +################################################## +# Setup chain for the DMZ input traffic # +################################################## +setup_dmz_input_chain() +{ + # Create new chain: + $IPTABLES -N DMZ_INPUT_CHAIN 2>/dev/null + + # Adding TCP ports NOT to be firewalled + ####################################### + if [ -n "$DMZ_OPEN_TCP" ]; then + echo "Allowing DMZ hosts to connect to TCP port(s): $DMZ_OPEN_TCP" + for port in $DMZ_OPEN_TCP; do + $IPTABLES -A DMZ_INPUT_CHAIN -p tcp --syn --dport $port -j ACCEPT + done + fi + + # Adding UDP ports NOT to be firewalled + ####################################### + if [ -n "$DMZ_OPEN_UDP" ]; then + echo "Allowing DMZ hosts to connect to UDP port(s): $DMZ_OPEN_UDP" + for port in $DMZ_OPEN_UDP; do + $IPTABLES -A DMZ_INPUT_CHAIN -p udp --dport $port -j ACCEPT + done + fi + + # Adding IP protocols NOT to be firewalled + ########################################## + if [ -n "$DMZ_OPEN_IP" ]; then + echo "Allowing DMZ hosts to connect to IP protocol(s): $DMZ_OPEN_IP" + for proto in $DMZ_OPEN_IP; do + $IPTABLES -A DMZ_INPUT_CHAIN -p $proto -j ACCEPT + done + fi + + # Allow to send ICMP packets? + ############################# + if [ "$DMZ_OPEN_ICMP" = "1" ]; then + echo "Allowing DMZ hosts to send ICMP-requests(ping)." 
+ $IPTABLES -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT + fi + + # Add TCP ports to allow for certain hosts + ########################################## + for rule in $DMZ_HOST_OPEN_TCP; do + echo "$rule" | { + IFS='>' read hosts ports + + IFS=',' + + for host in $hosts; do + echo " Allowing DMZ host $host to connect to TCP port(s): $ports" + + for port in $ports; do + $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p tcp --syn --dport $port -j ACCEPT + done + done + } + unset IFS + done + + # Add UDP ports to allow for certain hosts + ########################################## + for rule in $DMZ_HOST_OPEN_UDP; do + echo "$rule" | { + IFS='>' read hosts ports + + IFS=',' + for host in $hosts; do + echo " Allowing DMZ host $host to connect to UDP port(s): $ports" + + for port in $ports; do + $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p udp --dport $port -j ACCEPT + done + done + } + unset IFS + done + + # Add ICMP to allow for certain hosts + ##################################### + for host in `echo "$DMZ_HOST_OPEN_ICMP" |sed s/' '/','/g`; do + echo " Allowing DMZ host $host to send ICMP-requests(ping)." 
+ $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p icmp --icmp-type echo-request -j ACCEPT + done + + # Add IP protocols to allow for certain hosts + ############################################# + for rule in $DMZ_HOST_OPEN_IP; do + echo "$rule" | { + IFS='>' read hosts protos + + IFS=',' + for host in $hosts; do + echo " Allowing DMZ host $host to connect to connect to IP protocol(s): $protos" + + for proto in $protos; do + $IPTABLES -A DMZ_INPUT_CHAIN -s $host -p $proto -j ACCEPT + done + done + } + unset IFS + done + + # Log everything else + $IPTABLES -A DMZ_INPUT_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "Denied DMZ input packet: " + + # Everything else is denied + $IPTABLES -A DMZ_INPUT_CHAIN -j DROP +} + + +################################################## +# Setup chain for the DMZ-to-LAN forward traffic # +################################################## +setup_dmz_lan_forward_chain() +{ + # Create new chain: + $IPTABLES -N DMZ_LAN_FORWARD_CHAIN + + # DMZ-to-LAN TCP rules + for rule in $DMZ_LAN_HOST_OPEN_TCP; do + echo "$rule" | { + IFS='>' read shosts dhost_ports + + # SRC IP specified? + if [ -z "$dhost_ports" ]; then + dhost_ports="$shosts" + shosts="0/0" + fi + + if [ "$shosts" = "0/0" ]; then + echo " DMZ-TO-LAN: Allowing TCP port(s) $dhost_ports" + else + echo " DMZ-TO-LAN: Allowing TCP port(s) $dhost_ports for $shosts" + fi + + dhost=`echo "$dhost_ports" |get_dhost` + ports=`echo "$dhost_ports" |get_dport` + + IFS=',' + for shost in $shosts; do + for dport in $ports; do + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --syn --dport $dport -j ACCEPT + done + done + } + unset IFS + done + + # DMZ-to-LAN UDP rules + for rule in $DMZ_LAN_HOST_OPEN_UDP; do + echo "$rule" | { + IFS='>' read shosts dhost_ports + + # SRC IP specified? 
+ if [ -z "$dhost_ports" ]; then + dhost_ports="$shosts" + shosts="0/0" + fi + + if [ "$shosts" = "0/0" ]; then + echo " DMZ-TO-LAN: Allowing UDP port(s) $dhost_ports" + else + echo " DMZ-TO-LAN: Allowing UDP port(s) $dhost_ports for $shosts" + fi + + dhost=`echo "$dhost_ports" |get_dhost` + ports=`echo "$dhost_ports" |get_dport` + + IFS=',' + for shost in $shosts; do + for dport in $ports; do + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $dport -j ACCEPT + done + done + } + unset IFS + done + + # DMZ-to-LAN IP-protocol rules + for rule in $DMZ_LAN_HOST_IP_FORWARD; do + echo "$rule" | { + IFS='>' read shosts dhost_protos + + # SRC IP specified? + if [ -z "$dhost_protos" ]; then + dhost_protos="$shosts" + shosts="0/0" + fi + + if [ "$shosts" = "0/0" ]; then + echo " DMZ-TO-LAN: Allowing IP protocol(s) $dhost_protos" + else + echo " DMZ-TO-LAN: Allowing IP protocol(s) $dhost_protos for $shosts" + fi + + dhost=`echo "$dhost_protos" |get_dhost` + protos=`echo "$dhost_protos" |get_dport` + + IFS=',' + for shost in $shosts; do + for proto in $protos; do + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT + done + done + } + unset IFS + done + + # Log everything else + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "Denied DMZ->LAN packet: " + + # Everything else is denied + $IPTABLES -A DMZ_LAN_FORWARD_CHAIN -j DROP +} + + +################################################### +# Setup chain for the INET-to-DMZ forward traffic # +################################################### +setup_inet_dmz_forward_chain() +{ + # Create new chain: + $IPTABLES -N INET_DMZ_FORWARD_CHAIN + + # TCP ports to DENY for certain LAN hosts + ######################################### + for rule in $INET_DMZ_HOST_DENY_TCP; do + echo "$rule" | { + IFS='>' read hosts ports + + IFS=',' + for host in $hosts; do + echo " Denying $host to connect to TCP port(s): $ports" + + for port in $ports; do + if 
[ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p tcp --dport $port \ + -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Hostwise INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p tcp --dport $port -j DROP + done + done + } + unset IFS + done + + # UDP ports to DENY for certain LAN hosts + ######################################### + for rule in $INET_DMZ_HOST_DENY_UDP; do + echo "$rule" | { + IFS='>' read hosts ports + + IFS=',' + for host in $hosts; do + echo " Denying $host to connect to UDP port(s): $ports" + + for port in $ports; do + if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p udp --dport $port \ + -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Hostwise INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p udp --dport $port -j DROP + done + done + } + unset IFS + done + + # IP protocols to DENY for certain LAN hosts + ############################################ + for rule in $INET_DMZ_HOST_DENY_IP; do + echo "$rule" | { + IFS='>' read hosts protos + + IFS=',' + for host in $hosts; do + echo " Denying $host to connect to IP protocol(s): $protos" + + for proto in $protos; do + if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p $proto \ + -m limit --limit 1/h --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Hostwise INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p $proto -j DROP + done + done + } + unset IFS + done + + # TCP ports to OPEN for certain LAN hosts + ######################################### + for rule in $INET_DMZ_HOST_OPEN_TCP; do + echo "$rule" | { + IFS='>' read hosts ports + + IFS=',' + for port in $ports; do + echo " Allowing $hosts (exclusively) for TCP port: $port" + + for host in $hosts; do + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p tcp --dport $port -j ACCEPT + 
done + + if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p tcp --dport $port -m limit \ + --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p tcp --dport $port -j DROP + done + } + unset IFS + done + + # UDP ports to OPEN for certain LAN hosts + ######################################### + for rule in $INET_DMZ_HOST_OPEN_UDP; do + echo "$rule" | { + IFS='>' read hosts ports + + IFS=',' + for port in $ports; do + echo " Allowing $hosts (exclusively) for UDP port: $port" + + for host in $hosts; do + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p udp --dport $port -j ACCEPT + done + + if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p udp --dport $port -m limit \ + --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p udp --dport $port -j DROP + done + } + unset IFS + done + + # IP protocols to OPEN for certain LAN hosts + ############################################ + for rule in $INET_DMZ_HOST_OPEN_IP; do + echo "$rule" | { + IFS='>' read hosts protos + + IFS=',' + for proto in $protos; do + echo " Allowing $hosts (exclusively) for IP protocol: $proto" + + for host in $hosts; do + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -d $host -p $proto -j ACCEPT + done + + if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p $proto -m limit \ + --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p $proto -j DROP + done + } + unset IFS + done + + # This rule is for LAN output (FORWARD) TCP blocking + #################################################### + if [ -n "$INET_DMZ_DENY_TCP" ]; then + echo " Denying TCP port(s): $INET_DMZ_DENY_TCP" + for port in $INET_DMZ_DENY_TCP; do + if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A 
INET_DMZ_FORWARD_CHAIN -p tcp --dport $port -m limit \ + --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p tcp --dport $port -j DROP + done + fi + + # This rule is for LAN output (FORWARD) UDP blocking + #################################################### + if [ -n "$INET_DMZ_DENY_UDP" ]; then + echo " Denying UDP port(s): $INET_DMZ_DENY_UDP" + for port in $INET_DMZ_DENY_UDP; do + if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p udp --dport $port -m limit \ + --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p udp --dport $port -j DROP + done + fi + + # This rule is for LAN output (FORWARD) IP blocking + ################################################### + if [ -n "$INET_DMZ_DENY_IP" ]; then + echo " Denying IP protocol(s): $INET_DMZ_DENY_IP" + for proto in $INET_DMZ_DENY_IP; do + if [ "$DMZ_INPUT_DENY_LOG" != "0" ]; then + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p $proto -m limit \ + --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "INET->DMZ denied: " + fi + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p $proto -j DROP + done + fi + + # Allow only certain TCP ports to be used from the INET->DMZ? + if [ -n "$INET_DMZ_OPEN_TCP" ]; then + echo " Allowing TCP port(s): $INET_DMZ_OPEN_TCP" + for port in $INET_DMZ_OPEN_TCP; do + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p tcp --dport $port -j ACCEPT + done + fi + + # Allow only certain UDP ports to be used from the INET->DMZ? + if [ -n "$INET_DMZ_OPEN_UDP" ]; then + echo " Allowing UDP port(s): $INET_DMZ_OPEN_UDP" + for port in $INET_DMZ_OPEN_UDP; do + $IPTABLES -A INET_DMZ_FORWARD_CHAIN -p udp --dport $port -j ACCEPT + done + fi + + # Allow only certain IP protocols to be used from the INET->DMZ? 
+ if [ -n "$INET_DMZ_OPEN_IP" ]; then + echo " Allowing IP protocol(s): $INET_DMZ_OPEN_IP" + for proto in $INET_DMZ_OPEN_IP; do + $IPTABLES -A INET_DMZ_F... [truncated message content] |
From: <kr...@us...> - 2006-08-11 18:47:49
Revision: 240 Author: krisk84 Date: 2006-08-11 11:47:46 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=240&view=rev Log Message: ----------- include chan_sccp config file so we don't get prompted any annoyed Modified Paths: -------------- trunk/package/chansccp/chansccp.mk Added Paths: ----------- trunk/package/chansccp/chansccp-config.h
Added: trunk/package/chansccp/chansccp-config.h
===================================================================
--- trunk/package/chansccp/chansccp-config.h (rev 0)
+++ trunk/package/chansccp/chansccp-config.h 2006-08-11 18:47:46 UTC (rev 240)
@@ -0,0 +1,28 @@
+/*
+ * automatically generated by ./create_config.sh Fri Aug 11 13:59:45 EDT 2006
+ */
+
+#ifndef CHAN_SCCP_CONFIG_H
+#define CHAN_SCCP_CONFIG_H
+
+#define CS_SCCP_PARK
+#define CS_SCCP_PICKUP
+#define CS_AST_HAS_TECH_PVT
+#define CS_AST_HAS_BRIDGED_CHANNEL
+#define CS_AST_CHANNEL_HAS_CID
+#define CS_AST_CONTROL_HOLD
+#define sccp_copy_string(x,y,z) ast_copy_string(x,y,z)
+#define CS_AST_HAS_FLAG_MOH
+#define CS_AST_HAS_ENDIAN
+#define CS_AST_HAS_STRINGS
+#define CS_AST_HAS_NEW_VOICEMAIL
+#define CS_AST_HAS_NEW_HINT
+#define CS_AST_HAS_NEW_DEVICESTATE
+#define CS_AST_DEVICE_RINGING
+#define CS_AST_HAS_AST_GROUP_T
+#define CS_AST_HAS_APP_SEPARATE_ARGS
+#define sccp_app_separate_args(x,y,z,w) ast_app_separate_args(x,y,z,w)
+#define CS_AST_HAS_EXTENSION_RINGING
+
+#endif /* CHAN_CAPI_CONFIG_H */
+
Modified: trunk/package/chansccp/chansccp.mk
===================================================================
--- trunk/package/chansccp/chansccp.mk 2006-08-11 18:40:58 UTC (rev 239)
+++ trunk/package/chansccp/chansccp.mk 2006-08-11 18:47:46 UTC (rev 240)
@@ -20,6 +20,7 @@ $(CHANSCCP_DIR)/.configured: $(CHANSCCP_DIR)/.unpacked # toolchain/patch-kernel.sh $(CHANSCCP_DIR) package/chansccp/ chansccp\*.patch + cp package/chansccp/chansccp-config.h $(CHANSCCP_DIR)/config.h touch $(CHANSCCP_DIR)/.configured $(CHANSCCP_DIR)/$(CHANSCCP_BINARY): $(CHANSCCP_DIR)/.configured This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
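Review bot: The added `cp package/chansccp/chansccp-config.h $(CHANSCCP_DIR)/config.h` replaces whatever chan_sccp's own create_config.sh would detect with a snapshot generated on one machine on Aug 11 (the header says so), so a later Asterisk package bump will silently compile chan_sccp against stale CS_AST_* feature assumptions. A comment on the cp line would make that explicit: `# frozen output of chan_sccp's create_config.sh; regenerate it when the Asterisk package changes`. Cosmetic, in the header: the closing `#endif /* CHAN_CAPI_CONFIG_H */` does not match its `CHAN_SCCP_CONFIG_H` guard.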
From: <kr...@us...> - 2006-08-11 18:41:04
Revision: 239 Author: krisk84 Date: 2006-08-11 11:40:58 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=239&view=rev Log Message: ----------- remove old persist logging support Modified Paths: -------------- trunk/target/generic/target_skeleton/etc/rc Modified: trunk/target/generic/target_skeleton/etc/rc =================================================================== --- trunk/target/generic/target_skeleton/etc/rc 2006-08-11 18:39:03 UTC (rev 238) +++ trunk/target/generic/target_skeleton/etc/rc 2006-08-11 18:40:58 UTC (rev 239) @@ -171,22 +171,6 @@ mkdir /tmp/root mkdir /tmp/bin -if [ "$PERSISTLOG" ] -then - -if [ ! -d /mnt/kd/log ] -then -mkdir /mnt/kd/log -touch /var/log/wtmp -fi - -ln -s /mnt/kd/log /var/log - -else -mkdir /var/log -touch /var/log/wtmp -fi - if `cat /proc/cmdline | grep -q depmod` then echo "Running depmod as requested..." This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kr...@us...> - 2006-08-11 18:39:09
Revision: 238 Author: krisk84 Date: 2006-08-11 11:39:03 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=238&view=rev Log Message: ----------- init order changes Modified Paths: -------------- trunk/package/lmsensors/lmsensors.init trunk/package/netsnmp/netsnmp.init Added Paths: ----------- trunk/target/generic/target_skeleton/etc/runlevels/default/K29snmpd Removed Paths: ------------- trunk/target/generic/target_skeleton/etc/runlevels/default/K31snmpd Modified: trunk/package/lmsensors/lmsensors.init =================================================================== --- trunk/package/lmsensors/lmsensors.init 2006-08-11 18:33:37 UTC (rev 237) +++ trunk/package/lmsensors/lmsensors.init 2006-08-11 18:39:03 UTC (rev 238) @@ -39,7 +39,7 @@ stop () { if [ -r /etc/sensors.conf ] then -echo "Stopping sensors" +echo "Stopping sensors..." if [ "$SENSEMODS" ] then Modified: trunk/package/netsnmp/netsnmp.init =================================================================== --- trunk/package/netsnmp/netsnmp.init 2006-08-11 18:33:37 UTC (rev 237) +++ trunk/package/netsnmp/netsnmp.init 2006-08-11 18:39:03 UTC (rev 238) @@ -25,7 +25,7 @@ stop () { if [ -r /var/run/snmpd.pid ] then -echo "Stopping snmpd" +echo "Stopping snmpd..." kill `cat /var/run/snmpd.pid` fi } Copied: trunk/target/generic/target_skeleton/etc/runlevels/default/K29snmpd (from rev 237, trunk/target/generic/target_skeleton/etc/runlevels/default/K31snmpd) =================================================================== --- trunk/target/generic/target_skeleton/etc/runlevels/default/K29snmpd (rev 0) +++ trunk/target/generic/target_skeleton/etc/runlevels/default/K29snmpd 2006-08-11 18:39:03 UTC (rev 238) 
@@ -0,0 +1 @@
+link ../../init.d/snmpd
\ No newline at end of file
Deleted: trunk/target/generic/target_skeleton/etc/runlevels/default/K31snmpd
===================================================================
--- trunk/target/generic/target_skeleton/etc/runlevels/default/K31snmpd 2006-08-11 18:33:37 UTC (rev 237)
+++ trunk/target/generic/target_skeleton/etc/runlevels/default/K31snmpd 2006-08-11 18:39:03 UTC (rev 238)
@@ -1 +0,0 @@
-link ../../init.d/snmpd
\ No newline at end of file
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kr...@us...> - 2006-08-11 18:33:40
Revision: 237 Author: krisk84 Date: 2006-08-11 11:33:37 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=237&view=rev Log Message: ----------- you can't read variables before they are set Modified Paths: -------------- trunk/target/generic/target_skeleton/etc/rc Modified: trunk/target/generic/target_skeleton/etc/rc =================================================================== --- trunk/target/generic/target_skeleton/etc/rc 2006-08-11 18:16:04 UTC (rev 236) +++ trunk/target/generic/target_skeleton/etc/rc 2006-08-11 18:33:37 UTC (rev 237) @@ -165,7 +165,6 @@ mkdir /var/db mkdir /var/run touch /var/run/utmp -touch /var/log/wtmp mkdir /var/run/screen mkdir /var/state mkdir /var/tmp @@ -178,12 +177,14 @@ if [ ! -d /mnt/kd/log ] then mkdir /mnt/kd/log +touch /var/log/wtmp fi ln -s /mnt/kd/log /var/log else mkdir /var/log +touch /var/log/wtmp fi if `cat /proc/cmdline | grep -q depmod` @@ -328,6 +329,22 @@ ln -sf /usr/share/zoneinfo/$TIMEZONE /tmp/etc/localtime fi +if [ "$PERSISTLOG" ] +then + +if [ ! -d /mnt/kd/log ] +then +mkdir /mnt/kd/log +touch /var/log/wtmp +fi + +ln -s /mnt/kd/log /var/log + +else +mkdir /var/log +touch /var/log/wtmp +fi + if [ -d /mnt/kd/wanpipe ] then ln -s /mnt/kd/wanpipe /tmp/etc/wanpipe This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
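Review bot: The third hunk adds a second copy of the PERSISTLOG block at line 329, but the first copy at line 177 (second hunk, where this commit even adds `touch` lines to it) is left in place, so when PERSISTLOG is set the early block has already taken its else-branch (`mkdir /var/log`) before rc.conf is read, and the later `ln -s /mnt/kd/log /var/log` then creates /var/log/log inside that directory instead of redirecting /var/log to the keydisk. Persistent logging therefore never engages, and wtmp and syslog stay in RAM. Delete the early block when moving it, or guard the link with `[ ! -e /var/log ]` so a pre-existing directory is noticed rather than silently nested into.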
From: <kr...@us...> - 2006-08-11 18:16:07
Revision: 236 Author: krisk84 Date: 2006-08-11 11:16:04 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=236&view=rev Log Message: ----------- asterisk init changes for persistent logging Modified Paths: -------------- trunk/package/asterisk/asterisk.init Modified: trunk/package/asterisk/asterisk.init =================================================================== --- trunk/package/asterisk/asterisk.init 2006-08-11 18:06:36 UTC (rev 235) +++ trunk/package/asterisk/asterisk.init 2006-08-11 18:16:04 UTC (rev 236) @@ -12,7 +12,12 @@ init () { mkdir /var/run/asterisk + +if [ ! -d /var/log/asterisk ] +then mkdir /var/log/asterisk +fi + mkdir /var/spool/asterisk cp -a /stat/var/spool/asterisk/* /var/spool/asterisk/ ln -s /stat/var/lib/asterisk /var/lib/asterisk @@ -47,10 +52,15 @@ then ln -s /mnt/kd/cdr-csv /var/log/asterisk/cdr-csv else -mkdir /var/log/asterisk/cdr-csv +mkdir -p /var/log/asterisk/cdr-csv fi -ln -s /var/log/asterisk/cdr-csv /var/log/asterisk/cdr-custom +if [ -d /mnt/kd/cdr-custom ] +then +ln -s /mnt/kd/cdr-custom /var/log/asterisk/cdr-custom +else +mkdir -p /var/log/asterisk/cdr-custom +fi if [ "$ASTMANPROXY_USER" ] then This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
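Review bot: The new cdr-custom branch carries the same hazard the commit guards against for /var/log/asterisk: when /var/log persists across boots, /var/log/asterisk/cdr-custom may already exist as a directory from a boot that took the `mkdir -p` fallback, and `ln -s /mnt/kd/cdr-custom /var/log/asterisk/cdr-custom` then creates the link inside it as cdr-custom/cdr-custom rather than replacing it, so CDR records keep landing in the old directory. Check `[ ! -e /var/log/asterisk/cdr-custom ]` before linking (or use `ln -sfn` if the target's ln supports it); the cdr-csv branch in the context has the same issue. init's body continues outside the hunk.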
From: <dha...@us...> - 2006-08-11 18:06:40
Revision: 235 Author: dhartman Date: 2006-08-11 11:06:36 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=235&view=rev Log Message: ----------- add acpid and openvpn init scripts Added Paths: ----------- trunk/package/acpid/acpid.init trunk/package/openvpn/openvpn.init
Added: trunk/package/acpid/acpid.init
===================================================================
--- trunk/package/acpid/acpid.init (rev 0)
+++ trunk/package/acpid/acpid.init 2006-08-11 18:06:36 UTC (rev 235)
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+. /etc/rc.conf
+
+start () {
+if [ -x /usr/sbin/acpid ]
+then
+echo "Starting acpid..."
+/usr/sbin/acpid
+fi
+}
+
+stop () {
+if `ps | grep -q acpid`
+then
+echo "Stopping acpid..."
+killall acpid 2> /dev/null
+fi
+}
+
+case $1 in
+
+start)
+start
+;;
+
+stop)
+stop
+;;
+
+init)
+start
+;;
+
+restart)
+stop
+sleep 2
+start
+;;
+
+*)
+echo "Usage: start|stop|restart"
+;;
+
+esac
Property changes on: trunk/package/acpid/acpid.init ___________________________________________________________________ Name: svn:executable + *
Added: trunk/package/openvpn/openvpn.init
===================================================================
--- trunk/package/openvpn/openvpn.init (rev 0)
+++ trunk/package/openvpn/openvpn.init 2006-08-11 18:06:36 UTC (rev 235)
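Review bot: In stop(), `if \`ps | grep -q acpid\`` matches the grep process itself, so the "Stopping acpid..." branch is taken whether or not acpid is running, and executing the (empty) substitution output as the command makes the test depend on how the shell treats a null command rather than on grep's status. Test the pipeline directly and keep grep out of the match: `if ps | grep -q '[a]cpid'; then`.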
@@ -0,0 +1,86 @@
+#!/bin/sh
+. /etc/rc.conf
+
+init () {
+#check for existing of tun adapter
+if [ -e /dev/net/tun ]
+then
+echo "Tun device was found."
+else
+echo "No tun device found. We'll make one now."
+mkdir /dev/net
+mknod /dev/net/tun c 10 200
+modprobe tun
+fi
+
+echo "Creating OpenVPN config files"
+echo "#openvpn.conf created from rc.conf settings dynamically at boot
+dev $OVPN_DEV
+proto $OVPN_PROTOCOL
+ca $OVPN_CA
+cert $OVPN_CERT
+key $OVPN_KEY
+dh $OVPN_DH
+server $OVPN_SERVER
+verb $OVPN_VERBOSITY
+push \"$OVPN_PUSH1 $OVPN_PUSH2 $OVPN_PUSH3\"" > /tmp/etc/openvpn.conf
+
+echo "#static setting--modify openvpn init script to change
+port 1194
+ifconfig-pool-persist /etc/openvpn/ipp.txt
+user nobody
+group nobody
+persist-key
+persist-tun
+status /var/log/openvpn-status.log
+log-append /var/log/openvpn.log
+daemon" >> /tmp/etc/openvpn.conf
+
+}
+
+start () {
+if [ $VPN -a $VPN = "raccoon" ]
+then
+echo "You have selected raccoon for your VPN service. Configure manually."
+fi
+
+if [ $VPN -a $VPN = "openvpn" ]
+then
+echo "Starting OpenVPN with settings from /etc/openvpn"
+/usr/sbin/openvpn /etc/openvpn.conf
+fi
+}
+
+stop () {
+echo "Stopping OpenVPN"
+killall openvpn
+}
+
+case $1 in
+
+start)
+start
+;;
+
+stop)
+stop
+;;
+
+init)
+init
+start
+;;
+
+restart)
+stop
+sleep 2
+start
+;;
+
+*)
+echo "Usage: start|stop|restart"
+;;
+
+esac
+
+
Property changes on: trunk/package/openvpn/openvpn.init
___________________________________________________________________
Name: svn:executable
+ *
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
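Review bot: `start` tests `[ $VPN -a $VPN = "raccoon" ]` with `$VPN` unquoted, so when VPN is empty the shell evaluates `[ -a = raccoon ]` rather than the intended guard, and any value containing whitespace breaks the test; `if [ "$VPN" = "raccoon" ]` and `if [ "$VPN" = "openvpn" ]` are the safe forms. `init` writes the generated configuration to `/tmp/etc/openvpn.conf`, but `start` runs `/usr/sbin/openvpn /etc/openvpn.conf`; nothing in this script links the two, and the skeleton symlink added in r233 points at `/tmp/openvpn.conf`, a third path, so the mapping is worth confirming before this can start. The `$OVPN_*` values are interpolated unquoted into the config, so an unset variable produces a bare directive such as `dev` with no argument and openvpn refuses the file; checking that the required rc.conf variables are set before writing it would turn that into an explicit error message. Running as `user nobody`/`group nobody` with `persist-key`/`persist-tun` is the right privilege-drop setup for a long-lived daemon.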
From: <kr...@us...> - 2006-08-11 18:06:11
Revision: 234 Author: krisk84 Date: 2006-08-11 11:06:08 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=234&view=rev Log Message: ----------- add persistent logs Modified Paths: -------------- trunk/target/generic/target_skeleton/etc/rc trunk/target/generic/target_skeleton/stat/etc/rc.conf
Modified: trunk/target/generic/target_skeleton/etc/rc
===================================================================
--- trunk/target/generic/target_skeleton/etc/rc 2006-08-11 18:05:08 UTC (rev 233)
+++ trunk/target/generic/target_skeleton/etc/rc 2006-08-11 18:06:08 UTC (rev 234)
@@ -163,7 +163,6 @@
 mkdir /var/empty
 mkdir /var/lock
 mkdir /var/db
-mkdir /var/log
 mkdir /var/run
 touch /var/run/utmp
 touch /var/log/wtmp
@@ -173,6 +172,20 @@
 mkdir /tmp/root
 mkdir /tmp/bin
+if [ "$PERSISTLOG" ]
+then
+
+if [ ! -d /mnt/kd/log ]
+then
+mkdir /mnt/kd/log
+fi
+
+ln -s /mnt/kd/log /var/log
+
+else
+mkdir /var/log
+fi
+
 if `cat /proc/cmdline | grep -q depmod`
 then
 echo "Running depmod as requested..."
Modified: trunk/target/generic/target_skeleton/stat/etc/rc.conf
===================================================================
--- trunk/target/generic/target_skeleton/stat/etc/rc.conf 2006-08-11 18:05:08 UTC (rev 233)
+++ trunk/target/generic/target_skeleton/stat/etc/rc.conf 2006-08-11 18:06:08 UTC (rev 234)
@@ -350,6 +350,10 @@
 ##syslog's remote logging features.
 #SYSLOGHOST=""
+##Persistent Logs
+##If this variable is defined, logs are saved to the keydisk instead of RAM
+#PERSISTLOG=yes
+
 ##NFSROOTPATH
 ##For diskless clients, the path to use for a root filesystem.
 #NFSROOTPATH="$INTIP:/mnt/kd/nfsroot"
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
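Review bot: The first hunk of `etc/rc` removes `mkdir /var/log` from a block that still runs `touch /var/log/wtmp` three lines later, while the replacement (the symlink to `/mnt/kd/log` or the RAM `mkdir /var/log`) is only created by the second hunk about ten lines further down; unless something in between creates the directory, `touch /var/log/wtmp` now fails at every boot. Moving the new `PERSISTLOG` block up to where `mkdir /var/log` used to be, or moving the `touch` below it, restores the order. The persistent branch also assumes `/mnt/kd` is mounted by this point; if it is not, `mkdir /mnt/kd/log` fails and `/var/log` becomes a dangling symlink, so falling back to `mkdir /var/log` when the keydisk directory cannot be created would keep logging working. The same `if`/`mkdir` pair can be written as `mkdir -p /mnt/kd/log`.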
From: <dha...@us...> - 2006-08-11 18:05:17
Revision: 233 Author: dhartman Date: 2006-08-11 11:05:08 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=233&view=rev Log Message: ----------- merge acpid button support and openvpn support from dhartman branch Modified Paths: -------------- trunk/package/acpid/acpid.mk trunk/target/device/geni586/linux-geni586-wlan-2.6.16.12.config Added Paths: ----------- trunk/target/generic/target_skeleton/etc/openvpn.conf trunk/target/generic/target_skeleton/etc/runlevels/default/K26openvpn trunk/target/generic/target_skeleton/etc/runlevels/default/S14openvpn trunk/target/generic/target_skeleton/etc/runlevels/default/S24acpid
Modified: trunk/package/acpid/acpid.mk
===================================================================
--- trunk/package/acpid/acpid.mk 2006-08-11 17:42:25 UTC (rev 232)
+++ trunk/package/acpid/acpid.mk 2006-08-11 18:05:08 UTC (rev 233)
@@ -26,6 +26,7 @@
 mkdir -p $(TARGET_DIR)/etc/acpi/events
 echo -e "event=button[ /]power\naction=/sbin/poweroff" > $(TARGET_DIR)/etc/acpi/events/powerbtn
 touch -c $(TARGET_DIR)/usr/sbin/acpid
+ $(INSTALL) -D -m 0755 package/acpid/acpid.init $(TARGET_DIR)/etc/init.d/acpid
 acpid: $(TARGET_DIR)/usr/sbin/acpid
@@ -33,6 +34,9 @@
 acpid-clean:
 -make -C $(ACPID_DIR) clean
+ rm -f $(TARGET_DIR)/usr/sbin/acpid
+ rm -f $(TARGET_DIR)/etc/init.d/acpid
+ rm -rf $(TARGET_DIR)/etc/acpi
 acpid-dirclean:
 rm -rf $(ACPID_DIR)
Modified: trunk/target/device/geni586/linux-geni586-wlan-2.6.16.12.config
===================================================================
--- trunk/target/device/geni586/linux-geni586-wlan-2.6.16.12.config 2006-08-11 17:42:25 UTC (rev 232)
+++ trunk/target/device/geni586/linux-geni586-wlan-2.6.16.12.config 2006-08-11 18:05:08 UTC (rev 233)
@@ -216,7 +216,7 @@
 CONFIG_ACPI=y
 # CONFIG_ACPI_AC is not set
 # CONFIG_ACPI_BATTERY is not set
-# CONFIG_ACPI_BUTTON is not set
+CONFIG_ACPI_BUTTON=yes
 # CONFIG_ACPI_VIDEO is not set
 # CONFIG_ACPI_HOTKEY is not set
 # CONFIG_ACPI_FAN is not set
Added: trunk/target/generic/target_skeleton/etc/openvpn.conf
===================================================================
--- trunk/target/generic/target_skeleton/etc/openvpn.conf (rev 0)
+++ trunk/target/generic/target_skeleton/etc/openvpn.conf 2006-08-11 18:05:08 UTC (rev 233)
@@ -0,0 +1 @@
+link /tmp/openvpn.conf
\ No newline at end of file
Property changes on: trunk/target/generic/target_skeleton/etc/openvpn.conf
___________________________________________________________________
Name: svn:special
+ *
Added: trunk/target/generic/target_skeleton/etc/runlevels/default/K26openvpn
===================================================================
--- trunk/target/generic/target_skeleton/etc/runlevels/default/K26openvpn (rev 0)
+++ trunk/target/generic/target_skeleton/etc/runlevels/default/K26openvpn 2006-08-11 18:05:08 UTC (rev 233)
@@ -0,0 +1 @@
+link ../../init.d/openvpn
\ No newline at end of file
Property changes on: trunk/target/generic/target_skeleton/etc/runlevels/default/K26openvpn
___________________________________________________________________
Name: svn:special
+ *
Added: trunk/target/generic/target_skeleton/etc/runlevels/default/S14openvpn
===================================================================
--- trunk/target/generic/target_skeleton/etc/runlevels/default/S14openvpn (rev 0)
+++ trunk/target/generic/target_skeleton/etc/runlevels/default/S14openvpn 2006-08-11 18:05:08 UTC (rev 233)
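Review bot: `CONFIG_ACPI_BUTTON=yes` does not use the `=y` spelling that the enabled bool on the same hunk (`CONFIG_ACPI=y`) and the rest of a kernel `.config` use; whether the 2.6.16 kconfig reader accepts `yes` for a boolean symbol I cannot confirm from here, and if it does not, the option silently stays off and the power-button event that the acpid package in this commit relies on never arrives. `CONFIG_ACPI_BUTTON=y` is the safe form, and regenerating the file through the kernel's config tooling rather than hand-editing would normalise it. The `openvpn.conf` symlink added below points at `/tmp/openvpn.conf`, which is not the path the openvpn init script (r235) writes its generated config to, so that target is worth double-checking.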
@@ -0,0 +1 @@
+link ../../init.d/openvpn
\ No newline at end of file
Property changes on: trunk/target/generic/target_skeleton/etc/runlevels/default/S14openvpn
___________________________________________________________________
Name: svn:special
+ *
Added: trunk/target/generic/target_skeleton/etc/runlevels/default/S24acpid
===================================================================
--- trunk/target/generic/target_skeleton/etc/runlevels/default/S24acpid (rev 0)
+++ trunk/target/generic/target_skeleton/etc/runlevels/default/S24acpid 2006-08-11 18:05:08 UTC (rev 233)
@@ -0,0 +1 @@
+link ../../init.d/acpid
\ No newline at end of file
Property changes on: trunk/target/generic/target_skeleton/etc/runlevels/default/S24acpid
___________________________________________________________________
Name: svn:special
+ *
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <kr...@us...> - 2006-08-11 17:42:28
Revision: 232 Author: krisk84 Date: 2006-08-11 10:42:25 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=232&view=rev Log Message: ----------- openntpd package fix Modified Paths: -------------- trunk/package/openntpd/openntpd.mk
Modified: trunk/package/openntpd/openntpd.mk
===================================================================
--- trunk/package/openntpd/openntpd.mk 2006-08-11 15:50:59 UTC (rev 231)
+++ trunk/package/openntpd/openntpd.mk 2006-08-11 17:42:25 UTC (rev 232)
@@ -42,6 +42,7 @@
 $(INSTALL) -D -m 0755 package/openntpd/ntpd.init $(TARGET_DIR)/etc/init.d/ntpd
 echo "_ntp:x:123:123:OpenNTPD:/usr/share/empty:/bin/false" >> $(TARGET_DIR)/etc/passwd
 echo "_ntp:!:3656:0:99999:7:::" >> $(TARGET_DIR)/etc/shadow
+ mkdir -p $(TARGET_DIR)/usr/share/empty
 chmod 750 $(TARGET_DIR)/usr/share/empty
 rm -Rf $(TARGET_DIR)/usr/man
 rm $(TARGET_DIR)/etc/ntpd.conf
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
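Review bot: The added `mkdir -p $(TARGET_DIR)/usr/share/empty` fixes the `chmod 750` on a directory that did not exist, but the two `echo ... >>` lines just above still append the `_ntp` passwd and shadow entries unconditionally, so each rerun of this install recipe adds duplicate account lines to the target image; prefixing each with `grep -q '^_ntp:' $(TARGET_DIR)/etc/passwd ||` (and the shadow equivalent) keeps the files idempotent. The shadow entry `_ntp:!:...` locks the password, which is the right setting for a daemon account, and a 750 empty home directory is a sensible unprivileged home, assuming the recipe runs with an owner the daemon cannot write as. The recipe continues outside the hunk, so I cannot see whether the directory's ownership is set elsewhere.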