From: <dha...@us...> - 2006-08-11 15:31:50
Revision: 229 Author: dhartman Date: 2006-08-11 08:31:17 -0700 (Fri, 11 Aug 2006) ViewCVS: http://svn.sourceforge.net/astlinux/?rev=229&view=rev Log Message: ----------- merge changes from trunk Modified Paths: -------------- trunk/package/Config.in trunk/package/acpid/acpid.mk trunk/package/file/file.mk trunk/package/iptables/iptables.init trunk/package/iptables/iptables.mk trunk/target/generic/target_skeleton/etc/init.d/misc Added Paths: ----------- trunk/package/acpid/acpid.init trunk/package/iaxmodem/ trunk/package/iaxmodem/Config.in trunk/package/iaxmodem/iaxmodem.mk trunk/package/iptables/arno-iptables-firewall.conf trunk/package/libtiff/ trunk/package/libtiff/Config.in trunk/package/libtiff/libtiff.mk trunk/package/openvpn/openvpn.init trunk/target/generic/target_skeleton/etc/openvpn.conf trunk/target/generic/target_skeleton/etc/runlevels/default/K26openvpn trunk/target/generic/target_skeleton/etc/runlevels/default/S02iptables trunk/target/generic/target_skeleton/etc/runlevels/default/S03network trunk/target/generic/target_skeleton/etc/runlevels/default/S04ntpclient trunk/target/generic/target_skeleton/etc/runlevels/default/S14openvpn trunk/target/generic/target_skeleton/etc/runlevels/default/S24acpid Removed Paths: ------------- trunk/package/iaxmodem/Config.in trunk/package/iaxmodem/iaxmodem.mk trunk/package/libtiff/Config.in trunk/package/libtiff/libtiff.mk trunk/target/generic/target_skeleton/etc/runlevels/default/S02network trunk/target/generic/target_skeleton/etc/runlevels/default/S03ntpclient Modified: trunk/package/Config.in =================================================================== --- trunk/package/Config.in 2006-08-11 07:04:51 UTC (rev 228) +++ trunk/package/Config.in 2006-08-11 15:31:17 UTC (rev 229) 
@@ -61,6 +61,7 @@
 source "package/gzip/Config.in"
 source "package/hostap/Config.in"
 source "package/hotplug/Config.in"
+source "package/iaxmodem/Config.in"
 source "package/inadyn/Config.in"
 source "package/iostat/Config.in"
 source "package/iproute2/Config.in"
@@ -81,6 +82,7 @@
 source "package/libpq/Config.in"
 source "package/libpri/Config.in"
 source "package/libsysfs/Config.in"
+source "package/libtiff/Config.in"
 source "package/libtool/Config.in"
 source "package/libusb/Config.in"
 source "package/lighttpd/Config.in"
Copied: trunk/package/acpid/acpid.init (from rev 228, branches/dhartman/package/acpid/acpid.init)
===================================================================
--- trunk/package/acpid/acpid.init (rev 0)
+++ trunk/package/acpid/acpid.init 2006-08-11 15:31:17 UTC (rev 229)
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+. /etc/rc.conf
+
+start () {
+if [ -x /usr/sbin/acpid ]
+then
+echo "Starting acpid..."
+/usr/sbin/acpid
+fi
+}
+
+stop () {
+if `ps | grep -q acpid`
+then
+echo "Stopping acpid..."
+killall acpid 2> /dev/null
+fi
+}
+
+case $1 in
+
+start)
+start
+;;
+
+stop)
+stop
+;;
+
+init)
+start
+;;
+
+restart)
+stop
+sleep 2
+start
+;;
+
+*)
+echo "Usage: start|stop|restart"
+;;
+
+esac
Property changes on: trunk/package/acpid/acpid.init
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/package/acpid/acpid.mk
===================================================================
--- trunk/package/acpid/acpid.mk 2006-08-11 07:04:51 UTC (rev 228)
+++ trunk/package/acpid/acpid.mk 2006-08-11 15:31:17 UTC (rev 229)
@@ -26,6 +26,7 @@
 mkdir -p $(TARGET_DIR)/etc/acpi/events
 echo -e "event=button[ /]power\naction=/sbin/poweroff" > $(TARGET_DIR)/etc/acpi/events/powerbtn
 touch -c $(TARGET_DIR)/usr/sbin/acpid
+ $(INSTALL) -D -m 0755 package/acpid/acpid.init $(TARGET_DIR)/etc/init.d/acpid
 acpid: $(TARGET_DIR)/usr/sbin/acpid
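Review bot: The stop() condition `` if `ps | grep -q acpid` `` in the new acpid.init matches the grep process's own command line, so it is true whether or not acpid is running, and it also relies on the shell treating the exit status of an empty command substitution as the test result, which is fragile across sh implementations. A bracket-protected pattern avoids the self-match and drops the backticks: `if ps | grep -q '[a]cpid'`. start() has no corresponding guard, so running `start` twice may launch a second daemon depending on whether acpid refuses to start when another instance holds the event source; reusing the same test there would be a cheap hardening. The script sources `/etc/rc.conf` but reads nothing from it, so that line can be dropped unless it is there for a side effect.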
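Review bot: The new `$(INSTALL)` line sits inside the `$(TARGET_DIR)/usr/sbin/acpid` recipe, so a later change to `package/acpid/acpid.init` is not picked up until the acpid binary itself is rebuilt; the rule header is above the hunk, so either add `package/acpid/acpid.init` to its prerequisites or give the init script its own target. The adjacent context line that writes the power-button event file uses `echo -e`, which under a POSIX `sh` such as dash prints a literal `-e` and would likely leave acpid with a malformed event entry; `printf 'event=button[ /]power\naction=/sbin/poweroff\n' > $(TARGET_DIR)/etc/acpi/events/powerbtn` is portable. Because that event's action is `/sbin/poweroff`, the contents of this file decide when the box shuts itself down, so it is worth generating deterministically.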
@@ -33,6 +34,9 @@
 acpid-clean:
 -make -C $(ACPID_DIR) clean
+ rm -f $(TARGET_DIR)/usr/sbin/acpid
+ rm -f $(TARGET_DIR)/etc/init.d/acpid
+ rm -rf $(TARGET_DIR)/etc/acpi
 acpid-dirclean:
 rm -rf $(ACPID_DIR)
Modified: trunk/package/file/file.mk
===================================================================
--- trunk/package/file/file.mk 2006-08-11 07:04:51 UTC (rev 228)
+++ trunk/package/file/file.mk 2006-08-11 15:31:17 UTC (rev 229)
@@ -3,7 +3,7 @@
 # file
 #
 #############################################################
-FILE_VER:=4.15
+FILE_VER:=4.17
 FILE_SOURCE:=file-$(FILE_VER).tar.gz
 FILE_SITE:=ftp://ftp.astron.com/pub/file
 FILE_DIR1:=$(TOOL_BUILD_DIR)/file-$(FILE_VER)
Copied: trunk/package/iaxmodem (from rev 228, branches/dhartman/package/iaxmodem)
Deleted: trunk/package/iaxmodem/Config.in
===================================================================
--- branches/dhartman/package/iaxmodem/Config.in 2006-08-11 07:04:51 UTC (rev 228)
+++ trunk/package/iaxmodem/Config.in 2006-08-11 15:31:17 UTC (rev 229)
@@ -1,9 +0,0 @@
-config BR2_PACKAGE_IAXMODEM
- bool "iaxmodem"
- default n
- select BR2_PACKAGE_LIBTIFF
- help
- iaxmodem simulator for use with Asterisk
- WARNING: currently does not compile
-
- http://iaxmodem.sf.net
Copied: trunk/package/iaxmodem/Config.in (from rev 228, branches/dhartman/package/iaxmodem/Config.in)
===================================================================
--- trunk/package/iaxmodem/Config.in (rev 0)
+++ trunk/package/iaxmodem/Config.in 2006-08-11 15:31:17 UTC (rev 229)
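Review bot: The last added line, `rm -rf $(TARGET_DIR)/etc/acpi`, deletes a directory tree whose root comes from a variable; if `TARGET_DIR` is empty or unset when `acpid-clean` is invoked (a stray `make acpid-clean` from a fresh shell, for instance) it becomes `rm -rf /etc/acpi` on the build host. The two `rm -f` lines only touch single files, so only the recursive one needs a guard, e.g. `$(if $(strip $(TARGET_DIR)),,$(error TARGET_DIR is empty))` as the first recipe line, or at minimum `test -n "$(TARGET_DIR)" && rm -rf $(TARGET_DIR)/etc/acpi`. It also removes the whole `etc/acpi` tree rather than just the `events/powerbtn` file this package writes, which would silently discard any hand-added event handlers in the target skeleton.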
@@ -0,0 +1,9 @@
+config BR2_PACKAGE_IAXMODEM
+ bool "iaxmodem"
+ default n
+ select BR2_PACKAGE_LIBTIFF
+ help
+ iaxmodem simulator for use with Asterisk
+ WARNING: currently does not compile
+
+ http://iaxmodem.sf.net
Deleted: trunk/package/iaxmodem/iaxmodem.mk
===================================================================
--- branches/dhartman/package/iaxmodem/iaxmodem.mk 2006-08-11 07:04:51 UTC (rev 228)
+++ trunk/package/iaxmodem/iaxmodem.mk 2006-08-11 15:31:17 UTC (rev 229)
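Review bot: The help text says `WARNING: currently does not compile`, yet the same commit wires this option into package/Config.in with nothing beyond `default n` stopping someone from selecting it and breaking their build. If this tree has a BROKEN-style Kconfig symbol, a `depends on` line would express that state where the configurator can enforce it; otherwise the help line should at least say what fails (the `.lib` vs `.libs` strip paths in iaxmodem.mk look like a candidate) so the next person can fix it rather than rediscover it. The `select BR2_PACKAGE_LIBTIFF` is consistent with iaxmodem.mk linking against the target libtiff.so.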
@@ -1,91 +0,0 @@ -############################################################# -# -# iaxmodem (text based web browser) -# -############################################################# -IAXMODEM_VER:=0.1.14 -IAXMODEM_SITE:=http://$(BR2_SOURCEFORGE_MIRROR).dl.sourceforge.net/sourceforge/iaxmodem/ -IAXMODEM_SOURCE:=iaxmodem-$(IAXMODEM_VER).tar.gz -IAXMODEM_DIR:=$(BUILD_DIR)/iaxmodem-$(IAXMODEM_VER) -IAXMODEM_BINARY:=iaxmodem -IAXMODEM_TARGET_BINARY:=usr/sbin/iaxmodem - -$(DL_DIR)/$(IAXMODEM_SOURCE): - $(WGET) -P $(DL_DIR) $(IAXMODEM_SITE)/$(IAXMODEM_SOURCE) - -iaxmodem-source: $(DL_DIR)/$(IAXMODEM_SOURCE) - -$(IAXMODEM_DIR)/.unpacked: $(DL_DIR)/$(IAXMODEM_SOURCE) - zcat $(DL_DIR)/$(IAXMODEM_SOURCE) | tar -C $(BUILD_DIR) $(TAR_OPTIONS) - - touch $(IAXMODEM_DIR)/.unpacked - -# must compile spandsp first -$(IAXMODEM_DIR)/lib/spandsp/.configured: $(IAXMODEM_DIR)/.unpacked - (cd $(IAXMODEM_DIR)/lib/spandsp; rm -rf config.cache; \ - $(TARGET_CONFIG_OPTS) \ - CFLAGS="$(TARGET_CFLAGS)" \ - ./configure \ - --target=$(GNU_TARGET_NAME) \ - --host=$(GNU_TARGET_NAME) \ - --build=$(GNU_HOST_NAME) \ - ); - touch $(IAXMODEM_DIR)/lib/spandsp/.configured - -$(IAXMODEM_DIR)/lib/spandsp/.compiled: $(IAXMODEM_DIR)/lib/spandsp/.configured - $(MAKE) CC=$(TARGET_CC) -C $(IAXMODEM_DIR)/lib/spandsp - $(STRIP) $(IAXMODEM_DIR)/lib/spandsp/src/.lib/libspandsp.a - touch $(IAXMODEM_DIR)/lib/spandsp/.compiled - -# then must compile libiax - - -$(IAXMODEM_DIR)/lib/libiax2/.configured: $(IAXMODEM_DIR)/lib/spandsp/.compiled -#$(IAXMODEM_DIR)/lib/libiax2/.configured: $(IAXMODEM_DIR)/.unpacked - (cd $(IAXMODEM_DIR)/lib/libiax2; rm -rf config.cache; \ - $(TARGET_CONFIG_OPTS) \ - CFLAGS="$(TARGET_CFLAGS)" \ - ./configure \ - --target=$(GNU_TARGET_NAME) \ - --host=$(GNU_TARGET_NAME) \ - --build=$(GNU_HOST_NAME) \ - ); - touch $(IAXMODEM_DIR)/lib/libiax2/.configured - -$(IAXMODEM_DIR)/lib/libiax2/.compiled: $(IAXMODEM_DIR)/lib/libiax2/.configured - $(MAKE) CC=$(TARGET_CC) -C $(IAXMODEM_DIR)/lib/libiax2 - 
$(STRIP) $(IAXMODEM_DIR)/lib/libiax2/src/.lib/libiax.a - touch $(IAXMODEM_DIR)/lib/libiax2/.compiled - -# then compile iaxmodem - -#$(IAXMODEM_DIR)/$(IAXMODEM_BINARY): $(IAXMODEM_DIR)/lib/libiax2/.compiled $(IAXMODEM_DIR)/lib/spandsp/.compiled -$(IAXMODEM_DIR)/$(IAXMODEM_BINARY): $(IAXMODEM_DIR)/lib/libiax2/.compiled - (cd $(IAXMODEM_DIR); \ - $(TARGET_CC) -Wall -O2 -g -DSTATICLIBS -D_GNU_SOURCE -std=c99 \ - -Ilib/libiax2/src -Ilib/spandsp/src -c -o iaxmodem.o iaxmodem.c; \ - $(TARGET_CC) -lm -lutil -o iaxmodem iaxmodem.o \ - lib/spandsp/src/.libs/libspandsp.a lib/libiax2/src/.libs/libiax.a \ - $(TARGET_DIR)/usr/lib/libtiff.so \ - ); - $(STRIP) $(IAXMODEM_DIR)/$(IAXMODEM_BINARY) - -$(TARGET_DIR)/$(IAXMODEM_TARGET_BINARY): $(IAXMODEM_DIR)/$(IAXMODEM_BINARY) - install -c $(IAXMODEM_DIR)/$(IAXMODEM_BINARY) $(TARGET_DIR)/$(IAXMODEM_TARGET_BINARY) - -iaxmodem-clean: - $(MAKE) -C $(IAXMODEM_DIR)/lib/spandsp clean - $(MAKE) -C $(IAXMODEM_DIR)/lib/libiax2 clean - -iaxmodem-dirclean: - rm -rf $(IAXMODEM_DIR) - -iaxmodem: uclibc $(TARGET_DIR)/$(IAXMODEM_TARGET_BINARY) - -############################################################# -# -# Toplevel Makefile options -# -############################################################# -ifeq ($(strip $(BR2_PACKAGE_IAXMODEM)),y) -TARGETS+=iaxmodem -endif Copied: trunk/package/iaxmodem/iaxmodem.mk (from rev 228, branches/dhartman/package/iaxmodem/iaxmodem.mk) =================================================================== --- trunk/package/iaxmodem/iaxmodem.mk (rev 0) +++ trunk/package/iaxmodem/iaxmodem.mk 2006-08-11 15:31:17 UTC (rev 229) 
@@ -0,0 +1,91 @@
+#############################################################
+#
+# iaxmodem (text based web browser)
+#
+#############################################################
+IAXMODEM_VER:=0.1.14
+IAXMODEM_SITE:=http://$(BR2_SOURCEFORGE_MIRROR).dl.sourceforge.net/sourceforge/iaxmodem/
+IAXMODEM_SOURCE:=iaxmodem-$(IAXMODEM_VER).tar.gz
+IAXMODEM_DIR:=$(BUILD_DIR)/iaxmodem-$(IAXMODEM_VER)
+IAXMODEM_BINARY:=iaxmodem
+IAXMODEM_TARGET_BINARY:=usr/sbin/iaxmodem
+
+$(DL_DIR)/$(IAXMODEM_SOURCE):
+ $(WGET) -P $(DL_DIR) $(IAXMODEM_SITE)/$(IAXMODEM_SOURCE)
+
+iaxmodem-source: $(DL_DIR)/$(IAXMODEM_SOURCE)
+
+$(IAXMODEM_DIR)/.unpacked: $(DL_DIR)/$(IAXMODEM_SOURCE)
+ zcat $(DL_DIR)/$(IAXMODEM_SOURCE) | tar -C $(BUILD_DIR) $(TAR_OPTIONS) -
+ touch $(IAXMODEM_DIR)/.unpacked
+
+# must compile spandsp first
+$(IAXMODEM_DIR)/lib/spandsp/.configured: $(IAXMODEM_DIR)/.unpacked
+ (cd $(IAXMODEM_DIR)/lib/spandsp; rm -rf config.cache; \
+ $(TARGET_CONFIG_OPTS) \
+ CFLAGS="$(TARGET_CFLAGS)" \
+ ./configure \
+ --target=$(GNU_TARGET_NAME) \
+ --host=$(GNU_TARGET_NAME) \
+ --build=$(GNU_HOST_NAME) \
+ );
+ touch $(IAXMODEM_DIR)/lib/spandsp/.configured
+
+$(IAXMODEM_DIR)/lib/spandsp/.compiled: $(IAXMODEM_DIR)/lib/spandsp/.configured
+ $(MAKE) CC=$(TARGET_CC) -C $(IAXMODEM_DIR)/lib/spandsp
+ $(STRIP) $(IAXMODEM_DIR)/lib/spandsp/src/.lib/libspandsp.a
+ touch $(IAXMODEM_DIR)/lib/spandsp/.compiled
+
+# then must compile libiax
+
+
+$(IAXMODEM_DIR)/lib/libiax2/.configured: $(IAXMODEM_DIR)/lib/spandsp/.compiled
+#$(IAXMODEM_DIR)/lib/libiax2/.configured: $(IAXMODEM_DIR)/.unpacked
+ (cd $(IAXMODEM_DIR)/lib/libiax2; rm -rf config.cache; \
+ $(TARGET_CONFIG_OPTS) \
+ CFLAGS="$(TARGET_CFLAGS)" \
+ ./configure \
+ --target=$(GNU_TARGET_NAME) \
+ --host=$(GNU_TARGET_NAME) \
+ --build=$(GNU_HOST_NAME) \
+ );
+ touch $(IAXMODEM_DIR)/lib/libiax2/.configured
+
+$(IAXMODEM_DIR)/lib/libiax2/.compiled: $(IAXMODEM_DIR)/lib/libiax2/.configured
+ $(MAKE) CC=$(TARGET_CC) -C $(IAXMODEM_DIR)/lib/libiax2
+ $(STRIP) $(IAXMODEM_DIR)/lib/libiax2/src/.lib/libiax.a
+ touch $(IAXMODEM_DIR)/lib/libiax2/.compiled
+
+# then compile iaxmodem
+
+#$(IAXMODEM_DIR)/$(IAXMODEM_BINARY): $(IAXMODEM_DIR)/lib/libiax2/.compiled $(IAXMODEM_DIR)/lib/spandsp/.compiled
+$(IAXMODEM_DIR)/$(IAXMODEM_BINARY): $(IAXMODEM_DIR)/lib/libiax2/.compiled
+ (cd $(IAXMODEM_DIR); \
+ $(TARGET_CC) -Wall -O2 -g -DSTATICLIBS -D_GNU_SOURCE -std=c99 \
+ -Ilib/libiax2/src -Ilib/spandsp/src -c -o iaxmodem.o iaxmodem.c; \
+ $(TARGET_CC) -lm -lutil -o iaxmodem iaxmodem.o \
+ lib/spandsp/src/.libs/libspandsp.a lib/libiax2/src/.libs/libiax.a \
+ $(TARGET_DIR)/usr/lib/libtiff.so \
+ );
+ $(STRIP) $(IAXMODEM_DIR)/$(IAXMODEM_BINARY)
+
+$(TARGET_DIR)/$(IAXMODEM_TARGET_BINARY): $(IAXMODEM_DIR)/$(IAXMODEM_BINARY)
+ install -c $(IAXMODEM_DIR)/$(IAXMODEM_BINARY) $(TARGET_DIR)/$(IAXMODEM_TARGET_BINARY)
+
+iaxmodem-clean:
+ $(MAKE) -C $(IAXMODEM_DIR)/lib/spandsp clean
+ $(MAKE) -C $(IAXMODEM_DIR)/lib/libiax2 clean
+
+iaxmodem-dirclean:
+ rm -rf $(IAXMODEM_DIR)
+
+iaxmodem: uclibc $(TARGET_DIR)/$(IAXMODEM_TARGET_BINARY)
+
+#############################################################
+#
+# Toplevel Makefile options
+#
+#############################################################
+ifeq ($(strip $(BR2_PACKAGE_IAXMODEM)),y)
+TARGETS+=iaxmodem
+endif
Copied: trunk/package/iptables/arno-iptables-firewall.conf (from rev 228, branches/dhartman/package/iptables/arno-iptables-firewall.conf)
===================================================================
--- trunk/package/iptables/arno-iptables-firewall.conf (rev 0)
+++ trunk/package/iptables/arno-iptables-firewall.conf 2006-08-11 15:31:17 UTC (rev 229)
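Review bot: The two `$(STRIP)` lines in the `.compiled` rules point at `src/.lib/libspandsp.a` and `src/.lib/libiax.a`, while the link step a few lines later reads `lib/spandsp/src/.libs/libspandsp.a` and `lib/libiax2/src/.libs/libiax.a`; the `.lib` paths almost certainly do not exist, so those recipes fail, which is plausibly the "does not compile" the Config.in help refers to. Even with the path corrected, an unqualified `strip` on a static archive typically removes the symbol table the final link needs, so the lines should become `$(STRIP) --strip-debug ...` or simply be dropped, since the finished binary is stripped anyway. The link also consumes `$(TARGET_DIR)/usr/lib/libtiff.so` with no make-level dependency on the libtiff target, so build order rests on Kconfig's `select` and package ordering rather than the graph; `iaxmodem: uclibc libtiff $(TARGET_DIR)/$(IAXMODEM_TARGET_BINARY)` would make it explicit. The header comment `# iaxmodem (text based web browser)` is copied from another package and should read `# iaxmodem (IAX software modem for fax with Asterisk)` or similar. Finally, the tarball is fetched over plain HTTP from a mirror with no checksum check, which matches the rest of this tree but is worth noting for a package that will sit on the VoIP path.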
@@ -0,0 +1,961 @@ +############################################################################### +# Modified by Darrick Hartman for use with Astlinux # +# basic settings in rc.conf. # +# These settings are commented out with two ## example ## EXT_IF="ppp+" # +# Make advanced setting in /mnt/kd/firewall.conf # +############################################################################### + +# --------------------------- Configuration file ------------------------------ +# -= Arno's iptables firewall =- +# Single- & multi-homed firewall script with DSL/ADSL support +# +# (C) Copyright 2001-2006 by Arno van Amersfoort +# Homepage : http://rocky.eld.leidenuniv.nl/ +# Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 +# Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl +# (note: you must remove all spaces and substitute the @ and the . +# at the proper locations!) +# ----------------------------------------------------------------------------- +# This program is free software; you can redistribute it and/or modify it under +# the terms of the GNU General Public License as published by the Free Software +# Foundation; either version 2 of the License, or (at your option) any later +# version. + +# This program is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for +# more details. + +# You should have received a copy of the GNU General Public License along with +# this program; if not, write to the Free Software Foundation Inc., 59 Temple +# Place - Suite 330, Boston, MA 02111-1307, USA. +# ----------------------------------------------------------------------------- + +## Astlinux mod ## +# source rc.conf for basic settings + +. /etc/rc.conf + +# Location of the iptables-binary (use 'locate iptables' or 'whereis iptables' +# to manually locate it). 
+# ----------------------------------------------------------------------------- +IPTABLES="/usr/sbin/iptables" + +############################################################################### +# External (internet) interface settings # +############################################################################### + +# The external interface(s) that will be protected (and used as internet +# connection). This is probably ppp+ for non-transparent(!) (A)DSL modems +# otherwise it should be "ethX" (eg. eth0). Multiple interfaces should be space +# separated. +# ----------------------------------------------------------------------------- +##EXT_IF="ppp+" + +# Enable if THIS machines (dynamically) obtains its IP through DHCP (from your +# ISP). +# ----------------------------------------------------------------------------- +##EXT_IF_DHCP_IP=0 + +# (EXPERT SETTING!) Here you can specify your external(!) subnet(s). You should +# only use this if you for example have a corporate network and/or running a +# DHCP server on your external(!) interface. Home users should normally NOT +# touch this setting. Multiple subnets should be space separated. +# Don't forget to specify a proper subnet masker (eg. /24, /16 or /8)! +# ----------------------------------------------------------------------------- +EXTERNAL_NET="" + +# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts +# on your external subnet. You only need to set this option if you want to use +# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast +# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving +# this empty should work fine. Multiple addresses (if you have more than one +# external interface) should be space separated. +# ----------------------------------------------------------------------------- +EXT_NET_BCAST_ADDRESS="" + +# Enable this if THIS MACHINE is running a DHCP(BOOTP) server for a subnet on +# the external(!) interface. 
Note that you don't need this for internal +# subnets, as for these nets everything is accepted by default. Don't forget to +# configure the EXTERNAL_NET variable, to make this work. +# ----------------------------------------------------------------------------- +EXTERNAL_DHCP_SERVER=0 + + +############################################################################### +# Internal (LAN) interface settings # +############################################################################### + +# Internal network interface or interfaces (multiple(!) interfaces should be +# space separated). Remark this if you don't have any internal network +# interfaces. Note that ALL traffic is accepted from these interfaces. +# ----------------------------------------------------------------------------- +##INT_IF="" + +# Specify here the internal subnet which is connected to the internal interface +# (INT_IF). For multiple interfaces(!) you can either specify multiple subnets +# here or specify one big subnet for all internal interfaces. +# ----------------------------------------------------------------------------- +##INTERNAL_NET="192.168.0.0/24" + +# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts +# on your internal subnet. You only need to set this option if you want to use +# the MAC filter AND you use a non-standard broadcast address +# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving +# this empty should work fine. Multiple addresses (if you have more than one +# external interface) should be space separated. +# ----------------------------------------------------------------------------- +INT_NET_BCAST_ADDRESS="" + +# Uncomment & specify here the location of the file that contains the MAC +# addresses of INTERNAL hosts that are allowed. The MAC addresses should be +# written like 00:11:22:33:44:55 +# Note that the last line of this +# file should always contain a carriage-return (enter)! 
+# ----------------------------------------------------------------------------- +#MAC_ADDRESS_FILE=/etc/arno-firewall-mac-addresses + + +############################################################################### +# DMZ (aka DeMilitarized Zone) settings # +############################################################################### + +# Put in the following variable the network interfaces that are DMZ-classified. +# You can also use this interface if you want to shield your Wireless network +# from your LAN. +# ----------------------------------------------------------------------------- +##DMZ_IF="" + +# Specify here the subnet which is connected to the DMZ interface (DMZ_IF). +# For multiple interfaces(!) you can either specify multiple subnets here or +# specify one big subnet for all DMZ interfaces. +# ----------------------------------------------------------------------------- +##DMZ_NET="" + + +############################################################################### +# NAT (Masquerade, SNAT, DNAT) settings # +############################################################################### + +# Enable this if you want to perform NAT (masquerading) for your internal +# network (LAN) (eg. share your internet connection with your internal +# net(s) connected to eg. INT_IF). +# ----------------------------------------------------------------------------- +##NAT=0 + +# (EXPERT SETTING!). By default only the first external interface (EXT_IF) +# is used for masquerading (NAT). By enabling this option ALL external +# interfaces *can* be used (load balancing / multi-route). Note that you should +# properly configure your route-table to make this work. Check the INSTALL file +# for more info. +# ----------------------------------------------------------------------------- +MASQ_MULTI_ROUTE=0 + +# (EXPERT SETTING!). 
In case you would like to use SNAT instead of +# MASQUERADING then uncomment and set the IP or IP's here of your static +# external address(es). Note that when multiple IP's are specified, SNAT +# multiroute is enabled (load balancing over multiple external (internet) +# interfaces, check the README file for more info). Note that the order of IP's +# should match the order of interfaces (they belond to) in $EXT_IF! +# ----------------------------------------------------------------------------- +#NAT_STATIC_IP="193.2.1.1" + +# (EXPERT SETTING!). Use this variable only if you want specific subnets or +# hosts to be able to access the internet. When no value is specified, your +# whole internal net will have access. In both cases it's obviously only +# meaningful when NAT is enabled. Note that you can also use this variable if +# you want to use NAT for your DMZ. +# ----------------------------------------------------------------------------- +NAT_INTERNAL_NET="$INTERNAL_NET" + +# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to +# an internal client through (D)NAT. Note that you can also use these +# variables to forward ports to DMZ hosts +# +# TCP/UDP form: +# "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} \ +# {SRCIP3,...:}PORT3,...>DESTIP2:port}" +# +# IP form: +# "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 \ +# {SRCIP3:}PROTO3,PROTO4,...>DESTIP2" +# +# TCP/UDP port forward examples: +# Simple (forward port 80 to internal host 192.168.0.10): +# NAT_xxx_FORWARD="80>192.168.0.10" +# Advanced (forward port 20 & 21 to 192.168.0.10 and +# forward from 1.2.3.4 port 81 to 192.168.0.11 port 80: +# NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80" +# +# IP protocol forward example: +# "47,48>192.168.0.10" (forward protocols 47 & 48 to 192.168.0.10 +# +# NOTE 1: {:port} is optional. Use it to redirect a specific port to a +# different port on the internal client. +# NOTE 2: {SRCIPx} is optional. 
Use it to restrict access to specific source +# IP addresses. +# NOTE 3: Port ranges can be written as "PORT1:PORT3" (ie. "1024:1030" would +# include ports 1024 until 1030). +# ----------------------------------------------------------------------------- +##NAT_TCP_FORWARD="" +##NAT_UDP_FORWARD="" +##NAT_IP_FORWARD="" + + +############################################################################### +# (ADSL) Modem settings # +# # +# The MODEM_xxx options should (only) be used when you have an ((A)DSL) # +# modem which works with a ppp-connection between the modem and the # +# host the modem is connected to. # +# # +# You can check whether this applies for your (hardware) setup with # +# 'ifconfig' (a 'ppp' device is shown). # +# This means that if your modem is bridging or an NAT router) or the # +# network interface the modem is connected to doesn't have an IP, you # +# should leave the MODEM_xxx options disabled (=default)! # +############################################################################### + +# The physical(!) network interface your ADSL modem is connected to (this is +# not ppp0!). +# ----------------------------------------------------------------------------- +##MODEM_IF="eth1" + +# (optional) The IP of the network interface (MODEM_IF) your ADSL modem is +# connected to (IP shown for the modem interface (MODEM_IF) in 'ifconfig'). +# ----------------------------------------------------------------------------- +##MODEM_IF_IP="10.0.0.150" + +# (optional) The IP of your (A)DSL modem itself. +# ----------------------------------------------------------------------------- +##MODEM_IP="10.0.0.138" + +# (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should +# have access to the (A)DSL modem itself (manage modem settings). The default +# setting ($INTERNAL_NET) allows access from everybody on your LAN. 
+# ----------------------------------------------------------------------------- +MODEM_INTERNAL_NET=$INTERNAL_NET + + +############################################################################### +# General settings # +############################################################################### + +# Most people don't want to get any firewall logs being spit to the console. +# This option makes the kernel ring buffer only log messages with level +# "panic". +# ----------------------------------------------------------------------------- +##DMESG_PANIC_ONLY=1 + +# Enable this if you want TOS mangling (RFC) (recommended). +# ----------------------------------------------------------------------------- +##MANGLE_TOS=1 + +# Enable this if you want to set the maximum packet size via the +# Maximum Segment Size(through MSS field) (recommended). +# ----------------------------------------------------------------------------- +##SET_MSS=1 + +# Enable this if you want to increase the TTL value by one in the prerouting +# chain. This hides the firewall when performing eg. traceroutes to internal +# hosts. +# ----------------------------------------------------------------------------- +##TTL_INC=0 + +# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in +# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels +# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target +# support. Don't mess with this unless you really know what you are doing! +# ----------------------------------------------------------------------------- +#PACKET_TTL="64" + +# Enable this to resolve names of DNS IP's etc. +# ----------------------------------------------------------------------------- +##RESOLV_IPS=0 + +# Enable this to support the IRC-protocol. +# ----------------------------------------------------------------------------- +##USE_IRC=0 + +# (EXPERT SETTING!). Loosen the forward chain for the external interface(s). 
+# Enable it to allow the use of protocols like UPnP. Note that it *could* be +# less secure. +# ----------------------------------------------------------------------------- +LOOSE_FORWARD=0 + +# (EXPERT SETTING!). Enable this if you want to drop packets originating from a +# private address. +# ----------------------------------------------------------------------------- +DROP_PRIVATE_ADDRESSES=0 + +# (EXPERT SETTING!). Protect this machine from being abused for a DRDOS-attack +# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!) +# ----------------------------------------------------------------------------- +DRDOS_PROTECT=0 + +# Enable this if you want to allow/enable IPv6 traffic. Note that my firewall +# does NOT filter IPv6 traffic (yet), and thus NO checking is performed on it! +# ----------------------------------------------------------------------------- +IPV6_SUPPORT=0 + +# This option fixes problems with SMB broadcasts when using nmblookup +# ----------------------------------------------------------------------------- +NMB_BROADCAST_FIX=0 + +# (EXPERT SETTING!). Enter your remote Freeswan subnet(s) here to enable +# "Virtual IP" support for Freeswan. This allows you to have remote +# "Virtual IP's" which are in the same subnet as yourself, to be routed into +# your network (via NAT). Make sure you understand what this is and that you +# really want this (else leave it empty)! +# ----------------------------------------------------------------------------- +FREESWAN_NET="" + +# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP +# traffic should be ACCEPTED. (multiple(!) interfaces should be space +# separated). Be warned that anything TO and FROM these interfaces is allowed +# (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world +# (internet)! +# ----------------------------------------------------------------------------- +TRUSTED_IF="" + +# (EXPERT SETTING!). 
Put here the (internal) interfaces that should trust +# (accept forward traffic) each other. +# ----------------------------------------------------------------------------- +INT_IF_TRUST="" + +# Location of the custom iptables rules file (if any). +# ----------------------------------------------------------------------------- +##CUSTOM_RULES=/etc/arno-firewall-custom-rules + + +############################################################################### +# Logging options - All logging is rate limited to prevent log flooding # +############################################################################### + +# Enable logging for explicitly blocked hosts. +# ----------------------------------------------------------------------------- +BLOCKED_HOST_LOG=1 + +# Enable logging for various stealth scans (reliable). +# ----------------------------------------------------------------------------- +SCAN_LOG=1 + +# Enable logging for possible stealth scans (less reliable). +# ----------------------------------------------------------------------------- +POSSIBLE_SCAN_LOG=1 + +# Enable logging for TCP-packets with bad flags. +# ----------------------------------------------------------------------------- +BAD_FLAGS_LOG=1 + +# Enable logging of invalid packets. +# ----------------------------------------------------------------------------- +INVALID_PACKET_LOG=1 + +# Enable logging of source IP's with reserved addresses. +# ----------------------------------------------------------------------------- +RESERVED_NET_LOG=1 + +# Enable logging of fragmented packets. +# ----------------------------------------------------------------------------- +FRAG_LOG=1 + +# Enable logging of (probable) "lost TCP connections". Keep disabled to +# reduce false alarms. +# ----------------------------------------------------------------------------- +LOST_CONNECTION_LOG=0 + +# Enable logging of denied local (OUTPUT) connections. 
+# ----------------------------------------------------------------------------- +OUTPUT_DENY_LOG=1 + +# Enable logging of denied LAN output (FORWARD) connections. +# ----------------------------------------------------------------------------- +LAN_OUTPUT_DENY_LOG=1 + +# Enable logging of denied DMZ output (FORWARD) connections. +# ----------------------------------------------------------------------------- +DMZ_OUTPUT_DENY_LOG=1 + +# Enable logging of denied DMZ input (FORWARD) connections. +# ----------------------------------------------------------------------------- +DMZ_INPUT_DENY_LOG=1 + +# Enable logging of dropped ICMP-request packets (ping). +# ----------------------------------------------------------------------------- +ICMP_REQUEST_LOG=1 + +# Enable logging of dropped "other" ICMP packets. +# ----------------------------------------------------------------------------- +ICMP_OTHER_LOG=1 + +# Enable logging of normal connection attempts to privileged TCP ports. +# ----------------------------------------------------------------------------- +PRIV_TCP_LOG=1 + +# Enable logging of normal connection attempts to privileged UDP ports. +# ----------------------------------------------------------------------------- +PRIV_UDP_LOG=1 + +# Enable logging of normal connection attempts to unprivileged TCP ports. +# ----------------------------------------------------------------------------- +UNPRIV_TCP_LOG=1 + +# Enable logging of normal connection attempts to unprivileged UDP ports. +# ----------------------------------------------------------------------------- +UNPRIV_UDP_LOG=1 + +# Enable logging of normal connection attempts to "other-IP"-protocols (non +# TCP/UDP/ICMP). +# ----------------------------------------------------------------------------- +OTHER_IP_LOG=1 + +# Enable logging for ICMP flooding. 
+# -----------------------------------------------------------------------------
+ICMP_FLOOD_LOG=1
+
+# Enable logging for not-allowed MAC addresses (if used).
+# -----------------------------------------------------------------------------
+MAC_ADDRESS_LOG=1
+
+# (EXPERT SETTING!). The location of the dedicated firewall log file. When
+# enabled the firewall script will also log start/stop etc. info to this file
+# as well. Note that in order to make this work, you should also configure
+# syslogd to log firewall messages to this file (see LOGLEVEL below for further
+# info).
+# -----------------------------------------------------------------------------
+#FIREWALL_LOG=/var/log/firewall
+
+# (EXPERT SETTING!). Current log-level ("info": default kernel syslog level)
+# "debug": can be used to log to /var/log/firewall.log, but you have to configure
+# syslogd accordingly (see included syslogd.conf examples).
+# -----------------------------------------------------------------------------
+LOGLEVEL=info
+
+# Put in the following variables which hosts you want to log certain incoming
+# connection attempts for.
+# TCP/UDP port format (LOG_HOST_xxx_INPUT):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (LOG_HOST_IP_INPUT):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+# -----------------------------------------------------------------------------
+LOG_HOST_TCP_INPUT=""
+LOG_HOST_UDP_INPUT=""
+LOG_HOST_IP_INPUT=""
+
+# Put in the following variables which hosts you want to log certain outgoing
+# connection attempts for.
+# TCP/UDP port format (LOG_HOST_xxx_OUTPUT):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (LOG_HOST_IP_OUTPUT):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+# -----------------------------------------------------------------------------
+LOG_HOST_TCP_OUTPUT=""
+LOG_HOST_UDP_OUTPUT=""
+LOG_HOST_IP_OUTPUT=""
+
+# Put in the following variables which services you want to log incoming
+# connection attempts for.
+# -----------------------------------------------------------------------------
+LOG_TCP_INPUT=""
+LOG_UDP_INPUT=""
+LOG_IP_INPUT=""
+
+# Put in the following variables which services you want to log outgoing
+# connection attempts for.
+# -----------------------------------------------------------------------------
+LOG_TCP_OUTPUT=""
+LOG_UDP_OUTPUT=""
+LOG_IP_OUTPUT=""
+
+# Put in the following variable which hosts you want to log incoming connection
+# (attempts) for.
+# -----------------------------------------------------------------------------
+LOG_HOST_INPUT=""
+
+# Put in the following variable which hosts you want to log outgoing connection
+# (attempts) to.
+# -----------------------------------------------------------------------------
+LOG_HOST_OUTPUT=""
+
+
+###############################################################################
+# /proc based settings (EXPERT SETTINGS!) #
+###############################################################################
+
+# Enable for synflood protection (through /proc/.../tcp_syncookies).
+# -----------------------------------------------------------------------------
+SYN_PROT=1
+
+# Enable this to reduce the ability of others DOS'ing your machine.
+# -----------------------------------------------------------------------------
+REDUCE_DOS_ABILITY=1
+
+# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
+# -----------------------------------------------------------------------------
+ECHO_IGNORE=0
+
+# Enable to log packets with impossible addresses to the kernel log.
+# -----------------------------------------------------------------------------
+LOG_MARTIANS=0
+
+# Only disable this if you're NOT using forwarding (required for NAT etc.)
for
+# increased security.
+# -----------------------------------------------------------------------------
+IP_FORWARDING=1
+
+# Enable if you want to accept ICMP redirect messages. Should be set to "0" in
+# case of a router.
+# -----------------------------------------------------------------------------
+ICMP_REDIRECT=0
+
+# Enable/modify this if you want to be a able to handle a larger (or smaller)
+# number of simultaneous connections. For high traffic machines I recommend to
+# use a value of at least 16384 (note that a higher value (obviously) also uses
+# more memory).
+# -----------------------------------------------------------------------------
+CONNTRACK=16384
+
+# You may need to enable this to get some internet games to work, but note that
+# it's *less* secure.
+# -----------------------------------------------------------------------------
+LOOSE_UDP_PATCH=0
+
+# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
+# as some routers are still not compatible with this.
+# -----------------------------------------------------------------------------
+ECN=0
+
+# Enable to drop connections from non-routable IP's, eg. prevent source
+# routing. By default the firewall itself also provides rules against source
+# routing. Note than when you use eg. VPN (Freeswan), you should probably
+# disable this setting.
+# -----------------------------------------------------------------------------
+RP_FILTER=1
+
+# Protect against source routed packets. Attackers can use source routing to
+# generate traffic pretending to be from inside your network, but which is
+# routed back along the path from which it came, namely outside, so attackers
+# can compromise your network. Source routing is rarely used for legitimate
+# purposes, so normally you should always leave this enabled(1)!
+# -----------------------------------------------------------------------------
+SOURCE_ROUTE_PROTECTION=1
+
+# Here we set the local port range (ports from which connections are
+# initiated from our site). Don't mess with this unless you really know what
+# you are doing!
+# -----------------------------------------------------------------------------
+LOCAL_PORT_RANGE="32768 61000"
+
+# Here you can change the default TTL used for sending packets. The value
+# should be between 10 and 255. Don't mess with this unless you really know
+# what you are doing!
+# -----------------------------------------------------------------------------
+DEFAULT_TTL=64
+
+# In most cases pmtu discovery is ok, but in some rare cases (when having
+# problems) you might want to disable it.
+# -----------------------------------------------------------------------------
+NO_PMTU_DISCOVERY=0
+
+
+###############################################################################
+# (Transparent) proxy settings (EXPERT SETTINGS!) #
+###############################################################################
+#HTTP_PROXY_PORT="3128"
+HTTPS_PROXY_PORT=""
+FTP_PROXY_PORT=""
+SMTP_PROXY_PORT=""
+POP3_PROXY_PORT=""
+
+
+###############################################################################
+# Firewall policies for the LAN (EXPERT SETTINGS!) #
+###############################################################################
+
+###############################################################################
+# LAN_INET_xxx = LAN->internet access rules (forward) #
+# #
+# Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT #
+# used, the default policy for that protocol/port is accept (unless denied #
+# through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)!
#
+###############################################################################
+
+# Put in the following variables the TCP/UDP ports or IP
+# protocols TO (remote end-point) which the LAN hosts are
+# permitted to connect to via the external (internet) interface.
+# -----------------------------------------------------------------------------
+LAN_INET_OPEN_TCP=""
+LAN_INET_OPEN_UDP=""
+LAN_INET_OPEN_IP=""
+
+# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
+# end-point) which the LAN hosts are NOT permitted to connect to
+# via the external (internet) interface. Examples of usage are for blocking
+# IRC (TCP 6666:6669) for the internal network.
+# -----------------------------------------------------------------------------
+LAN_INET_DENY_TCP=""
+LAN_INET_DENY_UDP=""
+LAN_INET_DENY_IP=""
+
+# Put in the following variables the TCP/UDP ports or IP
+# protocols TO (remote end-point) which certain LAN hosts are
+# permitted to connect to via the external (internet) interface. Note that
+# any ports/protocols specified here are made "exclusively" for the accompaning
+# host(s), meaning that nobody else can use them!
+#
+# TCP/UDP port format (LAN_INET_HOST_OPEN_xxx):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (LAN_INET_HOST_OPEN_xxx):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+# -----------------------------------------------------------------------------
+LAN_INET_HOST_OPEN_TCP=""
+LAN_INET_HOST_OPEN_UDP=""
+LAN_INET_HOST_OPEN_IP=""
+
+# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
+# end-point) which certain LAN hosts are NOT permitted to connect to
+# via the external (internet) interface.
+#
+# TCP/UDP port format (LAN_INET_HOST_DENY_xxx):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (LAN_INET_HOST_DENY_xxx):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+# -----------------------------------------------------------------------------
+LAN_INET_HOST_DENY_TCP=""
+LAN_INET_HOST_DENY_UDP=""
+LAN_INET_HOST_DENY_IP=""
+
+
+###############################################################################
+# Firewall policies for the DMZ (EXPERT SETTINGS!) #
+###############################################################################
+
+###############################################################################
+# INET_DMZ_xxx = Internet->DMZ access rules (forward) #
+# DMZ_INET_xxx = DMZ->internet access rules (forward) #
+# DMZ_LAN_xxx = DNZ->LAN access rules (forward) #
+# DMZ_xxx = DMZ->local(this machine) access rules (input) #
+# #
+# Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT #
+# used, the default policy for that protocol/port is accept (unless denied #
+# through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)! #
+###############################################################################
+
+# Put in the following variables which INET hosts are permitted to connect to
+# certain the TCP/UDP ports or IP protocols in the DMZ.
+# -----------------------------------------------------------------------------
+INET_DMZ_OPEN_TCP=""
+INET_DMZ_OPEN_UDP=""
+INET_DMZ_OPEN_IP=""
+
+# Put in the following variables which INET hosts are NOT permitted to connect
+# to certain the TCP/UDP ports or IP protocols in the DMZ.
+# -----------------------------------------------------------------------------
+INET_DMZ_DENY_TCP=""
+INET_DMZ_DENY_UDP=""
+INET_DMZ_DENY_IP=""
+
+# Put in the following variables which INET hosts you want to allow for certain
+# services. By default all services are allowed for DMZ hosts.
+# TCP/UDP port format (INET_DMZ_HOST_OPEN_TCP & INET_DMZ_HOST_OPEN_UDP):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (INET_DMZ_HOST_OPEN_IP):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+#
+# ICMP protocol format (INET_DMZ_HOST_OPEN_ICMP):
+# "host1 host2 ...."
+# -----------------------------------------------------------------------------
+INET_DMZ_HOST_OPEN_TCP=""
+INET_DMZ_HOST_OPEN_UDP=""
+INET_DMZ_HOST_OPEN_IP=""
+
+# Put in the following variables which INET hosts you want to deny for certain
+# services (and logged). By default all services are allowed for DMZ
+# hosts.
+# TCP/UDP port format (INET_DMZ_HOST_OPEN_TCP & INET_DMZ_HOST_OPEN_UDP):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (INET_DMZ_HOST_OPEN_IP):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+#
+# ICMP protocol format (INET_DMZ_HOST_OPEN_ICMP):
+# "host1 host2 ...."
+# -----------------------------------------------------------------------------
+INET_DMZ_HOST_DENY_TCP=""
+INET_DMZ_HOST_DENY_UDP=""
+INET_DMZ_HOST_DENY_IP=""
+
+###############################################################################
+# Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT #
+# used, the default policy for that protocol/port is accept (unless denied #
+# through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
+###############################################################################
+
+# Put in the following variables the TCP/UDP ports or IP
+# protocols TO (remote end-point) which the DMZ hosts are
+# permitted to connect to via the external (internet) interface.
+# -----------------------------------------------------------------------------
+DMZ_INET_OPEN_TCP=""
+DMZ_INET_OPEN_UDP=""
+DMZ_INET_OPEN_IP=""
+
+# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
+# end-point) which the DMZ hosts are NOT permitted to connect to
+# via the external (internet) interface. Examples of usage are for blocking
+# IRC (TCP 6666:6669) for the internal network.
+# -----------------------------------------------------------------------------
+DMZ_INET_DENY_TCP=""
+DMZ_INET_DENY_UDP=""
+DMZ_INET_DENY_IP=""
+
+# Put in the following variables which DMZ hosts you want to allow to connect
+# to certain internet hosts for services. By default all inet services are
+# allowed for DMZ hosts.
+#
+# TCP/UDP port format (DMZ_INET_HOST_OPEN_TCP & DMZ_INET_HOST_OPEN_UDP):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (DMZ_INET_HOST_OPEN_IP):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+#
+# ICMP protocol format (DMZ_INET_HOST_OPEN_ICMP):
+# "host1 host2 ...."
+# -----------------------------------------------------------------------------
+DMZ_INET_HOST_OPEN_TCP=""
+DMZ_INET_HOST_OPEN_UDP=""
+DMZ_INET_HOST_OPEN_IP=""
+
+# Put in the following variables which DMZ hosts you want to deny to connect
+# to certain internet hosts for services.
+#
+# TCP/UDP port format (DMZ_INET_HOST_OPEN_TCP & DMZ_INET_HOST_OPEN_UDP):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (DMZ_INET_HOST_OPEN_IP):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+#
+# ICMP protocol format (DMZ_INET_HOST_OPEN_ICMP):
+# "host1 host2 ...."
+# -----------------------------------------------------------------------------
+DMZ_INET_HOST_DENY_TCP=""
+DMZ_INET_HOST_DENY_UDP=""
+DMZ_INET_HOST_DENY_IP=""
+
+# (EXPERT SETTING!) DMZ-to-LAN TCP/UDP/IP open ports/protocols.
Open particular
+# ports / protocols on LAN hosts(on INT_IF) for certain DMZ hosts.:
+# TCP/UDP form:
+# "SRCIP1,SRCIP2,...>DESTIP1:port \
+# SRCIP3,...>DESTIP2:port"
+#
+# IP form:
+# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
+# SRCIP3,...>DESTIP2:protocol"
+#
+# TCP/UDP examples:
+# Simple (open port 80 on host 192.168.0.10 for all DMZ hosts):
+# DMZ_LAN_HOST_OPEN_xxx="192.168.0.10:80"
+# Advanced (open port 20 & 21 on 192.168.0.10 for all DMZ hosts and
+# open port 80 on 192.168.0.11 for host 1.2.3.4 only:
+# DMZ_LAN_HOST_OPEN_xxx="192.168.0.10:20,21 1.2.3.4>192.168.0.11:80"
+#
+# IP protocol forward example:
+# "192.168.0.10:47,48" (open protocols 47 & 48 on 192.168.0.10
+# for all DMZ hosts)
+#
+# NOTE 1: {SRCIPx} is optional. Use it to restrict access to specific
+# source IP addresses.
+# NOTE 2: Port ranges can be written as "PORT1:PORT3" (ie. "1024:1030" would
+# include ports 1024 until 1030).
+# -----------------------------------------------------------------------------
+DMZ_LAN_HOST_OPEN_TCP=""
+DMZ_LAN_HOST_OPEN_UDP=""
+DMZ_LAN_HOST_OPEN_IP=""
+
+# Put in the following variables which DMZ hosts are permitted to connect to
+# certain the TCP/UDP ports, IP protocols or ICMP. By default all (local)
+# services are blocked for DMZ hosts.
+# -----------------------------------------------------------------------------
+DMZ_OPEN_TCP=""
+DMZ_OPEN_UDP=""
+DMZ_OPEN_IP=""
+DMZ_OPEN_ICMP=0
+
+# Put in the following variables which DMZ hosts you want to allow for certain
+# services. By default all (local) services are blocked for DMZ hosts.
+# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (DMZ_HOST_OPEN_IP):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+#
+# ICMP protocol format (DMZ_HOST_OPEN_ICMP):
+# "host1 host2 ...."
+# -----------------------------------------------------------------------------
+DMZ_HOST_OPEN_TCP=""
+DMZ_HOST_OPEN_UDP=""
+DMZ_HOST_OPEN_IP=""
+DMZ_HOST_OPEN_ICMP=""
+
+
+###############################################################################
+# Firewall policies for the external (inet) interface (default policy = drop) #
+###############################################################################
+
+# Put in the following variable which hosts (subnets) you want have full access
+# via your internet (EXT_IF) connection(!). This is especially meant for
+# networks/servers which use NIS/NFS, as these protocols require all ports
+# to be open.
+# NOTE: Don't mistake this variable with the one used for internal nets.
+# -----------------------------------------------------------------------------
+##FULL_ACCESS_HOSTS=""
+
+# Put in the following variables which ports or IP protocols you want to leave
+# open to the whole world.
+# -----------------------------------------------------------------------------
+##OPEN_TCP=""
+##OPEN_UDP=""
+##OPEN_IP=""
+##OPEN_ICMP=0
+
+# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
+# everyone (and logged). Also use these variables if you want to log connection
+# attempts to these ports from everyone (also trusted/full access hosts).
+# In principle you don't need these variables, as everything is already blocked
+# (denied) by default, but just exists for consistency.
+# -----------------------------------------------------------------------------
+##DENY_TCP=""
+##DENY_UDP=""
+
+# Put in the following variables which ports you want to DENY(DROP) for
+# everyone but NOT logged. This is very useful if you have constant probes on
+# the same port(s) over and over again (code red worm) and don't want your logs
+# flooded with it.
+# -----------------------------------------------------------------------------
+##DENY_TCP_NOLOG=""
+##DENY_UDP_NOLOG=""
+
+# Put in the following variables the TCP/UDP ports you want to REJECT (instead
+# of DROP) for everyone (and logged).
+# -----------------------------------------------------------------------------
+##REJECT_TCP=""
+##REJECT_UDP=""
+
+# Put in the following variables the TCP/UDP ports you want to REJECT (instead
+# of DROP) for everyone but NOT logged.
+# -----------------------------------------------------------------------------
+##REJECT_TCP_NOLOG=""
+##REJECT_UDP_NOLOG=""
+
+# Put in the following variables which hosts you want to allow for certain
+# services.
+# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (HOST_OPEN_IP):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+#
+# ICMP protocol format (HOST_OPEN_ICMP):
+# "host1 host2 ...."
+# -----------------------------------------------------------------------------
+##HOST_OPEN_TCP=""
+##HOST_OPEN_UDP=""
+##HOST_OPEN_IP=""
+##HOST_OPEN_ICMP=""
+
+# Put in the following variables which hosts you want to DENY(DROP) for certain
+# services (and logged).
+# to DENY(DROP) for certain hosts.
+# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (HOST_DENY_IP):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+#
+# ICMP protocol format (HOST_DENY_ICMP):
+# "host1 host2 ...."
+# -----------------------------------------------------------------------------
+##HOST_DENY_TCP=""
+##HOST_DENY_UDP=""
+##HOST_DENY_IP=""
+##HOST_DENY_ICMP=""
+
+# Put in the following variables which hosts you want to DENY(DROP) for certain
+# services but NOT logged.
+# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (HOST_DENY_IP_NOLOG):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+#
+# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
+# "host1 host2 ...."
+# -----------------------------------------------------------------------------
+##HOST_DENY_TCP_NOLOG=""
+##HOST_DENY_UDP_NOLOG=""
+##HOST_DENY_IP_NOLOG=""
+##HOST_DENY_ICMP_NOLOG=""
+
+# Put in the following variables which hosts you want to REJECT (instead of
+# DROP) for certain TCP/UDP ports.
+# TCP/UDP port format (HOST_REJECT_xxx):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+# -----------------------------------------------------------------------------
+##HOST_REJECT_TCP=""
+##HOST_REJECT_UDP=""
+
+# Put in the following variables which hosts you want to REJECT (instead of
+# DROP) for certain services but NOT logged.
+# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+# -----------------------------------------------------------------------------
+##HOST_REJECT_TCP_NOLOG=""
+##HOST_REJECT_UDP_NOLOG=""
+
+# Put in the following variables which services THIS machine is NOT
+# permitted to connect TO (remote end-point) via the external (internet)
+# interface. For example for blocking IRC (tcp 6666:6669).
+# -----------------------------------------------------------------------------
+##DENY_TCP_OUTPUT=""
+##DENY_UDP_OUTPUT=""
+##DENY_IP_OUTPUT=""
+
+# Put in the following variables to which hosts THIS machine is NOT
+# permitted to connect TO for certain services (remote end-point)
+# via the external (internet) interface. In principle you can also
+# use this to put your machine in a "virtual-DMZ" by blocking all traffic
+# to your local subnet.
+# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
+# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
+#
+# IP protocol format (HOST_DENY_IP_OUTPUT):
+# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
+# -----------------------------------------------------------------------------
+##HOST_DENY_TCP_OUTPUT=""
+##HOST_DENY_UDP_OUTPUT=""
+##HOST_DENY_IP_OUTPUT=""
+
+# Put in the following variable which TCP/UDP ports you don't want to
+# see broadcasts from (ie. DHCP (67/68) on your EXTERNAL interface. Note that
+# to make this properly work you also need to set "EXTERNAL_NET"!
+# -----------------------------------------------------------------------------
+##BROADCAST_TCP_NOLOG=""
+###BROADCAST_UDP_NOLOG="67 68"
+
+# Put in the following variable which hosts you want to block (blackhole,
+# dropping every packet from the host).
+# -----------------------------------------------------------------------------
+##BLOCK_HOSTS=""
+
+# Uncomment & specify here the location of the file that contains a list of
+# hosts(IP's) that should be BLOCKED. IP ranges can (only) be specified as
+# w.x.y.z1-z2 (ie. 192.168.1.10-15). Note that the last line of this file
+# should always contain a carriage-return (enter)!
+# -----------------------------------------------------------------------------
+###BLOCK_HOSTS_FILE=/etc/arno-firewall-blocked-hosts
+
Modified: trunk/package/iptables/iptables.init
===================================================================
--- trunk/package/iptables/iptables.init 2006-08-11 07:04:51 UTC (rev 228)
+++ trunk/package/iptables/iptables.init 2006-08-11 15:31:17 UTC (rev 229)
@@ -1,70 +1,4227 @@
 #!/bin/sh
+#
+# chkconfig: 2345 11 89
+# description: Arno's iptables firewall
-. /etc/rc.conf
+MY_VERSION="1.8.6c"
+############################################################################################
+# You should put this script in eg. "/etc/init.d/" (or "/etc/rc.d/"). #
+# Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it #
+# If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or #
+# (for ie. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script #
+# ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script"). #
+############################################################################################
-start () {
-if [ "$INTIF" ]
-then
-echo "Starting iptables..."
-if [ -x /mnt/kd/astfw ]
-then
-/mnt/kd/astfw
+# Location of the configuration file for this firewall:
+#######################################################
+CONFIG_FILE=/etc/arno-iptables-firewall.conf
+
+# ------------------------------------------------------------------------------------------
+# -= Arno's iptables firewall =-
+# Single- & multi-homed firewall script with DSL/ADSL support
+#
+# ~ In memory of my dear father ~
+#
+# (C) Copyright 2001-2006 by Arno van Amersfoort
+# Homepage : http://rocky.eld.leidenuniv.nl/
+# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
+# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
+# (note: you must remove all spaces and substitute the @ and the .
+# at the proper locations!)
+# ------------------------------------------------------------------------------------------
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# ------------------------------------------------------------------------------------------
+
+printf "\033... [truncated message content] |