From: <dha...@us...> - 2006-08-11 15:51:16
Revision: 231
Author: dhartman
Date: 2006-08-11 08:50:59 -0700 (Fri, 11 Aug 2006)
ViewCVS: http://svn.sourceforge.net/astlinux/?rev=231&view=rev
Log Message:
-----------
undoing accidental merge from dhartman branch
Modified Paths:
--------------
trunk/package/Config.in
trunk/package/acpid/acpid.mk
trunk/package/file/file.mk
trunk/package/iptables/iptables.init
trunk/package/iptables/iptables.mk
trunk/target/generic/target_skeleton/etc/init.d/misc
Added Paths:
-----------
trunk/target/generic/target_skeleton/etc/runlevels/default/S02network
trunk/target/generic/target_skeleton/etc/runlevels/default/S03ntpclient
Removed Paths:
-------------
trunk/package/acpid/acpid.init
trunk/package/iaxmodem/
trunk/package/iptables/arno-iptables-firewall.conf
trunk/package/libtiff/
trunk/package/openvpn/openvpn.init
trunk/target/generic/target_skeleton/etc/openvpn.conf
trunk/target/generic/target_skeleton/etc/runlevels/default/K26openvpn
trunk/target/generic/target_skeleton/etc/runlevels/default/S02iptables
trunk/target/generic/target_skeleton/etc/runlevels/default/S03network
trunk/target/generic/target_skeleton/etc/runlevels/default/S04ntpclient
trunk/target/generic/target_skeleton/etc/runlevels/default/S14openvpn
trunk/target/generic/target_skeleton/etc/runlevels/default/S24acpid
Modified: trunk/package/Config.in
===================================================================
--- trunk/package/Config.in 2006-08-11 15:33:14 UTC (rev 230)
+++ trunk/package/Config.in 2006-08-11 15:50:59 UTC (rev 231)
@@ -61,7 +61,6 @@
 source "package/gzip/Config.in"
 source "package/hostap/Config.in"
 source "package/hotplug/Config.in"
-source "package/iaxmodem/Config.in"
 source "package/inadyn/Config.in"
 source "package/iostat/Config.in"
 source "package/iproute2/Config.in"
@@ -82,7 +81,6 @@
 source "package/libpq/Config.in"
 source "package/libpri/Config.in"
 source "package/libsysfs/Config.in"
-source "package/libtiff/Config.in"
 source "package/libtool/Config.in"
 source "package/libusb/Config.in"
 source "package/lighttpd/Config.in"
Deleted: trunk/package/acpid/acpid.init
===================================================================
--- trunk/package/acpid/acpid.init 2006-08-11 15:33:14 UTC (rev 230)
+++ trunk/package/acpid/acpid.init 2006-08-11 15:50:59 UTC (rev 231)
@@ -1,45 +0,0 @@
-#!/bin/sh
-
-. /etc/rc.conf
-
-start () {
-if [ -x /usr/sbin/acpid ]
-then
-echo "Starting acpid..."
-/usr/sbin/acpid
-fi
-}
-
-stop () {
-if `ps | grep -q acpid`
-then
-echo "Stopping acpid..."
-killall acpid 2> /dev/null
-fi
-}
-
-case $1 in
-
-start)
-start
-;;
-
-stop)
-stop
-;;
-
-init)
-start
-;;
-
-restart)
-stop
-sleep 2
-start
-;;
-
-*)
-echo "Usage: start|stop|restart"
-;;
-
-esac
Modified: trunk/package/acpid/acpid.mk
===================================================================
--- trunk/package/acpid/acpid.mk 2006-08-11 15:33:14 UTC (rev 230)
+++ trunk/package/acpid/acpid.mk 2006-08-11 15:50:59 UTC (rev 231)
@@ -26,7 +26,6 @@
 	mkdir -p $(TARGET_DIR)/etc/acpi/events
 	echo -e "event=button[ /]power\naction=/sbin/poweroff" > $(TARGET_DIR)/etc/acpi/events/powerbtn
 	touch -c $(TARGET_DIR)/usr/sbin/acpid
-	$(INSTALL) -D -m 0755 package/acpid/acpid.init $(TARGET_DIR)/etc/init.d/acpid
 
 acpid: $(TARGET_DIR)/usr/sbin/acpid
 
@@ -34,9 +33,6 @@
 
 acpid-clean:
 	-make -C $(ACPID_DIR) clean
-	rm -f $(TARGET_DIR)/usr/sbin/acpid
-	rm -f $(TARGET_DIR)/etc/init.d/acpid
-	rm -rf $(TARGET_DIR)/etc/acpi
 
 acpid-dirclean:
 	rm -rf $(ACPID_DIR)
Modified: trunk/package/file/file.mk
===================================================================
--- trunk/package/file/file.mk 2006-08-11 15:33:14 UTC (rev 230)
+++ trunk/package/file/file.mk 2006-08-11 15:50:59 UTC (rev 231)
@@ -3,7 +3,7 @@
 # file
 #
 #############################################################
-FILE_VER:=4.17
+FILE_VER:=4.15
 FILE_SOURCE:=file-$(FILE_VER).tar.gz
 FILE_SITE:=ftp://ftp.astron.com/pub/file
 FILE_DIR1:=$(TOOL_BUILD_DIR)/file-$(FILE_VER)
Deleted: trunk/package/iptables/arno-iptables-firewall.conf
===================================================================
--- trunk/package/iptables/arno-iptables-firewall.conf 2006-08-11 15:33:14 UTC (rev 230)
+++ trunk/package/iptables/arno-iptables-firewall.conf 2006-08-11 15:50:59 UTC (rev 231)
@@ -1,961 +0,0 @@ -############################################################################### -# Modified by Darrick Hartman for use with Astlinux # -# basic settings in rc.conf. # -# These settings are commented out with two ## example ## EXT_IF="ppp+" # -# Make advanced setting in /mnt/kd/firewall.conf # -############################################################################### - -# --------------------------- Configuration file ------------------------------ -# -= Arno's iptables firewall =- -# Single- & multi-homed firewall script with DSL/ADSL support -# -# (C) Copyright 2001-2006 by Arno van Amersfoort -# Homepage : http://rocky.eld.leidenuniv.nl/ -# Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 -# Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl -# (note: you must remove all spaces and substitute the @ and the . -# at the proper locations!) -# ----------------------------------------------------------------------------- -# This program is free software; you can redistribute it and/or modify it under -# the terms of the GNU General Public License as published by the Free Software -# Foundation; either version 2 of the License, or (at your option) any later -# version. - -# This program is distributed in the hope that it will be useful, but WITHOUT -# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for -# more details. - -# You should have received a copy of the GNU General Public License along with -# this program; if not, write to the Free Software Foundation Inc., 59 Temple -# Place - Suite 330, Boston, MA 02111-1307, USA. -# ----------------------------------------------------------------------------- - -## Astlinux mod ## -# source rc.conf for basic settings - -. /etc/rc.conf - -# Location of the iptables-binary (use 'locate iptables' or 'whereis iptables' -# to manually locate it). 
-# ----------------------------------------------------------------------------- -IPTABLES="/usr/sbin/iptables" - -############################################################################### -# External (internet) interface settings # -############################################################################### - -# The external interface(s) that will be protected (and used as internet -# connection). This is probably ppp+ for non-transparent(!) (A)DSL modems -# otherwise it should be "ethX" (eg. eth0). Multiple interfaces should be space -# separated. -# ----------------------------------------------------------------------------- -##EXT_IF="ppp+" - -# Enable if THIS machines (dynamically) obtains its IP through DHCP (from your -# ISP). -# ----------------------------------------------------------------------------- -##EXT_IF_DHCP_IP=0 - -# (EXPERT SETTING!) Here you can specify your external(!) subnet(s). You should -# only use this if you for example have a corporate network and/or running a -# DHCP server on your external(!) interface. Home users should normally NOT -# touch this setting. Multiple subnets should be space separated. -# Don't forget to specify a proper subnet masker (eg. /24, /16 or /8)! -# ----------------------------------------------------------------------------- -EXTERNAL_NET="" - -# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts -# on your external subnet. You only need to set this option if you want to use -# the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast -# address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving -# this empty should work fine. Multiple addresses (if you have more than one -# external interface) should be space separated. -# ----------------------------------------------------------------------------- -EXT_NET_BCAST_ADDRESS="" - -# Enable this if THIS MACHINE is running a DHCP(BOOTP) server for a subnet on -# the external(!) interface. 
Note that you don't need this for internal -# subnets, as for these nets everything is accepted by default. Don't forget to -# configure the EXTERNAL_NET variable, to make this work. -# ----------------------------------------------------------------------------- -EXTERNAL_DHCP_SERVER=0 - - -############################################################################### -# Internal (LAN) interface settings # -############################################################################### - -# Internal network interface or interfaces (multiple(!) interfaces should be -# space separated). Remark this if you don't have any internal network -# interfaces. Note that ALL traffic is accepted from these interfaces. -# ----------------------------------------------------------------------------- -##INT_IF="" - -# Specify here the internal subnet which is connected to the internal interface -# (INT_IF). For multiple interfaces(!) you can either specify multiple subnets -# here or specify one big subnet for all internal interfaces. -# ----------------------------------------------------------------------------- -##INTERNAL_NET="192.168.0.0/24" - -# (EXPERT SETTING!) Here you can specify the IP address used for broadcasts -# on your internal subnet. You only need to set this option if you want to use -# the MAC filter AND you use a non-standard broadcast address -# (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving -# this empty should work fine. Multiple addresses (if you have more than one -# external interface) should be space separated. -# ----------------------------------------------------------------------------- -INT_NET_BCAST_ADDRESS="" - -# Uncomment & specify here the location of the file that contains the MAC -# addresses of INTERNAL hosts that are allowed. The MAC addresses should be -# written like 00:11:22:33:44:55 -# Note that the last line of this -# file should always contain a carriage-return (enter)! 
-# ----------------------------------------------------------------------------- -#MAC_ADDRESS_FILE=/etc/arno-firewall-mac-addresses - - -############################################################################### -# DMZ (aka DeMilitarized Zone) settings # -############################################################################### - -# Put in the following variable the network interfaces that are DMZ-classified. -# You can also use this interface if you want to shield your Wireless network -# from your LAN. -# ----------------------------------------------------------------------------- -##DMZ_IF="" - -# Specify here the subnet which is connected to the DMZ interface (DMZ_IF). -# For multiple interfaces(!) you can either specify multiple subnets here or -# specify one big subnet for all DMZ interfaces. -# ----------------------------------------------------------------------------- -##DMZ_NET="" - - -############################################################################### -# NAT (Masquerade, SNAT, DNAT) settings # -############################################################################### - -# Enable this if you want to perform NAT (masquerading) for your internal -# network (LAN) (eg. share your internet connection with your internal -# net(s) connected to eg. INT_IF). -# ----------------------------------------------------------------------------- -##NAT=0 - -# (EXPERT SETTING!). By default only the first external interface (EXT_IF) -# is used for masquerading (NAT). By enabling this option ALL external -# interfaces *can* be used (load balancing / multi-route). Note that you should -# properly configure your route-table to make this work. Check the INSTALL file -# for more info. -# ----------------------------------------------------------------------------- -MASQ_MULTI_ROUTE=0 - -# (EXPERT SETTING!). 
In case you would like to use SNAT instead of -# MASQUERADING then uncomment and set the IP or IP's here of your static -# external address(es). Note that when multiple IP's are specified, SNAT -# multiroute is enabled (load balancing over multiple external (internet) -# interfaces, check the README file for more info). Note that the order of IP's -# should match the order of interfaces (they belond to) in $EXT_IF! -# ----------------------------------------------------------------------------- -#NAT_STATIC_IP="193.2.1.1" - -# (EXPERT SETTING!). Use this variable only if you want specific subnets or -# hosts to be able to access the internet. When no value is specified, your -# whole internal net will have access. In both cases it's obviously only -# meaningful when NAT is enabled. Note that you can also use this variable if -# you want to use NAT for your DMZ. -# ----------------------------------------------------------------------------- -NAT_INTERNAL_NET="$INTERNAL_NET" - -# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to -# an internal client through (D)NAT. Note that you can also use these -# variables to forward ports to DMZ hosts -# -# TCP/UDP form: -# "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} \ -# {SRCIP3,...:}PORT3,...>DESTIP2:port}" -# -# IP form: -# "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 \ -# {SRCIP3:}PROTO3,PROTO4,...>DESTIP2" -# -# TCP/UDP port forward examples: -# Simple (forward port 80 to internal host 192.168.0.10): -# NAT_xxx_FORWARD="80>192.168.0.10" -# Advanced (forward port 20 & 21 to 192.168.0.10 and -# forward from 1.2.3.4 port 81 to 192.168.0.11 port 80: -# NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80" -# -# IP protocol forward example: -# "47,48>192.168.0.10" (forward protocols 47 & 48 to 192.168.0.10 -# -# NOTE 1: {:port} is optional. Use it to redirect a specific port to a -# different port on the internal client. -# NOTE 2: {SRCIPx} is optional. 
Use it to restrict access to specific source -# IP addresses. -# NOTE 3: Port ranges can be written as "PORT1:PORT3" (ie. "1024:1030" would -# include ports 1024 until 1030). -# ----------------------------------------------------------------------------- -##NAT_TCP_FORWARD="" -##NAT_UDP_FORWARD="" -##NAT_IP_FORWARD="" - - -############################################################################### -# (ADSL) Modem settings # -# # -# The MODEM_xxx options should (only) be used when you have an ((A)DSL) # -# modem which works with a ppp-connection between the modem and the # -# host the modem is connected to. # -# # -# You can check whether this applies for your (hardware) setup with # -# 'ifconfig' (a 'ppp' device is shown). # -# This means that if your modem is bridging or an NAT router) or the # -# network interface the modem is connected to doesn't have an IP, you # -# should leave the MODEM_xxx options disabled (=default)! # -############################################################################### - -# The physical(!) network interface your ADSL modem is connected to (this is -# not ppp0!). -# ----------------------------------------------------------------------------- -##MODEM_IF="eth1" - -# (optional) The IP of the network interface (MODEM_IF) your ADSL modem is -# connected to (IP shown for the modem interface (MODEM_IF) in 'ifconfig'). -# ----------------------------------------------------------------------------- -##MODEM_IF_IP="10.0.0.150" - -# (optional) The IP of your (A)DSL modem itself. -# ----------------------------------------------------------------------------- -##MODEM_IP="10.0.0.138" - -# (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should -# have access to the (A)DSL modem itself (manage modem settings). The default -# setting ($INTERNAL_NET) allows access from everybody on your LAN. 
-# ----------------------------------------------------------------------------- -MODEM_INTERNAL_NET=$INTERNAL_NET - - -############################################################################### -# General settings # -############################################################################### - -# Most people don't want to get any firewall logs being spit to the console. -# This option makes the kernel ring buffer only log messages with level -# "panic". -# ----------------------------------------------------------------------------- -##DMESG_PANIC_ONLY=1 - -# Enable this if you want TOS mangling (RFC) (recommended). -# ----------------------------------------------------------------------------- -##MANGLE_TOS=1 - -# Enable this if you want to set the maximum packet size via the -# Maximum Segment Size(through MSS field) (recommended). -# ----------------------------------------------------------------------------- -##SET_MSS=1 - -# Enable this if you want to increase the TTL value by one in the prerouting -# chain. This hides the firewall when performing eg. traceroutes to internal -# hosts. -# ----------------------------------------------------------------------------- -##TTL_INC=0 - -# (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in -# the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels -# (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target -# support. Don't mess with this unless you really know what you are doing! -# ----------------------------------------------------------------------------- -#PACKET_TTL="64" - -# Enable this to resolve names of DNS IP's etc. -# ----------------------------------------------------------------------------- -##RESOLV_IPS=0 - -# Enable this to support the IRC-protocol. -# ----------------------------------------------------------------------------- -##USE_IRC=0 - -# (EXPERT SETTING!). Loosen the forward chain for the external interface(s). 
-# Enable it to allow the use of protocols like UPnP. Note that it *could* be -# less secure. -# ----------------------------------------------------------------------------- -LOOSE_FORWARD=0 - -# (EXPERT SETTING!). Enable this if you want to drop packets originating from a -# private address. -# ----------------------------------------------------------------------------- -DROP_PRIVATE_ADDRESSES=0 - -# (EXPERT SETTING!). Protect this machine from being abused for a DRDOS-attack -# ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!) -# ----------------------------------------------------------------------------- -DRDOS_PROTECT=0 - -# Enable this if you want to allow/enable IPv6 traffic. Note that my firewall -# does NOT filter IPv6 traffic (yet), and thus NO checking is performed on it! -# ----------------------------------------------------------------------------- -IPV6_SUPPORT=0 - -# This option fixes problems with SMB broadcasts when using nmblookup -# ----------------------------------------------------------------------------- -NMB_BROADCAST_FIX=0 - -# (EXPERT SETTING!). Enter your remote Freeswan subnet(s) here to enable -# "Virtual IP" support for Freeswan. This allows you to have remote -# "Virtual IP's" which are in the same subnet as yourself, to be routed into -# your network (via NAT). Make sure you understand what this is and that you -# really want this (else leave it empty)! -# ----------------------------------------------------------------------------- -FREESWAN_NET="" - -# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP -# traffic should be ACCEPTED. (multiple(!) interfaces should be space -# separated). Be warned that anything TO and FROM these interfaces is allowed -# (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world -# (internet)! -# ----------------------------------------------------------------------------- -TRUSTED_IF="" - -# (EXPERT SETTING!). 
Put here the (internal) interfaces that should trust -# (accept forward traffic) each other. -# ----------------------------------------------------------------------------- -INT_IF_TRUST="" - -# Location of the custom iptables rules file (if any). -# ----------------------------------------------------------------------------- -##CUSTOM_RULES=/etc/arno-firewall-custom-rules - - -############################################################################### -# Logging options - All logging is rate limited to prevent log flooding # -############################################################################### - -# Enable logging for explicitly blocked hosts. -# ----------------------------------------------------------------------------- -BLOCKED_HOST_LOG=1 - -# Enable logging for various stealth scans (reliable). -# ----------------------------------------------------------------------------- -SCAN_LOG=1 - -# Enable logging for possible stealth scans (less reliable). -# ----------------------------------------------------------------------------- -POSSIBLE_SCAN_LOG=1 - -# Enable logging for TCP-packets with bad flags. -# ----------------------------------------------------------------------------- -BAD_FLAGS_LOG=1 - -# Enable logging of invalid packets. -# ----------------------------------------------------------------------------- -INVALID_PACKET_LOG=1 - -# Enable logging of source IP's with reserved addresses. -# ----------------------------------------------------------------------------- -RESERVED_NET_LOG=1 - -# Enable logging of fragmented packets. -# ----------------------------------------------------------------------------- -FRAG_LOG=1 - -# Enable logging of (probable) "lost TCP connections". Keep disabled to -# reduce false alarms. -# ----------------------------------------------------------------------------- -LOST_CONNECTION_LOG=0 - -# Enable logging of denied local (OUTPUT) connections. 
-# ----------------------------------------------------------------------------- -OUTPUT_DENY_LOG=1 - -# Enable logging of denied LAN output (FORWARD) connections. -# ----------------------------------------------------------------------------- -LAN_OUTPUT_DENY_LOG=1 - -# Enable logging of denied DMZ output (FORWARD) connections. -# ----------------------------------------------------------------------------- -DMZ_OUTPUT_DENY_LOG=1 - -# Enable logging of denied DMZ input (FORWARD) connections. -# ----------------------------------------------------------------------------- -DMZ_INPUT_DENY_LOG=1 - -# Enable logging of dropped ICMP-request packets (ping). -# ----------------------------------------------------------------------------- -ICMP_REQUEST_LOG=1 - -# Enable logging of dropped "other" ICMP packets. -# ----------------------------------------------------------------------------- -ICMP_OTHER_LOG=1 - -# Enable logging of normal connection attempts to privileged TCP ports. -# ----------------------------------------------------------------------------- -PRIV_TCP_LOG=1 - -# Enable logging of normal connection attempts to privileged UDP ports. -# ----------------------------------------------------------------------------- -PRIV_UDP_LOG=1 - -# Enable logging of normal connection attempts to unprivileged TCP ports. -# ----------------------------------------------------------------------------- -UNPRIV_TCP_LOG=1 - -# Enable logging of normal connection attempts to unprivileged UDP ports. -# ----------------------------------------------------------------------------- -UNPRIV_UDP_LOG=1 - -# Enable logging of normal connection attempts to "other-IP"-protocols (non -# TCP/UDP/ICMP). -# ----------------------------------------------------------------------------- -OTHER_IP_LOG=1 - -# Enable logging for ICMP flooding. 
-# ----------------------------------------------------------------------------- -ICMP_FLOOD_LOG=1 - -# Enable logging for not-allowed MAC addresses (if used). -# ----------------------------------------------------------------------------- -MAC_ADDRESS_LOG=1 - -# (EXPERT SETTING!). The location of the dedicated firewall log file. When -# enabled the firewall script will also log start/stop etc. info to this file -# as well. Note that in order to make this work, you should also configure -# syslogd to log firewall messages to this file (see LOGLEVEL below for further -# info). -# ----------------------------------------------------------------------------- -#FIREWALL_LOG=/var/log/firewall - -# (EXPERT SETTING!). Current log-level ("info": default kernel syslog level) -# "debug": can be used to log to /var/log/firewall.log, but you have to configure -# syslogd accordingly (see included syslogd.conf examples). -# ----------------------------------------------------------------------------- -LOGLEVEL=info - -# Put in the following variables which hosts you want to log certain incoming -# connection attempts for. -# TCP/UDP port format (LOG_HOST_xxx_INPUT): -# "host1,host2>port1,port2 host3,host4>port3,port4 ..." -# -# IP protocol format (LOG_HOST_IP_INPUT): -# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..." -# ----------------------------------------------------------------------------- -LOG_HOST_TCP_INPUT="" -LOG_HOST_UDP_INPUT="" -LOG_HOST_IP_INPUT="" - -# Put in the following variables which hosts you want to log certain outgoing -# connection attempts for. -# TCP/UDP port format (LOG_HOST_xxx_OUTPUT): -# "host1,host2>port1,port2 host3,host4>port3,port4 ..." -# -# IP protocol format (LOG_HOST_IP_OUTPUT): -# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..." 
-# ----------------------------------------------------------------------------- -LOG_HOST_TCP_OUTPUT="" -LOG_HOST_UDP_OUTPUT="" -LOG_HOST_IP_OUTPUT="" - -# Put in the following variables which services you want to log incoming -# connection attempts for. -# ----------------------------------------------------------------------------- -LOG_TCP_INPUT="" -LOG_UDP_INPUT="" -LOG_IP_INPUT="" - -# Put in the following variables which services you want to log outgoing -# connection attempts for. -# ----------------------------------------------------------------------------- -LOG_TCP_OUTPUT="" -LOG_UDP_OUTPUT="" -LOG_IP_OUTPUT="" - -# Put in the following variable which hosts you want to log incoming connection -# (attempts) for. -# ----------------------------------------------------------------------------- -LOG_HOST_INPUT="" - -# Put in the following variable which hosts you want to log outgoing connection -# (attempts) to. -# ----------------------------------------------------------------------------- -LOG_HOST_OUTPUT="" - - -############################################################################### -# /proc based settings (EXPERT SETTINGS!) # -############################################################################### - -# Enable for synflood protection (through /proc/.../tcp_syncookies). -# ----------------------------------------------------------------------------- -SYN_PROT=1 - -# Enable this to reduce the ability of others DOS'ing your machine. -# ----------------------------------------------------------------------------- -REDUCE_DOS_ABILITY=1 - -# Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces. -# ----------------------------------------------------------------------------- -ECHO_IGNORE=0 - -# Enable to log packets with impossible addresses to the kernel log. -# ----------------------------------------------------------------------------- -LOG_MARTIANS=0 - -# Only disable this if you're NOT using forwarding (required for NAT etc.) 
for -# increased security. -# ----------------------------------------------------------------------------- -IP_FORWARDING=1 - -# Enable if you want to accept ICMP redirect messages. Should be set to "0" in -# case of a router. -# ----------------------------------------------------------------------------- -ICMP_REDIRECT=0 - -# Enable/modify this if you want to be a able to handle a larger (or smaller) -# number of simultaneous connections. For high traffic machines I recommend to -# use a value of at least 16384 (note that a higher value (obviously) also uses -# more memory). -# ----------------------------------------------------------------------------- -CONNTRACK=16384 - -# You may need to enable this to get some internet games to work, but note that -# it's *less* secure. -# ----------------------------------------------------------------------------- -LOOSE_UDP_PATCH=0 - -# Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default, -# as some routers are still not compatible with this. -# ----------------------------------------------------------------------------- -ECN=0 - -# Enable to drop connections from non-routable IP's, eg. prevent source -# routing. By default the firewall itself also provides rules against source -# routing. Note than when you use eg. VPN (Freeswan), you should probably -# disable this setting. -# ----------------------------------------------------------------------------- -RP_FILTER=1 - -# Protect against source routed packets. Attackers can use source routing to -# generate traffic pretending to be from inside your network, but which is -# routed back along the path from which it came, namely outside, so attackers -# can compromise your network. Source routing is rarely used for legitimate -# purposes, so normally you should always leave this enabled(1)! 
-# ----------------------------------------------------------------------------- -SOURCE_ROUTE_PROTECTION=1 - -# Here we set the local port range (ports from which connections are -# initiated from our site). Don't mess with this unless you really know what -# you are doing! -# ----------------------------------------------------------------------------- -LOCAL_PORT_RANGE="32768 61000" - -# Here you can change the default TTL used for sending packets. The value -# should be between 10 and 255. Don't mess with this unless you really know -# what you are doing! -# ----------------------------------------------------------------------------- -DEFAULT_TTL=64 - -# In most cases pmtu discovery is ok, but in some rare cases (when having -# problems) you might want to disable it. -# ----------------------------------------------------------------------------- -NO_PMTU_DISCOVERY=0 - - -############################################################################### -# (Transparent) proxy settings (EXPERT SETTINGS!) # -############################################################################### -#HTTP_PROXY_PORT="3128" -HTTPS_PROXY_PORT="" -FTP_PROXY_PORT="" -SMTP_PROXY_PORT="" -POP3_PROXY_PORT="" - - -############################################################################### -# Firewall policies for the LAN (EXPERT SETTINGS!) # -############################################################################### - -############################################################################### -# LAN_INET_xxx = LAN->internet access rules (forward) # -# # -# Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT # -# used, the default policy for that protocol/port is accept (unless denied # -# through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! 
# -############################################################################### - -# Put in the following variables the TCP/UDP ports or IP -# protocols TO (remote end-point) which the LAN hosts are -# permitted to connect to via the external (internet) interface. -# ----------------------------------------------------------------------------- -LAN_INET_OPEN_TCP="" -LAN_INET_OPEN_UDP="" -LAN_INET_OPEN_IP="" - -# Put in the following variables the TCP/UDP ports or IP protocols TO (remote -# end-point) which the LAN hosts are NOT permitted to connect to -# via the external (internet) interface. Examples of usage are for blocking -# IRC (TCP 6666:6669) for the internal network. -# ----------------------------------------------------------------------------- -LAN_INET_DENY_TCP="" -LAN_INET_DENY_UDP="" -LAN_INET_DENY_IP="" - -# Put in the following variables the TCP/UDP ports or IP -# protocols TO (remote end-point) which certain LAN hosts are -# permitted to connect to via the external (internet) interface. Note that -# any ports/protocols specified here are made "exclusively" for the accompaning -# host(s), meaning that nobody else can use them! -# -# TCP/UDP port format (LAN_INET_HOST_OPEN_xxx): -# "host1,host2>port1,port2 host3,host4>port3,port4 ..." -# -# IP protocol format (LAN_INET_HOST_OPEN_xxx): -# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..." -# ----------------------------------------------------------------------------- -LAN_INET_HOST_OPEN_TCP="" -LAN_INET_HOST_OPEN_UDP="" -LAN_INET_HOST_OPEN_IP="" - -# Put in the following variables the TCP/UDP ports or IP protocols TO (remote -# end-point) which certain LAN hosts are NOT permitted to connect to -# via the external (internet) interface. -# -# TCP/UDP port format (LAN_INET_HOST_DENY_xxx): -# "host1,host2>port1,port2 host3,host4>port3,port4 ..." -# -# IP protocol format (LAN_INET_HOST_DENY_xxx): -# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..." 
-# -----------------------------------------------------------------------------
-LAN_INET_HOST_DENY_TCP=""
-LAN_INET_HOST_DENY_UDP=""
-LAN_INET_HOST_DENY_IP=""
-
-
-###############################################################################
-# Firewall policies for the DMZ (EXPERT SETTINGS!) #
-###############################################################################
-
-###############################################################################
-# INET_DMZ_xxx = Internet->DMZ access rules (forward) #
-# DMZ_INET_xxx = DMZ->internet access rules (forward) #
-# DMZ_LAN_xxx = DNZ->LAN access rules (forward) #
-# DMZ_xxx = DMZ->local(this machine) access rules (input) #
-# #
-# Note that when both INET_DMZ_OPEN_xxx & INET_DMZ_HOST_OPEN_xxx are NOT #
-# used, the default policy for that protocol/port is accept (unless denied #
-# through INET_DMZ_DENY_xxx and/or INET_DMZ_HOST_DENY_xxx)! #
-###############################################################################
-
-# Put in the following variables which INET hosts are permitted to connect to
-# certain the TCP/UDP ports or IP protocols in the DMZ.
-# -----------------------------------------------------------------------------
-INET_DMZ_OPEN_TCP=""
-INET_DMZ_OPEN_UDP=""
-INET_DMZ_OPEN_IP=""
-
-# Put in the following variables which INET hosts are NOT permitted to connect
-# to certain the TCP/UDP ports or IP protocols in the DMZ.
-# -----------------------------------------------------------------------------
-INET_DMZ_DENY_TCP=""
-INET_DMZ_DENY_UDP=""
-INET_DMZ_DENY_IP=""
-
-# Put in the following variables which INET hosts you want to allow for certain
-# services. By default all services are allowed for DMZ hosts.
-# TCP/UDP port format (INET_DMZ_HOST_OPEN_TCP & INET_DMZ_HOST_OPEN_UDP):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (INET_DMZ_HOST_OPEN_IP):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-#
-# ICMP protocol format (INET_DMZ_HOST_OPEN_ICMP):
-# "host1 host2 ...."
-# -----------------------------------------------------------------------------
-INET_DMZ_HOST_OPEN_TCP=""
-INET_DMZ_HOST_OPEN_UDP=""
-INET_DMZ_HOST_OPEN_IP=""
-
-# Put in the following variables which INET hosts you want to deny for certain
-# services (and logged). By default all services are allowed for DMZ
-# hosts.
-# TCP/UDP port format (INET_DMZ_HOST_OPEN_TCP & INET_DMZ_HOST_OPEN_UDP):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (INET_DMZ_HOST_OPEN_IP):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-#
-# ICMP protocol format (INET_DMZ_HOST_OPEN_ICMP):
-# "host1 host2 ...."
-# -----------------------------------------------------------------------------
-INET_DMZ_HOST_DENY_TCP=""
-INET_DMZ_HOST_DENY_UDP=""
-INET_DMZ_HOST_DENY_IP=""
-
-###############################################################################
-# Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT #
-# used, the default policy for that protocol/port is accept (unless denied #
-# through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
-###############################################################################
-
-# Put in the following variables the TCP/UDP ports or IP
-# protocols TO (remote end-point) which the DMZ hosts are
-# permitted to connect to via the external (internet) interface.
-# -----------------------------------------------------------------------------
-DMZ_INET_OPEN_TCP=""
-DMZ_INET_OPEN_UDP=""
-DMZ_INET_OPEN_IP=""
-
-# Put in the following variables the TCP/UDP ports or IP protocols TO (remote
-# end-point) which the DMZ hosts are NOT permitted to connect to
-# via the external (internet) interface. Examples of usage are for blocking
-# IRC (TCP 6666:6669) for the internal network.
-# -----------------------------------------------------------------------------
-DMZ_INET_DENY_TCP=""
-DMZ_INET_DENY_UDP=""
-DMZ_INET_DENY_IP=""
-
-# Put in the following variables which DMZ hosts you want to allow to connect
-# to certain internet hosts for services. By default all inet services are
-# allowed for DMZ hosts.
-#
-# TCP/UDP port format (DMZ_INET_HOST_OPEN_TCP & DMZ_INET_HOST_OPEN_UDP):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (DMZ_INET_HOST_OPEN_IP):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-#
-# ICMP protocol format (DMZ_INET_HOST_OPEN_ICMP):
-# "host1 host2 ...."
-# -----------------------------------------------------------------------------
-DMZ_INET_HOST_OPEN_TCP=""
-DMZ_INET_HOST_OPEN_UDP=""
-DMZ_INET_HOST_OPEN_IP=""
-
-# Put in the following variables which DMZ hosts you want to deny to connect
-# to certain internet hosts for services.
-#
-# TCP/UDP port format (DMZ_INET_HOST_OPEN_TCP & DMZ_INET_HOST_OPEN_UDP):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (DMZ_INET_HOST_OPEN_IP):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-#
-# ICMP protocol format (DMZ_INET_HOST_OPEN_ICMP):
-# "host1 host2 ...."
-# -----------------------------------------------------------------------------
-DMZ_INET_HOST_DENY_TCP=""
-DMZ_INET_HOST_DENY_UDP=""
-DMZ_INET_HOST_DENY_IP=""
-
-# (EXPERT SETTING!) DMZ-to-LAN TCP/UDP/IP open ports/protocols. Open particular
-# ports / protocols on LAN hosts(on INT_IF) for certain DMZ hosts.:
-# TCP/UDP form:
-# "SRCIP1,SRCIP2,...>DESTIP1:port \
-# SRCIP3,...>DESTIP2:port"
-#
-# IP form:
-# "SRCIP1,SRCIP2,...>DESTIP1:protocol \
-# SRCIP3,...>DESTIP2:protocol"
-#
-# TCP/UDP examples:
-# Simple (open port 80 on host 192.168.0.10 for all DMZ hosts):
-# DMZ_LAN_HOST_OPEN_xxx="192.168.0.10:80"
-# Advanced (open port 20 & 21 on 192.168.0.10 for all DMZ hosts and
-# open port 80 on 192.168.0.11 for host 1.2.3.4 only:
-# DMZ_LAN_HOST_OPEN_xxx="192.168.0.10:20,21 1.2.3.4>192.168.0.11:80"
-#
-# IP protocol forward example:
-# "192.168.0.10:47,48" (open protocols 47 & 48 on 192.168.0.10
-# for all DMZ hosts)
-#
-# NOTE 1: {SRCIPx} is optional. Use it to restrict access to specific
-# source IP addresses.
-# NOTE 2: Port ranges can be written as "PORT1:PORT3" (ie. "1024:1030" would
-# include ports 1024 until 1030).
-# -----------------------------------------------------------------------------
-DMZ_LAN_HOST_OPEN_TCP=""
-DMZ_LAN_HOST_OPEN_UDP=""
-DMZ_LAN_HOST_OPEN_IP=""
-
-# Put in the following variables which DMZ hosts are permitted to connect to
-# certain the TCP/UDP ports, IP protocols or ICMP. By default all (local)
-# services are blocked for DMZ hosts.
-# -----------------------------------------------------------------------------
-DMZ_OPEN_TCP=""
-DMZ_OPEN_UDP=""
-DMZ_OPEN_IP=""
-DMZ_OPEN_ICMP=0
-
-# Put in the following variables which DMZ hosts you want to allow for certain
-# services. By default all (local) services are blocked for DMZ hosts.
-# TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (DMZ_HOST_OPEN_IP):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-#
-# ICMP protocol format (DMZ_HOST_OPEN_ICMP):
-# "host1 host2 ...."
-# -----------------------------------------------------------------------------
-DMZ_HOST_OPEN_TCP=""
-DMZ_HOST_OPEN_UDP=""
-DMZ_HOST_OPEN_IP=""
-DMZ_HOST_OPEN_ICMP=""
-
-
-###############################################################################
-# Firewall policies for the external (inet) interface (default policy = drop) #
-###############################################################################
-
-# Put in the following variable which hosts (subnets) you want have full access
-# via your internet (EXT_IF) connection(!). This is especially meant for
-# networks/servers which use NIS/NFS, as these protocols require all ports
-# to be open.
-# NOTE: Don't mistake this variable with the one used for internal nets.
-# -----------------------------------------------------------------------------
-##FULL_ACCESS_HOSTS=""
-
-# Put in the following variables which ports or IP protocols you want to leave
-# open to the whole world.
-# -----------------------------------------------------------------------------
-##OPEN_TCP=""
-##OPEN_UDP=""
-##OPEN_IP=""
-##OPEN_ICMP=0
-
-# Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
-# everyone (and logged). Also use these variables if you want to log connection
-# attempts to these ports from everyone (also trusted/full access hosts).
-# In principle you don't need these variables, as everything is already blocked
-# (denied) by default, but just exists for consistency.
-# -----------------------------------------------------------------------------
-##DENY_TCP=""
-##DENY_UDP=""
-
-# Put in the following variables which ports you want to DENY(DROP) for
-# everyone but NOT logged. This is very useful if you have constant probes on
-# the same port(s) over and over again (code red worm) and don't want your logs
-# flooded with it.
-# -----------------------------------------------------------------------------
-##DENY_TCP_NOLOG=""
-##DENY_UDP_NOLOG=""
-
-# Put in the following variables the TCP/UDP ports you want to REJECT (instead
-# of DROP) for everyone (and logged).
-# -----------------------------------------------------------------------------
-##REJECT_TCP=""
-##REJECT_UDP=""
-
-# Put in the following variables the TCP/UDP ports you want to REJECT (instead
-# of DROP) for everyone but NOT logged.
-# -----------------------------------------------------------------------------
-##REJECT_TCP_NOLOG=""
-##REJECT_UDP_NOLOG=""
-
-# Put in the following variables which hosts you want to allow for certain
-# services.
-# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (HOST_OPEN_IP):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-#
-# ICMP protocol format (HOST_OPEN_ICMP):
-# "host1 host2 ...."
-# -----------------------------------------------------------------------------
-##HOST_OPEN_TCP=""
-##HOST_OPEN_UDP=""
-##HOST_OPEN_IP=""
-##HOST_OPEN_ICMP=""
-
-# Put in the following variables which hosts you want to DENY(DROP) for certain
-# services (and logged).
-# to DENY(DROP) for certain hosts.
-# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (HOST_DENY_IP):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-#
-# ICMP protocol format (HOST_DENY_ICMP):
-# "host1 host2 ...."
-# -----------------------------------------------------------------------------
-##HOST_DENY_TCP=""
-##HOST_DENY_UDP=""
-##HOST_DENY_IP=""
-##HOST_DENY_ICMP=""
-
-# Put in the following variables which hosts you want to DENY(DROP) for certain
-# services but NOT logged.
-# TCP/UDP port format (HOST_DENY_xxx_NOLOG):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (HOST_DENY_IP_NOLOG):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-#
-# ICMP protocol format (HOST_DENY_ICMP_NOLOG):
-# "host1 host2 ...."
-# -----------------------------------------------------------------------------
-##HOST_DENY_TCP_NOLOG=""
-##HOST_DENY_UDP_NOLOG=""
-##HOST_DENY_IP_NOLOG=""
-##HOST_DENY_ICMP_NOLOG=""
-
-# Put in the following variables which hosts you want to REJECT (instead of
-# DROP) for certain TCP/UDP ports.
-# TCP/UDP port format (HOST_REJECT_xxx):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-# -----------------------------------------------------------------------------
-##HOST_REJECT_TCP=""
-##HOST_REJECT_UDP=""
-
-# Put in the following variables which hosts you want to REJECT (instead of
-# DROP) for certain services but NOT logged.
-# TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-# -----------------------------------------------------------------------------
-##HOST_REJECT_TCP_NOLOG=""
-##HOST_REJECT_UDP_NOLOG=""
-
-# Put in the following variables which services THIS machine is NOT
-# permitted to connect TO (remote end-point) via the external (internet)
-# interface. For example for blocking IRC (tcp 6666:6669).
-# -----------------------------------------------------------------------------
-##DENY_TCP_OUTPUT=""
-##DENY_UDP_OUTPUT=""
-##DENY_IP_OUTPUT=""
-
-# Put in the following variables to which hosts THIS machine is NOT
-# permitted to connect TO for certain services (remote end-point)
-# via the external (internet) interface. In principle you can also
-# use this to put your machine in a "virtual-DMZ" by blocking all traffic
-# to your local subnet.
-# TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
-# "host1,host2>port1,port2 host3,host4>port3,port4 ..."
-#
-# IP protocol format (HOST_DENY_IP_OUTPUT):
-# "host1,host2>proto1,proto2 host3,host4>proto4,proto4 ..."
-# -----------------------------------------------------------------------------
-##HOST_DENY_TCP_OUTPUT=""
-##HOST_DENY_UDP_OUTPUT=""
-##HOST_DENY_IP_OUTPUT=""
-
-# Put in the following variable which TCP/UDP ports you don't want to
-# see broadcasts from (ie. DHCP (67/68) on your EXTERNAL interface. Note that
-# to make this properly work you also need to set "EXTERNAL_NET"!
-# -----------------------------------------------------------------------------
-##BROADCAST_TCP_NOLOG=""
-###BROADCAST_UDP_NOLOG="67 68"
-
-# Put in the following variable which hosts you want to block (blackhole,
-# dropping every packet from the host).
-# -----------------------------------------------------------------------------
-##BLOCK_HOSTS=""
-
-# Uncomment & specify here the location of the file that contains a list of
-# hosts(IP's) that should be BLOCKED. IP ranges can (only) be specified as
-# w.x.y.z1-z2 (ie. 192.168.1.10-15). Note that the last line of this file
-# should always contain a carriage-return (enter)!
-# -----------------------------------------------------------------------------
-###BLOCK_HOSTS_FILE=/etc/arno-firewall-blocked-hosts
-
Modified: trunk/package/iptables/iptables.init
===================================================================
--- trunk/package/iptables/iptables.init 2006-08-11 15:33:14 UTC (rev 230)
+++ trunk/package/iptables/iptables.init 2006-08-11 15:50:59 UTC (rev 231)
@@ -1,4227 +1,70 @@
 #!/bin/sh
-#
-# chkconfig: 2345 11 89
-# description: Arno's iptables firewall
-MY_VERSION="1.8.6c"
-############################################################################################
-# You should put this script in eg. "/etc/init.d/" (or "/etc/rc.d/"). #
-# Furthermore make sure it's executable! -> "chmod 700" or "chmod +x" it #
-# If you want to run it upon boot, either add an entry in your "/etc/rc.d/rc.local" or #
-# (for ie. Debian) in "/etc/rcS.d/" create a symlink to the arno-iptables-firewall script #
-# ("ln -s /etc/init.d/arno-iptables-firewall script S99-arno-iptables-firewall script"). #
-############################################################################################
+. /etc/rc.conf
-# Location of the configuration file for this firewall:
-#######################################################
-CONFIG_FILE=/etc/arno-iptables-firewall.conf
-
-# ------------------------------------------------------------------------------------------
-# -= Arno's iptables firewall =-
-# Single- & multi-homed firewall script with DSL/ADSL support
-#
-# ~ In memory of my dear father ~
-#
-# (C) Copyright 2001-2006 by Arno van Amersfoort
-# Homepage : http://rocky.eld.leidenuniv.nl/
-# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
-# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
-# (note: you must remove all spaces and substitute the @ and the .
-# at the proper locations!)
-# ------------------------------------------------------------------------------------------
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
- -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# ------------------------------------------------------------------------------------------ - -printf "\033[40m\033[1;32mArno's Iptables Firewall Script v$MY_VERSION\033[0m\n" -echo "-------------------------------------------------------------------------------" - -# Astlinux mod: check if config file is on key disk or use default from stat -############################################################################# -if [ -e /mnt/kd/arno-iptables-firewall.conf ]; then - ln -s /mnt/kd/arno-iptables-firewall.conf /tmp/etc/arno-iptables-firewall.conf +start () { +if [ "$INTIF" ] +then +echo "Starting iptables..." +if [ -x /mnt/kd/astfw ] +then +/mnt/kd/astfw else - cp /stat/etc/arno-iptables-firewall.conf /tmp/etc/arno-iptables-firewall.conf +/usr/sbin/astfw fi - -# Check if config file exists and if so load it -############################################### -if [ -e "$CONFIG_FILE" ]; then - . 
$CONFIG_FILE - # Check whether we also need to drop messages in a dedicated firewall log file - if [ -z "$FIREWALL_LOG" ]; then FIREWALL_LOG="/dev/null"; fi -else - printf "\033[40m\033[1;31mERROR: Could not read configuration file $CONFIG_FILE!\033[0m\n" - printf "\033[40m\033[1;31m Please, check the file's location and (root) rights.\033[0m\n" - exit 2 fi - -# if $LOGLEVEL is not set, default to "info" -############################################ -if [ -z "$LOGLEVEL" ]; then - LOGLEVEL="info" -fi - - -sanity_check() -{ - # root check - if [ "$(id -u)" != "0" ]; then - printf "\033[40m\033[1;31mERROR: Root check FAILED (you MUST be root to use this script)! Quitting...\033[0m\n" - exit 1 - fi - - # Make sure EXT_IF != "" - ######################## - if [ -z "$EXT_IF" ]; then - printf "\033[40m\033[1;31mERROR: The required variable EXT_IF is empty!\033[0m\n" - printf "\033[40m\033[1;31m Please, check the configuration file.\033[0m\n" - exit 2 - fi - - # Check whether EXT_IF's exists - ############################### - for interface in $EXT_IF; do - if [ -z "$(echo $interface |grep '\+')" ]; then - result=`ifconfig $interface >/dev/null 2>&1` - return_val=$? - if [ "$return_val" != "0" ]; then - printf "\033[40m\033[1;31mNOTE: External interface $interface does NOT exist (yet?)\033[0m\n" - printf "\033[40m\033[1;31mResult was: $result\033[0m\n" - fi - fi - done - - # Check whether MODEM_IF exists - ############################### - if [ -n "$MODEM_IF" ]; then - result=`ifconfig $MODEM_IF >/dev/null 2>&1` - return_val=$? - if [ "$return_val" != "0" ]; then - printf "\033[40m\033[1;31mNOTE: Modem interface $interface does NOT exist (yet?)\033[0m\n" - printf "\033[40m\033[1;31mResult was: $result\033[0m\n" - fi - fi - - # Check whether INT_IF's exists - ############################### - for interface in $INT_IF; do - if [ -z "$(echo $interface |grep '\+')" ]; then - result=`ifconfig $MODEM_IF >/dev/null 2>&1` - return_val=$? 
- if [ "$return_val" != "0" ]; then - printf "\033[40m\033[1;31mNOTE: Internal interface $interface does NOT exist (yet?)\033[0m\n" - printf "\033[40m\033[1;31mResult was: $result\033[0m\n" - fi - fi - done - - # Check whether DMZ_IF's exists - ############################### - for interface in $DMZ_IF; do - if [ -z "$(echo $interface |grep '\+')" ]; then - result=`ifconfig $MODEM_IF >/dev/null 2>&1` - return_val=$? - if [ "$return_val" != "0" ]; then - printf "\033[40m\033[1;31mNOTE: DMZ interface $interface does NOT exist (yet?)\033[0m\n" - printf "\033[40m\033[1;31mResult was: $result\033[0m\n" - fi - fi - done - - # Check whether TRUSTED_IF's exists - ################################### - for interface in $TRUSTED_IF; do - if [ -z "$(echo $interface |grep '\+')" ]; then - result=`ifconfig $MODEM_IF >/dev/null 2>&1` - return_val=$? - if [ "$return_val" != "0" ]; then - printf "\033[40m\033[1;31mNOTE: Trusted interface $interface does NOT exist (yet?)\033[0m\n" - printf "\033[40m\033[1;31mResult was: $result\033[0m\n" - fi - fi - done - - # Make sure INT_IF != EXT_IF - ############################ - for eif in $EXT_IF; do - for iif in $INT_IF; do - if [ "$iif" = "$eif" ]; then - printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as one in\033[0m\n" - printf "\033[40m\033[1;31m INT_IF! Please, check the configuration file.\033[0m\n" - exit 3 - fi - done - done - - # Make sure EXT_IF != MODEM_IF - ############################## - for eif in $EXT_IF; do - if [ "$eif" = "$MODEM_IF" ]; then - printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF is the same as the\033[0m\n" - printf "\033[40m\033[1;31m MODEM_IF! 
Please, check the configuration file.\033[0m\n" - exit 4 - fi - done - - # Make sure INT_IF != MODEM_IF - ############################## - if [ -n "$MODEM_IF" ]; then - for iif in $INT_IF; do - if [ "$iif" = "$MODEM_IF" ]; then - printf "\033[40m\033[1;31mERROR: One or more interfaces specified in INT_IF is the same as the one in\033[0m\n" - printf "\033[40m\033[1;31m MODEM_IF! Please, check the configuration file.\033[0m\n" - exit 5 - fi - done - fi - - # Make sure EXT_IF != lo / 127.0.0.1 - #################################### - for eif in $EXT_IF; do - if [ "$eif" = "lo" ] || [ "$eif" = "127.0.0.1" ]; then - printf "\033[40m\033[1;31mERROR: One or more interfaces specified in EXT_IF has the address or name of the\033[0m\n" - printf "\033[40m\033[1;31m local loopback device! Please, check the configuration file.\033[0m\n" - exit 6 - fi - done - - # Make sure INT_IF != lo / 127.0.0.1 - #################################### - for iif in $INT_IF; do - if [ "$iif" = "lo" ] || [ "$iif" = "127.0.0.1" ]; then - printf "\033[40m\033[1;31mERROR: At least one of the interfaces specified in INT_IF has the address or\033[0m\n" - printf "\033[40m\033[1;31m name of the local loopback device! Please, check the configuration file.\033[0m\n" - exit 7 - fi - done - - # Make sure MODEM_IF != lo / 127.0.0.1 - ###################################### - if [ "$MODEM_IF" = "lo" ] || [ "$MODEM_IF" = "127.0.0.1" ]; then - printf "\033[40m\033[1;31mERROR: The interface specified in MODEM_IF has the address or name of the local\033[0m\n" - printf "\033[40m\033[1;31m loopback device! 
Please, check the configuration file.\033[0m\n" - exit 8 - fi - - # Make sure than when multi route masquerade is enabled, multiple external - # interfaces exist - ########################################################################## - if [ "$MASQ_MULTI_ROUTE" = "1" ] && [ -z "$(echo $EXT_IF |grep ' ')" ]; then - printf "\033[40m\033[1;31mERROR: Multiroute masquerade is enabled but only one external interface is\033[0m\n" - printf "\033[40m\033[1;31m specified! Please, check the configuration file.\033[0m\n" - exit 9 - fi - - # If support for an DHCP server serving an external net is enabled, we - # also need to know what the external net is. - ########################################################################## - if [ "$EXTERNAL_DHCP_SERVER" = "1" ] && [ -z "$EXTERNAL_NET" ]; then - printf "\033[40m\033[1;31mERROR: You have enabled external DHCP server support but required variable\033[0m\n" - printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" - exit 10 - fi - - # We can only perform NAT if NAT_INTERNAL_NET is defined - if [ "$NAT" = "1" ] && [ -z "$NAT_INTERNAL_NET" ]; then - printf "\033[40m\033[1;31mERROR: Unable to enable NAT because there's no (NAT_)INTERNAL_NET specified!\033[0m\n" - exit 11 - fi - - # If support the nmb_broadcast_fix is enabled we need the EXTERNAL_NET set - ########################################################################## - if [ "$NMB_BROADCAST_FIX" = "1" ] && [ -z "$EXTERNAL_NET" ]; then - printf "\033[40m\033[1;31mERROR: You have enabled the NMB_BROADCAST_FIX but required variable\033[0m\n" - printf "\033[40m\033[1;31m EXTERNAL_NET has NOT been defined!\033[0m\n" - exit 12 - fi - - # Warn if no_broadcast variables are used and external net is NOT defined - ########################################################################## - if [ -n "$BROADCAST_TCP_NOLOG" ] || [ -n "$BROADCAST_UDP_NOLOG" ]; then - if [ -z "$EXTERNAL_NET" ]; then - printf "\033[40m\033[1;31mWARNING: You are using the 
BROADCAST_xxx_NOLOG variables but the EXTERNAL_NET\033[0m\n" - printf "\033[40m\033[1;31m has NOT been defined! This could be a problem.\033[0m\n" - fi - fi - - # Check whether the iptables binary exists and if it's executable - ################################################################# - if [ ! -x $IPTABLES ]; then - printf "\033[40m\033[1;31mERROR: Binary \"$IPTABLES\" does not exist or is not executable!\033[0m\n" - printf "\033[40m\033[1;31m Please, make... [truncated message content] |