def $IPS = 64.20.38.170;
def $IFS = eth0;
def $IPSPEC = "64.20.38.170/$MASK";
+def $WE = (127.0.0.1/8 $IPSPEC);
def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
#set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`
def $BADGUYS = `/etc/firewall/print_badguys`;
############# Port/protocol combinations we allow in and out
-def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
+def $TCP_IN = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
+# 10000 is webmin; 20000 is usermin
def $TCP_OUT_DELAY = (ssh ftp auth);
def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
def $TCP_OUT_THROUGHPUT = (ftp-data);
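Review bot: Adding 10000 and 20000 to `$TCP_IN` exposes the Webmin and Usermin administration interfaces to every source address, assuming `$TCP_IN` is applied without a source restriction where it is used (that rule is not visible here). Administrative consoles are better kept out of the general inbound list and accepted only from known management addresses, for example with a separate rule such as `proto tcp dport (10000 20000) saddr $ADMIN_NETS ACCEPT;`, where `$ADMIN_NETS` is a placeholder for a new `def` next to the others. Port 26 is also added without explanation, so the comment should name it too, e.g. `# 26 is <service>; 10000 is webmin; 20000 is usermin`.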
state (ESTABLISHED RELATED) ACCEPT;
- if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
+ proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
+ proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
- if lo goto ldrop;
+# if lo goto ldrop;
#incoming traffic
goto badguys;
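Review bot: The added `mod owner uid-owner 0` rule sits among rules that match on `if lo`, so it appears to be in an input-side chain (the chain header is outside this hunk), and the iptables owner match is only valid in OUTPUT and POSTROUTING; the ruleset will most likely fail to load or the rule will never match. Loopback traffic passes the outgoing chain first, so the uid restriction belongs only there, and this rule should drop the owner match and be bound to the interface, e.g. `proto (tcp udp) if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;`. With `if lo goto ldrop;` commented out, loopback packets that match none of the new rules (UDP, ICMP, TCP between two high ports) are no longer dropped here and continue to `badguys` and the general inbound rules. If that is intended, replace the dead line with a comment saying so, such as `# unmatched lo traffic deliberately falls through to the general rules`. The outgoing hunk has the same pattern: its owner rule has no `of lo`, and `of lo goto lreject;` is commented out rather than removed or explained.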
state (ESTABLISHED RELATED) ACCEPT;
- of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
of lo saddr $IPSPEC ACCEPT;
- of lo goto lreject;
+# of lo goto lreject;
# queueing goes here, maybe some special fw rules as well
proto tcp goto tosqueue; # ACCEPT must be handled here