| side by side (parent:
17bb0bf
)
Separate TCP_OUT on TOS, remove ppp0, let DNS through
author
Davor Ocelic
<docelic@hcoop.net>
Sun, 14 Aug 2005 10:24:07 +0000
(10:24 +0000)
committer
Davor Ocelic
<docelic@hcoop.net>
Sun, 14 Aug 2005 10:24:07 +0000
(10:24 +0000)
closed.conf
diff --git
a/closed.conf
b/closed.conf
index
db8b559
..
5e79bb4
100644
(file)
--- a/
closed.conf
+++ b/
closed.conf
@@
-21,9
+21,14
@@
set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
############# Port/protocol combinations we allow in and out
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
############# Port/protocol combinations we allow in and out
set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT "1:65535"
+set TCP_OUT_DELAY "ssh,ftp"
+set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
+set TCP_OUT_THROUGHPUT "ftp-data,napster,napserv"
+set TCP_OUT_COST ""
+
set UDP_IN "ntp"
set UDP_OUT "1:65535"
set UDP_IN "ntp"
set UDP_OUT "1:65535"
+
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
@@
-58,8
+63,6
@@
chain INPUT {
if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
if lo goto UNUSUAL DROP;
if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
if lo goto UNUSUAL DROP;
- if ppp0 ACCEPT;
-
#incoming traffic, seperate by interface
if %IFS {
goto badguys;
#incoming traffic, seperate by interface
if %IFS {
goto badguys;
@@
-79,8
+82,6
@@
chain OUTPUT {
of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
of lo goto UNUSUAL DENY;
of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
of lo goto UNUSUAL DENY;
- of ppp0 ACCEPT;
-
saddr !%IPSPEC goto UNUSUAL DENY;
# again uncomment for trojan horses protection and inside out
saddr !%IPSPEC goto UNUSUAL DENY;
# again uncomment for trojan horses protection and inside out
@@
-190,9
+191,9
@@
chain fw_udp proto udp {
}
# again no dns fumbling around
}
# again no dns fumbling around
-
#sport domain dport domain saddr (**DNS IPS**)
{
-
#
ACCEPT;
-
#
}
+
sport domain dport domain saddr %NSIP
{
+
ACCEPT;
+ }
goto LDENY;
}
goto LDENY;
}
@@
-221,19
+222,15
@@
chain tosqueue {
protocol tcp reverse {
# rapid response protocols
protocol tcp reverse {
# rapid response protocols
- dport
(ssh,ftp)
settos min-delay ACCEPT;
+ dport
%TCP_OUT_DELAY
settos min-delay ACCEPT;
# keep these from timing out
# keep these from timing out
- dport
(http,nntp,smtp,pop3,auth,domain)
settos max-reliability ACCEPT;
+ dport
%TCP_OUT_RELIABILITY
settos max-reliability ACCEPT;
# bulk stuff
# bulk stuff
- dport
(ftp-data,napster,napserv)
settos max-throughput ACCEPT;
+ dport
%TCP_OUT_THROUGHPUT
settos max-throughput ACCEPT;
dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
}
dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
}
- # remove any bits set by clients for different
- # protocols, since they might be tricking their
- # packets into a unfair priority... It wouldn't
- # surprise me if IE uses this... :-O
- settos min-cost ACCEPT;
+ proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
}
#####################################################################
}
#####################################################################
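Review bot: In the tosqueue hunk the trailing `settos min-cost ACCEPT;`, which matched every TCP packet not caught by the three dport rules above it and (per the comment removed with it) normalised TOS bits that clients had set themselves, is replaced by `proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;` while the first hunk sets `TCP_OUT_COST` to `""`. TCP to ports outside TCP_OUT_DELAY/RELIABILITY/THROUGHPUT therefore no longer has its TOS reset and no longer reaches an ACCEPT inside this chain; whether fwtool treats an empty dport list as "match nothing" or rejects it, and what happens to that traffic after tosqueue, cannot be told from the hunk, since the `chain tosqueue {` block begins before it. I would keep a catch-all after the new line, `proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;` followed by `# anything else: clear TOS bits clients may have set themselves` and `settos min-cost ACCEPT;`, or else document next to `set TCP_OUT_COST ""` that the variable must not be left empty. The removed `set TCP_OUT "1:65535"` may still be referenced elsewhere in closed.conf outside these hunks; worth a grep before merging.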