Separate TCP_OUT on TOS, remove ppp0, let DNS through

diff --git a/closed.conf b/closed.conf
index db8b559..5e79bb4 100644 (file)
--- a/closed.conf
+++ b/closed.conf
@@ -21,9 +21,14 @@ set NSIP       `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
 
 ############# Port/protocol combinations we allow in and out
 set TCP_IN        "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
 
 ############# Port/protocol combinations we allow in and out
 set TCP_IN        "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"

-set TCP_OUT       "1:65535"
+set TCP_OUT_DELAY         "ssh,ftp"
+set TCP_OUT_RELIABILITY           "http,nntp,smtp,pop3,auth,domain"
+set TCP_OUT_THROUGHPUT    "ftp-data,napster,napserv"
+set TCP_OUT_COST          ""
+

 set UDP_IN        "ntp"
 set UDP_OUT       "1:65535"
 set UDP_IN        "ntp"
 set UDP_OUT       "1:65535"

+

 set ICMP_IN       "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
 set ICMP_OUT    "ping,pong,fragmentation-needed,source-quench,parameter-problem"
 
 set ICMP_IN       "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
 set ICMP_OUT    "ping,pong,fragmentation-needed,source-quench,parameter-problem"
 


@@ -58,8 +63,6 @@ chain INPUT {
        if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
        if lo goto UNUSUAL DROP;
 
        if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
        if lo goto UNUSUAL DROP;
 

-       if ppp0 ACCEPT;
-

        #incoming traffic, seperate by interface
        if %IFS {
                goto badguys;
        #incoming traffic, seperate by interface
        if %IFS {
                goto badguys;


@@ -79,8 +82,6 @@ chain OUTPUT {
        of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
        of lo goto UNUSUAL DENY;
 
        of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
        of lo goto UNUSUAL DENY;
 

-       of ppp0 ACCEPT;
-

        saddr !%IPSPEC goto UNUSUAL DENY;
 
        # again uncomment for trojan horses protection and inside out
        saddr !%IPSPEC goto UNUSUAL DENY;
 
        # again uncomment for trojan horses protection and inside out


@@ -190,9 +191,9 @@ chain fw_udp proto udp {
        }
 
        # again no dns fumbling around
        }
 
        # again no dns fumbling around

-       #sport domain dport domain saddr (**DNS IPS**) {
-       #       ACCEPT;
-       #}
+       sport domain dport domain saddr %NSIP {
+               ACCEPT;
+       }

        goto LDENY;
 }
 
        goto LDENY;
 }
 


@@ -221,19 +222,15 @@ chain tosqueue {
 
        protocol tcp reverse {
                # rapid response protocols
 
        protocol tcp reverse {
                # rapid response protocols

-               dport (ssh,ftp) settos min-delay ACCEPT;
+               dport %TCP_OUT_DELAY settos min-delay ACCEPT;

                # keep these from timing out
                # keep these from timing out

-               dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
+               dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;

                # bulk stuff
                # bulk stuff

-               dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
+               dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;

     dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
        }
 
     dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
        }
 

-       # remove any bits set by clients for different
-       # protocols, since they might be tricking their
-       # packets into a unfair priority... It wouldn't
-       # surprise me if IE uses this... :-O
-       settos min-cost ACCEPT;
+       proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;

 }
 
 #####################################################################
 }
 
 #####################################################################