From: Davor Ocelic
Date: Sun, 14 Aug 2005 10:24:07 +0000 (+0000)
Subject: Separate TCP_OUT on TOS, remove ppp0, let DNS through
X-Git-Url: https://git.hcoop.net/hcoop/zz_old/fwtool.git/commitdiff_plain/7a910192d7651a3b8df65034f61c3841c2ba45a3?ds=sidebyside
Separate TCP_OUT on TOS, remove ppp0, let DNS through
---
diff --git a/closed.conf b/closed.conf
index db8b559..5e79bb4 100644
--- a/closed.conf
+++ b/closed.conf
@@ -21,9 +21,14 @@ set NSIP `%CAT /etc/resolv.conf | %GREP nameserver | %AWK '{print $2}'`
 ############# Port/protocol combinations we allow in and out
 set TCP_IN "ssh,smtp,auth,www,ssmtp,https,imap,imaps,pop3,pop3s"
-set TCP_OUT "1:65535"
+set TCP_OUT_DELAY "ssh,ftp"
+set TCP_OUT_RELIABILITY "http,nntp,smtp,pop3,auth,domain"
+set TCP_OUT_THROUGHPUT "ftp-data,napster,napserv"
+set TCP_OUT_COST ""
+
 set UDP_IN "ntp"
 set UDP_OUT "1:65535"
+
 set ICMP_IN "ping,pong,destination-unreachable,source-quench,time-exceeded,parameter-problem"
 set ICMP_OUT "ping,pong,fragmentation-needed,source-quench,parameter-problem"
@@ -58,8 +63,6 @@ chain INPUT {
 if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
 if lo goto UNUSUAL DROP;
- if ppp0 ACCEPT;
-
 #incoming traffic, seperate by interface
 if %IFS {
 goto badguys;
@@ -79,8 +82,6 @@ chain OUTPUT {
 of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
 of lo goto UNUSUAL DENY;
- of ppp0 ACCEPT;
-
 saddr !%IPSPEC goto UNUSUAL DENY;
 # again uncomment for trojan horses protection and inside out
@@ -190,9 +191,9 @@ chain fw_udp proto udp {
 }
 # again no dns fumbling around
- #sport domain dport domain saddr (**DNS IPS**) {
- # ACCEPT;
- #}
+ sport domain dport domain saddr %NSIP {
+ ACCEPT;
+ }
 goto LDENY;
 }
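Review bot: `set TCP_OUT_COST ""` introduces an empty port list that the tosqueue hunk later consumes as `dport %TCP_OUT_COST`, and nothing in the config says whether the generator treats an empty `dport` as a parse error or as a rule that matches nothing; the line should carry its intent, e.g. `set TCP_OUT_COST ""    # intentionally empty: no ports are marked min-cost (used in chain tosqueue)`. The old `TCP_OUT "1:65535"` is dropped without a same-named replacement, so any `%TCP_OUT` reference in the parts of closed.conf not shown here would now expand to an empty string and is worth checking before merging. The four new variables are only used for TOS marking, not for filtering, so this split does not narrow which outbound TCP ports are permitted; placed directly under the filtering list `TCP_IN` the `TCP_OUT_*` names suggest otherwise, and a one-line comment above them would prevent that misreading.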
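Review bot: The new rule in chain fw_udp trusts the resolver solely on the source address of an unauthenticated UDP datagram, and `%NSIP` is taken from /etc/resolv.conf when the rules are generated (see the hunk header), so the rule silently degrades to `saddr` with an empty list if resolv.conf has no nameserver line, and with several nameservers the expansion yields a space-separated list whose acceptance by `saddr` is not shown here. `sport domain dport domain` also matches only traffic with port 53 on both ends; if the intent is to accept replies to ordinary resolver queries sent from ephemeral ports, that condition looks too narrow, though the direction and matching semantics of fw_udp are outside the hunk. A comment such as `# %NSIP is read from /etc/resolv.conf at generation time; regenerate the rules when resolvers change` would record the dependency.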
@@ -221,19 +222,15 @@ chain tosqueue {
 protocol tcp reverse {
 # rapid response protocols
- dport (ssh,ftp) settos min-delay ACCEPT;
+ dport %TCP_OUT_DELAY settos min-delay ACCEPT;
 # keep these from timing out
- dport (http,nntp,smtp,pop3,auth,domain) settos max-reliability ACCEPT;
+ dport %TCP_OUT_RELIABILITY settos max-reliability ACCEPT;
 # bulk stuff
- dport (ftp-data,napster,napserv) settos max-throughput ACCEPT;
+ dport %TCP_OUT_THROUGHPUT settos max-throughput ACCEPT;
 dport (ftp-data,8888,6699) settos max-throughput ACCEPT;
 }
- # remove any bits set by clients for different
- # protocols, since they might be tricking their
- # packets into a unfair priority... It wouldn't
- # surprise me if IE uses this... :-O
- settos min-cost ACCEPT;
+ proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;
 }
 #####################################################################
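Review bot: Replacing the unconditional `settos min-cost ACCEPT;` with `proto tcp dport %TCP_OUT_COST settos min-cost ACCEPT;` removes the catch-all that reset client-chosen TOS bits, so non-TCP traffic and TCP to ports outside the three lists now leave this chain with whatever TOS the application set, which is exactly the case the deleted comment described, and with `TCP_OUT_COST` set to `""` in the first hunk the replacement rule marks nothing at all. If resetting TOS is still wanted, keep a final `settos min-cost ACCEPT;` after the new line; either way the rationale from the removed comment should survive in shortened form, e.g. `# reset TOS bits chosen by clients so they cannot pick a better queue for themselves`. The unchanged `dport (ftp-data,8888,6699)` line still overlaps `%TCP_OUT_THROUGHPUT` on ftp-data and is the only hard-coded list left in the block; folding 8888 and 6699 into `TCP_OUT_THROUGHPUT` would complete the refactor. What happens to packets that fall through the end of tosqueue depends on the chain's caller, which is outside the hunk.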