From d901c26ad7335fce2dc08f3b88d88b83b5485596 Mon Sep 17 00:00:00 2001
From: Adam Chlipala
Date: Sun, 2 Oct 2005 15:03:37 +0000
Subject: [PATCH] Use newest config files

---
 closed.conf | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/closed.conf b/closed.conf
index 4c785b6..92b64b4 100644
--- a/closed.conf
+++ b/closed.conf
@@ -14,6 +14,7 @@ def $MASK = 29; # Our netmask is /29 = 255.255.255.248
 def $IPS = 64.20.38.170;
 def $IFS = eth0;
 def $IPSPEC = "64.20.38.170/$MASK";
+def $WE = (127.0.0.1/8 $IPSPEC);
 def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk '{print $2}'`;
 #set NTPIP `$CAT /etc/ntp.conf | $GREP server | $AWK '{print $2}'`
@@ -21,7 +22,8 @@ def $NSIP = `/bin/cat /etc/resolv.conf | /bin/grep nameserver | /usr/bin/awk
 def $BADGUYS = `/etc/firewall/print_badguys`;
 ############# Port/protocol combinations we allow in and out
-def $TCP_IN = (ssh smtp auth www ssmtp https imap imaps pop3 pop3s);
+def $TCP_IN = (ssh smtp 26 auth www ssmtp https imap imaps pop3 pop3s 10000 20000);
+# 10000 is webmin; 20000 is usermin
 def $TCP_OUT_DELAY = (ssh ftp auth);
 def $TCP_OUT_RELIABILITY = (http nntp smtp pop3 auth domain);
 def $TCP_OUT_THROUGHPUT = (ftp-data);
@@ -55,9 +57,11 @@ chain INPUT {
 state (ESTABLISHED RELATED) ACCEPT;
- if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ proto tcp if lo saddr 127.0.0.1/8 sport :1023 daddr 127.0.0.1/8 ACCEPT;
+ proto tcp if lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 dport :1023 ACCEPT;
+ proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
 if lo saddr $IPSPEC daddr $IPSPEC ACCEPT;
- if lo goto ldrop;
+# if lo goto ldrop;
 #incoming traffic goto badguys;
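Review bot: `$WE` is defined in the first hunk but none of the other hunks in this patch reference it, so unless a use exists outside the visible hunks it is a dead definition. The loopback rules added later in INPUT and OUTPUT still spell out `127.0.0.1/8` and `$IPSPEC` separately; if `$WE` was meant to name that pair, either use it there or add a comment stating its purpose, e.g. `# $WE: addresses that count as "us" (loopback plus our own /29)`.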
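Review bot: Adding 10000 and 20000 to `$TCP_IN` puts the webmin and usermin administrative interfaces in the same list as the public mail and web services, so if `$TCP_IN` is consumed by an unconditional ACCEPT (the consuming rule is outside these hunks) a root-privileged admin UI becomes reachable from any source address. Keeping them in a separate definition that is accepted only from administrative sources, e.g. `def $TCP_ADMIN = (10000 20000);` with its own saddr-restricted rule, limits that exposure. The new comment explains 10000 and 20000 but not 26; extend it to `# 26 is <purpose — TODO confirm>; 10000 is webmin; 20000 is usermin`.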
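Review bot: The third added rule in chain INPUT, `proto (tcp udp) saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;`, uses the iptables owner match, which is only valid in the OUTPUT and POSTROUTING hooks, so iptables will refuse this rule and ferm should fail to load the ruleset. Drop it from INPUT (its counterpart in the OUTPUT hunk is where owner matching belongs) or, if a local-origin criterion is needed here, rely on the source-port rule already added above. The same rule also lacks the `if lo` qualifier that its neighbouring rules carry. With `if lo goto ldrop;` now commented out, loopback traffic that matches none of the new accepts falls through to the rest of INPUT, which continues outside this hunk, instead of being dropped; if that fallthrough is intended, replace the commented-out line with a comment saying so.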
@@ -74,9 +78,10 @@ chain OUTPUT {
 state (ESTABLISHED RELATED) ACCEPT;
- of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ proto tcp of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 ACCEPT;
+ saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;
 of lo saddr $IPSPEC ACCEPT;
- of lo goto lreject;
+# of lo goto lreject;
 # queueing goes here, maybe some special fw rules as well
 proto tcp goto tosqueue;
 # ACCEPT must be handled here
--
2.20.1
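Review bot: The new `saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;` has no `of lo` qualifier, unlike the `proto tcp of lo ...` rule directly above it, so the two loopback accepts do not follow the same pattern; `of lo saddr 127.0.0.1/8 daddr 127.0.0.1/8 mod owner uid-owner 0 ACCEPT;` makes the interface restriction explicit. Because `of lo goto lreject;` is now commented out, non-TCP loopback packets from non-root processes fall through to the remainder of OUTPUT, which continues outside this hunk, instead of being rejected; if that is intended, replace the commented-out line with a comment stating so.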