Hi Charles,
Thanks again fro all the great work on Eiger and DachStein, they are
both working really well for me. After a bit of fighting and learning
of ipchains, I gotten a couple of sucesses here while trying to fix
some problems.
The first was that I could not port forward SSH to an internal box
with either Eiger or Dach. I had the proper stuff uncommented in
/etc/network.conf, but it just didn't work. I ended up having to do
the following:
ipchains -I input -i eth0 -j ACCEPT -p tcp -s 0/0 -d 0/0 24
to get the rule early enough in the input chain to be effective. But
I think this is actually too early now, since I'm bypassing some of
the good input rules.
My ipchains ruleset looks like this now:
# ipchains -L input
Chain input (policy DENY):
target prot opt source destination ports
ACCEPT tcp ------ anywhere anywhere any -> 24
DENY udp ------ 10.2.0.1 anywhere any -> bootps
DENY icmp ----l- anywhere anywhere redirect
DENY icmp ----l- anywhere anywhere
timestamp-request
DENY icmp ----l- anywhere anywhere timestamp-reply
DENY all ----l- 0.0.0.0 anywhere n/a
DENY all ----l- 255.255.255.255 anywhere n/a
DENY all ----l- localnet/8 anywhere n/a
DENY all ----l- BASE-ADDRESS.MCAST.NET/4 anywhere n/a
DENY all ------ 10.0.0.0/8 anywhere n/a
DENY all ------ 172.16.0.0/12 anywhere n/a
DENY all ------ 192.168.0.0/16 anywhere n/a
DENY all ----l- 0.0.0.0/8 anywhere n/a
DENY all ----l- 128.0.0.0/16 anywhere n/a
DENY all ----l- 191.255.0.0/16 anywhere n/a
DENY all ----l- 192.0.0.0/24 anywhere n/a
DENY all ----l- 223.255.255.0/24 anywhere n/a
DENY all ----l- 240.0.0.0/4 anywhere n/a
DENY all ----l- 192.168.1.0/24 anywhere n/a
DENY all ----l- 24-240-176-224.hsacorp.net anywhere n/a
REJECT all ----l- anywhere localnet/8 n/a
REJECT all ----l- anywhere 192.168.1.0/24 n/a
REJECT tcp ------ anywhere anywhere any ->
netbios-ns
REJECT tcp ------ anywhere anywhere any -> 135
REJECT udp ------ anywhere anywhere any ->
netbios-ns
REJECT udp ------ anywhere anywhere any -> 135
REJECT tcp ------ anywhere anywhere any ->
netbios-dgm:netbios-ssn
REJECT udp ------ anywhere anywhere any ->
netbios-dgm
REJECT udp ------ anywhere anywhere
netbios-ns:netbios-dgm -> any
REJECT udp ------ anywhere anywhere 135 -> any
REJECT tcp ------ anywhere anywhere
netbios-ns:netbios-ssn -> any
REJECT tcp ------ anywhere anywhere 135 -> any
ACCEPT tcp ------ anywhere anywhere any -> ssh
REJECT tcp ------ anywhere anywhere any -> auth
ACCEPT tcp ------ anywhere anywhere any ->
1024:65535
REJECT udp ----l- anywhere anywhere any ->
snmp:snmp-trap
ACCEPT udp ------ anywhere anywhere any -> domain
ACCEPT udp ------ anywhere anywhere any -> bootpc
DENY udp ------ anywhere anywhere any -> bootps
ACCEPT udp ------ anywhere anywhere any ->
1024:65535
ACCEPT icmp ------ anywhere anywhere any -> any
ACCEPT ospf ------ anywhere anywhere n/a
DENY all ----l- anywhere anywhere n/a
REJECT udp ----l- anywhere anywhere any ->
snmp:snmp-trap
REJECT udp ----l- anywhere anywhere snmp:snmp-trap
-> any
ACCEPT all ------ anywhere anywhere n/a
The second problem was that I was getting tons and tons of the
following messages in the /var/log/[messages,kern.log,syslog] files:
Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67
255.255.255.255:68 L=350 S=0x00 I=22593 F=0x0000 T=255 (#9)
Dec 16 20:42:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67
255.255.255.255:68 L=350 S=0x00 I=22595 F=0x0000 T=255 (#9)
Dec 16 20:42:49 jfsgw kernel: Packet log: input DENY eth0 PROTO=2
192.168.100.1:65535 224.0.0.1:65535 L=28 S=0xC0 I=0 F=0x0000 T=1 (#11)
Dec 16 20:44:22 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67
255.255.255.255:68 L=344 S=0x00 I=22697 F=0x0000 T=255 (#9)
Dec 16 20:44:30 jfsgw kernel: Packet log: input DENY eth0 PROTO=17 10.2.0.1:67
255.255.255.255:68 L=344 S=0x00 I=22700 F=0x0000 T=255 (#9)
Even though I had the settings to turn off the logging of martians. I
ended up changing the /etc/ipfilters.conf file so that in the
'stopMartians' function, I didn't bother to log packets for the RFC
1918, 1627 and 1597 blocks. I just removed the '-l' flag from those
three lines, saved /etc o floppy and rebooted.
I think this should be a general setting no matter what. Block the
those ranges, but don't bother to log them. I used the following
ipchains rules to fix this until the reboot.
ipchains -R input 9 -j DENY -p all -s 10.0.0.0/8 -d 0/0 -i eth0
ipchains -R input 10 -j DENY -p all -s 172.16.0.0/12 -d 0/0 -i eth0
ipchains -R input 11 -j DENY -p all -s 192.168.0.0/16 -d 0/0 -i eth0
I've also included my /etc/network.conf settings as well, incase I'm
doing something really stupid and wrong in them.
Question: would it be possible to pull out all the user settings and
just put them into a totally seperate set of config file(s) so that
the user doesn't have to edit such large chunks of the script? In the
CDROM version of DachStein, since space is now now an issue, this
would seem to make more sense. And even in the floppy version, it
shouldn't take much more space to offer this.
# cat /etc/network.conf
###############################################################################
# Extended firewall configruation scripts
# By Charles Steinkuehler
# Version 1.3.2
# September 29, 2001
###############################################################################
# Brief instructions for this file
###############################################################################
#
# VERBOSE=(YES/NO) Default: Yes
# Be verbose about settings.
#
# MAX_LOOP=(int) Default: 10
# Maximum number of incrementable entries to search for.
# IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
# (DNS0 - DNS7 == 8 entires)
# Setting this value too high will decrease the speed of the configuation
# system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON) Default: NO
# Enable IP forwarding in the kernel. FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO) Default: NO
# Enable IP Global defragmentation in the kernel.
#
# **WARNING** - If this was turned on everywhere in a network of routers,
# it can result in TCP connections failing and TCP connection resets.
#
# ONLY turn this on if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm. DO NOT turn this on if the box is a
# conventional router as it breaks the TCP/IP RFCes. This option is
# needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
# transperent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a usful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers in behind the router. Another use is packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO) Default: NO
# Create /etc/hostname file using HOSTNAME entry.
# Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO) Default: NO
# Create /etc/hosts file using HOSTSx entries.
# Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO) Default: NO
# Create /etc/resolv.conf file using DOMAINS and DNSx entries.
# Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST Default: "$IF_AUTO"
# A space seperated list of interfaces that can be ACTIVE on this machine
# This controls which interfaces can be brought up and down manually.
#
# IF_AUTO Default: "eth0"
# A space seperated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are
# shutdown in the reverse order of IF_LIST.
#
# IPFILTER_SWITCH=(none|router|firewall) Default: "none"
# Selects the basic IP filtering/firewalling setup of the router. "None"
# is used for a straight through router, "router" for a filtering router with
# IP spoof protection and Martian protection and "firewall" for a basic IP
# masquerading/NAT firewall. The basic filter types are provided in
# /etc/ipfilter.conf. If you want more than what is provided read the man
# pages for ipchains or ipfwadm and BE CAREFUL when you edit this!
#
###############################################################################
# General Settings
###############################################################################
VERBOSE=YES
MAX_LOOP=10
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=NO
###############################################################################
# Interfaces
###############################################################################
# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
# Do NOT include interfaces configured by dhcp!
IF_AUTO="eth1"
# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO
# Need these both for interfaces run by daemons - ie PPP, CIPE, some
# WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=NO
# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed
# values
BRG_EXEMPT_PROTOS=""
###############################################################################
eth0_IPADDR=1.1.1.2
eth0_MASKLEN=30
eth0_BROADCAST=+
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
eth0_DEFAULT_GW=1.1.1.1
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# Additional routes for this interface, if any
# Space seperated list: <PREFIX>[_<more ip route options>]
#eth0_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=NO
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=NO
# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
eth0_PROXY_ARP=NO
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit # Device bandwidth
#eth0_HNDL=2 # Queue Handle - must be unique
#eth0_IABURST=100 # Interactive Burst
#eth0_IARATE=1Mbit # Interactive Rate
#eth0_PXMTU=1514 # Physical MTU - includes Link Layer header
###############################################################################
eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=NO
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO
###############################################################################
#eth2_IPADDR=
#eth2_MASKLEN=
#eth2_BROADCAST=+
#eth2_ROUTES=
#eth2_IP_SPOOF=YES
#eth2_IP_KRNL_LOGMARTIANS=YES
#eth2_IP_SHARED_MEDIA=NO
#eth2_BRIDGE=NO
#eth2_PROXY_ARP=
#eth2_FAIRQ=NO
###############################################################################
# NAT 'virtual' interface (optional: required only for static-NAT DMZ systems)
###############################################################################
# Configured as an interface to allow flexible handling of bringing the
# routing rules up/down in conjunction with the physical interfaces
# interface spec is an indexed list of IP address pairs and a base priority
# number for ip rule creation
#nat0_BASE_PRI=100 # Unique base value for ip rules
# Indexed list: <public IP> <private DMZ IP>
#nat0_PAIR0="1.1.2.3 192.168.2.13"
#nat0_PAIR1="1.1.2.4 192.168.2.14"
#nat0_PAIR2="1.1.2.5 192.168.2.15"
# Sangoma FR example
#fr498_IPADDR=10.0.10.1
#fr498_PTPADDR=10.0.10.2
#fr498_IP_SPOOF=YES
#fr498_IP_KRNL_LOGMARTIANS=YES
# Simple QoS support
#fr498_FAIRQ=YES
#fr498_TXQLEN=50
# Complex FR QoS - Enable ALL of these + above to turn it on
#fr498_FRBURST=960Kbit # FR Burst capacity (a rate)
#fr498_BULKRATE=320Kbit # Usually you set this to the CIR
#fr498_BULKBURST=50 # Number of packets that can burst in bulk class
#fr498_BNDWIDTH=1920Kbit # The bandwidth of the interface
#fr498_IABURST=512 # No of Interactive Burst packets
#fr498_IARATE=640Kbit # Burst capicity bandwith between
# BURST and CIR
#fr498_HNDL=2 # The queue handle - must be unique Dialup PPP is 1000+
#fr498_PXMTU=1508 # The Physical MTU of the interface (data + MAC header)
# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
#ppp_BNDWIDTH=30Kbit
#ppp_FAIRQ=YES
#ppp_TXQLEN=30
#ppp_IABURST=20
#ppp_IARATE=10Kbit
#ppp_PXMTU=1500
###############################################################################
# IP Filter setup - can pull in settings from above
###############################################################################
# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www
# to internal machines below.
IPFILTER_SWITCH=firewall
# This set of variables is used with both sets of filters
SNMP_BLOCK=YES # Block all SNMP (YES/NO)
# List of IP Nos used for SNMP management
#SNMP_MANAGER_IPS="10.100.1.2"
# Fair Queuing support
# List of Mark values
MRK_CRIT=1 # Critical traffic, routing, DNS
MRK_IA=2 # Interactive traffic - telnet, ssh, IRC
# List of traffic types and maps to mark values
# Setting this variable turns on the
# fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp
${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet
${MRK_IA}_tcp_0/0_ssh"
# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
# port forwarding when EXTERN_DYNADDR is on because some security
# leaks will result. You may also want to limit the external open
# ports to domain (UDP) for DNS. Anyhow, these features are not that
# usable unless you have a static external address
#
EXTERN_IF="eth0" # External Interface
# Added for DHCP support
# Setting this to YES causes the dhcp client to try to configure the
# interfaces listed in IF_DHCP, and causes EXTERN_IP to be read directly
# from the interfaceB
EXTERN_DHCP=YES # YES/NO
# The interface(s) to configure via dhcp
IF_DHCP=$EXTERN_IF
# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address. Set this to NO for typical ethernet setups, even if you
# are using DHCP
EXTERN_DYNADDR=NO # YES/NO
# - or -
# External Interface IP number...the default should be fine for most folks
eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\"
# Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from the
# interface, but you arn't using DHCP (ie PPPoE and dialup users)
#EXTERN_IP=DYNAMIC
# If external interface IP is dynamic, read the configured IP address
# This should probably be moved to the init.d network script, but I put it
# here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" -o \
"$EXTERN_DHCP" = "Yes" -o \
"$EXTERN_DHCP" = "yes" -o \
"$EXTERN_IP" = "DYNAMIC" ] ; then
# This computes the IP address of $EXTERN_IF
EXTERN_IP=`ip addr list label $EXTERN_IF | \
grep inet | sed '1!d' | \
sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`
# If the external address is not configured, use a bogus address for the
# external interface to prevent a bunch of (harmless) errors that spit out
# when the IPCHAINS script is called.
if [ x$EXTERN_IP = x ]; then
EXTERN_IP=192.168.254.254
fi
fi
# Traffic to completely ignore...define here to prevent filling your logs
# Space seperated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"
SILENT_DENY="17_10.2.0.1_67"
# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extentions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output
# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"
## UDP Services open to outside world
# Space seperated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"
# TCP services open to outside world
# Space seperated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
EXTERN_TCP_PORTS="0/0_ssh"
# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
#EXTERN_TCP_PORT1="0/0 www"
# Generic Services open to outside world
# Space seperated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"
# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"
###############################################################################
# Internal Interface
###############################################################################
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF="eth1" # Internal Interface
INTERN_NET=192.168.1.0/24 # One (or more) Internal network(s)
INTERN_IP=192.168.1.254 # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=YES # Masquerade internal network to outside
# world - YES/NO
# These services are not masqueraded from int to ext/DMZ, preventing access
# Space seperated list: proto_destIP/mask_port
#
# JFS - not clear what to do here, commenting out.
#NOMASQ_DEST="tcp_0/0_ssh"
# Override for above...only the listed dest IP's can be accessed
# Space seperated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"
###############################################################################
# Port Forwarding
###############################################################################
# Remember to open appropriate holes in the firewall rules, above
# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp
tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1 # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1 # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
INTERN_SSH_SERVER=192.168.1.6 # Internal SSH server to make available
EXTERN_SSH_PORT=24 # External port to use for internal SSH access
# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: "<ipmasqadm portfw options>"
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
#INTERN_SERVER1=""
# Indexed list: "<ipmasqadm autofw options>"
#INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
#INTERN_AUTOFW1=""
###############################################################################
# DMZ setup (optional)
###############################################################################
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=NO
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24
# DMZ switches for all flavors except PRIVATE
###############################################################################
# For NAT DMZ's:
# DMZ_NET, above is likely a private IP range...DMZ_SRC should encompass the
# public IP range being NAT'd to DMZ_NET. Any systems
DMZ_SRC=1.1.1.0/27
# For Proxy-Arp or NAT DMZ's only:
# For security, any IP's within the DMZ_NET (PROXY) or DMZ_SRC (NAT)
# specification, above, that are NOT remote systems reached via DMZ_IF must
# be listed here. This potentially includes IP's of this LRP system, your
# gateway, and systems connected to your external interface.
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
## Both of the following should be used together - ie if you turn on
## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!
# Allows inbound connections to high tcp ports (>1023)
# You can also allow to specific machines using 1024: (or a smaller range)
# as the dest port range in DMZ_OPEN_DEST (RECOMMENDED)
DMZ_HIGH_TCP_CONNECT=NO
## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
# Inbound services to allow to the DMZ
# <protocol>_<destination IP/network>_<destination port or range>
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
tcp_${DMZ_NET}_domain
icmp_${DMZ_NET}_:
tcp_1.1.2.13_www"
# PRIVATE DMZ switches
###############################################################################
# Services port-forwarded to the DMZ network
# Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
#DMZ_SERVER0="udp $EXTERN_IP domain 192.168.2.1 domain"
#DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.2.1 domain"
#DMZ_SERVER2="tcp 1.2.3.13 www 192.168.2.1 www"
#DMZ_SERVER3="tcp 1.2.3.13 smtp 192.168.2.1 smtp"
#DMZ_SERVER4="tcp 1.2.3.12 www 192.168.2.1 8080"
# Allow all outbound traffic from DMZ (YES)
# or just traffic from port-forwarded servers (NO)
#DMZ_OUTBOUND_ALL=YES
###############################################################################
# Interface activation/deactivation functions
# Here so that special interface commands can be called and daemons started
#
# Arps can be set up here, network/host routes and so forth.
#
# This appears to be a little messy but is needed to achieve maximum
# functionality and flexibility.
#
###############################################################################
echo_rtepfx () {
local IFS='_'
set -- $1
echo $1
}
echo_rteargs () {
local IFS='_'
set -- $1
shift
echo $@
}
# Function to add a static NAT translation
# $1 = Name of environment variable which contains IP address
# $2 = Action (add or del)
# $3 = Base priority value
# $y = Current walklist index count
do_nat () {
local PRIORITY=$(($3 + $y ))
local ACTION=$2
eval local args=\$$1
set -- $args
ip route $ACTION nat $1 via $2
ip rule $ACTION prio $PRIORITY from $2 nat $1
}
if_up () {
local ADDR
# sort out a few things to make life easier - here so that you
# can see what is done and so that you can add anything if needed
eval local IPADDR=\${"$1"_IPADDR:-""} # I am also a good genius
eval local MASKLEN=\${"$1"_MASKLEN:-""}
eval local BROADCAST=\${"$1"_BROADCAST:-""}
eval local PTPADDR=\${"$1"_PTPADDR:-""}
eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
eval local ROUTES=\${"$1"_ROUTES:-""}
eval local FAIRQ=\${"$1"_FAIRQ:-""}
eval local TXQLEN=\${"$1"_TXQLEN:-""}
eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
eval local BRIDGE=\${"$1"_BRIDGE:-""}
eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
if [ -n "$BROADCAST" ] ; then
IFCFG_BROADCAST="broadcast $BROADCAST"
fi
# Do dee global bridge stuff
brg_global
# Set default interface flags here - used for PPP and WAN interfaces
if_setproc default rp_filter $DEF_IP_SPOOF
if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS
# Set up each interface
case $1 in
ppp0)
pppd call provider
;;
fr*)
wanconfig card wanpipe1 dev $1 start
ip addr add $IPADDR peer $PTPADDR dev $1
ip link set $1 up
# Fair queuing - this can be selected for any interface
ip_frQoS $1
;;
nat*)
eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
walk_list $1_PAIR $INIT_INDEX do_nat add $BASE_PRI
;;
*) # default interface startup
brg_iface $1 up $BRIDGE
[ -n "$IPADDR" ] \
&& ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
for ADDR in $IP_EXTRA_ADDRS; do
ip addr add $ADDR dev $1
done
ip link set $1 up
case "$PROXY_ARP" in
YES|Yes|yes)
ip route flush dev $1
;;
*)
;;
esac
# Fair queuing - this can be selected for any interface
ip_QoS $1
;;
esac
for route in $ROUTES; do
ip route add `echo_rtepfx $route` dev $1 `echo_rteargs $route`
done
# Do universal interface config items here
# Default route support
[ -n "$DEFAULT_GW" ] \
&& ip route replace default via $DEFAULT_GW dev $1
# Set the TX Queue Length
[ -n "$TXQLEN" ] \
&& ip link set $1 txqlen $TXQLEN
# Spoof protection
if_setproc $1 rp_filter $IP_SPOOF
# Kernel logging of martians on this interface
if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
# Shared Media stuff
if_setproc $1 shared_media $IP_SHARED_MEDIA
# Proxy ARP support
if_setproc $1 proxy_arp $PROXY_ARP
return 0
}
if_down () {
# Do Dee global bridge stuff
brg_global
case $1 in
ppp*)
[ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
sleep 5 # Wait for pppd to die
;;
fr*)
qt ip link set $1 down
qt ip addr flush dev $1
qt wanconfig card wanpipe1 dev $1 stop
;;
nat*)
eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
walk_list $1_PAIR $INIT_INDEX do_nat del $BASE_PRI
;;
*) # default action
brg_iface $1 down
ip link set $1 down # This also kills any routes
qt ip addr flush dev $1
;;
esac
# Clean up any QoS/fair queuing stuff
ip_QoSclear $1
true
} #END if_down
###############################################################################
# Hostname Requires: CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=jfsgw
###############################################################################
# Hosts file (Static domainname entires) Requires: CONFIG_HOSTSFILE=YES
###############################################################################
# IP FQDN hostname alias1 alias2..
HOSTS0="$eth1_IPADDR $HOSTNAME.private.network $HOSTNAME fw"
#HOSTS1="192.168.1.22 host2.private.network host2 h2"
HOSTS1="192.168.1.6 jfsnew.stoffel.home jfsnew"
###############################################################################
# Domain Search Order and Name Servers Requires: CONFIG_DNS=YES
###############################################################################
DOMAINS="stoffel.home"
DNS0=127.0.0.1
#DNS0=Your.Primary.DNS.Server
#DNS1=Your.Secondary.DNS.Server
###############################################################################
# QoS/Fariqueing functions
###############################################################################
ip_QoSclear () {
[ -x /sbin/tc ] \
&& qt tc qdisc del dev $1 root
return 0
}
ip_frQoS () {
# Set some vaiables
eval local FAIRQ=\${"$1"_FAIRQ:-""}
eval local BULKRATE=\${"$1"_BULKRATE:-""}
eval local BULKBURST=\${"$1"_BULKBURST:-""}
eval local FRBURST=\${"$1"_FRBURST:-""}
eval local HNDL=\${"$1"_HNDL:-""}
eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
eval local IARATE=\${"$1"_IARATE:-""}
eval local IABURST=\${"$1"_IABURST:-""}
eval local PXMTU=\${"$1"_PXMTU:-""}
if [ ! -x /sbin/tc ]; then
return 1
fi
if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
then
return 1
fi
if [ -z "$BULKRATE" -o -z "$FRBURST" -o -z "$HNDL" -o -z "$PXMTU" \
-o -z "$BNDWIDTH" -o -z "$IARATE" -o -z "$IABURST" \
-o -z "$BULKBURST" ]; then
tc qdisc replace dev $1 root sfq
return 0
fi
# Attach CBQ to device
tc qdisc add dev $1 root handle $HNDL: cbq \
bandwidth $BNDWIDTH avpkt 1000
# Set up classes
# Bulk class
tc class add dev $1 parent $HNDL:0 classid :1 \
est 1sec 8sec cbq bandwidth $BNDWIDTH \
rate $BULKRATE allot $PXMTU bounded weight 1 prio 6 \
avpkt 1000 maxburst $BULKBURST \
split $HNDL:0 defmap ff7f
tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
# Interactive Class
tc class add dev $1 parent $HNDL:0 classid :2 \
est 2sec 16sec cbq bandwidth $BNDWIDTH \
rate $IARATE allot $PXMTU bounded weight 1 prio 6 \
avpkt 1000 maxburst $IABURST \
split $HNDL:0 defmap 80
tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
# Priority class
tc class add dev $1 parent $HNDL:0 classid :3 \
est 1sec 8sec cbq bandwidth $BNDWIDTH \
rate $FRBURST allot $PXMTU bounded weight 1 prio 1 \
avpkt 1000 maxburst 21
tc qdisc add dev $1 parent $HNDL:3 pfifo
# Add filters
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 50 handle $MRK_CRIT fw classid $HNDL:3
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 60 handle $MRK_IA fw classid $HNDL:2
return 0
}
ip_QoS () {
# Set some vaiables
eval local HNDL=\${"$1"_HNDL:-""}
eval local FAIRQ=\${"$1"_FAIRQ:-""}
if [ -z "$FAIRQ" -a -n "$2" ]; then
local FAIRQ=$2
fi
eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
if [ -z "$BNDWIDTH" -a -n "$3" ]; then
local BNDWIDTH=$3
fi
eval local PXMTU=\${"$1"_PXMTU:-""}
if [ -z "$PXMTU" -a -n "$4" ]; then
local PXMTU=$4
fi
eval local IARATE=\${"$1"_IARATE:-""}
if [ -z "$IARATE" -a -n "$5" ]; then
local IARATE=$5
fi
eval local IABURST=\${"$1"_IABURST:-""}
if [ -z "$IABURST" -a -n "$6" ]; then
local IABURST=$6
fi
if [ ! -x /sbin/tc ]; then
return 1
fi
if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
then
return 1
fi
if [ -z "$BNDWIDTH" -o -z "$IABURST" -o -z "$IARATE" -o -z "$HNDL" \
-o -z "$PXMTU" ]; then
tc qdisc replace dev $1 root sfq
return 0
fi
# Attach CBQ to device
tc qdisc add dev $1 root handle $HNDL: cbq \
bandwidth $BNDWIDTH \
avpkt 1000
# Set up classes
# Bulk class
tc class add dev $1 parent $HNDL:0 classid :1 est 1sec 8sec \
cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
allot $PXMTU avpkt 1000 bounded weight 1 prio 6 \
split $HNDL:0 defmap ff7f
tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
# Interactive class
tc class add dev $1 parent $HNDL:0 classid :2 est 2sec 16sec \
cbq bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST \
allot $PXMTU avpkt 1000 bounded isolated weight 1 \
prio 2 split $HNDL:0 defmap 80
tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
# Priority class
tc class add dev $1 parent $HNDL:0 classid :3 est 1sec 8sec \
cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
allot $PXMTU avpkt 1000 bounded weight 1 prio 1
tc qdisc add dev $1 parent $HNDL:3 pfifo
# Add filters
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 50 handle $MRK_CRIT fw classid $HNDL:3
tc filter add dev $1 parent $HNDL:0 protocol ip \
priority 60 handle $MRK_IA fw classid $HNDL:2 \
return 0
}
###############################################################################
# End
###############################################################################
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
