+++ /dev/null
-#!/bin/sh
-#
-# firewall-masq This script sets up firewall rules for a machine
-# acting as a masquerading gateway
-#
-# Copyright (C) 2000 Roaring Penguin Software Inc. This software may
-# be distributed under the terms of the GNU General Public License, version
-# 2 or any later version.
-# LIC: GPL
-
-# Interface to Internet
-EXTIF=ppp+
-
-# NAT-Tables are different, so we can use ACCEPT everywhere (?)
-iptables -t nat -P PREROUTING ACCEPT
-iptables -t nat -P OUTPUT ACCEPT
-iptables -t nat -P POSTROUTING ACCEPT
-
-# Flush the NAT-Table
-iptables -t nat -F
-
-iptables -t filter -P INPUT DROP
-iptables -t filter -F
-
-# Allow incoming SSH
-#iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
-
-# Log & Deny the rest of the privileged ports
-iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
-iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
-iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j DROP
-iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j DROP
-
-# Log & Deny NFS
-iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
-iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
-iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
-iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP
-
-# Log & Deny X11
-iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
-iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP
-
-# Log & Deny XFS
-iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
-iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP
-
-# Deny TCP connection attempts
-iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
-iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP
-
-# Deny ICMP echo-requests
-iptables -t filter -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP
-
-# Do masquerading
-iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
-
-# Enable forwarding
-echo 1 > /proc/sys/net/ipv4/ip_forward
-
-# no IP spoofing
-if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
- for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
- echo 1 > $i
- done
-fi
-
-# Disable Source Routed Packets
-for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
- echo 0 > $i
-done
+++ /dev/null
-#!/bin/sh
-#
-# firewall-standalone This script sets up firewall rules for a standalone
-# machine
-#
-# Copyright (C) 2005 Roaring Penguin Software Inc. This software may
-# be distributed under the terms of the GNU General Public License, version
-# 2 or any later version.
-# LIC: GPL
-
-# Interface to Internet
-EXTIF=ppp+
-
-iptables -P INPUT ACCEPT
-iptables -P OUTPUT ACCEPT
-iptables -P FORWARD DROP
-
-iptables -F FORWARD
-iptables -F INPUT
-iptables -F OUTPUT
-
-# Deny TCP and UDP packets to privileged ports
-iptables -A INPUT -p udp -i $EXTIF --dport 0:1023 -j LOG
-iptables -A INPUT -p tcp -i $EXTIF --dport 0:1023 -j LOG
-iptables -A INPUT -p udp -i $EXTIF --dport 0:1023 -j DROP
-iptables -A INPUT -p tcp -i $EXTIF --dport 0:1023 -j DROP
-
-# Deny TCP connection attempts
-iptables -A INPUT -i $EXTIF -p tcp --syn -j LOG
-iptables -A INPUT -i $EXTIF -p tcp --syn -j DROP
-
-# Deny ICMP echo-requests
-iptables -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP
-
+++ /dev/null
-#***********************************************************************
-#
-# pppoe.conf
-#
-# Configuration file for rp-pppoe. Edit as appropriate and install in
-# /etc/ppp/pppoe.conf
-#
-# NOTE: This file is used by the pppoe-start, pppoe-stop, pppoe-connect and
-# pppoe-status shell scripts. It is *not* used in any way by the
-# "pppoe" executable.
-#
-# Copyright (C) 2000 Roaring Penguin Software Inc.
-#
-# This file may be distributed under the terms of the GNU General
-# Public License.
-#
-# LIC: GPL
-# $Id$
-#***********************************************************************
-
-# When you configure a variable, DO NOT leave spaces around the "=" sign.
-
-# Ethernet card connected to DSL modem
-#
-# NB: Gentoo overrides ETH when pppoe-start is called from the
-# networking scripts. This setting has no effect in that case.
-ETH=eth1
-
-# PPPoE user name. You may have to supply "@provider.com" Sympatico
-# users in Canada do need to include "@sympatico.ca"
-# Sympatico uses PAP authentication. Make sure /etc/ppp/pap-secrets
-# contains the right username/password combination.
-# For Magma, use xxyyzz@magma.ca
-USER=bxxxnxnx@sympatico.ca
-
-# Bring link up on demand? Default is to leave link up all the time.
-# If you want the link to come up on demand, set DEMAND to a number indicating
-# the idle time after which the link is brought down.
-DEMAND=no
-#DEMAND=300
-
-# DNS type: SERVER=obtain from server; SPECIFY=use DNS1 and DNS2;
-# NOCHANGE=do not adjust.
-DNSTYPE=SERVER
-
-# Obtain DNS server addresses from the peer (recent versions of pppd only)
-# In old config files, this used to be called USEPEERDNS. Changed to
-# PEERDNS for better Red Hat compatibility
-PEERDNS=yes
-
-DNS1=
-DNS2=
-
-# Make the PPPoE connection your default route. Set to
-# DEFAULTROUTE=no if you don't want this.
-DEFAULTROUTE=yes
-
-### ONLY TOUCH THE FOLLOWING SETTINGS IF YOU'RE AN EXPERT
-
-# How long pppoe-start waits for a new PPP interface to appear before
-# concluding something went wrong. If you use 0, then pppoe-start
-# exits immediately with a successful status and does not wait for the
-# link to come up. Time is in seconds.
-#
-# WARNING WARNING WARNING:
-#
-# If you are using rp-pppoe on a physically-inaccessible host, set
-# CONNECT_TIMEOUT to 0. This makes SURE that the machine keeps trying
-# to connect forever after pppoe-start is called. Otherwise, it will
-# give out after CONNECT_TIMEOUT seconds and will not attempt to
-# connect again, making it impossible to reach.
-CONNECT_TIMEOUT=30
-
-# How often in seconds pppoe-start polls to check if link is up
-CONNECT_POLL=2
-
-# Specific desired AC Name
-ACNAME=
-
-# Specific desired service name
-SERVICENAME=
-
-# Character to echo at each poll. Use PING="" if you don't want
-# anything echoed
-PING="."
-
-# File where the pppoe-connect script writes its process-ID.
-# Three files are actually used:
-# $PIDFILE contains PID of pppoe-connect script
-# $PIDFILE.pppoe contains PID of pppoe process
-# $PIDFILE.pppd contains PID of pppd process
-#
-# NB: Gentoo overrides PIDFILE when pppoe-start is run from the
-# networking scripts. This setting has no effect in that case.
-PIDFILE="/var/run/rp-pppoe.pid"
-
-# Do you want to use synchronous PPP? "yes" or "no". "yes" is much
-# easier on CPU usage, but may not work for you. It is safer to use
-# "no", but you may want to experiment with "yes". "yes" is generally
-# safe on Linux machines with the n_hdlc line discipline; unsafe on others.
-SYNCHRONOUS=no
-
-# Do you want to clamp the MSS? Here's how to decide:
-# - If you have only a SINGLE computer connected to the DSL modem, choose
-# "no".
-# - If you have a computer acting as a gateway for a LAN, choose "1412".
-# The setting of 1412 is safe for either setup, but uses slightly more
-# CPU power.
-CLAMPMSS=1412
-#CLAMPMSS=no
-
-# LCP echo interval and failure count.
-LCP_INTERVAL=20
-LCP_FAILURE=3
-
-# PPPOE_TIMEOUT should be about 4*LCP_INTERVAL
-PPPOE_TIMEOUT=80
-
-# Firewalling: One of NONE, STANDALONE or MASQUERADE
-FIREWALL=NONE
-
-# Linux kernel-mode plugin for pppd. If you want to try the kernel-mode
-# plugin, use LINUX_PLUGIN=rp-pppoe.so
-LINUX_PLUGIN=
-
-# Any extra arguments to pass to pppoe. Normally, use a blank string
-# like this:
-PPPOE_EXTRA=""
-
-# Rumour has it that "Citizen's Communications" with a 3Com
-# HomeConnect DSL Modem DualLink requires these extra options:
-# PPPOE_EXTRA="-f 3c12:3c13 -S ISP"
-
-# Any extra arguments to pass to pppd. Normally, use a blank string
-# like this:
-PPPD_EXTRA=""
-
-
-########## DON'T CHANGE BELOW UNLESS YOU KNOW WHAT YOU ARE DOING
-# If you wish to COMPLETELY overrride the pppd invocation:
-# Example:
-# OVERRIDE_PPPD_COMMAND="pppd call dsl"
-
-# If you want pppoe-connect to exit when connection drops:
-# RETRY_ON_FAILURE=no
projects / config / bruni / etc.git / commitdiff