authorJonas Smedegaard <dr@jones.dk>2001-09-18 08:51:02 +0000
committerJonas Smedegaard <dr@jones.dk>2001-09-18 08:51:02 +0000
commit529182b23e3849b7717e8f6f741d9dd7cbc57bcf (patch)
tree3ebb0cbbdc9bdebde18cde92a7db4c9c30fc6573
parent17759a25f6946416e18c8d1329aee7a1fa0750d2 (diff)
Added ipmasq/rules/*
-rw-r--r--ipmasq/rules/A01interfaces.rul19
-rw-r--r--ipmasq/rules/A10dhcpcd.rul31
-rw-r--r--ipmasq/rules/A10dhcpd.rul30
-rw-r--r--ipmasq/rules/Z91kerneldynaddr.rul11
-rw-r--r--ipmasq/rules/Z99windows-smb-broadcast.rul27
5 files changed, 118 insertions, 0 deletions
diff --git a/ipmasq/rules/A01interfaces.rul b/ipmasq/rules/A01interfaces.rul
new file mode 100644
index 0000000..56808c6
--- /dev/null
+++ b/ipmasq/rules/A01interfaces.rul
@@ -0,0 +1,19 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+#
+# Correction:
+# Ignore irda interfaces as well.
+# Jonas Smedegaard <dr@jones.dk> Sat, 17 Jun 2000 15:10:17 +0200
+
+# find interface names
+EXTERNAL=$(default-if | sort -u)
+INTERNAL=$(enumerate-if | sort -u | grep -v lo | grep -v irda)
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ INTERNAL=$(echo $INTERNAL | sed -e s/$i//)
+ done
+fi
+
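Review bot: The `sed -e s/$i//` on the INTERNAL line strips the external interface name as a substring, so with EXTERNAL=eth1 an internal interface eth10 becomes `0` instead of being removed, and every rule file that later loops over $INTERNAL then acts on a nonexistent interface name. Because INTERNAL comes out of `sort -u` newline-separated, an exact-line filter is enough: `INTERNAL=$(echo "$INTERNAL" | grep -Fvx -- "$i")`. The `grep -v lo` in the INTERNAL pipeline has the same substring problem and drops any interface whose name merely contains `lo`; `grep -vx lo` (or a `^lo` anchor if aliases such as lo:1 should go too) is what is meant. The header comment describes a `.def` file that a `.rul` file overrides, but this file already is the `.rul`; it should say so or be dropped, otherwise an admin may copy it expecting an override layer that does not exist.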
diff --git a/ipmasq/rules/A10dhcpcd.rul b/ipmasq/rules/A10dhcpcd.rul
new file mode 100644
index 0000000..5ac66a1
--- /dev/null
+++ b/ipmasq/rules/A10dhcpcd.rul
@@ -0,0 +1,31 @@
+# From Kalle Olavi Niemitalo <tosi@ees2.oulu.fi>:
+
+# Here's my /etc/ipmasq/rules/A10dhcpd.rul file in case you'd
+# like to add it in the examples directory. It's somewhat
+# stricter than /usr/doc/ipmasq/examples/Z99dhcpd.rul. Also, I'm
+# using priority A10 rather than Z99 because some of my other
+# rules would reject the packets.
+#
+# This works with dhcp_1.0.2-0.1 and the Windows 95 DHCP client.
+# The ipfwadm invocations are untested.
+
+if [ -n "$INTERNAL" ]; then
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -i accept -S 0.0.0.0/0 67 -D 255.255.255.255/32 68 -W $i -P udp
+# $IPFWADM -O -i accept -S $IPOFIF/32 68 -D 255.255.255.255/32 67 -W $i -P udp
+ ;;
+ ipchains)
+ $IPCHAINS -I input -j ACCEPT -s 0.0.0.0/0 67 -d 255.255.255.255/32 68 -i $i -p udp
+# $IPCHAINS -I output -j ACCEPT -s $IPOFIF/32 68 -d 255.255.255.255/32 67 -i $i -p udp
+ ;;
+ iptables)
+ $IPTABLES -I INPUT -j ACCEPT -s 0.0.0.0/0 67 -d 255.255.255.255/32 68 -i $i -p udp
+# $IPTABLES -I OUTPUT -j ACCEPT -s $IPOFIF/32 68 -d 255.255.255.255/32 67 -i $i -p udp
+ ;;
+ esac
+ done
+fi
+
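Review bot: The `iptables)` arm can never be selected if $MASQMETHOD uses the value the sibling files switch on — A10dhcpd.rul and Z99windows-smb-broadcast.rul both label that arm `netfilter)` — and its rule keeps the ipchains port form `-s 0.0.0.0/0 67 ... 68`, which iptables rejects; it should read `netfilter)` with `$IPTABLES -I INPUT -j ACCEPT -p udp --sport 67 --dport 68 -d 255.255.255.255/32 -i $i` (A10dhcpd.rul's netfilter arm carries the same ipchains-style port syntax and needs the equivalent `--sport`/`--dport` rewrite). The header comment is copied from the dhcpd (server) file and names it, while this file is for the dhcpcd client; the loop also runs over $INTERNAL, whereas a client obtaining a lease on a masquerading gateway presumably sits on the external link, so if that is the intent the loop should use $EXTERNAL and the comment should say which side of the gateway the file covers. The commented-out OUTPUT lines should either be enabled or carry a one-line reason they are disabled.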
diff --git a/ipmasq/rules/A10dhcpd.rul b/ipmasq/rules/A10dhcpd.rul
new file mode 100644
index 0000000..7be8c1e
--- /dev/null
+++ b/ipmasq/rules/A10dhcpd.rul
@@ -0,0 +1,30 @@
+# From Kalle Olavi Niemitalo <tosi@ees2.oulu.fi>:
+
+# Here's my /etc/ipmasq/rules/A10dhcpd.rul file in case you'd
+# like to add it in the examples directory. It's somewhat
+# stricter than /usr/doc/ipmasq/examples/Z99dhcpd.rul. Also, I'm
+# using priority A10 rather than Z99 because some of my other
+# rules would reject the packets.
+#
+# This works with dhcp_1.0.2-0.1 and the Windows 95 DHCP client.
+# The ipfwadm invocations are untested.
+
+if [ -n "$INTERNAL" ]; then
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -i accept -S 0.0.0.0/32 68 -D 255.255.255.255/32 67 -W $i -P udp
+ $IPFWADM -O -i accept -S $IPOFIF/32 67 -D 255.255.255.255/32 68 -W $i -P udp
+ ;;
+ ipchains)
+ $IPCHAINS -I input -j ACCEPT -s 0.0.0.0/32 68 -d 255.255.255.255/32 67 -i $i -p udp
+ $IPCHAINS -I output -j ACCEPT -s $IPOFIF/32 67 -d 255.255.255.255/32 68 -i $i -p udp
+ ;;
+ netfilter)
+ $IPTABLES -I INPUT -j ACCEPT -s 0.0.0.0/32 68 -d 255.255.255.255/32 67 -i $i -p udp
+ $IPTABLES -I OUTPUT -j ACCEPT -s $IPOFIF/32 67 -d 255.255.255.255/32 68 -i $i -p udp
+ esac
+ done
+fi
+
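Review bot: The `netfilter)` arm has no closing `;;`, unlike the two arms above it; it is legal for the last arm but inconsistent, and adding `;;` before `esac` avoids a surprise when another method is appended later. The comment calls these rules "somewhat stricter" without saying how: the `-s 0.0.0.0/32` source only matches clients that have no address yet (the initial DISCOVER/REQUEST exchange), so a client renewing or rebinding from its leased address is not covered here and depends on other rules. A line such as `# Only unconfigured clients (source 0.0.0.0) are accepted here; renewals from a leased address are not covered` would make that explicit for whoever debugs a failed renewal.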
diff --git a/ipmasq/rules/Z91kerneldynaddr.rul b/ipmasq/rules/Z91kerneldynaddr.rul
new file mode 100644
index 0000000..4b25add
--- /dev/null
+++ b/ipmasq/rules/Z91kerneldynaddr.rul
@@ -0,0 +1,11 @@
+# turn on the kernel's notion of dynamic addressing
+if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
+ if [ "$NOACT" != "yes" ]; then
+ echo "1" > /proc/sys/net/ipv4/ip_dynaddr
+ fi
+
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo "echo \"1\" > /proc/sys/net/ipv4/ip_dynaddr"
+ fi
+fi
+
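Review bot: The write to /proc/sys/net/ipv4/ip_dynaddr is unchecked: if /proc is read-only or the file is not writable the redirection fails and the script carries on as if dynamic-address support were enabled. I would change that line to `echo "1" > /proc/sys/net/ipv4/ip_dynaddr || echo "Z91kerneldynaddr: cannot set ip_dynaddr" >&2`, so the failure is at least visible in the output. The header comment could also say what the flag does, e.g. `# ip_dynaddr=1 lets the kernel rewrite the source of masqueraded connections when the dynamic external address changes`, since "kernel's notion of dynamic addressing" does not tell an admin why this matters for masquerading.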
diff --git a/ipmasq/rules/Z99windows-smb-broadcast.rul b/ipmasq/rules/Z99windows-smb-broadcast.rul
new file mode 100644
index 0000000..836d825
--- /dev/null
+++ b/ipmasq/rules/Z99windows-smb-broadcast.rul
@@ -0,0 +1,27 @@
+# Accept Windows SMB broadcasts, so as to avoid spurious syslog entries from
+# ZZZdenyandlog.def
+
+if [ -n "$INTERNAL" -o -n "$EXTERNAL" ]; then
+ for i in $INTERNAL $EXTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ if [ -n "$BCOFIF" ]; then
+ $IPFWADM -I -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF -D $BCOFIF/32 137:139
+ fi
+ ;;
+ ipchains)
+ if [ -n "$BCOFIF" ]; then
+ $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 137:139 -p tcp
+ $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 137:139 -p udp
+ fi
+ ;;
+ netfilter)
+ if [ -n "$BCOFIF" ]; then
+ $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 -p tcp --dport 137:139
+ $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 -p udp --dport 137:139
+ fi
+ esac
+ done
+fi
+
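Review bot: The loop runs over `$EXTERNAL` as well as `$INTERNAL`, so ports 137-139 to the directed broadcast are ACCEPTed on the external link too; the stated goal of avoiding syslog noise from ZZZdenyandlog.def does not need an accept there, and a silent deny on the external side keeps the gateway's default-deny posture. I would use `for i in $INTERNAL; do` and, if the external-side noise still matters, add a separate non-logging deny for those interfaces. The ipfwadm arm passes the `137:139` port range without a `-P tcp`/`-P udp`, while the ipchains and netfilter arms give the protocol explicitly; ipfwadm only applies ports to tcp/udp, so this line likely needs to be split into two like its siblings. Finally, `[ -n "$INTERNAL" -o -n "$EXTERNAL" ]` uses the ambiguous `-o`; `[ -n "$INTERNAL$EXTERNAL" ]` tests the same condition without it.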