authorJonas Smedegaard <dr@jones.dk>2017-01-26 14:30:08 +0100
committerJonas Smedegaard <dr@jones.dk>2017-01-26 14:30:08 +0100
commite042b7bced715a9d0d6c660df453b1b68f263316 (patch)
tree13f1bcd2f7cccf87718d92b5fc9a112d4c3ea455 /ipmasq/rules
parentc778483fbd7829e2d41157ae6be2d7f1eef709f5 (diff)
Drop ancient unused files.
Diffstat (limited to 'ipmasq/rules')
-rw-r--r--ipmasq/rules/A01interfaces.rul15
-rw-r--r--ipmasq/rules/A01interfaces_ipsec.def23
-rw-r--r--ipmasq/rules/A01precompute.rul56
-rw-r--r--ipmasq/rules/A01precompute_ipsec.def26
-rw-r--r--ipmasq/rules/A10dhcpd.rul31
-rw-r--r--ipmasq/rules/A80firewall.def62
-rw-r--r--ipmasq/rules/A80pfw.rul41
-rw-r--r--ipmasq/rules/A80precompute_pfw.def56
-rw-r--r--ipmasq/rules/F50ipsec.def40
-rw-r--r--ipmasq/rules/F50ipsec.rul26
-rw-r--r--ipmasq/rules/I50ipsec.rul22
-rw-r--r--ipmasq/rules/I80firewall.def158
-rw-r--r--ipmasq/rules/M70masq.def40
-rw-r--r--ipmasq/rules/M80pfw.def48
-rw-r--r--ipmasq/rules/O50ipsec.rul22
-rw-r--r--ipmasq/rules/O80firewall.def159
-rw-r--r--ipmasq/rules/Z91kerneldynaddr.rul11
-rw-r--r--ipmasq/rules/Z99windows-smb-broadcast.rul27
-rw-r--r--ipmasq/rules/ZZZ|Lipac.rul12
19 files changed, 0 insertions, 875 deletions
diff --git a/ipmasq/rules/A01interfaces.rul b/ipmasq/rules/A01interfaces.rul
deleted file mode 100644
index 3ce53da..0000000
--- a/ipmasq/rules/A01interfaces.rul
+++ /dev/null
@@ -1,15 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-# find interface names
-EXTERNAL=$(default-if | sort -u)
-INTERNAL=$(enumerate-if | sort -u | grep -v lo | grep -v irda | grep -v ipsec)
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- INTERNAL=$(echo $INTERNAL | sed -e s/$i//)
- done
-fi
-IPSEC=$(enumerate-if | sort -u | grep ipsec)
diff --git a/ipmasq/rules/A01interfaces_ipsec.def b/ipmasq/rules/A01interfaces_ipsec.def
deleted file mode 100644
index 484fb9e..0000000
--- a/ipmasq/rules/A01interfaces_ipsec.def
+++ /dev/null
@@ -1,23 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-# find IPsec interface names, and separate them from INTERNAL
-IPSEC=$(enumerate-if | sort -u | grep ipsec)
-if [ -n "$IPSEC" ]; then
- for i in $IPSEC; do
- INTERNAL=$(echo $INTERNAL | sed -e "s/\( *\|^\)$i\( *\|$\)/\1/")
- done
-fi
-
-# remove interfaces that don't have networks attached to them
-if [ -n "$IPSEC" ]; then
- for i in $IPSEC; do
- nm=$(nmofif $i)
- if [ -z "${nm}" ]; then
- IPSEC=$(echo $IPSEC | sed -e "s/\( *\|^\)$i\( *\|$\)/\1/")
- fi
- done
-fi
diff --git a/ipmasq/rules/A01precompute.rul b/ipmasq/rules/A01precompute.rul
deleted file mode 100644
index b1bc4ce..0000000
--- a/ipmasq/rules/A01precompute.rul
+++ /dev/null
@@ -1,56 +0,0 @@
-if [ "$SHOWRULES" = "yes" ]; then
- echo "Interfaces found:"
-fi
-
-# precompute ips and netmasks
-if [ -n "$EXTERNAL" -o -n "$INTERNAL" -o -n "$IPSEC" ]; then
- for i in $EXTERNAL $INTERNAL $IPSEC; do
- ii=$(echo $i | sed -e 's/\:/_/g')
- ip=$(ipofif $i)
- nm=$(nmofif $i)
- peer=$(peerofif $i)
- bc=$(bcofif $i)
- eval "IPOFIF_$ii=$ip"
- eval "NMOFIF_$ii=$nm"
- eval "PEEROFIF_$ii=$peer"
- eval "BCOFIF_$ii=$bc"
- if [ "$SHOWRULES" = "yes" ]; then
- /bin/echo -e " $i\t$ip/$nm"
- fi
- done
-fi
-
-# precompute ipsec connections
-if [ -n "$IPSEC" ]; then
- if [ "$SHOWRULES" = "yes" ]; then
- echo "IPSec connections found:"
- fi
- IPSECCONN=""
- for i in $IPSEC; do
- ii=$(echo $i | sed -e 's/\:/_/g')
- eval "ip=\$IPOFIF_$ii"
- eval "nm=\$IPOFIF_$ii"
- igw=$(ipsec look | grep IPIP:.*src=$ip | sed 's/^\([^[:blank:]]*\).*/\1/')
- conncollect=""
- for ipsecgw in $igw; do
- conn=$(ipsec look | grep "=> $ipsecgw" | sed 's/^.*=>[[:blank:]]*\([^@[:blank:]]*\).*/\1/')
- conncollect="$conncollect $conn"
- eval "IPSEC_IF_$conn=$i"
- cidrleft=$(ipsec look | grep "=> $ipsecgw" | sed 's/^\([^[:blank:]]*\)[[:blank:]]*->[[:blank:]]*[^[:blank:]]*.*/\1/')
- eval "IPSEC_HERE_$conn=$cidrleft"
- cidrright=$(ipsec look | grep "=> $ipsecgw" | sed 's/^[^[:blank:]]*[[:blank:]]*->[[:blank:]]*\([^[:blank:]]*\).*/\1/')
- eval "IPSEC_THERE_$conn=$cidrright"
- eval "IPSEC_THERE_$conn=$cidrright"
- done
- IPSECCONN="$IPSECCONN $conncollect"
- eval "IPSECCONN_${ii}=\"$conncollect\""
- if [ "$SHOWRULES" = "yes" ]; then
- /bin/echo -e " $i\t$ip/$nm"
- for conn in $conncollect; do
- eval "IPSEC_HERE=\$IPSEC_HERE_$conn"
- eval "IPSEC_THERE=\$IPSEC_THERE_$conn"
- /bin/echo -e " $IPSEC_HERE -> $IPSEC_THERE"
- done
- fi
- done
-fi
diff --git a/ipmasq/rules/A01precompute_ipsec.def b/ipmasq/rules/A01precompute_ipsec.def
deleted file mode 100644
index 5d90913..0000000
--- a/ipmasq/rules/A01precompute_ipsec.def
+++ /dev/null
@@ -1,26 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-# precompute ips and netmasks
-if [ -n "$IPSEC" ]; then
- if [ "$SHOWRULES" = "yes" ]; then
- echo "#: IPSec interfaces found:"
- fi
- IPSECGW=""
- for i in $IPSEC; do
- ii=$(echo $i | sed -e 's/\:/_/g')
- igw=$(ipsec look | grep IPIP:.*src=$ip | sed 's/^\([^[:blank:]]*\).*/\1/')
- cidrcollect=""
- for ipsecgw in $igw; do
- cidr=$(ipsec look | grep "=> $ipsecgw" | sed 's/^\([^[:blank:]]*\).*/\1/')
- cidrcollect="$cidrcollect $cidr"
- done
- eval "CIDROFIPSEC_${ii}=\"$cidrcollect\""
- if [ "$SHOWRULES" = "yes" ]; then
- /bin/echo -e "#: $i\t$ip/$nm\t$cidrcollect"
- fi
- done
-fi
diff --git a/ipmasq/rules/A10dhcpd.rul b/ipmasq/rules/A10dhcpd.rul
deleted file mode 100644
index ff3cd29..0000000
--- a/ipmasq/rules/A10dhcpd.rul
+++ /dev/null
@@ -1,31 +0,0 @@
-# From Kalle Olavi Niemitalo <tosi@ees2.oulu.fi>:
-
-# Here's my /etc/ipmasq/rules/A10dhcpd.rul file in case you'd
-# like to add it in the examples directory. It's somewhat
-# stricter than /usr/doc/ipmasq/examples/Z99dhcpd.rul. Also, I'm
-# using priority A10 rather than Z99 because some of my other
-# rules would reject the packets.
-#
-# This works with dhcp_1.0.2-0.1 and the Windows 95 DHCP client.
-# The ipfwadm invocations are untested.
-
-if [ -n "$INTERNAL" ]; then
- for i in $INTERNAL; do
- ipnm_cache $i
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -i accept -S 0.0.0.0/32 68 -D 255.255.255.255/32 67 -W ${i%%:*} -P udp
- $IPFWADM -O -i accept -S $IPOFIF/32 67 -D 255.255.255.255/32 68 -W ${i%%:*} -P udp
- ;;
- ipchains)
- $IPCHAINS -A input -j ACCEPT -s 0.0.0.0/32 68 -d 255.255.255.255/32 67 -i ${i%%:*} -p udp
- $IPCHAINS -A output -j ACCEPT -s $IPOFIF/32 67 -d 255.255.255.255/32 68 -i ${i%%:*} -p udp
- ;;
- netfilter)
- $IPTABLES -A INPUT -j ACCEPT -s 0.0.0.0/32 -d 255.255.255.255/32 -i ${i%%:*} -p udp --source-port 68 --destination-port 67
- $IPTABLES -A OUTPUT -j ACCEPT -s $IPOFIF/32 -d 255.255.255.255/32 -o ${i%%:*} -p udp --source-port 67 --destination-port 68
- ;;
- esac
- done
-fi
-
diff --git a/ipmasq/rules/A80firewall.def b/ipmasq/rules/A80firewall.def
deleted file mode 100644
index 80045db..0000000
--- a/ipmasq/rules/A80firewall.def
+++ /dev/null
@@ -1,62 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-# Packet filter firewall script for ipmasq (GPL)
-# By Osamu Aoki <osamu@aokiconsulting.com>
-#
-# Firewall are set for external network connection ports listed in $EXTERNAL
-# Little consideration taken for shared port, eth0:0, etc. (Deny=Drop)
-#
-###############################################################################
-#
-# CONFIGURE FIREWALL RULES
-#
-## QADDR: deny(in)/reject(out) foreign hosts by address of forein host
-# w/o log
-# List all all annoying sites
-# Default = none
-QADDR=""
-# ATT@HOME nntp port scan daemon: 24.0.94.130 24.0.0.203
-# pop-up ad sites:
-# ads.x10.com 64.85.92.20
-# ad.doubleclick.net 206.65.183.125
-# network status check:
-# pnap.com 216.52.223.0/24 ICMP
-#QADDR="24.0.94.130/32 24.0.0.203/32 64.85.92.20/32 206.65.183.125/32 216.52.223.0/24"
-
-## ATCPSVR: allow foreign host by port of this PC for TCP
-# List open port server services (Both in and out)
-# Default = All open.
-ATCPSVR="1:1023"
-# Very open (No netbios nor sunrpc)
-#ATCPSVR="ftp ftp-data ssh telnet smtp nameserver whois domain finger www kerberos pop2 pop3 auth imap2 irc imap3 ldap https who talk uucp ldaps imaps pop3s"
-# Normal
-#ATCPSVR="ssh auth smtp telnet www pop3 https"
-# My choice
-#ATCPSVR="ssh auth smtp"
-
-## AUDPSVR: allow foreign host by port of this PC for UDP
-# List open port server services (Both in and out)
-# Default = All open.
-ATCPSVR="1:1023"
-# Normal = just accept dhcp server <-> dhcp client
-#AUDPSVR="bootpc"
-
-## QTCPSVR: deny foreign host by port of this PC w/o log for TCP
-# do not service these to outside but useful inside
-QTCPSVR="137:139 80 111"
-
-## QUDPSVR: deny foreign host by port of this PC w/o log for UDP
-# do not service these to outside but useful inside
-QUDPSVR="137:139"
-
-## DTCPSVR: deny foreign host by port of this PC with log for TCP
-# server port range (LOG)
-DTCPSVR="1:1023"
-
-## DUDPSVR: deny foreign host by port of this PC with log for UDP
-# server port range (LOG)
-DUDPSVR="1:1023"
diff --git a/ipmasq/rules/A80pfw.rul b/ipmasq/rules/A80pfw.rul
deleted file mode 100644
index de86102..0000000
--- a/ipmasq/rules/A80pfw.rul
+++ /dev/null
@@ -1,41 +0,0 @@
-# Define masqueraded hosts with an IP address or a range of addresses:
-#
-# portfw_ip_<hostname>="<ipaddr>[-<ipaddr>]"
-#
-# <hostname> must be lowercase
-# <ipaddr>-ranges works only with iptables/netfilter (2.4.x kernels)
-#
-
-#portfw_ip_foo="10.42.42.1"
-#portfw_ip_bar="10.42.42.2"
-
-# Define pools either forwarding port (ranges) to same port on
-# masqueraded host or redirecting a single port to another port:
-#
-# portfw_pool_<pool>="<protocol>[,<protocol>...] <port>[:<port>][,<port>...]] <hostname>"
-# portfw_pool_<pool>="<protocol>[,<protocol>...] <port> <hostname> [<dest port>]"
-#
-# <pool> can only contain lowercase a-z and underscore (_)
-# <protocol> is either tcp or udp (or possibly others)
-# <port> can be either numbers or service names
-# <port>-ranges is denoted with colon (:) and only works with iptables/netfilter (2.4.x kernels)
-# <hostname> must be lowercase.
-#
-
-#portfw_pool_ssh=" tcp ssh foo"
-#portfw_pool_dns=" tcp,udp domain foo"
-#portfw_pool_mail=" tcp smtp,pop3,imap foo"
-#portfw_pool_mailsec=" tcp ssmtp,pop3s,imaps foo"
-#portfw_pool_http=" tcp http,https foo"
-
-#portfw_pool_bar_ssh=" tcp 2222 bar 22"
-#portfw_pool_foobar=" tcp 88,8080:8089 bar "
-
-# Requests from inside to the external IP of a portforwarded host will fail.
-# Remap local requests so they look like coming from the firewall itself?
-# (This works only eith iptables/netfilter)
-# (Alternatively you need a local nameserver setup with the inside address)
-#
-############ This doesn't work yet...
-#PORTFW_REMAP_LOCAL="y"
-############ This doesn't work yet...
diff --git a/ipmasq/rules/A80precompute_pfw.def b/ipmasq/rules/A80precompute_pfw.def
deleted file mode 100644
index ba8aaec..0000000
--- a/ipmasq/rules/A80precompute_pfw.def
+++ /dev/null
@@ -1,56 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-# Some reused regex'es
-re_protos='[a-z\,]\+'
-re_ports='[a-z0-9\,:]\+'
-re_port='[a-z0-9:]\+'
-re_host='[a-z0-9]\+'
-re_pool='[a-z0-9_]\+'
-re_cfg="[[:space:]]*\($re_protos\)[[:space:]]\+\($re_ports\)[[:space:]]\+\($re_host\)\([[:space:]]\+\($re_port\)\)\?[[:space:]]*"
-re_cfgline="portfw_pool_\($re_pool\)[[:space:]]*=[[:space:]]*'$re_cfg'"
-
-# Extract portforward hosts
-PFW=$(set | grep '^portfw_ip_' | sed "s/^portfw_ip_\($re_host\).*/\1/")
-
-# remove hosts with no pools attached
-if [ -n "$PFW" ]; then
- for i in $PFW; do
- poolhits=$(set | grep '^portfw_pool_' | sed "s/$re_cfgline/\4/" | grep "^$i$")
- if [ -z "$poolhits" ]; then
- PFW=$(echo $PFW | sed "s/\( *\|^\)$i\( *\|$\)/\1/")
- fi
- done
-fi
-
-# Extract ips and ports
-if [ -n "$PFW" ]; then
- if [ "$SHOWRULES" = "yes" ]; then
- echo "#: These ports are forwarded:"
- fi
- PFWPOOLS=""
- for i in $PFW; do
- eval "ip=\"\$portfw_ip_$i\""
- pools=$(set | grep '^portfw_pool_' | sed "s/$re_cfgline/\1:\4/" | grep ":$i$" | sed "s/:$i$//")
- for pool in $pools; do
- PFWPOOLS="$PFWPOOLS $pool"
- eval "config=\"\$portfw_pool_$pool\""
- protos_bulk=$(echo $config | sed "s/$re_cfg/\1/")
- protos=$(echo $protos_bulk | sed 's/,/ /g')
- origports_bulk=$(echo $config | sed "s/$re_cfg/\2/")
- origports=$(echo $origports_bulk | sed 's/,/ /g')
- destport=$(echo $config | sed "s/$re_cfg/\5/")
- [ "$origports" = "$destport" ] && destport=""
- eval "PFWPROTO_$pool=\"\$protos\""
- eval "PFWORIGPORTS_$pool=\"$origports\""
- eval "PFWIP_$pool=\"$ip\""
- eval "PFWPORT_$pool=\"$destport\""
- if [ "$SHOWRULES" = "yes" ]; then
- /bin/echo -e "#: $protos_bulk \t$origports_bulk \t->\t $ip $destport \t($pool->$i)"
- fi
- done
- done
-fi
diff --git a/ipmasq/rules/F50ipsec.def b/ipmasq/rules/F50ipsec.def
deleted file mode 100644
index cad4d78..0000000
--- a/ipmasq/rules/F50ipsec.def
+++ /dev/null
@@ -1,40 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-#: Forward packets among internal and IPsec networks
-if [ -n "$IPSEC" ]; then
- for j in $IPSEC; do
- jj=$(echo $j | sed -e 's/\:/_/g')
- eval "CIDROFIPSEC=\$CIDROFIPSEC_$jj"
- for DESTCIDR in $CIDROFIPSEC; do
- for i in $INTERNAL; do
- if [ "$i" != "$j" ]; then
- ipnm_cache $i
- case $MASQMETHOD in
- ipfwadm)
- if [ -n "$PEEROFIF" ]; then
- $IPFWADM -F -a accept -S $PEEROFIF/$NMOFIF -D $DESTCIDR
- fi
- $IPFWADM -F -a accept -S $IPOFIF/$NMOFIF -D $DESTCIDR
- ;;
- ipchains)
- if [ -n "$PEEROFIF" ]; then
- $IPCHAINS --no-warnings -A forward -j ACCEPT -s $PEEROFIF/$NMOFIF -d $DESTCIDR
- fi
- $IPCHAINS --no-warnings -A forward -j ACCEPT -s $IPOFIF/$NMOFIF -d $DESTCIDR
- ;;
- netfilter)
- if [ -n "$PEEROFIF" ]; then
- $IPTABLES -A FORWARD -j ACCEPT -s $PEEROFIF/$NMOFIF -d $DESTCIDR
- fi
- $IPTABLES -A FORWARD -j ACCEPT -s $IPOFIF/$NMOFIF -d $DESTCIDR
- ;;
- esac
- fi
- done
- done
- done
-fi
diff --git a/ipmasq/rules/F50ipsec.rul b/ipmasq/rules/F50ipsec.rul
deleted file mode 100644
index 817325a..0000000
--- a/ipmasq/rules/F50ipsec.rul
+++ /dev/null
@@ -1,26 +0,0 @@
-#: forward packets between internal and ipsec networks
-if [ -n "$IPSECCONN" ]; then
- for j in $IPSECCONN; do
- eval "IPSEC_IF=\$IPSEC_IF_$j"
- eval "IPSEC_HERE=\$IPSEC_HERE_$j"
- eval "IPSEC_THERE=\$IPSEC_THERE_$j"
- for i in $INTERNAL; do
- ipnm_cache $i
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -F -a accept -b -S $IPOFIF/$NMOFIF -D $IPSEC_THERE
- ;;
- ipchains)
- $IPCHAINS -A forward -b -j ACCEPT -s $IPSEC_HERE -d $IPSEC_THERE
- ;;
- netfilter)
- $IPTABLES -t nat -A POSTROUTING -s $IPSEC_HERE -d $IPSEC_THERE -j ACCEPT
- $IPTABLES -A FORWARD -j ACCEPT -s $IPSEC_HERE -d $IPSEC_THERE
- $IPTABLES -A FORWARD -j ACCEPT -d $IPSEC_HERE -s $IPSEC_THERE
-# $IPTABLES -A FORWARD -j ACCEPT -s $IPOFIF/$NMOFIF -d $IPSEC_THERE
-# $IPTABLES -A FORWARD -j ACCEPT -d $IPOFIF/$NMOFIF -s $IPSEC_THERE
- ;;
- esac
- done
- done
-fi
diff --git a/ipmasq/rules/I50ipsec.rul b/ipmasq/rules/I50ipsec.rul
deleted file mode 100644
index 8d6e859..0000000
--- a/ipmasq/rules/I50ipsec.rul
+++ /dev/null
@@ -1,22 +0,0 @@
-#: Accept packets from remote ipsec networks on ipsec interfaces
-if [ -n "$IPSECCONN" ]; then
- for i in $IPSECCONN; do
- eval "IPSEC_IF=\$IPSEC_IF_$i"
- eval "IPSEC_HERE=\$IPSEC_HERE_$i"
- eval "IPSEC_THERE=\$IPSEC_THERE_$i"
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -a accept -W ${IPSEC_IF%%:*} -S $IPSEC_HERE
- $IPFWADM -I -a accept -W ${IPSEC_IF%%:*} -S $IPSEC_THERE
- ;;
- ipchains)
- $IPCHAINS -A input -j ACCEPT -i ${IPSEC_IF%%:*} -s $IPSEC_HERE
- $IPCHAINS -A input -j ACCEPT -i ${IPSEC_IF%%:*} -s $IPSEC_THERE
- ;;
- netfilter)
- $IPTABLES -A INPUT -j ACCEPT -i ${IPSEC_IF%%:*} -s $IPSEC_HERE
- $IPTABLES -A INPUT -j ACCEPT -i ${IPSEC_IF%%:*} -s $IPSEC_THERE
- ;;
- esac
- done
-fi
diff --git a/ipmasq/rules/I80firewall.def b/ipmasq/rules/I80firewall.def
deleted file mode 100644
index ee1a507..0000000
--- a/ipmasq/rules/I80firewall.def
+++ /dev/null
@@ -1,158 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-# Packet filter firewall script for ipmasq (GPL)
-# By Osamu Aoki <osamu@aokiconsulting.com>
-#
-# Firewall are set for external network connection ports listed in $EXTERNAL
-# Little consideration taken for shared port.
-#
-echo "# Firewall for incoming packets"
-###############################################################################
-# QUIET INPUT ADDRESS (Deny for forein packet) RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $QADDR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -a deny -W ${i%%:*} -S $j
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -s $j
- ;;
- netfilter)
- $IPTABLES -A INPUT -j DROP -i ${i%%:*} -s $j
- ;;
- esac
- done
- done
-fi
-###############################################################################
-# ALLOW INPUT TCP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $ATCPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp
- ;;
- ipchains)
- $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp
- ;;
- netfilter)
- $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
- ;;
- esac
- done
- done
-fi
-
-# ALLOW INPUT UDP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $AUDPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp
- ;;
- ipchains)
- $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp
- ;;
- netfilter)
- $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
- ;;
- esac
- done
- done
-fi
-
-###############################################################################
-# QUIET INPUT TCP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $QTCPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp
- ;;
- netfilter)
- $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
- ;;
- esac
- done
- done
-fi
-
-# QUIET INPUT UDP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $QUDPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp
- ;;
- netfilter)
- $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
- ;;
- esac
- done
- done
-fi
-
-###############################################################################
-# DENY INPUT TCP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $DTCPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp -o
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp -l
- ;;
- netfilter)
- $IPTABLES -A INPUT -j LOG -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
- $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
- ;;
- esac
- done
- done
-fi
-
-# DENY INPUT UDP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $DUDPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp -o
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp -l
- ;;
- netfilter)
- $IPTABLES -A INPUT -j LOG -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
- $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
- ;;
- esac
- done
- done
-fi
-echo "#"
diff --git a/ipmasq/rules/M70masq.def b/ipmasq/rules/M70masq.def
deleted file mode 100644
index 8c75509..0000000
--- a/ipmasq/rules/M70masq.def
+++ /dev/null
@@ -1,40 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-#: Masquerade packets from internal networks
-if [ -n "$INTERNAL" -a -n "$EXTERNAL" ]; then
- for j in $EXTERNAL; do
- for i in $INTERNAL; do
- ipnm_cache $i
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -F -a masq -W ${j%%:*} -S $IPOFIF/$NMOFIF
- ;;
- ipchains)
- if [ -n "$PEEROFIF" ]; then
- $IPCHAINS --no-warnings -A forward -j MASQ -i ${j%%:*} -s $PEEROFIF/$NMOFIF
- else
- $IPCHAINS --no-warnings -A forward -j MASQ -i ${j%%:*} -s $IPOFIF/$NMOFIF
- fi
- ;;
- netfilter)
- i=$(echo $i | cut -d ":" -f 1)
- j=$(echo $j | cut -d ":" -f 1)
- if [ -n "$PEEROFIF" ]; then
- $IPTABLES -t nat -A POSTROUTING -s $PEEROFIF/$NMOFIF -o ${j%%:*} -j MASQUERADE
- $IPTABLES -A FORWARD -i $i -o ${j%%:*} -s $PEEROFIF/$NMOFIF -j ACCEPT
- $IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $PEEROFIF/$NMOFIF -j ACCEPT
- else
- $IPTABLES -t nat -A POSTROUTING -s $IPOFIF/$NMOFIF -o ${j%%:*} -j MASQUERADE
- $IPTABLES -A FORWARD -i $i -o ${j%%:*} -s $IPOFIF/$NMOFIF -j ACCEPT
- $IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $IPOFIF/$NMOFIF -j ACCEPT
- fi
- ;;
- esac
- done
- done
-fi
-
diff --git a/ipmasq/rules/M80pfw.def b/ipmasq/rules/M80pfw.def
deleted file mode 100644
index b3792ac..0000000
--- a/ipmasq/rules/M80pfw.def
+++ /dev/null
@@ -1,48 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-#: Masquerade packets from internal networks
-#if [ -n "$INTERNAL" -a -n "$EXTERNAL_IN" -a -n "$PFW" ]; then
-if [ -n "$EXTERNAL_IN" -a -n "$PFW" ]; then
- for pool in $PFWPOOLS; do
- eval "PROTOS=\"\$PFWPROTO_$pool\""
- eval "ORIGPORTS=\"\$PFWORIGPORTS_$pool\""
- eval "PFWIP=\"\$PFWIP_$pool\""
- eval "PFWPORT=\"\$PFWPORT_$pool\""
- for PROTO in $PROTOS; do
- for ORIGPORT in $ORIGPORTS; do
- ORIGPORT_DASH=$(echo $ORIGPORT | sed 's/:/-/g')
- for j in $EXTERNAL_IN; do
- ipnm_cache $j
- EXTIP=$IPOFIF
- case $MASQMETHOD in
- ipfwadm)
- ipmasqadm portfw -a -P $PROTO -L $EXTIP $ORIGPORT_DASH -R $PFWIP $PFWPORT
- ;;
- ipchains)
- ipmasqadm portfw -a -P $PROTO -L $EXTIP $ORIGPORT_DASH -R $PFWIP $PFWPORT
- ;;
- netfilter)
- $IPTABLES -A PREROUTING -t nat -p $PROTO -d $EXTIP --dport $ORIGPORT -j DNAT --to $PFWIP${PFWPORT:+:$PFWPORT}
- ;;
- esac
- for i in $INTERNAL; do
- ipnm_cache $i
- case $MASQMETHOD in
- netfilter)
- $IPTABLES -A FORWARD -i $j -o $i -p $PROTO --dport $ORIGPORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-# TODO: This should be done only for the interface containing the portforward host
-# if [ "$PORTFW_REMAP_LOCAL" = "y" ]; then
-# $IPTABLES -A POSTROUTING -t nat -p $PROTO -d $PFWIP ${PFWPORT:+--dport $PFWPORT} -s $IPOFIF/$NMOFIF -j SNAT --to $IPOFIF
-# fi
- ;;
- esac
- done
- done
- done
- done
- done
-fi
diff --git a/ipmasq/rules/O50ipsec.rul b/ipmasq/rules/O50ipsec.rul
deleted file mode 100644
index c0b5b5c..0000000
--- a/ipmasq/rules/O50ipsec.rul
+++ /dev/null
@@ -1,22 +0,0 @@
-#: Allow packets for ipsec hosts to be delivered using ipsec interfaces
-if [ -n "$IPSECCONN" ]; then
- for i in $IPSECCONN; do
- eval "IPSEC_IF=\$IPSEC_IF_$i"
- eval "IPSEC_HERE=\$IPSEC_HERE_$i"
- eval "IPSEC_THERE=\$IPSEC_THERE_$i"
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -O -a accept -W ${i%%:*} -D $IPSEC_HERE
- $IPFWADM -O -a accept -W ${i%%:*} -D $IPSEC_THERE
- ;;
- ipchains)
- $IPCHAINS -A output -j ACCEPT -i ${IPSEC_IF%%:*} -d $IPSEC_HERE
- $IPCHAINS -A output -j ACCEPT -i ${IPSEC_IF%%:*} -d $IPSEC_THERE
- ;;
- netfilter)
- $IPTABLES -A OUTPUT -j ACCEPT -o ${IPSEC_IF%%:*} -d $IPSEC_HERE
- $IPTABLES -A OUTPUT -j ACCEPT -o ${IPSEC_IF%%:*} -d $IPSEC_THERE
- ;;
- esac
- done
-fi
diff --git a/ipmasq/rules/O80firewall.def b/ipmasq/rules/O80firewall.def
deleted file mode 100644
index d6fe9f8..0000000
--- a/ipmasq/rules/O80firewall.def
+++ /dev/null
@@ -1,159 +0,0 @@
-# You should not edit this file. Instead, create a file with the same
-# name as this one, but with a .rul extension instead of .def. The
-# .rul file will override this one.
-#
-# However, any changes you make to this file will be preserved.
-
-# Packet filter firewall script for ipmasq (GPL)
-# By Osamu Aoki <osamu@aokiconsulting.com>
-#
-# Firewall are set for external network connection ports listed in $EXTERNAL
-# Little consideration taken for shared port.
-#
-echo "# Firewall for outgoing packets"
-###############################################################################
-# QUIET ADDRESS (REJECT for internal request) RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $QADDR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -O -a reject -W ${i%%:*} -D $j
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A output -j REJECT -i ${i%%:*} -d $j
- ;;
- netfilter)
- $IPTABLES -A OUTPUT -j REJECT -o ${i%%:*} -d $j
- ;;
- esac
- done
- done
-fi
-
-###############################################################################
-# ALLOW OUTPUT TCP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $ATCPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P tcp
- ;;
- ipchains)
- $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p tcp
- ;;
- netfilter)
- $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p tcp --source-port $j
- ;;
- esac
- done
- done
-fi
-
-# ALLOW OUTPUT UDP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $AUDPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P udp
- ;;
- ipchains)
- $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p udp
- ;;
- netfilter)
- $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p udp --source-port $j
- ;;
- esac
- done
- done
-fi
-
-###############################################################################
-# QUIET OUTPUT TCP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $QTCPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp
- ;;
- netfilter)
- $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
- ;;
- esac
- done
- done
-fi
-
-# QUIET OUTPUT UDP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $QUDPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp
- ;;
- netfilter)
- $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
- ;;
- esac
- done
- done
-fi
-
-###############################################################################
-# DENY OUTPUT TCP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $DTCPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp -o
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp -l
- ;;
- netfilter)
- $IPTABLES -A OUTPUT -j LOG -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
- $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
- ;;
- esac
- done
- done
-fi
-
-# DENY OUTPUT UDP RULES
-if [ -n "$EXTERNAL" ]; then
- for i in $EXTERNAL; do
- ipnm_cache $i
- for j in $DUDPSVR; do
- case $MASQMETHOD in
- ipfwadm)
- $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp -o
- ;;
- ipchains)
- $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp -l
- ;;
- netfilter)
- $IPTABLES -A OUTPUT -j LOG -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
- $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
- ;;
- esac
- done
- done
-fi
-echo "#"
diff --git a/ipmasq/rules/Z91kerneldynaddr.rul b/ipmasq/rules/Z91kerneldynaddr.rul
deleted file mode 100644
index 4b25add..0000000
--- a/ipmasq/rules/Z91kerneldynaddr.rul
+++ /dev/null
@@ -1,11 +0,0 @@
-# turn on the kernel's notion of dynamic addressing
-if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
- if [ "$NOACT" != "yes" ]; then
- echo "1" > /proc/sys/net/ipv4/ip_dynaddr
- fi
-
- if [ "$SHOWRULES" = "yes" ]; then
- echo "echo \"1\" > /proc/sys/net/ipv4/ip_dynaddr"
- fi
-fi
-
diff --git a/ipmasq/rules/Z99windows-smb-broadcast.rul b/ipmasq/rules/Z99windows-smb-broadcast.rul
deleted file mode 100644
index 836d825..0000000
--- a/ipmasq/rules/Z99windows-smb-broadcast.rul
+++ /dev/null
@@ -1,27 +0,0 @@
-# Accept Windows SMB broadcasts, so as to avoid spurious syslog entries from
-# ZZZdenyandlog.def
-
-if [ -n "$INTERNAL" -o -n "$EXTERNAL" ]; then
- for i in $INTERNAL $EXTERNAL; do
- ipnm_cache $i
- case $MASQMETHOD in
- ipfwadm)
- if [ -n "$BCOFIF" ]; then
- $IPFWADM -I -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF -D $BCOFIF/32 137:139
- fi
- ;;
- ipchains)
- if [ -n "$BCOFIF" ]; then
- $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 137:139 -p tcp
- $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 137:139 -p udp
- fi
- ;;
- netfilter)
- if [ -n "$BCOFIF" ]; then
- $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 -p tcp --dport 137:139
- $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 -p udp --dport 137:139
- fi
- esac
- done
-fi
-
diff --git a/ipmasq/rules/ZZZ|Lipac.rul b/ipmasq/rules/ZZZ|Lipac.rul
deleted file mode 100644
index 544570f..0000000
--- a/ipmasq/rules/ZZZ|Lipac.rul
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/ipmasq/rules/ZZZ|L_ipac.rul
-#
-# Restarting IP-ACCOUNTING.
-# Very last rule in the ipmasq chain.
-#
-# To speed-up the system start-up don't check at boot time.
-[ ! $runlevel ] && for SCRIPT in /etc/init.d/ipac /etc/init.d/ipac-ng;do
- test -s $SCRIPT && if [ "$SHOWRULES" = "yes" ]
- then echo $SCRIPT force-reload;else $SCRIPT force-reload 2> /dev/null
- fi
-done
-