Diffstat (limited to 'ipmasq/rules/I80firewall.def')
-rw-r--r--ipmasq/rules/I80firewall.def158
1 files changed, 158 insertions, 0 deletions
diff --git a/ipmasq/rules/I80firewall.def b/ipmasq/rules/I80firewall.def
new file mode 100644
index 0000000..ee1a507
--- /dev/null
+++ b/ipmasq/rules/I80firewall.def
@@ -0,0 +1,158 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+# Packet filter firewall script for ipmasq (GPL)
+# By Osamu Aoki <osamu@aokiconsulting.com>
+#
+# Firewall are set for external network connection ports listed in $EXTERNAL
+# Little consideration taken for shared port.
+#
+echo "# Firewall for incoming packets"
+###############################################################################
+# QUIET INPUT ADDRESS (Deny for forein packet) RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $QADDR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -a deny -W ${i%%:*} -S $j
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -s $j
+ ;;
+ netfilter)
+ $IPTABLES -A INPUT -j DROP -i ${i%%:*} -s $j
+ ;;
+ esac
+ done
+ done
+fi
+###############################################################################
+# ALLOW INPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $ATCPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp
+ ;;
+ ipchains)
+ $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp
+ ;;
+ netfilter)
+ $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+# ALLOW INPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $AUDPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -a accept -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp
+ ;;
+ ipchains)
+ $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp
+ ;;
+ netfilter)
+ $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+###############################################################################
+# QUIET INPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $QTCPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp
+ ;;
+ netfilter)
+ $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+# QUIET INPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $QUDPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp
+ ;;
+ netfilter)
+ $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+###############################################################################
+# DENY INPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $DTCPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P tcp -o
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p tcp -l
+ ;;
+ netfilter)
+ $IPTABLES -A INPUT -j LOG -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
+ $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j
+ ;;
+ esac
+ done
+ done
+fi
+
+# DENY INPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ ipnm_cache $i
+ for j in $DUDPSVR; do
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -a deny -W ${i%%:*} -D $IPOFIF/$NMOFIF $j -P udp -o
+ ;;
+ ipchains)
+ $IPCHAINS --no-warnings -A input -j DENY -i ${i%%:*} -d $IPOFIF/$NMOFIF $j -p udp -l
+ ;;
+ netfilter)
+ $IPTABLES -A INPUT -j LOG -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
+ $IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $IPOFIF/$NMOFIF -p udp --destination-port $j
+ ;;
+ esac
+ done
+ done
+fi
+echo "#"
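Review bot: The two `-j LOG` rules in the DENY INPUT TCP/UDP sections log every packet that hits a port in $DTCPSVR/$DUDPSVR with no rate limit, so a port sweep or SYN flood against the external interface can fill the kernel log (and the disk behind it) at line rate, which is a cheap denial of service against the box doing the filtering. Since this branch already targets iptables, bound and label the log entries with a limit match and a prefix: `$IPTABLES -A INPUT -j LOG -m limit --limit 5/min --limit-burst 10 --log-prefix "ipmasq DENY: " -i ${i%%:*} -d $IPOFIF/$NMOFIF -p tcp --destination-port $j` (and the same line with `-p udp` in the UDP loop); the ipchains `-l` and ipfwadm `-o` variants have no equivalent knob, which is worth a one-line comment there. Separately, the ALLOW loops are appended before the QUIET/DENY loops, so a port present in both $ATCPSVR and $DTCPSVR is accepted and never logged; the header's "Little consideration taken for shared port" should state that allow takes precedence so nobody expects a later DENY entry to override it. $EXTERNAL, $QADDR, the port lists and `ipnm_cache` are defined outside this file, so whether a default-deny policy covers ports that appear in none of the lists cannot be confirmed from this hunk.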