1 files changed, 159 insertions, 0 deletions

diff --git a/ipmasq/rules/O80firewall.def b/ipmasq/rules/O80firewall.def
new file mode 100644
index 0000000..d6fe9f8
--- /dev/null
+++ b/ipmasq/rules/O80firewall.def
@@ -0,0 +1,159 @@
+# You should not edit this file.  Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def.  The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+
+# Packet filter firewall script for ipmasq (GPL)
+#                   By Osamu Aoki <osamu@aokiconsulting.com>
+#
+# Firewall are set for external network connection ports listed in $EXTERNAL
+# Little consideration taken for shared port.
+#
+echo "# Firewall for outgoing packets"
+###############################################################################
+# QUIET ADDRESS (REJECT for internal request) RULES
+if [ -n "$EXTERNAL" ]; then
+    for i in $EXTERNAL; do
+        ipnm_cache $i
+        for j in $QADDR; do
+	    case $MASQMETHOD in
+	    ipfwadm)
+	        $IPFWADM -O -a reject -W ${i%%:*} -D $j
+	        ;;
+	    ipchains)
+	        $IPCHAINS --no-warnings -A output -j REJECT -i ${i%%:*} -d $j
+	        ;;
+	    netfilter)
+	        $IPTABLES -A OUTPUT -j REJECT -o ${i%%:*} -d $j
+	        ;;
+	    esac
+        done
+    done
+fi
+
+###############################################################################
+# ALLOW OUTPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+    for i in $EXTERNAL; do
+        ipnm_cache $i
+        for j in $ATCPSVR; do
+	    case $MASQMETHOD in
+	    ipfwadm)
+	        $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P tcp
+	        ;;
+	    ipchains)
+	        $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p tcp
+	        ;;
+	    netfilter)
+	        $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p tcp --source-port $j
+	        ;;
+	    esac
+        done
+    done
+fi
+
+# ALLOW OUTPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+    for i in $EXTERNAL; do
+        ipnm_cache $i
+        for j in $AUDPSVR; do
+	    case $MASQMETHOD in
+	    ipfwadm)
+	        $IPFWADM -O -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF $j -P udp
+	        ;;
+	    ipchains)
+	        $IPCHAINS -A output -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF $j -p udp
+	        ;;
+	    netfilter)
+	        $IPTABLES -A OUTPUT -j ACCEPT -o ${i%%:*} -s $IPOFIF/$NMOFIF -p udp --source-port $j
+	        ;;
+	    esac
+        done
+    done
+fi
+
+###############################################################################
+# QUIET OUTPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+    for i in $EXTERNAL; do
+        ipnm_cache $i
+        for j in $QTCPSVR; do
+	    case $MASQMETHOD in
+	    ipfwadm)
+	        $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp
+	        ;;
+	    ipchains)
+	        $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp
+	        ;;
+	    netfilter)
+	        $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
+	        ;;
+	    esac
+        done
+    done
+fi
+
+# QUIET OUTPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+    for i in $EXTERNAL; do
+        ipnm_cache $i
+        for j in $QUDPSVR; do
+	    case $MASQMETHOD in
+	    ipfwadm)
+	        $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp
+	        ;;
+	    ipchains)
+	        $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp
+	        ;;
+	    netfilter)
+	        $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
+	        ;;
+	    esac
+        done
+    done
+fi
+
+###############################################################################
+# DENY OUTPUT TCP RULES
+if [ -n "$EXTERNAL" ]; then
+    for i in $EXTERNAL; do
+        ipnm_cache $i
+        for j in $DTCPSVR; do
+	    case $MASQMETHOD in
+	    ipfwadm)
+	        $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P tcp -o
+	        ;;
+	    ipchains)
+	        $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p tcp -l
+	        ;;
+	    netfilter)
+	        $IPTABLES -A OUTPUT -j LOG  -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
+	        $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p tcp --source-port $j
+	        ;;
+	    esac
+        done
+    done
+fi
+
+# DENY OUTPUT UDP RULES
+if [ -n "$EXTERNAL" ]; then
+    for i in $EXTERNAL; do
+        ipnm_cache $i
+        for j in $DUDPSVR; do
+	    case $MASQMETHOD in
+	    ipfwadm)
+	        $IPFWADM -O -a deny -W ${i%%:*} -S 0.0.0.0/0 $j -P udp -o
+	        ;;
+	    ipchains)
+	        $IPCHAINS --no-warnings -A output -j DENY -i ${i%%:*} -s 0.0.0.0/0 $j -p udp -l
+	        ;;
+	    netfilter)
+	        $IPTABLES -A OUTPUT -j LOG  -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
+	        $IPTABLES -A OUTPUT -j DROP -o ${i%%:*} -s 0.0.0.0/0 -p udp --source-port $j
+	        ;;
+	    esac
+        done
+    done
+fi
+echo "#"