From 529182b23e3849b7717e8f6f741d9dd7cbc57bcf Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Tue, 18 Sep 2001 08:51:02 +0000
Subject: Added ipmasq/rules/*
---
ipmasq/rules/A01interfaces.rul | 19 +++++++++++++++++++
ipmasq/rules/A10dhcpcd.rul | 31 +++++++++++++++++++++++++++++++
ipmasq/rules/A10dhcpd.rul | 30 ++++++++++++++++++++++++++++++
ipmasq/rules/Z91kerneldynaddr.rul | 11 +++++++++++
ipmasq/rules/Z99windows-smb-broadcast.rul | 27 +++++++++++++++++++++++++++
5 files changed, 118 insertions(+)
create mode 100644 ipmasq/rules/A01interfaces.rul
create mode 100644 ipmasq/rules/A10dhcpcd.rul
create mode 100644 ipmasq/rules/A10dhcpd.rul
create mode 100644 ipmasq/rules/Z91kerneldynaddr.rul
create mode 100644 ipmasq/rules/Z99windows-smb-broadcast.rul
(limited to 'ipmasq/rules')
diff --git a/ipmasq/rules/A01interfaces.rul b/ipmasq/rules/A01interfaces.rul
new file mode 100644
index 0000000..56808c6
--- /dev/null
+++ b/ipmasq/rules/A01interfaces.rul
@@ -0,0 +1,19 @@
+# You should not edit this file. Instead, create a file with the same
+# name as this one, but with a .rul extension instead of .def. The
+# .rul file will override this one.
+#
+# However, any changes you make to this file will be preserved.
+#
+# Correction:
+# Ignore irda interfaces as well.
+# Jonas Smedegaard Sat, 17 Jun 2000 15:10:17 +0200
+# find interface names
+EXTERNAL=$(default-if | sort -u)
+INTERNAL=$(enumerate-if | sort -u | grep -v lo | grep -v irda)
+if [ -n "$EXTERNAL" ]; then
+ for i in $EXTERNAL; do
+ INTERNAL=$(echo $INTERNAL | sed -e s/$i//)
+ done
+fi
+
diff --git a/ipmasq/rules/A10dhcpcd.rul b/ipmasq/rules/A10dhcpcd.rul
new file mode 100644
index 0000000..5ac66a1
--- /dev/null
+++ b/ipmasq/rules/A10dhcpcd.rul
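Review bot: The interface partition is done with unanchored substring matching — `grep -v lo` drops every name that merely contains "lo", and `sed -e s/$i//` removes the external name wherever it occurs inside another name (EXTERNAL=eth1 would turn an internal eth10 into 0) — and since the other rule files in this commit install ACCEPT rules per entry of $INTERNAL, a wrong partition opens rules on the wrong interface. Match whole names instead: `INTERNAL=$(enumerate-if | sort -u | grep -v '^lo' | grep -v '^irda')` and, inside the loop, `INTERNAL=$(echo $INTERNAL | tr ' ' '\n' | grep -vx -- "$i")`. The header comment is copied from the .def template and tells the reader not to edit "this file" but to create a .rul instead, although this file already is the .rul; replace it with a one-line description such as `# Compute EXTERNAL (default-route interfaces) and INTERNAL (all other interfaces except lo and irda*)`.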
@@ -0,0 +1,31 @@
+# From Kalle Olavi Niemitalo :
+
+# Here's my /etc/ipmasq/rules/A10dhcpd.rul file in case you'd
+# like to add it in the examples directory. It's somewhat
+# stricter than /usr/doc/ipmasq/examples/Z99dhcpd.rul. Also, I'm
+# using priority A10 rather than Z99 because some of my other
+# rules would reject the packets.
+#
+# This works with dhcp_1.0.2-0.1 and the Windows 95 DHCP client.
+# The ipfwadm invocations are untested.
+
+if [ -n "$INTERNAL" ]; then
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -i accept -S 0.0.0.0/0 67 -D 255.255.255.255/32 68 -W $i -P udp
+# $IPFWADM -O -i accept -S $IPOFIF/32 68 -D 255.255.255.255/32 67 -W $i -P udp
+ ;;
+ ipchains)
+ $IPCHAINS -I input -j ACCEPT -s 0.0.0.0/0 67 -d 255.255.255.255/32 68 -i $i -p udp
+# $IPCHAINS -I output -j ACCEPT -s $IPOFIF/32 68 -d 255.255.255.255/32 67 -i $i -p udp
+ ;;
+ iptables)
+ $IPTABLES -I INPUT -j ACCEPT -s 0.0.0.0/0 67 -d 255.255.255.255/32 68 -i $i -p udp
+# $IPTABLES -I OUTPUT -j ACCEPT -s $IPOFIF/32 68 -d 255.255.255.255/32 67 -i $i -p udp
+ ;;
+ esac
+ done
+fi
+
diff --git a/ipmasq/rules/A10dhcpd.rul b/ipmasq/rules/A10dhcpd.rul
new file mode 100644
index 0000000..7be8c1e
--- /dev/null
+++ b/ipmasq/rules/A10dhcpd.rul
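Review bot: The $IPTABLES line uses ipchains port syntax — `-s 0.0.0.0/0 67 -d 255.255.255.255/32 68` — which iptables does not accept; ports have to be given as `--sport`/`--dport` after `-p udp`, i.e. `$IPTABLES -I INPUT -j ACCEPT -p udp -s 0.0.0.0/0 --sport 67 -d 255.255.255.255/32 --dport 68 -i $i`. The same applies to both $IPTABLES lines in the A10dhcpd.rul hunk below. This file also labels the arm `iptables)` while A10dhcpd.rul and Z99windows-smb-broadcast.rul use `netfilter)`; if $MASQMETHOD is set to netfilter, as those two files assume, this arm never runs and the rule is silently missing on iptables systems. The header comment is the one from A10dhcpd.rul (it names that file and describes a DHCP server setup), so it should be rewritten for this file, which presumably accepts DHCP server replies (source port 67 to broadcast port 68) on the internal interfaces for a dhcpcd client running on this host.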
@@ -0,0 +1,30 @@
+# From Kalle Olavi Niemitalo :
+
+# Here's my /etc/ipmasq/rules/A10dhcpd.rul file in case you'd
+# like to add it in the examples directory. It's somewhat
+# stricter than /usr/doc/ipmasq/examples/Z99dhcpd.rul. Also, I'm
+# using priority A10 rather than Z99 because some of my other
+# rules would reject the packets.
+#
+# This works with dhcp_1.0.2-0.1 and the Windows 95 DHCP client.
+# The ipfwadm invocations are untested.
+
+if [ -n "$INTERNAL" ]; then
+ for i in $INTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ $IPFWADM -I -i accept -S 0.0.0.0/32 68 -D 255.255.255.255/32 67 -W $i -P udp
+ $IPFWADM -O -i accept -S $IPOFIF/32 67 -D 255.255.255.255/32 68 -W $i -P udp
+ ;;
+ ipchains)
+ $IPCHAINS -I input -j ACCEPT -s 0.0.0.0/32 68 -d 255.255.255.255/32 67 -i $i -p udp
+ $IPCHAINS -I output -j ACCEPT -s $IPOFIF/32 67 -d 255.255.255.255/32 68 -i $i -p udp
+ ;;
+ netfilter)
+ $IPTABLES -I INPUT -j ACCEPT -s 0.0.0.0/32 68 -d 255.255.255.255/32 67 -i $i -p udp
+ $IPTABLES -I OUTPUT -j ACCEPT -s $IPOFIF/32 67 -d 255.255.255.255/32 68 -i $i -p udp
+ esac
+ done
+fi
+
diff --git a/ipmasq/rules/Z91kerneldynaddr.rul b/ipmasq/rules/Z91kerneldynaddr.rul
new file mode 100644
index 0000000..4b25add
--- /dev/null
+++ b/ipmasq/rules/Z91kerneldynaddr.rul
@@ -0,0 +1,11 @@
+# turn on the kernel's notion of dynamic addressing
+if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
+ if [ "$NOACT" != "yes" ]; then
+ echo "1" > /proc/sys/net/ipv4/ip_dynaddr
+ fi
+
+ if [ "$SHOWRULES" = "yes" ]; then
+ echo "echo \"1\" > /proc/sys/net/ipv4/ip_dynaddr"
+ fi
+fi
+
diff --git a/ipmasq/rules/Z99windows-smb-broadcast.rul b/ipmasq/rules/Z99windows-smb-broadcast.rul
new file mode 100644
index 0000000..836d825
--- /dev/null
+++ b/ipmasq/rules/Z99windows-smb-broadcast.rul
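Review bot: The input rules accept only packets sourced from 0.0.0.0 port 68, which covers the initial DISCOVER/REQUEST of an unconfigured client (the Windows 95 case the header mentions) but not a client renewing or rebinding its lease, which sends from its leased address, nor DHCPINFORM; those packets fall through to whatever later rules deny, which is presumably what "somewhat stricter" means but should be spelled out for whoever reads the logs. Suggest adding below the header: `# Only the initial broadcast exchange (client 0.0.0.0:68 -> 255.255.255.255:67 and the server's broadcast reply) is accepted; renewals and DHCPINFORM from a leased address are left to later rules.` The `netfilter)` arm also ends without `;;` before `esac`, which sh permits but which differs from the two arms above it. The ipchains-style port syntax on the two $IPTABLES lines is raised on the A10dhcpcd.rul hunk above.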
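Review bot: The write to /proc/sys/net/ipv4/ip_dynaddr is unchecked, so when it fails (read-only /proc, not running as root) the setting silently stays off and nothing in the output tells the operator; guard it, e.g. `echo "1" > /proc/sys/net/ipv4/ip_dynaddr || echo "ipmasq: cannot enable ip_dynaddr" >&2`. The header comment says what is toggled but not why; a line such as `# Needed when the external interface gets its address dynamically (dial-up): lets the kernel rewrite the source address of sockets opened before the link came up — confirm this matches the intended setup` would tell a reader whether this rule applies to their configuration.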
@@ -0,0 +1,27 @@
+# Accept Windows SMB broadcasts, so as to avoid spurious syslog entries from
+# ZZZdenyandlog.def
+
+if [ -n "$INTERNAL" -o -n "$EXTERNAL" ]; then
+ for i in $INTERNAL $EXTERNAL; do
+ ipnm_cache $i
+ case $MASQMETHOD in
+ ipfwadm)
+ if [ -n "$BCOFIF" ]; then
+ $IPFWADM -I -a accept -W ${i%%:*} -S $IPOFIF/$NMOFIF -D $BCOFIF/32 137:139
+ fi
+ ;;
+ ipchains)
+ if [ -n "$BCOFIF" ]; then
+ $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 137:139 -p tcp
+ $IPCHAINS -A input -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 137:139 -p udp
+ fi
+ ;;
+ netfilter)
+ if [ -n "$BCOFIF" ]; then
+ $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 -p tcp --dport 137:139
+ $IPTABLES -A INPUT -j ACCEPT -i ${i%%:*} -s $IPOFIF/$NMOFIF -d $BCOFIF/32 -p udp --dport 137:139
+ fi
+ esac
+ done
+fi
+
-- cgit v1.2.3
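Review bot: The loop runs over $EXTERNAL as well as $INTERNAL and uses ACCEPT, although the stated goal is only to keep NetBIOS broadcasts out of the ZZZdenyandlog log; on the external interface that accepts 137–139 traffic from the whole external subnet ($IPOFIF/$NMOFIF) to the broadcast address and delivers it to any local nmbd/smbd, where a silent deny would meet the goal with less exposure. Suggest keeping ACCEPT for $INTERNAL only and adding a non-logging drop for $EXTERNAL, e.g. for netfilter `$IPTABLES -A INPUT -j DROP -i ${i%%:*} -d $BCOFIF/32 -p udp --dport 137:139` plus the tcp counterpart, or at least stating in the header comment that these broadcasts are actually accepted on the external interface. The ipfwadm arm gives the port range `137:139` with no `-P` protocol, unlike the ipchains and netfilter arms which split it into tcp and udp rules; if ipfwadm rejects port specifications without tcp/udp this rule fails, so add `-P udp` and a matching `-P tcp` rule. `[ -n "$INTERNAL" -o -n "$EXTERNAL" ]` uses the deprecated `-o`; `[ -n "$INTERNAL$EXTERNAL" ]` is equivalent.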