Correct version of firewall script

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@234 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-09-02 20:51:00 +00:00
parent 4c9ce990a8
commit 3a107844d5


@ -200,7 +200,6 @@ createchain() # $1 = chain name, $2 = If non-null, don't create default rules
state="ESTABLISHED" state="ESTABLISHED"
[ -n "$ALLOWRELATED" ] && state="$state,RELATED" [ -n "$ALLOWRELATED" ] && state="$state,RELATED"
run_iptables -A $1 -m state --state $state -j ACCEPT run_iptables -A $1 -m state --state $state -j ACCEPT
[ -z "$NEWNOTSYN" ] && \
run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn run_iptables -A $1 -m state --state NEW -p tcp !--syn -j newnotsyn
fi fi
@ -2397,10 +2396,6 @@ setup_masq()
interface="${interface%:*}" interface="${interface%:*}"
fi fi
if ! list_search $interface $all_interfaces; then
fatal_error "Error: Unknown interface $interface"
fi
if [ "$subnet" = "${subnet%!*}" ]; then if [ "$subnet" = "${subnet%!*}" ]; then
nomasq= nomasq=
else else
@ -2731,14 +2726,12 @@ initialize_netfilter () {
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
run_user_exit newnotsyn run_user_exit newnotsyn
[ -n "$LOGNEWNOTSYN" ] && \ [ -n "$LOGNEWNOTSYN" ] && \
run_iptables -A newnotsyn -j LOG \ run_iptables -A newnotsyn -j LOG \
--log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN --log-prefix "Shorewall:newnotsyn:DROP:" --log-level $LOGNEWNOTSYN
run_iptables -A newnotsyn -j DROP run_iptables -A newnotsyn -j DROP
fi
createchain icmpdef no createchain icmpdef no
createchain common no createchain common no
@ -2836,7 +2829,7 @@ add_common_rules() {
# PING # PING
# #
[ -n "$FORWARDPING" ] && \ [ -n "$FORWARDPING" ] && \
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################ ############################################################################
# Common ICMP rules # Common ICMP rules
# #
@ -3310,6 +3303,11 @@ refresh_firewall()
run_iptables -F common run_iptables -F common
echo "Adding Common Rules" echo "Adding Common Rules"
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################ ############################################################################
# Common rules in each chain # Common rules in each chain
# #
@ -3418,7 +3416,6 @@ do_initialize() {
DETECT_DNAT_IPADDRS= DETECT_DNAT_IPADDRS=
MERGE_HOSTS= MERGE_HOSTS=
MUTEX_TIMEOUT= MUTEX_TIMEOUT=
NEWNOTSYN=
LOGNEWNOTSYN= LOGNEWNOTSYN=
FORWARDPING= FORWARDPING=
stopping= stopping=
@ -3498,7 +3495,6 @@ do_initialize() {
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS` MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING` FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`
} }
################################################################################ ################################################################################
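Review bot: In the setup_masq hunk the interface taken from a masq entry is no longer checked against $all_interfaces, so a mistyped or undeclared interface name is accepted silently; since iptables does not require the name given to `-o` to exist, the resulting masquerade rule would, as far as I can tell, simply never match instead of stopping the script with `fatal_error` as before. If masq interfaces are deliberately allowed to differ from the interfaces file, a comment at that point such as `# masq interfaces are intentionally not validated against $all_interfaces` would keep the next reader from re-adding the check; otherwise the validation should come back. Separately, the FORWARDPING rule `[ -n "$FORWARDPING" ] && run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT` now appears verbatim in both add_common_rules and refresh_firewall (reading `common` as the new side in add_common_rules), so the two copies can drift; a small helper called from both places would keep the running ruleset and the refreshed one identical. setup_masq and refresh_firewall both start and end outside their hunks.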