As suggested by Florian Thiel <thiel@ksan.de>:

a. Fixed service IRC to work on TCP instead of UDP. b. Added services: UUCP, VNC, WEBCACHE, IMAPS, IKE. Also fixed the home-router.conf example (it was outdated).
2024-06-29 18:32:16 +00:00 · 2002-11-30 14:33:33 +00:00 · 2002-11-30 14:33:33 +00:00 · e3d2e9d43c
commit e3d2e9d43c
parent bfa1b9a25f
2 changed files with 104 additions and 93 deletions
--- a/examples/home-router.conf
+++ b/examples/home-router.conf
@ -1,13 +1,20 @@
 #
-# $Id: home-router.conf,v 1.2 2002/10/27 12:47:48 ktsaou Exp $
+# $Id: home-router.conf,v 1.3 2002/11/30 14:33:33 ktsaou Exp $
 #
 # $Log: home-router.conf,v $
+# Revision 1.3  2002/11/30 14:33:33  ktsaou
+# As suggested by Florian Thiel <thiel@ksan.de>:
+# a. Fixed service IRC to work on TCP instead of UDP.
+# b. Added services: UUCP, VNC, WEBCACHE, IMAPS, IKE.
+#
+# Also fixed the home-router.conf example (it was outdated).
+#
 # Revision 1.2  2002/10/27 12:47:48  ktsaou
 # Added CVS versioning to all files.
 #
 #

-version 1
+version 5

 # ----------------------------------------------------------
 # Custom Rules
@ -23,34 +30,15 @@ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 ! -d 1.1.1.1 -j REDIRECT
 # Some definitions, you can define whatever you like...
 # ----------------------------------------------------------
 # The IP address space on our LAN
-tsaousis="1.1.1.1/28"
+lan="1.1.1.1/28"

 # The tructed IPs from our office
 secure="2.2.2.2/32"


-# ----------------------------------------------------------
-# IMPORTANT NOTE:
-# ----------------------------------------------------------
-# This script has a very simple rule:
-# INPUT or SOURCE (inface, src, etc) always refers to the CLIENT.
-# OUTPUT or DESTINATION (outface, dst, etc) always refers to the SERVER.
-#
-# So, when you say:
-#                 interface ppp0 myname src x.y.z.w/m
-# you are matching all CLIENTS comming from ppp0, AND from the x.y.z.w/m network.
-#
-# Similarly, when you say:
-#               router myclients inface eth0 outface ppp0
-# you are matching all CLIENTS on eth0 trying to use services from ppp0
-# while, with:
-#               router myservers inface ppp0 outface eth0
-# you are matching all CLIENTS on ppp0 trying to use services from eth0
-# ----------------------------------------------------------
-
 # Give the name "internet" to everything comming from ppp+
 # making sure they don't have our LAN IP addresses.
-interface ppp+ internet src not "${tsaousis}"
+interface ppp+ internet src not "${lan}"
 	policy drop			# This is also the default
 	protection strong 1/sec 1	# Also, limit incoming reqs to 1/sec
 	
@ -72,6 +60,5 @@ interface eth0 home

 # Give the name "router" to all requests comming from eth0 AND our local IP
 # address space, and going out to ppp+
-router router inface eth0 outface ppp+ src "${tsaousis}"
-	policy		drop		# This is also the default
+router router inface eth0 outface ppp+ src "${lan}"
 	route all	accept		# Accept all client from eth0 to ppp+
--- a/firehol.sh
+++ b/firehol.sh
@ -10,9 +10,16 @@
 #
 # config: /etc/firehol.conf
 #
-# $Id: firehol.sh,v 1.18 2002/11/03 13:17:39 ktsaou Exp $
+# $Id: firehol.sh,v 1.19 2002/11/30 14:33:33 ktsaou Exp $
 #
 # $Log: firehol.sh,v $
+# Revision 1.19  2002/11/30 14:33:33  ktsaou
+# As suggested by Florian Thiel <thiel@ksan.de>:
+# a. Fixed service IRC to work on TCP instead of UDP.
+# b. Added services: UUCP, VNC, WEBCACHE, IMAPS, IKE.
+#
+# Also fixed the home-router.conf example (it was outdated).
+#
 # Revision 1.18  2002/11/03 13:17:39  ktsaou
 # Minor aesthetic changes.
 #
@ -324,57 +331,23 @@ work_created_chains=
 # The following are definitions for simple services.
 # We define as "simple" the services that are implemented using a single socket,
 # initiated by the client and used by the server.
-
-server_echo_ports="tcp/echo"
-client_echo_ports="default"
+# The following list is sorted by service name.

 server_daytime_ports="tcp/daytime"
 client_daytime_ports="default"

-server_finger_ports="tcp/finger"
-client_finger_ports="default"
-
-server_rndc_ports="tcp/rndc"
-client_rndc_ports="default"
-
-server_nntp_ports="tcp/nntp"
-client_nntp_ports="default"
-
-server_smtp_ports="tcp/smtp"
-client_smtp_ports="default"
-
-server_ident_ports="tcp/auth"
-client_ident_ports="default"
-
-server_imap_ports="tcp/imap"
-client_imap_ports="default"
-
-server_pop3_ports="tcp/pop3"
-client_pop3_ports="default"
-
-server_ssh_ports="tcp/ssh"
-client_ssh_ports="default"
-
-server_telnet_ports="tcp/telnet"
-client_telnet_ports="default"
-
-# TFTP is more complicated than this.
-# TFTP communicates through high ports. The problem is that there is
-# no relevant iptables module in most distributions.
-server_tftp_ports="udp/tftp"
-client_tftp_ports="default"
-
-server_irc_ports="udp/ircd"
-client_irc_ports="default"
-require_irc_modules="ip_conntrack_irc"
-require_irc_nat_modules="ip_nat_irc"
-ALL_SHOULD_ALSO_RUN="${ALL_SHOULD_ALSO_RUN} irc"
-
 server_dhcp_ports="udp/bootps"
 client_dhcp_ports="bootpc"

-server_ldap_ports="tcp/ldap"
-client_ldap_ports="default"
+server_echo_ports="tcp/echo"
+client_echo_ports="default"
+
+server_finger_ports="tcp/finger"
+client_finger_ports="default"
+
+# We assume heartbeat uses ports in the range 690 to 699
+server_heartbeat_ports="udp/690:699"
+client_heartbeat_ports="default"

 server_http_ports="tcp/http"
 client_http_ports="default"
@ -382,17 +355,32 @@ client_http_ports="default"
 server_https_ports="tcp/https"
 client_https_ports="default"

-server_mysql_ports="tcp/mysql"
-client_mysql_ports="default"
+server_ident_ports="tcp/auth"
+client_ident_ports="default"
+
+server_ike_ports="udp/500"
+client_ike_ports="default"
+
+server_imap_ports="tcp/imap"
+client_imap_ports="default"
+
+server_imaps_ports="tcp/imaps"
+client_imaps_ports="default"
+
+server_irc_ports="tcp/ircd"
+client_irc_ports="default"
+require_irc_modules="ip_conntrack_irc"
+require_irc_nat_modules="ip_nat_irc"
+ALL_SHOULD_ALSO_RUN="${ALL_SHOULD_ALSO_RUN} irc"
+
+server_ldap_ports="tcp/ldap"
+client_ldap_ports="default"

 server_lpd_ports="tcp/printer"
 client_lpd_ports="default"

-server_radius_ports="udp/radius udp/radius-acct"
-client_radius_ports="default"
-
-server_radiusold_ports="udp/1645 udp/1646"
-client_radiusold_ports="default"
+server_mysql_ports="tcp/mysql"
+client_mysql_ports="default"

 server_netbios_ns_ports="udp/netbios-ns"
 client_netbios_ns_ports="default udp/netbios-ns"
@ -403,14 +391,58 @@ client_netbios_dgm_ports="default netbios-dgm"
 server_netbios_ssn_ports="tcp/netbios-ssn"
 client_netbios_ssn_ports="default"

-server_syslog_ports="udp/syslog"
-client_syslog_ports="syslog"
+server_nntp_ports="tcp/nntp"
+client_nntp_ports="default"
+
+server_ntp_ports="udp/ntp tcp/ntp"
+client_ntp_ports="ntp default"
+
+server_pop3_ports="tcp/pop3"
+client_pop3_ports="default"
+
+# Portmap clients appear to use ports bellow 1024
+server_portmap_ports="udp/sunrpc tcp/sunrpc"
+client_portmap_ports="500:65535"
+
+server_radius_ports="udp/radius udp/radius-acct"
+client_radius_ports="default"
+
+server_radiusold_ports="udp/1645 udp/1646"
+client_radiusold_ports="default"
+
+server_rndc_ports="tcp/rndc"
+client_rndc_ports="default"
+
+server_rsync_ports="tcp/rsync udp/rsync"
+client_rsync_ports="default"
+
+server_smtp_ports="tcp/smtp"
+client_smtp_ports="default"

 server_snmp_ports="udp/snmp"
 client_snmp_ports="default"

-server_rsync_ports="tcp/rsync udp/rsync"
-client_rsync_ports="default"
+server_ssh_ports="tcp/ssh"
+client_ssh_ports="default"
+
+# Sun RCP is an alias for service portmap
+server_sunrpc_ports="${server_portmap_ports}"
+client_sunrpc_ports="${client_portmap_ports}"
+
+server_syslog_ports="udp/syslog"
+client_syslog_ports="syslog"
+
+server_telnet_ports="tcp/telnet"
+client_telnet_ports="default"
+
+# TFTP is more complicated than this.
+# TFTP communicates through high ports. The problem is that there is
+# no relevant iptables module in most distributions.
+server_tftp_ports="udp/tftp"
+client_tftp_ports="default"
+
+server_uucp_ports="tcp/uucp"
+client_uucp_ports="default"

 server_vmware_ports="tcp/902"
 client_vmware_ports="default"
@ -421,19 +453,11 @@ client_vmwareauth_ports="default"
 server_vmwareweb_ports="tcp/8222"
 client_vmwareweb_ports="default"

-server_ntp_ports="udp/ntp tcp/ntp"
-client_ntp_ports="ntp default"
+server_vnc_ports="tcp/5900:5903"
+client_vnc_ports="default"

-# Portmap clients appear to use ports bellow 1024
-server_portmap_ports="udp/sunrpc tcp/sunrpc"
-client_portmap_ports="500:65535"
-
-server_sunrpc_ports="${server_portmap_ports}"
-client_sunrpc_ports="${client_portmap_ports}"
-
-# We assume heartbeat uses ports in the range 690 to 699
-server_heartbeat_ports="udp/690:699"
-client_heartbeat_ports="default"
+server_webcache_ports="tcp/webcache"
+client_webcache_ports="default"


 # ------------------------------------------------------------------------------