[or-cvs] r16344: Revised comments for iptables rules. (incognito/trunk/root_overlay/var/lib/iptables)



Author: anonym
Date: 2008-08-01 21:07:30 -0400 (Fri, 01 Aug 2008)
New Revision: 16344

Modified:
   incognito/trunk/root_overlay/var/lib/iptables/rules-save
Log:
Revised comments for iptables rules.


Modified: incognito/trunk/root_overlay/var/lib/iptables/rules-save
===================================================================
--- incognito/trunk/root_overlay/var/lib/iptables/rules-save	2008-08-02 00:20:01 UTC (rev 16343)
+++ incognito/trunk/root_overlay/var/lib/iptables/rules-save	2008-08-02 01:07:30 UTC (rev 16344)
@@ -1,45 +1,43 @@
-# Generated by iptables-save v1.3.8 on Wed Jan 16 02:17:09 2008
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 
-# Established connections are accepted
+# Established connections are accepted.
 [0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
-# Local networks should not go through Tor
+# Local network connections should not fo through Tor.
 [0:0] -A OUTPUT -d 192.168.0.0/255.255.0.0 -j ACCEPT
 [0:0] -A OUTPUT -d 10.0.0.0/255.0.0.0 -j ACCEPT
 [0:0] -A OUTPUT -d 172.16.0.0/255.240.0.0 -j ACCEPT
 [0:0] -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
 
-# Tor is allowed to do anything it wants to, everything else is dropped
+# Tor is allowed to do anything it wants to, everything else is dropped.
 [0:0] -A OUTPUT -m owner --uid-owner tor -j ACCEPT
 [0:0] -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
 
 COMMIT
-# Completed on Wed Jan 16 02:17:09 2008
-# Generated by iptables-save v1.3.8 on Wed Jan 16 02:17:09 2008
+
 *nat
 :PREROUTING ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 
-# Local networks should not go through Tor
+# Local network connections should not fo through Tor. Note that we
+# exclude the VirtualAddrNetwork used for .onion:s here.
 [0:0] -A OUTPUT -d 192.168.0.0/255.255.0.0 -j RETURN
 [0:0] -A OUTPUT -d 10.0.0.0/255.0.0.0 -j RETURN
 [0:0] -A OUTPUT -d 172.16.0.0/255.240.0.0 -j RETURN
 [0:0] -A OUTPUT -d 127.0.0.0/255.128.0.0 -j RETURN
 [0:0] -A OUTPUT -d 127.128.0.0/255.192.0.0 -j RETURN
 
-# Tor is allowed to do anything it wants to
-[0:0] -A OUTPUT -m owner --uid-owner tor -j ACCEPT
+# Tor is allowed to do anything it wants to.
+[0:0] -A OUTPUT -m owner --uid-owner tor -j RETURN
 
-# .onion mapped addresses redirection to Tor
+# .onion mapped addresses redirection to Tor.
 [0:0] -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
 
-# Redirect all remaining TCP traffic to Tor
+# Redirect all remaining TCP traffic to Tor.
 [0:0] -A OUTPUT -o ! lo -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination 127.0.0.1:9040
 
 COMMIT
-# Completed on Wed Jan 16 02:17:09 2008
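Review bot: the revised comment `# Local network connections should not fo through Tor.` (added in both the *filter and *nat sections) carries a typo, "fo" for "go", so a comment-only revision introduces a new error where it meant to polish; suggest `# Local network connections should not go through Tor.` in both places. The appended *nat note "we exclude the VirtualAddrNetwork used for .onion:s here" is also easy to misread, since the two RETURN rules for 127.0.0.0/255.128.0.0 and 127.128.0.0/255.192.0.0 deliberately leave 127.192.0.0/10 out of the loopback exemption so that the `-d 127.192.0.0/255.192.0.0 ... -j DNAT` rule further down still matches it; saying that explicitly (for example "127.192.0.0/10 is left out of this exemption on purpose: it is the VirtualAddrNetwork for .onion addresses and must reach the DNAT rule below") would make the intent clear to the next reader. Finally, the `--uid-owner tor` rule in *nat changes from `-j ACCEPT` to `-j RETURN`; with the chain policy `:OUTPUT ACCEPT` the effect is the same and RETURN is the conventional target for a nat exemption, but this is a rule change rather than a comment change and the log message "Revised comments for iptables rules." should mention it.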