
[or-cvs] r14858: Remove stuff that we don't need and add two iptables firewal (in torwall/trunk: . iptable-state src)



Author: ioerror
Date: 2008-05-31 03:38:55 -0400 (Sat, 31 May 2008)
New Revision: 14858

Added:
   torwall/trunk/iptable-state/
   torwall/trunk/iptable-state/iptables-accept-all
   torwall/trunk/iptable-state/torrules
Removed:
   torwall/trunk/autom4te.cache/
   torwall/trunk/src/.deps/
Log:
Remove stuff that we don't need and add two iptables firewalls that aren't entirely useful but are good placeholders.


Added: torwall/trunk/iptable-state/iptables-accept-all
===================================================================
--- torwall/trunk/iptable-state/iptables-accept-all	                        (rev 0)
+++ torwall/trunk/iptable-state/iptables-accept-all	2008-05-31 07:38:55 UTC (rev 14858)
@@ -0,0 +1,7 @@
+# Generated by iptables-save v1.3.6 on Fri May 30 21:13:01 2008
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Fri May 30 21:13:01 2008
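Review bot: This file is not just a placeholder, it is an active policy: the three `:INPUT ACCEPT`, `:FORWARD ACCEPT` and `:OUTPUT ACCEPT` lines with no rules behind them mean that feeding it to `iptables-restore` replaces whatever is currently in the `filter` table with an allow-everything configuration (`iptables-restore` flushes each table listed in the file unless `--noflush` is given). Since the stated purpose of torwall is to constrain traffic, a one-line comment at the top naming this as the "firewall off" state, and a note that `nat`, `mangle` and `raw` are left untouched because they are not listed here, would keep someone from loading it thinking it is a starting ruleset.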

Added: torwall/trunk/iptable-state/torrules
===================================================================
--- torwall/trunk/iptable-state/torrules	                        (rev 0)
+++ torwall/trunk/iptable-state/torrules	2008-05-31 07:38:55 UTC (rev 14858)
@@ -0,0 +1,201 @@
+# Generated by iptables-save v1.3.3 on Wed Feb 27 16:02:36 2008
+*raw
+:PREROUTING ACCEPT [83389:68605019]
+:OUTPUT ACCEPT [37909:2510292]
+COMMIT
+# Completed on Wed Feb 27 16:02:36 2008
+# Generated by iptables-save v1.3.3 on Wed Feb 27 16:02:36 2008
+*mangle
+:PREROUTING ACCEPT [83389:68605019]
+:INPUT ACCEPT [69009:66868847]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [37909:2510292]
+:POSTROUTING ACCEPT [37839:2506220]
+:tcfor - [0:0]
+:tcout - [0:0]
+:tcpost - [0:0]
+:tcpre - [0:0]
+-A PREROUTING -m state --state NEW -j LOG --log-prefix "Shorewall:mangle:PREROUTING:" --log-level 7 
+-A PREROUTING -j tcpre 
+-A INPUT -m state --state NEW -j LOG --log-prefix "Shorewall:mangle:INPUT:" --log-level 7 
+-A FORWARD -m state --state NEW -j LOG --log-prefix "Shorewall:mangle:FORWARD:" --log-level 7 
+-A FORWARD -j tcfor 
+-A OUTPUT -j tcout 
+-A POSTROUTING -m state --state NEW -j LOG --log-prefix "Shorewall:mangle:POSTROUTING:" --log-level 7 
+-A POSTROUTING -j tcpost 
+COMMIT
+# Completed on Wed Feb 27 16:02:36 2008
+# Generated by iptables-save v1.3.3 on Wed Feb 27 16:02:36 2008
+*nat
+:PREROUTING ACCEPT [29537:4154131]
+:POSTROUTING ACCEPT [3294:259343]
+:OUTPUT ACCEPT [3348:262583]
+-A PREROUTING -m state --state NEW -j LOG --log-prefix "Shorewall:nat:PREROUTING:" --log-level 7 
+-A POSTROUTING -m state --state NEW -j LOG --log-prefix "Shorewall:nat:POSTROUTING:" --log-level 7 
+-A OUTPUT -m state --state NEW -j LOG --log-prefix "Shorewall:nat:OUTPUT:" --log-level 7 
+COMMIT
+# Completed on Wed Feb 27 16:02:36 2008
+# Generated by iptables-save v1.3.3 on Wed Feb 27 16:02:36 2008
+*filter
+:Drop - [0:0]
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:Reject - [0:0]
+:all2all - [0:0]
+:dropBcast - [0:0]
+:dropInvalid - [0:0]
+:dropNotSyn - [0:0]
+:dynamic - [0:0]
+:eth0_fwd - [0:0]
+:eth0_in - [0:0]
+:fw2all - [0:0]
+:fw2fw - [0:0]
+:fw2net - [0:0]
+:logflags - [0:0]
+:net2all - [0:0]
+:net2fw - [0:0]
+:net2net - [0:0]
+:reject - [0:0]
+:shorewall - [0:0]
+:smurfs - [0:0]
+:tcpflags - [0:0]
+-A Drop -p tcp -m tcp --dport 113 -j reject 
+-A Drop -j dropBcast 
+-A Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT 
+-A Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT 
+-A Drop -j dropInvalid 
+-A Drop -p udp -m multiport --dports 135,445 -j DROP 
+-A Drop -p udp -m udp --dport 137:139 -j DROP 
+-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP 
+-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP 
+-A Drop -p udp -m udp --dport 1900 -j DROP 
+-A Drop -p tcp -j dropNotSyn 
+-A Drop -p udp -m udp --sport 53 -j DROP 
+-A INPUT -m state --state NEW -j LOG --log-prefix "Shorewall:filter:INPUT:" --log-level 7 
+-A INPUT -i lo -j ACCEPT 
+-A INPUT -i eth0 -j eth0_in 
+-A INPUT -j Drop 
+-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6 
+-A INPUT -j DROP 
+-A FORWARD -m state --state NEW -j LOG --log-prefix "Shorewall:filter:FORWARD:" --log-level 7 
+-A FORWARD -i eth0 -j eth0_fwd 
+-A FORWARD -j Drop 
+-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6 
+-A FORWARD -j DROP 
+-A OUTPUT -m state --state NEW -j LOG --log-prefix "Shorewall:filter:OUTPUT:" --log-level 7 
+-A OUTPUT -o eth0 -j fw2net 
+-A OUTPUT -o lo -j fw2fw 
+-A OUTPUT -j Drop 
+-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:DROP:" --log-level 6 
+-A OUTPUT -j DROP 
+-A Reject -p tcp -m tcp --dport 113 -j reject 
+-A Reject -j dropBcast 
+-A Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT 
+-A Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT 
+-A Reject -j dropInvalid 
+-A Reject -p udp -m multiport --dports 135,445 -j reject 
+-A Reject -p udp -m udp --dport 137:139 -j reject 
+-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject 
+-A Reject -p tcp -m multiport --dports 135,139,445 -j reject 
+-A Reject -p udp -m udp --dport 1900 -j DROP 
+-A Reject -p tcp -j dropNotSyn 
+-A Reject -p udp -m udp --sport 53 -j DROP 
+-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A all2all -j Drop 
+-A all2all -j LOG --log-prefix "Shorewall:all2all:DROP:" --log-level 6 
+-A all2all -j DROP 
+-A dropBcast -m pkttype --pkt-type broadcast -j DROP 
+-A dropBcast -m pkttype --pkt-type multicast -j DROP 
+-A dropInvalid -m state --state INVALID -j DROP 
+-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP 
+-A eth0_fwd -m state --state INVALID,NEW -j dynamic 
+-A eth0_fwd -m state --state INVALID,NEW -j smurfs 
+-A eth0_fwd -p tcp -j tcpflags 
+-A eth0_in -m state --state INVALID,NEW -j dynamic 
+-A eth0_in -m state --state INVALID,NEW -j smurfs 
+-A eth0_in -p tcp -j tcpflags 
+-A eth0_in -j net2fw 
+-A fw2all -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A fw2all -j Drop 
+-A fw2all -j LOG --log-prefix "Shorewall:fw2all:DROP:" --log-level 6 
+-A fw2all -j DROP 
+-A fw2fw -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A fw2fw -p tcp -m tcp --dport 9050 -j ACCEPT 
+-A fw2fw -p tcp -m tcp --dport 8118 -j ACCEPT 
+-A fw2fw -j Drop 
+-A fw2fw -j LOG --log-prefix "Shorewall:fw2fw:DROP:" --log-level 6 
+-A fw2fw -j DROP 
+-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A fw2net -d 10.0.0.0/255.0.0.0 -p icmp -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.3.1 -p tcp -m tcp --dport 1812 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.1.3.1 -p tcp -m tcp --dport 1812 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.3.1 -p udp -m udp --dport 1812 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.1.3.1 -p udp -m udp --dport 1812 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.3.1 -p tcp -m tcp --dport 1813 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.1.3.1 -p tcp -m tcp --dport 1813 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.3.1 -p udp -m udp --dport 1813 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.1.3.1 -p udp -m udp --dport 1813 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.9.1 -p tcp -m tcp --dport 9999 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 86.59.21.35 -p tcp -m tcp --dport 9999 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.2.1 -p udp -m owner --uid-owner root -m udp --dport 53 -j LOG --log-prefix "Shorewall:fw2net:ACCEPT:" --log-level 6 
+-A fw2net -d 10.2.2.1 -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.1.2.1 -p udp -m owner --uid-owner root -m udp --dport 53 -j LOG --log-prefix "Shorewall:fw2net:ACCEPT:" --log-level 6 
+-A fw2net -d 10.1.2.1 -p udp -m udp --dport 53 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.2.1 -p tcp -m owner --uid-owner root -m tcp --dport 53 -j LOG --log-prefix "Shorewall:fw2net:ACCEPT:" --log-level 6 
+-A fw2net -d 10.2.2.1 -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.1.2.1 -p tcp -m owner --uid-owner root -m tcp --dport 53 -j LOG --log-prefix "Shorewall:fw2net:ACCEPT:" --log-level 6 
+-A fw2net -d 10.1.2.1 -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT 
+-A fw2net -d 10.2.2.1 -p udp -m udp --dport 53 -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6 
+-A fw2net -d 10.2.2.1 -p udp -m udp --dport 53 -j DROP 
+-A fw2net -d 10.1.2.1 -p udp -m udp --dport 53 -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6 
+-A fw2net -d 10.1.2.1 -p udp -m udp --dport 53 -j DROP 
+-A fw2net -d 10.2.2.1 -p tcp -m tcp --dport 53 -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6 
+-A fw2net -d 10.2.2.1 -p tcp -m tcp --dport 53 -j DROP 
+-A fw2net -d 10.1.2.1 -p tcp -m tcp --dport 53 -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6 
+-A fw2net -d 10.1.2.1 -p tcp -m tcp --dport 53 -j DROP 
+-A fw2net -d 10.2.4.1 -p tcp -m tcp --dport 25 -m owner --uid-owner mail -j ACCEPT 
+-A fw2net -p tcp -m owner --uid-owner debian-tor -j ACCEPT 
+-A fw2net -j Drop 
+-A fw2net -j LOG --log-prefix "Shorewall:fw2net:DROP:" --log-level 6 
+-A fw2net -j DROP 
+-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options 
+-A logflags -j DROP 
+-A net2all -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A net2all -j Drop 
+-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6 
+-A net2all -j DROP 
+-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A net2fw -p icmp -j ACCEPT 
+-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT 
+-A net2fw -s 10.2.5.10 -p udp -m udp --dport 161:162 -j ACCEPT 
+-A net2fw -s 10.2.5.11 -p udp -m udp --dport 161:162 -j ACCEPT 
+-A net2fw -s 10.2.5.10 -p tcp -m tcp --dport 161 -j ACCEPT 
+-A net2fw -s 10.2.5.11 -p tcp -m tcp --dport 161 -j ACCEPT 
+-A net2fw -j net2all 
+-A net2net -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A net2net -j Drop 
+-A net2net -j LOG --log-prefix "Shorewall:net2net:DROP:" --log-level 6 
+-A net2net -j DROP 
+-A reject -m pkttype --pkt-type broadcast -j DROP 
+-A reject -m pkttype --pkt-type multicast -j DROP 
+-A reject -s 10.2.10.255 -j DROP 
+-A reject -s 255.255.255.255 -j DROP 
+-A reject -s 224.0.0.0/240.0.0.0 -j DROP 
+-A reject -p tcp -j REJECT --reject-with tcp-reset 
+-A reject -p udp -j REJECT --reject-with icmp-port-unreachable 
+-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable 
+-A reject -j REJECT --reject-with icmp-host-prohibited 
+-A smurfs -s 10.2.10.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6 
+-A smurfs -s 10.2.10.255 -j DROP 
+-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6 
+-A smurfs -s 255.255.255.255 -j DROP 
+-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6 
+-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP 
+-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags 
+-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags 
+-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags 
+-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags 
+-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags 
+COMMIT
+# Completed on Wed Feb 27 16:02:36 2008
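Review bot: This is a raw `iptables-save` dump from one specific Shorewall host rather than a reusable rule set, and loading it elsewhere will fail or misbehave. The `-m owner --uid-owner debian-tor` and `--uid-owner mail` rules in `fw2net` make `iptables-restore` resolve those user names at load time, so on a host without those accounts the whole `*filter` table is rejected and nothing is applied; the interface name `eth0`, the site resolvers `10.1.2.1`/`10.2.2.1`, the RADIUS hosts on `1812`/`1813`, the broadcast address `10.2.10.255` in the `smurfs` and `reject` chains, and the public address `86.59.21.35` are all local to the machine the dump came from. If the point of keeping it is the egress policy in `fw2net` (root may reach the named resolvers on 53, `debian-tor` may open any TCP connection, everyone else is logged and dropped), a header comment stating that and marking the site-specific addresses as values to replace would make the file usable as the template the log message describes. Two smaller points: the non-zero counters such as `[83389:68605019]` are ignored on restore but are noise in a checked-in file, and the `-j LOG ... --log-level 7` rules on every `NEW` packet in `*mangle` and `*nat` will flood the kernel log on a busy host and are a Shorewall debugging artifact rather than part of the policy.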