From eb10ac0e97c1e5e98ce73a1966c97a7cedb9d086 Mon Sep 17 00:00:00 2001 
From: Waldemar Brodkorb Date: Tue, 1 Dec 2009 19:40:13 +0100 Subject: use pkill for startup scripts - seems to solve the issue, that the same init script get killed otherwise - fine tune dansguardian, squid and iptables package - add default firewall config file (from freewrt) - add an example for transparent proxy via an ethernet bridge --- package/iptables/files/iptables.postinst | 5 +-- package/iptables/files/l7/aim.pat | 27 ---------------- package/iptables/files/l7/bittorrent.pat | 14 --------- package/iptables/files/l7/edonkey-dl.pat | 8 ----- package/iptables/files/l7/edonkey.pat | 29 ----------------- package/iptables/files/l7/fasttrack.pat | 25 --------------- package/iptables/files/l7/ftp.pat | 34 -------------------- package/iptables/files/l7/gnutella.pat | 36 --------------------- package/iptables/files/l7/http.pat | 28 ----------------- package/iptables/files/l7/ident.pat | 14 --------- package/iptables/files/l7/irc.pat | 20 ------------ package/iptables/files/l7/jabber.pat | 24 -------------- package/iptables/files/l7/msnmessenger.pat | 15 --------- package/iptables/files/l7/ntp.pat | 17 ---------- package/iptables/files/l7/pop3.pat | 50 ------------------------------ package/iptables/files/l7/smtp.pat | 39 ----------------------- package/iptables/files/l7/ssl.pat | 15 --------- package/iptables/files/l7/vnc.pat | 23 -------------- 18 files changed, 1 insertion(+), 422 deletions(-) delete mode 100644 package/iptables/files/l7/aim.pat delete mode 100644 package/iptables/files/l7/bittorrent.pat delete mode 100644 package/iptables/files/l7/edonkey-dl.pat delete mode 100644 package/iptables/files/l7/edonkey.pat delete mode 100644 package/iptables/files/l7/fasttrack.pat delete mode 100644 package/iptables/files/l7/ftp.pat delete mode 100644 package/iptables/files/l7/gnutella.pat delete mode 100644 package/iptables/files/l7/http.pat delete mode 100644 package/iptables/files/l7/ident.pat delete mode 100644 package/iptables/files/l7/irc.pat delete mode 100644 
package/iptables/files/l7/jabber.pat delete mode 100644 package/iptables/files/l7/msnmessenger.pat delete mode 100644 package/iptables/files/l7/ntp.pat delete mode 100644 package/iptables/files/l7/pop3.pat delete mode 100644 package/iptables/files/l7/smtp.pat delete mode 100644 package/iptables/files/l7/ssl.pat delete mode 100644 package/iptables/files/l7/vnc.pat (limited to 'package/iptables/files') diff --git a/package/iptables/files/iptables.postinst b/package/iptables/files/iptables.postinst index fd2865a31..89b0af164 100644 --- a/package/iptables/files/iptables.postinst +++ b/package/iptables/files/iptables.postinst @@ -1,7 +1,4 @@ #!/bin/sh . $IPKG_INSTROOT/etc/functions.sh -if [ -f $IPKG_INSTROOT/etc/init.d/S45firewall ]; then - add_rcconf iptables firewall NO -fi - +add_rcconf iptables firewall NO diff --git a/package/iptables/files/l7/aim.pat b/package/iptables/files/l7/aim.pat deleted file mode 100644 index 9768dbbdc..000000000 --- a/package/iptables/files/l7/aim.pat +++ /dev/null 
@@ -1,27 +0,0 @@ -# AIM - AOL instant messenger (OSCAR and TOC) -# Pattern quality: good notsofast -# Usually runs on port 5190 -# -# This may also match ICQ traffic. -# -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -aim -# See http://gridley.acns.carleton.edu/~straitm/final (and various other places) -# The first bit matches OSCAR signon and data commands, but not sure what -# \x03\x0b matches, but it works apparently. -# The next three bits match various parts of the TOC signon process. -# The third one is the magic number "*", then 0x01 for "signon", then up to four -# bytes ("up to" because l7-filter strips out nulls) which contain a sequence -# number (2 bytes) the data length (2 more) and 3 nulls (which don't count), -# then 0x01 for the version number (not sure if there ever has been another -# version) -# The fourth one is a command string, followed by some stuff, then the -# beginning of the "roasted" password - -# This pattern is too slow! - -^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x diff --git a/package/iptables/files/l7/bittorrent.pat b/package/iptables/files/l7/bittorrent.pat deleted file mode 100644 index c1804ee4b..000000000 --- a/package/iptables/files/l7/bittorrent.pat +++ /dev/null 
@@ -1,14 +0,0 @@ -# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com -# Pattern quality: great veryfast -# -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers -bittorrent - -# Does not attempt to match the HTTP download of the tracker -# 0x13 is the length of "bittorrent protocol" -# Second two bits match UDP wierdness, commented out until it's tested -#^(\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP]) -^\x13bittorrent protocol diff --git a/package/iptables/files/l7/edonkey-dl.pat b/package/iptables/files/l7/edonkey-dl.pat deleted file mode 100644 index d344d169d..000000000 --- a/package/iptables/files/l7/edonkey-dl.pat +++ /dev/null @@ -1,8 +0,0 @@ -# eDonkey2000 - P2P filesharing (download part) - http://edonkey2000.com -# Pattern quality: good veryfast overmatch usepacket - -edonkey-dl - -^[\xe3\xe4\xc5\xe5\xd4](....)?[\x01\x0a\x0e\x0f\x10\x18\x19\x1b\x1c\x47\x4a\x4f\x51\x53\x54\x58\x60\x81\x90\x96\x9a\x9c\xa2] - - diff --git a/package/iptables/files/l7/edonkey.pat b/package/iptables/files/l7/edonkey.pat deleted file mode 100644 index efbc3f361..000000000 --- a/package/iptables/files/l7/edonkey.pat +++ /dev/null 
@@ -1,29 +0,0 @@ -# eDonkey2000 - P2P filesharing - http://edonkey2000.com -# Pattern quality: good veryfast overmatch -# -# Please post to l7-filter-developers@lists.sf.net as to whether this pattern -# works for you or not. If you believe it could be improved please post your -# suggestions to that list as well. You may subscribe to this list at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -# Thanks to Matt Skidmore - -edonkey - -# http://gd.tuwien.ac.at/opsys/linux/sf/p/pdonkey/eDonkey-protocol-0.6 -# -# In addition to \xe3, \xc5 and \xd4, I see a lot of \xe5 -# -# God this is a mess. What an irritating protocol. -# This will match about 1% of streams with random data in them! - -^[\xe3\xc5\xe5\xd4](....)?([\x01\x02\x05\x14\x15\x16\x18\x19\x1a\x1b\x1c\x20\x21\x32\x33\x34\x35\x36\x38\x40\x41\x42\x43\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x5b\x5c\x60\x81\x82\x90\x91\x93\x96\x97\x98\x99\x9a\x9b\x9c\x9e\xa0\xa1\xa2\xa3\xa4]|\x59................?[ -~]|\x96....$) - -# matches everything and too much -# ^(\xe3|\xc5|\xd4) - -# ipp2p essentially uses "\xe3....\x47", which doesn't seem at all right to me. - -# bandwidtharbitrator uses -# e0.*@.*6[a-z].*p$|e0.*@.*[a-z]6[a-z].*p0$|e.*@.*[0-9]6.*p$|emule|edonkey -# no comments to explain what all the mush is, of course... diff --git a/package/iptables/files/l7/fasttrack.pat b/package/iptables/files/l7/fasttrack.pat deleted file mode 100644 index 46295c6bb..000000000 --- a/package/iptables/files/l7/fasttrack.pat +++ /dev/null 
@@ -1,25 +0,0 @@ -# FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) -# Pattern quality: good notsofast -# -# Tested with Kazaa Lite Resurrection 0.0.7.6F -# -# This appears to match the download connections well, but not the search -# connections (I think they are encrypted :-( ). -# -# Please post to l7-filter-developers@lists.sf.net as to whether it works -# for you or not. If you believe it could be improved please post your -# suggestions to that list as well. You may subscribe to this list at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -fasttrack -# while this is a valid http request, this will be caught because -# the http pattern matches the response (and therefore the next packet) -# Even so, it's best to put this match earlier in the chain. -# http://cvs.berlios.de/cgi-bin/viewcvs.cgi/gift-fasttrack/giFT-FastTrack/PROTOCOL?rev=HEAD&content-type=text/vnd.viewcvs-markup - -# This pattern is kinda slow, but not too bad. -^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? - -# This isn't much faster: -#^get (/.download/.*|/.supernode.|/.status.|/.network.*|/.files|/.hash=[0-9a-f]*/.*) http/1.1|user-agent: kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^give [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]?[0-9]?[0-9]? - diff --git a/package/iptables/files/l7/ftp.pat b/package/iptables/files/l7/ftp.pat deleted file mode 100644 index 9593ffd1b..000000000 --- a/package/iptables/files/l7/ftp.pat +++ /dev/null 
@@ -1,34 +0,0 @@ -# FTP - File Transfer Protocol - RFC 959 -# Pattern quality: great fast -# -# Usually runs on port 21. Note that the data stream is on a dynamically -# assigned port, which means that you will need the FTP connection -# tracking module in your kernel to usefully match FTP data transfers. -# -# This pattern is well tested. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers -# -# Matches the first two things a server should say. Most servers say -# something after 220, even though they don't have to, and it usually -# includes the string "ftp" (l7-filter is case insensitive). -# This includes proftpd, vsftpd, wuftpd, warftpd, pureftpd, Bulletproof -# FTP Server, and whatever ftp.microsoft.com uses. Just in case, the next -# thing the server sends is a 331. All the above servers also send -# something including "password" after this code. -ftp -# actually, let's just do the first for now, it's faster -^220[\x09-\x0d -~]*ftp - -# This is ~10x faster if the stream starts with "220" -#^220.*ftp - -# This will match more, but much slower -#^220[\x09-\x0d -~]*ftp|331[\x09-\x0d -~]*password - -# This pattern is more precise, but takes longer to match. (3 packets vs. 1) -#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a331 - -# same as above, but slightly less precise and only takes 2 packets. -#^220[\x09-\x0d -~]*\x0d\x0aUSER[\x09-\x0d -~]*\x0d\x0a diff --git a/package/iptables/files/l7/gnutella.pat b/package/iptables/files/l7/gnutella.pat deleted file mode 100644 index ebbd5c621..000000000 --- a/package/iptables/files/l7/gnutella.pat +++ /dev/null 
@@ -1,36 +0,0 @@ -# Gnutella - P2P filesharing -# Pattern quality: good fast -# -# This should match both Gnutella and "Gnutella2" ("Mike's protocol") -# -# Various clients use this protocol including Mactella, Shareaza, -# GTK-gnutella, Gnucleus, Gnotella, LimeWire, BearShare, and iMesh. -# -# This is tested with gtk-gnutella and Shareaza. -# -# Please report on how this pattern works for you at -# l7-filter-developers@lists.sf.net . If you can improve on this -# pattern, please also post to that list. You may subscribe at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -# http://www.gnutella2.com/tiki-index.php?page=UDP%20Transceiver -# http://rfc-gnutella.sf.net/ -# http://www.gnutella2.com/tiki-index.php?page=Gnutella2%20Specification -# http://en.wikipedia.org/wiki/Shareaza - -gnutella - -# The first part matches UDP messages - All start with "GND", then have -# a flag byte which is either \x00, \x01 or \x02, then two sequence bytes -# that can be anything, then a fragment number, which must start at 1. -# The rest matches TCP first client message or first server message (in case -# we can't see client messages). Some parts of this are empirical rather than -# document based. Assumes version is between 0.0 and 2.9. (usually is -# 0.4 or 0.6). I'm guessing at many of the user-agents. -# The last bit is emprical and probably only matches Limewire. 
-^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella.*content-type: application/x-gnutella|..................lime) - -# Needlessly precise, at the expense of time -#^(gnd[\x01\x02]?.?.?\x01|gnutella connect/[012]\.[0-9]\x0d\x0a|get /uri-res/n2r\?urn:sha1:|get /[\x09-\x0d -~]*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /[\x09-\x0d -~]*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?\.[1-9][0-9]?[0-9]?:[1-9][0-9]?[0-9]?[0-9]?|gnutella[\x09-\x0d -~]*content-type: application/x-gnutella|..................lime) - - diff --git a/package/iptables/files/l7/http.pat b/package/iptables/files/l7/http.pat deleted file mode 100644 index 520e7fe21..000000000 --- a/package/iptables/files/l7/http.pat +++ /dev/null 
@@ -1,28 +0,0 @@ -# HTTP - HyperText Transfer Protocol - RFC 2616 -# Pattern quality: great notsofast -# Usually runs on port 80 -# -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers -# -# this intentionally catches the response from the server -# rather than the request so that other protocols which use -# http (like kazaa) can be caught based on specific http requests -# regardless of the ordering of filters... -# also matches posts - -# Sites that serve really long cookies may break this by pushing the -# server response too far away from the beginning of the connection. To -# fix this, increase the kernel's data buffer length. - -http -# Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF (rfc 2616) -# As specified in rfc 2616 a status code is preceeded and followed by a -# space. -http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019] -# A slightly faster version that might be good enough: -#http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* http/[01]\.[019] -# old pattern(s): -#(http[\x09-\x0d -~]*(200 ok|302 |304 )[\x09-\x0d -~]*(connection:|content-type:|content-length:))|^(post [\x09-\x0d -~]* http/) diff --git a/package/iptables/files/l7/ident.pat b/package/iptables/files/l7/ident.pat deleted file mode 100644 index 672b0753c..000000000 --- a/package/iptables/files/l7/ident.pat +++ /dev/null 
@@ -1,14 +0,0 @@ -# Ident - Identification Protocol - RFC 1413 -# Pattern quality: good veryfast -# Usually runs on port 113 -# -# This pattern is believed to work. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -ident -# "number , numberCRLF" possibly without the CR and/or LF. -# ^$ is appropriate because the first packet should never have anything -# else in it. -^[1-9][0-9]?[0-9]?[0-9]?[0-9]?[\x09-\x0d]*,[\x09-\x0d]*[1-9][0-9]?[0-9]?[0-9]?[0-9]?(\x0d\x0a|[\x0d\x0a])?$ diff --git a/package/iptables/files/l7/irc.pat b/package/iptables/files/l7/irc.pat deleted file mode 100644 index 6643f6c2f..000000000 --- a/package/iptables/files/l7/irc.pat +++ /dev/null @@ -1,20 +0,0 @@ -# IRC - Internet Relay Chat - RFC 1459 -# Pattern quality: good veryfast -# -# Usually runs on port 6666 or 6667 -# Note that chat traffic runs on these ports, but IRC-DCC traffic (which -# can use much more bandwidth) uses a dynamically assigned port, so you -# must have the IRC connection tracking module in your kernel to classify -# this. -# -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -irc -# First thing that happens is that the client sends NICK and USER, in -# either order. This allows MIRC color codes (\x02-\x0d instead of -# \x09-\x0d). -^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a) - diff --git a/package/iptables/files/l7/jabber.pat b/package/iptables/files/l7/jabber.pat deleted file mode 100644 index 7a0c6840e..000000000 --- a/package/iptables/files/l7/jabber.pat +++ /dev/null 
@@ -1,24 +0,0 @@ -# Jabber (XMPP) - an open instant messenger protocol - http://jabber.org -# Pattern quality: good fast -# -# This pattern has been tested with Gaim and Gabber. It is only tested -# with non-SSL mode Jabber with no proxies. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -# Thanks to Jan Hudec for some improvements. - -# Jabber seems to take a long time to set up a connection. I'm -# connecting with Gabber 0.8.8 to 12jabber.org and the first 8 packets -# is this: -# -# -# No mention of my username or password yet, you'll note. - -jabber - -# mail.dreamhost.com: +OK Hello there. -# pop.carleton.edu: +OK POP3D(*) Server PMDFV6.2.2 at Fri, 12 Sep 2003 19:28:10 -0500 (CDT) (APOP disabled) -# mail.earthlink.net: +OK NGPopper vEL_4_38 at earthlink.net ready <25509.1063412951@falcon> -# *.email.umn.edu: +OK Cubic Circle's v1.22 1998/04/11 POP3 ready <7d1e0000da67623f@aquamarine.tc.umn.edu> -# mail.yale.edu: +OK POP3 pantheon-po01 v2002.81 server ready -# mail.gustavus.edu: +OK POP3 solen v2001.78 server ready -# mail.reed.edu: +OK POP3 letra.reed.edu v2002.81 server ready -# mail.bowdoin.edu: +OK mail.bowdoin.edu POP3 service (iPlanet Messaging Server 5.2 HotFix 1.15 (built Apr 28 2003)) -# pop.colby.edu: +OK Qpopper (version 4.0.5) at basalt starting. -# mail.mac.com: +OK Netscape Messaging Multiplexor ready - -# various error strings: -#-ERR Invalid command. -#-ERR invalid command -#-ERR unimplemented -#-ERR Invalid command, try one of: USER name, PASS string, QUIT -#-ERR Unknown AUTHORIZATION state command -#-ERR Unrecognized command -#-ERR Unknown command: "sadf'". diff --git a/package/iptables/files/l7/smtp.pat b/package/iptables/files/l7/smtp.pat deleted file mode 100644 index 1bab7a1df..000000000 --- a/package/iptables/files/l7/smtp.pat +++ /dev/null 
@@ -1,39 +0,0 @@ -# SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) -# Pattern quality: great fast -# usually runs on port 25 -# -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -smtp -# As usual, no text is required after "220", but all known servers have some -# there. It (almost?) always has string "smtp" in it. The RFC examples -# does not, so we match those too, just in case anyone has copied them -# literally. -^220[\x09-\x0d -~]* (e?smtp|simple mail) - -# This is ~3x faster if the stream starts with "220" -#^220.* (e?smtp|simple mail) - -# Some examples: -# 220 mail.stalker.com ESMTP CommuniGate Pro 4.1.3 -# 220 mail.vieodata.com ESMTP Merak 6.1.0; Mon, 15 Sep 2003 13:48:11 -0400 -# 220 mail.ut.caldera.com ESMTP -# 220 persephone.pmail.gen.nz ESMTP server ready. -# 220 smtp1.superb.net ESMTP -# 220 mail.kerio.com Kerio MailServer 5.6.7 ESMTP ready -# 220-mail.deerfield.com ESMTP VisNetic.MailServer.v6.0.9.0; Mon, 15 Sep 2003 13:4 -# 220 altn.com ESMTP MDaemon 6.8.5; Mon, 15 Sep 2003 12:46:42 -0500 -# 220 X1 NT-ESMTP Server ipsmin0165atl2.interland.net (IMail 6.06 73062-3) -# 220 mail.icewarp.com ESMTP Merak 6.1.1; Mon, 15 Sep 2003 19:43:23 +0200 -# 220-mail.email-scan.com ESMTP -# 220 smaug.dreamhost.com ESMTP -# 220 kona.carleton.edu -- Server ESMTP (PMDF V6.2#30648) -# 220 letra.reed.edu ESMTP Sendmail 8.12.9/8.12.9; Mon, 15 Sep 2003 10:35:57 -0700 (PDT) -# 220-swan.mail.pas.earthlink.net ESMTP Exim 3.33 #1 Mon, 15 Sep 2003 10:32:15 -0700 -# -# RFC examples: -# 220 xyz.com Simple Mail Transfer Service Ready (RFC example) -# 220 dbc.mtview.ca.us SMTP service ready diff --git a/package/iptables/files/l7/ssl.pat b/package/iptables/files/l7/ssl.pat deleted file mode 100644 index ab5f62caa..000000000 
--- a/package/iptables/files/l7/ssl.pat +++ /dev/null @@ -1,15 +0,0 @@ -# SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 -# Pattern quality: good fast -# Usually runs on port 443 -# -# This is a superset validcertssl. For it to match, it must be first. -# -# This pattern has been tested and is believed to work well. If it does not -# work for you, or you believe it could be improved, please post to -# l7-filter-developers@lists.sf.net . This list may be subscribed to at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers - -ssl -# Client Hello | Server Hello with certificate -# This allows SSL 3.X, which includes TLS 1.0, known internally as SSL 3.1 -^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b) diff --git a/package/iptables/files/l7/vnc.pat b/package/iptables/files/l7/vnc.pat deleted file mode 100644 index 35bfbd4ba..000000000 --- a/package/iptables/files/l7/vnc.pat +++ /dev/null @@ -1,23 +0,0 @@ -# VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer -# Pattern quality: good fast -# http://www.realvnc.com/documentation.html -# -# This pattern has been verified with vnc v3.3.7 on WinXP and Linux -# Please report on how this pattern works for you at -# l7-filter-developers@lists.sf.net . If you can improve on this pattern, -# please also post to that list. You may subscribe at -# http://lists.sourceforge.net/lists/listinfo/l7-filter-developers -# -# Thanks to Trevor Paskett for this pattern. - -vnc -# Assumes single digit major and minor version numbers -# This message should be all alone in the first packet, so ^$ is appropriate -^rfb 00[1-9]\.00[0-9]\x0a$ - -# This is a more restrictive version which assumes the version numbers -# are ones actually in existance at the time of this writing, i.e. 3.3, -# 3.7 and 3.8 (with some clients wrongly reporting 3.5). It should be -# slightly faster, but probably not worth the extra maintenance. -# ^rfb 003\.00[3578]\x0a$ - -- cgit v1.2.3 
From 1be6ebb92966edeea8a49f34a5e2e664f86c2946 Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb
Date: Wed, 2 Dec 2009 19:48:18 +0100
Subject: finetune iptables, tinyproxy and dansguardian
---
package/iptables/files/firewall.conf | 119 +++++++++++++++++++++++++++++++++++
package/iptables/files/firewall.init | 35 +++++++++++
2 files changed, 154 insertions(+)
create mode 100644 package/iptables/files/firewall.conf
create mode 100755 package/iptables/files/firewall.init
(limited to 'package/iptables/files')
diff --git a/package/iptables/files/firewall.conf b/package/iptables/files/firewall.conf
new file mode 100644
index 000000000..bc9a39c41
--- /dev/null
+++ b/package/iptables/files/firewall.conf
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+
+echo "configure /etc/firewall.conf first."
+exit 1
+
+### Interfaces
+WAN=ppp0
+LAN=br0
+WLAN=
+
+######################################################################
+### Default ruleset
+######################################################################
+
+### Create chains
+iptables -N input_rule
+iptables -N forwarding_rule
+iptables -t nat -N prerouting_rule
+iptables -t nat -N postrouting_rule
+
+### Default policy
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+
+### INPUT
+### (connections with the router as destination)
+
+# base case
+iptables -A INPUT -m state --state INVALID -j DROP
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
+
+# custom rules
+iptables -A INPUT -j input_rule
+
+# allow access from anything but WAN
+iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT
+# allow icmp messages
+iptables -A INPUT -p icmp -j ACCEPT
+
+# reject
+iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+
+### OUTPUT
+### (connections with the router as source)
+
+# base case
+iptables -A OUTPUT -m state --state INVALID -j DROP
+iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+### FORWARD
+### (connections routed through the router)
+
+# base case
+iptables -A FORWARD -m state --state INVALID -j DROP
+iptables -A FORWARD -p tcp -o $WAN --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# custom rules
+iptables -A FORWARD -j forwarding_rule
+iptables -t nat -A PREROUTING -j prerouting_rule
+iptables -t nat -A POSTROUTING -j postrouting_rule
+
+# allow LAN
+iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+
+### MASQUERADING
+echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+
+######################################################################
+### Default ruleset end
+######################################################################
+
+###
+### Connections to the router
+###
+
+# ssh
+#iptables -A input_rule -i $WAN -p tcp -s --dport 22 -j ACCEPT
+
+# IPSec
+#iptables -A input_rule -i $WAN -p esp -s -j ACCEPT
+#iptables -A input_rule -i $WAN -p udp -s --dport 500 -j ACCEPT
+
+# OpenVPN
+#iptables -A input_rule -i $WAN -p udp -s --dport 1194 -j ACCEPT
+
+# PPTP
+#iptables -A input_rule -i $WAN -p gre -j ACCEPT
+#iptables -A input_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
+
+###
+### VPN traffic
+###
+
+# IPSec
+#iptables -A forwarding_rule -o ipsec+ -j ACCEPT
+#iptables -A forwarding_rule -i ipsec+ -j ACCEPT
+
+# OpenVPN
+#iptables -A forwarding_rule -o tun+ -j ACCEPT
+#iptables -A forwarding_rule -i tun+ -j ACCEPT
+
+###
+### Port forwardings to LAN
+###
+
+#iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 3389 -j DNAT --to 192.168.1.10
+#iptables -A forwarding_rule -i $WAN -p tcp --dport 3389 -d 192.168.1.10 -j ACCEPT
+
+# Transparent Bridging Proxy
+#ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
+# --ip-destination-port 80 -j redirect --redirect-target ACCEPT
+#iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
+# -j REDIRECT --to-port 8080
+
diff --git a/package/iptables/files/firewall.init b/package/iptables/files/firewall.init
new file mode 100755
index 000000000..b3ea698d6
--- /dev/null
+++ b/package/iptables/files/firewall.init
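Review bot: The `### MASQUERADING` block turns on ip_dynaddr but never enables IP forwarding, so the FORWARD chain and the MASQUERADE rule only take effect if `/proc/sys/net/ipv4/ip_forward` is switched on somewhere else at boot; adding `echo 1 > /proc/sys/net/ipv4/ip_forward` beside the ip_dynaddr line would make the ruleset self-contained, or a comment naming the script that already does it would settle the question. The commented examples under `### Connections to the router` have `-s` followed directly by `--dport` or `-j`, so uncommenting them as written fails with a missing-argument error; a comment such as `# fill in the trusted source network after -s before enabling these rules` would make the intent explicit. It is also worth a comment on the `# allow access from anything but WAN` rule that an empty `WAN` collapses `${WAN:+\! -i $WAN}` to `iptables -A INPUT -j ACCEPT`, which accepts new connections on every interface.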
@@ -0,0 +1,35 @@
+#!/bin/sh
+#PKG iptables
+#INIT 45
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+ test x"${firewall:-NO}" = x"NO" && exit 0
+ exec sh $0 start
+ ;;
+start)
+ . /etc/firewall.conf
+ ;;
+stop)
+ ### Clear tables
+ iptables -F
+ iptables -X
+ iptables -t nat -F
+ iptables -t nat -X
+ iptables -P INPUT ACCEPT
+ iptables -P FORWARD ACCEPT
+ iptables -P OUTPUT ACCEPT
+ iptables -t nat -P PREROUTING ACCEPT
+ iptables -t nat -P POSTROUTING ACCEPT
+ ;;
+restart)
+ sh $0 stop
+ sh $0 start
+ ;;
+*)
+ echo "Usage: $0 {start | stop | restart}"
+ ;;
+esac
+exit $?
-- cgit v1.2.3
From 3f23dcd7a5f06f8cdda0ee8b1492cfd0b6c1413f Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb
Date: Mon, 4 Jan 2010 23:18:14 +0100
Subject: fix default firewall script and kernel mod dependencies
---
package/iptables/files/firewall.conf | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'package/iptables/files')
diff --git a/package/iptables/files/firewall.conf b/package/iptables/files/firewall.conf
index bc9a39c41..2c8faaa34 100644
--- a/package/iptables/files/firewall.conf
+++ b/package/iptables/files/firewall.conf
@@ -1,13 +1,11 @@
 #!/bin/sh
-
-
 echo "configure /etc/firewall.conf first."
 exit 1
 
 ### Interfaces
 WAN=ppp0
 LAN=br0
-WLAN=
+WLAN=wlan0
 
 ######################################################################
 ### Default ruleset
@@ -29,7 +27,7 @@ iptables -P FORWARD DROP
 # base case
 iptables -A INPUT -m state --state INVALID -j DROP
 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
+iptables -A INPUT -p tcp --tcp-flags SYN SYN \! --tcp-option 2 -j DROP
 
 # custom rules
 iptables -A INPUT -j input_rule
-- cgit v1.2.3
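Review bot: The `*)` arm only echoes the usage text and the script ends with `exit $?`, so an unrecognised argument exits 0 and prints usage to stdout; the arm should be `echo "Usage: $0 {start | stop | restart}" >&2` followed by `exit 1`. In the `start` arm `/etc/firewall.conf` is sourced without clearing the tables first, so a second `start` on a running system fails at `iptables -N input_rule` (chain already exists) and appends duplicate rules to the built-in chains; either run the stop sequence before sourcing or add a comment stating that `restart` is the only safe way to re-apply the ruleset. The `sh $0 ...` invocations should quote the script path (`exec sh "$0" start`, `sh "$0" stop`, `sh "$0" start`) so an install path containing whitespace does not break them.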
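Review bot: `WLAN=wlan0` is assigned but no rule in this file references `$WLAN` — the INPUT accept rule and the `# allow LAN` forward rule (`-i $LAN -o $WAN`, below this hunk) use only `WAN` and `LAN` — so the new value has no effect and wlan0 clients are forwarded only if wlan0 is a member of br0. If a separate wireless interface is intended, a guarded forwarding rule such as `[ -n "$WLAN" ] && iptables -A FORWARD -i "$WLAN" -o "$WAN" -j ACCEPT` belongs next to the `# allow LAN` rule; otherwise a comment like `# WLAN is informational only; wlan0 is expected to be bridged into br0` would stop readers from assuming the variable is enforced. The rest of the ruleset that would consume this variable lies outside the hunk.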