chilidog.highland.cc.ks.us

home *** CD-ROM | disk | FTP | other *** search

/ chilidog.highland.cc.ks.us / chilidog.highland.cc.ks.us.zip / chilidog.highland.cc.ks.us / backup / bradford.20110725.etc.tar.gz / bradford.20110725.etc.tar / etc / sysconfig / scripts / SuSEfirewall2-custom < prev next >

Wrap

Text File | 2006-04-22 | 4KB | 88 lines

# # Authors: Marc Heuse <marc@suse.de>, # Volker Kuhlmann <kuhlmav@elec.canterbury.ac.nz> # # /etc/sysconfig/scripts/SuSEfirewall2-custom # # ------------------------------------------------------------------------ # # This is file is for SuSEfirewall2 and is an example for using # the hooks which are supplied to load customized ipchains rules. # # THERE IS NO HELP FOR USING HOOKS EXCEPT THIS FILE ! SO READ CAREFULLY ! # IT IS USEFUL TO CROSS-READ /sbin/SuSEfirewall2 TO SEE HOW HOOKS WORK ! # # ------------------------------------------------------------------------ fw_custom_before_antispoofing() { # these rules will be loaded before any anti spoofing rules will be # loaded. Effectively the only filter lists already effective are # 1) allow any traffic via the loopback interface, 2) allow DHCP stuff, # 3) allow SAMBA stuff [2 and 3 only if FW_SERVICE_... are set to "yes"] # You can use this hook to prevent logging of uninteresting broadcast # packets or to allow certain packet through the anti-spoofing mechanism. #example: allow incoming multicast packets for any routing protocol #iptables -A INPUT -j ACCEPT -d 224.0.0.0/24 true } fw_custom_after_antispoofing() { # could also be named "before_port_splitting()" # these rules will be loaded after the anti-spoofing and icmp handling # but before any IP protocol or TCP/UDP port allow/protection rules # will be set. # You can use this hook to allow/deny certain IP protocols or TCP/UDP # ports before the SuSEfirewall2 generated rules are hit. #example: always filter backorifice/netbus trojan connect requests and log them. #for target in LOG DROP; do # for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do # iptables -A $chain -j $target -p tcp --dport 31337 # iptables -A $chain -j $target -p udp --dport 31337 # iptables -A $chain -j $target -p tcp --dport 12345:12346 # iptables -A $chain -j $target -p udp --dport 12345:12346 # done #done true } fw_custom_before_port_handling() { # these rules will be loaded after the anti-spoofing and icmp handling # and after the input has been redirected to the input_XXX and # forward_XXX chains and some basic chain-specific anti-circumvention # rules have been set, # but before any IP protocol or TCP/UDP port allow/protection rules # will be set. # You can use this hook to allow/deny certain IP protocols or TCP/UDP # ports before the SuSEfirewall2 generated rules are hit. true } fw_custom_before_masq() { # could also be named "after_port_handling()" # these rules will be loaded after the IP protocol and TCP/UDP port # handling, but before any IP forwarding (routing), masquerading # will be done. # NOTE: reverse masquerading is before directly after # fw_custom_before_port_handling !!!! # You can use this hook to ... hmmm ... I'm sure you'll find a use for # this ... true } fw_custom_before_denyall() { # could also be named "after_forwardmasq()" # these are the rules to be loaded after IP forwarding and masquerading # but before the logging and deny all section is set by SuSEfirewall2. # You can use this hook to prevent the logging of annoying packets. #example: prevent logging of talk requests from anywhere #for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do # iptables -A $chain -j DROP -p udp --dport 517:518 #done true }