Jonathan Markevich wrote:
Please let me know if you can see any improvements. I am just learning shell scripting!
You're a helluva lot better than I'll ever be! Perhaps this will complement your ppp script ...

Here's a modified firewall script. I downloaded this script a while back from a MASQ page on the net - sorry I don't know who actually wrote it, but it seems to work fine. I run this after the link is up, and it does a nice job. The main modification is that it automatically detects the ppp0 address, which is handy for those who have dynamic IP addresses. If anyone finds fault with it, please let me know. There's nothing worse than a crappy firewall script!

The only thing I haven't added yet is a way to kick this script after an automatic redial. ppp 2.3.0 redials automatically just fine, and will accomplish 90% of the time that which Jonathan's script is doing. Since I'm somewhat limited on time, I haven't figured out what signal it takes to "kick" it into redial, other than the fact that if the connection is terminated by the other end, it starts redialing nicely.

And of course, you're all wondering why I don't use the SuSE supplied firewall/MASQ scripts, it's like anything else - you use what you know works. I haven't had time to read the docs and test their scripts, as I'm not sure what some of the values are in rc.config.

-tks-

#!/bin/sh
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin
#
# For dynamic addresses, this little awk routine from Tim Schaefer
# (http://www.inxutil.com tschaefe@mindspring.com)
# extracts the dynamic IP address from the output of netconfig.
#
# NOTE: the archived copy of this message cuts the next line off after "| se";
# the rest of the pipeline (the sed command and the closing backquote) did not
# survive, so it is left here exactly as the archive has it.
REMOTE=`ifconfig -a | awk ' /^ppp0/,/overruns/ { print $0 } ' | awk ' /inet/ { print $2 } ' | se
#
# The same script is used to determine the LAN address for the firewall machine.
#
# NOTE: this line is truncated in the archive in the same way, after "| sed".
LOCAL=`ifconfig -a | awk ' /^eth0/,/overruns/ { print $0 } ' | awk ' /inet/ { print $2 } ' | sed
#
echo "Local IP is now: $LOCAL"
echo "Remote IP is now: $REMOTE"
#
echo "Setting Incoming, flush and set default policy of deny"
# Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
ipfwadm -I -f
ipfwadm -I -p deny
echo "... local interface, local machines, going anywhere is valid "
ipfwadm -I -a accept -V $LOCAL -S $LOCAL/24 -D 0.0.0.0/0
echo " ... remote interface, claiming to be local machines, IP spoofing, BYE! "
ipfwadm -I -a deny -V $REMOTE -S $LOCAL/24 -D 0.0.0.0/0 -o
echo " ... remote interface, any source, going to permanent PPP address is valid "
ipfwadm -I -a accept -V $REMOTE -S 0.0.0.0/0 -D $REMOTE/32
echo " ... loopback interface is valid..."
ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
echo " ... catch all rule, all other incoming is denied and logged"
# pity there is no
# log option on the policy but this does the job instead (-o logs the match).
ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
echo "Setting Outgoing, flush and set default policy of deny"
# Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
ipfwadm -O -f
ipfwadm -O -p deny
echo " ... local interface, any source going to local net is valid "
ipfwadm -O -a accept -V $LOCAL -S 0.0.0.0/0 -D $LOCAL/24
echo " ... outgoing to local net on remote interface, stuffed routing, deny "
ipfwadm -O -a deny -V $REMOTE -S 0.0.0.0/0 -D $LOCAL/24 -o
echo " ... outgoing from local net on remote interface, stuffed masquerading, deny"
ipfwadm -O -a deny -V $REMOTE -S $LOCAL/24 -D 0.0.0.0/0 -o
# The next rule repeats the "stuffed routing" rule above; harmless but redundant.
echo " ... outgoing from local net on remote interface, stuffed masquerading, deny"
ipfwadm -O -a deny -V $REMOTE -S 0.0.0.0/0 -D $LOCAL/24 -o
echo " ... anything else outgoing on remote interface is valid "
ipfwadm -O -a accept -V $REMOTE -S $REMOTE/32 -D 0.0.0.0/0
echo " ... loopback interface is valid "
ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
echo " ... catch all rule, all other outgoing is denied and logged"
# pity there is no
# log option on the policy but this does the job instead
ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
#
echo "Setting Forwarding, flush and set default policy of deny"
# Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
ipfwadm -F -f
ipfwadm -F -p deny
#
echo "Setting Masquerade from local net on local interface to anywhere "
ipfwadm -F -a masquerade -W ppp0 -S $LOCAL/24 -D 0.0.0.0/0
echo " ... catch all rule, all other forwarding is denied and logged "
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

--
To get out of this list, please send email to majordomo@suse.com with this text in its body:
unsubscribe suse-linux-e
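The open question in the post, re-running the rules after an automatic redial, is what pppd's /etc/ppp/ip-up hook exists for: pppd runs it each time the link comes up, passing the interface name, tty, speed, local address and remote address as arguments, so the ppp0 address does not have to be scraped from ifconfig at all. The loader below is an added example, not part of the original message or the script it quotes. It takes the ppp address from pppd's fourth argument, reads only the LAN address from ifconfig with the same interface-to-overruns range trick the script uses, and refuses to load rules if either address is empty or malformed (an empty REMOTE would make every "-V $REMOTE" rule meaningless and quietly drop the anti-spoofing split). Assumptions: the LAN interface is eth0 on a /24, ifconfig prints the old net-tools "inet addr:x.x.x.x" format the script parses, and the firewall script lives at /usr/local/sbin/firewall.sh (hypothetical path) with its two address lines replaced by LOCAL and REMOTE taken from the environment. The ifconfig output at the bottom is constructed for testing, not captured from a real host.

```shell
#!/bin/sh
# Added example: guarded rule loader in the shape of pppd's /etc/ppp/ip-up hook.
# pppd invokes it as:  ip-up <interface> <tty> <speed> <local-ip> <remote-ip> [ipparam]
# Assumptions: LAN on eth0 (/24), net-tools "inet addr:" ifconfig format, and a
# hypothetical /usr/local/sbin/firewall.sh that reads LOCAL and REMOTE from the
# environment instead of running its own ifconfig pipelines.

# Print the IPv4 address of interface $1 from "ifconfig -a" output on stdin,
# using the same <iface>..overruns range as the original script's awk.
iface_addr() {
    awk -v iface="$1" '$1 == iface, /overruns/ { if ($1 == "inet") print $2 }' \
        | sed 's/^addr://' | head -n 1
}

# Return 0 only if $1 is a well-formed dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the /24 network of a host address (192.168.1.7 -> 192.168.1.0); this is
# the network the script's "$LOCAL/24" arguments actually denote.
net24() {
    printf '%s\n' "$1" | sed 's/\.[0-9]*$/.0/'
}

# Both addresses must validate before a single rule is loaded.
check_addresses() {
    is_ipv4 "$1" && is_ipv4 "$2"
}

# Entry point in ip-up style: $1 is the interface, $4 the local (ppp0) address.
ip_up() {
    iface=$1; ppp_ip=$4
    [ "$iface" = ppp0 ] || { echo "ip-up: ignoring $iface" >&2; return 0; }
    lan_ip=`ifconfig -a | iface_addr eth0`
    if check_addresses "$lan_ip" "$ppp_ip"; then
        echo "Local IP is now: $lan_ip (net $(net24 "$lan_ip")/24); remote IP is now: $ppp_ip"
        LOCAL=$lan_ip REMOTE=$ppp_ip /usr/local/sbin/firewall.sh   # hypothetical path
    else
        echo "ip-up: firewall NOT loaded, bad address LOCAL='$lan_ip' REMOTE='$ppp_ip'" >&2
        return 1
    fi
}

# Constructed sample of "ifconfig -a" output (not from a real host) so that
# iface_addr can be exercised without a live link.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.42  P-t-P:203.0.113.1  Mask:255.255.255.255
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0'

# pppd passes at least five arguments; with none, just show the parser working.
if [ $# -ge 5 ]; then
    ip_up "$@"
else
    echo "sample ppp0 address: $(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_addr ppp0)"
fi
```

Installed as /etc/ppp/ip-up (or called from it), this reloads the rule set on every redial without any signal handling, and the validation step turns the "link not up yet" case from a silently wrong rule set into a logged refusal.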