Refactor the untrusted-services stuff to make this less grim.
defport dns 53
defport bootps 67
defport bootpc 68
defport dns 53
defport bootps 67
defport bootpc 68
defport finger 79
defport http 80
defport ident 113
defport finger 79
defport http 80
defport ident 113
-## Provide DNS resolution to local untrusted hosts.
-for p in tcp udp; do
- run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p $p --destination-port $port_dns
-done
+## Extend some services to local untrusted hosts.
+clearchain inbound-untrusted
+run iptables -A inbound -j inbound-untrusted \
+ -s 172.29.198.0/24
-## Allow smb and nmb to untrusted hosts. This is a bit experimental.
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p udp -m multiport --destination-ports \
- $port_netbios_ns,$port_netbios_dgm
-run iptables -A inbound -j ACCEPT \
- -s 172.29.198.0/24 \
- -p tcp -m multiport --destination-ports \
- $port_netbios_ssn,$port_microsoft_ds
+allowservices inbound-untrusted tcp \
+ dns \
+ netbios_ssn microsoft_ds
+allowservices inbound-untrusted udp \
+ dns \
+ tftp
## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \
## Provide syslog for evolution.
run iptables -A inbound -j ACCEPT \