Changeset 290
- Timestamp:
- 11/22/04 16:45:58 (4 years ago)
- Files:
-
- trunk/wifidog/ChangeLog (modified) (1 diff)
- trunk/wifidog/libhttpd/api.c (modified) (1 diff)
- trunk/wifidog/src/conf.c (modified) (11 diffs)
- trunk/wifidog/src/conf.h (modified) (4 diffs)
- trunk/wifidog/src/fw_iptables.c (modified) (6 diffs)
- trunk/wifidog/src/ping_thread.c (modified) (2 diffs)
- trunk/wifidog/wifidog.conf (modified) (13 diffs)
trunk/wifidog/ChangeLog
r281 r290 1 1 # $Header$ 2 3 2004-11-22 Alexandre Carmel-Veilleux <acv@acv.ca> 4 * libhttpd/api.c: Fix leak in HttpdEndRequest(). 5 * src/ping_thread.c: Fix auth_server IP change code with latest 6 from previous branch. 7 * src/conf.h: Same as above. 8 * src/fw_iptables.c: Same as above. 9 * src/conf.[ch]: Firewall rule set parsing code. 10 * wifidog.conf: Default firewall rule set defined. 11 * src/fw_iptables.[ch]: Firewall rule set enacting code. 12 2 13 2004-11-18 Benoit Gr�ire <bock@step.polymtl.ca> 3 14 * src/ping_thread.c: Merge phil's bug fixes from stable branch trunk/wifidog/libhttpd/api.c
r274 r290 602 602 { 603 603 _httpd_freeVariables(r->variables); 604 r->variables = NULL;605 604 shutdown(r->clientSock,2); 606 605 close(r->clientSock); 606 free(r); 607 607 } 608 608 trunk/wifidog/src/conf.c
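Review bot: With the added `free(r)` after `close(r->clientSock)`, the function the ChangeLog names as HttpdEndRequest() now takes ownership of the request it is handed, so every caller's pointer is dangling on return; that ownership transfer belongs on the function's declaration, e.g. `/* Releases r and its resources; the caller must not touch r after this call. */`. The results of `shutdown()` and `close()` remain unchecked, which the change does not address. The function's signature lies outside the hunk.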
r277 r290 82 82 oWdctlSocket, 83 83 oSyslogFacility, 84 oFirewallRule 84 oFirewallRule, 85 oFirewallRuleSet 85 86 } OpCodes; 86 87 … … 112 113 { "httpport", oAuthServHTTPPort }, 113 114 { "path", oAuthServPath }, 115 { "firewallruleset", oFirewallRuleSet }, 114 116 { "firewallrule", oFirewallRule }, 115 117 { NULL, oBadOption }, … … 120 122 static int parse_boolean_value(char *); 121 123 static void parse_auth_server(FILE *, char *, int *); 122 static int parse_firewall_rule(char *token, char *leftover); 124 static int parse_firewall_rule(char *ruleset, char *leftover); 125 static void parse_firewall_ruleset(char *, FILE *, char *, int *); 123 126 124 127 /** Accessor for the current gateway configuration … … 153 156 config.log_syslog = DEFAULT_LOG_SYSLOG; 154 157 config.wdctl_sock = strdup(DEFAULT_WDCTL_SOCK); 155 config.rules = NULL;158 config.rulesets = NULL; 156 159 } 157 160 … … 332 335 } while (0) 333 336 337 /** @internal 338 Parses firewall rule set information 339 */ 340 static void 341 parse_firewall_ruleset(char *ruleset, FILE *file, char *filename, int *linenum) 342 { 343 char line[MAX_BUF], 344 *p1, 345 *p2; 346 int opcode; 347 348 debug(LOG_DEBUG, "Adding Firewall Rule Set %s", ruleset); 349 350 /* Read first line */ 351 memset(line, 0, MAX_BUF); 352 fgets(line, MAX_BUF - 1, file); 353 (*linenum)++; /* increment line counter. */ 354 355 /* Parsing loop */ 356 while ((line[0] != '\0') && (strchr(line, '}') == NULL)) { 357 /* skip leading blank spaces */ 358 for (p1 = line; isblank(*p1); p1++); 359 360 /* End at end of line */ 361 if ((p2 = strchr(p1, '#')) != NULL) { 362 *p2 = '\0'; 363 } else if ((p2 = strchr(p1, '\r')) != NULL) { 364 *p2 = '\0'; 365 } else if ((p2 = strchr(p1, '\n')) != NULL) { 366 *p2 = '\0'; 367 } 368 369 /* next, we coopt the parsing of the regular config */ 370 if (strlen(p1) > 0) { 371 p2 = p1; 372 /* keep going until word boundary is found. 
*/ 373 while ((*p2 != '\0') && (!isblank(*p2))) 374 p2++; 375 376 /* Terminate first word. */ 377 *p2 = '\0'; 378 p2++; 379 380 /* skip all further blanks. */ 381 while (isblank(*p2)) 382 p2++; 383 384 /* Get opcode */ 385 opcode = config_parse_token(p1, filename, *linenum); 386 387 debug(LOG_DEBUG, "p1 = [%s]; p2 = [%s]", p1, p2); 388 389 switch (opcode) { 390 case oFirewallRule: 391 parse_firewall_rule(ruleset, p2); 392 break; 393 394 case oBadOption: 395 default: 396 debug(LOG_ERR, "Bad option on line %d " 397 "in %s.", *linenum, 398 filename); 399 debug(LOG_ERR, "Exiting..."); 400 exit(-1); 401 break; 402 } 403 } 404 405 /* Read next line */ 406 memset(line, 0, MAX_BUF); 407 fgets(line, MAX_BUF - 1, file); 408 (*linenum)++; /* increment line counter. */ 409 } 410 411 debug(LOG_DEBUG, "Firewall Rule Set %s added.", ruleset); 412 } 413 334 414 static int 335 parse_firewall_rule(char * token, char *leftover)415 parse_firewall_rule(char *ruleset, char *leftover) 336 416 { 337 417 int i; … … 339 419 int all_nums = 1; /**< If 0, port contained non-numerics */ 340 420 int finished = 0; /**< reached end of line */ 421 char *token = NULL; /**< First word */ 341 422 char *port = NULL; /**< port to open/block */ 342 423 char *protocol = NULL; /**< protocol to block, tcp/udp/icmp */ 343 424 char *mask = NULL; /**< Netmask */ 344 425 char *other_kw = NULL; /**< other key word */ 426 t_firewall_ruleset *tmpr; 427 t_firewall_ruleset *tmpr2; 345 428 t_firewall_rule *tmp; 346 429 t_firewall_rule *tmp2; 347 430 348 debug(LOG_DEBUG, "leftover: %s", ++leftover); 349 debug(LOG_DEBUG, "token: %s", token); 350 431 debug(LOG_DEBUG, "leftover: %s", leftover); 432 351 433 /* lower case */ 352 434 for (i = 0; *(leftover + i) != '\0' 353 435 && (*(leftover + i) = tolower(*(leftover + i))); i++); 354 436 437 token = leftover; 438 TO_NEXT_WORD(leftover, finished); 439 355 440 /* Parse token */ 356 if (!strcasecmp(token, "block") ) {441 if (!strcasecmp(token, "block") || finished) { 357 442 
block_allow = 0; 358 443 } else if (!strcasecmp(token, "allow")) { … … 366 451 /* Parse the remainder */ 367 452 /* Get the protocol */ 368 protocol = leftover; 369 TO_NEXT_WORD(leftover, finished); 370 if (strcmp(protocol, "tcp") && strcmp(protocol, "udp") 371 && strcmp(protocol, "icmp") || finished) { 372 debug(LOG_ERR, "Invalid protocol %s in FirewallRule", 373 protocol); 374 return -1; /*< Fail */ 453 if (strncmp(leftover, "tcp", 3) == 0 454 || strncmp(leftover, "udp", 3) == 0 455 || strncmp(leftover, "icmp", 4) == 0) { 456 protocol = leftover; 457 TO_NEXT_WORD(leftover, finished); 375 458 } 376 459 377 460 /* should be exactly "port" */ 378 other_kw = leftover; 379 TO_NEXT_WORD(leftover, finished); 380 if (strcmp(other_kw, "port") || finished) { 381 debug(LOG_ERR, "Invalid or unexpected keyword %s, " 382 "expecting \"port\"", other_kw); 383 return -2; /*< Fail */ 384 } 385 386 /* Get port now */ 387 port = leftover; 388 TO_NEXT_WORD(leftover, finished); 389 for (i = 0; *(port + i) != '\0'; i++) 390 if (!isdigit(*(port + i))) 391 all_nums = 0; /*< No longer only digits */ 392 if (!all_nums) { 393 debug(LOG_ERR, "Invalid port %s", port); 394 return -3; /*< Fail */ 461 if (strncmp(leftover, "port", 4) == 0) { 462 TO_NEXT_WORD(leftover, finished); 463 /* Get port now */ 464 port = leftover; 465 TO_NEXT_WORD(leftover, finished); 466 for (i = 0; *(port + i) != '\0'; i++) 467 if (!isdigit(*(port + i))) 468 all_nums = 0; /*< No longer only digits */ 469 if (!all_nums) { 470 debug(LOG_ERR, "Invalid port %s", port); 471 return -3; /*< Fail */ 472 } 395 473 } 396 474 … … 424 502 memset((void *)tmp, 0, sizeof(t_firewall_rule)); 425 503 tmp->block_allow = block_allow; 426 tmp->protocol = strdup(protocol); 427 tmp->port = strdup(port); 504 if (protocol != NULL) 505 tmp->protocol = strdup(protocol); 506 if (port != NULL) 507 tmp->port = strdup(port); 428 508 if (mask == NULL) 429 509 tmp->mask = strdup("0.0.0.0/0"); … … 435 515 436 516 /* Append the rule record */ 437 if 
(config.rules == NULL) { 438 config.rules = tmp; 517 if (config.rulesets == NULL) { 518 config.rulesets = (t_firewall_ruleset *)malloc( 519 sizeof(t_firewall_ruleset)); 520 memset(config.rulesets, 0, sizeof(t_firewall_ruleset)); 521 config.rulesets->name = strdup(ruleset); 522 tmpr = config.rulesets; 439 523 } else { 440 tmp2 = config.rules; 524 tmpr2 = tmpr = config.rulesets; 525 while (tmpr != NULL && (strcmp(tmpr->name, ruleset) != 0)) { 526 tmpr2 = tmpr; 527 tmpr = tmpr->next; 528 } 529 if (tmpr == NULL) { 530 /* Rule did not exist */ 531 tmpr = (t_firewall_ruleset *)malloc( 532 sizeof(t_firewall_ruleset)); 533 memset(tmpr, 0, sizeof(t_firewall_ruleset)); 534 tmpr->name = strdup(ruleset); 535 tmpr2->next = tmpr; 536 } 537 } 538 539 /* At this point, tmpr == current ruleset */ 540 if (tmpr->rules == NULL) { 541 /* No rules... */ 542 tmpr->rules = tmp; 543 } else { 544 tmp2 = tmpr->rules; 441 545 while (tmp2->next != NULL) 442 546 tmp2 = tmp2->next; … … 445 549 446 550 return 1; 551 } 552 553 t_firewall_rule * 554 get_ruleset(char *ruleset) 555 { 556 t_firewall_ruleset *tmp; 557 558 for (tmp = config.rulesets; tmp != NULL 559 && strcmp(tmp->name, ruleset) != 0; tmp = tmp->next); 560 561 return(tmp->rules); 447 562 } 448 563 … … 524 639 &linenum); 525 640 break; 526 case oFirewallRule: 527 parse_firewall_rule(p1, p2); 641 case oFirewallRuleSet: 642 parse_firewall_ruleset(p1, fd, 643 filename, &linenum); 528 644 break; 529 645 case oHTTPDName: trunk/wifidog/src/conf.h
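Review bot: `get_ruleset` (new lines 553–561) dereferences `tmp` after a loop that can leave it NULL, so asking for a rule set name the configuration does not define crashes the daemon instead of installing nothing; the return should be `return (tmp != NULL) ? tmp->rules : NULL;` and the NULL case documented on the declaration. The dispatch in `parse_firewall_ruleset` (line 391) also discards the negative return codes of `parse_firewall_rule`, so a rule rejected with "Invalid port" is silently dropped while the rest of the configuration loads, whereas every other parse error in this function exits; `if (parse_firewall_rule(ruleset, p2) < 0) { debug(LOG_ERR, "Exiting..."); exit(-1); }` keeps that consistent. The relaxed protocol check at 453–455 no longer reports a word that is not `tcp`, `udp` or `icmp`, so what becomes of such a word depends on the mask parsing at 396–424, which is outside this hunk.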
r277 r290 62 62 listens on */ 63 63 int authserv_use_ssl; /**< @brief Use SSL or not */ 64 struct in_addr *last_ip; /**< @brief Last ip used by authserver */64 char *last_ip; /**< @brief Last ip used by authserver */ 65 65 struct _auth_serv_t *next; 66 66 } t_auth_serv; … … 76 76 struct _firewall_rule_t *next; 77 77 } t_firewall_rule; 78 79 /** 80 * Firewall rulesets 81 */ 82 typedef struct _firewall_ruleset_t { 83 char *name; 84 t_firewall_rule *rules; 85 struct _firewall_ruleset_t *next; 86 } t_firewall_ruleset; 78 87 79 88 /** … … 108 117 int syslog_facility; /**< @brief facility to use when using syslog for 109 118 logging */ 110 t_firewall_rule *rules; /**< @brief firewall rules */119 t_firewall_ruleset *rulesets; /**< @brief firewall rules */ 111 120 } s_config; 112 121 … … 132 141 void mark_auth_server_bad(t_auth_serv *); 133 142 143 /** @brief Fetch a firewall rule set. */ 144 t_firewall_rule *get_ruleset(char *); 145 134 146 #define LOCK_CONFIG() do { \ 135 147 debug(LOG_DEBUG, "Locking config"); \ trunk/wifidog/src/fw_iptables.c
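Review bot: The new `get_ruleset` declaration (line 144) says nothing about what it returns when no set has the given name or about who owns the returned list, and the implementation in conf.c only compares the name, so the parameter could be `const char *`. I would expand the comment to `/** @brief Fetch a firewall rule set by name. Returns the set's rule list, owned by the config (do not free); behaviour for an unknown name must match conf.c. */`. The `rulesets` field comment at line 119 still reads "firewall rules"; `firewall rule sets, looked up by name` describes the new type.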
r277 r290 36 36 #include <pthread.h> 37 37 38 #include "common.h" 39 38 40 #include "conf.h" 39 41 #include "fw_iptables.h" … … 44 46 45 47 static int iptables_do_command(char *format, ...); 48 static char *iptables_compile(char *, t_firewall_rule *); 49 static void iptables_load_ruleset(char *, char *); 46 50 47 51 extern pthread_mutex_t client_list_mutex; … … 73 77 } 74 78 79 /** 80 * @internal 81 * Compiles a struct definition of a firewall rule into a valid iptables 82 * command. 83 * @arg chain Chain that the command will be (-A)ppended to. 84 * @arg rule Definition of a rule into a struct, from conf.c. 85 */ 86 static char * 87 iptables_compile(char *chain, t_firewall_rule *rule) 88 { 89 char command[MAX_BUF], 90 *mode; 91 92 memset(command, 0, MAX_BUF); 93 94 if (rule->block_allow == 1) { 95 mode = strdup("ACCEPT"); 96 } else { 97 mode = strdup("DROP"); 98 } 99 100 snprintf(command, sizeof(command), "-t nat -A %s ", chain); 101 if (rule->mask != NULL) { 102 snprintf((command + strlen(command)), (sizeof(command) - 103 strlen(command)), "-d %s ", rule->mask); 104 } 105 if (rule->protocol != NULL) { 106 snprintf((command + strlen(command)), (sizeof(command) - 107 strlen(command)), "-p %s ", rule->protocol); 108 } 109 if (rule->port != NULL) { 110 snprintf((command + strlen(command)), (sizeof(command) - 111 strlen(command)), "--dport %s ", rule->port); 112 } 113 snprintf((command + strlen(command)), (sizeof(command) - 114 strlen(command)), "-j %s", mode); 115 116 free(mode); 117 118 /* XXX The buffer command, an automatic variable, will get cleaned 119 * off of the stack when we return, so we strdup() it. */ 120 return(strdup(command)); 121 } 122 123 /** 124 * @internal 125 * Load all the rules in a rule set. 
126 * @arg ruleset Name of the ruleset 127 * @arg chain IPTables chain the rules go into 128 */ 129 static void 130 iptables_load_ruleset(char *ruleset, char *chain) 131 { 132 t_firewall_rule *rules; 133 char *cmd; 134 135 debug(LOG_DEBUG, "Load ruleset %s into chain %s", ruleset, chain); 136 137 for (rules = get_ruleset(ruleset); rules != NULL; rules = rules->next) { 138 cmd = iptables_compile(chain, rules); 139 debug(LOG_DEBUG, "Loading rule \"%s\" into %s", cmd, chain); 140 iptables_do_command(cmd); 141 } 142 143 debug(LOG_DEBUG, "Ruleset %s loaded into %s", ruleset, chain); 144 } 145 75 146 void 76 147 iptables_fw_clear_authservers(void) … … 92 163 for (auth_server = config->auth_servers; auth_server != NULL; 93 164 auth_server = auth_server->next) { 94 iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->authserv_hostname); 165 if (auth_server->last_ip == NULL || 166 strcmp(auth_server->last_ip, "0.0.0.0") == 0) { 167 iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->authserv_hostname); 168 } else { 169 iptables_do_command("-t nat -A " TABLE_WIFIDOG_AUTHSERVERS " -d %s -j ACCEPT", auth_server->last_ip); 170 } 95 171 } 96 172 … … 119 195 120 196 /** Insert global rules BEFORE the "defaults" */ 121 122 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p udp --dport 67 -j ACCEPT"); 123 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p tcp --dport 67 -j ACCEPT"); 124 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p udp --dport 53 -j ACCEPT"); 125 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p tcp --dport 80 -j ACCEPT"); 126 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p tcp --dport 110 -j ACCEPT"); 127 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p tcp --dport 995 -j ACCEPT"); 128 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p tcp --dport 143 -j ACCEPT"); 129 iptables_do_command("-t nat -A " 
TABLE_WIFIDOG_VALIDATE " -p tcp --dport 993 -j ACCEPT"); 130 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p tcp --dport 220 -j ACCEPT"); 131 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p tcp --dport 993 -j ACCEPT"); 132 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -p tcp --dport 443 -j ACCEPT"); 133 iptables_do_command("-t nat -A " TABLE_WIFIDOG_VALIDATE " -j DROP"); 197 iptables_load_ruleset("global", TABLE_WIFIDOG_VALIDATE); 198 iptables_load_ruleset("validating-users", TABLE_WIFIDOG_VALIDATE); 134 199 135 200 LOCK_CONFIG(); … … 142 207 143 208 /** Insert global rules BEFORE the "defaults" */ 144 145 iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p udp --dport 67 -j ACCEPT"); 146 iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 67 -j ACCEPT"); 147 iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p udp --dport 53 -j ACCEPT"); 148 149 LOCK_CONFIG(); 150 209 iptables_load_ruleset("global", TABLE_WIFIDOG_UNKNOWN); 210 iptables_load_ruleset("unknown-users", TABLE_WIFIDOG_UNKNOWN); 211 LOCK_CONFIG(); 212 /* XXX If there's a rule in global for port 80, it overrides this. 
*/ 151 213 iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", config->gw_port); 152 153 UNLOCK_CONFIG(); 154 214 UNLOCK_CONFIG(); 155 215 iptables_do_command("-t nat -A " TABLE_WIFIDOG_UNKNOWN " -j DROP"); 156 216 157 217 iptables_do_command("-t nat -N " TABLE_WIFIDOG_KNOWN); 158 159 218 /** Insert global rules BEFORE the "defaults" */ 160 161 iptables_ do_command("-t nat -A " TABLE_WIFIDOG_KNOWN " -j ACCEPT");219 iptables_load_ruleset("global", TABLE_WIFIDOG_KNOWN); 220 iptables_load_ruleset("known-users", TABLE_WIFIDOG_KNOWN); 162 221 163 222 iptables_do_command("-t nat -N " TABLE_WIFIDOG_LOCKED); 164 iptables_ do_command("-t nat -A " TABLE_WIFIDOG_LOCKED " -j DROP");165 223 iptables_load_ruleset("locked-users", TABLE_WIFIDOG_KNOWN); 224 166 225 iptables_do_command("-t nat -N " TABLE_WIFIDOG_CLASS); 167 168 LOCK_CONFIG(); 169 226 LOCK_CONFIG(); 170 227 iptables_do_command("-t nat -A " TABLE_WIFIDOG_CLASS " -i %s -m mark --mark 0x%u -j " TABLE_WIFIDOG_VALIDATE, config->gw_interface, FW_MARK_PROBATION); 171 228 iptables_do_command("-t nat -A " TABLE_WIFIDOG_CLASS " -i %s -m mark --mark 0x%u -j " TABLE_WIFIDOG_KNOWN, config->gw_interface, FW_MARK_KNOWN); trunk/wifidog/src/ping_thread.c
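Review bot: Line 223 loads the `locked-users` rule set into `TABLE_WIFIDOG_KNOWN` instead of the `TABLE_WIFIDOG_LOCKED` chain created on the line before, so the locked chain, which previously ended in `-j DROP` (removed line 164), is left with no rules at all and traffic sent to it falls through; it should read `iptables_load_ruleset("locked-users", TABLE_WIFIDOG_LOCKED);`. In `iptables_load_ruleset` (lines 137–141) the string returned by `iptables_compile` is passed to `iptables_do_command` as its format argument even though it contains mask, protocol and port text copied from the configuration file, and it is never freed; `iptables_do_command("%s", cmd); free(cmd);` fixes both. `iptables_compile` also obtains `mode` through an unchecked `strdup` of a constant it could point at directly, `const char *mode = (rule->block_allow == 1) ? "ACCEPT" : "DROP";`, which removes the `free` as well.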
r281 r290 97 97 i; 98 98 t_auth_serv *auth_server; 99 char request[MAX_BUF]; 99 char request[MAX_BUF], 100 *tmp_addr; 100 101 struct in_addr *h_addr; 101 102 struct sockaddr_in their_addr; … … 127 128 128 129 if (auth_server->last_ip == NULL) { 129 auth_server->last_ip = (struct in_addr *)malloc( 130 sizeof(struct in_addr)); 130 auth_server->last_ip = strdup(inet_ntoa(*h_addr)); 131 131 if (auth_server->last_ip == NULL) { 132 132 debug(LOG_CRIT, "Could not allocate memory, Banzai!"); 133 133 exit(-1); 134 134 } 135 memcpy(auth_server->last_ip, h_addr, sizeof(struct in_addr));136 135 } else { 137 138 for (i = 0; i < sizeof(struct in_addr) 139 && (*((char *)auth_server->last_ip + i) 140 == *((char *)h_addr + i)); i++); 141 if (i < sizeof(struct in_addr)) { 142 memcpy(auth_server->last_ip, h_addr, sizeof(struct in_addr)); 136 tmp_addr = strdup(inet_ntoa(*h_addr)); 137 if (strcmp(auth_server->last_ip, tmp_addr) == 0) { 138 free(auth_server->last_ip); 139 auth_server->last_ip = tmp_addr; 143 140 fw_clear_authservers(); 144 141 fw_set_authservers(); 142 } else { 143 free(tmp_addr); 145 144 } 146 145 } trunk/wifidog/wifidog.conf
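Review bot: The comparison on line 137 is inverted: `strcmp(auth_server->last_ip, tmp_addr) == 0` means the resolved address is unchanged, yet that is the branch that replaces `last_ip` and clears and re-sets the auth-server firewall rules, while a genuinely changed address takes the `else` branch and is thrown away. The test should be `if (strcmp(auth_server->last_ip, tmp_addr) != 0) {`. The `strdup` on line 136 is also unchecked, unlike the one on line 130, so a failed allocation reaches `strcmp` with a NULL pointer. The enclosing function starts and ends outside this hunk.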
r221 r290 2 2 # WiFiDog Configuration file 3 3 4 # Par m: GatewayID4 # Parameter: GatewayID 5 5 # Default: default 6 6 # Optional but essential for monitoring purposes … … 12 12 GatewayID default 13 13 14 # Par m: ExternalInterface14 # Parameter: ExternalInterface 15 15 # Default: NONE 16 16 # Mandatory … … 20 20 ExternalInterface eth0 21 21 22 # Par m: GatewayInterface22 # Parameter: GatewayInterface 23 23 # Default: NONE 24 24 # Mandatory … … 28 28 GatewayInterface eth1 29 29 30 # Par m: GatewayAddress30 # Parameter: GatewayAddress 31 31 # Default: NONE 32 32 # Mandatory … … 36 36 GatewayAddress 192.168.1.1 37 37 38 # Par m: AuthServMaxTries38 # Parameter: AuthServMaxTries 39 39 # Default: 1 40 40 # Optional … … 46 46 # AuthServMaxTries 3 47 47 48 # Par m: AuthServer48 # Parameter: AuthServer 49 49 # Default: NONE 50 50 # Mandatory … … 79 79 #} 80 80 81 # Par m: Daemon81 # Parameter: Daemon 82 82 # Default: 1 83 83 # Optional … … 86 86 # Daemon 1 87 87 88 # Par m: GatewayPort88 # Parameter: GatewayPort 89 89 # Default: 2060 90 90 # Optional … … 93 93 # GatewayPort 2060 94 94 95 # Par m: HTTPDName95 # Parameter: HTTPDName 96 96 # Default: WiFiDog 97 97 # Optional … … 100 100 # HTTPDName WiFiDog 101 101 102 # Par m: HTTPDMaxConn102 # Parameter: HTTPDMaxConn 103 103 # Default: 10 104 104 # Optional … … 107 107 # HTTPDMaxConn 10 108 108 109 # Par m: CheckInterval109 # Parameter: CheckInterval 110 110 # Default: 60 111 111 # Optional … … 114 114 CheckInterval 60 115 115 116 # Par m: ClientTimeout116 # Parameter: ClientTimeout 117 117 # Default: 5 118 118 # Optional … … 122 122 ClientTimeout 5 123 123 124 # Parameter: FirewallRuleSet 125 # Default: none 126 # Mandatory 127 # 128 # Groups a number of FirewallRule statements together. 129 130 # Parameter: FirewallRule 131 # Default: none 132 # 133 # Define one firewall rule in a rule set. 134 135 # Rule Set: global 136 # 137 # Used for rules to be applied to all other rulesets except locked. 
138 # This is the default config for the Teliphone service. 139 FirewallRuleSet global { 140 FirewallRule allow udp to 69.90.89.192/27 141 FirewallRule allow udp to 69.90.85.0/27 142 FirewallRule allow tcp port 80 to 69.90.89.205 143 } 144 145 # Rule Set: validating-users 146 # 147 # Used for new users validating their account 148 FirewallRuleSet validating-users { 149 FirewallRule allow udp port 67 150 FirewallRule allow tdp port 67 151 FirewallRule allow udp port 53 152 FirewallRule allow tcp port 53 153 FirewallRule allow tcp port 80 154 FirewallRule allow tcp port 110 155 FirewallRule allow tcp port 995 156 FirewallRule allow tcp port 143 157 FirewallRule allow tcp port 993 158 FirewallRule allow tcp port 220 159 FirewallRule allow tcp port 443 160 FirewallRule block to 0.0.0.0/0 161 } 162 163 # Rule Set: known-users 164 # 165 # Used for normal validated users. 166 FirewallRuleSet known-users { 167 FirewallRule allow to 0.0.0.0/0 168 } 169 170 # Rule Set: unknown-users 171 # 172 # Used for unvalidated users, this is the ruleset that gets redirected. 173 FirewallRuleSet unknown-users { 174 FirewallRule allow udp port 53 175 FirewallRule allow tcp port 53 176 FirewallRule allow udp port 67 177 FirewallRule allow tcp port 67 178 } 179 180 # Rule Set: locked-users 181 # 182 # Used for users that have been locked out. 183 FirewallRuleSet locked-users { 184 FirewallRule block to 0.0.0.0/0 185 }
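Review bot: Line 150, `FirewallRule allow tdp port 67`, spells the protocol `tdp`; given the matching udp rule on line 149 it is presumably meant to be `tcp`. With the parser introduced in this changeset a word that is not `tcp`, `udp` or `icmp` is no longer rejected, so how this rule is installed depends on parsing code that is not visible here; correcting it to `FirewallRule allow tcp port 67` removes the doubt. The `global` set (lines 139–143) ships with addresses described as the default for one specific service; a comment stating that these entries are an example to be replaced would help operators who deploy the file unchanged.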
