diff -uprk.orig rcf-5.2.1s1.orig/ChangeLog rcf-5.2.1s1/ChangeLog --- rcf-5.2.1s1.orig/ChangeLog 2002-01-03 17:32:24 +0300 +++ rcf-5.2.1s1/ChangeLog 2002-12-01 02:20:07 +0300 @@ -1,6 +1,14 @@ RELEASE NOTES +Version 6.0 +----------- +Updated FAQ with PPP and PPTP troubleshooting info. Man pages and FAQ +updated with new URL's (http://rcf.mvlan.net:8080/). Removed 69.0.0.0/8, +92.0.0.0/8 and 221.0.0.0/8 networks, which were removed from IANA +reserved list. Updated Edwin's e-mail address to e.ten.brink@freeler.nl. +Added 790-time-clients. Added Earth and Beyond game module. + Version 5.2.1s1 (January 3rd 2002) ---------------------------------- Dougal Holmes provided several updates, including: contributing diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/functions/device_subnets.sh rcf-5.2.1s1/etc/firewall/functions/device_subnets.sh --- rcf-5.2.1s1.orig/etc/firewall/functions/device_subnets.sh 2002-01-03 17:32:24 +0300 +++ rcf-5.2.1s1/etc/firewall/functions/device_subnets.sh 2002-12-01 02:19:29 +0300 @@ -2,12 +2,12 @@ #----------------------------------------------------------------------- # Copyright (C) 2000-2001, Jean-Sebastien Morisset #----------------------------------------------------------------------- -# $Id: device_subnets.sh,v 1.6 2001/09/02 22:09:26 jsmoriss Exp $ +# $Id: device_subnets.sh,v 1.3 2002/07/30 03:27:13 jsmoriss Exp $ #----------------------------------------------------------------------- # $RCSfile: device_subnets.sh,v $ # $Author: jsmoriss $ -# $Revision: 1.6 $ -# $Date: 2001/09/02 22:09:26 $ +# $Revision: 1.3 $ +# $Date: 2002/07/30 03:27:13 $ # $Locker: $ # $Name: $ #----------------------------------------------------------------------- 
@@ -57,10 +57,10 @@ Device_Subnets () { # netstat -nre 2>/dev/null | \ sed -n -e "s/^\([0-9\.]*\) *\([0-9\.]*\) *\([0-9\.]*\) *U[HG]* *[0-9]* *[0-9]* *[0-9]* *${device}$/\1 \2 \3/p" | \ - grep -v '^\(0\.0\.0\.0\|255\.255\.255\.255\) ' | \ + grep -v '^0\.0\.0\.0 [0-9\.]* 0\.0\.\0.\0' | \ + grep -v '^255\.255\.255\.255 [0-9\.]* 255\.255\.255\.255' | \ sed -n -e 's/^\([0-9\.]*\) [0-9\.]* \([0-9\.]*\)$/\1\/\2/p' } | sort | Sed_Uniq - unset prefix device network netmask ipaddr } diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/groups/iana-reserved-networks rcf-5.2.1s1/etc/firewall/groups/iana-reserved-networks --- rcf-5.2.1s1.orig/etc/firewall/groups/iana-reserved-networks 2002-01-03 17:32:24 +0300 +++ rcf-5.2.1s1/etc/firewall/groups/iana-reserved-networks 2002-12-01 02:20:07 +0300 @@ -5,8 +5,9 @@ # # IANA Reserved Networks. These addresses should not be seen on the # internet. You should update this list once or twice per year. The -# defaults were last verified against (last updated 2001 November 30) in December 2001. +# defaults were last verified against +# +# (last updated October 25, 2002) on November 24, 2002. # #----------------------------------------------------------------------- @@ -25,7 +26,6 @@ 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 -69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 @@ -36,7 +36,6 @@ 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 -82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 @@ -83,7 +82,6 @@ 126.0.0.0/8 127.0.0.0/8 197.0.0.0/8 -221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 240.0.0.0/8 diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/modules/common/online-games/earthandbeyond rcf-5.2.1s1/etc/firewall/modules/common/online-games/earthandbeyond --- rcf-5.2.1s1.orig/etc/firewall/modules/common/online-games/earthandbeyond 1970-01-01 03:00:00 +0300 +++ rcf-5.2.1s1/etc/firewall/modules/common/online-games/earthandbeyond 2002-12-01 02:19:29 +0300 
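Review bot: The new default-route filter `grep -v '^0\.0\.0\.0 [0-9\.]* 0\.0\.\0.\0'` looks mistyped: the genmask is written `0\.0\.\0.\0` instead of `0\.0\.0\.0`, and since `\0` is not a valid BRE escape and the unescaped `.` matches any character, the pattern no longer spells a literal 0.0.0.0, so the default route line (destination 0.0.0.0, genmask 0.0.0.0) can survive into the list this function emits. The next sed turns each surviving line into a network/netmask pair, so an unfiltered 0.0.0.0/0.0.0.0 entry would presumably widen whatever rules consume Device_Subnets' output. Suggested line: `grep -v '^0\.0\.0\.0 [0-9\.]* 0\.0\.0\.0' | \`. The hunk also drops `unset prefix device network netmask ipaddr` without a replacement; if no other cleanup exists these names now leak into the caller's shell — the body of Device_Subnets begins outside the hunk.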
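Review bot: The release notes in the ChangeLog hunk at the top of this patch say `69.0.0.0/8, 92.0.0.0/8 and 221.0.0.0/8` were removed, but the deletion hunk `@@ -36,7 +36,6 @@` in this file removes `82.0.0.0/8`, not 92; one of the two is a typo, and because an entry dropped from this group stops being treated as a bogon, the notes should name exactly the network that was opened so administrators can check it against the IANA list. Either fix the ChangeLog entry or adjust the deletion here, whichever matches the source list consulted on the date this hunk's comment gives (October 25, 2002).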
@@ -0,0 +1,38 @@
+
+#-----------------------------------------------------------------------
+# MODULE CONFIGURATION
+#-----------------------------------------------------------------------
+#
+#m# 123
+#a# accept
+#n# earthandbeyond
+#t# servers
+#
+# |--------------------------------------------------------------------|
+#d# Earth and Beyond (Ports 3000-4000 UDP, 3801 TCP)
+#d#
+#d# Example: (IP shown is EA's, and should work)
+#d# accept-eth0-earthandbeyond-servers = 159.143.232.0/24
+#d#
+# |--------------------------------------------------------------------|
+#
+#
+#-----------------------------------------------------------------------
+# START OF MODULE CODE
+#-----------------------------------------------------------------------
+module_name="earthandbeyond" # module name used in options
+module_type="servers" # module type (clients, servers, etc.)
+tcp_ports="3801" # TCP ports used for login
+udp_ports="3000:4000" # UDP ports used for gaming
+
+action_log="$LOG"
+action_log_msg="$LOG_MSG"
+
+for host in `Option_Value accept $INTOPT $module_name $module_type`
+do
+ Hostports accept remote tcp "Earth and Beyond Login" $host $tcp_ports
+ Hostports accept remote udp "Earth and Beyond game server" $host $udp_ports
+done
+
+unset module_name module_type tcp_ports udp_ports
+unset action_log_msg action_log host
diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/modules/common/port-forwarding/afp rcf-5.2.1s1/etc/firewall/modules/common/port-forwarding/afp
--- rcf-5.2.1s1.orig/etc/firewall/modules/common/port-forwarding/afp 2002-01-03 17:32:25 +0300
+++ rcf-5.2.1s1/etc/firewall/modules/common/port-forwarding/afp 2002-12-01 02:19:29 +0300
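Review bot: `action_log="$LOG"` and `action_log_msg="$LOG_MSG"` are assigned and later `unset`, but nothing in this module reads them; if `Hostports` picks them up as globals, a one-line comment should say so, e.g. `# read by Hostports when it logs the generated rules`, otherwise the two assignments and their unset are dead code. The `#d#` header and the `tcp_ports`/`udp_ports` comments agree with each other (3801 TCP, 3000-4000 UDP), which is good; a short why-comment on `udp_ports="3000:4000"` explaining that the game uses the whole range would help a reviewer who sees a 1001-port UDP accept and wonders whether it can be narrowed.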
@@ -37,8 +37,8 @@ udp_port="548" for host in `Option_Value forward $INTOPT afp host` do - Forward_Hostports tcp "PcAnywhere" $host $tcp_port - Forward_Hostports udp "PcAnywhere" $host $udp_port + Forward_Hostports tcp "AFP" $host $tcp_port + Forward_Hostports udp "AFP" $host $udp_port done unset tcp_port udp_port host diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/modules/common/services/210-real-servers rcf-5.2.1s1/etc/firewall/modules/common/services/210-real-servers --- rcf-5.2.1s1.orig/etc/firewall/modules/common/services/210-real-servers 2002-01-03 17:32:25 +0300 +++ rcf-5.2.1s1/etc/firewall/modules/common/services/210-real-servers 2002-12-01 02:19:29 +0300 @@ -1,4 +1,3 @@ - #----------------------------------------------------------------------- # MODULE CONFIGURATION #----------------------------------------------------------------------- @@ -23,6 +22,10 @@ # START OF MODULE CODE #----------------------------------------------------------------------- +[ ! "$CLUSTER_MODE" ] && \ + { inchain="$INCHAIN"; outchain="$OUTCHAIN"; } || \ + { inchain="$OUTCHAIN"; outchain="$INCHAIN"; } + for host in `Option_Value accept $INTOPT real servers` do echo "Accept $INTOPT $IPADDR -> $HOST RealPlayer $LOG_MSG" @@ -34,4 +37,5 @@ do ipchains -A $inchain -j ACCEPT -p tcp -s $HOST 554 -d $IPADDR $UNPRIVPORTS ! -y $LOG ipchains -A $inchain -j ACCEPT -p tcp -s $HOST 7070 -d $IPADDR $UNPRIVPORTS ! -y $LOG done -unset host + +unset host inchain outchain diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/modules/common/services/225-termserv-clients rcf-5.2.1s1/etc/firewall/modules/common/services/225-termserv-clients --- rcf-5.2.1s1.orig/etc/firewall/modules/common/services/225-termserv-clients 2002-01-03 17:32:25 +0300 +++ rcf-5.2.1s1/etc/firewall/modules/common/services/225-termserv-clients 2002-12-01 02:19:29 +0300 
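Review bot: The chain selection `[ ! "$CLUSTER_MODE" ] && { inchain="$INCHAIN"; outchain="$OUTCHAIN"; } || { inchain="$OUTCHAIN"; outchain="$INCHAIN"; }` in 210-real-servers reads as if/else but is the `a && b || c` pattern; it only behaves correctly because a group of assignments cannot fail, and `if [ "$CLUSTER_MODE" ]; then inchain="$OUTCHAIN"; outchain="$INCHAIN"; else inchain="$INCHAIN"; outchain="$OUTCHAIN"; fi` states the same thing without that subtlety. Note that 330-smb-hosts in this same patch keys the equivalent decision on `$CLUSTER_NAME`, not `$CLUSTER_MODE`; confirm both variables exist and mean what each module assumes, since a mis-spelled name is silently treated as "not a cluster" and selects the wrong chains. The trailing `unset host inchain outchain` correctly clears the new variables.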
@@ -1,7 +1,8 @@ + #----------------------------------------------------------------------- -# Copyright (C) 2000-2001, Jean-Sebastien Morisset +# Copyright (C) 2000-2002, Jean-Sebastien Morisset #----------------------------------------------------------------------- -# $Id: 225-termserv-clients,v 1.2 2001/12/27 22:58:59 dholmes Exp $ +# $Id: 225-termserv-clients,v 1.3 2002/03/04 16:28:36 jsmoriss Exp $ #----------------------------------------------------------------------- # README #----------------------------------------------------------------------- @@ -27,12 +28,13 @@ module_name="termserv" # module name used in options module_type="clients" # the module type (clients, servers, etc.) service_name="Terminal Server" # displayed on-screen -service_port="3389 1494" # port number for this service +tcp_service_port="3389 1494" # tcp port numbers +udp_service_port="1604" # udp browser port for host in `Option_Value accept $INTOPT $module_name $module_type` do - Hostports accept local tcp "$service_name" $host $service_port + Hostports accept local tcp "$service_name" $host $tcp_service_port + Hostports accept local udp "" $host $udp_service_port done -unset module_name module_type service_name service_port host - +unset module_name module_type service_name tcp_service_port udp_service_port host diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/modules/common/services/225-termserv-servers rcf-5.2.1s1/etc/firewall/modules/common/services/225-termserv-servers --- rcf-5.2.1s1.orig/etc/firewall/modules/common/services/225-termserv-servers 2002-01-03 17:32:25 +0300 +++ rcf-5.2.1s1/etc/firewall/modules/common/services/225-termserv-servers 2002-12-01 02:19:29 +0300 
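Review bot: The new UDP rule passes an empty service name, `Hostports accept local udp "" $host $udp_service_port`, while the TCP rule beside it passes `"$service_name"`; whatever Hostports prints or logs for this rule will carry a blank description, making it hard to identify in the generated ipchains output. Suggest `Hostports accept local udp "$service_name browser" $host $udp_service_port` (or similar), and the same for the `remote` variant added to 225-termserv-servers in this patch. The comment `# udp browser port` on `udp_service_port="1604"` could also say which of the two services listed in `tcp_service_port` it belongs to, since `service_name` only says Terminal Server.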
@@ -1,7 +1,8 @@ + #----------------------------------------------------------------------- -# Copyright (C) 2000-2001, Jean-Sebastien Morisset +# Copyright (C) 2000-2002, Jean-Sebastien Morisset #----------------------------------------------------------------------- -# $Id: 225-termserv-servers,v 1.2 2001/12/27 22:58:59 dholmes Exp $ +# $Id: 225-termserv-servers,v 1.3 2002/03/04 16:28:36 jsmoriss Exp $ #----------------------------------------------------------------------- # README #----------------------------------------------------------------------- @@ -27,12 +28,13 @@ module_name="termserv" # module name used in options module_type="servers" # the module type (clients, servers, etc.) service_name="Terminal Server" # displayed on-screen -service_port="3389 1494" # port number for this service +tcp_service_port="3389 1494" # tcp port numbers +udp_service_port="1604" # udp browser port for host in `Option_Value accept $INTOPT $module_name $module_type` do - Hostports accept remote tcp "$service_name" $host $service_port + Hostports accept remote tcp "$service_name" $host $tcp_service_port + Hostports accept remote udp "" $host $udp_service_port done -unset module_name module_type service_name service_port host - +unset module_name module_type service_name tcp_service_port udp_service_port host diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/modules/common/services/330-smb-hosts rcf-5.2.1s1/etc/firewall/modules/common/services/330-smb-hosts --- rcf-5.2.1s1.orig/etc/firewall/modules/common/services/330-smb-hosts 2002-01-03 17:32:25 +0300 +++ rcf-5.2.1s1/etc/firewall/modules/common/services/330-smb-hosts 2002-12-01 02:20:07 +0300 
@@ -65,35 +65,34 @@ do done unset action action_log_msg action_log +# Execute this block only once to support all SMB hosts. +# These are generic rules which deal with broadcast addresses. if [ "`Option_Value accept $INTOPT smb hosts`" ] then if [ ! "$CLUSTER_NAME" ] then echo "Accept $INTOPT $IPADDR SMB <-> $BROADCAST SMB $LOG_MSG" - # Added by Jean-Sebastien Morisset on January 14th, 2001 ipchains -A $inchain -j ACCEPT -p udp -s $IPADDR netbios-ns -d $BROADCAST netbios-ns $LOG - - # Commented by Dougal Holmes 2001-04-20 - ####ipchains -A $inchain -j ACCEPT -p udp -s $BROADCAST netbios-ns -d $IPADDR netbios-ns $LOG - ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR netbios-ns -d $BROADCAST netbios-ns $LOG ipchains -A $inchain -j ACCEPT -p udp -s $IPADDR $UNPRIVPORTS -d $BROADCAST netbios-ns $LOG ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR $UNPRIVPORTS -d $BROADCAST netbios-ns $LOG + + # The following rule was added by Jean-Sebastien Morisset 20020620 + ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR netbios-ns -d $BROADCAST_DEST netbios-ns $LOG - # Added by Jean-Sebastien Morisset on January 14th, 2001 ipchains -A $inchain -j ACCEPT -p udp -s $IPADDR netbios-dgm -d $BROADCAST netbios-dgm $LOG - - # Commented by Dougal Holmes 2001-04-20 - ####ipchains -A $inchain -j ACCEPT -p udp -s $BROADCAST netbios-dgm -d $IPADDR netbios-dgm $LOG + ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR netbios-dgm -d $BROADCAST netbios-dgm $LOG - ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR netbios-dgm -d $BROADCAST netbios-dgm $LOG + # The following rule was added by Jean-Sebastien Morisset 20020620 + ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR netbios-dgm -d $BROADCAST_DEST netbios-dgm $LOG ipchains -A $inchain -j DENY -p tcp -s $BROADCAST netbios-ssn -d $IPADDR netbios-ssn $LOG ipchains -A $outchain -j REJECT -p tcp -s $IPADDR netbios-ssn -d $BROADCAST netbios-ssn $LOG fi fi +# These are the host specific SMB rules. 
for host in `Option_Value accept $INTOPT smb hosts` do echo "Accept $INTOPT $IPADDR SMB <-> $host SMB $LOG_MSG" @@ -122,9 +121,6 @@ do ipchains -A $inchain -j ACCEPT -p udp -s $host netbios-dgm -d $IPADDR netbios-dgm $LOG ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR netbios-dgm -d $host netbios-dgm $LOG - # Commented by Dougal Holmes 2001-04-20 - ####ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR $UNPRIVPORTS -d $host netbios-dgm $LOG - # # netbios-ssn # @@ -137,13 +133,16 @@ do ipchains -A $outchain -j ACCEPT -p tcp -s $IPADDR $UNPRIVPORTS -d $host netbios-ssn $LOG ipchains -A $inchain -j ACCEPT -p tcp $SYNOPT -s $host netbios-ssn -d $IPADDR $UNPRIVPORTS $LOG - # # microsoft-ds # - # This new part of the protocol is not supported by Samba, so we can - # ignore the traffic for now. This may change in the future, however. + # This new part of the protocol is not supported by Samba. + # It is the new standard for Windows 2000/XP servers, and may be required by clusters # - ipchains -A $inchain -j DENY -p tcp -s $host $UNPRIVPORTS -d $IPADDR 445 $LOG + ipchains -A $inchain -j ACCEPT -p tcp -s $host $UNPRIVPORTS -d $IPADDR 445 $LOG + ipchains -A $outchain -j ACCEPT -p tcp $SYNOPT -s $IPADDR 445 -d $host $UNPRIVPORTS $LOG + + ipchains -A $outchain -j ACCEPT -p tcp -s $IPADDR $UNPRIVPORTS -d $host 445 $LOG + ipchains -A $inchain -j ACCEPT -p tcp $SYNOPT -s $host 445 -d $IPADDR $UNPRIVPORTS $LOG done unset host diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/modules/common/services/790-time-clients rcf-5.2.1s1/etc/firewall/modules/common/services/790-time-clients --- rcf-5.2.1s1.orig/etc/firewall/modules/common/services/790-time-clients 1970-01-01 03:00:00 +0300 +++ rcf-5.2.1s1/etc/firewall/modules/common/services/790-time-clients 2002-12-01 02:19:29 +0300 
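Review bot: The two rules added in this hunk use `$BROADCAST_DEST`, a variable that is neither set nor tested anywhere in the module, next to the existing `$BROADCAST`; if it is empty on some interface the unquoted expansion collapses to `-d netbios-ns netbios-ns $LOG`, and ipchains will most likely either reject the rule or try to resolve `netbios-ns` as an address. Suggest guarding the pair, `[ "$BROADCAST_DEST" ] && ipchains -A $outchain -j ACCEPT -p udp -s $IPADDR netbios-ns -d $BROADCAST_DEST netbios-ns $LOG`, or stating where BROADCAST_DEST is defined and why a second broadcast address is needed; the comment `# The following rule was added by Jean-Sebastien Morisset 20020620` records who and when but not why, which is the part a maintainer needs.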
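Review bot: The microsoft-ds hunk turns the inbound `DENY` on tcp/445 into `ACCEPT` and adds three more ACCEPT rules, but the surrounding comment still opens with `# This new part of the protocol is not supported by Samba.`, which a reader will take as the reason the traffic was denied — now the opposite of what the rules do. Suggest rewording to the current intent, e.g. `# microsoft-ds (tcp/445): SMB over TCP used by Windows 2000/XP; accepted both ways for listed SMB hosts, needed by clusters`, and mentioning in the module's `#d#` header (outside this hunk) that 445 is now open to configured hosts, since anyone relying on the previous DENY gets a wider rule set on upgrade. The four rules mirror the netbios-ssn pair above (plain outbound, `$SYNOPT` on the reply direction), which looks consistent.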
@@ -0,0 +1,26 @@
+
+#-----------------------------------------------------------------------
+# MODULE CONFIGURATION
+#-----------------------------------------------------------------------
+#
+#m# 123
+#a# accept
+#i# cluster novirtual
+#n# time
+#t# clients
+#
+# |--------------------------------------------------------------------|
+#d# time (Port 37 TCP)
+#d# Allows clients to obtain the time (port 37 TCP). The ntp
+#d# protocol is usually preferred instead of the time protocol.
+# |--------------------------------------------------------------------|
+#
+#-----------------------------------------------------------------------
+# START OF MODULE CODE
+#-----------------------------------------------------------------------
+
+for host in `Option_Value accept $INTOPT time clients`
+do
+ Hostports accept local tcp "Time" $host time
+done
+unset host
diff -uprk.orig rcf-5.2.1s1.orig/etc/firewall/modules/common/services/790-time-servers rcf-5.2.1s1/etc/firewall/modules/common/services/790-time-servers
--- rcf-5.2.1s1.orig/etc/firewall/modules/common/services/790-time-servers 2002-01-03 17:32:25 +0300
+++ rcf-5.2.1s1/etc/firewall/modules/common/services/790-time-servers 2002-12-01 02:19:29 +0300
@@ -10,8 +10,9 @@
 #t# servers
 #
 # |--------------------------------------------------------------------|
+#d# time (Remote port 37 TCP, 37 UDP)
 #d# Allow access to time (port 37) servers in UDP and TCP. The ntp
-#d# protocol is usually prefered instead of the time protocol.
+#d# protocol is usually preferred instead of the time protocol.
 # |--------------------------------------------------------------------|
 #
 #-----------------------------------------------------------------------
diff -uprk.orig rcf-5.2.1s1.orig/FAQ.html rcf-5.2.1s1/FAQ.html
--- rcf-5.2.1s1.orig/FAQ.html 2002-01-03 17:32:24 +0300
+++ rcf-5.2.1s1/FAQ.html 2002-12-01 02:19:29 +0300
@@ -70,6 +70,7 @@ What are those martians in my logs?
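Review bot: `Hostports accept local tcp "Time" $host time` passes the port as the service name `time` rather than the number 37 that the `#d#` header documents; the other modules in this patch (termserv, earthandbeyond) pass numeric ports, and a symbolic name only works if the target system's services database resolves it. Suggest `Hostports accept local tcp "Time" $host 37` so the rule does not depend on that lookup and reads consistently with its siblings. Otherwise the module follows the layout of the existing ones, including the `#i# cluster novirtual` line.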
How do I set up a DMZ (De-Militarized Zone) using RCF?
How would a MZ config look like?
How do I set up VPN (Virtual Private Networking) using RCF?
+How do I enable a PPTP server inside my firewall?
How do I forward ports to a server on my internal LAN?
How can I determine what ports should be forwarded to a server on my internal LAN?
How do I protect Windows machines on my internal LAN from trojans?
@@ -157,20 +158,20 @@ People usually refer to this document or
Maintainer:
Edwin ten Brink
E-mail: -
For remarks on this document only edwin@privateer.student.utwente.nl.
+
For remarks on this document only e.ten.brink@freeler.nl.
PLEASE: Questions on RCF should be directed to the 'users' mailing list. You'll get more and better answers there, since I only collect experiences.
Last revision date: -
December 14, 2001 (Version under development can be found in the dev directory) +
March 11, 2002 (Version under development can be found in the dev directory)
RCF version: -
5.2.1 +
6.0
License:
GPL
Homepage: -
http://rcf.mvlan.net/
+
http://rcf.mvlan.net:8080/
Thanks to:
All people who posed questions... and those who provided answers. -This document will never be complete. Feedback, also positive, is highly +This document will never be complete. Feedback, also positive, is highly appreciated.

1. HELP! - It doesn't work!

    @@ -190,7 +191,7 @@ appreciated.
  • Read this entire document.
  • Use all information quoted in the websites and documentation.
  • Pose a question, on the mailing list
    -
  • The latest version of this FAQ is available in the dev directory
    +
  • The latest version of this FAQ is available in the dev directory
Q: RCF gives an error/warning.
@@ -236,6 +237,9 @@ Invoke RCF like this, so RCF will keep g the initscripts when my computer boots. I'm using RedHat 6.1 or older (initscripts older than 5.0).
A: RCF conforms to initscripts 5.0. You should upgrade your initscripts to 5.0 or better.

+
Q: RCF blocks my ppp connection. +
A: These are the symptoms: Without rcf running your dialup works fine, but not if you run rcf at start up. It ignores the interface because its not up. If you wait for the modem to connect and the interface to go up, then re-run the firewall, everything works. This behavior is intended. Since the IP address of you ppp connection is unknown before you start it up, rcf (or any other firewall for that matter) cannot implement any rules, since it needs to know the ip address of the connection in order to set up the rules. You may want to use the --refresh-interfaces option after the ppp connection goes up or down. Or just start and stop the firewall with the connection, by adding '/etc/init.d/firewall restart' to your /etc/ppp/ip-up.local file (or create a file in /etc/ppp/ip-up.d/ to start it on Debian.)
+
Q: I can't get the virtual interfaces to work!
A: It seems that the code is flawed at least as far as 5.1b7. You should upgrade to a better version.

@@ -367,7 +371,7 @@ files.
Plain tar file / Slackware
  • Untar it.
  • Run the install.sh script. -
  • For more info, or manual install, please refer to the installation notes. +
  • For more info, or manual install, please refer to the installation notes.
RedHat (RPM)
rpm -U rcf-noarch-[version].rpm @@ -564,11 +568,11 @@ automagically for me.

Installing / upgrading

Where can I get the latest version of RCF?

-
The latest stable version will be available at the homepage and at +
The latest stable version will be available at the homepage and at Freshmeat. If you feel the need to have the latest version, for development, or because you need the state-of-the-art, you can download the development version at: -http://rcf.mvlan.net/dist/dev/
+http://rcf.mvlan.net:8080/dist/dev/
Be advised that the development version may contain bugs, doesn't function correctly etc.
It is not recommended to run the development version on a production @@ -1119,6 +1123,20 @@ you have accept-[int]-ping-clients set c

+
How do I enable a PPTP server inside my firewall?
+
+
The PPTP modules only allow Network Address Translation (NAT) for clients, and +not for servers. So if your PPTP server is on the Internal LAN using a private, +NAT'd address, then it will not work. This is a restriction of the PPTP protocol, +and not rcf. If, however, your PPTP server is in a DMZ, then the modules work. +Put 030-pptp-clients into the DMZ interface, setup a cluster on the DMZ which +includes the PPTP server, and update the config file. Then put the desired client +addresses in the DMZ cluster, and away it should go. 030-pptp-servers is used to +control which PPTP servers you want to connect to, either from the firewall, or +from the internal LAN (provided you have the pptp module loaded into the kernel if +you are using NAT).
+
+
How do I forward ports to a server on my internal LAN?

@@ -1183,7 +1201,7 @@ your configuration file.
How can I use multiple public connections in a fail-over setup?

In this example we have an ADSL modem on ppp0 and a CableModem on eth1. All -referenced scripts can be found in a contrib directory, http://rcf.mvlan.net/dist/contrib/adsl-cable-failover/. +referenced scripts can be found in a contrib directory, http://rcf.mvlan.net:8080/dist/contrib/adsl-cable-failover/. The idea is to use the ADSL to host web servers, etc., and the CableModem for all outgoing stuff (like browsing the web from LAN PCs, outgoing e-mail, etc.). If one of the lines goes down, traffic should start using the other viable @@ -1261,7 +1279,7 @@ And the adsl routing table:
default via 64.39.160.16 dev ppp0 Don't forget that the 'route' script must be called if/when one of your public IPs change. The -cablemodem uses a dhcp client which executes a script called dhcpcd-eth1.exe +cablemodem uses a dhcp client which executes a script called dhcpcd-eth1.exe (created by Jean-Sébastien Morisset) after it changes the ip. This script reloads the firewall rules for eth1 (only) and calls the 'route' script to update the routing tables.

@@ -1317,7 +1335,7 @@ get out/in before it's completed. This i the firewall chains when only one interface has gone up or down? So in /etc/ppp/ip-up.local and /etc/ppp/ip-down.local you should run rcf as follows:
/sbin/rcf -nsfc -ri $1
-You can also use a wrapper to add a file locking scheme to stop rcf +You can also use a wrapper to add a file locking scheme to stop rcf running twice at the same time. This is necessary when several connections are possible at once, such as a dial-in or pptp setup. It's possible you are also getting this, where the ip-up.local rcf is running before the @@ -1382,26 +1400,26 @@ or your network. Put that host in your b

Development

How can I contribute my module to the current sources through CVS?

-
The CVS repository is used to add new or modified files. You can browse the file hierarchy by picking directories (which have slashes after them, e.g., rcf-5.2.1/). If you pick a file, you will see the revision history for that file. Selecting a revision number will display it's revision. There is a link at each revision to display diffs between that revision and the previous one. A form at the bottom of the page will also allow you to display diffs between arbitrary revisions.
+
The CVS repository is used to add new or modified files. You can browse the file hierarchy by picking directories (which have slashes after them, e.g., rcf-5.2.1/). If you pick a file, you will see the revision history for that file. Selecting a revision number will display it's revision. There is a link at each revision to display diffs between that revision and the previous one. A form at the bottom of the page will also allow you to display diffs between arbitrary revisions.

You can also checkout the latest code using our public cvs pserver. Here's an example of the syntax:
-cvs -d :pserver:anonymous@cvs.mvlan.net:/rcf login
-cvs -d :pserver:anonymous@cvs.mvlan.net:/rcf co rcf-5.2.1

+cvs -d :pserver:anonymous@cvs.mvlan.net:8080:/rcf login
+cvs -d :pserver:anonymous@cvs.mvlan.net:8080:/rcf co rcf-5.2.1


Or to checkout a specific release (aka branch):
-cvs -d :pserver:anonymous@cvs.mvlan.net:/rcf co -r [branch] rcf-5.2.1
+cvs -d :pserver:anonymous@cvs.mvlan.net:8080:/rcf co -r [branch] rcf-5.2.1

-r [branch] is optional and refers to the current development release (i.e. HEAD, a1, b1, c1, etc.).

To work on the current development code, checkout the main (aka HEAD) branch. Example: -cvs -d :pserver:username@cvs.mvlan.net:/rcf login
-cvs -d :pserver:username@cvs.mvlan.net:/rcf co rcf-5.2.1
+cvs -d :pserver:username@cvs.mvlan.net:8080:/rcf login
+cvs -d :pserver:username@cvs.mvlan.net:8080:/rcf co rcf-5.2.1

If you need to go back to a specific release (to test for reported bugs, create patches, etc.), you should specify the branch. Example:
-cvs -d :pserver:username@cvs.mvlan.net:/rcf update -P -r c1 rcf-5.2.1
+cvs -d :pserver:username@cvs.mvlan.net:8080:/rcf update -P -r c1 rcf-5.2.1

You can go back to the current development version using:
-cvs -d :pserver:username@cvs.mvlan.net:/rcf update -P -r HEAD rcf-5.2.1
+cvs -d :pserver:username@cvs.mvlan.net:8080:/rcf update -P -r HEAD rcf-5.2.1

As we develop the main (aka HEAD) branch, we'll decide to release an alpha, beta, pre-release, etc. version. At that time, Jean-Sébastien will create a new branch. This is only a place marker and should only be used as mentioned above.

@@ -1413,7 +1431,7 @@ The "cvs watchers" command will list who
How can I obtain a CVS account?

-
You should contact Jean-Sébastien directly.
+
You should contact Jean-Sébastien directly.


Miscellaneous

@@ -1441,12 +1459,12 @@ some programs which can do it for you, e
How do I report a bug?

About the RCF script:
-Send a message to the author, Jean-Sébastien Morisset, +Send a message to the author, Jean-Sébastien Morisset, or to the 'users' mailing list.

About the RCF FAQ:
Send a message to the author, -Edwin ten Brink, or to the 'users' mailing list.
+Edwin ten Brink, or to the 'users' mailing list.


How do I contribute to the evolution of RCF?
@@ -1460,7 +1478,7 @@ Send a message to the author, If you have a question on the current version of RCF, your mail should be addressed towards the users list. If you want to have a quick answer to your question, include the version number of RCF you're using, a few relevant lines of your logs and your configuration (obtained with the --show-config parameter).
-Be sure your problem isn't described in the man pages, this FAQ or the mailing list archives already.
+Be sure your problem isn't described in the man pages, this FAQ or the mailing list archives already.


How do I unsubscribe from one of the mailing lists?
@@ -1585,13 +1603,13 @@ that kernel.

5.1 Websites

As everyone knows, nothing changes faster than the Internet, so the links below may have changed. If you find a broken link or a site of which you -feel it really should be in here, please report it to me.
+feel it really should be in here, please report it to me.
There are tons of information out there. This list is not, and will not be, complete. It merely provides useful references.

RCF Homepage

-Main page:

@@ -1740,20 +1758,20 @@ With the subject: "unsubscribe"
about the current production version.
So no development questions!
About the list:
-
http://www.mvlan.net/mailman/listinfo/rcf-users
+
http://www.mvlan.net:8080/mailman/listinfo/rcf-users
Archive of previous posts:
-
http://www.mvlan.net/pipermail/rcf-users/
+
http://www.mvlan.net:8080/pipermail/rcf-users/
Help about the list:
-
Mail to: rcf-users-request@lists.mvlan.net
+
Mail to: rcf-users-request@lists.mvlan.net:8080
With the subject: "help"
Subscribe:
-
Mail to: rcf-users-request@lists.mvlan.net
+
Mail to: rcf-users-request@lists.mvlan.net:8080
With the subject: "subscribe"
Unsubscribe:
-
Mail to: rcf-users-request@lists.mvlan.net
+
Mail to: rcf-users-request@lists.mvlan.net:8080
With the subject: "unsubscribe"
Posting a message:
-
Mail to: rcf-users@lists.mvlan.net
+
Mail to: rcf-users@lists.mvlan.net:8080

Linux ipchains firewall developers mailing list @@ -1761,20 +1779,20 @@ With the subject: "unsubscribe"
Audience:
Users who want to participate in or stay informed about developments of RCF
About the list:
-
http://www.mvlan.net/mailman/listinfo/rcf-dev
+
http://www.mvlan.net:8080/mailman/listinfo/rcf-dev
Archive of previous posts:
-
http://www.mvlan.net/pipermail/rcf-dev/
+
http://www.mvlan.net:8080/pipermail/rcf-dev/
Help about the list:
-
Mail to: rcf-dev-request@lists.mvlan.net
+
Mail to: rcf-dev-request@lists.mvlan.net:8080
With the subject: "help"
Subscribe:
-
Mail to: rcf-dev-request@lists.mvlan.net
+
Mail to: rcf-dev-request@lists.mvlan.net:8080
With the subject: "subscribe"
Unsubscribe:
-
Mail to: rcf-dev-request@lists.mvlan.net
+
Mail to: rcf-dev-request@lists.mvlan.net:8080
With the subject: "unsubscribe"
Posting a message:
-
Mail to: rcf-dev@lists.mvlan.net +
Mail to: rcf-dev@lists.mvlan.net:8080

Other, security- or firewall related mailing-lists

Various lists can be found at SecurityFocus, among diff -uprk.orig rcf-5.2.1s1.orig/fwinit rcf-5.2.1s1/fwinit --- rcf-5.2.1s1.orig/fwinit 2002-01-03 17:32:24 +0300 +++ rcf-5.2.1s1/fwinit 2002-12-01 02:19:29 +0300 @@ -3,12 +3,12 @@ #----------------------------------------------------------------------- # Copyright (C) 2000-2001, Jean-Sebastien Morisset #----------------------------------------------------------------------- -# $Id: fwinit,v 1.5 2001/08/23 19:55:17 jsmoriss Exp $ +# $Id: fwinit,v 1.4 2002/07/30 03:27:47 jsmoriss Exp $ #----------------------------------------------------------------------- # $RCSfile: fwinit,v $ # $Author: jsmoriss $ -# $Revision: 1.5 $ -# $Date: 2001/08/23 19:55:17 $ +# $Revision: 1.4 $ +# $Date: 2002/07/30 03:27:47 $ # $Locker: $ # $Name: $ #----------------------------------------------------------------------- @@ -24,11 +24,14 @@ # #----------------------------------------------------------------------- -# chkconfig: 2345 12 90 +# chkconfig: 2345 125 900 # description: rcf (aka rc.firewall) is an ipchains-based firewall with support for over 50 network services (including vtun, dhcp, nfs, smb, napster, proxies, online games, etc.), masquerading, port forwarding, and ip accounting. All services are self-contained modules which can be prioritized easily in the ipchains stack. Protections include spoofing, stuffed routing/masqerading, DoS, smurf attacks, outgoing port scans, and many more. rcf also supports multiple public, private (masqu'ed), dmz, and mz (non-masq'ed) networks and interfaces. Access rules are defined per interface and dmz/mz server groups. # processname: # config: /etc/firewall.conf - + +# Required by Oxygen LRP distribution. +RCDLINKS="0,K90 1,K90 2,S12 3,S12 4,S12 5,S12 6,K90" + # Source function library [ -f /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions # Red Hat 
@@ -53,7 +56,11 @@ RETVAL=0
 # See how we were called.
 case "$1" in
 start|restart|reload|force-reload)
- /sbin/rcf
+ # if rcf is started as part of the regular system boot process,
+ # copy stdout to console.
+ [ "$RUNLEVEL" ] \
+ && /sbin/rcf | tee -a /dev/console \
+ || /sbin/rcf
 RETVAL=$?
 if [ $RETVAL -eq 0 ]
 then
diff -uprk.orig rcf-5.2.1s1.orig/INSTALL rcf-5.2.1s1/INSTALL
--- rcf-5.2.1s1.orig/INSTALL 2002-01-03 17:32:24 +0300
+++ rcf-5.2.1s1/INSTALL 2002-12-01 02:19:29 +0300
@@ -1,5 +1,5 @@
-Copyright (C) 2000-2001, Jean-Sebastien Morisset
+Copyright (C) 2000-2002, Jean-Sebastien Morisset
 rcf - the most secure and complete ipchains Firewall for Linux. This program is free software; you can redistribute it and/or modify it
@@ -11,10 +11,6 @@ WITHOUT ANY WARRANTY; without even the i
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (LICENSE file in archive) for more details.
-************************************************************************
- PLEASE SEE FOR PRIVATE AND COMMERCIAL USE.
-************************************************************************ - DESCRIPTION rcf (aka rc.firewall) is an ipchains-based firewall with support for
@@ -163,7 +159,7 @@ services/. FAQ
-The FAQ is available at .
+The FAQ is available at .
 MAILING LIST
@@ -171,7 +167,7 @@ If you need help, would like to know whe
 or contribute to the general evolution of this script, subscribe to our mailing lists:
- http://lists.mvlan.net/mailman/listinfo/rcf-users
- http://lists.mvlan.net/mailman/listinfo/rcf-dev
- http://lists.mvlan.net/mailman/listinfo/rcf-announce
+ http://lists.mvlan.net:8080/mailman/listinfo/rcf-users
+ http://lists.mvlan.net:8080/mailman/listinfo/rcf-dev
+ http://lists.mvlan.net:8080/mailman/listinfo/rcf-announce
diff -uprk.orig rcf-5.2.1s1.orig/sbin/rcf rcf-5.2.1s1/sbin/rcf
--- rcf-5.2.1s1.orig/sbin/rcf 2002-01-03 17:32:25 +0300
+++ rcf-5.2.1s1/sbin/rcf 2002-12-01 02:19:29 +0300
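Review bot: The new `[ "$RUNLEVEL" ] && /sbin/rcf | tee -a /dev/console || /sbin/rcf` chain has two problems: the status captured by the following `RETVAL=$?` is tee's, not rcf's, so a failing rcf at boot is reported as success by the `if [ $RETVAL -eq 0 ]` that follows, and if the tee pipeline itself returns non-zero the `||` branch runs `/sbin/rcf` a second time. An explicit if/else removes the double run and makes the intent readable; recovering rcf's own exit status through the pipe needs `${PIPESTATUS[0]}`, which is only available if this script runs under bash (the shebang is outside the hunk), so that part is hedged in the sketch below.
```shell
start|restart|reload|force-reload)
	# if rcf is started as part of the regular system boot process,
	# copy stdout to console as well.
	if [ "$RUNLEVEL" ]
	then
		/sbin/rcf | tee -a /dev/console
		# NOTE: $? is tee's status; under bash use RETVAL=${PIPESTATUS[0]}
		RETVAL=$?
	else
		/sbin/rcf
		RETVAL=$?
	fi
	# … unchanged: if [ $RETVAL -eq 0 ] …
```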
@@ -3,12 +3,12 @@ #----------------------------------------------------------------------- # Copyright (C) 2000-2001, Jean-Sebastien Morisset #----------------------------------------------------------------------- -# $Id: rcf,v 1.17 2001/12/15 13:08:36 edwin Exp $ +# $Id: rcf,v 1.4 2002/07/30 03:28:24 jsmoriss Exp $ #----------------------------------------------------------------------- # $RCSfile: rcf,v $ -# $Author: edwin $ -# $Revision: 1.17 $ -# $Date: 2001/12/15 13:08:36 $ +# $Author: jsmoriss $ +# $Revision: 1.4 $ +# $Date: 2002/07/30 03:28:24 $ # $Locker: $ # $Name: $ #----------------------------------------------------------------------- @@ -343,9 +343,6 @@ sed -e '' <. rcf (aka rc.firewall) v${PKG_VERSION} and all related scripts come with ABSOLUTELY NO WARRANTY; for details see the LICENSE file included in the rcf distribution. --------------------------------------------------------------------------------- - PLEASE SEE FOR PRIVATE AND COMMERCIAL USE. THANK YOU. --------------------------------------------------------------------------------- EOF # @@ -695,12 +692,15 @@ then done [ "$TEST" ] || echo "" - if [ "`echo $MASQ_TIMEOUTS|grep '^[0-9][0-9]* *[0-9][0-9]* *[0-9][0-9]*$'`" ] + if [ "$MASQ_TIMEOUTS" ] then + if [ "`echo $MASQ_TIMEOUTS|grep '^[0-9][0-9]* *[0-9][0-9]* *[0-9][0-9]*$'`" ] + then echo "Changing IP Masquerading Timeouts" ipchains -M -S $MASQ_TIMEOUTS - else + else echo "WARNING: ipmasq-timeouts option set incorrectly!" + fi fi fi diff -uprk.orig rcf-5.2.1s1.orig/TODO rcf-5.2.1s1/TODO --- rcf-5.2.1s1.orig/TODO 2002-01-03 17:32:24 +0300 +++ rcf-5.2.1s1/TODO 2002-12-01 02:19:29 +0300 @@ -1,6 +1,8 @@ -Version 5.3 +Version 6.0 ----------- +Compatibility with Linux 2.2.x ipchains AND 2.4.x iptables. + Add an option to define which subnets are allowed to be routed. Rename all options from {action}-{int}-{service}-{type} to 
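Review bot: The validation regex kept in the new inner `if` uses ` *` (zero or more spaces) between the three numeric fields, so a value such as `123` or `60 120` passes the check and reaches `ipchains -M -S $MASQ_TIMEOUTS` with too few arguments, leaving the new `WARNING: ipmasq-timeouts option set incorrectly!` branch unreachable for that malformed input. Requiring at least one separator, `'^[0-9][0-9]*[ ][ ]*[0-9][0-9]*[ ][ ]*[0-9][0-9]*$'`, makes the guard match the three values `ipchains -M -S` expects. The enclosing `if`/`then` that this block sits in starts outside the hunk.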
@@ -10,7 +12,3 @@ an easy conversion of the configuration Convert the configuration file to XML. -Version 6.0 ------------ -Compatibility with Linux 2.2.x ipchains AND 2.4.x iptables. - diff -uprk.orig rcf-5.2.1s1.orig/usr/man/firewall.conf.5 rcf-5.2.1s1/usr/man/firewall.conf.5 --- rcf-5.2.1s1.orig/usr/man/firewall.conf.5 2002-01-03 17:32:25 +0300 +++ rcf-5.2.1s1/usr/man/firewall.conf.5 2002-12-01 02:19:29 +0300 @@ -3,7 +3,7 @@ .\" .\" Original: Jean-Sebastien Morisset .\" -.TH FIREWALL.CONF 5 "AUGUST 2001" "RCF 5.2.1" "User Manuals" +.TH FIREWALL.CONF 5 "JANUARY 2002" "RCF 6.0" "User Manuals" .SH NAME @@ -140,31 +140,31 @@ groups, modules, and sbin directories. The \fBrcf\fR Frequently Asked Questions (FAQ) are available at: .TP - + .RS .RE - + .RS .RE .SH BUGS -If you experience any problems using \fBrcf\fR, please subscribe to our mailing list . If you'd like to contribute to the evolution of \fBrcf\fR, you can also join the development list at . +If you experience any problems using \fBrcf\fR, please subscribe to our mailing list . If you'd like to contribute to the evolution of \fBrcf\fR, you can also join the development list at . .SH UPDATES Releases of \fBrcf\fR are announced on Freshmeat . .TP -Development and production releases are also announced on our mailing list . +Development and production releases are also announced on our mailing list . .TP The latest versions are always available from: .TP - + .RS .RE - + .RS .RE diff -uprk.orig rcf-5.2.1s1.orig/usr/man/rcf.8 rcf-5.2.1s1/usr/man/rcf.8 --- rcf-5.2.1s1.orig/usr/man/rcf.8 2002-01-03 17:32:25 +0300 +++ rcf-5.2.1s1/usr/man/rcf.8 2002-12-01 02:19:29 +0300 @@ -3,7 +3,7 @@ .\" .\" Original: Jean-Sebastien Morisset .\" -.TH RCF 8 "AUGUST 2001" "RCF 5.2.1" "User Manuals" +.TH RCF 8 "JANUARY 2002" "RCF 6.0" "User Manuals"" .SH NAME 
@@ -49,7 +49,6 @@ rcf \- the most complete and secure ipch .TP \fBrcf\fR (aka rc.firewall) is an ipchains-based firewall with support for over 50 network services (including vtun, dhcp, nfs, smb, napster, proxies, online games, etc.), masquerading, port forwarding, and ip accounting. All services are self-contained modules which can be prioritized easily in the ipchains stack. Protections include spoofing, stuffed routing/masqerading, DoS, smurf attacks, outgoing port scans, and many more. \fBrcf\fR also supports multiple public, private (masqu'ed), dmz, and mz (non-masq'ed) networks and interfaces. Access rules are defined per interface and dmz/mz server groups. .TP -If you use \fBrcf\fR in a commercial setting, please refer to . .SH OPTIONS @@ -143,31 +142,31 @@ For security reasons, your \fBPATH\fR en The \fBrcf\fR Frequently Asked Questions (FAQ) are available at: .TP - + .RS .RE - + .RS .RE .SH BUGS -If you experience any problems using \fBrcf\fR, please subscribe to our mailing list . If you'd like to contribute to the evolution of \fBrcf\fR, you can also join the development list at . +If you experience any problems using \fBrcf\fR, please subscribe to our mailing list . If you'd like to contribute to the evolution of \fBrcf\fR, you can also join the development list at . .SH UPDATES Releases of \fBrcf\fR are announced on Freshmeat . .TP -Development and production releases are also announced on our mailing list . +Development and production releases are also announced on our mailing list . .TP The latest versions are always available from: .TP - + .RS .RE - + .RS .RE diff -uprk.orig rcf-5.2.1s1.orig/usr/man/rcf-groups.5 rcf-5.2.1s1/usr/man/rcf-groups.5 --- rcf-5.2.1s1.orig/usr/man/rcf-groups.5 2002-01-03 17:32:25 +0300 +++ rcf-5.2.1s1/usr/man/rcf-groups.5 2002-12-01 02:19:29 +0300 
@@ -1,9 +1,9 @@ .\" -.\" firewall.conf.5 +.\" rcf-groups.5 .\" .\" Original: Jean-Sebastien Morisset .\" -.TH RCF-GROUPS 5 "AUGUST 2001" "RCF 5.2.1" "User Manuals" +.TH RCF-GROUPS 5 "JANUARY 2002" "RCF 6.0" "User Manuals"" .SH NAME @@ -76,31 +76,31 @@ groups, modules, and sbin directories. The \fBrcf\fR Frequently Asked Questions (FAQ) are available at: .TP - + .RS .RE - + .RS .RE .SH BUGS -If you experience any problems using \fBrcf\fR, please subscribe to our mailing list . If you'd like to contribute to the evolution of \fBrcf\fR, you can also join the development list at . +If you experience any problems using \fBrcf\fR, please subscribe to our mailing list . If you'd like to contribute to the evolution of \fBrcf\fR, you can also join the development list at . .SH UPDATES Releases of \fBRCF\fR are announced on Freshmeat . .TP -Development and production releases are also announced on our mailing list . +Development and production releases are also announced on our mailing list . .TP The latest versions are always available from: .TP - + .RS .RE - + .RS .RE diff -uprk.orig rcf-5.2.1s1.orig/usr/man/rcf-modules.5 rcf-5.2.1s1/usr/man/rcf-modules.5 --- rcf-5.2.1s1.orig/usr/man/rcf-modules.5 2002-01-03 17:32:25 +0300 +++ rcf-5.2.1s1/usr/man/rcf-modules.5 2002-12-01 02:19:29 +0300 @@ -1,9 +1,9 @@ .\" -.\" firewall.conf.5 +.\" rcf-modules.5 .\" .\" Original: Jean-Sebastien Morisset .\" -.TH RCF-MODULES 5 "AUGUST 2001" "RCF 5.2.1" "User Manuals" +.TH RCF-MODULES 5 "JANUARY 2002" "RCF 6.0" "User Manuals"" .SH NAME 
@@ -88,31 +88,31 @@ groups, modules, and sbin directories. The \fBrcf\fR Frequently Asked Questions (FAQ) are available at: .TP - + .RS .RE - + .RS .RE .SH BUGS -If you experience any problems using \fBrcf\fR, please subscribe to our mailing list . If you'd like to contribute to the evolution of \fBrcf\fR, you can also join the development list at . +If you experience any problems using \fBrcf\fR, please subscribe to our mailing list . If you'd like to contribute to the evolution of \fBrcf\fR, you can also join the development list at . .SH UPDATES Releases of \fBRCF\fR are announced on Freshmeat . .TP -Development and production releases are also announced on our mailing list . +Development and production releases are also announced on our mailing list . .TP The latest versions are always available from: .TP - + .RS .RE - + .RS .RE