Changeset 230 for floppyfw-3.0

Timestamp:

11/14/07 14:36:08 (5 years ago)

Author:

root

Message:

Too much for one commit but it's what I have. Also floppyfw-3.0.3

Location:

floppyfw-3.0

Files:

• Makefile (modified) (5 diffs)
• configs/config-busybox-1.2.2.1 (modified) (1 diff)
• configs/config-kernel (modified) (19 diffs)
• makefiles/add.mk (modified) (1 diff)
• makefiles/iptables.mk (modified) (1 diff)
• makefiles/linux.mk (modified) (5 diffs)
• makefiles/madwifi.mk (modified) (4 diffs)
• makefiles/micro_proxy.mk (modified) (3 diffs)
• makefiles/muninlite.mk (modified) (2 diffs)
• makefiles/soekris.mk (modified) (2 diffs)
• makefiles/wireless-tools.mk (modified) (1 diff)
• scripts/bridge.ini (modified) (3 diffs)
• scripts/config (modified) (2 diffs)
• scripts/dmz-fw.ini (modified) (2 diffs)
• scripts/renew.sh (added)

floppyfw-3.0/Makefile

@@ -78 +78 @@
 # This one sets j<amount of CPUs> but it may be just as good or even better
 # with amount +1
-JLEVEL=-j$(shell expr $(shell grep -i -c '^processor[[:space:]]*:[[:space:]]*[0-9]\+' /proc/cpuinfo) \+ 1)
+# JLEVEL=-j$(shell expr $(shell grep -i -c '^processor[[:space:]]*:[[:space:]]*[0-9]\+' /proc/cpuinfo) \+ 1)
 # Or if running distcc: 
 # JLEVEL=-j5
@@ -105 +105 @@
 # I could have used base but some of the patches has a problem.
 # It's alot here, probably not so smart, cut back later.
-POM_PATCHES=h323-conntrack-nat quake3-conntrack-nat connlimit dstlimit pptp-conntrack-nat directx8-conntrack-nat time cuseeme-nat rtsp-conntrack iprange random ipp2p mms-conntrack-nat connrate msnp-conntrack-nat nth sip-conntrack-nat set expire psd time TARPIT
+POM_PATCHES=h323-conntrack-nat quake3-conntrack-nat connlimit dstlimit pptp-conntrack-nat directx8-conntrack-nat time cuseeme-nat rtsp-conntrack iprange random ipp2p mms-conntrack-nat connrate msnp-conntrack-nat nth sip-conntrack-nat set expire psd TARPIT
 
 # After switching to a newer p-o-m;
@@ -127 +127 @@
 # This works the same way as NIC_MODULES.
 # If you want options to the module, put them in a () after the module.
-IPTABLES_MODULES=ip_conntrack arp_tables iptable_filter arptable_filter iptable_mangle ipt_state ipt_MASQUERADE ipt_SET ipt_DSCP ipt_REJECT ipt_DSCP ipt_ECN ipt_LOG ipt_MARK ipt_REDIRECT ipt_TCPMSS ipt_TOS ipt_ULOG ipt_conntrack ipt_connlimit ipt_dscp ipt_ecn ipt_helper ipt_length ipt_limit ipt_mac ipt_mark ipt_physdev ipt_pkttype ipt_tcpmss ipt_tos ipt_ttl ipt_unclean ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc(ports=6666,6667,6668,7000) ip_nat_irc sch_htb ip_conntrack_h323 ip_conntrack_mms ip_nat_mms ip_conntrack_rtsp ip_conntrack_pptp ip_conntrack_quake3 ipt_iprange ipt_multiport ip_nat_proto_gre ipt_ipp2p
+IPTABLES_MODULES=ip_conntrack arp_tables iptable_filter arptable_filter iptable_mangle ipt_state ipt_MASQUERADE ipt_SET ipt_DSCP ipt_REJECT ipt_DSCP ipt_ECN ipt_LOG ipt_MARK ipt_REDIRECT ipt_TCPMSS ipt_TOS ipt_ULOG ipt_conntrack ipt_connlimit ipt_dscp ipt_ecn ipt_helper ipt_length ipt_limit ipt_mac ipt_mark ipt_physdev ipt_pkttype ipt_tcpmss ipt_tos ipt_ttl ipt_unclean ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc(ports=6666,6667,6668,7000) ip_nat_irc sch_htb ip_conntrack_h323 ip_conntrack_mms ip_nat_mms ip_conntrack_rtsp ip_conntrack_pptp ip_conntrack_quake3 ipt_iprange ipt_multiport ip_nat_proto_gre ipt_ipp2p ipt_time
 
 #ipt_MIRROR 
@@ -188 +188 @@
 TARGETS+=tcpdump
 TARGETS+=madwifi
+TARGETS+=muninlite
+TARGETS+=micro_proxy
 # TARGETS+=quagga
 
@@ -251 +253 @@
 SSTRIP=$(shell command type sstrip >/dev/null 2>&1 && echo sstrip || echo $(STRIP))
 
-DEPMOD=(cd $(LINUX_DIR); \
-        /sbin/depmod -ae -F System.map -b $(MODULES_DIR) -r $(LINUX_VERSION))
+#DEPMOD=(cd $(LINUX_DIR); \
+#       /sbin/depmod -ae -F System.map -b $(MODULES_DIR) -r $(LINUX_VERSION))
+
+DEPMOD=([ -d $(MODULES_DIR)/lib/modules/$(LINUX_VERSION) ] && \
+        $(BASE_DIR)/perl/depmod.pl -n \
+                -b $(MODULES_DIR)/lib/modules/$(LINUX_VERSION)/ \
+                -k $(LINUX_DIR)/vmlinux \
+                > $(LINUX_MODULES_DEP) )
 
 # SED=/bin/sed -i -e

floppyfw-3.0/configs/config-busybox-1.2.2.1

@@ -494 +494 @@
 # CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set
 # CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set
-# CONFIG_IFCONFIG is not set
+CONFIG_IFCONFIG=y
 CONFIG_FEATURE_IFCONFIG_STATUS=y
 CONFIG_FEATURE_IFCONFIG_SLIP=y

floppyfw-3.0/configs/config-kernel

@@ -1 +1 @@
 #
-# Automatically generated by make menuconfig: don't edit
-#
+# Automatically generated make config: don't edit
+#
+# CONFIG_X86_64 is not set
 CONFIG_X86=y
 # CONFIG_SBUS is not set
@@ -300 +301 @@
 # CONFIG_IP_VS_DEBUG is not set
 CONFIG_IP_VS_TAB_BITS=12
+
+#
+# IPVS scheduler
+#
 CONFIG_IP_VS_RR=m
 CONFIG_IP_VS_WRR=m
@@ -310 +315 @@
 CONFIG_IP_VS_SED=m
 CONFIG_IP_VS_NQ=m
+
+#
+# IPVS application helper
+#
 CONFIG_IP_VS_FTP=m
 # CONFIG_IPV6 is not set
@@ -325 +334 @@
 # CONFIG_ATM is not set
 CONFIG_VLAN_8021Q=y
+
+#
+#  
+#
 CONFIG_IPX=m
 # CONFIG_IPX_INTERN is not set
@@ -410 +423 @@
 #
 CONFIG_BLK_DEV_IDE=m
+
+#
+# Please see Documentation/ide.txt for help/info on IDE drives
+#
 # CONFIG_BLK_DEV_HD_IDE is not set
 # CONFIG_BLK_DEV_HD is not set
@@ -423 +440 @@
 # CONFIG_BLK_DEV_IDESCSI is not set
 # CONFIG_IDE_TASK_IOCTL is not set
+
+#
+# IDE chipset support/bugfixes
+#
 # CONFIG_BLK_DEV_CMD640 is not set
 # CONFIG_BLK_DEV_CMD640_ENHANCED is not set
@@ -480 +501 @@
 #
 CONFIG_SCSI=m
+
+#
+# SCSI support type (disk, tape, CD-ROM)
+#
 CONFIG_BLK_DEV_SD=m
 CONFIG_SD_EXTRA_DEVS=40
@@ -488 +513 @@
 CONFIG_SR_EXTRA_DEVS=2
 CONFIG_CHR_DEV_SG=m
+
+#
+# Some SCSI devices (e.g. CD jukebox) support multiple LUNs
+#
 CONFIG_SCSI_DEBUG_QUEUES=y
 # CONFIG_SCSI_MULTI_LUN is not set
@@ -741 +770 @@
 CONFIG_YELLOWFIN=m
 CONFIG_R8169=m
+CONFIG_SKGE=m
+CONFIG_SKY2=m
 CONFIG_SK98LIN=m
 CONFIG_TIGON3=m
@@ -778 +809 @@
 CONFIG_TMD_HERMES=m
 CONFIG_PCI_HERMES=m
+
+#
+# Wireless Pcmcia cards support
+#
 CONFIG_PCMCIA_HERMES=m
 CONFIG_AIRO_CS=m
 CONFIG_PCMCIA_ATMEL=m
+
+#
+# Prism54 PCI/PCMCIA GT/Duette Driver - 802.11(a/b/g)
+#
 CONFIG_PRISM54=m
 CONFIG_FW_LOADER=m
@@ -898 +937 @@
 # CONFIG_INPUT_SERIO is not set
 # CONFIG_INPUT_SERPORT is not set
+
+#
+# Joysticks
+#
 # CONFIG_INPUT_ANALOG is not set
 # CONFIG_INPUT_A3D is not set
@@ -1129 +1172 @@
 CONFIG_USB=m
 # CONFIG_USB_DEBUG is not set
+
+#
+# Miscellaneous USB options
+#
 # CONFIG_USB_DEVICEFS is not set
 # CONFIG_USB_BANDWIDTH is not set
+
+#
+# USB Host Controller Drivers
+#
 CONFIG_USB_EHCI_HCD=m
 CONFIG_USB_UHCI=m
@@ -1137 +1188 @@
 CONFIG_USB_SL811HS_ALT=m
 CONFIG_USB_SL811HS=m
+
+#
+# USB Device Class drivers
+#
 # CONFIG_USB_AUDIO is not set
 # CONFIG_USB_EMI26 is not set
+
+#
+#   USB Bluetooth can only be used with disabled Bluetooth subsystem
+#
 # CONFIG_USB_MIDI is not set
 CONFIG_USB_STORAGE=m
@@ -1152 +1211 @@
 CONFIG_USB_ACM=m
 CONFIG_USB_PRINTER=m
+
+#
+# USB Human Interface Devices (HID)
+#
 CONFIG_USB_HID=m
 CONFIG_USB_HIDINPUT=y
@@ -1161 +1224 @@
 # CONFIG_USB_KBTAB is not set
 # CONFIG_USB_POWERMATE is not set
+
+#
+# USB Imaging devices
+#
 # CONFIG_USB_DC2XX is not set
 # CONFIG_USB_MDC800 is not set
@@ -1166 +1233 @@
 # CONFIG_USB_MICROTEK is not set
 # CONFIG_USB_HPUSBSCSI is not set
+
+#
+# USB Multimedia devices
+#
+
+#
+#   Video4Linux support is needed for USB Multimedia device support
+#
+
+#
+# USB Network adaptors
+#
 CONFIG_USB_PEGASUS=m
 CONFIG_USB_RTL8150=m
@@ -1172 +1251 @@
 CONFIG_USB_CDCETHER=m
 CONFIG_USB_USBNET=m
+
+#
+# USB port drivers
+#
 # CONFIG_USB_USS720 is not set
 
@@ -1178 +1261 @@
 #
 # CONFIG_USB_SERIAL is not set
+
+#
+# USB Miscellaneous drivers
+#
 # CONFIG_USB_RIO500 is not set
 CONFIG_USB_AUERSWALD=m
@@ -1194 +1281 @@
 CONFIG_USB_GADGET_CONTROLLER=m
 CONFIG_USB_GADGET_DUALSPEED=y
+
+#
+# USB Gadget Drivers
+#
 CONFIG_USB_ZERO=m
 CONFIG_USB_ETH=m

floppyfw-3.0/makefiles/add.mk

@@ -13 +13 @@
         cp $(SCRIPTS_DIR)/udhcpcrenew.sh $(ADD_MASTER)/etc/.
         cp $(SCRIPTS_DIR)/renew-dnsmasq.sh $(ADD_MASTER)/etc/.
+        cp $(SCRIPTS_DIR)/renew-outside.sh $(ADD_MASTER)/etc/.
         # cp $(SCRIPTS_DIR)/fakeleases.sh $(ADD_MASTER)/etc/.
         cp $(SCRIPTS_DIR)/udhcpd.conf.sh $(ADD_MASTER)/etc/.

floppyfw-3.0/makefiles/iptables.mk

@@ -5 +5 @@
 #############################################################
 
-IPTABLES_VERSION=1.3.7
+IPTABLES_VERSION=1.3.8
 
 IPTABLES_SOURCE_URL=http://netfilter.org/projects/iptables/files/

floppyfw-3.0/makefiles/linux.mk

@@ -27 +27 @@
 
 # Version of Linux to download and then apply patches to
-DOWNLOAD_LINUX_VERSION=2.4.35.1
+DOWNLOAD_LINUX_VERSION=2.4.35.3
 # Version of Linux AFTER patches
 LINUX_VERSION=$(DOWNLOAD_LINUX_VERSION)-floppyfw-$(FLOPPYFW_VERSION)
@@ -133 +133 @@
         $(SED) 's/^EXTRAVERSION\s=\s(.*)/EXTRAVERSION = $$1-floppyfw-$(FLOPPYFW_VERSION)/;' \
                 $(LINUX_DIR)/Makefile
-        $(MAKE) -C $(LINUX_DIR) oldconfig include/linux/version.h
+        $(MAKE) D=1 V=1 ARCH=$(ARCH) -C $(LINUX_DIR) oldconfig include/linux/version.h
+        # Annoying but hopefully this is enough:
+        # And I'm using perl as sed...
+        $(SED) 's/CONFIG_X86_64.*//' $(LINUX_DIR)/.config
         touch $(LINUX_DIR)/.configured
 
@@ -139 +142 @@
 
 $(LINUX_DIR)/.depend_done: $(LINUX_DIR)/.configured
-        $(MAKE) -C $(LINUX_DIR) dep
+        $(MAKE) D=1 V=1 ARCH=i386 -C $(LINUX_DIR) dep
         touch $(LINUX_DIR)/.depend_done
 
 $(LINUX_DIR)/$(LINUX_BINLOC): $(LINUX_DIR)/.depend_done
-        $(MAKE) CC="$(TARGET_CC)" -C $(LINUX_DIR) $(LINUX_FORMAT)
-        $(MAKE) CC="$(TARGET_CC)" -C $(LINUX_DIR) modules
+        $(MAKE) D=1 V=1 ARCH=i386 CC="$(TARGET_CC)" -C $(LINUX_DIR) $(LINUX_FORMAT)
+        $(MAKE) D=1 V=1 ARCH=i386 CC="$(TARGET_CC)" -C $(LINUX_DIR) modules
 
 $(LINUX_MODULES_DEP): $(LINUX_DIR)/.depend_done
         $(RM) -r $(MODULES_DIR)/lib/modules
-        $(MAKE) -C $(LINUX_DIR) INSTALL_MOD_PATH=$(MODULES_DIR) modules_install
+        $(MAKE) D=1 V=1 ARCH=i386 -C $(LINUX_DIR) INSTALL_MOD_PATH=$(MODULES_DIR) modules_install
+
+        [ -d $(MODULES_DIR)/lib/modules/$(LINUX_VERSION) ] && \
+        $(BASE_DIR)/perl/depmod.pl -n \
+                -b $(MODULES_DIR)/lib/modules/$(LINUX_VERSION)/ \
+                -k $(LINUX_DIR)/vmlinux \
+                > $(LINUX_MODULES_DEP)
 
         (cd $(MODULES_BASE_DIR) ; cat $(LINUX_MODULES_DEP) | $(BASE_DIR)/perl/capsfix.pl > $(TMP_DIR)/moddep )
@@ -177 +186 @@
         # busybox perl.
         [ -d $(MODULES_DIR)/lib/modules/$(LINUX_VERSION) ] && \
-        $(BUSYBOX_DIR)/examples/depmod.pl -n \
+        $(BASE_DIR)/perl/depmod.pl -n \
                 -b $(MODULES_DIR)/lib/modules/$(LINUX_VERSION)/ \
                 -k $(LINUX_DIR)/vmlinux \
@@ -190 +199 @@
 linuxclean: clean
         $(RM) $(LINUX_KERNEL)
-        -$(MAKE) -C $(LINUX_DIR) clean
+        -$(MAKE) ARCH=i386 -C $(LINUX_DIR) clean
 
 linux-dirclean:

floppyfw-3.0/makefiles/madwifi.mk

@@ -5 +5 @@
 #############################################################
 
-MADWIFI_VER=r1842-20061207
+# MADWIFI_VER=r1842-20061207
+MADWIFI_VER=r2826-20071105
 MADWIFI_SOURCE_URL=http://snapshots.madwifi.org/madwifi-ng/
 MADWIFI_SOURCE=madwifi-ng-$(MADWIFI_VER).tar.gz
@@ -28 +29 @@
 
 $(MADWIFI_DIR)/tools/wlanconfig: $(MADWIFI_DIR)/.configured
-        $(MAKE) KERNELPATH=$(LINUX_DIR) -C $(MADWIFI_DIR) 
+        $(MAKE) ARCH=$(ARCH) KERNELPATH=$(LINUX_DIR) -C $(MADWIFI_DIR) 
         # KMODPATH=$(MODULES_DIR) 
         
@@ -34 +35 @@
         -$(RM) -r  $(MADWIFI_PKG_DIR)
         mkdir -p  $(MADWIFI_PKG_DIR)
-        $(MAKE) KERNELPATH=$(LINUX_DIR) \
+        $(MAKE) ARCH=$(ARCH) KERNELPATH=$(LINUX_DIR) \
                 MANDIR=/usr/man \
                 BINDIR=/usr/bin \
@@ -41 +42 @@
         -$(RM) -r $(MADWIFI_PKG_DIR)/usr/man
         -$(SSTRIP) $(MADWIFI_PKG_DIR)/usr/bin/*
+        -$(STRIP_KMOD) $(MADWIFI_PKG_DIR)/lib/modules/$(LINUX_VERSION)/net/*
+        # Nice to put the modules in the full module tree.
+        cp -a $(MADWIFI_PKG_DIR)/lib/modules/$(LINUX_VERSION)/net/* \
+                $(MODULES_DIR)/lib/modules/$(LINUX_VERSION)/kernel/drivers/net/.
 
 

floppyfw-3.0/makefiles/micro_proxy.mk

@@ -52 +52 @@
         $(MAKE) -C $(MICRO_PROXY_DIR)
         cp $(MICRO_PROXY_DIR)/micro_proxy $(MICRO_PROXY_PKG_DIR)/usr/bin/micro_proxy
+        mkdir -p $(MICRO_PROXY_PKG_DIR)/etc/.
         cp $(PACKAGES_DIR)/scripts/post-micro_proxy.ini $(MICRO_PROXY_PKG_DIR)/etc/.
 
@@ -58 +59 @@
 # /floppyfw/packages.
 
-$(PACKAGES_DIR)/micro_proxy.bz2: $(MICRO_PROXY_PKG_DIR)/usr/bin/micro_proxy
+$(PACKAGES_DIR)/micro_proxy.ffw: $(MICRO_PROXY_PKG_DIR)/usr/bin/micro_proxy
 # here we should copy the .ini-file... Needs to be fixed.
         (cd $(PACKAGES_DIR); sh mkpack micro_proxy)
@@ -65 +66 @@
 # dir.
 
-micro_proxy: $(PACKAGES_DIR)/micro_proxy.bz2
+micro_proxy: $(PACKAGES_DIR)/micro_proxy.ffw
 
 # Makes it possible to write 'make micro_proxy-clean' from the

floppyfw-3.0/makefiles/muninlite.mk

@@ -50 +50 @@
 # /floppyfw/packages.
 
-$(PACKAGES_DIR)/muninlite.bz2: $(MUNINLITE_PKG_DIR)/usr/bin/munin-node
+$(PACKAGES_DIR)/muninlite.ffw: $(MUNINLITE_PKG_DIR)/usr/bin/munin-node
         cp $(MUNINLITE_DIR)/examples/post-muninlite.ini $(PACKAGES_DIR)/post-muninlite.ini
         (cd $(PACKAGES_DIR); sh mkpack muninlite)
@@ -57 +57 @@
 # dir.
 
-muninlite: $(PACKAGES_DIR)/muninlite.bz2
+muninlite: $(PACKAGES_DIR)/muninlite.ffw
 
 # Makes it possible to write 'make muninlite-clean' from the

floppyfw-3.0/makefiles/soekris.mk

@@ -1 +1 @@
 SOEKRIS_DIR=$(BASE_DIR)/floppyfw-$(FLOPPYFW_VERSION)-soekris
 
-soekrisdir: $(PACKAGES_DIR)/ppp.ffw $(PACKAGES_DIR)/wireless-tools.ffw $(PACKAGES_DIR)/pcmcia-cs.ffw initrd-ide add-package 
+soekrisdir: $(PACKAGES_DIR)/ppp.ffw $(PACKAGES_DIR)/wireless-tools.ffw $(PACKAGES_DIR)/pcmcia-cs.ffw $(PACKAGES_DIR)/madwifi.ffw initrd-ide add-package 
         -mv $(SOEKRIS_DIR).old $(SOEKRIS_DIR).old2
         -mv $(SOEKRIS_DIR) $(SOEKRIS_DIR).old
@@ -32 +32 @@
         cp $(PACKAGES_DIR)/pcmcia-cs.ffw $(SOEKRIS_DIR)/packages/.
         cp $(PACKAGES_DIR)/wireless-tools.ffw $(SOEKRIS_DIR)/packages/.
+        cp $(PACKAGES_DIR)/madwifi.ffw $(SOEKRIS_DIR)/packages/.
         cp $(PACKAGES_DIR)/scripts/pre-pcmcia.ini $(SOEKRIS_DIR)/packages/.
         cp $(PACKAGES_DIR)/scripts/pre-wireless.ini $(SOEKRIS_DIR)/packages/.

floppyfw-3.0/makefiles/wireless-tools.mk

@@ -21 +21 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
 # USA
-WIRELESS_TOOLS_SITE:=http://pcmcia-cs.sourceforge.net/ftp/contrib/
-WIRELESS_TOOLS_SOURCE:=wireless_tools.28.tar.gz
-WIRELESS_TOOLS_DIR:=$(BUILD_DIR)/wireless_tools.28
+# WIRELESS_TOOLS_SITE:=http://pcmcia-cs.sourceforge.net/ftp/contrib/
+WIRELESS_TOOLS_SITE:=http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/
+WIRELESS_TOOLS_SOURCE:=wireless_tools.29.tar.gz
+WIRELESS_TOOLS_DIR:=$(BUILD_DIR)/wireless_tools.29
 WIRELESS_TOOLS_CAT:=zcat
 

floppyfw-3.0/scripts/bridge.ini

@@ -10 +10 @@
 echo "0" > /proc/sys/net/ipv4/ip_forward
 
-( ifconfig eth0 > /dev/null 2> /dev/null) || {
+( ifconfig $INSIDE_DEV > /dev/null 2> /dev/null) || {
         echo 
         echo "WARNING"
@@ -18 +18 @@
 }
 
-( ifconfig eth1 > /dev/null 2> /dev/null) || {
+( ifconfig $OUTSIDE_DEV > /dev/null 2> /dev/null) || {
         echo 
         echo "WARNING"
@@ -52 +52 @@
 
 
-brctl addbr br0             # create bridge interface
+brctl addbr br0               # create bridge interface
 # brctl stp br0 off           # disable spanning tree protocol on br0
-brctl addif br0 eth0        # add eth0 to br0
-brctl addif br0 eth1        # add eth0 to br0
+brctl addif br0 $OUTSIDE_DEV  # add outside device to br0
+brctl addif br0 $INSIDE_DEV   # add inside device to br0
 
 ifconfig $OUTSIDE_DEV up

floppyfw-3.0/scripts/config

@@ -187 +187 @@
 #
 # This is just to set up the network, you have to edit firewall.ini to 
-# be able to do ahything useful with this.
+# be able to do anything useful with this.
 #
 # This can also be set up as the device/LAN for an open WLAN.
+#
+# Please note that enabling this automatically opens up for DNS requests to
+# the floppyfw from DMZ.
 #
 
@@ -201 +204 @@
 
 #
-# This switch (is not working yet) will turn on or off NAT to the outside 
-# network.
+# This switch will turn on or off NAT to the outside network.
 #
 
 DMZ_USE_NAT=y
 
-# This is the ports you will allow to the inside. SSH is the only one I'd 
-# trust, if any.
-DMZ_ALLOW_PORTS_INSIDE="ssh"
-
-# And for the outside. NEVER ALLOW SMTP if used as an open WLAN.
-DMZ_ALLOW_PORTS_OUTSIDE="ssh,www,https,ftp,domain,pop3,pop3s,imap3,imaps"
+# What traffic do you want to allow from DMZ to OUTSIDE?
+# Specifying "all" will allow all traffic, "none" will block all. TCP based
+# protocols can be specified in a comma separated list like this:
+# DMZ_ALLOW_TO_OUTSIDE="ssh,www,https,ftp,domain,pop3,pop3s,imap3,imaps"
+DMZ_ALLOW_TO_OUTSIDE="all"
+
+# What traffic do you want to allow from DMZ to INSIDE?
+# Specifying "all" will allow all traffic, "none" will block all. TCP based
+# protocols can be specified in a comma separated list like this:
+# DMZ_ALLOW_TO_INSIDE="ssh,ftp"
+DMZ_ALLOW_TO_INSIDE="none"
+
+# What traffic do you want to allow from INSIDE to DMZ?
+# Specifying "all" will allow all traffic, "none" will block all. TCP based
+# protocols can be specified in a comma separated list like this:
+# DMZ_ALLOW_FROM_INSIDE="ssh,ftp,http,https,smtp"
+DMZ_ALLOW_FROM_INSIDE="all"
 
 # This is to set a traffic shaping rule to restrict the bandwidth.

floppyfw-3.0/scripts/dmz-fw.ini

@@ -24 +24 @@
 echo "Setting up DMZ."
 
+# We will automatically accept DNS requests.
+iptables -A INPUT -i ${DMZ_DEVICE} -p TCP --dport 53 -j ACCEPT
+iptables -A INPUT -i ${DMZ_DEVICE} -p UDP --dport 53 -j ACCEPT
+
 if [ "$DMZ_USE_NAT" = "y" ]
  then
@@ -31 +35 @@
 # Open ports:
 # The big caveat here is thet multiport only supports 15 ports..
-if [ -n "$DMZ_ALLOW_PORTS_INSIDE" ]
+# We will try to pad that by giving the admin more options..
+if [ -n "$DMZ_ALLOW_TO_OUTSIDE" ]
 then
-  iptables -A FORWARD -p tcp -i $DMZ_DEVICE -m multiport --dports $DMZ_ALLOW_PORTS_INSIDE -o $INSIDE_DEVICE -j ACCEPT
+  case "$DMZ_ALLOW_TO_OUTSIDE" in
+    all) iptables -A FORWARD -i $DMZ_DEVICE -o $OUTSIDE_DEVICE -j ACCEPT
+    none) echo "No ports opened to OUTSIDE from DMZ"
+    *) iptables -A FORWARD -p tcp -i $DMZ_DEVICE -m multiport --dports $DMZ_ALLOW_TO_OUTSIDE -o $OUTSIDE_DEVICE -j ACCEPT
+  esac
 fi
 
-if [ -n "$DMZ_ALLOW_PORTS_OUTSIDE" ]
+if [ -n "$DMZ_ALLOW_TO_INSIDE" ]
 then
-  iptables -A FORWARD -p tcp -i $DMZ_DEVICE -m multiport --dports $DMZ_ALLOW_PORTS_OUTSIDE -o $OUTSIDE_DEVICE -j ACCEPT
+  case "$DMZ_ALLOW_TO_INSIDE" in
+    all) iptables -A FORWARD -i $DMZ_DEVICE -o $INSIDE_DEVICE -j ACCEPT
+    none) echo "No ports opened to INSIDE from DMZ"
+    *) iptables -A FORWARD -p tcp -i $DMZ_DEVICE -m multiport --dports $DMZ_ALLOW_TO_INSIDE -o $INSIDE_DEVICE -j ACCEPT
+  esac
+fi
+
+if [ -n "$DMZ_ALLOW_FROM_INSIDE" ]
+then
+  case "$DMZ_ALLOW_FROM_INSIDE" in
+    all) iptables -A FORWARD -i $INSIDE_DEVICE -o $DMZ_DEVICE -j ACCEPT
+    none) echo "No ports opened to DMZ from INSIDE"
+    *) iptables -A FORWARD -p tcp -i $INSIDE_DEVICE -m multiport --dports $DMZ_ALLOW_FROM_INSIDE -o $DMZ_DEVICE -j ACCEPT
+  esac
 fi