lans
Results 1 - 15 of about 27
VLAN 1.9
VLAN is an implementation of the 802.1Q VLAN protocol for Linux.
VLAN allows one to have Virtual LANs on a single ethernet cable, giving you the ability to segregate LANs efficiently. VLAN should support up to 4094 vlan interfaces per ethernet device.
Main features:
- Implements 802.1Q VLAN spec.
- Implements support for a non-standard (as far as I know) MAC-based VLAN functionality.
- Can support up to 4094 VLANs per ethernet interface.
- Scales well in critical paths: O(n), where n is the number of PHYSICAL ethernet interfaces, and that is only on ingress. O(1) in every other critical path, as far as I know.
- Supports MULTICAST
- Can change MAC address of VLAN.
- Multiple naming conventions supported, and adjustable at runtime.
- Optional header-reordering, to make the VLAN interface look JUST LIKE an Ethernet interface. This fixes some problems with DHCPd and anything else that uses a SOCK_PACKET socket. Default setting is off, which works for every other protocol I know about, and is slightly faster.
Enhancements:
- This release fixes return error codes in vconfig.
Download (0.089MB)
Added: 2005-11-14 License: GPL (GNU General Public License) Price:
1558 downloads
Nest 3.2
Nest provides a secure IP VPN cryptographically protected packet tunnel.
Nest is a secure IP VPN tunnel for FreeBSD. It connects two LANs over an insecure WAN.
Nest works on the IP packet level. Its features include packet authentication and integrity checking (with 96-bit SHA1-derived HMAC), packet encryption (with Blowfish and 160-bit key CBC mode), replay protection, adjustable packet queuing, and compression.
The VPN traffic appears on the WAN as a bidirectional stream of IP packets or as a unidirectional ICMP request/response stream. The latter case allows the establishment of VPN tunnels through certain firewalls.
Main features:
- Authentication/Integrity
- Encryption
- Replay protection
- Queueing/Compression
- ICMP stream (new in version 3)
- IP masquerading (new in version 3)
Enhancements:
- A #define to make the program silent was added.
- A bootable FreeBSD floppy containing the software is now also available for download.
Download (0.060MB)
Added: 2007-02-28 License: BSD License Price:
968 downloads
DragonFly BSD 1.10.1
DragonFly is an operating system and environment designed to be the logical continuation of the FreeBSD-4.x OS series. These operating systems belong in the same class as Linux in that they are based on UNIX ideals and APIs. DragonFly is a fork in the path, so to speak, giving the BSD base an opportunity to grow in an entirely new direction from the one taken in the FreeBSD-5 series.
It is our belief that the correct choice of features and algorithms can yield the potential for excellent scalability, robustness, and debuggability in a number of broad system categories. Not just for SMP or NUMA, but for everything from a single-node UP system to a massively clustered system. It is our belief that a fairly simple but wide-ranging set of goals will lay the groundwork for future growth.
The existing BSD cores, including FreeBSD-5, are still primarily based on models which could at best be called strained as they are applied to modern systems. The true innovation has given way to basically just laying on hacks to add features, such as encrypted disks and security layering that in a better environment could be developed at far less cost and with far greater flexibility.
We also believe that it is important to provide API solutions which allow reasonable backwards and forwards version compatibility, at least between userland and the kernel, in a mix-and-match environment. If one considers the situation from the ultimate in clustering... secure anonymous system clustering over the internet, the necessity of having properly specified APIs becomes apparent.
Finally, we believe that a fully integrated and feature-full upgrade mechanism should exist to allow end users and system operators of all walks of life to easily maintain their systems. Debian Linux has shown us the way, but it is possible to do better.
DragonFly is going to be a multi-year project at the very least. Achieving our goal set will require a great deal of groundwork just to reposition existing mechanisms to fit the new models. The goals link will take you to a more detailed description of what we hope to accomplish.
1.2.0 is our second major DragonFly release and the first one for which we have created a separate CVS branch. DragonFly's policy is to only commit bug fixes to release branches.
This release represents a significant milestone in our efforts to improve the kernel infrastructure. DragonFly is still running under the Big Giant Lock, but this will probably be the last release where that is the case.
The greatest progress has been made in the network subsystem. The TCP stack is now almost fully threaded (and will likely be the first subsystem we remove the BGL from in coming months). The TCP stack now fully supports the SACK protocol and a large number of bug and performance fixes have gone in, especially in regard to GigE performance over LANs.
The namecache has been completely rewritten and is now considered to be production-ready with this release. The rewrite will greatly simplify future filesystem work and is a necessary precursor for our ultimate goal of creating a clusterable OS.
This will be the last release that uses GCC 2.95.x as the default compiler. Both GCC 3.4.x and GCC 2.95.x are supported in this release through the use of the CCVER environment variable (gcc2 or gcc34). GCC 2.95.x is to be retired soon due to its lack of TLS support. The current development branch will soon start depending heavily on TLS support and __thread, both within the kernel and in libc and other libraries. This release fully supports TLS segments for programs compiled with gcc-3.4.x.
It goes without saying that this release is far more stable than our 1.0A release. A huge number of bug fixes, performance improvements, and design changes have been made since the 1.0A release.
Download (112MB)
Added: 2007-08-21 License: BSD License Price:
796 downloads
Dual DHCP DNS Server 5.1
Dual DHCP DNS Server is a combined DHCP/DNS server for small LANs.
Dynamic DHCP allocates/renews host addresses, while the caching DNS server first tries resolving from DHCP-allotted names, then from cache, and only then forwarding to external DNS servers.
Dual DHCP DNS Server supports an optional static DHCP mode and static IPs, automatic dynamic DNS updates from DHCP, and the ability to co-exist with other DHCP servers.
It is self-configuring and doesn't require the creation of zone files, and uses little memory and CPU.
Enhancements:
- This release fixes zone replication bugs.
Download (0.095MB)
Added: 2007-07-23 License: GPL (GNU General Public License) Price:
546 downloads
lftpsearch 1.2.0
lftpsearch is a set of Perl scripts that search for files and directories on FTP servers. There is the searcher, the indexer for fetching the lists of all files and directories on remote FTP servers, and the onliner for checking whether FTP servers are online.
It supports (or >) and in search queries, page splitting of search results, searching on online servers only, searching for files/directories only, searching for size-limited files, caching, and Russian names.
The lftpsearch program also shows some statistics on servers (number of files/directories, total size). Initially, it was created to be used over LANs.
Download (0.017MB)
Added: 2006-02-07 License: GPL (GNU General Public License) Price:
1354 downloads
Wireless Tools 27
The Wireless Tools are a set of tools for manipulating the Linux Wireless Extensions.
The Linux Wireless Extensions and the Wireless Tools are an Open Source project sponsored by Hewlett Packard (through my contribution) since 1996, and built with the contributions of many Linux users all over the world.
The Wireless Extension (WE) is a generic API allowing a driver to expose to user space the configuration and statistics specific to common Wireless LANs. The beauty of it is that a single set of tools can support all the variations of Wireless LANs, regardless of their type (as long as the driver supports Wireless Extensions).
Another advantage is that these parameters may be changed on the fly without restarting the driver (or Linux).
The Wireless Tools (WT) are a set of tools for manipulating the Wireless Extensions. They use a textual interface and are rather crude, but aim to support the full Wireless Extensions. There are many other tools you can use with Wireless Extensions; however, Wireless Tools is the reference implementation.
- iwconfig: manipulates the basic wireless parameters
- iwlist: initiates scanning and lists frequencies, bit-rates, encryption keys...
- iwspy: gets per-node link quality
- iwpriv: manipulates the Wireless Extensions specific to a driver (private)
- ifrename: names interfaces based on various static criteria
Most Linux distributions have also integrated Wireless Extensions support into their networking initialisation scripts, for easier boot-time configuration of wireless interfaces. They also include Wireless Tools as part of their standard packages.
Wireless configuration can also be done using the Hotplug scripts and distribution-specific support; this enables proper support of any removable wireless interface (Pcmcia, CardBus, USB...).
Any version of the Pcmcia package offers the possibility to do wireless configuration of Pcmcia and CardBus cards through the file wireless.opts. This allows wireless settings to be fully integrated into the Pcmcia scheme mechanism. However, this method is now deprecated in favor of distribution-specific methods.
Please note that the Wireless Tools (starting with version 19) fully support IEEE 802.11 parameters and devices, support older styles of devices and most proprietary protocols, and are prepared to handle HiperLan as well. More recent versions of course add more 802.11 support.
But, unfortunately, not all drivers support all these features...
Download (0.18MB)
Added: 2005-10-18 License: GPL (GNU General Public License) Price:
1540 downloads
Ethloop
Ethloop is a very simple and versatile packet generator and measurer which I use to test the HTB qdisc. It is a development tool and you should take it as such. It accepts a control program on stdin, executes it, and produces a flow-rate table on stdout.
The generated traffic is output on the interface(s) selected in the program, and data is received on all interfaces in the system. You sometimes need to set the promisc flag on the receiving interfaces.
Generated packets are Ethernet frames with the protocol set to ETH_P_CUST so that you can safely inject them into existing LANs. MAC addresses are set to the MACs of the sending/receiving interface (which may be the same).
The control program is a line-based text file. Each line has a fixed format, and comment lines begin with #. The format of a line is:
5000 R 2 4500000
Any number of spaces is allowed and tabs can be used. Input is parsed by sscanf "%u %c %u %n". The first number is the time in milliseconds from program start. The second character determines the operation to perform. The third number is the flow id (see below) and the remainder of the line is operation dependent. The remainder can be text or a number; numbers are allowed in decimal or hex (if starting with 0x). A number can end with k to multiply it by 1024.
The line above means: at time 5 sec, set the rate of flow 2 to 4.5 MBps. Lines are first read into struct progdata in memory (for performance reasons) and should be in increasing time order. Ethloop performs no sorting by time, so be careful about it. Each line is executed at its time and can change ongoing traffic generators.
Download (0.004MB)
Added: 2006-08-02 License: GPL (GNU General Public License) Price:
1179 downloads
UTIN Firewall script
UTIN Firewall script project is a script for Linux 2.4.x and iptables.
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# Your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32-bit IP address, the same as netmask 255.255.255.0.
#
# INET_IP is used by me to allow myself to do anything to myself, which might
# be a security risk but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now, but it's still
# enabled per default and will add some really nifty security bugs for all
# those who skip reading the documentation=)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="194.236.50.155"
INET_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off by default in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward between interfaces.
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# INPUT chain
#
# Bad TCP packets we don't want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from anywhere
#
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
<<less###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="194.236.50.155"
INET_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP
#
# Bad TCP packets we dont want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward between interfaces.
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# INPUT chain
#
# Bad TCP packets we dont want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from anywhere
#
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
Added: 2007-02-13 License: GPL (GNU General Public License) Downloads: 985
DMZ IP Firewall script
DMZ IP Firewall script project is a script for Linux 2.4.x and iptables.
Sample:
# Configuration options; these will speed up getting this script to work with your own setup.
# Your LAN's IP range and localhost IP. /24 means to only use the first 24 bits of the 32-bit IP address, the same as netmask 255.255.255.0.
# STATIC_IP is used by me to allow myself to do anything to myself. This might be a security risk, but sometimes I want this. If you don't have a static IP, I suggest not using this option at all for now, but it's still enabled by default and will add some really nifty security bugs for all those who skip reading the documentation.
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
INET_IP="194.236.50.152"
INET_IFACE="eth0"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"
LO_IP="127.0.0.1"
LO_IFACE="lo"
IPTABLES="/usr/local/sbin/iptables"
Added: 2007-02-13 License: GPL (GNU General Public License) Downloads: 997
seppl 0.4
seppl is both a protocol definition and a software implementation of a new encryption layer for IPv4. seppl project makes use of symmetric cryptography for encrypting the whole traffic on a network. Its implementation is designed around Linux netfilter/iptables.
seppl introduces two new netfilter targets: CRYPT and DECRYPT. A firewall rule may thus be used for encrypting/decrypting the incoming and outgoing network traffic. This makes seppl extraordinarily easy to use, since no daemons need to run for secure communication.
seppl uses the encryption engine of the Linux Cryptographic API which is available in kernel 2.4.22 and newer.
seppl is primarily intended for encrypting wireless LANs (as secure replacement of the broken WEP encryption) and local ethernet networks but may be used for large scale VPN solutions as well.
The protocol seppl relies on is not compatible with any other software. The protocol is open and well defined but there is no implementation other than this reference software.
Why SEPPL, there are already IPSEC, CIPE,...?
CIPE may be used for point-to-point connections only. It has tunnel structure and thus introduces new IP addresses. This is not always desirable. It requires a user space daemon.
IPSEC/FreeSwan is extremely complicated to use. Due to its strange routing scheme it is nearly impossible to use together with routing daemons. IPSEC is heavyweight.
seppl is truly peer-to-peer. It seamlessly encrypts all outgoing traffic and is thus compatible with routing daemons. It is extremely easy to use as well, as it makes no change to the normal routing behaviour. seppl is extremely lightweight.
The Implementation
The implementation consists of three Linux kernel modules: seppl.o, ipt_CRYPT.o and ipt_DECRYPT.o. The former is the in-kernel key manager, the latter are the two new netfilter targets. Both depend on seppl.o.
seppl.o must be inserted into kernel in first place. The key manager may be accessed with the file /proc/net/seppl_keyring. It contains binary key data, and is initially empty. You may add a new key by writing it to that file.
The two Python scripts seppl-ls and seppl-gen-key may be used for key management. seppl-ls may be used for converting seppl keys between the binary format used by /proc/net/seppl_keyring and a human-readable XML-based format. Simply call seppl-ls for a list of all currently active keys. seppl-gen-key generates a new key from /dev/urandom. By default it will use the XML format. The parameter -x forces binary mode. You may generate and activate two keys "linus" and "alan" by issuing the following command lines:
seppl-gen-key -n linus -x > /proc/net/seppl_keyring
seppl-gen-key -n alan -x > /proc/net/seppl_keyring
seppl-ls without argument lists the new keys saved in the kernel keyring. You may remove all (currently unused) keys by issuing:
echo clear > /proc/net/seppl_keyring
Since seppl is based on symmetric cryptography using shared keys, you have to copy newly generated keys to every host you want to connect to your seppl infrastructure (preferably via SSH or any other secure file transfer). You get a binary copy of your current keyring by issuing:
cat /proc/net/seppl_keyring > keyring.save
Now copy that file keyring.save to all other hosts and issue the following command there:
cat keyring.save > /proc/net/seppl_keyring
That is simple, isn't it?
After doing so you may configure your firewall settings on each host:
iptables -t mangle -A POSTROUTING -o eth0 -j CRYPT --key linus
iptables -t mangle -A PREROUTING -i eth0 -j DECRYPT
This will encrypt all outgoing traffic on eth0 with the key "linus". All incoming traffic is decrypted with either "linus" or "alan", depending on the key name specified in the specific network packet. Unencrypted incoming packets are silently dropped. Use
iptables -t mangle -A PREROUTING -p 177 -i eth0 -j DECRYPT
for allowing both crypted and unencrypted incoming traffic.
That's it. You're done. All your traffic on the local subnet is now encrypted with seppl.
The default cipher is AES-128. If you don't specify the name of the used key, it defaults to "def".
A SysV init script /etc/init.d/seppl is provided. It will load seppl's kernel modules and write all keys from the directory /etc/seppl to the kernel keyring. It will not add any firewall rules, however.
Performance issues
The network packets grow in size when they are encrypted, since two new headers and the IV are added (36 bytes on average). This conflicts in some way with the MTU management of the Linux kernel and results in all large packets (that is, packets with a size near the MTU) being fragmented into one large and another very small packet. This will hurt network performance. A work-around for this limitation is using the TCPMSS target of netfilter to adjust the MSS value in the TCP header to a smaller value. This will increase TCP performance, since TCP packets of the size of the MTU are no longer generated, so no fragmentation is needed. However, TCPMSS is TCP-specific; it won't help with UDP or other IP protocols.
Add the following line before encryption to your firewall setup:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --set-mss $((1500-40-8-16-6-15))
The Protocol
For encryption every single unencrypted packet is taken and converted to a crypted one. Not a single further packet is ever sent.
Original             SEPPL counterpart
+------------+       +-----------------------+ \
| IP-Header  |       | Modified IP-Header    | |
+------------+       +-----------------------+ |
| Payload    |       | SEPPL-Header          |  > Unencrypted
+------------+       +-----------------------+ |
                     | Initialization Vector | |
                     +-----------------------+ /
                     | SEPPL-Header          | \
                     +-----------------------+  > Crypted
                     | Payload               | /
                     +-----------------------+
The original IP header is kept as far as possible. Only three fields are replaced with new values. The protocol number is set to 177, the fragment offset is set to 0 and the total length is corrected to the new length. All other fields are kept as is, including IP options.
The unencrypted seppl header consists of a one-byte cipher number and a key name. Currently only 0 and 1 are defined as cipher numbers, for AES with a 128-bit key and AES with a 192-bit key respectively. The key name (7 bytes) may be used to select a specific key in a larger keyring.
The IV is used for CBC mode of the cipher used. It differs from packet to packet, but is not randomly generated. For performance reasons, only the initial IV on system startup is randomized; all following IVs are generated by incrementing the previous ones.
The encrypted seppl header consists of three saved fields of the original IP header (protocol number, fragment offset, total length) and a byte which is always 0, used for detecting mismatched keys.
The payload is the original IP payload, from the TCP/UDP/other header to the end.
Version restrictions:
- seppl interferes with netfilter's connection tracking in some way. Thus you will not be able to use NAT in conjunction with seppl. If you use connection tracking in some other way together with seppl, your mileage may vary.
- seppl is tested with Linux 2.6.1. Use version 0.3 for Linux 2.4.
Added: 2006-05-17 License: GPL (GNU General Public License) Size: 0.32MB Downloads: 1255
DHCP IP Firewall script
DHCP IP Firewall script project is a script for Linux 2.4.x and iptables.
Sample:
1. Configuration options - use these to quicken up the set up.
####################################
# Local Area Network configuration.
#
# Your LAN's IP range and localhost IP. /24 means to only use the first 24 bits of the 32-bit IP address, the same as netmask 255.255.255.0.
LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
######################################
#
# Localhost configuration.
#
# Localhost Interface and IP. Should not need any changes.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#######################################
#
# Internet configuration.
#
# All information pertaining to the Internet and the Internet connection.
#
INET_IFACE="eth0"
#######################################
#
# DHCP Configuration.
#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set the DHCP variable to No if you don't get your IP from DHCP. If you get DHCP over the Internet, set this variable to Yes and set up the proper IP address of the DHCP server in the DHCP_SERVER variable.
DHCP="No"
DHCP_SERVER="195.22.90.65"
#########################################
#
# PPPOE Configuration.
#
# Configuration options pertaining to PPPoE.
#
# If you have problems with your PPPoE connection, such as large mails not getting through while small mails get through properly etc., you may set this option to "yes", which may fix the problem. This option will set a rule in the PREROUTING chain of the mangle table which will clamp (resize) all routed packets to the PMTU (Path Maximum Transmission Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since the PPPoE configuration option will give less overhead.
PPPOE_PMTU="No"
##########################################
#
# IPTABLES configuration.
#
# Options pertaining to iptables such as searchpath, etc.
#
IPTABLES="/usr/sbin/iptables"
Added: 2007-02-13 License: GPL (GNU General Public License) Downloads: 986
NET=MGM 1.2
Net=MGM (Netmanager) is a tool to store information about subnets and virtual LANs in a data center environment.
NET=MGM is useful for network administrators who manage a large network and want to track information on every LAN or VLAN in the network. You can view information grouped by ownership, manager, or VLAN.
Enhancements:
- With this version I change the release numbering: the latest 1.7 version is now a 1.1.x.x version; in CHANGELOG you can see where it is.
- Two files for changelog information:
CHANGELOG is written by hand with simple information
CHANGELOG-AUTO is generated from the cvs server with detailed changes
- In this release we start from the last ex-1.7 version, now 1.1.x.x, and insert new features like a system to generate the network details.
- Some code was added to improve the security of the tool, but it is not complete yet.
- A first version of the manual was added, a very simple manual; for the next release I will try to improve this.
- This release has the same database structure and doesn't break compatibility with old versions.
For any bug/problem or idea please use the sourceforge site to notify me.
Thank you for using Net=MGM
Added: 2005-11-30 License: GPL (GNU General Public License) Size: 0.045MB Downloads: 1426
Initial SIMPLE IP Firewall
Initial SIMPLE IP Firewall is a script for Linux 2.4.x and iptables.
Sample:
Configuration options
###################################
#
# Local Area Network configuration.
#
# Your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32-bit IP address, the same as netmask 255.255.255.0.
#
LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"
###################################
#
# Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
###################################
#
# Internet Configuration.
#
INET_IP="194.236.50.155"
INET_IFACE="eth0"
###################################
#
# IPTables Configuration.
#
IPTABLES="/usr/sbin/iptables"
Module loading
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
Added: 2007-02-13 License: GPL (GNU General Public License) Downloads: 983
Ip6wall 0.6
Ip6wall is a firewall script for ip6tables.
It features support for IPV6-mapped LANs, forwarding, port forwarding, configurable outgoing filtering, configurable public service access, access control lists, and more.
This is a bash script for ip6tables. It works fine with the 2.4.x series of the Linux kernel;
I'm testing it on a 2.6.0test6 Linux kernel and, for now, it works fine. The idea of this script is taken from gShield, directly from the source.
Main features:
- support for an IPv6-mapped LAN, forwarding, port forwarding, configurable outgoing filtering,
- configurable public service access, access control lists, and more.
Enhancements:
- Added information of copyright
- Fixed bugs of "#" in conf/ircservers
- Changed if [ -n var ]; into if [ $var != ""];
- Minor code cleanup
- version 0.5.9 Released to freshmeat.net
- Added docs directory even if some files weren't complete, like readme and usage
Added: 2006-07-11 License: GPL (GNU General Public License) Size: 0.015MB Downloads: 1201
selfDHCP 0.2a
selfDHCP is a small network autoconfigure software. It is able to determine the main network configuration parameters by listening to the traffic and with appropriate heuristics. It can run as daemon or as application.
selfDHCP was born from a common need found when working on networks: to configure a host in a transparent way. Though this task is performed well by many existing tools, such as DHCP, these tools need resources (DHCP servers) that may not always be present, or that we may not want to use. selfDHCP instead doesn't need any external resource and can work stand-alone.
selfDHCP has two main ways of working. The first is to recognize a known network using profiles, so that it can be used to quickly configure a host on a small network without the need to set up a DHCP server.
The second is to analyze the network traffic and try to guess the main configuration parameters of an unknown network with heuristic methods. selfDHCP has been written with the aim of maximum discretion and stealthiness: most of the job is done in passive mode, and even when traffic is generated, its stealthiness is maintained by spoofing an existing address.
selfDHCP has some limits for now. First, it can only fully work on a non-switched LAN (i.e. a LAN with a hub, not a switch), and with Ethernet/IPv4 protocols. From the current 0.2 version, however, the active mode, combined with profiles, gives selfDHCP the ability to work even on switched LANs, provided that some information about the network is known a priori.
Second, it only works on GNU/Linux and other unix-like OSs. It has been tested on GNU/Linux and Solaris, both on x86 and SPARC architectures, and will soon be tested also under Cygwin, and on PPC and Alpha archs.
selfDHCP just passed from its alpha very first release to a more mature beta. Most of the features advertised should work correctly, but the path towards a stable release is still long. For this we strongly need beta testers.
Enhancements:
- Rewritten compilation scripts
Added: 2006-07-06 License: GPL (GNU General Public License) Size: 0.15MB Downloads: 1205