to reject
Sponsored Links
Sponsored Links
Secleted [ 0 ] software to compare
Results 1 - 15 of about 172
UTIN Firewall script
UTIN Firewall script project is a script for Linux 2.4.x and iptables. more>>
UTIN Firewall script project is a script for Linux 2.4.x and iptables.
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="194.236.50.155"
INET_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP
#
# Bad TCP packets we dont want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward between interfaces.
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# INPUT chain
#
# Bad TCP packets we dont want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from anywhere
#
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
#
# Bad TCP packets we dont want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
<<less###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LANs IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you dont have a static
# IP, I suggest not using this option at all for now but its still
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="194.236.50.155"
INET_IFACE="eth0"
IPTABLES="/usr/local/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we dont want.
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A bad_tcp_packets -i $LAN_IFACE ! -s 192.168.0.0/16 -j DROP
#
# Bad TCP packets we dont want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward between interfaces.
#
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
#
# INPUT chain
#
# Bad TCP packets we dont want
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for incoming packets from anywhere
#
$IPTABLES -A INPUT -p ICMP -j icmp_packets
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
#
# Bad TCP packets we dont want
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3
-j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
985 downloads
ipsort
ipsort script sorts a STDIN of IP addresses to STDOUT. more>>
ipsort script sorts a STDIN of IP addresses to STDOUT. It sorts by the first octet, then by the second, the third and the fourth.
Usage: Takes Standard in or a file or list of files. So ipsort < file1 > < file2 > or cat < file > | ipsort
Its quite clever and looks for an IP address on each line, rejecting if it doesnt find one
Options:
-c or --commas Separate the list by space-separated commas, rather than one IP per line.
-u or --unique Uniquely sort the list as well, to avoid duplicate IPs.
-s or --string Use this string to separate the IPs. Eg. -s :
-m or --multiple Search for multiple IP addresses per line.
-h or --help Display this usage message.
<<lessUsage: Takes Standard in or a file or list of files. So ipsort < file1 > < file2 > or cat < file > | ipsort
Its quite clever and looks for an IP address on each line, rejecting if it doesnt find one
Options:
-c or --commas Separate the list by space-separated commas, rather than one IP per line.
-u or --unique Uniquely sort the list as well, to avoid duplicate IPs.
-s or --string Use this string to separate the IPs. Eg. -s :
-m or --multiple Search for multiple IP addresses per line.
-h or --help Display this usage message.
Download (MB)
Added: 2007-04-05 License: GPL (GNU General Public License) Price:
934 downloads
NAT iptables firewall script
NAT iptables firewall script is an iptables firewall script. more>>
NAT iptables firewall script is an iptables firewall script.
This script is meant to be run once per boot the rules will be double added if you try to run it twice if you need to add another rule during runtime, change the -A to a -I to add it to the top of the list of rules if you use -A it will go at the end after the reject rule.
Sample:
# interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28
GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24
MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3
# testing
#set -x
ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE
# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# flush all rules in the filter table
#iptables -F
# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# deny everything for now
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc
# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good
# drop anything that doesnt fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP
# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP
# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP
# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP
# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l
# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP
# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP
# from external to internal
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT
# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if
# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if
# external iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY
# dmz iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT
# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP
# remove the complete blocks
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
<<lessThis script is meant to be run once per boot the rules will be double added if you try to run it twice if you need to add another rule during runtime, change the -A to a -I to add it to the top of the list of rules if you use -A it will go at the end after the reject rule.
Sample:
# interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28
GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24
MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3
# testing
#set -x
ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE
# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# flush all rules in the filter table
#iptables -F
# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# deny everything for now
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc
# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good
# drop anything that doesnt fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP
# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP
# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP
# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP
# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l
# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP
# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP
# from external to internal
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT
# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if
# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if
# external iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY
# dmz iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT
# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP
# remove the complete blocks
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
603 downloads
PHP Gift Registry 1.5.2
PHP Gift Registry is a a Web-enabled database. more>>
PHP Gift Registry is a a Web-enabled database that allows members to keep track of the gifts theyd like to receive and see what items other members would like to receive. Private reservations ensure gifts are not bought twice.
Main features:
- A single unifying view of items on your own list and people whose lists you can view.
- A now-optional request/permit system by which you can control who can see your list.
- A "checkin/checkout" system which allows you to reserve items on someones list.
- An in-system messaging system by which users can be informed of item deletions or custom announcements.
- New users can request accounts. Optionally, administrators will be informed about the request, and they can then approve or reject the request. Either way, the user will be informed by e-mail.
- A site-customizable ranking system for items.
- An events system for users to add significant (read: gift-bearing) events which will show up on others displays when the event nears.
<<lessMain features:
- A single unifying view of items on your own list and people whose lists you can view.
- A now-optional request/permit system by which you can control who can see your list.
- A "checkin/checkout" system which allows you to reserve items on someones list.
- An in-system messaging system by which users can be informed of item deletions or custom announcements.
- New users can request accounts. Optionally, administrators will be informed about the request, and they can then approve or reject the request. Either way, the user will be informed by e-mail.
- A site-customizable ranking system for items.
- An events system for users to add significant (read: gift-bearing) events which will show up on others displays when the event nears.
Download (0.058MB)
Added: 2005-11-18 License: GPL (GNU General Public License) Price:
1442 downloads
Scam-protect 1.0.0
Scam-protect is a milter which restricts the use of your domain address in emails. more>>
Scam-protect is a milter which restricts the use of your domain address in emails. The aim is to protect your users from phishing by rejecting mail purporting to be from your domain. It is not meant as a replacement for SPF or SenderID.
Main features:
- Reject mail with your domain name in the mail from envelope
- Reject mail with your domain name in the From header
Performance
Scam-protect milter was designed to be light-weight and use minimal resources.
Whitelist
Scam-protect has a configurable whitelist of IP addresses or a range of IP addresses (CIDR). This feature can be used to allow which hosts can use your domain name in email addresses..
Accept mail from users
Users should configure their mail clients (MS Outlook, Eudora, Mozilla Thunderbird) to use the port 587 (MSA) instead of the SMTP port to send mail through the mail server running Scam-protect.
Scam-protect will accept mail if the connection was authenticated through SMTP AUTH.
<<lessMain features:
- Reject mail with your domain name in the mail from envelope
- Reject mail with your domain name in the From header
Performance
Scam-protect milter was designed to be light-weight and use minimal resources.
Whitelist
Scam-protect has a configurable whitelist of IP addresses or a range of IP addresses (CIDR). This feature can be used to allow which hosts can use your domain name in email addresses..
Accept mail from users
Users should configure their mail clients (MS Outlook, Eudora, Mozilla Thunderbird) to use the port 587 (MSA) instead of the SMTP port to send mail through the mail server running Scam-protect.
Scam-protect will accept mail if the connection was authenticated through SMTP AUTH.
Download (0.013MB)
Added: 2007-08-10 License: BSD License Price:
805 downloads
Python milter 0.8.7
The milter module for Python provides a python interface to Sendmails libmilter that exploits all its features. more>>
Python milter module provides a python interface to Sendmails libmilter that exploits all its features. Milters can run on the same machine as sendmail, or another machine.
The milter can even run with a different operating system or processor than sendmail. Sendmail talks to the milter via a local or internet socket, and keeps the milter informed of events as it processes a mail connection.
At any point, the milter can cut the conversation short by telling sendmail to ACCEPT, REJECT, or DISCARD the message. After receiving a complete message from sendmail, the milter can again REJECT or DISCARD it, but it can also ACCEPT it with changes to the headers or body.
Enhancements:
- The spf module has been moved to the pyspf package.
- This will cause some confusion when upgrading, since 0.8.6 still has the module and will conflict with pyspf, whereas 0.8.7 does not have spf by itself, and will stop doing SPF if you dont install pyspf.
<<lessThe milter can even run with a different operating system or processor than sendmail. Sendmail talks to the milter via a local or internet socket, and keeps the milter informed of events as it processes a mail connection.
At any point, the milter can cut the conversation short by telling sendmail to ACCEPT, REJECT, or DISCARD the message. After receiving a complete message from sendmail, the milter can again REJECT or DISCARD it, but it can also ACCEPT it with changes to the headers or body.
Enhancements:
- The spf module has been moved to the pyspf package.
- This will cause some confusion when upgrading, since 0.8.6 still has the module and will conflict with pyspf, whereas 0.8.7 does not have spf by itself, and will stop doing SPF if you dont install pyspf.
Download (0.10MB)
Added: 2007-01-04 License: GPL (GNU General Public License) Price:
1024 downloads
Return-RST 1.1
Return-RST is a firewalling tool for Linux 2.2.xx systems using IPCHAINS. more>>
Return-RST is a firewalling tool for Linux 2.2.xx systems using IPCHAINS. It uses the netlink device to capture packets and sends TCP RST packets in response to TCP connection requests.
Normal IPCHAINS only allows you to drop packets, or reject packets with an ICMP error message. With Return-RST, you can make it look like there is no server listening, rather than giving away that theyre being filtered to the attacker.
Return-RST was written to overcome the lack of an ipchains policy that can return a RESET packet when denying a TCP connection. The DENY policy just drops the packet, and the REJECT policy sends back an ICMP message. Either policy will pull an attacker off to the fact theyre being filtered.
On the other hand, an RST in response to a TCP SYN packet is what happens when there is no server listening on a port - this program allows you to return this error, so attackers will think that there is no server available.
<<lessNormal IPCHAINS only allows you to drop packets, or reject packets with an ICMP error message. With Return-RST, you can make it look like there is no server listening, rather than giving away that theyre being filtered to the attacker.
Return-RST was written to overcome the lack of an ipchains policy that can return a RESET packet when denying a TCP connection. The DENY policy just drops the packet, and the REJECT policy sends back an ICMP message. Either policy will pull an attacker off to the fact theyre being filtered.
On the other hand, an RST in response to a TCP SYN packet is what happens when there is no server listening on a port - this program allows you to return this error, so attackers will think that there is no server available.
Download (0.013MB)
Added: 2006-07-13 License: GPL (GNU General Public License) Price:
1199 downloads
testmail 3.3.0
testmail is a Perl script that checks email availability at the POP3 server. more>>
The Perl script testmail checks e-mail available at the POP3 server (including SSL), filters it according to the defined rules, and depending on the selected method gets the messages to the local mailbox and/or removes it from the server.
Testmail uses Perl Mail-POP3Client, Net-Ping, and Socket modules and helps you escape from spam.
Enhancements:
- This release allows the user to use SSL and a specifically selected port (for example, for a Gmail mailbox).
- Testmail now uses Mail-POP3Client module instead of the libnet module.
- Configuration files were changed to add PORT, USESSL, AUTH_MODE, and DEBUG options.
- Some rejecting rules were improved.
<<lessTestmail uses Perl Mail-POP3Client, Net-Ping, and Socket modules and helps you escape from spam.
Enhancements:
- This release allows the user to use SSL and a specifically selected port (for example, for a Gmail mailbox).
- Testmail now uses Mail-POP3Client module instead of the libnet module.
- Configuration files were changed to add PORT, USESSL, AUTH_MODE, and DEBUG options.
- Some rejecting rules were improved.
Download (0.10MB)
Added: 2005-11-08 License: GPL (GNU General Public License) Price:
1445 downloads
sipscreen 1.00
sipscreen project is a Linux iptables QUEUE target handler written in perl for screening incoming SIP phone calls. more>>
sipscreen project is a Linux iptables QUEUE target handler written in perl for screening incoming SIP phone calls.
If you have a network configuration similar to mine, with a Vonage or other Voice-over-IP adapter located behind a Linux gateway, you may find sipscreen useful for programmatically accepting or rejecting inbound calls, based on the caller ID information, the time of day, or any other clever algorithm you can think of.
<<lessIf you have a network configuration similar to mine, with a Vonage or other Voice-over-IP adapter located behind a Linux gateway, you may find sipscreen useful for programmatically accepting or rejecting inbound calls, based on the caller ID information, the time of day, or any other clever algorithm you can think of.
Download (0.003MB)
Added: 2007-06-15 License: GPL (GNU General Public License) Price:
861 downloads
Parse::RecDescent 1.94
Parse::RecDescent is a Perl module to generate Recursive-Descent Parsers. more>>
Parse::RecDescent is a Perl module to generate Recursive-Descent Parsers.
SYNOPSIS
use Parse::RecDescent;
# Generate a parser from the specification in $grammar:
$parser = new Parse::RecDescent ($grammar);
# Generate a parser from the specification in $othergrammar
$anotherparser = new Parse::RecDescent ($othergrammar);
# Parse $text using rule startrule (which must be
# defined in $grammar):
$parser->startrule($text);
# Parse $text using rule otherrule (which must also
# be defined in $grammar):
$parser->otherrule($text);
# Change the universal token prefix pattern
# (the default is: s*):
$Parse::RecDescent::skip = [ t]+;
# Replace productions of existing rules (or create new ones)
# with the productions defined in $newgrammar:
$parser->Replace($newgrammar);
# Extend existing rules (or create new ones)
# by adding extra productions defined in $moregrammar:
$parser->Extend($moregrammar);
# Global flags (useful as command line arguments under -s):
$::RD_ERRORS # unless undefined, report fatal errors
$::RD_WARN # unless undefined, also report non-fatal problems
$::RD_HINT # if defined, also suggestion remedies
$::RD_TRACE # if defined, also trace parsers behaviour
$::RD_AUTOSTUB # if defined, generates "stubs" for undefined rules
$::RD_AUTOACTION # if defined, appends specified action to productions
Parse::RecDescent incrementally generates top-down recursive-descent text parsers from simple yacc-like grammar specifications.
Main features:
- Regular expressions or literal strings as terminals (tokens),
- Multiple (non-contiguous) productions for any rule,
- Repeated and optional subrules within productions,
- Full access to Perl within actions specified as part of the grammar,
- Simple automated error reporting during parser generation and parsing,
- The ability to commit to, uncommit to, or reject particular productions during a parse,
- The ability to pass data up and down the parse tree ("down" via subrule argument lists, "up" via subrule return values)
- Incremental extension of the parsing grammar (even during a parse),
- Precompilation of parser objects,
- User-definable reduce-reduce conflict resolution via "scoring" of matching productions.
<<lessSYNOPSIS
use Parse::RecDescent;
# Generate a parser from the specification in $grammar:
$parser = new Parse::RecDescent ($grammar);
# Generate a parser from the specification in $othergrammar
$anotherparser = new Parse::RecDescent ($othergrammar);
# Parse $text using rule startrule (which must be
# defined in $grammar):
$parser->startrule($text);
# Parse $text using rule otherrule (which must also
# be defined in $grammar):
$parser->otherrule($text);
# Change the universal token prefix pattern
# (the default is: s*):
$Parse::RecDescent::skip = [ t]+;
# Replace productions of existing rules (or create new ones)
# with the productions defined in $newgrammar:
$parser->Replace($newgrammar);
# Extend existing rules (or create new ones)
# by adding extra productions defined in $moregrammar:
$parser->Extend($moregrammar);
# Global flags (useful as command line arguments under -s):
$::RD_ERRORS # unless undefined, report fatal errors
$::RD_WARN # unless undefined, also report non-fatal problems
$::RD_HINT # if defined, also suggestion remedies
$::RD_TRACE # if defined, also trace parsers behaviour
$::RD_AUTOSTUB # if defined, generates "stubs" for undefined rules
$::RD_AUTOACTION # if defined, appends specified action to productions
Parse::RecDescent incrementally generates top-down recursive-descent text parsers from simple yacc-like grammar specifications.
Main features:
- Regular expressions or literal strings as terminals (tokens),
- Multiple (non-contiguous) productions for any rule,
- Repeated and optional subrules within productions,
- Full access to Perl within actions specified as part of the grammar,
- Simple automated error reporting during parser generation and parsing,
- The ability to commit to, uncommit to, or reject particular productions during a parse,
- The ability to pass data up and down the parse tree ("down" via subrule argument lists, "up" via subrule return values)
- Incremental extension of the parsing grammar (even during a parse),
- Precompilation of parser objects,
- User-definable reduce-reduce conflict resolution via "scoring" of matching productions.
Download (0.12MB)
Added: 2006-09-23 License: Perl Artistic License Price:
1131 downloads
BFBTester 2.0.1
BFBTester is great for doing quick, proactive, security checks of binary programs. more>>
BFBTester is great for doing quick, proactive, security checks of binary programs. BFBTester will perform checks for single and multiple argument command line overflows and environment variable overflows. Versions 2.0-BETA and higher can also watch for
tempfile creation activity to alert the user of any programs using unsafe tempfile names.
The basic syntax for making BFBTester to run is:
bfbtester [-htv] [-d level ] [-r rejects] [-o out-file]
[-x max-execs] -asme file [file2 file3 ...]
Must specify one or more of the following tests:
-s Single Argument Test
-m Multiple Argument Test
-e Environment Variable Test
-a Selects all tests
Options:
-h Print this message
-t Enable tempfile monitoring
-v Print version string
-d level Set debug level (default = 0, max = 2)
-r rejects Comma separated list of binaries to skip
-o out-file Output to out-file rather than stdout
-x max-execs Set maximum executables to run in parallel (default = 250)
file. Specific binary or a directory of binaries to test
You must specify at least one test to run and you must specify either a binary or a directory.
<<lesstempfile creation activity to alert the user of any programs using unsafe tempfile names.
The basic syntax for making BFBTester to run is:
bfbtester [-htv] [-d level ] [-r rejects] [-o out-file]
[-x max-execs] -asme file [file2 file3 ...]
Must specify one or more of the following tests:
-s Single Argument Test
-m Multiple Argument Test
-e Environment Variable Test
-a Selects all tests
Options:
-h Print this message
-t Enable tempfile monitoring
-v Print version string
-d level Set debug level (default = 0, max = 2)
-r rejects Comma separated list of binaries to skip
-o out-file Output to out-file rather than stdout
-x max-execs Set maximum executables to run in parallel (default = 250)
file. Specific binary or a directory of binaries to test
You must specify at least one test to run and you must specify either a binary or a directory.
Download (0.069MB)
Added: 2006-07-13 License: GPL (GNU General Public License) Price:
1198 downloads
Tie::Scalar::Sticky 1.06
Tie::Scalar::Sticky is a Perl module with block assignments to scalars. more>>
Tie::Scalar::Sticky is a Perl module with block assignments to scalars.
SYNOPSIS
use strict;
use Tie::Scalar::Sticky;
tie my $sticky, Tie::Scalar::Sticky;
$sticky = 42;
$sticky = ; # still 42
$sticky = undef; # still 42
$sticky = 0; # now its zero
tie my $sticky, Tie::Scalar::Sticky => qw/ foo bar /;
$sticky = 42;
$sticky = foo; # still 42
$sticky = bar; # still 42
$sticky = 0; # now its zero
Scalars tieed to this module will reject any assignments of undef or the empty string or any of the extra arugments provided to tie(). It simply removes the need for you to validate assignments, such as:
$var = $val unless grep $val eq $_, qw(not one of these);
Actually, that is the exact idea used in this module ...
So, why do this? Because i recently had to loop through a list where some items were undefined and the previously defined value should be used instead. In a nutshell:
tie my $sticky, Tie::Scalar::Sticky => 9, string;
for (3,undef,string,2,,1,9,0) {
$sticky = $_;
print $sticky, ;
}
Should print: 3 3 2 2 1 0
<<lessSYNOPSIS
use strict;
use Tie::Scalar::Sticky;
tie my $sticky, Tie::Scalar::Sticky;
$sticky = 42;
$sticky = ; # still 42
$sticky = undef; # still 42
$sticky = 0; # now its zero
tie my $sticky, Tie::Scalar::Sticky => qw/ foo bar /;
$sticky = 42;
$sticky = foo; # still 42
$sticky = bar; # still 42
$sticky = 0; # now its zero
Scalars tieed to this module will reject any assignments of undef or the empty string or any of the extra arugments provided to tie(). It simply removes the need for you to validate assignments, such as:
$var = $val unless grep $val eq $_, qw(not one of these);
Actually, that is the exact idea used in this module ...
So, why do this? Because i recently had to loop through a list where some items were undefined and the previously defined value should be used instead. In a nutshell:
tie my $sticky, Tie::Scalar::Sticky => 9, string;
for (3,undef,string,2,,1,9,0) {
$sticky = $_;
print $sticky, ;
}
Should print: 3 3 2 2 1 0
Download (0.003MB)
Added: 2007-02-13 License: Perl Artistic License Price:
983 downloads
Python SRS Library 0.30.11
Python SRS Library is a Python implementation of the Sender Rewriting Scheme. more>>
Python SRS Library is a Python implementation of the Sender Rewriting Scheme. Python SRS Library is a fairly direct translation of the draft implementation in Perl by Shevek. It includes a test suite, which currently checks four levels of forwarding and subsequent reversal for the Guarded, DB, and Reversible implementations.
This package includes scripts to be used as sendmail program maps. See sendmail integration for an explanation and instructions on incorporating SRS into sendmail.cf, substituting envfrom2srs.py and srs2envtol.py for the perl scripts. Even simpler, use the supplied sendmail m4 hack with sendmail.mc.
SRS.Daemon.Daemon() provides a simple socket daemon suitable for use with the Exim mailer.
RPM now includes a sendmail socketmap daemon. The program map is no longer recommended. It is slow and a security risk. Prior to socketmaps, it was all that was available for a custom map. Socketmap is available in sendmail 8.13.
For best results, use with Python milter to reject unsigned recipients.
Sendmail integration
Add the following lines to your /etc/mail/sendmail.mc (RedHat / Fedora) after any MAILER():
dnl #
dnl # File listing domains we do not SRS encode for when sending to
dnl #
define(`NO_SRS_FILE,`/etc/mail/no-srs-mailers)dnl
dnl #
dnl # Uncomment the following if you do not wish to SRS encode mail from
dnl # local domains. Only non-local domains need to be SRS encoded to
dnl # satisfy SPF. But encoding all outgoing mail can detect bounce forgeries.
dnl #
dnl define(`NO_SRS_FROM_LOCAL)dnl
dnl #
HACK(`pysrs,`/var/run/milter/pysrs)dnl
If you cannot install a version of sendmail with socketmap support, then the original program map is still available as HACK(pysrsprog).
NO_SRS_FILE is the path of a file containing the recipient MTAs for which you wont do SRS (typically, primary MXes for which you are secondary). Just leave this away, if you are secondary for nobody. The no-srs-mailers file is a simple text file which has one recipient MTA per line.
The argument to pysrs is the socket where the socketmap daemon is listening. This must match /etc/mail/pysrs.cfg or the default of /var/run/milter/pysrs.
NO_SRS_FROM_LOCAL : if this is set (define line present), then no SRS is done if sender is local (i.e. his domain is in /etc/mail/local-host-names)
The argument to pysrsprog is the domain that your SRS addresses bear (i.e. if your SRS addresses are srs0=mumble-jumble-toto@mydomain.com, then the argument is mydomain.com). This overrides fwdomain in /etc/mail/pysrs.cfg.
Enhancements:
- This release supports signing mode.
<<lessThis package includes scripts to be used as sendmail program maps. See sendmail integration for an explanation and instructions on incorporating SRS into sendmail.cf, substituting envfrom2srs.py and srs2envtol.py for the perl scripts. Even simpler, use the supplied sendmail m4 hack with sendmail.mc.
SRS.Daemon.Daemon() provides a simple socket daemon suitable for use with the Exim mailer.
RPM now includes a sendmail socketmap daemon. The program map is no longer recommended. It is slow and a security risk. Prior to socketmaps, it was all that was available for a custom map. Socketmap is available in sendmail 8.13.
For best results, use with Python milter to reject unsigned recipients.
Sendmail integration
Add the following lines to your /etc/mail/sendmail.mc (RedHat / Fedora) after any MAILER():
dnl #
dnl # File listing domains we do not SRS encode for when sending to
dnl #
define(`NO_SRS_FILE,`/etc/mail/no-srs-mailers)dnl
dnl #
dnl # Uncomment the following if you do not wish to SRS encode mail from
dnl # local domains. Only non-local domains need to be SRS encoded to
dnl # satisfy SPF. But encoding all outgoing mail can detect bounce forgeries.
dnl #
dnl define(`NO_SRS_FROM_LOCAL)dnl
dnl #
HACK(`pysrs,`/var/run/milter/pysrs)dnl
If you cannot install a version of sendmail with socketmap support, then the original program map is still available as HACK(pysrsprog).
NO_SRS_FILE is the path of a file containing the recipient MTAs for which you wont do SRS (typically, primary MXes for which you are secondary). Just leave this away, if you are secondary for nobody. The no-srs-mailers file is a simple text file which has one recipient MTA per line.
The argument to pysrs is the socket where the socketmap daemon is listening. This must match /etc/mail/pysrs.cfg or the default of /var/run/milter/pysrs.
NO_SRS_FROM_LOCAL : if this is set (define line present), then no SRS is done if sender is local (i.e. his domain is in /etc/mail/local-host-names)
The argument to pysrsprog is the domain that your SRS addresses bear (i.e. if your SRS addresses are srs0=mumble-jumble-toto@mydomain.com, then the argument is mydomain.com). This overrides fwdomain in /etc/mail/pysrs.cfg.
Enhancements:
- This release supports signing mode.
Download (0.037MB)
Added: 2006-08-02 License: Python License Price:
1183 downloads
KXML Editor 1.1.4
KXML Editor is a XML Editor for KDE. more>>
KXML Editor is application for KDE, that display and edit contents of XML file.
Main features:
- Drag and drop editing, clipboard support
- Use DOM level 2 Qt library parser
- KParts technology support
- DCOP technology support
- Editing KOffice compressed files
Enhancements:
- Updated /admin with latest kde-common/admin contents
- Switched the default item insert point to "at bottom" for the "New Element", "New Proc.Instr." and "New CData" dialogs.
- Implemented feature request #1044396 "Reload function".
- Fixed a little usability bug. Tabbing between the widgets work (better) now (all unvisible widgets reject focus on tab).
- Fixed the bug mentioned in feature request #1049159 "Keyboard shortcut for closing the "Edit XML as raw text" win".
- Implemented feature request #1048738 "F2 button for editing text content".
- Added fix_paths script to fix hardcoded paths in files generated by dcopidl2cpp
<<lessMain features:
- Drag and drop editing, clipboard support
- Use DOM level 2 Qt library parser
- KParts technology support
- DCOP technology support
- Editing KOffice compressed files
Enhancements:
- Updated /admin with latest kde-common/admin contents
- Switched the default item insert point to "at bottom" for the "New Element", "New Proc.Instr." and "New CData" dialogs.
- Implemented feature request #1044396 "Reload function".
- Fixed a little usability bug. Tabbing between the widgets work (better) now (all unvisible widgets reject focus on tab).
- Fixed the bug mentioned in feature request #1049159 "Keyboard shortcut for closing the "Edit XML as raw text" win".
- Implemented feature request #1048738 "F2 button for editing text content".
- Added fix_paths script to fix hardcoded paths in files generated by dcopidl2cpp
Download (1.3MB)
Added: 2005-06-13 License: GPL (GNU General Public License) Price:
1603 downloads
mod_bwshare 0.1.9
mod_bwshare is a bandwidth throttling and monitoring per client IP address. more>>
mod_bwshare is a bandwidth throttling and monitoring per client IP address.
The mod_bwshare module accepts or rejects HTTP requests from each client IP address based on past downloads by that client IP address.
If the HTTP clients download rate exceeds specified levels, the reponse to the HTTP client is an HTML warning message.
A human browser will see a warning message indicating how long to wait.
Automatic rampant downloaders will download large numbers of useless warning messages.
The original motivation for mod_bwshare was to prevent automatic download of all 900 MBytes of material on one of my web sites which was connected to a 33k modem, which would have taken several days if it had succeeded.
<<lessThe mod_bwshare module accepts or rejects HTTP requests from each client IP address based on past downloads by that client IP address.
If the HTTP clients download rate exceeds specified levels, the reponse to the HTTP client is an HTML warning message.
A human browser will see a warning message indicating how long to wait.
Automatic rampant downloaders will download large numbers of useless warning messages.
The original motivation for mod_bwshare was to prevent automatic download of all 900 MBytes of material on one of my web sites which was connected to a 33k modem, which would have taken several days if it had succeeded.
Download (0.063MB)
Added: 2006-05-23 License: Artistic License Price:
1250 downloads
Secleted [ 0 ] software to compare
Copyright Notice:
Software piracy is theft, Using crack, password, serial numbers, registration codes, key generators is illegal and prevent future software development. The above to reject search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites, torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed
