From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall initscript: slightly improve comments
Date: Tue, 07 Apr 2020 16:11:27 +0100
Message-ID:
In-Reply-To: <52fede12-5ee7-9e76-8eda-eb8dfeff7b3d@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4027078954531955450=="
List-Id:
--===============4027078954531955450==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Reviewed-by: Michael Tremer
> On 7 Apr 2020, at 16:07, Peter M=C3=BCller wro= te:
>=20
> This patch corrects some typos and does not introduce functional changes.
>=20
> Signed-off-by: Peter M=C3=BCller
> ---
> src/initscripts/system/firewall | 18 +++++++++---------
> 1 file changed, 9 insertions(+), 9 deletions(-)
>=20
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firew= all
> index ab144ea18..00512d9fa 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -41,18 +41,18 @@ iptables_init() {
> iptables -A LOG_REJECT -j REJECT
>=20
> # This chain will log, then DROPs packets with certain bad combinations
> - # of flags might indicate a port-scan attempt (xmas, null, etc)
> + # of flags might indicate a port-scan attempt (xmas, null, etc.)
> iptables -N PSCAN
> if [ "$DROPPORTSCAN" =3D=3D "on" ]; then
> - iptables -A PSCAN -p tcp -m limit --limit 10/second -j LOG --log-prefix= "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
> - iptables -A PSCAN -p udp -m limit --limit 10/second -j LOG --log-prefix= "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
> + iptables -A PSCAN -p tcp -m limit --limit 10/second -j LOG --log-prefix= "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
> + iptables -A PSCAN -p udp -m limit --limit 10/second -j LOG --log-prefix= "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
> iptables -A PSCAN -p icmp -m limit --limit 10/second -j LOG --log-prefix = "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
> iptables -A PSCAN -f -m limit --limit 10/second -j LOG --log-prefix = "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
> fi
> iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
>=20
> # New tcp packets without SYN set - could well be an obscure type of port = scan
> - # that's not covered above, may just be a broken windows machine
> + # that's not covered above, may just be a broken Windows machine
> iptables -N NEWNOTSYN
> if [ "$DROPNEWNOTSYN" =3D=3D "on" ]; then
> iptables -A NEWNOTSYN -m limit --limit 10/second -j LOG --log-prefix "D= ROP_NEWNOTSYN "
> @@ -159,7 +159,7 @@ iptables_init() {
> iptables -t raw -A CONNTRACK -p tcp -j CT --helper amanda
> fi
>=20
> - # Fix for braindead ISP's
> + # Fix for braindead ISPs
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-t= o-pmtu
>=20
> # CUSTOM chains, can be used by the users themselves
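Review bot: The new comment line `+ # of flags might indicate a port-scan attempt (xmas, null, etc.)` still does not parse when read together with the untouched line above it ("bad combinations of flags might indicate"); since the patch already rewrites this line, `# of flags that might indicate a port-scan attempt (xmas, null, etc.)` would fix the sentence at no extra cost. The two PSCAN LOG rules removed and re-added in the same hunk look byte-identical in the quoted text, so that part is presumably a whitespace or alignment change only; the commit message only mentions typos, so a word about it there would help whoever reads the history. The enclosing iptables_init() starts and ends outside this hunk.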
> @@ -180,7 +180,7 @@ iptables_init() {
> iptables -A FORWARD -j P2PBLOCK
> iptables -A OUTPUT -j P2PBLOCK
> =09
> - # Guardian (IPS) chains
> + # IPS (Guardian) chains
> iptables -N GUARDIAN
> iptables -A INPUT -j GUARDIAN
> iptables -A FORWARD -j GUARDIAN
> @@ -196,7 +196,7 @@ iptables_init() {
> iptables -A FORWARD -i tun+ -j OVPNBLOCK
> iptables -A FORWARD -o tun+ -j OVPNBLOCK
>=20
> - # IPS (suricata) chains
> + # IPS (Suricata) chains
> iptables -N IPS_INPUT
> iptables -N IPS_FORWARD
> iptables -N IPS_OUTPUT
> @@ -261,7 +261,7 @@ iptables_init() {
> iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
> fi
>=20
> - # allow DHCP on BLUE to be turned on/off
> + # Allow DHCP on BLUE to be turned on/off
> iptables -N DHCPBLUEINPUT
> iptables -N DHCPBLUEOUTPUT
> if [ -n "${BLUE_DEV}" ]; then
> @@ -438,7 +438,7 @@ iptables_red_up() {
> iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $I= FACE -j ACCEPT
> fi
>=20
> - # Outgoing masquerading (don't masqerade IPSEC (mark 50))
> + # Outgoing masquerading (don't masqerade IPsec (mark 50))
> iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
>=20
> if [ "${IFACE}" =3D "${GREEN_DEV}" ]; then
> --=20
> 2.16.4
--===============4027078954531955450==--
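Review bot: The re-added comment in the last hunk (@@ -438) still carries the misspelling `masqerade` that a typo-fixing patch should catch while it is on that line; the new side should read `# Outgoing masquerading (don't masquerade IPsec (mark 50))`. Not part of this change, but the two context lines in that hunk expand `$IFACE` unquoted (`-i $IFACE`, `-o $IFACE`) while the later `if` line uses `"${IFACE}"`; quoting them the same way would be a reasonable follow-up for a script that builds firewall rules. The enclosing iptables_red_up() starts and ends outside the hunk.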