RCS file: /etc/firewall/RCS/firewall,v
Working file: /etc/firewall/firewall
head: 1.17
branch:
locks: strict
access list:
symbolic names:
keyword substitution: kv
total revisions: 17;	selected revisions: 17
description:
firewall - main script for CAcert hopper firewall
----------------------------
revision 1.17
date: 2014/08/09 14:52:28;  author: root;  state: Exp;  lines: +4 -1
Add some rules to allow local testing of services over IPv6.
----------------------------
revision 1.16
date: 2014/08/08 15:36:45;  author: root;  state: Exp;  lines: +5 -1
Add rules to allow everything on loopback interface.
----------------------------
revision 1.15
date: 2014/08/08 15:19:05;  author: root;  state: Exp;  lines: +69 -26
Expand script to deal with IPv6.
----------------------------
revision 1.14
date: 2014/02/05 16:50:17;  author: root;  state: Exp;  lines: +4 -1
Add rule to allow access to rsync daemon on www.cacert.org for retrieving CRLs.
----------------------------
revision 1.13
date: 2014/01/28 16:09:05;  author: root;  state: Exp;  lines: +6 -19
Remove OCSP related entries from the firewall script, because we are now running on a dedicated vm for CRL service.
----------------------------
revision 1.12
date: 2013/12/17 15:30:03;  author: root;  state: Exp;  lines: +6 -4
Update rules to allow access to DNS resolver.
----------------------------
revision 1.11
date: 2013/12/17 15:28:01;  author: root;  state: Exp;  lines: +3 -2
Allow incoming OCSP requests over SSL on port 443.
Update comment about firewall.
----------------------------
revision 1.10
date: 2013/11/20 10:52:50;  author: root;  state: Exp;  lines: +4 -1
Add call to run the traffic control limit script "tclimit".
----------------------------
revision 1.9
date: 2013/11/20 10:50:59;  author: root;  state: Exp;  lines: +5 -1
Add rule to allow replies from CRL server (again state tracking doesn't seem to work 100%?).
----------------------------
revision 1.8
date: 2013/10/22 10:42:25;  author: root;  state: Exp;  lines: +6 -4
Add support for HTTPS access to crl.cacert.org.
----------------------------
revision 1.7
date: 2013/10/18 13:58:37;  author: root;  state: Exp;  lines: +7 -1
Add support for RSYNC access to CRL server on specific IPv4 address.
----------------------------
revision 1.6
date: 2011/06/17 16:19:16;  author: root;  state: Exp;  lines: +4 -1
Add rule to allow replies from OCSP server (state tracking doesn't seem to work?).
----------------------------
revision 1.5
date: 2011/05/17 15:36:16;  author: root;  state: Exp;  lines: +10 -3
Add explicit IPv4 addresses for access to OCSP service.
Add support for HTTP access to CRL server on specific IPv4 address.
----------------------------
revision 1.4
date: 2011/05/16 14:47:10;  author: root;  state: Exp;  lines: +24 -1
Add rules for operating as OCSP server:
- allow logging to log server
- allow OCSP (server) on port 2560
- allow OCSP (local testing)
- allow dns resolver
- allow incoming ICMP Echo and ICMP Time Exceeded
- log all incoming traffic that is dropped by this firewall
----------------------------
revision 1.3
date: 2011/04/28 20:51:19;  author: root;  state: Exp;  lines: +1 -5
*** empty log message ***
----------------------------
revision 1.2
date: 2009/06/10 10:06:14;  author: root;  state: Exp;  lines: +5 -1
*** empty log message ***
----------------------------
revision 1.1
date: 2009/06/08 13:05:10;  author: root;  state: Exp;
Initial revision
=============================================================================