Port 445 -> 444 gewechselt und XTAccess-Regeln ausgeschaltet.
authorms <ms@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8>
Sun, 19 Feb 2006 11:25:43 +0000 (11:25 +0000)
committerms <ms@ea5c0bd1-69bd-2848-81d8-4f18e57aeed8>
Sun, 19 Feb 2006 11:25:43 +0000 (11:25 +0000)
Nach der Installation sind alle Ports geschlossen!

git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@41 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8

config/cfgroot/proxy-acl
config/cfgroot/xtaccess-config
config/httpd/httpd.conf
html/cgi-bin/portfw.cgi

index ca1ccdf..038f64d 100644 (file)
@@ -1,49 +1,49 @@
-# Do not modify '/var/ipcop/proxy/squid.conf' directly since any changes
-# you make will be overwritten whenever you resave proxy settings using the
-# web interface! Instead, modify the file '/var/ipcop/proxy/acl' and then
-# restart squid using the web interface. Changes made to the 'acl' file
-# will propagate to the 'squid.conf' file at that time.
-# [Scott Tregear, 22 Feb 2005]
-
-# Uncomment the following line to enable logging of User-Agent header:
-#useragent_log      /var/log/squid/user_agent.log
-
-# Uncomment the following line to enable logging of Referer header:
-#referer_log        /var/log/squid/referer.log
-
-acl all src 0.0.0.0/0.0.0.0
-acl localhost src 127.0.0.1/255.255.255.255
-acl SSL_ports port 443 563 
-acl Safe_ports port 80 # http 
-acl Safe_ports port 21 # ftp 
-acl Safe_ports port 443 563 # https, snews 
-acl Safe_ports port 70 # gopher 
-acl Safe_ports port 210 # wais 
-acl Safe_ports port 1025-65535 # unregistered ports 
-acl Safe_ports port 280 # http-mgmt 
-acl Safe_ports port 488 # gss-http 
-acl Safe_ports port 591 # filemaker 
-acl Safe_ports port 777 # multiling http 
-acl Safe_ports port __PROXY_PORT__ # Squid port (for icons) 
-
-acl IPCop_http  port 81
-acl IPCop_https port 445
-acl IPCop_ips  dst __GREEN_IP__ __BLUE_IP__
-acl IPCop_networks src __GREEN_NET__ __BLUE_NET__
-acl CONNECT method CONNECT 
-
-##Access to squid:
-#local machine, no restriction
-http_access allow         localhost
-
-#GUI admin if local machine connects
-http_access allow         IPCop_ips IPCop_networks IPCop_http
-http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https
-
-#Deny not web services
-http_access deny          !Safe_ports
-http_access deny  CONNECT !SSL_ports
-
-#Finally allow IPCop_networks clients
-http_access allow         IPCop_networks
-http_access deny          all
+# Do not modify '/var/ipcop/proxy/squid.conf' directly since any changes\r
+# you make will be overwritten whenever you resave proxy settings using the\r
+# web interface! Instead, modify the file '/var/ipcop/proxy/acl' and then\r
+# restart squid using the web interface. Changes made to the 'acl' file\r
+# will propagate to the 'squid.conf' file at that time.\r
+# [Scott Tregear, 22 Feb 2005]\r
+\r
+# Uncomment the following line to enable logging of User-Agent header:\r
+#useragent_log      /var/log/squid/user_agent.log\r
+\r
+# Uncomment the following line to enable logging of Referer header:\r
+#referer_log        /var/log/squid/referer.log\r
+\r
+acl all src 0.0.0.0/0.0.0.0\r
+acl localhost src 127.0.0.1/255.255.255.255\r
+acl SSL_ports port 443 563 \r
+acl Safe_ports port 80 # http \r
+acl Safe_ports port 21 # ftp \r
+acl Safe_ports port 443 563 # https, snews \r
+acl Safe_ports port 70 # gopher \r
+acl Safe_ports port 210 # wais \r
+acl Safe_ports port 1025-65535 # unregistered ports \r
+acl Safe_ports port 280 # http-mgmt \r
+acl Safe_ports port 488 # gss-http \r
+acl Safe_ports port 591 # filemaker \r
+acl Safe_ports port 777 # multiling http \r
+acl Safe_ports port __PROXY_PORT__ # Squid port (for icons) \r
+\r
+acl IPCop_http  port 81\r
+acl IPCop_https port 444\r
+acl IPCop_ips  dst __GREEN_IP__ __BLUE_IP__\r
+acl IPCop_networks src __GREEN_NET__ __BLUE_NET__\r
+acl CONNECT method CONNECT \r
+\r
+##Access to squid:\r
+#local machine, no restriction\r
+http_access allow         localhost\r
+\r
+#GUI admin if local machine connects\r
+http_access allow         IPCop_ips IPCop_networks IPCop_http\r
+http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https\r
+\r
+#Deny not web services\r
+http_access deny          !Safe_ports\r
+http_access deny  CONNECT !SSL_ports\r
+\r
+#Finally allow IPCop_networks clients\r
+http_access allow         IPCop_networks\r
+http_access deny          all\r
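Review bot: Every line on the new side of this section ends in `\r`, so the rewrite converts the whole file to CRLF line endings while the only intended change is `acl IPCop_https port 445` becoming `acl IPCop_https port 444`; the same whole-file conversion appears in the config/cfgroot/xtaccess-config and config/httpd/httpd.conf sections. If that `\r` is a literal carriage return rather than a display artefact, Squid will probably tolerate it as whitespace, but in xtaccess-config it lands inside the last comma-separated field (`0.0.0.0\r`) and would survive a plain `chomp` in whatever Perl reads that file, so the reader should be checked. Restoring LF endings would shrink each of these diffs to the one changed line and keep the port change reviewable.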
index 74019ef..69d4e16 100644 (file)
@@ -1 +1 @@
-tcp,0.0.0.0/0,113,on,0.0.0.0
+tcp,0.0.0.0/0,113,off,0.0.0.0\r
index ad54da9..11e5438 100644 (file)
-##
-## httpd.conf -- Apache HTTP server configuration file
-##
-## $Id: httpd.conf,v 1.15.2.7 2005/04/16 11:40:15 rkerr Exp $
-##
-ServerType standalone
-ServerRoot /etc/httpd
-
-LockFile /var/lock/httpd.lock
-PidFile /var/run/httpd.pid
-ScoreBoardFile /var/run/httpd.scoreboard
-Timeout 900
-KeepAlive On
-MaxKeepAliveRequests 100
-KeepAliveTimeout 15
-MinSpareServers 1
-MaxSpareServers 2
-StartServers 2
-MaxClients 10
-MaxRequestsPerChild 100
-Port 81
-Listen 81
-Listen 445
-User nobody
-Group nobody
-ServerAdmin root@localhost
-ServerTokens Prod
-DocumentRoot /home/httpd/html
-# Limit track/trace requests
-RewriteEngine on
-RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
-RewriteRule .* - [F]
-
-<Directory />
-    Options None
-    AllowOverride None
-</Directory>
-<Directory /home/httpd/html>
-    Options ExecCGI
-    AllowOverride None
-    Order allow,deny
-    Allow from all
-</Directory>
-<DirectoryMatch "/home/httpd/html/(graphs|sgraph)">
-    AuthName "Restricted"
-    AuthType Basic
-    AuthUserFile CONFIG_ROOT/auth/users
-    require user admin
-</DirectoryMatch>
-ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
-<Directory /home/httpd/cgi-bin>
-    AllowOverride None
-    Options None
-    AuthName "Restricted"
-    AuthType Basic
-    AuthUserFile CONFIG_ROOT/auth/users
-    Require user admin
-    <Files index.cgi>
-        Satisfy Any
-        Allow from All
-    </Files>
-    <Files credits.cgi>
-        Satisfy Any
-        Allow from All
-    </Files>
-    <Files dial.cgi>
-        Require user admin dial
-    </Files>
-</Directory>
-<IfModule mod_dir.c>
-    DirectoryIndex index.html index.htm index.shtml index.cgi
-</IfModule>
-AccessFileName .htaccess
-<Files ~ "^\.ht">
-    Order allow,deny
-    Deny from all
-</Files>
-<IfModule mod_mime.c>
-    TypesConfig /etc/mime.types
-</IfModule>
-DefaultType text/plain
-
-HostnameLookups Off
-ErrorLog /var/log/httpd/error_log
-LogLevel warn
-LogFormat "%h %l %u %t \"%r\" %>s %b" common
-CustomLog /var/log/httpd/access_log common
-ServerSignature Off
-AddHandler cgi-script .cgi
-<IfModule mod_setenvif.c>
-    BrowserMatch "Mozilla/2" nokeepalive
-    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
-    BrowserMatch "RealPlayer 4\.0" force-response-1.0
-    BrowserMatch "Java/1\.0" force-response-1.0
-    BrowserMatch "JDK/1\.0" force-response-1.0
-</IfModule>
-
-###
-### SSL Configuration
-###
-AddType application/x-x509-ca-cert .crt
-AddType application/x-pkcs7-crl    .crl
-
-SSLPassPhraseDialog  builtin
-SSLSessionCache         dbm:/var/log/httpd/ssl_scache
-SSLSessionCacheTimeout  900
-SSLMutex  file:/var/log/httpd/ssl_mutex
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-SSLLog      /var/log/httpd/ssl_engine_log
-SSLLogLevel info
-
-<VirtualHost _default_:445>
-    RewriteEngine on
-    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
-    RewriteRule .* - [F]
-    DocumentRoot /home/httpd/html
-    ServerAdmin root@localhost
-    ErrorLog /var/log/httpd/error_log
-    TransferLog /var/log/httpd/access_log
-    SSLEngine on
-    SSLProtocol all -SSLv2
-    SSLCipherSuite ALL:!ADH:!EXPORT56:!eNULL:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
-    SSLCertificateFile /etc/httpd/server.crt
-    SSLCertificateKeyFile /etc/httpd/server.key
-    <Files ~ "\.(cgi|shtml?)$">
-       SSLOptions +StdEnvVars
-    </Files>
-    <Directory /home/httpd/cgi-bin>
-       SSLOptions +StdEnvVars
-    </Directory>
-    SetEnv HOME /home/nobody
-    SetEnvIf User-Agent ".*MSIE.*" \
-       nokeepalive ssl-unclean-shutdown \
-       downgrade-1.0 force-response-1.0
-    CustomLog /var/log/httpd/ssl_request_log \
-       "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-</VirtualHost>
-
-<Directory /home/httpd/html/backup>
-    Options None
-    AllowOverride None
-    AuthName "Restricted"
-    AuthType Basic
-    AuthUserFile /var/ipcop/auth/users
-    require user admin
-</Directory>
-
-include /etc/httpd/conf/hostname.conf
+##\r
+## httpd.conf -- Apache HTTP server configuration file\r
+##\r
+## $Id: httpd.conf,v 1.15.2.7 2005/04/16 11:40:15 rkerr Exp $\r
+##\r
+ServerType standalone\r
+ServerRoot /etc/httpd\r
+\r
+LockFile /var/lock/httpd.lock\r
+PidFile /var/run/httpd.pid\r
+ScoreBoardFile /var/run/httpd.scoreboard\r
+Timeout 900\r
+KeepAlive On\r
+MaxKeepAliveRequests 100\r
+KeepAliveTimeout 15\r
+MinSpareServers 1\r
+MaxSpareServers 2\r
+StartServers 2\r
+MaxClients 10\r
+MaxRequestsPerChild 100\r
+Port 81\r
+Listen 81\r
+Listen 444\r
+User nobody\r
+Group nobody\r
+ServerAdmin root@localhost\r
+ServerTokens Prod\r
+DocumentRoot /home/httpd/html\r
+# Limit track/trace requests\r
+RewriteEngine on\r
+RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)\r
+RewriteRule .* - [F]\r
+\r
+<Directory />\r
+    Options None\r
+    AllowOverride None\r
+</Directory>\r
+<Directory /home/httpd/html>\r
+    Options ExecCGI\r
+    AllowOverride None\r
+    Order allow,deny\r
+    Allow from all\r
+</Directory>\r
+<DirectoryMatch "/home/httpd/html/(graphs|sgraph)">\r
+    AuthName "Restricted"\r
+    AuthType Basic\r
+    AuthUserFile CONFIG_ROOT/auth/users\r
+    require user admin\r
+</DirectoryMatch>\r
+ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/\r
+<Directory /home/httpd/cgi-bin>\r
+    AllowOverride None\r
+    Options None\r
+    AuthName "Restricted"\r
+    AuthType Basic\r
+    AuthUserFile CONFIG_ROOT/auth/users\r
+    Require user admin\r
+    <Files index.cgi>\r
+        Satisfy Any\r
+        Allow from All\r
+    </Files>\r
+    <Files credits.cgi>\r
+        Satisfy Any\r
+        Allow from All\r
+    </Files>\r
+    <Files dial.cgi>\r
+        Require user admin dial\r
+    </Files>\r
+</Directory>\r
+<IfModule mod_dir.c>\r
+    DirectoryIndex index.html index.htm index.shtml index.cgi\r
+</IfModule>\r
+AccessFileName .htaccess\r
+<Files ~ "^\.ht">\r
+    Order allow,deny\r
+    Deny from all\r
+</Files>\r
+<IfModule mod_mime.c>\r
+    TypesConfig /etc/mime.types\r
+</IfModule>\r
+DefaultType text/plain\r
+\r
+HostnameLookups Off\r
+ErrorLog /var/log/httpd/error_log\r
+LogLevel warn\r
+LogFormat "%h %l %u %t \"%r\" %>s %b" common\r
+CustomLog /var/log/httpd/access_log common\r
+ServerSignature Off\r
+AddHandler cgi-script .cgi\r
+<IfModule mod_setenvif.c>\r
+    BrowserMatch "Mozilla/2" nokeepalive\r
+    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0\r
+    BrowserMatch "RealPlayer 4\.0" force-response-1.0\r
+    BrowserMatch "Java/1\.0" force-response-1.0\r
+    BrowserMatch "JDK/1\.0" force-response-1.0\r
+</IfModule>\r
+\r
+###\r
+### SSL Configuration\r
+###\r
+AddType application/x-x509-ca-cert .crt\r
+AddType application/x-pkcs7-crl    .crl\r
+\r
+SSLPassPhraseDialog  builtin\r
+SSLSessionCache         dbm:/var/log/httpd/ssl_scache\r
+SSLSessionCacheTimeout  900\r
+SSLMutex  file:/var/log/httpd/ssl_mutex\r
+SSLRandomSeed startup builtin\r
+SSLRandomSeed connect builtin\r
+SSLLog      /var/log/httpd/ssl_engine_log\r
+SSLLogLevel info\r
+\r
+<VirtualHost _default_:444>\r
+    RewriteEngine on\r
+    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)\r
+    RewriteRule .* - [F]\r
+    DocumentRoot /home/httpd/html\r
+    ServerAdmin root@localhost\r
+    ErrorLog /var/log/httpd/error_log\r
+    TransferLog /var/log/httpd/access_log\r
+    SSLEngine on\r
+    SSLProtocol all -SSLv2\r
+    SSLCipherSuite ALL:!ADH:!EXPORT56:!eNULL:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP\r
+    SSLCertificateFile /etc/httpd/server.crt\r
+    SSLCertificateKeyFile /etc/httpd/server.key\r
+    <Files ~ "\.(cgi|shtml?)$">\r
+       SSLOptions +StdEnvVars\r
+    </Files>\r
+    <Directory /home/httpd/cgi-bin>\r
+       SSLOptions +StdEnvVars\r
+    </Directory>\r
+    SetEnv HOME /home/nobody\r
+    SetEnvIf User-Agent ".*MSIE.*" \\r
+       nokeepalive ssl-unclean-shutdown \\r
+       downgrade-1.0 force-response-1.0\r
+    CustomLog /var/log/httpd/ssl_request_log \\r
+       "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"\r
+</VirtualHost>\r
+\r
+<Directory /home/httpd/html/backup>\r
+    Options None\r
+    AllowOverride None\r
+    AuthName "Restricted"\r
+    AuthType Basic\r
+    AuthUserFile /var/ipcop/auth/users\r
+    require user admin\r
+</Directory>\r
+\r
+include /etc/httpd/conf/hostname.conf\r
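Review bot: Port 444 now appears twice in this file, in `Listen 444` and `<VirtualHost _default_:444>`, and again in proxy-acl's `acl IPCop_https port 444` and portfw.cgi's `@tcp_reserved`, with nothing tying them together, so a later change to one of them silently breaks the GUI admin path through Squid or lets the port-forward form accept the GUI port. A comment beside the Listen line would help, e.g. `# 444: HTTPS GUI port - keep in sync with proxy-acl (IPCop_https) and portfw.cgi (@tcp_reserved)`. Separately, the continuation lines `SetEnvIf User-Agent ".*MSIE.*" \` and `CustomLog /var/log/httpd/ssl_request_log \` now end in a backslash followed by `\r`; if that is a literal carriage return, whether Apache still treats the backslash as a continuation depends on its trailing-whitespace handling, and a broken continuation would make `nokeepalive ssl-unclean-shutdown` parse as a directive and fail startup, so a config syntax check before shipping is warranted.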
index bfa9e99..ca626f8 100644 (file)
@@ -1040,7 +1040,7 @@ sub disallowreserved
 {\r
        # port 67 and 68 same for tcp and udp, don't bother putting in an array\r
        my $msg = "";\r
-       my @tcp_reserved = (81,222,445);\r
+       my @tcp_reserved = (81,222,444);\r
        my $prt = $_[0]; # the port or range\r
        my $ryn = $_[1]; # tells us whether or not it is a port range\r
        my $prot = $_[2]; # protocol\r
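Review bot: `my @tcp_reserved = (81,222,444);` is a hand-maintained list that overlaps the GUI ports configured in httpd.conf (`Listen 81`, `Listen 444`) and proxy-acl (`IPCop_http`, `IPCop_https`); this commit updates all three in step, but nothing enforces that they stay equal, and a drift would let the port-forward form accept the GUI port as a forward target. A comment naming the coupling would at least make the next change safer, e.g. `# reserved GUI ports - must match Listen in config/httpd/httpd.conf and IPCop_http/IPCop_https in proxy-acl`. The rest of disallowreserved, including any UDP counterpart of this list, lies outside the hunk, so whether the same coupling exists there cannot be checked here.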