Splitting from dev_urandom

author: root <root@pompom.softgrouphosting.net> 2009-11-20 14:26:26 -0500
committer: root <root@pompom.softgrouphosting.net> 2009-11-20 14:26:26 -0500
commit: 549fa35bd35c5e6356099ad3ac6f4392aa0acd23 (patch)
tree: 44eb51894096d5cecbb1344b6f1705ba6dd2228d
download: iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.tar.bz2
iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.tar.xz
iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.zip
2 files changed, 239 insertions, 0 deletions
diff --git a/firewall b/firewall
new file mode 100644
index 0000000..d19f0ce
--- /dev/null
+++ b/firewall
@@ -0,0 +1,179 @@
+# Make sure we have all the commands to continue
+if [[ ! `which iptables` || ! `which ifconfig` || ! `which grep` || ! `which sed` ]]; then
+        echo 'Essential commands are missing. Can not continue.'
+        exit 1
+fi
+# Check for root
+if [[ $UID != 0 ]]; then
+        echo 'You are not root.'
+        exit 1
+fi
+# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
+export LC_ALL="en"
+# Source our configuration file
+source /etc/firewall.conf
+# Go into lockdown mode while we setup the rules
+iptables -P INPUT   DROP
+iptables -P OUTPUT  DROP
+iptables -P FORWARD DROP
+# Flush all existing chains and erase personal chains
+CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
+for i in $CHAINS; do
+        iptables -t $i -F
+        iptables -t $i -X
+done
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Source Address Verification
+for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+        echo 1 > $f
+done
+# Disable IP source routing and ICMP redirects
+for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
+        echo 0 > $f
+done
+for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
+        echo 0 > $f
+done
+echo 1 > /proc/sys/net/ipv4/ip_forward
+# Determine the IP/Broadcast/Netmask for the outside interface
+# dynamically by grepping ifconfig commands
+#
+# Due to absence of EXTBC in ifconfig output I manually set it 
+# to 255.255.255.255 this hopefully will serve the same purpose
+EXTIP="`ifconfig $EXTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+EXTBC="255.255.255.255"
+EXTMSK="`ifconfig $EXTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+EXTNET="$EXTIP/$EXTMSK"
+echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
+# Determine the IP/Broadcast/Netmask for the outside interface
+# dynamically by grepping ifconfig commands
+INTIP="`ifconfig $INTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+INTBC="`ifconfig $INTIF|grep Bcast:|sed 's/.*Bcast:\([^ ]*\) .*/\1/'`"
+INTMSK="`ifconfig $INTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+INTNET="$INTIP/$INTMSK"
+echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
+# We are now going to create a few custom chains that will result in
+# logging of dropped packets. This will enable us to avoid having to
+# enter a log command prior to every drop we wish to log. The
+# first will be first log drops the other will log rejects.
+# Do not complain if chain already exists (so restart is clean)
+iptables -N DROPl   2> /dev/null
+iptables -A DROPl   -j LOG --log-prefix 'DROPl:'
+iptables -A DROPl   -j DROP
+iptables -N REJECTl 2> /dev/null
+iptables -A REJECTl -j LOG --log-prefix 'REJECTl:'
+iptables -A REJECTl -j REJECT
+# Now we are going to accpet all traffic from our loopback device
+# if the IP matches any of our interfaces.
+iptables -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
+iptables -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
+iptables -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT
+# Blocking Broadcasts
+iptables -A INPUT   -i $EXTIF -d   $EXTBC -j DROPl
+iptables -A INPUT   -i $INTIF -d   $INTBC -j DROPl
+iptables -A OUTPUT  -o $EXTIF -d   $EXTBC -j DROPl
+iptables -A OUTPUT  -o $INTIF -d   $INTBC -j DROPl
+iptables -A FORWARD -o $EXTIF -d   $EXTBC -j DROPl
+iptables -A FORWARD -o $INTIF -d   $INTBC -j DROPl
+# Block WAN access to internal network
+#
+# This also stops nefarious crackers from using our network as a
+# launching point to attack other people
+iptables -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl
+# Now we will block internal addresses originating from anything but our
+# two predefined interfaces... just remember that if you jack your
+# your laptop or another pc into one of these NIC's directly, you'll need
+# to ensure that they either have the same ip or that you add a line explicitly
+# for that IP as well
+iptables -A INPUT   -i $INTIF -s ! $INTNET -j DROPl
+iptables -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl
+iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
+iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
+# An additional Egress check
+iptables -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
+# Block outbound ICMP (except for PING)
+iptables -A OUTPUT  -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+# Explicitly block TCP ports
+for i in $TCPBLOCK; do
+  iptables -A INPUT   -p tcp --dport $i  -j DROPl
+  iptables -A OUTPUT  -p tcp --dport $i  -j DROPl
+  iptables -A FORWARD -p tcp --dport $i  -j DROPl
+done
+# Explicitly block UDP ports
+for i in $UDPBLOCK; do
+  iptables -A INPUT   -p udp --dport $i  -j DROPl
+  iptables -A OUTPUT  -p udp --dport $i  -j DROPl
+  iptables -A FORWARD -p udp --dport $i  -j DROPl
+done
+# Open inbound service ports
+for i in $INPORTS; do 
+        iptables -A INPUT -p tcp --dport $i -j ACCEPT   
+done
+iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+# Opening up ftp connection tracking
+MODULES="ip_nat_ftp ip_conntrack_ftp"
+for i in $MODULES; do
+        modprobe $i
+done
+# Allow inside systems to use external services
+for i in $TCPSERV; do
+  iptables -A OUTPUT  -o $EXTIF  -p tcp -s $EXTIP   --dport $i --syn -m state --state NEW -j ACCEPT
+  iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
+done
+for i in $UDPSERV; do
+  iptables -A OUTPUT  -o $EXTIF  -p udp -s $EXTIP   --dport $i -m state --state NEW -j ACCEPT
+  iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
+done
+# Allow to ping out
+iptables -A OUTPUT  -o $EXTIF  -p icmp -s $EXTIP   --icmp-type 8 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+# Allow firewall to ping internal systems
+iptables -A OUTPUT  -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+# Allow a few services internally
+iptables -A OUTPUT  -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT  -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT
+iptables -A INPUT   -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
+# Setup dynamic NAT
+iptables -t nat -A PREROUTING  -j ACCEPT
+iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
+iptables -t nat -A POSTROUTING -j ACCEPT
+iptables -t nat -A OUTPUT -j ACCEPT
+iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
+iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Block and log what me may have forgot
+iptables -A INPUT   -j DROPl
+iptables -A OUTPUT  -j REJECTl
+iptables -A FORWARD -j DROPl
+\ No newline at end of file
diff --git a/firewall.conf b/firewall.conf
new file mode 100644
index 0000000..78f873b
--- /dev/null
+++ b/firewall.conf
@@ -0,0 +1,60 @@
+EXTIF=eth1 # External interface
+INTIF=eth0 # Internal interface
+# Loop device/localhost
+LPDIF=lo
+LPDIP=127.0.0.1
+LPDMSK=255.0.0.0
+LPDNET="$LPDIP/$LPDMSK"
+# Defining some common chat clients. Remove these from your accepted list for better security.
+# ICQ and AOL are 5190
+# MSN is 1863
+# Y! is 5050
+# Jabber is 5222
+# Y! and Jabber ports not added by author and therefore left out of the script
+IRC='ircd'
+MSN=1863
+ICQ=5190
+YIM=5050
+AIM=5190
+NFS='sunrpc'
+PORTAGE='rsync'
+OpenPGP_HTTP_Keyserver=11371
+# All services ports are read from /etc/services
+TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s time $PORTAGE $YIM $AIM"
+UDPSERV="domain time"
+INPORTS="ssh http"
+# COMmon ports:
+# 0 is tcpmux; SGI had vulnerability, 1 is common attack
+# 13 is daytime
+# 98 is Linuxconf
+# 111 is sunrpc (portmap)
+# 137:139, 445 is Microsoft
+# SNMP: 161,2
+# Squid flotilla: 3128, 8000, 8008, 8080
+# 1214 is Morpheus or KaZaA
+# 2049 is NFS
+# 3049 is very virulent Linux Trojan, mistakable for NFS
+# Common attacks: 1999, 4329, 6346
+# Common Trojans 12345 65535
+COMBLOCK="0:1 13 98 111 113 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
+# TCP ports:
+# 98 is Linuxconf
+# 512-515 is rexec, rlogin, rsh, printer(lpd)
+#   [very serious vulnerabilities; attacks continue daily]
+# 1080 is Socks proxy server
+# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
+# Block 6112 (Sun's/HP's CDE)
+TCPBLOCK="$COMBLOCK 98 512:515 1080 3330 1128 3054 6000:6009 6112"
+# UDP ports:
+# 161:162 is SNMP
+# 520 is RIP
+# 9000 is Sangoma
+# 517:518 are talk and ntalk (more annoying than anything)
+UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
+\ No newline at end of file
author	root <root@pompom.softgrouphosting.net>	2009-11-20 14:26:26 -0500
committer	root <root@pompom.softgrouphosting.net>	2009-11-20 14:26:26 -0500
commit	549fa35bd35c5e6356099ad3ac6f4392aa0acd23 (patch)
tree	44eb51894096d5cecbb1344b6f1705ba6dd2228d
download	iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.tar.bz2 iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.tar.xz iptables_scripts-549fa35bd35c5e6356099ad3ac6f4392aa0acd23.zip

diff --git a/firewall b/firewall new file mode 100644 index 0000000..d19f0ce --- /dev/null +++ b/firewall
@@ -0,0 +1,179 @@
	1	# Make sure we have all the commands to continue
	2	if [[ ! `which iptables` \|\| ! `which ifconfig` \|\| ! `which grep` \|\| ! `which sed` ]]; then
	3	echo 'Essential commands are missing. Can not continue.'
	4	exit 1
	5	fi
	6
	7	# Check for root
	8	if [[ $UID != 0 ]]; then
	9	echo 'You are not root.'
	10	exit 1
	11	fi
	12
	13	# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
	14	export LC_ALL="en"
	15
	16	# Source our configuration file
	17	source /etc/firewall.conf
	18
	19	# Go into lockdown mode while we setup the rules
	20	iptables -P INPUT DROP
	21	iptables -P OUTPUT DROP
	22	iptables -P FORWARD DROP
	23
	24	# Flush all existing chains and erase personal chains
	25	CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
	26	for i in $CHAINS; do
	27	iptables -t $i -F
	28	iptables -t $i -X
	29	done
	30	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
	31	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	32
	33	# Source Address Verification
	34	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
	35	echo 1 > $f
	36	done
	37
	38	# Disable IP source routing and ICMP redirects
	39	for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
	40	echo 0 > $f
	41	done
	42	for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
	43	echo 0 > $f
	44	done
	45	echo 1 > /proc/sys/net/ipv4/ip_forward
	46
	47	# Determine the IP/Broadcast/Netmask for the outside interface
	48	# dynamically by grepping ifconfig commands
	49	#
	50	# Due to absence of EXTBC in ifconfig output I manually set it
	51	# to 255.255.255.255 this hopefully will serve the same purpose
	52	EXTIP="`ifconfig $EXTIF\|grep addr:\|sed 's/.addr:\([^ ]\) .*/\1/'`"
	53	EXTBC="255.255.255.255"
	54	EXTMSK="`ifconfig $EXTIF\|grep Mask:\|sed 's/.Mask:\([^ ]\)/\1/'`"
	55	EXTNET="$EXTIP/$EXTMSK"
	56	echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
	57
	58	# Determine the IP/Broadcast/Netmask for the outside interface
	59	# dynamically by grepping ifconfig commands
	60	INTIP="`ifconfig $INTIF\|grep addr:\|sed 's/.addr:\([^ ]\) .*/\1/'`"
	61	INTBC="`ifconfig $INTIF\|grep Bcast:\|sed 's/.Bcast:\([^ ]\) .*/\1/'`"
	62	INTMSK="`ifconfig $INTIF\|grep Mask:\|sed 's/.Mask:\([^ ]\)/\1/'`"
	63	INTNET="$INTIP/$INTMSK"
	64	echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
	65
	66	# We are now going to create a few custom chains that will result in
	67	# logging of dropped packets. This will enable us to avoid having to
	68	# enter a log command prior to every drop we wish to log. The
	69	# first will be first log drops the other will log rejects.
	70	# Do not complain if chain already exists (so restart is clean)
	71	iptables -N DROPl 2> /dev/null
	72	iptables -A DROPl -j LOG --log-prefix 'DROPl:'
	73	iptables -A DROPl -j DROP
	74	iptables -N REJECTl 2> /dev/null
	75	iptables -A REJECTl -j LOG --log-prefix 'REJECTl:'
	76	iptables -A REJECTl -j REJECT
	77
	78	# Now we are going to accpet all traffic from our loopback device
	79	# if the IP matches any of our interfaces.
	80	iptables -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
	81	iptables -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
	82	iptables -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
	83
	84	# Blocking Broadcasts
	85	iptables -A INPUT -i $EXTIF -d $EXTBC -j DROPl
	86	iptables -A INPUT -i $INTIF -d $INTBC -j DROPl
	87	iptables -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
	88	iptables -A OUTPUT -o $INTIF -d $INTBC -j DROPl
	89	iptables -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
	90	iptables -A FORWARD -o $INTIF -d $INTBC -j DROPl
	91
	92	# Block WAN access to internal network
	93	#
	94	# This also stops nefarious crackers from using our network as a
	95	# launching point to attack other people
	96	iptables -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl
	97
	98	# Now we will block internal addresses originating from anything but our
	99	# two predefined interfaces... just remember that if you jack your
	100	# your laptop or another pc into one of these NIC's directly, you'll need
	101	# to ensure that they either have the same ip or that you add a line explicitly
	102	# for that IP as well
	103	iptables -A INPUT -i $INTIF -s ! $INTNET -j DROPl
	104	iptables -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl
	105	iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
	106	iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
	107
	108	# An additional Egress check
	109	iptables -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl
	110
	111	# Block outbound ICMP (except for PING)
	112	iptables -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
	113	iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
	114
	115	# Explicitly block TCP ports
	116	for i in $TCPBLOCK; do
	117	iptables -A INPUT -p tcp --dport $i -j DROPl
	118	iptables -A OUTPUT -p tcp --dport $i -j DROPl
	119	iptables -A FORWARD -p tcp --dport $i -j DROPl
	120	done
	121
	122	# Explicitly block UDP ports
	123	for i in $UDPBLOCK; do
	124	iptables -A INPUT -p udp --dport $i -j DROPl
	125	iptables -A OUTPUT -p udp --dport $i -j DROPl
	126	iptables -A FORWARD -p udp --dport $i -j DROPl
	127	done
	128
	129	# Open inbound service ports
	130	for i in $INPORTS; do
	131	iptables -A INPUT -p tcp --dport $i -j ACCEPT
	132	done
	133
	134	iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	135	iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	136
	137	# Opening up ftp connection tracking
	138	MODULES="ip_nat_ftp ip_conntrack_ftp"
	139	for i in $MODULES; do
	140	modprobe $i
	141	done
	142
	143	# Allow inside systems to use external services
	144	for i in $TCPSERV; do
	145	iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
	146	iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
	147	done
	148
	149	for i in $UDPSERV; do
	150	iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
	151	iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
	152	done
	153
	154	# Allow to ping out
	155	iptables -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
	156	iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
	157
	158	# Allow firewall to ping internal systems
	159	iptables -A OUTPUT -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
	160
	161	# Allow a few services internally
	162	iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT
	163	iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT
	164	iptables -A INPUT -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
	165
	166	# Setup dynamic NAT
	167	iptables -t nat -A PREROUTING -j ACCEPT
	168	iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
	169	iptables -t nat -A POSTROUTING -j ACCEPT
	170	iptables -t nat -A OUTPUT -j ACCEPT
	171	iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
	172	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	173	iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	174	iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	175
	176	# Block and log what me may have forgot
	177	iptables -A INPUT -j DROPl
	178	iptables -A OUTPUT -j REJECTl
	179	iptables -A FORWARD -j DROPl \ No newline at end of file


diff --git a/firewall.conf b/firewall.conf new file mode 100644 index 0000000..78f873b --- /dev/null +++ b/firewall.conf
@@ -0,0 +1,60 @@
	1	EXTIF=eth1 # External interface
	2	INTIF=eth0 # Internal interface
	3
	4	# Loop device/localhost
	5	LPDIF=lo
	6	LPDIP=127.0.0.1
	7	LPDMSK=255.0.0.0
	8	LPDNET="$LPDIP/$LPDMSK"
	9
	10	# Defining some common chat clients. Remove these from your accepted list for better security.
	11	# ICQ and AOL are 5190
	12	# MSN is 1863
	13	# Y! is 5050
	14	# Jabber is 5222
	15	# Y! and Jabber ports not added by author and therefore left out of the script
	16	IRC='ircd'
	17	MSN=1863
	18	ICQ=5190
	19	YIM=5050
	20	AIM=5190
	21	NFS='sunrpc'
	22	PORTAGE='rsync'
	23	OpenPGP_HTTP_Keyserver=11371
	24
	25	# All services ports are read from /etc/services
	26	TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s time $PORTAGE $YIM $AIM"
	27	UDPSERV="domain time"
	28
	29	INPORTS="ssh http"
	30
	31	# COMmon ports:
	32	# 0 is tcpmux; SGI had vulnerability, 1 is common attack
	33	# 13 is daytime
	34	# 98 is Linuxconf
	35	# 111 is sunrpc (portmap)
	36	# 137:139, 445 is Microsoft
	37	# SNMP: 161,2
	38	# Squid flotilla: 3128, 8000, 8008, 8080
	39	# 1214 is Morpheus or KaZaA
	40	# 2049 is NFS
	41	# 3049 is very virulent Linux Trojan, mistakable for NFS
	42	# Common attacks: 1999, 4329, 6346
	43	# Common Trojans 12345 65535
	44	COMBLOCK="0:1 13 98 111 113 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
	45
	46	# TCP ports:
	47	# 98 is Linuxconf
	48	# 512-515 is rexec, rlogin, rsh, printer(lpd)
	49	# [very serious vulnerabilities; attacks continue daily]
	50	# 1080 is Socks proxy server
	51	# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
	52	# Block 6112 (Sun's/HP's CDE)
	53	TCPBLOCK="$COMBLOCK 98 512:515 1080 3330 1128 3054 6000:6009 6112"
	54
	55	# UDP ports:
	56	# 161:162 is SNMP
	57	# 520 is RIP
	58	# 9000 is Sangoma
	59	# 517:518 are talk and ntalk (more annoying than anything)
	60	UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000" \ No newline at end of file