% pfilter - packet filtering for GNU/Linux
%
% pfilter ruleset for globus service

% Copyright 2003 Neil Gorsuch
%
% This file is part of pfilter.
%
% pfilter is free software; you can redistribute it and/or modify
% it under the terms of the GNU General Public License as published by
% the Free Software Foundation; either version 2 of the License, or
% (at your option) any later version.
%
% pfilter is distributed in the hope that it will be useful,
% but WITHOUT ANY WARRANTY; without even the implied warranty of
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
% GNU General Public License for more details.
%
% You should have received a copy of the GNU General Public License
% along with this program; if not, write to the Free Software
% Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

% NFS gets its own macros because it dynamically opens various ports.

%macro service-nfs-open src_address dest_address src_int dest_int src_bcast dest_bcast
# Let all NFS connection packets through to %dest_address%.
# This method is used because NFS dynamically maps ports.
# Newer netfilter patches for the kernel are supposed to
# support RPC/NFS connection tracking, but they have not
# passed pfilter testing yet.
#
# Arguments: src_address, dest_address, src_int and dest_int are passed
# straight through to open_protocol_port; src_bcast and dest_bcast are
# accepted for a uniform service-macro signature but are not used here.
#
# Fixed ports: 111 (portmapper/rpcbind) and 635 (commonly configured
# for mountd; confirm against the local RPC setup) are opened for tcp
# and udp, both %src_address% -> %dest_address% and loopback -> loopback.
%loop port 111 635
%loop protocol tcp udp
%open_protocol_port% %src_address% %dest_address% %src_int% %dest_int% %protocol% %port%
%endloop
%loop protocol tcp udp
%open_protocol_port% 127.0.0.1 127.0.0.1 %src_int% %dest_int% %protocol% %port%
%endloop
%endloop
# Dynamic ports: when the generated script runs, ask the local portmapper
# which ports are registered for the current protocol and open each one,
# skipping 111 (already handled above).
# NOTE(review): the awk program keys only on the protocol column ($3) and
# does not look at the service name ($5), so this opens every RPC service
# registered on the host at rule-build time, not just NFS/mountd/lockd/
# statd. Services registered after the rules are built are not covered.
# Consider narrowing the awk match to the NFS-related service names.
%loop protocol tcp udp
for port in `rpcinfo -p | awk '$3=="%protocol%"{print $4}' | egrep -v '^111$' | sort -n | uniq` ; do
  %open_protocol_port% %src_address% %dest_address% %src_int% %dest_int% %protocol% $port
  %open_protocol_port% 127.0.0.1 127.0.0.1 %src_int% %dest_int% %protocol% $port
done
%endloop
%endmacro

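%macro service-nfs-close src_address dest_address src_int dest_int src_bcast dest_bcast
# Close all NFS connection packets through to %dest_address%.
# This method is used because NFS dynamically maps ports.
# Newer netfilter patches for the kernel are supposed to
# support RPC/NFS connection tracking, but they have not
# passed pfilter testing yet.
#
# Mirror image of service-nfs-open: every rule that macro adds is
# removed here with the same arguments, so the two stay in lockstep.
# src_bcast and dest_bcast are accepted but not used.
#
# Fixed ports: 111 (portmapper/rpcbind) and 635 (commonly configured
# for mountd; confirm against the local RPC setup), tcp and udp,
# both %src_address% -> %dest_address% and loopback -> loopback.
%loop port 111 635
%loop protocol tcp udp
%close_protocol_port% %src_address% %dest_address% %src_int% %dest_int% %protocol% %port%
%endloop
%loop protocol tcp udp
%close_protocol_port% 127.0.0.1 127.0.0.1 %src_int% %dest_int% %protocol% %port%
%endloop
%endloop
# Dynamic ports: the rpcinfo query must sit inside the protocol loop so
# the awk filter sees the expanded protocol value, exactly as in
# service-nfs-open. The previous form ran it once outside the loop and
# compared $3 against the literal text $protocol (the single quotes stop
# the shell from expanding it), so nothing ever matched, the dynamically
# mapped ports were never closed, and their open rules stayed behind.
# NOTE(review): as in service-nfs-open this matches every registered RPC
# service, not only NFS ones, and ports registered after the open rules
# were built are not closed by this either.
%loop protocol tcp udp
for port in `rpcinfo -p | awk '$3=="%protocol%"{print $4}' | egrep -v '^111$' | sort -n | uniq` ; do
  %close_protocol_port% %src_address% %dest_address% %src_int% %dest_int% %protocol% $port
  %close_protocol_port% 127.0.0.1 127.0.0.1 %src_int% %dest_int% %protocol% $port
done
%endloop
%endmacro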

% NOTE(review): the block below has no macro header but ends with an
% endmacro directive, and it references the macro parameters src_address,
% dest_address, src_int and dest_int outside any macro. It looks like an
% orphaned earlier draft of service-nfs-close: the two loopback lines
% pass five arguments where every other close_protocol_port call passes
% seven, and the awk filter compares $3 with the literal text $protocol
% (single quotes block shell expansion), so the rpcinfo loop never
% matches anything. Confirm whether pfilter still processes this block
% and either remove it or restore its header and argument lists.
for protocol in tcp udp ; do
  for port in 111 635 ; do
    %close_protocol_port% %src_address% %dest_address% %src_int% %dest_int% $protocol $port
    %close_protocol_port% 127.0.0.1 127.0.0.1 $protocol $port
  done
  for port in `rpcinfo -p | awk '$3=="$protocol"{print $4}' | egrep -v '^111$' | sort -n | uniq` ; do
    %close_protocol_port% %src_address% %dest_address% %src_int% %dest_int% $protocol $port
    %close_protocol_port% 127.0.0.1 127.0.0.1 $protocol $port
  done
done
%endmacro

