kleine Linuxdistributionen

[Gnoovy]

Hi leutz,

folgendes Problem:


ich habe einen 486er und 400 mb festplatte und möchte, sofern das ding noch funzt, linux draufmachen. ich habe gehört, dass es da kleine linuxdistributionen geben soll. ich möchte dann linux so konfigurieren, dass er als proxy-server und firewall in einer win2k-domäne läuft. bräuchte dann auch ne genaue schritt - für - schritt - anleitung, wie ich das alles konfigurieren muss, da ich bis jetzt gerade mal weiß wie man linux schreibt.


mfg
gnoovy

 

[stpe]

da würde ich Dir eine mini-distribution empfehlen.

da gibt es z.b.:
- fli4l
- mulinux
- tomsrtbt
oder small linux

empfehlen würde ich Dir fli4l - die ist in deutsch und genau für Deinen einsatzzweck gedacht. ausserdem lässt sich fli4l auch unter windows zusammenstellen.

installations-anleitungen findest Du auf den jeweiligen homepages. bei problemen versuchen wir Dir aber natürlich sofort weiterzuhelfen.

 

[Gnoovy]

hi stpe,


habe fli4l genommen, er erkennt meine netzwerkkarten, setzt aber komischerweise alle auf irq 0. er erkennt auch beide als ne2000 clone oder so, dann sagt er, dass das netzwerk unereichbar ist, liegt das eventuell in dem zusammenspiel, pci-netzwerkkarte und alter 486er infrastruktur?



mfg
gnoovy

 

[stpe]

dem fehler nach zu urteilen hast Du Dich eher bei der einrichtung der ip-konfiguration vertan.

 

[Gnoovy]

hi leutz,



also habe auf linux coyote gesetzt. war am anfang das gleiche problem. jetzt hab ich es so hinbekommen, dass er bei der netzwerkkarte, die am dsl-router hängt per dhcp die daten zieht. meine netzwerkkarte fürs local lan funzt ebenfalls ping zum linux-rechner und ping von linux-rechner geht einwandfrei. allerdings hab ich es bis jetzt noch nicht geschafft, dass die anderen rechner über ihn ins internet kommen. die ip des linux-rechners hab ich schon mal als gateway bei einem client eingetragen, funzt aber edde, was kann da getan werden?



mfg
gnoovy

 

[stpe]

Du musst auf der linux-kiste noch das routing und die firewall einrichten. wie das geht, sollte auf der homepage der distri nachzulesen sein. oder in den mitgelieferten howtos.

 

[Gnoovy]

hi leutz,


shitty kann nichts finden, kannst du mir da nicht weiterhelfen argh....




mfg
gnoovy

 

[Gnoovy]

hi leutz,



also habe es endlich geschafft. weiss zwar immer noch nicht, wie man verzeichnisse auflistet, aber schon mal wie nen proxy geht he...
nur noch eins: wie konfiguriere ich jetzt die firewall??? irgendwie mit ipchains hies es, aber blicke da überhaupt nicht durch.




mfg
gnoovy

 

[stpe]

ein howto für ipchains findest Du hier.

das thema ist ein wenig zu komplex, um hier eine kurze anleitung zu posten. man sollte auf jeden fall die arbeitsweise von ipchains verstehen, wenn man eine firewall aufsetzen möchte. vorgefertigte scripts helfen da nicht unbedingt weiter.

trotzdem ein kurzer erklärungsversuch zur arbeitsweise von ipchains:

die firewall arbeitet mit ketten, den sog. chains. davon gibt es 3 stück. INPUT, OUTPUT und FORWARD. jede kette besteht aus sog. regeln, die bestimmen, was mit einem datenpaket geschehen soll (accept, deny, reject).

kommt nun ein datenpaket von aussen an, so muss es zuerst die input-chain passieren. ist es für den lokalen rechner bestimmt, so reicht es also, das paket in der input-chain durchzulassen.

ist das paket nicht für den lokalen rechner bestimmt, reicht die input-chain es an die forward-chain weiter. hier wird noch einmal geprüft, ob das paket weitergereicht werden darf.

zum schluss muss das datenpaket noch die output-chain passieren. erst wenn es ihm auch hier erlaubt wird weiterzureisen hat es die firewall überwunden.

nachfolger von ipchains ist iptables. der groesste unterschied von iptables zu seinem vorgaenger besteht darin, dass pakete nur noch eine chain durchlaufen müssen. pakete, die für den lokalen rechner bestimmt sind, müssen durch die input-chain, pakete die von aussen kommen und den rechner passieren wollen müssen durch die forward-chain und pakete vom lokalen rechner schliesslich müssen durch die output-chain.

 

[Gnoovy]

hi leutz,



jo ok aber das iss mir irgendwie zu komplex kannst du mir nicht ein paar regeln sagen, die ich eingeben kann, damit mein rechner von äußeren angriffen geschützt ist.




mfg
gnoovy

 

[Gnoovy]

hi leutz,



achja.... ich benutze ipchains version 1.3.9 vom 17 März 1999





mfg
gnoovy

 

[stpe]

sorry - aber wie schon weiter oben gepostet - eine firewall ist nicht einfach mit zwei zeilen aufgesetzt. lies Dir das howto durch, dann kannst Du auch in kurzer zeit eine einfache, aber sichere firewall aufsetzen und vor allem: Du weisst, was Du da getan hast...

 

[Gnoovy]

hi stpe,

kann man dann wenigstens solche einstellungen standardmäßig vergeben, wie sie in fli4l in dieser base.txt steht?

habe da nochwas gefunden, was hältst du davon:

#!/bin/sh


# --------------------------------------------------------------------
# © ipchains rc.firewall for an Individual System or Home LAN from Chapter 3
#
# Chapter 3 covers the application protocols and firewall rules for the types of
# services most likely to be used on an individual, standalone Linux box. If a
# small LAN of personal, client computers were attached to an internal LAN, the
# firewall forwards and masquerades all traffic between the LAN and the
# Internet. As an example, Chapter 3 demonstrates numerous safeguards and
# logging events that aren't strictly necessary in a fully functional firewall.
# Additionally, both client and server rules are presented for services not
# everyone will use. The complete firewall script, as it would appear in
# /etc/rc.d/rc.firewall, and built upon ipchains, follows:
# --------------------------------------------------------------------


echo "Starting firewalling... "

# Some definitions for easy maintenance:

# --------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming convention
LAN_INTERFACE_1="eth1" # internal LAN interface

IPADDR="my.ip.address" # your IP address
LAN_1="192.168.1.0/24" # whatever (private) range you use
LAN_IPADDR_1="192.168.1.1" # your internal interface address

ANYWHERE="any/0" # match any IP address

DHCP_SERVER="my.dhcp.server" # if you use one
MY_ISP="my.isp.address.range" # ISP & NOC address range
NAMESERVER_1="my.name.server.1" # everyone must have at least one

SMTP_SERVER="any/0" # external mail server
SMTP_GATEWAY="my.isp.server" # external mail relay
POP_SERVER="my.pop.server" # external pop server, if any
IMAP_SERVER="my.isp.imap.server" # external imap server, if any
NEWS_SERVER="my.news.server" # external news server, if any
WEB_PROXY_SERVER="my.www.proxy" # ISP web proxy server, if any
WEB_PROXY_PORT="www.proxy.port" # ISP web proxy port, if any
# typically 8008 or 8080

LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address

PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range

TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ....................................................................
# If your IP address is dynamically assigned by a DHCP server, then
# nameservers are found in /etc/dhcpc/resolv.conf. If used, the
# example ifdhcpc-done script updates these automatically and
# appends them to /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE or
# /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info.

# If using the example ifdhcpc-done script, the following NAMESERVER
# definitions (one per server, up to 3) will be overridden correctly
# here.

# The IP address, $IPADDR, is defined by dhcp

# Otherwise, if you have a static IP address, then define both
# your static IP address and the IP address of your external name
# server(s).

if [ -f /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE ]; then
. /etc/dhcpc/hostinfo-$EXTERNAL_INTERFACE
elif [ -f /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info ]; then
. /etc/dhcpc/dhcpcd-$EXTERNAL_INTERFACE.info
elif [ -f /etc/dhcpc/pump.info ]; then
. /etc/dhcpc/pump.info
else
echo "rc.firewall: dhcp is not configured."
ipchains -F
ipchains -P input DENY
ipchains -P output DENY
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A input -i $LAN_INTERFACE_1 -j ACCEPT
ipchains -A output -i $LAN_INTERFACE_1 -j ACCEPT
exit 1
fi

# If using the example ifdhcpc-done script, any previous definitions of
# IPADDR and NAMESERVER will be overridden correctly here.

DHCP_SERVER=$DHCPSIADDR

# ....................................................................
# EDIT THESE TO MATCH THE NUMBER OF SERVERS OR CONNECTIONS
# YOU SUPPORT.

# X Windows port allocation begins at 6000 and increments
# for each additional server running from 6000 to 6063.

XWINDOW_PORTS="6000:6063" # (TCP) X windows

# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.

SSH_PORTS="1020:1023" # simultaneous connections

# --------------------------------------------------------------------

SOCKS_PORT="1080" # (TCP) socks
OPENWINDOWS_PORT="2000" # (TCP) openwindows
NFS_PORT="2049" # (TCP/UDP) NFS

# --------------------------------------------------------------------

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done


# These are now necessary for masquerading the services
#/sbin/modprobe ip_masq_ftp
#/sbin/modprobe ip_masq_raudio
#/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_vdolive
#/sbin/modprobe ip_masq_cuseeme
#/sbin/modprobe ip_masq_quake

# --------------------------------------------------------------------

# Flush any existing rules from all chains
ipchains -F

# Set the default policy to deny
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT

# Set masquerade timeout to 10 hours for TCP connections.
ipchains -M -S 36000 0 0

# Disallow Fragmented Packets
ipchains -A input -f -i $EXTERNAL_INTERFACE -j DENY

# --------------------------------------------------------------------
# LOOPBACK

# Unlimited traffic on the loopback interface
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# --------------------------------------------------------------------
# Unlimited traffic within the local network.

# All internal machines have access to the fireall machine.

ipchains -A input -i $LAN_INTERFACE_1 \
-s $LAN_1 -j ACCEPT

ipchains -A output -i $LAN_INTERFACE_1 \
-d $LAN_1 -j ACCEPT

# --------------------------------------------------------------------
# Masquerade internal traffic.

# All internal traffic is masqueraded externally.

ipchains -A forward -i $EXTERNAL_INTERFACE -s $LAN_1 -j MASQ

# --------------------------------------------------------------------
# Refuse any connections from problem sites

# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s <address/mask> -j DENY
# rules to block all access.

# Refuse packets claiming to be from the banned list
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
. /etc/rc.d/rc.firewall.blocked
fi

# --------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from
# the external interface's IP address
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l

# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l

# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l

# Refuse packets claiming to be to the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l

# block directed broadcasts:
# Network base address
# Network broadcast address
# SUBNET_BROADCAST="you.you.you.255"
# SUBNET_BASE="you.you.you.0"
# ipchains -A input -i $EXTERNAL_INTERFACE -d $SUBNET_BASE -j DENY -l
# ipchains -A input -i $EXTERNAL_INTERFACE -d $SUBNET_BROADCAST -j DENY -l

# Refuse malformed broadcast packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses
# Multicast is only illegal as a source address.
# Multicast uses UDP

# incoming blocked below
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
-j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
-j REJECT -l

# Refuse Class E reserved IP addresses
# incoming blocked below
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET \
-j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET \
-j REJECT

# Refuse addresses defined as reserved by the IANA.
# Note: The reserved addresses are allocated periodically.
# Filtering them requires checking the IANA address lists,
# preferably monthly.
# The following matches the IANA list on October 14, 2000.

# 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 36.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*
# 49-50.*.*.*, 58-60.*.*.*
# 67-127.*.*.*
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
# 197.*.*.*, 218-255.*.*.*

# 0.*.*.* - Can't be blocked for DHCP users.
# ipchains -A input -i $EXTERNAL_INTERFACE -s 0.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 36.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 49.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 50.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/6 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

# 96-126
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/3 -j DENY -l

# Link local networks
ipchains -A input -i $EXTERNAL_INTERFACE -s 169.254.0.0/16 -j DENY -l

# Test NET
ipchains -A input -i $EXTERNAL_INTERFACE -s 192.0.2.0/24 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 197.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# includes multicast, reserved and unallocated addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s 224.0.0.0/3 -j DENY -l

# --------------------------------------------------------------------
# UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.

# Open Windows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $OPENWINDOWS_PORT -j REJECT

# Open Windows incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $OPENWINDOWS_PORT -j DENY

# X Windows: establishing a remote connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $XWINDOW_PORTS -j REJECT

# X Windows: incoming connection attempt
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $XWINDOW_PORTS -j DENY -l

# SOCKS: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $SOCKS_PORT -j REJECT -l

# SOCKS incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $SOCKS_PORT -j DENY

# NFS: TCP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $NFS_PORT -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-d $ANYWHERE $NFS_PORT -j REJECT -l

# NFS: UDP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $NFS_PORT -j DENY -l

# NFS incoming request (normal UDP mode)
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-d $ANYWHERE $NFS_PORT -j REJECT -l

# --------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers
# vary by supplier. Using them is less error prone and more
# meaningful.

# --------------------------------------------------------------------
# Required Services

# DNS client modes (53)
# ---------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# TCP client to server requests are allowed by the protocol
# if UDP requests fail. This is rarely seen. Usually, clients
# use TCP as a secondary nameserver for zone transfers from
# their primary nameservers, and as hackers.

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT


# DNS server modes (53)
# ---------------------

# DNS caching & forwarding nameserver
# -----------------------------------

# server to server query or response
# Caching only name server uses UDP, not TCP

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR 53 -j ACCEPT

# DNS full nameserver
# -------------------

# client to server DNS transaction
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s <my.dns.clients> $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d <my.dns.clients> $UNPRIVPORTS -j ACCEPT

# peer-to-peer server DNS transaction
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s <my.dns.clients> 53 \
-d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d <my.dns.clients> 53 -j ACCEPT

# Zone Transfers
# due to the potential danger of zone transfers,
# only allow TCP traffic to specific secondaries.

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.dns.secondaries> $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 53 \
-d <my.dns.secondaries> $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# AUTH (113) - Allowing Your Outgoing AUTH Requests as a Client
# -------------------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 113 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 113 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# AUTH server (113)
# -----------------
# Accepting Incoming AUTH Requests

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 113 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 113 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# OR

# Rejecting Incoming AUTH Requests

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR 113 -j REJECT

# --------------------------------------------------------------------
# TCP services on selected ports

# Sending Mail through a remote SMTP gateway (25)
# -----------------------------------------------

# SMTP client to an ISP account without a local server

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $SMTP_GATEWAY 25 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $SMTP_GATEWAY 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# OR
# Sending Mail through a local SMTP server

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 25 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# Receiving Mail as a Local SMTP server (25)
# ------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 25 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 25 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# POP (110) - Retrieving Mail as a POP Client
# -------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $POP_SERVER 110 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $POP_SERVER 110 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# POP (110) - Hosting a POP Server for Remote Clients
# ---------------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.pop.clients> $UNPRIVPORTS \
-d $IPADDR 110 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 110 \
-d <my.pop.clients> $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# IMAP (143) - Retrieving Mail as an IMAP Client
# ----------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d <my.imap.server> 143 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s <my.imap.server> 143 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# IMAP (143) - Hosting an IMAP Server for Remote Clients
# ------------------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.imap.clients> $UNPRIVPORTS \
-d $IPADDR 143 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 143 \
-d <my.imap.clients> $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------

# NNTP (119) - Reading and Posting News as a Usenet Client
# --------------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NEWS_SERVER 119 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NEWS_SERVER 119 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT


# NNTP (119) - Hosting a Usenet News Server for Remote Clients
# ------------------------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.news.clients> $UNPRIVPORTS \
-d $IPADDR 119 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 119 \
-d <my.news.clients> $UNPRIVPORTS -j ACCEPT

# NNTP (119) - Allowing Peer News Feeds for a Local Usenet Server
# ---------------------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d <my.news.feed> 119 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s <my.news.feed> 119 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------

# TELNET (23) - Allowing Outgoing Client Access to Remote Sites
# -------------------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 23 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 23 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# TELNET (23) - Allowing Incoming Access to Your Local Server
# -----------------------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 23 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 23 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# SSH client (22) - Allowing Client Access to Remote SSH Servers
# --------------------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 22 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $SSH_PORTS \
-d $ANYWHERE 22 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $SSH_PORTS -j ACCEPT

# SSH (22) - Allowing Remote Client Access to Your Local SSH Server
# -----------------------------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $SSH_PORTS \
-d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $SSH_PORTS -j ACCEPT

# --------------------------------------------------------------------

# FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
# --------------------------------------------------------------------

# outgoing request

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 21 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 21 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# Normal Port Mode FTP Data Channels

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 20 -j ACCEPT

# Passive Mode FTP Data Channels

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
# ----------------------------------------------------------------

# incoming request

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 21 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 21 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# Normal Port Mode FTP Data Channel Responses

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR 20 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 20 -j ACCEPT

# Passive Mode FTP Data Channel Responses

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# HTTP (80) - Accessing Remote Web Sites as a Client
# --------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 80 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 80 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# HTTP (80) - Allowing Remote Access to a Local Web Server
# --------------------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 80 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 80 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT


# HTTPS (443) - Accessing Remote Web Sites Over SSL as a Client
# -------------------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 443 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 443 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# HTTPS (443) - Allowing Remote Access to a Local SSL Web Server
# --------------------------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 443 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 443 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# HTTP Proxy client (8008/8080)
# -----------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $WEB_PROXY_SERVER $WEB_PROXY_PORT -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $WEB_PROXY_SERVER $WEB_PROXY_PORT \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# FINGER (79) - Accessing Remote finger Servers as a Client
# ---------------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 79 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 79 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# FINGER (79) - Allowing Remote Client Access to a Local finger Server
# --------------------------------------------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s <my.finger.clients> $UNPRIVPORTS \
-d $IPADDR 79 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 79 \
-d <my.finger.clients> $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# WHOIS client (43)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 43 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 43 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------

# Gopher client (70)
# ------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 70 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 70 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------

# WAIS client (210)
# -----------------

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 210 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 210 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

# --------------------------------------------------------------------
# UDP accept only on selected ports

# TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
# -----------------------------------------------------

# Enabling Outgoing traceroute Requests
# -------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $TRACEROUTE_SRC_PORTS \
-d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

# incoming query from the ISP.
# All others are denied by default.
# ---------------------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_ISP 32769:65535 \
-d $IPADDR 33434:33523 -j ACCEPT

# --------------------------------------------------------------------

# DHCP client (67, 68)
# --------------------

# INIT or REBINDING: No lease or Lease time expired.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $BROADCAST_DEST 67 -j ACCEPT

# Getting renumbered
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 67 \
-d $BROADCAST_DEST 68 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $BROADCAST_DEST 68 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $BROADCAST_SRC 68 \
-d $DHCP_SERVER 67 -j ACCEPT

# As a result of the above, we're supposed to change our IP
# address with this message, which is addressed to our new
# address before the dhcp client has received the update.

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $MY_ISP 68 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $DHCP_SERVER 67 \
-d $IPADDR 68 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 68 \
-d $DHCP_SERVER 67 -j ACCEPT

# --------------------------------------------------------------------

# NTP (123) - Accessing Remote Network Time Servers
# -------------------------------------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d <my.time.provider> 123 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s <my.time.provider> 123 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 123 \
-d <my.time.provider> 123 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s <my.time.provider> 123 \
-d $IPADDR 123 -j ACCEPT

# --------------------------------------------------------------------
# ICMP

# (4) Source_Quench
# incoming & outgoing requests to slow down (flow control)

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 4 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 4 -d $ANYWHERE -j ACCEPT

# (12) Parameter_Problem
# incoming & outgoing error messages

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 12 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 12 -d $ANYWHERE -j ACCEPT

# (3) Dest_Unreachable, Service_Unavailable
# incoming & outgoing size negotiation, service or
# destination unavailability, final traceroute response

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 3 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 3 -d $MY_ISP -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR fragmentation-needed -d $ANYWHERE -j ACCEPT

# (11) Time_Exceeded
# incoming & outgoing time out conditions,
# also intermediate TTL response to traceroutes

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 11 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 11 -d $MY_ISP -j ACCEPT

# allow outgoing pings to anywhere

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 8 -d $ANYWHERE -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 0 -d $IPADDR -j ACCEPT

# allow incoming pings from trusted hosts

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $MY_ISP 8 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 0 -d $MY_ISP -j ACCEPT

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

# Note that these ports are blocked by default.
# The following rules merely enable logging for blocked packets.

# TCP
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l

* Useful for debugging
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -j REJECT -l


# UDP
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -j DENY -l

* Useful for debugging
ipchains -A output -i $EXTERNAL_INTERFACE -p udp -j REJECT -l


# ICMP
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l

# --------------------------------------------------------------------

echo "done"

exit 0

---------------------------------------------

könnte ich dies 1:1 in meiner firewallconfig eintragen? also mit meiner ipchainversion?


mfg
gnoovy

 

[Gnoovy]

hi leutz,


habe mir zudem noch ne diskette mit linux fli4fl gemacht. dort gibts ja schon ne bestehende firewall, die schon konfiguriert ist. ich wollte nun wissen, ob diese firewall genügt oder nicht. wenn ich zudem linux gebootet habe, kommt nach einer gewissen zeit eine befehlsfolge namens: input REJECT eth1 Proto=17 192.168.168.253:138 192.168.168.255:138 L =202
S=0x00 I=17670 F=0x0000 T=128 (#9)

Was bedeutet das? der rechner reagiert nun auch auf keine tastaturbefehle mehr. wie kann ich wieder was eingeben und wie lautet der befehl zum herunterfahren des rechers.


mfg
gnoovy

 

[stpe]

sorry - aber ich kenne auch nicht jede linux-distri auswendig. kann Die bei dieser frage leider nicht weiterhelfen. schau am besten erstmal in den faq's zu fli4l nach. vielleicht hatte auch schon jemand anderes Dein problem.

und das ipchains-listing würde ich so nicht direkt einsetzen. das ist ein bischen zu umfrangreich, um es beim ersten 'durchlesen' komplett zu durchschauen.

die devise sollte lauten: klein anfangen, und dann langsam das regelwerk erweitern - also selbermachen, statt ellenlange scripts einfach ungesehen zu übernehmen.

ganz ohne mühe geht es eben leider nicht.