===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.56
retrieving revision 2.57
diff -u -p -r2.56 -r2.57
--- scripts/shell/firewall/fw-universal.sh 2008/01/27 13:36:02 2.56
+++ scripts/shell/firewall/fw-universal.sh 2008/02/02 22:57:54 2.57
@@ -9,7 +9,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.55 2008-01-17 22:12:34 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.56 2008-01-27 13:36:02 rajo Exp $
 #
 # Changelog:
 # 2003-10-24 - created
@@ -78,6 +78,10 @@ LO_IFACE="${LO_IFACE:=lo}"
 # Hide NAT clients behind firewall
 NAT_SET_TTL="${NAT_SET_TTL:=no}"
 
+# reject config
+ALL_REJECT_INPUT_TCP="${ALL_REJECT_INPUT_TCP:=113}" # by default reject connections to AUTH server
+REJECT_WITH="${REJECT_WITH:=tcp-reset}"
+
 #
 # CONSTANTS - Do not edit
 #
@@ -625,7 +629,7 @@ reject_input()
 for port in $ALL_REJECT_INPUT_TCP; do
 for iface in $INTERFACES; do
 print_info -en " $port($iface)"
- $IPTABLES -A INPUT -i $iface -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -A INPUT -i $iface -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH
 done
 done
 print_info " done."
@@ -635,7 +639,7 @@ reject_input()
 for port in $ALL_REJECT_INPUT_UDP; do
 for iface in $INTERFACES; do
 print_info -en " $port($iface)"
- $IPTABLES -A INPUT -i $iface -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -A INPUT -i $iface -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH
 done
 done
 print_info " done."
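Review bot: `REJECT_WITH` defaults to `tcp-reset` in the `@@ -78` hunk, but the same variable is substituted into the `-p UDP` rules in the `@@ -635` and `@@ -756` hunks, and iptables accepts `--reject-with tcp-reset` only on rules that match TCP, so those UDP rules fail to load. The `$IPTABLES` calls are not error-checked, so the failure is only visible on the console and the listed UDP ports fall through to whatever the chain's policy is. Keep a protocol-specific value for UDP, e.g. `REJECT_WITH_UDP="${REJECT_WITH_UDP:=icmp-port-unreachable}"` next to `REJECT_WITH`, and use `--reject-with $REJECT_WITH_UDP` on the two UDP rules. As a style point, `$REJECT_WITH` is expanded unquoted like the rest of the script, so a value containing whitespace would be word-split into extra iptables arguments.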
@@ -739,9 +743,9 @@ allow_input()
 print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"`
 for ip in ${!IPS}; do
 if [ -z $src_ip ]; then
- $IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -A INPUT -i $iface -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH
 else
- $IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p TCP --dport $port -j REJECT --reject-with $REJECT_WITH
 fi
 done
 done
@@ -756,9 +760,9 @@ allow_input()
 print_info -en " $port"`[ ! -z $src_ip ] && echo "[$src_ip]"`
 for ip in ${!IPS}; do
 if [ -z $src_ip ]; then
- $IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -A INPUT -i $iface -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH
 else
- $IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -A INPUT -i $iface -s $src_ip -d $ip -p UDP --dport $port -j REJECT --reject-with $REJECT_WITH
 fi
 done
 done
@@ -844,10 +848,6 @@ allow_icmp()
 {
 # {{{
 print_info -en "Accepting ICMP packets:"
- # Službu AUTH není dobré filtrovat pomocí DROP, protože to může
- # vést k prodlevám při navazování některých spojení. Proto jej
- # sice zamítneme, ale vygenerujeme korektní ICMP chybovou zprávu
- $IPTABLES -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server
 
 # accept only allowed ICMP packets
 for type in $ACCEPT_ICMP_PACKETS; do
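Review bot: The `@@ -844` hunk drops the only explanation of why port 113 is rejected with a TCP RST rather than dropped (the removed Czech comment: dropping AUTH/ident probes can delay connection setup for some peers), while the replacement comment on `ALL_REJECT_INPUT_TCP` in the `@@ -78` hunk only says "by default reject connections to AUTH server". Carry the rationale over in English next to that default, e.g. `# AUTH/ident (113): reject with a RST instead of DROP, otherwise some peers stall on connection setup until their ident probe times out`. Note also that the removed rule had no `-i` and was appended from allow_icmp, whereas the new one is added per interface in `$INTERFACES` by reject_input, so interfaces not listed there and the rule's position in the INPUT chain change; that is presumably intended, but deserves a changelog line. allow_icmp's body continues past the end of the hunk.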