2003-08-23 23:26:50 +00:00
#!/bin/bash
2002-09-05 20:57:59 +00:00
#
2013-10-24 18:56:04 +00:00
# FireHOL - A firewall for humans...
2002-09-05 20:57:59 +00:00
#
2012-03-25 13:52:07 +00:00
# Copyright
2002-09-05 20:57:59 +00:00
#
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# Copyright (C) 2003-2015 Costa Tsaousis <costa@tsaousis.gr>
# Copyright (C) 2012-2015 Phil Whineray <phil@sanewall.org>
2002-09-05 20:57:59 +00:00
#
2012-03-25 13:52:07 +00:00
# License
2002-09-05 20:57:59 +00:00
#
2012-03-25 13:52:07 +00:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# See the file COPYING for details.
2002-10-27 12:47:48 +00:00
#
2013-10-24 18:56:04 +00:00
2015-03-01 02:16:16 +00:00
#set -x -v
2015-01-31 15:02:43 +00:00
if [ $(( ${BASH_VERSINFO[0]} )) -lt 4 ]
then
echo >&2
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR:"
2015-01-31 15:02:43 +00:00
echo >&2 "FireHOL requires BASH version 4 or later."
echo >&2 "You are running version: ${BASH_VERSION}"
echo >&2 "Please upgrade."
echo >&2
exit 1
fi
2013-10-24 18:56:04 +00:00
get_version() {
GIT_REF='$Format:%d,commit-%h$'
local IFS=":(), "
set -- "$GIT_REF"
ver='$Id$'
2015-02-06 20:43:23 +00:00
for i in ${@}
2013-10-24 18:56:04 +00:00
do
case "$i" in
*[0-9].[0.9]*)
echo "$i" | sed -e 's/^v//'
return 0
;;
commit-[0-9a-zA-Z]*)
ver="$i"
;;
esac
done
echo "$ver"
return 0
}
VERSION=$(get_version)
2003-10-26 21:27:31 +00:00
2012-03-25 13:52:07 +00:00
emit_version() {
${CAT_CMD} <<EOF
2013-10-24 18:56:04 +00:00
FireHOL $VERSION
2015-02-19 01:21:51 +00:00
(C) Copyright 2003-2015 Costa Tsaousis <costa@tsaousis.gr>
(C) Copyright 2012-2015 Phil Whineray <phil@firehol.org>
2012-03-25 13:52:07 +00:00
FireHOL is distributed under the GPL v2+.
Home Page: http://firehol.org
-------------------------------------------------------------------------
Get notified of new FireHOL releases by subscribing to the mailing list:
http://lists.firehol.org/mailman/listinfo/firehol-support/
-------------------------------------------------------------------------
EOF
}
2005-01-24 21:23:38 +00:00
# Make sure only root can run us.
if [ ! "${UID}" = 0 ]
then
echo >&2
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR:"
2005-01-24 21:23:38 +00:00
echo >&2 "Only user root can run FireHOL."
echo >&2
2015-01-17 15:41:52 +00:00
exit 1
2005-01-24 21:23:38 +00:00
fi
2003-10-26 21:27:31 +00:00
# Remember who you are.
2015-01-30 22:45:56 +00:00
PROGRAM_FILE="${0}"
2015-01-06 17:53:45 +00:00
declare -a FIREHOL_ORIGINAL_ARGS=("${@}")
2004-10-28 23:03:06 +00:00
FIREHOL_DEFAULT_WORKING_DIRECTORY="${PWD}"
2003-01-06 00:41:10 +00:00
2015-01-17 15:41:52 +00:00
# Make sure we don't get localized results
export LC_ALL=C
2013-09-25 23:50:30 +00:00
2015-02-15 19:20:59 +00:00
RUNNING_ON_TERMINAL=0
2015-02-07 15:28:43 +00:00
if [ "z$1" = "z-nc" ]
then
shift
else
2015-02-19 01:21:51 +00:00
test -t 2 && RUNNING_ON_TERMINAL=1
if [ -t 2 -a $[$(tput colors 2>/dev/null)] -ge 8 ]
2015-02-07 15:28:43 +00:00
then
2015-02-15 19:20:59 +00:00
# Enable colors
2015-02-07 15:28:43 +00:00
COLOR_RESET="\e[0m"
COLOR_BLACK="\e[30m"
COLOR_RED="\e[31m"
COLOR_GREEN="\e[32m"
COLOR_YELLOW="\e[33m"
COLOR_BLUE="\e[34m"
COLOR_PURPLE="\e[35m"
COLOR_CYAN="\e[36m"
COLOR_WHITE="\e[37m"
COLOR_BGBLACK="\e[40m"
COLOR_BGRED="\e[41m"
COLOR_BGGREEN="\e[42m"
COLOR_BGYELLOW="\e[43m"
COLOR_BGBLUE="\e[44m"
COLOR_BGPURPLE="\e[45m"
COLOR_BGCYAN="\e[46m"
COLOR_BGWHITE="\e[47m"
COLOR_BOLD="\e[1m"
COLOR_DIM="\e[2m"
COLOR_UNDERLINED="\e[4m"
COLOR_BLINK="\e[5m"
COLOR_INVERTED="\e[7m"
fi
fi
2015-01-22 22:34:22 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# BITMASKED MARKS
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
declare -A MARKS_BITS=()
declare -A MARKS_MASKS=()
declare -A MARKS_MAX=()
declare -A MARKS_SHIFT=()
2015-01-25 15:59:28 +00:00
declare -A MARKS_SAVERESTORE=()
declare -A MARKS_STATEFUL=()
MARKS_SAVERESTORE_STATEFUL_MASK="0x00000000"
MARKS_SAVERESTORE_STATELESS_MASK="0x00000000"
2015-01-22 22:34:22 +00:00
MARKS_TOTAL_BITS=0
# taken from http://stackoverflow.com/questions/109023/how-to-count-the-number-of-set-bits-in-a-32-bit-integer
# and http://books.google.gr/books?id=iBNKMspIlqEC&pg=PA66&redir_esc=y#v=onepage&q&f=false
# counts the number of bits set in a number
numberofbits() {
local x="${1}"
2015-01-30 22:45:56 +00:00
x=$[ x - ( (x >> 1) & 0x55555555) ]
x=$[ (x & 0x33333333) + ( (x >> 2) & 0x33333333) ]
x=$[ (x + (x >> 4) ) & 0x0F0F0F0F ]
x=$[ x + (x >> 8) ]
2015-02-27 22:31:32 +00:00
x=$[ x + (x >> 16) ]
2015-01-30 22:45:56 +00:00
bits=$[ x & 0x0000003F ]
2015-01-22 22:34:22 +00:00
echo $bits
}
# taken from http://www.skorks.com/2010/10/write-a-function-to-determine-if-a-number-is-a-power-of-2/
# checks if a number is power of 2
ispoweroftwo() {
local num="${1}"
test ! $num = 0 -a $[num & (num - 1)] = 0 && return 0
return 1
}
2015-01-25 15:59:28 +00:00
marksreset() { markdef clear; }
2015-01-22 22:34:22 +00:00
markdef() {
2015-01-25 15:59:28 +00:00
if [ "$1" = "reset" -o "$1" = "clear" ]
then
MARKS_BITS=()
MARKS_MASKS=()
MARKS_MAX=()
MARKS_SHIFT=()
MARKS_SAVERESTORE=()
MARKS_STATEFUL=()
MARKS_SAVERESTORE_STATEFUL_MASK="0x00000000"
MARKS_SAVERESTORE_STATELESS_MASK="0x00000000"
MARKS_TOTAL_BITS=0
return 0
fi
local saverestore=1
local stateful=1
2015-01-30 22:45:56 +00:00
local mask=
local name="${1}"
local max="${2}"
shift 2
2015-01-22 22:34:22 +00:00
2015-01-25 15:59:28 +00:00
while [ ! -z "${1}" ]
do
case "${1}" in
2015-02-01 18:39:26 +00:00
default)
saverestore=1
stateful=1
;;
classic)
saverestore=0
stateful=0
;;
2015-01-25 15:59:28 +00:00
save|restore|permanent)
2015-01-30 22:45:56 +00:00
saverestore=1
2015-01-25 15:59:28 +00:00
;;
nosave|norestore|temp|temporary)
2015-01-30 22:45:56 +00:00
saverestore=0
2015-01-25 15:59:28 +00:00
;;
stateless)
2015-01-30 22:45:56 +00:00
stateful=0
2015-01-25 15:59:28 +00:00
;;
stateful)
2015-01-30 22:45:56 +00:00
stateful=1
2015-01-25 15:59:28 +00:00
;;
*)
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR in ${FUNCNAME}: Unknown keyword '${1}'."
2015-01-25 15:59:28 +00:00
exit 1
;;
esac
shift
done
2015-01-22 22:42:30 +00:00
if [ ! -z "${MARKS_MASKS[$name]}" ]
then
2015-02-27 22:31:32 +00:00
echo >&2 "ERROR in ${FUNCNAME}: Mark type '${name}' already exists with mask ${MARKS_MASKS[$name]}. Please use 'markdef reset' to reset them before re-defining them."
2015-01-22 22:42:30 +00:00
exit 1
fi
2015-01-22 22:34:22 +00:00
if [ "${max}" = "rest" ]
then
2015-01-30 22:45:56 +00:00
max=$[ 1 << (32 - MARKS_TOTAL_BITS) ]
2015-01-22 22:34:22 +00:00
fi
if ! ispoweroftwo $max
then
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR in ${FUNCNAME}: Max value $max of mark '$name' is not a power of 2."
2015-01-22 22:34:22 +00:00
exit 1
fi
# it will be from 0 to max - 1
max=$[ max - 1 ]
if [ $max -lt 1 -o $max -gt $[ 0xffffffff ] ]
then
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR in ${FUNCNAME}: Max value $max of mark '$name' is out of bounds."
2015-01-22 22:34:22 +00:00
exit 1
fi
bits=$(numberofbits $max)
if [ $bits -eq 0 ]
then
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR in ${FUNCNAME}: INTERNAL ERROR: Cannot figure out the bits set of value $max."
2015-01-22 22:34:22 +00:00
exit 1
fi
if [ $[ bits + MARKS_TOTAL_BITS ] -gt 32 ]
then
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR in ${FUNCNAME}: Too many masks were requested. Cannot proceed. Please use fewer."
2015-01-22 22:34:22 +00:00
exit 1
fi
# find its mask
# we have all the bits we need set in $mark
# just shift it to the right position.
2015-01-30 22:45:56 +00:00
mask=$[ max << MARKS_TOTAL_BITS ]
2015-01-22 22:34:22 +00:00
MARKS_SHIFT[$name]=${MARKS_TOTAL_BITS}
MARKS_MAX[$name]=$max
MARKS_BITS[$name]=$bits
MARKS_MASKS[$name]=$(printf "0x%08x" $mask)
2015-01-25 15:59:28 +00:00
MARKS_STATEFUL[$name]=$stateful
MARKS_SAVERESTORE[$name]=$saverestore
if [ $saverestore -eq 1 ]
then
if [ $stateful -eq 1 ]
then
MARKS_SAVERESTORE_STATEFUL_MASK=$(printf "0x%08x" $[MARKS_SAVERESTORE_STATEFUL_MASK | mask])
else
MARKS_SAVERESTORE_STATELESS_MASK=$(printf "0x%08x" $[MARKS_SAVERESTORE_STATELESS_MASK | mask])
fi
fi
2015-01-22 22:34:22 +00:00
MARKS_TOTAL_BITS=$[ MARKS_TOTAL_BITS + bits ]
}
2015-01-06 17:53:45 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# GLOBAL DEFAULTS
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
# --- BEGIN OF FIREHOL DEFAULTS ---
# These are the defaults for FireHOL.
# You can set everything system-wide here, or set any or all
# of these to your firewall config file.
# The options set in the firewall config file have the highest
# priority (will overwrite these one).
# FireHOL config directory.
# EVEN IF YOU CHANGE THIS, THE firehol-defaults.conf FILE
# SHOULD STILL EXIST IN /etc/firehol
FIREHOL_CONFIG_DIR="/etc/firehol"
# FireHOL services directory.
# FireHOL will look into this directory for service
# definition files (*.conf).
# Package maintainers may install their service definitions
# in this directory.
# Default: /etc/firehol/services
FIREHOL_SERVICES_DIR="${FIREHOL_CONFIG_DIR}/services"
# Where to permanently save state information?
# Default: /var/spool/firehol
FIREHOL_SPOOL_DIR="/var/spool/firehol"
# Where temporary files should go?
# /var/run is usualy a ram drive, so we prefer to use
# this for temporary files.
# Default: /var/run/firehol
FIREHOL_RUN_DIR="/var/run/firehol"
2015-02-11 23:42:38 +00:00
# show a spinner during processing that shows
# number of iptables statements generated
FIREHOL_ENABLE_SPINNER=${FIREHOL_ENABLE_SPINNER-0}
2015-01-06 17:53:45 +00:00
# Restore instead of Start when possible.
# If set to 1, FireHOL will actually do a 'restore' when a
# 'start' is requested.
# If enabled and the config files have not changed since
# the last successful activation, the last successfuly
# activated firewall will be restored.
# THIS OPTION SHOULD NOT BE ENABLED IF THE FIREWALL CONFIG
# IS USING DYNAMIC DETECTION OF SERVER PORTS OR OTHER DATA
# THAT MAY INFLUENCE THE GENERATED RULES.
# At the other hand, if the firewall is always static
# this option provides fast startup of the firewall.
# Default: 0
FIREHOL_RESTORE_INSTEAD_OF_START="0"
# Enable IPv4 firewall
# Default: 1
ENABLE_IPV4="1"
# Enable IPv6 firewall
# Default: 1
ENABLE_IPV6="1"
# Syslog facility to use when logging FireHOL events.
# This is only used by FireHOL, not the iptables packet
# logging mechanism.
# Default: daemon
FIREHOL_SYSLOG_FACILITY="daemon"
# FireHOL can wait for an interface to come up.
# Set the interface name to wait for, here.
# Default: check the environment variable, if any
WAIT_FOR_IFACE="${WAIT_FOR_IFACE}"
# External program to call on 'start' (successfull or
# failed), 'stop' and 'panic'
# It will be run like this:
# "${FIREHOL_NOTIFICATION_PROGRAM}" "${FIREHOL_CONFIG}" "${result}" "${restored}" "${work_error}" "${work_runtime_error}"
# where
# FIREHOL_CONFIG is the filename of the config
# result is either empty, OK or FAILED
# restored is either NO, OK or FAILED
# work_error is the count of pre-processing errors encountered
# work_runtime_error is the count of post-processing errors encountered
# Default: check the environment variable, if any
FIREHOL_NOTIFICATION_PROGRAM="${FIREHOL_NOTIFICATION_PROGRAM}"
# ----------------------------------------------------------------------
# RUNTIME CONTROL VARIABLES
# These do not affect the final firewall output. They just control how
# FireHOL behaves.
# They can also be set as environment variables of the same name.
# If set to 1, FireHOL will attempt to activate the firewall with
# iptables-restore. This is a lot faster firewall activation.
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# The only drawback of this, is that in case of error, FireHOL may be unable to
# identify the exact statement in the firewall config that caused the error.
2015-01-06 17:53:45 +00:00
# Default: 1
FIREHOL_FAST_ACTIVATION="${FIREHOL_FAST_ACTIVATION-1}"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# Only when FIREHOL_FAST_ACTIVATION=1, this value is the time in seconds, to
# wait for just an ENTER before trying the new firewall.
2015-01-31 00:53:34 +00:00
FIREHOL_WAIT_USER_BEFORE_TRY=600
2015-01-06 17:53:45 +00:00
# If set to 0, firehol will not try to load the required kernel modules
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# Generally, FireHOL is able to detect if a module is compiled in the kernel,
# even if this is set to 1.
2015-01-06 17:53:45 +00:00
# Default: 1
FIREHOL_LOAD_KERNEL_MODULES="${FIREHOL_LOAD_KERNEL_MODULES-1}"
# Firewall Policy during firewall activation
# Default: ACCEPT
# Possible values: ACCEPT, REJECT, DROP
FIREHOL_INPUT_ACTIVATION_POLICY="${FIREHOL_INPUT_ACTIVATION_POLICY-ACCEPT}"
FIREHOL_OUTPUT_ACTIVATION_POLICY="${FIREHOL_OUTPUT_ACTIVATION_POLICY-ACCEPT}"
FIREHOL_FORWARD_ACTIVATION_POLICY="${FIREHOL_FORWARD_ACTIVATION_POLICY-ACCEPT}"
# Do we allow pre-existing connections to continue during activation?
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# If this is set to 0 and FIREHOL_FAST_ACTIVATION is also set to 0, then every
# time the firewall is activated, existing connections will be disrupted.
2015-01-06 17:53:45 +00:00
# Default: 1
FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT="${FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT-1}"
# If you want to restore the firewall using the iptables init script of
# your distribution, set here the paths where it expects the rules.
# These settings are only saved when 'save' is requested at the command line.
# Default: unset for automatic detection.
FIREHOL_AUTOSAVE=
FIREHOL_AUTOSAVE6=
# Ready to use values for various distributions:
#
# Gentoo
# Check: /etc/conf.d/iptables and ip6tables
#FIREHOL_AUTOSAVE="/var/lib/iptables/rules-save"
#FIREHOL_AUTOSAVE6="/var/lib/ip6tables/rules-save"
#
# Arch
# Check: /usr/lib/systemd/system/iptables.service and ip6tables.service
#FIREHOL_AUTOSAVE=/etc/iptables/iptables.rules
#FIREHOL_AUTOSAVE6=/etc/iptables/ip6tables.rules
# ----------------------------------------------------------------------
# FIREWALL CONFIGURATION VARIABLES
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# These affect the final firewall output.
2015-01-06 17:53:45 +00:00
# They can also be set in the firewall config file.
2015-02-15 18:30:34 +00:00
# This controls how 'optimal' or 'accurate' the iptables statements
# generated will be.
# 'optimal' generates a production state firewall optimized for speed.
# It makes FireHOL accept all packets of ESTABLISHED connections at the
# beginning of the firewall, thus practically eliminating the need for
# filtering ESTABLISHED traffic. Packet filtering is only done for NEW
# sockets.
# 'accurate' generates a firewall that precisely matches all packets in both
# directions: client->server and server->client
# This setting affects logging, accounting and stateless rules.
# When it is set to 'optimal', logginng will only log the first packet of NEW
# sockets, accounting will only account the first packet of NEW sockets and
# stateless rules are disabled.
# When it is set to 'accurate', logging and accounting will be done for all
# packets and stateless rules are enabled.
# Default: accurate
# Possible Values: optimal accurate
FIREHOL_RULESET_MODE="accurate"
# Should we drop all INVALID packets always?
# INVALID packets as seen by the connection tracker.
# Check also the next section (SYSTEM CONFIGURATION) for related options.
2015-02-19 01:21:51 +00:00
# It can be enabled per interface using 'protection invalid'.
# This will be enabled if you use the synproxy helper.
2015-02-15 18:30:34 +00:00
# Default: 1
FIREHOL_DROP_INVALID=1
2015-02-19 01:21:51 +00:00
# When FIREHOL_DROP_INVALID=1 shall we also log the droped packets?
# Default: 1
FIREHOL_LOG_DROP_INVALID=1
2015-02-15 18:30:34 +00:00
# If set to 1, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
# In modern kernels, the connection tracker detects closed sockets
# and removes them from memory before receiving the FIN,ACK from the remote
# party. This makes FireHOL log these packets when they will be received.
# To silently drop these packets, enable this option.
# Default: 1
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=1
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# If enabled FireHOL will create a chain per server/client statement and jump
# to it from the main flow. Normaly this jump is only required for clarity.
2015-02-15 09:20:22 +00:00
# So it is advised to leave this setting to 0, for a more efficient firewall.
2015-02-13 00:43:38 +00:00
# Default: 0
FIREHOL_CHAIN_PER_SERVICE=0
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# If enabled, FireHOL will use the multiport matches of iptables, when
# possible. Note that multiport matches in iptables do not support matching
# both source and destination ports on the same statement, with different
# ports for source and destination.
# So, FireHOL will only use it if sport or dport in set to 'any' (or not at
# all) or when sport and dport are the exactly the same ports.
# Default: 1
FIREHOL_SUPPORT_MULTIPORT=1
# There are matches that are more "expensive" than others. When enabled,
# FireHOL will use branching (create a new chain and jump to it) in order to
# avoid executing expensive matches more than once per statement.
# Expensive matches are: limit, connlimit, ipset (not when used in src/dst),
# helpers (for RELATED matches).
# Default: 1
FIREHOL_PROTECTED_MATCHES=1
2015-02-15 10:55:11 +00:00
# How to configure conntrack helper assignement?
#
# 'kernel' = the kernel will attempt to match RELATED sockets for all
# conntrack helpers and all traffic matching its predefined rules.
# This is considered a security threat and should be avoided.
# Check: https://home.regit.org/netfilter-en/secure-use-of-helpers/
#
# 'firehol' = FireHOL will generate rules in the 'raw' table, using the -j CT
# target of iptables to match the flows of the statements
# the conntrack helpers are used.
2015-02-16 01:29:21 +00:00
# CAUTION: FireHOL generated statements are not NAT aware.
2015-02-15 10:55:11 +00:00
# You should only use this, if you don't NAT traffic that have to
# be seen by conntrack helpers to detect RELATED ports.
#
# 'manual' = You configure conntrack helper assignement manually using
# the 'cthelper' firehol helper.
# In this case, neither the kernel nor FireHOL will do anything
# about conntrack helpers assignement.
#
# Default: kernel
FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT="kernel"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-02-19 01:21:51 +00:00
# SYNPROXY options
# The options to pass to -j SYNPROXY
# Default: --sack-perm --timestamp --wscale 7 --mss 1460
FIREHOL_SYNPROXY_OPTIONS="--sack-perm --timestamp --wscale 7 --mss 1460"
# Shall the SYNPROXY FireHOL helper log the packets as they pass during
# the various phases?
2015-02-19 23:37:52 +00:00
# Default: 0
FIREHOL_SYNPROXY_LOG=0
2015-02-19 01:21:51 +00:00
2015-02-23 07:34:05 +00:00
# When enabled, synproxy will exclude for the SYNPROXY->SERVER match
# all the packets that have an UID or a GID (ownmer matches).
# When enabled, dst is not required for synproxy and synproxy can
# be used on dynamic IPs (it requires an 'src not; though).
# Default: 0
FIREHOL_SYNPROXY_EXCLUDE_OWNER=0
2015-02-19 01:21:51 +00:00
# Trust loopback?
# loose = Trust device lo unconditionally
# strict = Trust only IPs 127.0.0.0/8 and ::1 on device lo
# Default: loose
FIREHOL_TRUST_LOOPBACK="loose"
2015-02-15 18:30:34 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# If set to non-empty, FireHOL will apply a global reverse filtering on all
# traffic. If you use connection tracker helpers, you should enable this.
# Check: https://home.regit.org/netfilter-en/secure-use-of-helpers/
# Default: <empty>
# Possible Values: <check: iptables -m rpfilter --help>
FIREHOL_GLOBAL_RPFILTER=
# The default policy for the interfaces of the firewall. This can be
# controlled on a per interface basis using the policy interface subcommand.
2015-01-06 17:53:45 +00:00
# Default: DROP
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# Possible Values: DROP REJECT RETURN or custom action
2015-01-06 17:53:45 +00:00
DEFAULT_INTERFACE_POLICY="DROP"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# The default policy for the router commands of the firewall. This can be
# controlled on a per interface basis using the policy interface subscommand.
2015-01-06 17:53:45 +00:00
# Default: RETURN
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# Possible Values: DROP REJECT RETURN or custom action
2015-01-06 17:53:45 +00:00
DEFAULT_ROUTER_POLICY="RETURN"
# At the end of the firewall, there may be packets not matched
# anywhere. What to do with them?
# Default: DROP
# Possible Values: DROP REJECT
UNMATCHED_INPUT_POLICY="DROP"
UNMATCHED_OUTPUT_POLICY="DROP"
UNMATCHED_ROUTER_POLICY="DROP"
# The client ports to be used for "default" client ports when the
# client specified is a foreign host.
# Note that FireHOL will ask the kernel for default client ports of
# the local host. This setting only applies to client ports of remote hosts.
# Default: 1024:65535
DEFAULT_CLIENT_PORTS="1024:65535"
2015-02-15 18:30:34 +00:00
# ----------------------------------------------------------------------
# SYSTEM CONFIGURATION
# Set this to 1 have firehol load NAT kernel modules
# It will be enabled automatically if nat commands are given in the firewall.
# Default: 0
FIREHOL_NAT="${FIREHOL_NAT-0}"
# Set this to 1 to enable routing of packets in the kernel
# It will be enabled automatically if routers are defined in the firewall.
# Default: 0
FIREHOL_ROUTING="${FIREHOL_ROUTING-0}"
# Make connection tracker use strick categorization of TCP packets.
# When set to zero the packets that do not seem right will be marked as INVALID
# instead of NEW. It will also improve ACK flood protection.
# This sets net.netfilter.nf_conntrack_tcp_loose=0
# The system default is 1, the firehol default is 0.
2015-02-19 01:21:51 +00:00
# Default: <unset to not set it>
FIREHOL_CONNTRACK_LOOSE_MATCHING=
2015-02-15 18:30:34 +00:00
# How many connection tracking sockets are supported?
# The system default is 65536.
# On busy servers you may need to increase this.
# Keep in mind that each socket in the connection tracker takes 288 bytes.
2015-02-19 01:21:51 +00:00
# Default: <unset to not set it>
FIREHOL_CONNTRACK_MAX=
2015-02-15 18:30:34 +00:00
# How many hash entries should the connection tracker have?
# The system default is 16384.
# On busy servers you may need to increase this. Keep in mind that each hash
# entry takes 8 bytes, but somehow this is related to your CPU L3 cache size.
2015-02-19 01:21:51 +00:00
# Default: <unset to not set it>
FIREHOL_CONNTRACK_HASHSIZE=
2015-02-15 18:30:34 +00:00
# required for synproxy
# This will be automatically set to 1 if you use the synproxy helper.
# This sets net.ipv4.tcp_syncookies=1
2015-02-19 01:21:51 +00:00
# Default: <unset to not set it>
FIREHOL_TCP_SYN_COOKIES=
2015-02-15 18:30:34 +00:00
# required for synproxy
# This will be automatically set to 1 if you use the synproxy helper.
# This sets net.ipv4.tcp_timestamps=1
2015-02-19 01:21:51 +00:00
# Default: <unset to not set it>
FIREHOL_TCP_TIMESTAMPS=
2015-01-06 17:53:45 +00:00
2015-01-22 22:34:22 +00:00
# ----------------------------------------------------------------------
# IPTABLES MARKS BITMASKING
# FireHOL allows multiple independent MARKs.
# By default FireHOL requires 'connmark' and 'usermark'.
2015-01-25 15:59:28 +00:00
# Mark types may be defined with this template:
#
# markdef NAME VALUES [stateful|stateless] [permanent|temporary]
#
# NAME = a name for this mark type
# connmark and usermark should always be defined.
#
# VALUES = max number of marks to support (0 to VALUES - 1)
# VALUES must be a power of two.
#
# stateful = all statements that assign this mark should
# only apply it on NEW packets.
#
# stateless = all statements that assign this mark type should
# only apply it only to traffic matched by the
# optional rule parameters given.
#
# temporary = do not save/restore to/from connection marks.
# This means RESPONSES to the matched packets
# will not get the mark.
#
# permanent = save/restore to/from connection marks
# This means that RESPONSES will get the mark.
#
# NOTES ABOUT markdef OPTIONS
#
2015-02-01 18:39:26 +00:00
# default is : stateful permanent or default
2015-01-25 15:59:28 +00:00
# in this mode, only NEW packets of connections need
# to be marked. ESTABLISHED and RELATED packets
# will automatically get the same mark too.
# So, in FireHOL mark helpers (connmark, mark, custommark)
# you will only need to match a REQUEST packet and
# automatically all the packets of the connection will
# get the mark.
#
# - stateful temporary
# In this mode, only NEW packets will be marked for each
# connection. ESTABLISHED and RELATED packets will NOT
# get the mark.
#
# - stateless permanent
# In this mode, whatever the helper statement matches
# will get the mark. This mark will also be applied to
# all the packets that are encountered after the marked
# packet and are part of the same socket.
#
2015-02-01 18:39:26 +00:00
# - stateless temporary or classic
2015-01-25 15:59:28 +00:00
# In this mode, only whatever the helper statement matches
# will get the mark. Nothing else.
#
# clear the internal marks - do not remove this line
markdef clear
2015-01-22 22:34:22 +00:00
# connmarks are used by the connmark helper
markdef connmark 64
# usermark are used by the mark helper
markdef usermark 128
2015-01-25 15:59:28 +00:00
# Custom mark example:
#
2015-01-22 22:34:22 +00:00
# markdef qosmark 8
2015-01-25 15:59:28 +00:00
#
# To use it use 'custommark' helper and optional rule parameter.
# The first argument to both should the mark name (qosmark in this case)
2015-01-22 22:34:22 +00:00
2015-01-06 17:53:45 +00:00
# ----------------------------------------------------------------------
# IPTABLES PACKETS LOGGING
# LOG mode for iptables
# Default: LOG
# Possible Values: LOG, ULOG, NFLOG
# LOG = syslog
# We recommend to install ulogd and use NFLOG.
FIREHOL_LOG_MODE="LOG"
# Accepts anything iptables accepts for each mode.
# Check: iptables -j LOG --help
# iptables -j ULOG --help
# iptables -j NFLOG --help
# Default: empty
FIREHOL_LOG_OPTIONS=""
# FireHOL can prefix each log with a keyword.
# Default: empty
FIREHOL_LOG_PREFIX=""
2015-02-03 19:17:50 +00:00
FIREHOL_LOG_ESCAPE="\""
2015-01-06 17:53:45 +00:00
# Used only for FIREHOL_LOG_MODE="LOG"
# The syslog level to be used when logging packets.
FIREHOL_LOG_LEVEL="warning"
# For loglimit, these are the frequency and the burst
# of logging. They are applied per logging rule, not across
# the firewall.
FIREHOL_LOG_FREQUENCY="1/second"
FIREHOL_LOG_BURST="5"
2015-02-01 04:09:17 +00:00
# ----------------------------------------------------------------------
2015-02-01 20:51:13 +00:00
# IPSET OPTIONS
2015-04-24 17:39:09 +00:00
# if set to zero, ipset restore does not support
# FLUSH SWAP DESTROY in which case they be executed during postprocess
IPSET_RESTORE_SUPPORTS_FLUSH_SWAP_DESTROY=1
2015-02-12 15:46:22 +00:00
# options that are appended to -m ipset matches when the ipset
# is used instead of src and dst IPs.
# The default is to prevent updating ipset counters
# Default: ! --update-counters ! --update-subcounters
IPSET_SRC_DST_OPTIONS="! --update-counters ! --update-subcounters"
2015-02-01 20:51:13 +00:00
# A recent ipset command uses these:
2015-02-01 22:16:33 +00:00
IPSET_CREATE_OPTION="create"
2015-02-03 22:33:17 +00:00
IPSET_DESTROY_OPTION="destroy"
2015-02-01 22:16:33 +00:00
IPSET_FLUSH_OPTION="flush"
2015-02-27 22:31:32 +00:00
IPSET_ADD_OPTION="add"
IPSET_DELETE_OPTION="del"
2015-02-03 22:33:17 +00:00
IPSET_SWAP_OPTION="swap"
2015-02-01 22:16:33 +00:00
IPSET_SAVE_OPTION="save"
2015-02-27 22:31:32 +00:00
IPSET_RESTORE_OPTION="-! restore"
2015-02-01 22:16:33 +00:00
IPSET_CREATE_IPV6_OPTION="family inet6"
IPSET_LIST_NAMES_EVAL="list -n"
2015-02-01 20:51:13 +00:00
2015-02-07 10:18:13 +00:00
# The default options to be passed to ipset
# when the iptrap helper creates the ipset
2015-02-09 21:18:49 +00:00
IPTRAP_DEFAULT_IPSET_TIMEOUT_OPTIONS="timeout 3600"
IPTRAP_DEFAULT_IPSET_COUNTERS_OPTIONS="timeout 3600 counters"
2015-02-07 10:18:13 +00:00
2015-04-24 17:55:04 +00:00
# ----------------------------------------------------------------------
# OLDER VERSIONS OF IPSET
# IPSET_RESTORE_SUPPORTS_FLUSH_SWAP_DESTROY=0
2015-02-07 10:18:13 +00:00
# older versions do not support the 'counters' option
# even older versions do not support the 'timeout' option
2015-02-09 21:18:49 +00:00
#IPTRAP_DEFAULT_IPSET_TIMEOUT_OPTIONS="timeout 3600"
#IPTRAP_DEFAULT_IPSET_COUNTERS_OPTIONS="" # not supported
2015-02-07 10:18:13 +00:00
2015-02-01 20:51:13 +00:00
# older versions use these
2015-04-24 17:39:09 +00:00
#IPSET_SRC_DST_OPTIONS=
2015-02-01 22:16:33 +00:00
#IPSET_CREATE_OPTION="-N"
2015-02-03 22:33:17 +00:00
#IPSET_DESTROY_OPTION="-X"
2015-02-01 22:16:33 +00:00
#IPSET_FLUSH_OPTION="-F"
#IPSET_ADD_OPTION="-A"
2015-02-03 22:33:17 +00:00
#IPSET_DELETE_OPTION="-D"
#IPSET_SAVE_OPTION="-S"
#IPSET_SWAP_OPTION="-W"
2015-04-24 17:55:04 +00:00
#IPSET_RESTORE_OPTION="-R"
2015-02-01 22:16:33 +00:00
#IPSET_CREATE_IPV6_OPTION="" # No ipv6 support
2015-02-03 22:33:17 +00:00
#IPSET_LIST_NAMES_EVAL="-L | grep Name: | cut -d: -f 2"
2015-01-06 17:53:45 +00:00
# ----------------------------------------------------------------------
# DEFAULT IP SETS
# FireHOL will overwite these settings with the contents of the files with
# the same names in ${FIREHOL_CONFIG_DIR}.
#
# For example, RESERVED_IPV4 will be set from /etc/firehol/RESERVED_IPV4
# IANA reserved address space that should never appear
RESERVED_IPV4="0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 "
RESERVED_IPV6="::/8 0100::/8 0200::/7 0400::/6 0800::/5 1000::/4 4000::/3 6000::/3 8000::/3 A000::/3 C000::/3 E000::/4 F000::/5 F800::/6 FE00::/9 FEC0::/10"
# Private IPv4 address space
# 10.0.0.0/8 => RFC 1918: IANA Private Use
# 169.254.0.0/16 => Link Local
# 192.0.2.0/24 => Test Net
# 192.88.99.0/24 => RFC 3068: 6to4 anycast & RFC 2544: Benchmarking addresses
# 192.168.0.0/16 => RFC 1918: Private use
PRIVATE_IPV4="10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16"
# Private IPv6 address space
# FC00::/7 => Unique Local Unicast
# FE80::/10 => Link Local Unicast
PRIVATE_IPV6="FC00::/7 FE80::/10"
# The multicast address space
MULTICAST_IPV4="224.0.0.0/4"
MULTICAST_IPV6="FF00::/16"
# --- END OF FIREHOL DEFAULTS ---
2015-02-15 19:20:59 +00:00
# disable the spinner when we don't run on a terminal
test ${RUNNING_ON_TERMINAL} -eq 0 && FIREHOL_ENABLE_SPINNER=0
2015-01-30 22:45:56 +00:00
# load the defaults if they exist
2015-01-06 17:53:45 +00:00
if [ -f "${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" ]
then
source "${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" || exit 1
fi
2015-01-30 22:45:56 +00:00
# default config file
2015-01-06 17:53:45 +00:00
FIREHOL_CONFIG="${FIREHOL_CONFIG_DIR}/firehol.conf"
# Concurrent run control
FIREHOL_LOCK_FILE="${FIREHOL_RUN_DIR}/firehol.lck"
2015-01-30 22:45:56 +00:00
# make sure the defaults include a connmark
2015-01-22 22:34:22 +00:00
if [ -z "${MARKS_MASKS[connmark]}" ]
then
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR: File ${FIREHOL_CONFIG_DIR}/marks.conf does not define a 'connmark' definition."
2015-01-22 22:34:22 +00:00
exit 1
fi
2015-01-30 22:45:56 +00:00
# make sure the defaults include a usermark
2015-01-22 22:34:22 +00:00
if [ -z "${MARKS_MASKS[usermark]}" ]
then
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR: File ${FIREHOL_CONFIG_DIR}/marks.conf does not define a 'usermark' definition."
2015-01-22 22:34:22 +00:00
exit 1
fi
# save the information for the other tools
2015-01-25 15:59:28 +00:00
declare -p MARKS_BITS MARKS_MASKS MARKS_MAX MARKS_SHIFT MARKS_STATEFUL MARKS_SAVERESTORE MARKS_SAVERESTORE_STATEFUL_MASK MARKS_SAVERESTORE_STATELESS_MASK >"${FIREHOL_SPOOL_DIR}/marks.conf"
2015-01-22 22:34:22 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# make sure we have a valid FIREHOL_RULESET_MODE
if [ ! "${FIREHOL_RULESET_MODE}" = "optimal" -a ! "${FIREHOL_RULESET_MODE}" = "accurate" ]
then
echo >&2 "ERROR: FIREHOL_RULESET_MODE can either be 'optimal' or 'accurate' but you set it as '${FIREHOL_RULESET_MODE}'."
exit 1
fi
2015-01-06 17:53:45 +00:00
2003-10-26 21:27:31 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# EXTERNAL/SYSTEM COMMANDS MANAGEMENT
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
2005-01-24 21:23:38 +00:00
export PATH="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin"
2003-04-08 00:12:02 +00:00
# External commands FireHOL will need.
# If one of those is not found, FireHOL will refuse to run.
2003-05-22 19:39:53 +00:00
which_cmd() {
2015-01-30 22:45:56 +00:00
local cmd= block=1
2004-05-05 23:41:19 +00:00
if [ "a${1}" = "a-n" ]
then
2015-01-30 22:45:56 +00:00
block=0
2004-05-05 23:41:19 +00:00
shift
fi
2004-03-03 23:18:43 +00:00
unalias $2 >/dev/null 2>&1
2015-01-30 22:45:56 +00:00
cmd=`which $2 2>/dev/null | head -n 1`
2003-05-22 19:39:53 +00:00
if [ $? -gt 0 -o ! -x "${cmd}" ]
then
2004-05-05 23:41:19 +00:00
if [ ${block} -eq 1 ]
then
echo >&2
echo >&2 "ERROR: Command '$2' not found in the system path."
echo >&2 " FireHOL requires this command for its operation."
echo >&2 " Please install the required package and retry."
echo >&2
2005-01-24 21:23:38 +00:00
echo >&2 " Note that you need an operational 'which' command"
echo >&2 " for FireHOL to find all the external programs it"
echo >&2 " needs. Check it yourself. Run:"
echo >&2
echo >&2 " which $2"
2004-05-05 23:41:19 +00:00
exit 1
fi
2004-10-28 23:03:06 +00:00
return 1
2003-05-22 19:39:53 +00:00
fi
2004-03-03 23:18:43 +00:00
eval $1=${cmd}
2004-10-28 23:03:06 +00:00
return 0
2003-05-22 19:39:53 +00:00
}
2005-02-17 23:45:02 +00:00
# command on demand support.
2005-02-07 20:56:09 +00:00
require_cmd() {
2015-01-30 22:45:56 +00:00
local var= val= block=1
2005-02-17 23:45:02 +00:00
if [ "a$1" = "a-n" ]
then
2015-01-30 22:45:56 +00:00
block=0
2005-02-17 23:45:02 +00:00
shift
fi
# if one is found, return success
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
for x in "${@}"
2005-02-07 20:56:09 +00:00
do
2013-11-23 08:48:37 +00:00
eval var=`echo ${x} | tr 'a-z-' 'A-Z_'`_CMD
2005-02-07 20:56:09 +00:00
eval val=\$\{${var}\}
if [ -z "${val}" ]
then
which_cmd -n "${var}" "${x}"
test $? -eq 0 && return 0
fi
done
2005-02-17 23:45:02 +00:00
if [ $block -eq 1 ]
then
echo >&2
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
echo >&2 "ERROR: FIREHOL REQUIRES THESE COMMANDS:"
2005-02-17 23:45:02 +00:00
echo >&2
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
echo >&2 " ${@}"
2005-02-17 23:45:02 +00:00
echo >&2
echo >&2 " You have requested the use of an optional FireHOL"
echo >&2 " feature that requires certain external programs"
echo >&2 " to be installed in the running system."
echo >&2
echo >&2 " Please consult your Linux distribution manual to"
echo >&2 " install the package(s) that provide these external"
echo >&2 " programs and retry."
echo >&2
echo >&2 " Note that you need an operational 'which' command"
echo >&2 " for FireHOL to find all the external programs it"
echo >&2 " needs. Check it yourself. Run:"
echo >&2
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
for x in "${@}"
2005-02-17 23:45:02 +00:00
do
echo >&2 " which $x"
done
exit 1
fi
2005-02-07 20:56:09 +00:00
return 1
}
2005-02-17 23:45:02 +00:00
# Currently the following commands are required only when needed.
# (i.e. Command on Demand)
#
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
# zcat or gzcat or gzip (either or none is fine)
# less or more (either or none is fine)
2005-02-17 23:45:02 +00:00
# ip
2012-05-17 20:00:07 +00:00
# ss
2005-02-17 23:45:02 +00:00
# date
# hostname
2010-05-23 17:12:41 +00:00
# modprobe or insmod
# gawk or awk
# nice (none is fine)
2005-02-17 23:45:02 +00:00
# Commands that are mandatory for FireHOL operation:
2004-03-03 23:18:43 +00:00
which_cmd CAT_CMD cat
which_cmd CUT_CMD cut
which_cmd CHOWN_CMD chown
which_cmd CHMOD_CMD chmod
2007-05-05 23:38:31 +00:00
which_cmd EGREP_CMD egrep
2004-10-28 23:03:06 +00:00
which_cmd EXPR_CMD expr
2007-05-05 23:38:31 +00:00
which_cmd FIND_CMD find
2007-07-30 22:52:48 +00:00
which_cmd FOLD_CMD fold
2004-03-03 23:18:43 +00:00
which_cmd GREP_CMD grep
2004-10-28 23:03:06 +00:00
which_cmd HEAD_CMD head
2014-03-12 22:20:00 +00:00
which_cmd TAIL_CMD tail
2004-03-03 23:18:43 +00:00
which_cmd LSMOD_CMD lsmod
which_cmd MKDIR_CMD mkdir
2014-10-04 09:32:15 +00:00
which_cmd MKTEMP_CMD mktemp
2004-03-03 23:18:43 +00:00
which_cmd MV_CMD mv
which_cmd RM_CMD rm
which_cmd SED_CMD sed
which_cmd SORT_CMD sort
which_cmd SYSCTL_CMD sysctl
which_cmd TOUCH_CMD touch
which_cmd TR_CMD tr
which_cmd UNAME_CMD uname
which_cmd UNIQ_CMD uniq
2009-02-26 02:13:54 +00:00
which_cmd LOGGER_CMD logger
2013-11-01 13:39:17 +00:00
which_cmd FLOCK_CMD flock
2003-04-08 00:12:02 +00:00
2015-01-03 05:45:19 +00:00
ENABLE_ACCOUNTING=1
2015-01-04 00:24:42 +00:00
ACCOUNTING_WARNING=0
2015-01-03 05:45:19 +00:00
require_cmd -n nfacct
if [ -z "${NFACCT_CMD}" ]
then
2015-01-04 00:24:42 +00:00
# silently disable accounting here,
# the user will get a warning when the first
# accounting rule is evaluated
2015-01-03 05:45:19 +00:00
ENABLE_ACCOUNTING=0
2015-01-04 00:24:42 +00:00
ACCOUNTING_WARNING=1
2015-01-03 05:45:19 +00:00
fi
2015-02-01 22:16:33 +00:00
ENABLE_IPSET=1
IPSET_WARNING=0
require_cmd -n ipset
if [ -z "${IPSET_CMD}" ]
then
# silently disable accounting here,
# the user will get a warning when the first
# accounting rule is evaluated
ENABLE_IPSET=0
IPSET_WARNING=1
fi
2015-01-06 17:53:45 +00:00
if [ ${ENABLE_IPV4} -eq 1 ]
then
require_cmd -n iptables
require_cmd -n iptables-save
require_cmd -n iptables-restore
if [ -z "${IPTABLES_CMD}" ]
then
echo >&2 " WARNING: no iptables command: IPv4 disabled"
ENABLE_IPV4=0
elif [ -z "${IPTABLES_SAVE_CMD}" ]
then
echo >&2 " WARNING: no iptables-save command: IPv4 disabled"
ENABLE_IPV4=0
elif [ -z "${IPTABLES_RESTORE_CMD}" ]
then
echo >&2 " WARNING: no iptables-restore command: IPv4 disabled"
ENABLE_IPV4=0
fi
2013-11-23 08:48:37 +00:00
fi
2015-01-06 17:53:45 +00:00
if [ ${ENABLE_IPV6} -eq 1 ]
then
require_cmd -n ip6tables
require_cmd -n ip6tables-save
require_cmd -n ip6tables-restore
if [ ! -f /proc/net/if_inet6 ]
then
# IPv6 not in use on this system, silently ignore
ENABLE_IPV6=0
elif [ -z "${IP6TABLES_CMD}" ]
then
echo >&2 " WARNING: no ip6tables command: IPv6 disabled"
ENABLE_IPV6=0
elif [ -z "${IP6TABLES_SAVE_CMD}" ]
then
echo >&2 " WARNING: no ip6tables-save command: IPv6 disabled"
ENABLE_IPV6=0
elif [ -z "${IP6TABLES_RESTORE_CMD}" ]
then
echo >&2 " WARNING: no ip6tables-restore command: IPv6 disabled"
ENABLE_IPV6=0
fi
2013-11-23 08:48:37 +00:00
fi
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
# Special commands
pager_cmd() {
if [ -z "${LESS_CMD}" ]
then
require_cmd -n less more
test -z "${LESS_CMD}" && LESS_CMD="${MORE_CMD}"
test -z "${LESS_CMD}" && LESS_CMD="${CAT_CMD}"
fi
"${LESS_CMD}" "${@}"
}
zcat_cmd() {
require_cmd -n zcat gzcat gzip
test -z "${ZCAT_CMD}" && ZCAT_CMD="${GZCAT_CMD}"
if [ ! -z "${ZCAT_CMD}" ]
then
"${ZCAT_CMD}" "${@}"
return $?
elif [ ! -z "${GZIP_CMD}" ]
then
"${CAT_CMD}" "${@}" | "${GZIP_CMD}" -dc
return $?
fi
echo >&2 " "
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING:"
echo >&2 " --------"
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
echo >&2 " FireHOL cannot find any of the commands: zcat, gzcat, gzip."
echo >&2 " Make sure you have one of these available in the system path."
echo >&2 " "
return 1
}
2010-05-23 17:12:41 +00:00
gawk_cmd() {
require_cmd -n gawk awk
test -z "${GAWK_CMD}" && GAWK_CMD="${AWK_CMD}"
if [ ! -z "${GAWK_CMD}" ]
then
"${GAWK_CMD}" "${@}"
return $?
fi
echo >&2 " "
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING:"
echo >&2 " --------"
2010-05-23 17:12:41 +00:00
echo >&2 " FireHOL cannot find any of the commands: gawk, awk."
echo >&2 " Make sure you have one of these available in the system path."
echo >&2 " "
return 1
}
2013-09-25 23:50:30 +00:00
2010-05-23 17:12:41 +00:00
modprobe_cmd() {
require_cmd -n modprobe insmod
test -z "${MODPROBE_CMD}" && MODPROBE_CMD="${INSMOD_CMD}"
if [ ! -z "${MODPROBE_CMD}" ]
then
2015-01-03 05:45:19 +00:00
save_for_restore none "${MODPROBE_CMD}" "${@}"
2010-05-23 17:12:41 +00:00
"${MODPROBE_CMD}" "${@}"
status=$?
if [ $status -eq 17 ]
then
# insmod: module already loaded - not a problem
return 0
else
return $status
fi
fi
echo >&2 " "
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING:"
echo >&2 " --------"
2010-05-23 17:12:41 +00:00
echo >&2 " FireHOL cannot find any of the commands: modprobe, insmod."
echo >&2 " Make sure you have one of these available in the system path."
echo >&2 " "
return 1
}
renice_cmd() {
if [ -z "${RENICE_CMD}" ]
then
require_cmd -n renice
test -z "${RENICE_CMD}" && RENICE_CMD=":"
fi
"${RENICE_CMD}" "${@}"
}
2013-09-25 23:50:30 +00:00
2010-04-06 22:23:16 +00:00
firehol_concurrent_run_lock() {
2013-11-01 13:39:17 +00:00
exec 200>"${FIREHOL_LOCK_FILE}"
if [ $? -ne 0 ]; then exit; fi
${FLOCK_CMD} -n 200
if [ $? -ne 0 ]
2010-04-06 22:23:16 +00:00
then
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR: FireHOL is already running. Exiting..."
2013-11-01 13:39:17 +00:00
exit 1
2010-04-06 22:23:16 +00:00
fi
return 0
}
2005-01-24 21:23:38 +00:00
# Make sure our generated files cannot be accessed by anyone else.
umask 077
# Be nice on production environments
2010-05-23 17:12:41 +00:00
renice_cmd 10 $$ >/dev/null 2>/dev/null
2003-04-08 00:12:02 +00:00
2004-05-15 10:19:01 +00:00
# Initialize iptables
2015-01-06 17:53:45 +00:00
if [ $ENABLE_IPV4 -eq 1 ]
2013-11-23 08:48:37 +00:00
then
2015-01-06 17:53:45 +00:00
${IPTABLES_CMD} -nxvL >/dev/null 2>&1
if [ $? -ne 0 ]
then
echo >&2 " WARNING: error initializing iptables: IPv4 disabled"
ENABLE_IPV4=0
fi
2013-11-23 08:48:37 +00:00
fi
2014-10-18 07:15:47 +00:00
if [ $ENABLE_IPV6 -eq 1 ]
2013-11-23 08:48:37 +00:00
then
2014-10-18 07:15:47 +00:00
${IP6TABLES_CMD} -nxvL >/dev/null 2>&1
if [ $? -ne 0 ]
then
echo >&2 " WARNING: error initializing ip6tables: IPv6 disabled"
ENABLE_IPV6=0
fi
2013-11-23 08:48:37 +00:00
fi
if [ $ENABLE_IPV4 -eq 0 -a $ENABLE_IPV6 -eq 0 ]
then
echo >&2 " ERROR: Neither IPv4 nor IPv6 is available - exiting"
exit 1
fi
2004-05-15 10:19:01 +00:00
2003-01-06 00:41:10 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
2015-01-06 17:53:45 +00:00
# GLOBAL PREPARATIONS
2003-01-06 00:41:10 +00:00
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2002-09-05 20:57:59 +00:00
# ------------------------------------------------------------------------------
2002-09-08 12:05:10 +00:00
2005-01-24 21:23:38 +00:00
# ----------------------------------------------------------------------
# Directories and files
2015-01-06 17:53:45 +00:00
if [ ! -d "${FIREHOL_RUN_DIR}" ]
then
${MKDIR_CMD} -p "${FIREHOL_RUN_DIR}" || exit 1
"${CHOWN_CMD}" root:root "${FIREHOL_RUN_DIR}" || exit 1
"${CHMOD_CMD}" 700 "${FIREHOL_RUN_DIR}" || exit 1
fi
if [ ! -d "${FIREHOL_SPOOL_DIR}" ]
then
${MKDIR_CMD} -p "${FIREHOL_SPOOL_DIR}" || exit 1
"${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}" || exit 1
"${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}" || exit 1
fi
2012-07-28 20:25:55 +00:00
# Create an empty temporary directory we need for this run.
2015-01-06 17:53:45 +00:00
if ! FIREHOL_DIR="`${MKTEMP_CMD} -d "${FIREHOL_RUN_DIR}/firehol-XXXXXXXXXX"`"
2012-07-28 20:25:55 +00:00
then
2015-01-06 17:53:45 +00:00
echo >&2
echo >&2
2015-02-01 22:39:33 +00:00
echo >&2 "ERROR: Cannot create temporary directory in ${FIREHOL_RUN_DIR}. Make sure you have a working mktemp."
2015-01-06 17:53:45 +00:00
echo >&2
exit 1
2012-07-28 20:25:55 +00:00
fi
2015-01-03 05:45:19 +00:00
#FIREHOL_CHAINS_DIR="${FIREHOL_DIR}/chains"
2005-01-24 21:23:38 +00:00
FIREHOL_OUTPUT="${FIREHOL_DIR}/firehol-out.sh"
FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
2013-11-03 10:32:23 +00:00
FIREHOL_SAVED6="${FIREHOL_DIR}/firehol-save6.sh"
2005-01-24 21:23:38 +00:00
# ------------------------------------------------------------------------------
# Make sure we automatically cleanup when we exit.
# WHY:
# Even a CTRL-C will call this and we will not leave temp files.
# Also, if a configuration file breaks, we will detect this too.
2013-03-23 10:06:42 +00:00
FIREHOL_CLEAN_TMP=1
2009-02-26 02:13:54 +00:00
FIREHOL_ACTIVATED_SUCCESSFULLY=0
syslog() {
local p="$1"; shift
2015-01-24 16:44:15 +00:00
"${LOGGER_CMD}" -p ${FIREHOL_SYSLOG_FACILITY}.$p -t "FireHOL[$$]" -- "${@}"
2009-02-26 02:13:54 +00:00
return 0
}
2005-01-24 21:23:38 +00:00
2015-02-02 20:54:11 +00:00
declare -a FIREHOL_PROGRESS_MESSAGES=()
progress() {
2015-02-07 15:28:43 +00:00
printf >&2 "${COLOR_GREEN}FireHOL:${COLOR_RESET} ${*}... "
2015-02-02 20:54:11 +00:00
FIREHOL_PROGRESS_MESSAGES=("${*}" "${FIREHOL_PROGRESS_MESSAGES[@]}")
syslog info "${*} started"
}
success() {
if [ ! -z "${1}" ]
then
2015-02-07 15:28:43 +00:00
echo >&2 -e "${COLOR_RESET}${COLOR_BGGREEN}${COLOR_BLACK}${COLOR_BOLD} OK ${COLOR_RESET} (${*})"
2015-02-02 20:54:11 +00:00
syslog info "${FIREHOL_PROGRESS_MESSAGES[0]} succeeded with message: ${*}"
else
2015-02-07 15:28:43 +00:00
echo >&2 -e "${COLOR_RESET}${COLOR_BGGREEN}${COLOR_BLACK}${COLOR_BOLD} OK ${COLOR_RESET}"
2015-02-02 20:54:11 +00:00
syslog info "${FIREHOL_PROGRESS_MESSAGES[0]} succeeded"
fi
unset FIREHOL_PROGRESS_MESSAGES[0]
FIREHOL_PROGRESS_MESSAGES=("${FIREHOL_PROGRESS_MESSAGES[@]}")
}
failure() {
if [ ! -z "${1}" ]
then
2015-02-07 15:28:43 +00:00
echo >&2 -e "${COLOR_RESET}${COLOR_BGRED}${COLOR_WHITE}${COLOR_BOLD}${COLOR_BLINK} FAILED ${COLOR_RESET} (${*})"
2015-02-02 20:54:11 +00:00
syslog err "${FIREHOL_PROGRESS_MESSAGES[0]} failed with message: ${*}"
else
2015-02-07 15:28:43 +00:00
echo >&2 -e "${COLOR_RESET}${COLOR_BGRED}${COLOR_WHITE}${COLOR_BOLD}${COLOR_BLINK} FAILED ${COLOR_RESET}"
2015-02-02 20:54:11 +00:00
syslog err "${FIREHOL_PROGRESS_MESSAGES[0]} failed"
fi
unset FIREHOL_PROGRESS_MESSAGES[0]
FIREHOL_PROGRESS_MESSAGES=("${FIREHOL_PROGRESS_MESSAGES[@]}")
}
2005-01-24 21:23:38 +00:00
firehol_exit() {
2009-02-26 02:13:54 +00:00
local restored="NO"
2015-01-17 15:41:52 +00:00
if [ \( -f "${FIREHOL_SAVED}" -o -f "${FIREHOL_SAVED6}" \) -a "${FIREHOL_MODE}" = "START" ]
2005-01-24 21:23:38 +00:00
then
2015-02-01 22:39:33 +00:00
echo >&2
2015-02-02 20:54:11 +00:00
progress "Restoring old firewall"
2014-02-22 11:52:56 +00:00
local status4=0
local status6=0
if [ $ENABLE_IPV4 -eq 1 ]
then
${IPTABLES_RESTORE_CMD} <"${FIREHOL_SAVED}"
status4=$?
fi
if [ $ENABLE_IPV6 -eq 1 ]
then
${IP6TABLES_RESTORE_CMD} <"${FIREHOL_SAVED6}"
status6=$?
fi
2013-11-03 10:32:23 +00:00
if [ $status4 -eq 0 -a $status6 -eq 0 ]
2005-01-24 21:23:38 +00:00
then
2015-01-30 22:45:56 +00:00
restored="OK"
2015-02-02 20:54:11 +00:00
success # "Restoring old firewall"
2005-01-24 21:23:38 +00:00
else
2015-01-30 22:45:56 +00:00
restored="FAILED"
2015-02-02 20:54:11 +00:00
failure # "Restoring old firewall"
2005-01-24 21:23:38 +00:00
fi
fi
2009-02-26 02:13:54 +00:00
# remove the temporary directory created for this session
2013-03-23 10:06:42 +00:00
if [ ${FIREHOL_ACTIVATED_SUCCESSFULLY} -eq 0 -a ${FIREHOL_CLEAN_TMP} -eq 0 ]
then
2015-02-01 22:39:33 +00:00
echo >&2 "FireHOL: temporary files left in ${FIREHOL_DIR}"
2013-03-23 10:06:42 +00:00
else
test -d "${FIREHOL_DIR}" && ${RM_CMD} -rf "${FIREHOL_DIR}"
fi
2009-02-26 02:13:54 +00:00
# syslog
local result=
local notify=0
case "${FIREHOL_MODE}" in
START) if [ ${FIREHOL_ACTIVATED_SUCCESSFULLY} -eq 0 ]
then
syslog emerg "FAILED to activate the firewall from ${FIREHOL_CONFIG}. Last good firewall restoration: ${restored}."
2015-01-30 22:45:56 +00:00
result="FAILED"
2009-02-26 02:13:54 +00:00
else
syslog info "Successfully activated new firewall from ${FIREHOL_CONFIG}."
2015-01-30 22:45:56 +00:00
result="OK"
2009-02-26 02:13:54 +00:00
fi
2015-01-30 22:45:56 +00:00
notify=1
2009-02-26 02:13:54 +00:00
;;
STOP) syslog emerg "Firewall has been stopped. Policy is ACCEPT EVERYTHING!"
2015-01-30 22:45:56 +00:00
notify=1
2009-02-26 02:13:54 +00:00
;;
PANIC) syslog emerg "PANIC! Machine has been locked. Policy is DROP EVERYTHING!"
2015-01-30 22:45:56 +00:00
notify=1
2009-02-26 02:13:54 +00:00
;;
*) # do nothing for the rest
2015-01-30 22:45:56 +00:00
notify=0
2009-02-26 02:13:54 +00:00
;;
esac
# do we have to run a program?
if [ ${notify} -eq 1 ]
then
if [ ! -z "${FIREHOL_NOTIFICATION_PROGRAM}" -a -x "${FIREHOL_NOTIFICATION_PROGRAM}" ]
then
# we just fork it, so that it will not depend on terminal conditions
"${FIREHOL_NOTIFICATION_PROGRAM}" "${FIREHOL_CONFIG}" "${result}" "${restored}" "${work_error}" "${work_runtime_error}" >/dev/null 2>&1 </dev/null &
fi
fi
2015-02-04 22:05:13 +00:00
# remove any temporary ipsets that may have been left behind
ipset_remove_all_tmp_sets
2015-01-17 16:26:35 +00:00
enable trap
2015-01-17 15:41:52 +00:00
enable exit
2015-01-17 16:26:35 +00:00
trap exit EXIT
2015-01-17 15:41:52 +00:00
if [ ${FIREHOL_ACTIVATED_SUCCESSFULLY} -eq 0 ]
then
exit 1
fi
exit 0
2005-01-24 21:23:38 +00:00
}
# Run our exit even if we don't call exit.
trap firehol_exit EXIT
2005-03-01 19:52:56 +00:00
trap firehol_exit SIGHUP
2015-01-17 15:41:52 +00:00
trap firehol_exit INT
2005-01-24 21:23:38 +00:00
2015-01-30 22:45:56 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# LIBRARY OF COMMON FUNCTIONS
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
# file management for BASH
file() {
local cmd="$1"
shift
case "${cmd}" in
open)
local fd="$1" filename="$2" mode="$3"
case "$mode" in
r) # read
eval "exec $fd<\"$filename\""
return $?
;;
rw) # read-write
eval "exec $fd<>\"$filename\""
return $?
;;
w) # write
eval "exec $fd>\"$filename\""
return $?
;;
*)
echo >&2 "${FUNCNAME}(): unknown mode '$mode'."
return 1
;;
esac
;;
close)
local fd="$1"
eval "exec $fd>&-"
return $?
;;
dup2)
local fd1="$1" fd2="$2"
eval "exec $fd2>&$fd1"
return $?
;;
*)
echo >&2 "${FUNCNAME}: unknown command '${cmd}'"
return 1
esac
return 1
}
# Given a mark-type and a list of marks, this function
# calculates the bitmasked equivalent values
mark_value() {
local x= name="${1}"; shift
if [ -z "${name}" ]
then
error "Cannot find the value of mark with name '${name}'."
return 1
fi
if [ -z "${1}" ]
then
error "Empty mark value given for mark ${name}."
return 1
fi
if [ -z "${MARKS_MASKS[$name]}" ]
then
error "Mark $name does not exist."
return 1
fi
for x in ${@//,/ }
do
x=$[ x + 1 - 1 ]
if [ $x -gt ${MARKS_MAX[$name]} -o $x -lt 0 ]
then
error "Cannot get mark $name of value $x. Mark $name is configured to get values from 0 to ${MARKS_MAX[$name]}. Change firehol-defaults.conf to add more."
return 1
fi
printf "0x%08x/${MARKS_MASKS[$name]}\n" "$[ x << ${MARKS_SHIFT[$name]} ]"
done
return 0
}
# Find in the BASH execution stack, the line and the source file that has called us.
# Before first use the variable PROGRAM_FILE should be set to the file to be excluded.
# It also sets the variable LAST_CONFIG_LINE on each run.
2015-02-02 20:54:11 +00:00
declare -A PROGRAM_CONFIG_FILES=()
2015-01-30 22:45:56 +00:00
config_line() {
if [ ! -z "${FORCE_CONFIG_LINEID}" ]
then
LAST_CONFIG_LINE="${FORCE_CONFIG_LINEID}"
else
# find the config line in the BASH stack
# start from 2
# 0 is this line
# 1 is the caller - our line for sure
# 2 is the caller's caller - possibly a config file line
2015-02-02 20:54:11 +00:00
local i= all=${#BASH_SOURCE} cfg=
2015-01-30 22:45:56 +00:00
for (( i = 2; i < $all; i++ ))
do
[ ! "${BASH_SOURCE[$i]}" = "${PROGRAM_FILE}" ] && break
done
2015-02-02 20:54:11 +00:00
cfg="${BASH_SOURCE[$i]}"
if [ ! "${cfg}" = "${PROGRAM_CONFIG}" -a -z "${PROGRAM_CONFIG_FILES[$cfg]}" ]
then
syslog info "Processing configuration file '${cfg}'..."
PROGRAM_CONFIG_FILES[$cfg]=1
fi
LAST_CONFIG_LINE="${BASH_LINENO[$[i-1]]}@${cfg}: ${FUNCNAME[$[i-1]]}:"
2015-01-30 22:45:56 +00:00
fi
test ! "z$1" = "z-ne" && echo "${LAST_CONFIG_LINE}"
}
2005-01-24 21:23:38 +00:00
# ------------------------------------------------------------------------------
# Create the directories we need.
2007-07-20 21:16:59 +00:00
if [ ! -d "${FIREHOL_CONFIG_DIR}" ]
2005-01-24 21:23:38 +00:00
then
"${MKDIR_CMD}" "${FIREHOL_CONFIG_DIR}" || exit 1
"${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}" || exit 1
"${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}" || exit 1
2007-07-20 21:16:59 +00:00
if [ -f /etc/firehol.conf ]
then
"${MV_CMD}" /etc/firehol.conf "${FIREHOL_CONFIG}" || exit 1
echo >&2
echo >&2
echo >&2 "NOTICE: Your config file /etc/firehol.conf has been moved to ${FIREHOL_CONFIG}"
echo >&2
sleep 5
fi
2005-01-24 21:23:38 +00:00
fi
2015-01-06 17:53:45 +00:00
# Externally defined services can be placed in "${FIREHOL_SERVICES_DIR}"
if [ ! -d "${FIREHOL_SERVICES_DIR}" ]
2005-01-24 21:23:38 +00:00
then
2015-01-06 17:53:45 +00:00
"${MKDIR_CMD}" -p "${FIREHOL_SERVICES_DIR}"
2005-01-24 21:23:38 +00:00
if [ $? -ne 0 ]
then
echo >&2
echo >&2
2015-01-06 17:53:45 +00:00
echo >&2 "FireHOL needs to create the directory '${FIREHOL_SERVICES_DIR}', but it cannot."
2005-01-24 21:23:38 +00:00
echo >&2 "Possibly you have a file with this name, or something else is happening."
echo >&2 "Please solve this issue and retry".
echo >&2
exit 1
fi
2015-01-06 17:53:45 +00:00
"${CHOWN_CMD}" root:root "${FIREHOL_SERVICES_DIR}"
"${CHMOD_CMD}" 700 "${FIREHOL_SERVICES_DIR}"
2005-01-24 21:23:38 +00:00
fi
2015-01-03 05:45:19 +00:00
#"${MKDIR_CMD}" "${FIREHOL_CHAINS_DIR}" || exit 1
2014-10-04 09:41:15 +00:00
"${MKDIR_CMD}" "${FIREHOL_DIR}/fast" || exit 1
"${MKDIR_CMD}" "${FIREHOL_DIR}/fast/tables" || exit 1
"${MKDIR_CMD}" "${FIREHOL_DIR}/fast/table6s" || exit 1
2005-01-24 21:23:38 +00:00
2007-07-20 21:16:59 +00:00
# prepare the file that will hold all modules to be loaded.
# this is needed only when we are going to save the firewall
# with iptables-save.
2015-01-30 22:45:56 +00:00
file open 20 "${FIREHOL_DIR}/firewall_restore_commands.sh" w || exit 1
2015-02-15 18:44:20 +00:00
cat >&20 <<'EOFMTL'
2007-07-20 21:16:59 +00:00
#!/bin/sh
2014-12-30 18:42:58 +00:00
# Generated by FireHOL to execute additional actions
# to restore the generated firewall.
#
2007-07-20 21:16:59 +00:00
2015-02-15 18:44:20 +00:00
# a function to help us save a value to a file
postprocess_echo_to() { echo "${1}" >"${2}"; }
2007-07-20 21:16:59 +00:00
EOFMTL
2015-01-30 22:45:56 +00:00
# prepare the file that will hold the generated iptables commands
# when FAST_ACTIVATION is zero
file open 21 "${FIREHOL_OUTPUT}" w || exit 1
2005-01-24 21:23:38 +00:00
2015-02-15 18:44:20 +00:00
# we need this for sourcing our output file
postprocess_echo_to() { echo "${1}" >"${2}"; }
2004-05-05 23:41:19 +00:00
# Make sure we have a directory for our data.
if [ ! -d "${FIREHOL_SPOOL_DIR}" ]
then
2007-07-20 21:16:59 +00:00
"${MKDIR_CMD}" "${FIREHOL_SPOOL_DIR}" || exit 1
"${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}" || exit 1
"${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}" || exit 1
2004-05-05 23:41:19 +00:00
fi
2015-01-30 22:45:56 +00:00
# Generate firehol-defaults.conf file
if [ ! -f "${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" ]
then
"${EGREP_CMD}" "^# --- BEGIN OF FIREHOL DEFAULTS ---" -A 1000 "${PROGRAM_FILE}" |\
"${EGREP_CMD}" "^# --- END OF FIREHOL DEFAULTS ---" -B 1000 >"${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" || exit 1
"${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" || exit 1
"${CHMOD_CMD}" 600 "${FIREHOL_CONFIG_DIR}/firehol-defaults.conf" || exit 1
fi
2007-05-05 23:38:31 +00:00
load_ips() {
local v="${1}" # the variable
2013-11-24 11:09:46 +00:00
local f="${2}" # the old file-name
local d="${3}" # the default value
local dt="${4}" # days old
local m="${5}" # additional info for file generation
local c="${6}" # if set, complain if file is missing
# We load from a file with the variable name if found but will use
# the old file name for compatibility
if [ "${f}" != ${v} \
-a -f "${FIREHOL_CONFIG_DIR}/${f}" \
-a -f "${FIREHOL_CONFIG_DIR}/${v}" ]
then
echo >&2 "WARNING "
echo >&2 "Found ${f} and ${v} in '${FIREHOL_CONFIG_DIR}'"
echo >&2 "Using ${v}"
f=${v}
elif [ -f "${FIREHOL_CONFIG_DIR}/${v}" ]
then
f=${v}
else
: # Using the 'old' name
fi
if [ ! -f "${FIREHOL_CONFIG_DIR}/${f}" ]
2007-05-05 23:38:31 +00:00
then
if [ ! -z "${c}" ]
then
echo >&2
echo >&2
echo >&2 "WARNING "
echo >&2 "Cannot find file '${FIREHOL_CONFIG_DIR}/${v}'."
echo >&2 "Using internal default values for variable '${v}' and all inherited ones."
echo >&2
if [ ! -z "${m}" ]
then
echo >&2 "${m}"
echo >&2
fi
fi
eval "export ${v}=\"${d}\""
return 0
fi
if [ ${dt} -gt 0 ]
then
2013-11-24 11:09:46 +00:00
local t=`${FIND_CMD} "${FIREHOL_CONFIG_DIR}/${f}" -mtime +${dt}`
2007-05-05 23:38:31 +00:00
if [ ! -z "${t}" ]
then
echo >&2
echo >&2
echo >&2 "WARNING"
2013-11-24 11:09:46 +00:00
echo >&2 "File '${FIREHOL_CONFIG_DIR}/${f}' is more than ${dt} days old."
2007-05-05 23:38:31 +00:00
echo >&2 "You should update it to ensure proper operation of your firewall."
echo >&2
if [ ! -z "${m}" ]
then
echo >&2 "${m}"
echo >&2
fi
fi
fi
2013-11-24 11:09:46 +00:00
local t=`${CAT_CMD} "${FIREHOL_CONFIG_DIR}/${f}" | ${EGREP_CMD} "^ *[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+ *$"`
2007-05-05 23:38:31 +00:00
local t2=
local i=0
for x in ${t}
do
i=$[i + 1]
t2="${t2} ${x}"
done
2013-11-24 11:09:46 +00:00
local t6=`${CAT_CMD} "${FIREHOL_CONFIG_DIR}/${f}" | ${EGREP_CMD} "^ *((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\d|[01]?\d{1,2})(\.(25[0-5]|2[0-4]\d|[01]?\d{1,2})){3})))(%.+)?/[0-9]+ *$"`
2013-10-15 21:59:25 +00:00
for x in ${t6}
do
i=$[i + 1]
t2="${t2} ${x}"
done
2007-05-05 23:38:31 +00:00
if [ ${i} -eq 0 -o -z "${t2}" ]
then
echo >&2
echo >&2
echo >&2 "WARNING "
2013-11-24 11:09:46 +00:00
echo >&2 "The file '${FIREHOL_CONFIG_DIR}/${f}' contains zero IP definitions."
2007-05-05 23:38:31 +00:00
echo >&2 "Using internal default values for variable '${v}' and all inherited ones."
echo >&2
if [ ! -z "${m}" ]
then
echo >&2 "${m}"
echo >&2
fi
eval "export ${v}=\"${d}\""
return 0
fi
eval "export ${v}=\"${t2}\""
return 0
}
2004-05-05 23:41:19 +00:00
2005-01-24 21:23:38 +00:00
# ------------------------------------------------------------------------------
# IP definitions
2013-11-16 09:40:08 +00:00
# IANA Reserved IPv4 address space.
2013-11-24 11:09:46 +00:00
load_ips RESERVED_IPV4 RESERVED_IPS "${RESERVED_IPV4}" 0
load_ips RESERVED_IPV6 RESERVED_IPV6 "${RESERVED_IPV6}" 0
2013-11-16 09:40:08 +00:00
# Make the original name a context-dependent function
RESERVED_IPS="reserved_ips()"
reserved_ips() {
if running_both; then
error "Cannot be called in 'both' mode"
return 1
fi
if running_ipv6; then
echo "${RESERVED_IPV6}"
else
echo "${RESERVED_IPV4}"
fi
return 0
}
2015-01-06 17:53:45 +00:00
# private IP address space
2013-11-24 11:09:46 +00:00
load_ips PRIVATE_IPV4 PRIVATE_IPS "${PRIVATE_IPV4}" 0
load_ips PRIVATE_IPV6 PRIVATE_IPV6 "${PRIVATE_IPV6}" 0
2013-11-16 09:40:08 +00:00
PRIVATE_IPS="private_ips()"
private_ips() {
if running_both; then
error "Cannot be called in 'both' mode"
return 1
fi
if running_ipv6; then
echo "${PRIVATE_IPV6}"
else
echo "${PRIVATE_IPV4}"
fi
return 0
}
2002-12-07 00:47:30 +00:00
2003-01-06 00:41:10 +00:00
# The multicast address space
2013-11-24 11:09:46 +00:00
load_ips MULTICAST_IPV4 MULTICAST_IPS "${MULTICAST_IPV4}" 0
load_ips MULTICAST_IPV6 MULTICAST_IPV6 "${MULTICAST_IPV6}" 0
MULTICAST_IPS="multicast_ips()"
multicast_ips() {
if running_both; then
error "Cannot be called in 'both' mode"
return 1
fi
if running_ipv6; then
echo "${MULTICAST_IPV6}"
else
echo "${MULTICAST_IPV4}"
fi
return 0
}
2002-09-05 20:57:59 +00:00
2003-01-06 00:41:10 +00:00
# A shortcut to have all the Internet unroutable addresses in one
# variable
2013-11-16 09:40:08 +00:00
UNROUTABLE_IPV4="${RESERVED_IPV4} ${PRIVATE_IPV4}"
2013-11-24 11:09:46 +00:00
load_ips UNROUTABLE_IPV4 UNROUTABLE_IPS "${UNROUTABLE_IPV4}" 0
2013-11-16 09:40:08 +00:00
UNROUTABLE_IPV6="${RESERVED_IPV6} ${PRIVATE_IPV6}"
2013-11-24 11:09:46 +00:00
load_ips UNROUTABLE_IPV6 UNROUTABLE_IPV6 "${UNROUTABLE_IPV6}" 0
2013-11-16 09:40:08 +00:00
UNROUTABLE_IPS="unroutable_ips()"
unroutable_ips() {
if running_both; then
error "Cannot be called in 'both' mode"
return 1
fi
if running_ipv6; then
echo "${UNROUTABLE_IPV6}"
else
echo "${UNROUTABLE_IPV4}"
fi
return 0
}
2002-09-05 20:57:59 +00:00
2003-01-06 00:41:10 +00:00
# Get the default client ports from the kernel configuration.
# This is formed to a range of ports to be used for all "default"
# client ports when the client specified is the localhost.
2013-11-16 15:33:24 +00:00
#
# According to http://tldp.org/HOWTO/Linux+IPv6-HOWTO/proc-sys-net-ipv4..html
# the ipv4 values are also used for ipv6, so no needed change here
2003-04-08 00:12:02 +00:00
LOCAL_CLIENT_PORTS_LOW=`${SYSCTL_CMD} net.ipv4.ip_local_port_range | ${CUT_CMD} -d '=' -f 2 | ${CUT_CMD} -f 1`
LOCAL_CLIENT_PORTS_HIGH=`${SYSCTL_CMD} net.ipv4.ip_local_port_range | ${CUT_CMD} -d '=' -f 2 | ${CUT_CMD} -f 2`
2003-01-06 00:41:10 +00:00
LOCAL_CLIENT_PORTS="${LOCAL_CLIENT_PORTS_LOW}:${LOCAL_CLIENT_PORTS_HIGH}"
# ----------------------------------------------------------------------
# This is our version number. It is increased when the configuration
# file commands and arguments change their meaning and usage, so that
# the user will have to review it more precisely.
2014-02-09 18:11:39 +00:00
FIREHOL_VERSION=6
2003-01-06 00:41:10 +00:00
# ----------------------------------------------------------------------
# The initial line number of the configuration file.
2015-01-30 22:45:56 +00:00
FORCE_CONFIG_LINEID="INIT"
LAST_CONFIG_LINE="INIT"
2003-01-06 00:41:10 +00:00
# Variable kernel module requirements.
# Suggested by Fco.Felix Belmonte <ffelix@gescosoft.com>
# Note that each of the complex services
# may add to this variable the kernel modules it requires.
2015-01-24 02:21:04 +00:00
declare -A FIREHOL_KERNEL_MODULES=()
2015-03-01 02:16:16 +00:00
2003-01-06 00:41:10 +00:00
#
# In the configuration file you can write:
#
# require_kernel_module <module_name>
#
# to have FireHOL require a specific module for the configurarion.
# ------------------------------------------------------------------------------
2005-01-24 21:23:38 +00:00
# Various Defaults
2003-05-22 19:39:53 +00:00
2009-02-26 02:13:54 +00:00
# Valid modes:
# START, DEBUG, EXPLAIN, WIZARD, STOP, PANIC
FIREHOL_MODE="NONE"
2002-09-05 20:57:59 +00:00
# If set to 1, the firewall will be saved for normal iptables processing.
2009-02-26 02:13:54 +00:00
# Valid only for FIREHOL_MODE="START"
2002-09-05 20:57:59 +00:00
FIREHOL_SAVE=0
2002-10-31 15:31:52 +00:00
# If set to 1, the firewall will be restored if you don't commit it.
2009-02-26 02:13:54 +00:00
# Valid only for FIREHOL_MODE="START"
2009-10-01 10:25:23 +00:00
FIREHOL_TRY=0
2002-09-05 20:57:59 +00:00
2013-04-13 20:41:09 +00:00
# If set to 1, firehol will output the commands of the configuration file
2004-04-21 21:35:29 +00:00
# with variables expanded.
2015-01-30 22:45:56 +00:00
FIREHOL_CONF_SHOW=0
2004-04-21 21:35:29 +00:00
2013-11-03 17:44:18 +00:00
# ------------------------------------------------------------------------------
# Keep information about the current namespace: ipv4, ipv6 or both
2015-01-24 02:21:04 +00:00
declare -a FIREHOL_NS_STACK=()
2015-03-01 02:16:16 +00:00
FIREHOL_NS_CURR=
FIREHOL_DEFAULT_NAMESPACE=
init_namespace() {
[ ! -z "${FIREHOL_NS_CURR}" ] && return 0
if [ $ENABLE_IPV4 -eq 1 -a $ENABLE_IPV6 -eq 1 ]
then
FIREHOL_DEFAULT_NAMESPACE="both"
elif [ $ENABLE_IPV4 -eq 1 ]
then
FIREHOL_DEFAULT_NAMESPACE="ipv4"
else
FIREHOL_DEFAULT_NAMESPACE="ipv6"
fi
FIREHOL_NS_STACK=(${FIREHOL_DEFAULT_NAMESPACE})
FIREHOL_NS_CURR=${FIREHOL_DEFAULT_NAMESPACE}
}
2013-11-10 12:38:37 +00:00
2015-03-05 07:29:55 +00:00
init_namespace
2013-11-03 17:44:18 +00:00
push_namespace() {
if [ "$1" != "ipv4" -a "$1" != "ipv6" -a "$1" != "both" ]
then
2013-11-10 13:05:29 +00:00
error "Bad namespace: $1 (must be ipv4/ipv6/both)"
return 1
2013-11-03 17:44:18 +00:00
fi
2013-11-10 12:38:37 +00:00
if [ "${FIREHOL_NS_CURR}" != "both" -a "$1" != "${FIREHOL_NS_CURR}" ]
then
2013-11-10 13:05:29 +00:00
error "Cannot use namespace $1 within ${FIREHOL_NS_CURR}"
return 1
2013-11-10 12:38:37 +00:00
fi
2015-01-24 02:21:04 +00:00
FIREHOL_NS_STACK=("$1" "${FIREHOL_NS_STACK[@]}")
FIREHOL_NS_CURR="$1"
2013-11-03 17:44:18 +00:00
return 0
}
pop_namespace() {
2015-01-24 11:06:43 +00:00
FIREHOL_NS_STACK=(${FIREHOL_NS_STACK[@]:1})
2015-01-24 11:17:20 +00:00
FIREHOL_NS_CURR=${FIREHOL_NS_STACK[0]-${FIREHOL_DEFAULT_NAMESPACE}}
2013-11-03 17:44:18 +00:00
return 0
}
running_ipv4() {
2013-11-10 12:38:37 +00:00
if [ "${FIREHOL_NS_CURR}" = "ipv4" -o "${FIREHOL_NS_CURR}" = "both" ]
then
return 0;
fi
2013-11-03 17:44:18 +00:00
return 1
}
running_ipv6() {
2013-11-10 12:38:37 +00:00
if [ "${FIREHOL_NS_CURR}" = "ipv6" -o "${FIREHOL_NS_CURR}" = "both" ]
then
return 0;
fi
2013-11-03 17:44:18 +00:00
return 1
}
running_both() {
2013-11-10 12:38:37 +00:00
if [ "${FIREHOL_NS_CURR}" = "both" ]
then
return 0;
fi
2013-11-03 17:44:18 +00:00
return 1
}
2015-03-01 02:16:16 +00:00
ipv4() { force_namespace ipv4 "${@}"; }
ipv6() { force_namespace ipv6 "${@}"; }
both() { force_namespace both "${@}"; }
force_namespace() {
test -z "${FIREHOL_DEFAULT_NAMESPACE}" && init_namespace
2013-11-10 13:05:29 +00:00
2015-03-01 02:16:16 +00:00
local ipv="${1}" command="${2}" ret=0
shift 2
2013-11-10 13:05:29 +00:00
2015-03-01 02:16:16 +00:00
case "${command}" in
# these commands push/pop the namespace by themselves
interface|interface4|interface6|interface46|router|router4|router6|router46|group|group4|group6|group46)
${command} -ns ${ipv} "${@}"
ret=$?
;;
2013-11-10 13:05:29 +00:00
2015-03-01 02:16:16 +00:00
# all the others complete in just one step
# so, we push/pop for them
*)
if ! push_namespace ${ipv}; then return 1; fi
$command "${@}"
ret=$?
pop_namespace
;;
esac
2013-11-10 13:05:29 +00:00
2015-03-01 02:16:16 +00:00
return $ret
2013-11-03 17:44:18 +00:00
}
2002-09-05 20:57:59 +00:00
2003-01-06 00:41:10 +00:00
# ------------------------------------------------------------------------------
# Keep information about the current primary command
# Primary commands are: interface, router
2002-12-03 22:49:16 +00:00
2013-11-03 17:44:18 +00:00
work_counter4=0
work_counter6=0
2003-01-06 00:41:10 +00:00
work_cmd=
work_realcmd=("(unset)")
work_name=
work_inface=
work_outface=
2006-06-05 17:25:33 +00:00
work_policy=
2003-01-06 00:41:10 +00:00
work_error=0
work_function="Initializing"
2002-12-03 22:49:16 +00:00
2013-11-03 21:08:26 +00:00
get_next_work_counter() {
local var="$1"
2013-11-03 17:44:18 +00:00
if running_both
then
if [ $work_counter4 -gt $work_counter6 ]
then
work_counter4=$[work_counter4 + 1]
work_counter6=$[work_counter4]
else
work_counter6=$[work_counter6 + 1]
work_counter4=$[work_counter6]
fi
2013-11-03 21:08:26 +00:00
eval ${var}=${work_counter4}
2013-11-03 17:44:18 +00:00
elif running_ipv6
then
work_counter6=$[work_counter6 + 1]
2013-11-03 21:08:26 +00:00
eval ${var}=${work_counter6}
2013-11-03 17:44:18 +00:00
else
work_counter4=$[work_counter4 + 1]
2013-11-03 21:08:26 +00:00
eval ${var}=${work_counter4}
2013-11-03 17:44:18 +00:00
fi
}
2002-09-05 20:57:59 +00:00
# ------------------------------------------------------------------------------
# Keep status information
2009-02-26 02:13:54 +00:00
# 0 = no errors, >0 = there were errors in the script
work_runtime_error=0
2002-09-05 20:57:59 +00:00
2013-11-03 21:08:26 +00:00
# This function is used for generating dynamic chains when needed for
2002-12-23 14:39:19 +00:00
# combined negative statements (AND) implied by the "not" parameter
# to many FireHOL directives.
# What FireHOL is doing to accomplish this, is to produce dynamically
# a linked list of iptables chains with just one condition each, making
# the packets to traverse from chain to chain when matched, to reach
# their final destination.
2013-11-03 21:08:26 +00:00
dynamic_counter4=0
dynamic_counter6=0
get_next_dynamic_counter() {
local var="$1"
if running_both
then
if [ $dynamic_counter4 -gt $dynamic_counter6 ]
then
dynamic_counter4=$[dynamic_counter4 + 1]
dynamic_counter6=$[dynamic_counter4]
else
dynamic_counter6=$[dynamic_counter6 + 1]
dynamic_counter4=$[dynamic_counter6]
fi
eval ${var}=${dynamic_counter4}
elif running_ipv6
then
dynamic_counter6=$[dynamic_counter6 + 1]
eval ${var}=${dynamic_counter6}
else
dynamic_counter4=$[dynamic_counter4 + 1]
eval ${var}=${dynamic_counter4}
fi
}
2002-12-23 14:39:19 +00:00
2004-10-28 23:03:06 +00:00
# Services API version
FIREHOL_SERVICES_API="1"
2002-09-05 20:57:59 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# SIMPLE SERVICES DEFINITIONS
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
# The following are definitions for simple services.
# We define as "simple" the services that are implemented using a single socket,
# initiated by the client and used by the server.
2003-01-06 00:41:10 +00:00
#
2002-11-30 14:33:33 +00:00
# The following list is sorted by service name.
2002-10-11 21:09:11 +00:00
2015-03-13 09:59:51 +00:00
server_all_ports="any/any"
client_all_ports="any"
helper_all="ftp irc sip pptp proto_gre"
# any is the same with all, without helpers
server_any_ports="${server_all_ports}"
client_any_ports="${client_all_ports}"
helper_any=
2003-01-03 23:34:37 +00:00
server_AH_ports="51/any"
client_AH_ports="any"
2009-02-19 05:27:49 +00:00
server_amanda_ports="udp/10080"
client_amanda_ports="default"
helper_amanda="amanda"
2002-12-12 20:07:47 +00:00
server_aptproxy_ports="tcp/9999"
client_aptproxy_ports="default"
server_apcupsd_ports="tcp/6544"
client_apcupsd_ports="default"
2002-12-22 14:02:54 +00:00
server_apcupsdnis_ports="tcp/3551"
client_apcupsdnis_ports="default"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_asterisk_ports="tcp/5038"
client_asterisk_ports="default"
2003-10-20 17:49:56 +00:00
server_cups_ports="tcp/631 udp/631"
2007-10-25 12:34:06 +00:00
client_cups_ports="any"
2002-12-20 20:31:11 +00:00
2003-01-20 21:50:36 +00:00
server_cvspserver_ports="tcp/2401"
client_cvspserver_ports="default"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_darkstat_ports="tcp/666"
client_darkstat_ports="default"
2004-10-08 22:30:52 +00:00
server_daytime_ports="tcp/13"
2002-10-11 21:09:11 +00:00
client_daytime_ports="default"
2003-10-18 09:40:45 +00:00
server_dcc_ports="udp/6277"
client_dcc_ports="default"
2003-06-10 21:27:46 +00:00
server_dcpp_ports="tcp/1412 udp/1412"
client_dcpp_ports="default"
2004-10-08 22:30:52 +00:00
server_dns_ports="udp/53 tcp/53"
2002-12-18 20:44:08 +00:00
client_dns_ports="any"
2004-10-08 22:30:52 +00:00
server_dhcprelay_ports="udp/67"
client_dhcprelay_ports="67"
2002-12-12 20:07:47 +00:00
2005-01-21 19:58:09 +00:00
server_dict_ports="tcp/2628"
client_dict_ports="default"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_distcc_ports="tcp/3632"
client_distcc_ports="default"
server_eserver_ports="tcp/4661 udp/4661 udp/4665"
client_eserver_ports="any"
2003-01-03 23:34:37 +00:00
server_ESP_ports="50/any"
client_ESP_ports="any"
2004-10-08 22:30:52 +00:00
server_echo_ports="tcp/7"
2002-11-30 14:33:33 +00:00
client_echo_ports="default"
2004-10-08 22:30:52 +00:00
server_finger_ports="tcp/79"
2002-10-11 21:09:11 +00:00
client_finger_ports="default"
2009-02-19 05:27:49 +00:00
server_ftp_ports="tcp/21"
client_ftp_ports="default"
helper_ftp="ftp"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_gift_ports="tcp/4302 tcp/1214 tcp/2182 tcp/2472"
client_gift_ports="any"
server_giftui_ports="tcp/1213"
client_giftui_ports="default"
2003-10-13 18:50:30 +00:00
server_gkrellmd_ports="tcp/19150"
client_gkrellmd_ports="default"
2003-01-03 23:34:37 +00:00
server_GRE_ports="47/any"
client_GRE_ports="any"
2009-02-19 05:27:49 +00:00
helper_GRE="proto_gre"
2003-01-03 23:34:37 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
server_h323_ports="udp/1720 tcp/1720"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
client_h323_ports="default"
2009-02-19 05:27:49 +00:00
helper_h323="h323"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
2002-11-30 14:33:33 +00:00
server_heartbeat_ports="udp/690:699"
client_heartbeat_ports="default"
2002-10-11 21:09:11 +00:00
2004-10-08 22:30:52 +00:00
server_http_ports="tcp/80"
2002-11-30 14:33:33 +00:00
client_http_ports="default"
2002-10-11 21:09:11 +00:00
2004-10-08 22:30:52 +00:00
server_https_ports="tcp/443"
2002-11-30 14:33:33 +00:00
client_https_ports="default"
2002-09-05 20:57:59 +00:00
2013-10-15 12:01:13 +00:00
server_httpalt_ports="tcp/8080"
client_httpalt_ports="default"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_iax_ports="udp/5036"
client_iax_ports="default"
server_iax2_ports="udp/5469 udp/4569"
client_iax2_ports="default"
2003-01-03 23:34:37 +00:00
server_ICMP_ports="icmp/any"
client_ICMP_ports="any"
2013-11-16 15:49:16 +00:00
server_icmp_ports="${server_ICMP_ports}"
client_icmp_ports="${client_ICMP_ports}"
2002-12-18 20:44:08 +00:00
2013-11-16 15:49:16 +00:00
server_ICMPV6_ports="icmpv6/any"
client_ICMPV6_ports="any"
server_icmpv6_ports="${server_ICMPV6_ports}"
client_icmpv6_ports="${client_ICMPV6_ports}"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_icp_ports="udp/3130"
client_icp_ports="3130"
2004-10-08 22:30:52 +00:00
server_ident_ports="tcp/113"
2002-09-05 20:57:59 +00:00
client_ident_ports="default"
2003-07-31 20:44:45 +00:00
server_imap_ports="tcp/143"
2002-09-05 20:57:59 +00:00
client_imap_ports="default"
2004-10-08 22:30:52 +00:00
server_imaps_ports="tcp/993"
2002-11-30 14:33:33 +00:00
client_imaps_ports="default"
2002-09-05 20:57:59 +00:00
2004-10-08 22:30:52 +00:00
server_irc_ports="tcp/6667"
2002-10-27 02:49:34 +00:00
client_irc_ports="default"
2009-02-19 05:27:49 +00:00
helper_irc="irc"
2002-09-05 20:57:59 +00:00
2002-12-12 20:07:47 +00:00
server_isakmp_ports="udp/500"
2007-10-25 12:34:06 +00:00
client_isakmp_ports="any"
2002-12-12 20:07:47 +00:00
2010-04-08 22:12:35 +00:00
server_ipsecnatt_ports="udp/4500"
client_ipsecnatt_ports="any"
2003-06-30 22:07:01 +00:00
server_jabber_ports="tcp/5222 tcp/5223"
client_jabber_ports="default"
server_jabberd_ports="tcp/5222 tcp/5223 tcp/5269"
client_jabberd_ports="default"
2010-04-08 22:12:35 +00:00
server_l2tp_ports="udp/1701"
client_l2tp_ports="any"
2004-10-08 22:30:52 +00:00
server_ldap_ports="tcp/389"
2002-09-05 20:57:59 +00:00
client_ldap_ports="default"
2004-10-08 22:30:52 +00:00
server_ldaps_ports="tcp/636"
2002-12-05 09:23:36 +00:00
client_ldaps_ports="default"
2004-10-08 22:30:52 +00:00
server_lpd_ports="tcp/515"
2007-10-25 12:34:06 +00:00
client_lpd_ports="any"
2002-09-05 20:57:59 +00:00
2004-10-08 22:30:52 +00:00
server_microsoft_ds_ports="tcp/445"
2003-01-01 04:32:48 +00:00
client_microsoft_ds_ports="default"
2003-10-26 21:27:31 +00:00
server_mms_ports="tcp/1755 udp/1755"
client_mms_ports="default"
2015-02-15 09:20:22 +00:00
helper_mms="mms"
2003-10-26 21:27:31 +00:00
2013-10-22 21:03:48 +00:00
server_ms_ds_ports="${server_microsoft_ds_ports}"
client_ms_ds_ports="${client_microsoft_ds_ports}"
2013-10-15 21:59:25 +00:00
server_msnp_ports="tcp/6891"
client_msnp_ports="default"
server_msn_ports="tcp/1863 udp/1863"
2003-06-10 21:27:46 +00:00
client_msn_ports="default"
2004-10-08 22:30:52 +00:00
server_mysql_ports="tcp/3306"
2002-09-05 20:57:59 +00:00
client_mysql_ports="default"
2003-10-09 10:01:26 +00:00
server_netbackup_ports="tcp/13701 tcp/13711 tcp/13720 tcp/13721 tcp/13724 tcp/13782 tcp/13783"
client_netbackup_ports="any"
2004-10-08 22:30:52 +00:00
server_netbios_ns_ports="udp/137"
2007-10-25 12:34:06 +00:00
client_netbios_ns_ports="any"
2002-11-30 14:33:33 +00:00
2004-10-08 22:30:52 +00:00
server_netbios_dgm_ports="udp/138"
2007-10-25 12:34:06 +00:00
client_netbios_dgm_ports="any"
2002-11-30 14:33:33 +00:00
2004-10-08 22:30:52 +00:00
server_netbios_ssn_ports="tcp/139"
2002-11-30 14:33:33 +00:00
client_netbios_ssn_ports="default"
2004-10-08 22:30:52 +00:00
server_nntp_ports="tcp/119"
2002-11-30 14:33:33 +00:00
client_nntp_ports="default"
2004-10-08 22:30:52 +00:00
server_nntps_ports="tcp/563"
client_nntps_ports="default"
server_ntp_ports="udp/123 tcp/123"
2007-10-25 12:34:06 +00:00
client_ntp_ports="any"
2002-11-30 14:33:33 +00:00
2004-10-28 22:02:43 +00:00
server_nut_ports="tcp/3493 udp/3493"
client_nut_ports="default"
2004-09-12 06:57:47 +00:00
server_nxserver_ports="tcp/5000:5200"
client_nxserver_ports="default"
2013-10-15 21:59:25 +00:00
server_openvpn_ports="tcp/1194 udp/1194"
client_openvpn_ports="default"
2003-10-13 18:50:30 +00:00
server_oracle_ports="tcp/1521"
client_oracle_ports="default"
2006-03-11 12:24:34 +00:00
server_OSPF_ports="89/any"
client_OSPF_ports="any"
2003-07-31 20:44:45 +00:00
server_pop3_ports="tcp/110"
2002-11-30 14:33:33 +00:00
client_pop3_ports="default"
2004-10-08 22:30:52 +00:00
server_pop3s_ports="tcp/995"
2002-12-05 09:23:36 +00:00
client_pop3s_ports="default"
2004-10-08 22:30:52 +00:00
server_portmap_ports="udp/111 tcp/111"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
client_portmap_ports="any" # Portmap clients appear to use ports below 1024
2002-09-05 20:57:59 +00:00
2003-07-20 21:52:41 +00:00
server_postgres_ports="tcp/5432"
client_postgres_ports="default"
2009-02-19 05:27:49 +00:00
server_pptp_ports="tcp/1723"
client_pptp_ports="default"
helper_pptp="pptp proto_gre"
2002-12-05 09:23:36 +00:00
server_privoxy_ports="tcp/8118"
client_privoxy_ports="default"
2004-07-29 22:31:14 +00:00
server_radius_ports="udp/1812 udp/1813"
2002-09-05 20:57:59 +00:00
client_radius_ports="default"
2004-07-29 22:31:14 +00:00
server_radiusproxy_ports="udp/1814"
client_radiusproxy_ports="default"
2002-09-05 20:57:59 +00:00
server_radiusold_ports="udp/1645 udp/1646"
client_radiusold_ports="default"
2004-07-29 22:31:14 +00:00
server_radiusoldproxy_ports="udp/1647"
client_radiusoldproxy_ports="default"
2004-09-12 07:24:58 +00:00
server_rdp_ports="tcp/3389"
client_rdp_ports="default"
2004-10-08 22:30:52 +00:00
server_rndc_ports="tcp/953"
2002-11-30 14:33:33 +00:00
client_rndc_ports="default"
2002-09-05 20:57:59 +00:00
2004-10-08 22:30:52 +00:00
server_rsync_ports="tcp/873 udp/873"
2002-11-30 14:33:33 +00:00
client_rsync_ports="default"
2002-09-05 20:57:59 +00:00
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_rtp_ports="udp/10000:20000"
client_rtp_ports="any"
2010-04-08 22:16:03 +00:00
server_sane_ports="tcp/6566"
client_sane_ports="default"
helper_sane="sane"
2015-02-06 00:57:06 +00:00
server_sip_ports="tcp/5060 udp/5060"
2006-01-18 21:20:28 +00:00
client_sip_ports="5060 default"
2009-02-19 05:27:49 +00:00
helper_sip="sip"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
2004-10-08 22:30:52 +00:00
server_socks_ports="tcp/1080 udp/1080"
2003-03-15 01:24:19 +00:00
client_socks_ports="default"
2003-03-14 21:22:37 +00:00
server_squid_ports="tcp/3128"
2002-12-05 09:23:36 +00:00
client_squid_ports="default"
2004-10-08 22:30:52 +00:00
server_smtp_ports="tcp/25"
2002-11-30 14:33:33 +00:00
client_smtp_ports="default"
2004-10-08 22:30:52 +00:00
server_smtps_ports="tcp/465"
2002-12-05 09:23:36 +00:00
client_smtps_ports="default"
2004-10-08 22:30:52 +00:00
server_snmp_ports="udp/161"
2002-11-30 14:33:33 +00:00
client_snmp_ports="default"
2004-10-08 22:30:52 +00:00
server_snmptrap_ports="udp/162"
2003-02-20 22:32:56 +00:00
client_snmptrap_ports="any"
2002-12-05 09:23:36 +00:00
2013-10-15 21:59:25 +00:00
server_nrpe_ports="tcp/5666"
client_nrpe_ports="default"
2004-10-08 22:30:52 +00:00
server_ssh_ports="tcp/22"
2002-11-30 14:33:33 +00:00
client_ssh_ports="default"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_stun_ports="udp/3478 udp/3479"
client_stun_ports="any"
2002-12-11 20:51:38 +00:00
server_submission_ports="tcp/587"
2002-12-05 09:03:37 +00:00
client_submission_ports="default"
2002-11-30 14:33:33 +00:00
server_sunrpc_ports="${server_portmap_ports}"
client_sunrpc_ports="${client_portmap_ports}"
2002-09-05 20:57:59 +00:00
2004-10-08 22:30:52 +00:00
server_swat_ports="tcp/901"
2002-12-05 09:23:36 +00:00
client_swat_ports="default"
2004-10-08 22:30:52 +00:00
server_syslog_ports="udp/514"
2015-02-15 18:30:34 +00:00
client_syslog_ports="514 default"
2002-09-05 20:57:59 +00:00
2004-10-08 22:30:52 +00:00
server_telnet_ports="tcp/23"
2002-11-30 14:33:33 +00:00
client_telnet_ports="default"
2002-09-05 20:57:59 +00:00
2009-02-19 05:27:49 +00:00
server_tftp_ports="udp/69"
client_tftp_ports="default"
helper_tftp="tftp"
2013-03-10 11:19:47 +00:00
server_tomcat_ports="${server_httpalt_ports}"
client_tomcat_ports="${client_httpalt_ports}"
2003-10-22 06:58:27 +00:00
server_time_ports="tcp/37 udp/37"
2003-07-20 21:50:29 +00:00
client_time_ports="default"
Added services:
asterisk, darkstat, distcc, eserver, gift, giftui, h323, iax, iax2, icp,
rtp, sip, stun, upnp.
2004-09-26 00:52:55 +00:00
server_upnp_ports="udp/1900 tcp/2869"
client_upnp_ports="default"
2004-10-08 22:30:52 +00:00
server_uucp_ports="tcp/540"
2002-11-30 14:33:33 +00:00
client_uucp_ports="default"
2002-10-03 16:28:16 +00:00
2004-04-21 22:23:10 +00:00
server_whois_ports="tcp/43"
client_whois_ports="default"
2002-10-26 15:14:52 +00:00
server_vmware_ports="tcp/902"
client_vmware_ports="default"
2002-10-03 16:28:16 +00:00
server_vmwareauth_ports="tcp/903"
client_vmwareauth_ports="default"
2005-11-19 09:38:25 +00:00
server_vmwareweb_ports="tcp/8222 tcp/8333"
2002-10-03 16:28:16 +00:00
client_vmwareweb_ports="default"
2002-11-30 14:33:33 +00:00
server_vnc_ports="tcp/5900:5903"
client_vnc_ports="default"
2002-10-11 21:09:11 +00:00
2013-10-15 12:01:13 +00:00
server_webcache_ports="${server_httpalt_ports}"
client_webcache_ports="${client_httpalt_ports}"
2002-09-05 20:57:59 +00:00
2003-06-30 22:18:46 +00:00
server_webmin_ports="tcp/10000"
client_webmin_ports="default"
2003-08-31 22:21:49 +00:00
server_xdmcp_ports="udp/177"
client_xdmcp_ports="default"
2002-09-05 20:57:59 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# COMPLEX SERVICES DEFINITIONS
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
# The following are definitions for complex services.
# We define as "complex" the services that are implemented using multiple sockets.
# Each function bellow is organized in three parts:
# 1) A Header, common to each and every function
# 2) The rules required for the INPUT of the server
# 3) The rules required for the OUTPUT of the server
#
# The Header part, together with the "reverse" keyword can reverse the rules so
# that if we are implementing a client the INPUT will become OUTPUT and vice versa.
#
# In most the cases the input and output rules are the same with the following
# differences:
#
# a) The output rules begin with the "reverse" keyword, which reverses:
# inface/outface, src/dst, sport/dport
# b) The output rules use ${out}_${mychain} instead of ${in}_${mychain}
# c) The state rules match the client operation, not the server.
2013-11-16 16:47:48 +00:00
# --- ICMP (v4/v6) helper functions --------------------------------------------
add_icmp_rule_pair() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
mychain="${1}" \
type="${2}" \
request="${3}" \
response="${4}"
shift 4
2013-11-16 16:47:48 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto icmp custom "--icmp-type $request" state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto icmp custom "--icmp-type $response" state ESTABLISHED || return 1
2013-11-16 16:47:48 +00:00
return 0
}
add_icmpv6_rule_pair() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
mychain="${1}" \
type="${2}" \
request="${3}" \
response="${4}"
shift 4
2013-11-16 16:47:48 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto icmpv6 custom "--icmpv6-type $request" state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto icmpv6 custom "--icmpv6-type $response" state ESTABLISHED || return 1
2013-11-16 16:47:48 +00:00
return 0
}
add_icmpv6_rule_pair_stateless() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
mychain="${1}" \
type="${2}" \
icmpv6in="${3}" \
icmpv6out="${4}"
shift 4
2013-11-16 16:47:48 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto icmpv6 custom "--icmpv6-type $icmpv6in" || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto icmpv6 custom "--icmpv6-type $icmpv6out" || return 1
2013-11-16 16:47:48 +00:00
return 0
}
add_icmpv6_rule_error() {
# Unlike stateful and stateless icmpv6 packets, for a server
# or client we do the same thing:
# ingress error packets allowed if we think we have a connection
# egress error packets allowed whatever
# Possibly we could restrict the whatever to be related also?
2015-01-30 22:45:56 +00:00
local mychain="${1}" \
type="${2}" \
icmpv6error="${3}"
shift 3
2013-11-16 16:47:48 +00:00
2015-01-30 22:45:56 +00:00
local in=in out=out
2013-11-16 16:47:48 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
2015-02-06 20:43:23 +00:00
rule ${in} reverse action "${@}" chain "${in}_${mychain}" proto icmpv6 custom "--icmpv6-type $icmpv6error" state ESTABLISHED,RELATED || return 1
rule ${out} action "${@}" chain "${out}_${mychain}" proto icmpv6 custom "--icmpv6-type $icmpv6error" || return 1
2013-11-16 16:47:48 +00:00
return 0
}
2007-12-11 22:05:24 +00:00
# --- XBOX ---------------------------------------------------------------------
# Contributed by andrex@alumni.utexas.net
# Following is the (complex) service definition function for xbox, the Xbox live
# service. With this definition our Xbox connects and plays from behind a NAT
# firewall with no trouble. Andrew.
rules_xbox() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2007-12-11 22:05:24 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
2015-02-19 01:21:51 +00:00
set_work_function "Rules for Xbox live"
2007-12-11 22:05:24 +00:00
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto udp dport "88 3074" sport "${client_ports}" state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto udp dport "88 3074" sport "${client_ports}" state ESTABLISHED || return 1
2007-12-11 22:05:24 +00:00
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto tcp dport 3074 sport "${client_ports}" state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto tcp dport 3074 sport "${client_ports}" state ESTABLISHED || return 1
2007-12-11 22:05:24 +00:00
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto udp sport 3074 dport "${client_ports}" state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto udp sport 3074 dport "${client_ports}" state ESTABLISHED || return 1
2007-12-11 22:05:24 +00:00
return 0
}
2002-09-05 20:57:59 +00:00
2004-10-30 23:03:57 +00:00
# --- DHCP --------------------------------------------------------------------
rules_dhcp() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2013-12-01 17:56:34 +00:00
if ! push_namespace ipv4; then return 1; fi
2004-10-30 23:03:57 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
2015-02-19 01:21:51 +00:00
set_work_function "Rules for DHCP (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "udp" sport "68" dport "67" || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "udp" sport "68" dport "67" || return 1
2004-10-30 23:03:57 +00:00
2013-12-01 17:56:34 +00:00
pop_namespace
return 0
}
rules_dhcpv6() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2013-12-01 17:56:34 +00:00
if ! push_namespace ipv6; then return 1; fi
if [ "${type}" = "client" ]
then
in=out
out=in
fi
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
2015-02-19 01:21:51 +00:00
set_work_function "Rules for DHCPv6 (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "udp" dport "547" || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "udp" sport "546" || return 1
2013-12-01 17:56:34 +00:00
pop_namespace
2004-10-30 23:03:57 +00:00
return 0
}
2003-02-03 23:11:49 +00:00
# --- EMULE --------------------------------------------------------------------
rules_emule() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2003-02-03 23:11:49 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
# allow incomming to server tcp/4662
2015-02-19 01:21:51 +00:00
set_work_function "Rules for EMULE/client-to-server tcp/4662 (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "tcp" sport any dport 4662 state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "tcp" sport any dport 4662 state ESTABLISHED || return 1
2003-02-03 23:11:49 +00:00
2003-07-20 22:45:50 +00:00
# allow outgoing to client tcp/4662
2015-02-19 01:21:51 +00:00
set_work_function "Rules for EMULE/server-to-client tcp/4662 (${type})"
2015-02-06 20:43:23 +00:00
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "tcp" dport any sport 4662 state NEW,ESTABLISHED || return 1
rule ${in} action "${@}" chain "${in}_${mychain}" proto "tcp" dport any sport 4662 state ESTABLISHED || return 1
2003-02-03 23:11:49 +00:00
# allow incomming to server udp/4672
2015-02-19 01:21:51 +00:00
set_work_function "Rules for EMULE/client-to-server udp/4672 (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "udp" sport any dport 4672 state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "udp" sport any dport 4672 state ESTABLISHED || return 1
2003-02-03 23:11:49 +00:00
2003-07-20 22:45:50 +00:00
# allow outgoing to client udp/4672
2015-02-19 01:21:51 +00:00
set_work_function "Rules for EMULE/server-to-client udp/4672 (${type})"
2015-02-06 20:43:23 +00:00
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "udp" dport any sport 4672 state NEW,ESTABLISHED || return 1
rule ${in} action "${@}" chain "${in}_${mychain}" proto "udp" dport any sport 4672 state ESTABLISHED || return 1
2003-02-03 23:11:49 +00:00
# allow incomming to server tcp/4661
2015-02-19 01:21:51 +00:00
set_work_function "Rules for EMULE/client-to-server tcp/4661 (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "tcp" sport any dport 4661 state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "tcp" sport any dport 4661 state ESTABLISHED || return 1
2003-02-03 23:11:49 +00:00
# allow incomming to server udp/4665
2015-02-19 01:21:51 +00:00
set_work_function "Rules for EMULE/client-to-server udp/4665 (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "udp" sport any dport 4665 state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "udp" sport any dport 4665 state ESTABLISHED || return 1
2003-02-03 23:11:49 +00:00
return 0
}
2003-07-20 22:45:50 +00:00
# --- HYLAFAX ------------------------------------------------------------------
# Written by: Franscisco Javier Felix <ffelix@gescosoft.com>
rules_hylafax() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2003-07-20 22:45:50 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
# allow incomming to server tcp/4559
2015-02-19 01:21:51 +00:00
set_work_function "Rules for HYLAFAX/client-to-server tcp/4559 (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "tcp" sport any dport 4559 state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "tcp" sport any dport 4559 state ESTABLISHED || return 1
2003-07-20 22:45:50 +00:00
2003-10-05 22:58:57 +00:00
# allow outgoing to client from server tcp/4558
2015-02-19 01:21:51 +00:00
set_work_function "Rules for HYLAFAX/server-to-client from server tcp/4558 (${type})"
2015-02-06 20:43:23 +00:00
rule ${out} action "${@}" chain "${out}_${mychain}" proto "tcp" sport 4558 dport any state NEW,ESTABLISHED || return 1
rule ${in} reverse action "${@}" chain "${in}_${mychain}" proto "tcp" sport 4558 dport any state ESTABLISHED || return 1
2003-07-20 22:45:50 +00:00
return 0
}
2002-09-05 20:57:59 +00:00
# --- SAMBA --------------------------------------------------------------------
rules_samba() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2002-10-28 19:47:02 +00:00
if [ "${type}" = "client" ]
2002-09-05 20:57:59 +00:00
then
in=out
out=in
fi
2002-12-04 21:32:26 +00:00
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
2002-09-05 20:57:59 +00:00
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
2015-02-19 01:21:51 +00:00
set_work_function "Rules for SAMBA/NETBIOS-NS (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "udp" sport "137 ${client_ports}" dport 137 state NEW,ESTABLISHED || return 1
2003-11-04 21:43:02 +00:00
# NETBIOS initiates based on the broadcast address of an interface
# (request goes to broadcast address) but the server responds from
# its own IP address. This makes the server samba accept statement
# drop the server reply.
# Bellow is a hack, that allows a linux samba server to respond
# correctly, as it allows new outgoing connections from the well
# known netbios-ns port to the clients high ports.
# For clients and routers this hack is not applied because it
# would be a huge security hole.
if [ "${type}" = "server" -a "${work_cmd}" = "interface" ]
then
2015-02-06 20:43:23 +00:00
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "udp" sport "137 ${client_ports}" dport 137 state NEW,ESTABLISHED || return 1
2003-11-04 21:43:02 +00:00
else
2015-02-06 20:43:23 +00:00
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "udp" sport "137 ${client_ports}" dport 137 state ESTABLISHED || return 1
2003-11-04 21:43:02 +00:00
fi
2002-09-05 20:57:59 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for SAMBA/NETBIOS-DGM (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "udp" sport "138 ${client_ports}" dport 138 state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "udp" sport "138 ${client_ports}" dport 138 state ESTABLISHED || return 1
2003-10-05 22:58:57 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for SAMBA/NETBIOS-SSN (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "tcp" sport "${client_ports}" dport 139 state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "tcp" sport "${client_ports}" dport 139 state ESTABLISHED || return 1
2004-10-30 22:41:21 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for SAMBA/MICROSOFT_DS (${type})"
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" proto "tcp" sport "${client_ports}" dport 445 state NEW,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "tcp" sport "${client_ports}" dport 445 state ESTABLISHED || return 1
2002-09-05 20:57:59 +00:00
return 0
}
# --- NFS ----------------------------------------------------------------------
rules_nfs() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2002-10-28 19:47:02 +00:00
if [ "${type}" = "client" ]
2002-09-05 20:57:59 +00:00
then
in=out
out=in
fi
2002-12-04 21:32:26 +00:00
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
2002-09-05 20:57:59 +00:00
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
# This command requires in the client or route subcommands,
# the first argument after the policy/action is a dst.
2015-01-30 22:45:56 +00:00
local servers="localhost" \
action="${1}"
shift
2002-09-05 20:57:59 +00:00
2002-12-10 18:10:38 +00:00
if [ "${type}" = "client" -o ! "${work_cmd}" = "interface" ]
2002-09-05 20:57:59 +00:00
then
case "${1}" in
dst|DST|destination|DESTINATION)
shift
2015-01-30 22:45:56 +00:00
servers="${1}"
2002-09-05 20:57:59 +00:00
shift
;;
*)
error "Please re-phrase to: ${type} nfs ${action} dst <NFS_SERVER> [other rules]"
return 1
;;
esac
fi
local x=
for x in ${servers}
do
2014-10-04 09:34:56 +00:00
local tmp="`${MKTEMP_CMD} ${FIREHOL_DIR}/firehol-rpcinfo-XXXXXXXXXX`"
2002-09-05 20:57:59 +00:00
2002-12-17 20:47:34 +00:00
set_work_function "Getting RPC information from server '${x}'"
2002-09-05 20:57:59 +00:00
rpcinfo -p ${x} >"${tmp}"
if [ $? -gt 0 -o ! -s "${tmp}" ]
then
2002-09-08 12:05:10 +00:00
error "Cannot get rpcinfo from host '${x}' (using the previous firewall rules)"
2003-04-08 00:12:02 +00:00
${RM_CMD} -f "${tmp}"
2002-09-05 20:57:59 +00:00
return 1
fi
2004-09-10 21:36:26 +00:00
local server_rquotad_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " rquotad$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
2003-10-07 22:31:06 +00:00
local server_mountd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " mountd$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
local server_lockd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nlockmgr$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
2006-06-05 17:47:48 +00:00
local server_statd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " status$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
2003-10-07 22:31:06 +00:00
local server_nfsd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nfs$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
2002-09-05 20:57:59 +00:00
2002-12-17 20:47:34 +00:00
test -z "${server_mountd_ports}" && error "Cannot find mountd ports for nfs server '${x}'" && return 1
2003-10-07 22:31:06 +00:00
test -z "${server_lockd_ports}" && error "Cannot find lockd ports for nfs server '${x}'" && return 1
2006-06-05 17:47:48 +00:00
test -z "${server_statd_ports}" && error "Cannot find statd ports for nfs server '${x}'" && return 1
2002-12-17 20:47:34 +00:00
test -z "${server_nfsd_ports}" && error "Cannot find nfsd ports for nfs server '${x}'" && return 1
2002-09-05 20:57:59 +00:00
local dst=
if [ ! "${x}" = "localhost" ]
then
dst="dst ${x}"
fi
2004-09-10 21:36:26 +00:00
if [ ! -z "${server_rquotad_ports}" ]
then
2015-02-19 01:21:51 +00:00
set_work_function "Rules for rquotad on server '${x}'"
2015-02-06 20:43:23 +00:00
rules_custom "${mychain}" "${type}" nfs-rquotad "${server_rquotad_ports}" "500:65535" "${action}" $dst "${@}"
2004-09-10 21:36:26 +00:00
fi
2015-02-19 01:21:51 +00:00
set_work_function "Rules for mountd on server '${x}'"
2015-02-06 20:43:23 +00:00
rules_custom "${mychain}" "${type}" nfs-mountd "${server_mountd_ports}" "500:65535" "${action}" $dst "${@}"
2002-12-17 20:47:34 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for lockd on server '${x}'"
2015-02-06 20:43:23 +00:00
rules_custom "${mychain}" "${type}" nfs-lockd "${server_lockd_ports}" "500:65535" "${action}" $dst "${@}"
2006-06-05 17:47:48 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for statd on server '${x}'"
2015-02-06 20:43:23 +00:00
rules_custom "${mychain}" "${type}" nfs-statd "${server_statd_ports}" "500:65535" "${action}" $dst "${@}"
2003-10-07 22:31:06 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for nfsd on server '${x}'"
2015-02-06 20:43:23 +00:00
rules_custom "${mychain}" "${type}" nfs-nfsd "${server_nfsd_ports}" "500:65535" "${action}" $dst "${@}"
2002-12-17 20:47:34 +00:00
2003-04-08 00:12:02 +00:00
${RM_CMD} -f "${tmp}"
2002-09-05 20:57:59 +00:00
echo >&2 ""
echo >&2 "WARNING:"
2003-04-30 23:29:47 +00:00
echo >&2 "This firewall must be restarted if NFS server ${x} is restarted!"
2002-09-05 20:57:59 +00:00
echo >&2 ""
done
return 0
}
2004-10-30 21:13:26 +00:00
# --- NIS ----------------------------------------------------------------------
# These rules work for client access only!
#
# Pushing changes to slave servers won't work if these rules are active
# somewhere between the master and its slaves, because it is impossible to
# predict the ports where "yppush" will be listening on each push.
#
# Pulling changes directly on the slaves will work, and could be improved
# performance-wise if these rules are modified to open "fypxfrd". This wasn't
# done because it doesn't make that much sense since pushing changes on the
# master server is the most common, and recommended, way to replicate maps.
#
# Created by Carlos Rodrigues <crlf@users.sourceforge.net>
# Feature Requests item #1050951 <https://sourceforge.net/tracker/?func=detail&atid=487695&aid=1050951&group_id=58425>
rules_nis() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2004-10-30 21:13:26 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
# This command requires in the client or route subcommands,
# the first argument after the policy/action is a dst.
2015-01-30 22:45:56 +00:00
local servers="localhost" \
action="${1}"
shift
2004-10-30 21:13:26 +00:00
if [ "${type}" = "client" -o ! "${work_cmd}" = "interface" ]
then
case "${1}" in
dst|DST|destination|DESTINATION)
shift
2015-01-30 22:45:56 +00:00
servers="${1}"
2004-10-30 21:13:26 +00:00
shift
;;
*)
error "Please re-phrase to: ${type} nis ${action} dst <NIS_SERVER> [other rules]"
return 1
;;
esac
fi
local x=
for x in ${servers}
do
2014-10-04 09:34:56 +00:00
local tmp="`${MKTEMP_CMD} ${FIREHOL_DIR}/firehol-rpcinfo-XXXXXXXXXX)`"
2004-10-30 21:13:26 +00:00
set_work_function "Getting RPC information from server '${x}'"
rpcinfo -p ${x} >"${tmp}"
if [ $? -gt 0 -o ! -s "${tmp}" ]
then
error "Cannot get rpcinfo from host '${x}' (using the previous firewall rules)"
${RM_CMD} -f "${tmp}"
return 1
fi
local server_ypserv_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " ypserv$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
local server_yppasswdd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " yppasswdd$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
test -z "${server_ypserv_ports}" && error "Cannot find ypserv ports for nis server '${x}'" && return 1
local dst=
if [ ! "${x}" = "localhost" ]
then
dst="dst ${x}"
fi
2010-04-08 21:55:07 +00:00
if [ ! -z "${server_yppasswdd_ports}" ]
2004-10-30 21:13:26 +00:00
then
2015-02-19 01:21:51 +00:00
set_work_function "Rules for yppasswd on server '${x}'"
2015-02-06 20:43:23 +00:00
rules_custom "${mychain}" "${type}" nis-yppasswd "${server_yppasswdd_ports}" "500:65535" "${action}" $dst "${@}"
2004-10-30 21:13:26 +00:00
fi
2015-02-19 01:21:51 +00:00
set_work_function "Rules for ypserv on server '${x}'"
2015-02-06 20:43:23 +00:00
rules_custom "${mychain}" "${type}" nis-ypserv "${server_ypserv_ports}" "500:65535" "${action}" $dst "${@}"
2004-10-30 21:13:26 +00:00
${RM_CMD} -f "${tmp}"
echo >&2 ""
echo >&2 "WARNING:"
echo >&2 "This firewall must be restarted if NIS server ${x} is restarted!"
echo >&2 ""
done
return 0
}
2003-01-05 20:03:07 +00:00
# --- PING ---------------------------------------------------------------------
rules_ping() {
2015-01-30 22:45:56 +00:00
local mychain="${1}" \
type="${2}"
shift 2
2003-01-05 20:03:07 +00:00
2013-11-16 16:47:48 +00:00
if running_ipv4; then
2015-02-06 20:43:23 +00:00
ipv4 add_icmp_rule_pair $mychain $type echo-request echo-reply "${@}" || return 1
2003-01-05 20:03:07 +00:00
fi
2013-11-16 16:47:48 +00:00
if running_ipv6; then
2015-02-06 20:43:23 +00:00
ipv6 add_icmpv6_rule_pair $mychain $type echo-request echo-reply "${@}" || return 1
2003-01-06 01:16:41 +00:00
fi
2003-01-05 20:03:07 +00:00
return 0
}
2004-12-03 21:29:41 +00:00
# --- TIMESTAMP ----------------------------------------------------------------
rules_timestamp() {
2015-01-30 22:45:56 +00:00
local mychain="${1}" \
type="${2}" \
status=0
shift 2
2013-11-16 16:47:48 +00:00
if ! push_namespace ipv4; then return 1; fi
2015-02-06 20:43:23 +00:00
add_icmp_rule_pair $mychain $type timestamp-request timestamp-reply "${@}" || status=1
2004-12-03 21:29:41 +00:00
2013-11-16 16:47:48 +00:00
pop_namespace
return $status
}
# --- IVP6NEIGH ----------------------------------------------------------------
rules_ipv6neigh() {
2015-01-30 22:45:56 +00:00
local mychain="${1}" \
type="${2}" \
status=0
shift 2
2013-11-16 16:47:48 +00:00
if ! push_namespace ipv6; then return 1; fi
2015-02-06 20:43:23 +00:00
add_icmpv6_rule_pair_stateless $mychain $type neighbour-solicitation neighbour-advertisement "${@}" || status=1
2013-11-16 16:47:48 +00:00
pop_namespace
return $status
2004-12-03 21:29:41 +00:00
}
2013-11-16 16:47:48 +00:00
# --- IVP6ROUTER ---------------------------------------------------------------
rules_ipv6router() {
2015-01-30 22:45:56 +00:00
local mychain="${1}" \
type="${2}" \
status=0
shift 2
2013-11-16 16:47:48 +00:00
if ! push_namespace ipv6; then return 1; fi
2015-02-06 20:43:23 +00:00
add_icmpv6_rule_pair_stateless $mychain $type router-solicitation router-advertisement "${@}" || status=1
2013-11-16 16:47:48 +00:00
pop_namespace
return $status
}
# --- IVP6ERROR ----------------------------------------------------------------
rules_ipv6error() {
2015-01-30 22:45:56 +00:00
local mychain="${1}" \
type="${2}"
shift 2
2013-11-16 16:47:48 +00:00
if ! push_namespace ipv6; then return 1; fi
for icmptype in destination-unreachable \
packet-too-big \
ttl-zero-during-transit \
ttl-zero-during-reassembly \
unknown-header-type \
unknown-option
do
2015-02-06 20:43:23 +00:00
add_icmpv6_rule_error $mychain $type $icmptype "${@}"
2013-11-16 16:47:48 +00:00
if [ $? -ne 0 ]
then
pop_namespace
return 1
fi
done
pop_namespace
return 0
}
2003-01-05 20:03:07 +00:00
2004-11-02 00:37:15 +00:00
# --- ANYSTATELESS -------------------------------------------------------------
rules_anystateless() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}" \
name="${3}"
shift 3
2004-11-02 00:37:15 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ "${FIREHOL_RULESET_MODE}" = "optimal" ]
then
# FIXME
# We could insert an untrack rule in raw table to make this stateless
error "Stateless rules are not supported in 'optimal' mode. Please set FIREHOL_RULESET_MODE='accurate'."
return 1
fi
2004-11-02 00:37:15 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
# allow new and established incoming packets
2015-02-06 20:43:23 +00:00
rule ${in} action "${@}" chain "${in}_${mychain}" || return 1
2004-11-02 00:37:15 +00:00
# allow outgoing established packets
2015-02-06 20:43:23 +00:00
rule ${out} reverse action "${@}" chain "${out}_${mychain}" || return 1
2004-11-02 00:37:15 +00:00
return 0
}
2002-11-01 19:37:20 +00:00
# --- MULTICAST ----------------------------------------------------------------
rules_multicast() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}"
shift 2
2002-11-01 19:37:20 +00:00
if [ "${type}" = "client" ]
then
in=out
out=in
fi
2002-12-04 21:32:26 +00:00
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
2002-11-01 19:37:20 +00:00
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
# match multicast packets in both directions
2015-02-06 20:43:23 +00:00
rule ${out} action "${@}" chain "${out}_${mychain}" dst "${MULTICAST_IPS}" proto 2 || return 1
rule ${in} reverse action "${@}" chain "${in}_${mychain}" src "${MULTICAST_IPS}" proto 2 || return 1
2007-07-20 21:28:13 +00:00
2015-02-06 20:43:23 +00:00
rule ${out} action "${@}" chain "${out}_${mychain}" dst "${MULTICAST_IPS}" proto udp || return 1
rule ${in} reverse action "${@}" chain "${in}_${mychain}" src "${MULTICAST_IPS}" proto udp || return 1
2002-11-01 19:37:20 +00:00
return 0
}
2002-12-23 14:39:19 +00:00
# --- CUSTOM -------------------------------------------------------------------
2002-09-05 20:57:59 +00:00
2002-12-23 14:39:19 +00:00
rules_custom() {
2015-01-30 22:45:56 +00:00
local in=in out=out \
client_ports="${DEFAULT_CLIENT_PORTS}" \
mychain="${1}" \
type="${2}" \
server="${3}" \
my_server_ports="${4}" \
my_client_ports="${5}" \
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
helpers= x= proto= protocols= sp= sport= cport= \
require_ct=0
2015-01-30 22:45:56 +00:00
shift 5
2002-09-05 20:57:59 +00:00
2009-02-19 05:27:49 +00:00
if [ "$1" = "helpers" ]
then
2015-01-30 22:45:56 +00:00
helpers="$2"
2009-02-19 05:27:49 +00:00
shift 2
fi
2002-12-23 14:39:19 +00:00
if [ "${type}" = "client" ]
2002-09-05 20:57:59 +00:00
then
2002-12-23 14:39:19 +00:00
in=out
out=in
2002-09-05 20:57:59 +00:00
fi
2002-10-31 15:31:52 +00:00
2002-12-23 14:39:19 +00:00
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
2002-10-31 15:31:52 +00:00
then
2002-12-23 14:39:19 +00:00
client_ports="${LOCAL_CLIENT_PORTS}"
2002-10-31 15:31:52 +00:00
fi
2002-12-23 14:39:19 +00:00
# ----------------------------------------------------------------------
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# do we have to create CT entries?
2015-02-15 10:55:11 +00:00
if [ "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "firehol" -a ! -z "${helpers}" ]
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
then
for x in ${helpers}
do
case "${x}" in
sip|ftp|tftp|sane)
require_ct=1
;;
pptp|irc)
running_ipv4 && require_ct=1
running_ipv6 && require_ct=0
;;
h323|proto_gre|amanda|netbios_ns)
require_ct=0
;;
esac
done
if [ ${require_ct} -eq 1 ]
then
# reconstruct the path of flow in the 'raw' table
if [ "${work_cmd}" = "interface" ]
then
reconstruct_flow_inheritance in raw PREROUTING outface any
reconstruct_flow_inheritance out raw OUTPUT inface any
else
reconstruct_flow_inheritance in raw PREROUTING outface any
reconstruct_flow_inheritance out raw PREROUTING outface any
fi
fi
fi
2002-09-05 20:57:59 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# find all protocols used by the service
for x in ${my_server_ports}
2002-12-23 14:39:19 +00:00
do
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
proto="${x//\/*/}"
protocols="|${protocols//|${proto}|/}|${proto}|"
done
# find all client ports
cport="${my_client_ports//default/${client_ports}}"
2015-01-24 02:21:04 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# generate one set of rules per protocol (all server and clients ports used by the protocol)
for proto in ${protocols//|/ }
do
# find all the server ports of this protocol
sport=
for sp in ${my_server_ports}
2002-12-23 14:39:19 +00:00
do
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
[ "${sp//\/*/}" = "${proto}" ] && sport="${sport} ${sp//*\//}"
2002-12-23 14:39:19 +00:00
done
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
set_work_function "Rules for ${server} ${type}, with server port(s) '${proto}/${sport}' and client port(s) '${cport}'"
# allow new and established incoming packets
rule ${in} action "${@}" chain "${in}_${mychain}" proto "${proto}" sport "${cport}" dport "${sport}" state NEW,ESTABLISHED || return 1
# allow outgoing established packets
rule ${out} reverse action "${@}" chain "${out}_${mychain}" proto "${proto}" sport "${cport}" dport "${sport}" state ESTABLISHED || return 1
if [ ${require_ct} -eq 1 ]
then
for x in ${helpers}
do
# configure the helper
# this is the same with the request and the reply, but with action CT.
2015-02-19 01:21:51 +00:00
set_work_function "Rules for configuring helper '${x}'"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# FIXME
# for each helper we should find out which packet determines the RELATED socket
# so that we will not match both client->server and server->client, but only one
# of the two. This will further limit the security threat due to helper use.
rule table raw ${in} action "${@}" chain "${in}_${mychain}" proto "${proto}" sport "${cport}" dport "${sport}" nosoftwarnings action CT helper ${x} || return 1
rule table raw ${out} reverse action "${@}" chain "${out}_${mychain}" proto "${proto}" sport "${cport}" dport "${sport}" nosoftwarnings action CT helper ${x} || return 1
done
fi
2002-12-23 14:39:19 +00:00
done
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# generate the helper rules to match RELATED traffic
2009-02-19 05:27:49 +00:00
for x in ${helpers}
do
2015-02-19 01:21:51 +00:00
set_work_function "Rules for RELATED packets to ${server} ${type}, using helper '${x}'"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# match RELATED packets
# we do not match server and client ports here, because the RELATED packet we are trying
# to match may not be on these ports
# FIXME
# the above FIXME note applies here too: We should know what we expect to match, per helper.
# The way it is implemented now, we inherit src/dst and inface/outface (since the rules below
# are implemented in the chain of the actual service rules, but since we match both directions
# of traffic, we may have allowed also spoofed packets to be matched as RELATED - it is totaly
# up to the helper to figure out if the traffic we see is really RELATED to an ESTABLISHED
# socket or not).
2015-02-19 21:06:00 +00:00
# Note
# ESTABLISHED connections matching is required at this point, because the replies of RELATED sockets
# will not be accepted by the connection tracker. Example: ftp (test without client all accept)
rule ${in} action "${@}" chain "${in}_${mychain}" helper ${x} state RELATED,ESTABLISHED || return 1
rule ${out} reverse action "${@}" chain "${out}_${mychain}" helper ${x} state RELATED,ESTABLISHED || return 1
2009-02-19 05:27:49 +00:00
done
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2002-09-05 20:57:59 +00:00
return 0
}
2004-10-28 23:03:06 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# SUPPORT FOR EXTERNAL DEFINITIONS OF SERVICES
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
# Load all the services.
# All these files should start with: #FHVER: 1
2015-01-06 17:53:45 +00:00
cd "${FIREHOL_SERVICES_DIR}" || exit 1
2004-10-28 23:03:06 +00:00
for f in `ls *.conf 2>/dev/null`
do
2015-01-06 17:53:45 +00:00
cd "${FIREHOL_SERVICES_DIR}" || exit 1
2004-10-28 23:03:06 +00:00
2005-01-24 21:23:38 +00:00
if [ ! -O "${f}" ]
then
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING >>> Ignoring service in '${FIREHOL_SERVICES_DIR}/${f}' because it is not owned by root."
2005-01-24 21:23:38 +00:00
continue
fi
2004-10-28 23:03:06 +00:00
n=`"${HEAD_CMD}" -n 1 "${f}" | "${CUT_CMD}" -d ':' -f 2`
"${EXPR_CMD}" ${n} + 0 >/dev/null 2>&1
if [ $? -ne 0 ]
then
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING >>> Ignoring service in '${FIREHOL_SERVICES_DIR}/${f}' due to malformed header."
2004-10-28 23:03:06 +00:00
elif [ ${n} -ne ${FIREHOL_SERVICES_API} ]
then
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING >>> Ignoring service '${FIREHOL_SERVICES_DIR}/${f}' due to incompatible API version."
2004-10-28 23:03:06 +00:00
else
2004-11-01 00:13:00 +00:00
n=`"${HEAD_CMD}" -n 1 "${f}" | "${CUT_CMD}" -d ':' -f 3`
"${EXPR_CMD}" ${n} + 0 >/dev/null 2>&1
if [ $? -ne 0 ]
2004-10-28 23:03:06 +00:00
then
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING >>> Ignoring service in '${FIREHOL_SERVICES_DIR}/${f}' due to malformed API minor number."
2004-11-01 00:13:00 +00:00
else
2013-10-15 21:24:18 +00:00
source ${f}
ret=$?
if [ ${ret} -ne 0 ]
2004-11-01 00:13:00 +00:00
then
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING >>> Service in '${FIREHOL_SERVICES_DIR}/${f}' returned code ${ret}."
2013-10-15 21:24:18 +00:00
continue
2004-11-01 00:13:00 +00:00
fi
2004-10-28 23:03:06 +00:00
fi
fi
done
2004-10-30 21:27:00 +00:00
cd "${FIREHOL_DEFAULT_WORKING_DIRECTORY}" || exit 1
2004-10-28 23:03:06 +00:00
2013-09-25 23:50:30 +00:00
# ------------------------------------------------------------------------------
# The caller may need just our services definitions
if [ "$1" = "gimme-the-services-defs" ]
then
return 0
exit 1
fi
2004-10-28 23:03:06 +00:00
2003-01-06 16:13:34 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# HELPER FUNCTIONS BELLOW THIS POINT
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
2015-02-19 21:06:00 +00:00
setup_lo_rpfilter=0
declare -A setup_lo_route_interfaces=()
setup_lo_for_synproxy() {
# disable rpfilter for lo
if [ ${setup_lo_rpfilter} -eq 0 ]
then
postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.lo.rp_filter=0
setup_lo_rpfilter=1
fi
local x=
for x in "${@}"
do
if [ -z "${setup_lo_route_interfaces[$x]}" ]
then
2015-02-20 00:07:54 +00:00
postprocess -ne ${SYSCTL_CMD} -w net.ipv4.conf.${x}.route_localnet=1
2015-02-19 21:06:00 +00:00
syslog info "Enabling net.ipv4.conf.${x}.route_localnet=1."
setup_lo_route_interfaces[$x]=1
fi
done
return 0
}
finalize_synproxy() {
local oldns= x= ipvall=
[ ${synproxy_hooks_added4} -eq 1 ] && ipvall="${ipvall} ipv4"
[ ${synproxy_hooks_added6} -eq 1 ] && ipvall="${ipvall} ipv6"
for x in ${ipvall}
do
oldns="${FIREHOL_NS_CURR}"
FIREHOL_NS_CURR="${x}"
2015-02-19 23:37:52 +00:00
set_work_function -ne "Prevent SYNPROXY->SERVER SYN from traversing the raw table"
rule table raw chain SYNPROXY2SERVER_PRE action ACCEPT || return 1
rule table raw chain SYNPROXY2SERVER_OUT action ACCEPT || return 1
#set_work_function -ne "Prevent SYNPROXY->SERVER SYN from traversing the mangle table"
#rule table mangle chain SYNPROXY2SERVER_PRE action ACCEPT || return 1
#rule table mangle chain SYNPROXY2SERVER_IN action ACCEPT || return 1
#rule table mangle chain SYNPROXY2SERVER_OUT action ACCEPT || return 1
#rule table mangle chain SYNPROXY2SERVER_POST action ACCEPT || return 1
2015-02-19 21:06:00 +00:00
set_work_function -ne "Prevent SYNPROXY->SERVER SYN from traversing the nat table"
rule table nat chain SYNPROXY2SERVER_PRE action ACCEPT || return 1
rule table nat chain SYNPROXY2SERVER_OUT action ACCEPT || return 1
set_work_function -ne "Orphan SYN packet from SYNPROXY"
rule table filter chain SYNPROXY2SERVER_IN action DROP loglimit "ORPHAN SYNPROXY->SERVER filter.IN" || return 1
rule table filter chain SYNPROXY2SERVER_OUT action DROP loglimit "ORPHAN SYNPROXY->SERVER filter.OUT" || return 1
FIREHOL_NS_CURR="${oldns}"
done
}
synproxy_hooks_added4=0
synproxy_hooks_added6=0
synproxy_mark=
2015-02-15 18:30:34 +00:00
synproxy4() { ipv4 synproxy "${@}"; }
synproxy6() { ipv6 synproxy "${@}"; }
synproxy46() { both synproxy "${@}"; }
synproxy() {
work_realcmd_helper ${FUNCNAME} "${@}"
2015-02-22 05:35:29 +00:00
local where="${1}" chain= match=() action= action_args=() log=() \
2015-02-23 07:34:05 +00:00
inface=() dst=() src=() overwrite_in=() overwrite_out=() \
x= dohooks=0 owner=()
2015-02-15 18:30:34 +00:00
shift
2015-02-19 01:21:51 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2015-02-15 18:30:34 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2015-02-16 01:29:21 +00:00
while [ ! -z "${1}" ]
do
case "${1,,}" in
2015-02-19 01:21:51 +00:00
dnat|redirect|accept|reject|drop)
2015-02-19 21:06:00 +00:00
action="${1^^}"; shift
2015-02-19 01:21:51 +00:00
action_args=("${@}")
break
;;
action)
action="${2}"; shift 2
action_args=("${@}")
break
;;
*) match=("${match[@]}" "${1}")
# collect things we need later
case "${1,,}" in
inface) inface=("${inface[@]}" ${2//,/ }) ;;
dst|dst4|dst6) dst=("${dst[@]}" ${2//,/ }) ;;
2015-02-23 07:34:05 +00:00
src|src4|src6) src=("${src[@]}" ${2//,/ }) ;;
2015-02-19 01:21:51 +00:00
esac
;;
2015-02-16 01:29:21 +00:00
esac
shift
done
2015-02-19 01:21:51 +00:00
# echo >&2 "MATCH: ${match[*]}"
# echo >&2 "ACTION: ${action} ${action_args[*]}"
# if no action is given, assume ACCEPT
[ -z "${action}" ] && action="ACCEPT"
# make sure we have an inface
if [ -z "${inface[*]}" ]
then
error "You should set 'inface' interfaces for SYNPROXY."
return 1
fi
# make sure we have a dst/dst4/dst6
2015-02-23 07:34:05 +00:00
if [ ${FIREHOL_SYNPROXY_EXCLUDE_OWNER} -eq 0 -a \( -z "${dst[*]}" -o "${dst[*]}" = "not" \) ]
2015-02-19 01:21:51 +00:00
then
error "You should set 'dst' IPs for SYNPROXY."
return 1
fi
2015-02-16 01:29:21 +00:00
2015-02-23 07:34:05 +00:00
if [ ${FIREHOL_SYNPROXY_EXCLUDE_OWNER} -eq 1 ]
then
owner=(user not 0-65535 group not 0-65535)
if [ \( -z "${dst[*]}" -o "${dst[*]}" = "not" \) -a ! "${src[*]}" = "not" ]
then
error "You have to set a 'dst' or a 'src not' with SYNPROXY."
return 1
fi
fi
2015-02-19 21:06:00 +00:00
if running_both
then
error "Cannot setup SYNPROXY for both IPv4 and IPv6 at the same time."
return 1
fi
if [ ${synproxy_hooks_added4} -eq 0 -a ${synproxy_hooks_added6} -eq 0 ]
then
# make sure we have a synproxy mark
if [ -z "${MARKS_MASKS[synproxy]}" ]
then
markdef synproxy 2 temporary stateless || return 1
fi
synproxy_mark=$(mark_value synproxy 1)
fi
if running_ipv4;
then
test ${synproxy_hooks_added4} -eq 0 && dohooks=1
synproxy_hooks_added4=1
fi
if running_ipv6;
then
test ${synproxy_hooks_added6} -eq 0 && dohooks=1
synproxy_hooks_added6=1
fi
if [ ${dohooks} -eq 1 ]
then
2015-02-19 23:37:52 +00:00
# all these chains are traversed by the packet sent by the SYNPROXY to the SERVER
# the PREROUTING and INPUT ones are traversed in case of REDIRECT
# we will make sure that packets entering these chains do not return back
# thus, synproxy will not interact with the rest of the firewall.
# no state in raw - it is always INVALID.
create_chain raw SYNPROXY2SERVER_PRE PREROUTING proto tcp rawmark ${synproxy_mark}
create_chain raw SYNPROXY2SERVER_OUT OUTPUT proto tcp rawmark ${synproxy_mark}
# mangle does not harm.
# it can be used for marking packets which can then be used for NAT, but NAT is blocked for
# synproxy. we prefer to keep mangling open - it might be needed in several cases.
# mangle.INPUT and mangle.POSTROUTING are needed for CONNMARKs
#create_chain mangle SYNPROXY2SERVER_PRE PREROUTING proto tcp state NEW rawmark ${synproxy_mark}
#create_chain mangle SYNPROXY2SERVER_IN INPUT proto tcp state NEW rawmark ${synproxy_mark}
#create_chain mangle SYNPROXY2SERVER_OUT OUTPUT proto tcp state NEW rawmark ${synproxy_mark}
#create_chain mangle SYNPROXY2SERVER_POST POSTROUTING proto tcp state NEW rawmark ${synproxy_mark}
create_chain nat SYNPROXY2SERVER_PRE PREROUTING proto tcp state NEW rawmark ${synproxy_mark}
create_chain nat SYNPROXY2SERVER_OUT OUTPUT proto tcp state NEW rawmark ${synproxy_mark}
# we leave nat.POSTROUTING since it mey be need for SNAT
2015-02-19 21:06:00 +00:00
2015-02-19 23:37:52 +00:00
create_chain filter SYNPROXY2SERVER_IN INPUT proto tcp state NEW rawmark ${synproxy_mark}
create_chain filter SYNPROXY2SERVER_OUT OUTPUT proto tcp state NEW rawmark ${synproxy_mark}
2015-02-19 21:06:00 +00:00
fi
2015-02-20 00:07:54 +00:00
set_work_function "CLIENT->SERVER SYN packet untracking at table 'raw'"
2015-02-19 21:06:00 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "CLIENT->SYNPROXY SYN NOTRACK")
2015-02-22 05:35:29 +00:00
rule table raw chain PREROUTING "${match[@]}" proto tcp custom '-m tcp --syn' nosoftwarnings outface any physout any action CT --notrack "${log[@]}" || return 1
2015-02-15 18:30:34 +00:00
2015-02-19 01:21:51 +00:00
# based on where the user wants us to hook the SYNPROXY
2015-02-15 18:30:34 +00:00
for chain in ${where//,/ }
do
case "${chain^^}" in
2015-02-19 01:21:51 +00:00
PRE|PREROUTING) error "SYNPROXY cannot be used in PREROUTING"
return 1
;;
IN|INPUT) chain="INPUT"
2015-02-22 05:35:29 +00:00
if [ "${action}" = "DNAT" ]
then
overwrite_in=(nosoftwarnings outface any physout any)
overwrite_out=()
else
overwrite_in=(outface any physout any)
overwrite_out=(outface lo)
fi
2015-02-19 01:21:51 +00:00
;;
OUT|OUTPUT) error "There is no point to setup SYNPROXY on OUTPUT"
return 1
;;
PASS|FORWARD) chain="FORWARD"
2015-02-22 05:35:29 +00:00
overwrite_in=()
overwrite_out=()
2015-02-19 01:21:51 +00:00
;;
POST|POSTROUTING) error "SYNPROXY cannot be used in POSTROUTING"
return 1
2015-02-16 01:29:21 +00:00
;;
2015-02-15 18:30:34 +00:00
esac
# FIXME
# most probably we will have to support tcp options per call for this helper
2015-02-20 00:07:54 +00:00
set_work_function "CLIENT->SERVER untracked SYN (or ACK) packet intercepted by SYNPROXY at filter.${chain}"
2015-02-19 21:06:00 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "CLIENT->SYNPROXY SYN or ACK")
2015-02-22 05:35:29 +00:00
rule table filter chain ${chain} "${match[@]}" ${overwrite_in[@]} proto tcp state INVALID,UNTRACKED "${log[@]}" action SYNPROXY ${FIREHOL_SYNPROXY_OPTIONS} || return 1
2015-02-16 01:29:21 +00:00
2015-02-23 07:34:05 +00:00
set_work_function "SYNPROXY->CLIENT SYN+ACK packet at filter.OUTPUT"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->CLIENT SYN,ACK")
rule table filter chain OUTPUT reverse custom '-m tcp --tcp-flags SYN,RST,ACK SYN,ACK' "${match[@]}" ${overwrite_in[@]} proto tcp state INVALID,UNTRACKED "${log[@]}" action ACCEPT nosoftwarnings outface any physout any "${owner[@]}" || return 1
2015-02-16 01:29:21 +00:00
2015-02-19 01:21:51 +00:00
# Once the client receives the ACK from SYNPROXY, it will send an ACK back.
# This ACK will be routed again to SYNPROXY (it will be UNTRACKED too).
# Once SYNPROXY receives this ACK packet from the client, it will send a SYN to the real server.
# This SYN packet will be sent via OUTPUT chain. If it goes to localhost, it will be routed via device lo.
2015-02-16 01:29:21 +00:00
2015-02-20 00:07:54 +00:00
set_work_function "SYNPROXY->SERVER marking SYN packet at mangle.OUTPUT"
2015-02-19 21:06:00 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER SYN MARK")
2015-02-23 07:34:05 +00:00
rule table mangle chain OUTPUT "${match[@]}" proto tcp custom '-m tcp --syn' state NEW "${log[@]}" action MARK to ${synproxy_mark} nosoftwarnings inface any physin any ${overwrite_out[@]} "${owner[@]}" || return 1
2015-02-19 21:06:00 +00:00
case "${action}" in
2015-02-19 01:21:51 +00:00
DNAT)
# DNAT
# Practically we use 'dst' and a possibly defined 'dport' to make the DNAT on the OUTPUT.
# If we don't accept the traffic here, after the DNAT this traffic will use interface (not router) rules to reach the destination servers !
# src and sport will only survive this DNAT, making it impossible to match it.
# So, we mark the packet before the DNAT (matching dst and original dport) and accept it after the DNAT.
2015-02-20 00:07:54 +00:00
set_work_function "SYNPROXY->SERVER DNATing SYN packet at nat.OUTPUT"
2015-02-19 23:37:52 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER DNAT")
2015-02-26 00:35:41 +00:00
dnat "${action_args[@]}" at SYNPROXY2SERVER_OUT "${match[@]}" proto tcp nosoftwarnings "${log[@]}" inface any physin any || return 1
2015-02-19 01:21:51 +00:00
2015-02-26 00:35:41 +00:00
for x in ${!FIREHOL_LAST_NAT_MAP[@]}
do
local ip=${x/:*/}
test ! -z "${ip}" && ip="dst ${ip}"
2015-02-19 21:06:00 +00:00
2015-02-26 00:35:41 +00:00
local port=${x/*:/}
test "${port}" = "${x}" && port=
test ! -z "${port}" && port="dport ${port}"
2015-02-16 01:29:21 +00:00
2015-02-26 00:35:41 +00:00
set_work_function "SYNPROXY->SERVER accepting DNAT'd SYN packet at filter.OUTPUT"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER DNAT'd OUT")
rule table filter chain SYNPROXY2SERVER_OUT "${match[@]}" proto tcp "${log[@]}" action ACCEPT nosoftwarnings inface any physin any ${ip} ${port} || return 1
2015-02-23 07:34:05 +00:00
2015-02-26 00:35:41 +00:00
set_work_function "SERVER->CLIENT droping INVALID ACK"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SERVER->CLIENT INVALID ACK")
rule table filter chain FORWARD reverse "${match[@]}" custom '-m tcp --tcp-flags RST,ACK ACK' proto tcp state INVALID "${log[@]}" nosoftwarnings ${ip} ${port} action DROP || return 1
done
2015-02-19 01:21:51 +00:00
;;
2015-02-15 21:00:36 +00:00
2015-02-19 01:21:51 +00:00
REDIRECT)
# REDIRECT
2015-02-20 00:07:54 +00:00
set_work_function "SYNPROXY->SERVER REDIRECTing packet at nat.OUTPUT"
2015-02-19 23:37:52 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER REDIRECT")
2015-02-26 00:35:41 +00:00
redirect "${action_args[@]}" at SYNPROXY2SERVER_OUT "${match[@]}" proto tcp nosoftwarnings "${log[@]}" inface any physin any outface lo physout any || return 1
2015-02-19 01:21:51 +00:00
2015-02-19 21:06:00 +00:00
local localhost=
running_ipv4 && localhost="127.0.0.0/8"
running_ipv6 && localhost="::1"
2015-02-19 01:21:51 +00:00
2015-02-20 00:07:54 +00:00
set_work_function "SYNPROXY->SERVER accepting redirected packet at device lo at filter.OUTPUT"
2015-02-19 23:37:52 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER lo OUT")
2015-02-26 00:35:41 +00:00
rule table filter chain SYNPROXY2SERVER_OUT "${match[@]}" proto tcp "${log[@]}" action ACCEPT nosoftwarnings inface any physin any outface lo physout any dst "${localhost}" dport "${!FIREHOL_LAST_NAT_MAP[*]}" || return 1
2015-02-19 01:21:51 +00:00
2015-02-20 00:07:54 +00:00
set_work_function "SYNPROXY->SERVER accepting re-routed packet at device lo at filter.INPUT"
2015-02-19 23:37:52 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER lo IN")
2015-02-26 00:35:41 +00:00
rule table filter chain SYNPROXY2SERVER_IN "${match[@]}" proto tcp "${log[@]}" action ACCEPT nosoftwarnings inface lo physin any outface any physout any dst "${localhost}" dport "${!FIREHOL_LAST_NAT_MAP[*]}" || return 1
2015-02-20 14:04:46 +00:00
2015-02-23 07:34:05 +00:00
set_work_function "SERVER->CLIENT droping INVALID ACK"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SERVER->CLIENT INVALID ACK")
2015-02-26 00:35:41 +00:00
rule table filter chain OUTPUT reverse "${match[@]}" custom '-m tcp --tcp-flags RST,ACK ACK' proto tcp state INVALID "${log[@]}" nosoftwarnings action DROP outface any physout any dport "${!FIREHOL_LAST_NAT_MAP[*]}" || return 1
2015-02-23 07:34:05 +00:00
2015-02-20 14:04:46 +00:00
# this requires routing device lo
set_work_function "SYNPROXY->SERVER enabling routing ${inface[@]} <-> lo"
setup_lo_for_synproxy "${inface[@]}" || return 1
2015-02-19 01:21:51 +00:00
;;
*)
# Any other action
# we allow an action to be defined, since this traffic is now in device lo !
# Practically we use 'dst' and a possibly defined 'dport' to take the action on OUTPUT.
2015-02-19 21:06:00 +00:00
# FIXME
# we have to check that the action exists in mangle
if [ "${chain}" = "INPUT" ]
then
2015-02-20 14:04:46 +00:00
set_work_function "SYNPROXY->SERVER executing action ACCEPT at filter.OUTPUT (the packet will come back - re-routed via lo)"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER ACCEPT OUT (the packet will come back - re-routed via lo)")
rule table filter chain SYNPROXY2SERVER_OUT "${match[@]}" proto tcp "${log[@]}" nosoftwarnings action ACCEPT inface any physin any outface lo physout any || return 1
2015-02-19 21:06:00 +00:00
2015-02-20 00:07:54 +00:00
set_work_function "SYNPROXY->SERVER executing action ${action} after re-route at filter.INPUT"
2015-02-19 23:37:52 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER ACTION ${action^^} IN")
rule table filter chain SYNPROXY2SERVER_IN "${match[@]}" proto tcp "${log[@]}" nosoftwarnings action "${action}" "${action_args[@]}" inface lo physin any outface any physout any || return 1
2015-02-20 14:04:46 +00:00
2015-02-23 07:34:05 +00:00
set_work_function "SERVER->CLIENT droping INVALID ACK"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SERVER->CLIENT INVALID ACK")
rule table filter chain OUTPUT reverse "${match[@]}" custom '-m tcp --tcp-flags RST,ACK ACK' proto tcp state INVALID "${log[@]}" nosoftwarnings action DROP outface any physout any || return 1
2015-02-20 14:04:46 +00:00
# this requires routing device lo
set_work_function "SYNPROXY->SERVER enabling routing ${inface[@]} <-> lo"
setup_lo_for_synproxy "${inface[@]}" || return 1
2015-02-19 21:06:00 +00:00
else
2015-02-20 00:07:54 +00:00
set_work_function "SYNPROXY->SERVER executing action ${action} at filter.OUTPUT (the packet should leave the machine)"
2015-02-19 23:37:52 +00:00
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SYNPROXY->SERVER ACTION ${action^^} OUT")
2015-02-22 05:35:29 +00:00
rule table filter chain SYNPROXY2SERVER_OUT "${match[@]}" proto tcp "${log[@]}" nosoftwarnings action "${action}" "${action_args[@]}" inface any physin any || return 1
2015-02-23 07:34:05 +00:00
set_work_function "SERVER->CLIENT droping INVALID ACK"
test ${FIREHOL_SYNPROXY_LOG} -eq 1 && log=(loglimit "SERVER->CLIENT INVALID ACK")
rule table filter chain FORWARD reverse "${match[@]}" custom '-m tcp --tcp-flags RST,ACK ACK' proto tcp state INVALID "${log[@]}" nosoftwarnings action DROP || return 1
2015-02-19 21:06:00 +00:00
fi
2015-02-19 01:21:51 +00:00
;;
esac
2015-02-15 18:30:34 +00:00
done
FIREHOL_TCP_SYN_COOKIES=1
FIREHOL_TCP_TIMESTAMPS=1
FIREHOL_DROP_INVALID=1
FIREHOL_CONNTRACK_LOOSE_MATCHING=0
}
2015-02-15 10:19:43 +00:00
FIREHOL_CTHELPER_WARNING=0
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
cthelper4() { ipv4 cthelper "${@}"; }
cthelper6() { ipv6 cthelper "${@}"; }
cthelper46() { both cthelper "${@}"; }
cthelper() {
work_realcmd_helper ${FUNCNAME} "${@}"
local helper="${1}" where="${2}"
shift 2
set_work_function -ne "Initializing ${FUNCNAME}"
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2015-02-15 10:55:11 +00:00
if [ ! "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "manual" -a ${FIREHOL_CTHELPER_WARNING} -eq 0 ]
2015-02-15 10:19:43 +00:00
then
2015-02-15 10:55:11 +00:00
warning "Automatic helper assignment on all traffic is set to '${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}'. You should set FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT='manual' to disable it since you are using cthelper to configure the helpers."
2015-02-15 10:19:43 +00:00
FIREHOL_CTHELPER_WARNING=1
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
case "${helper}" in
amanda) ;;
ftp) ;;
tftp) error "${FUNCNAME}: helper '${helper}' cannot be configured"
;;
h323) error "${FUNCNAME}: H.323 cannot be configured."
return 1
;;
irc) if running_ipv6
then
error "${FUNCNAME}: helper '${helper}' does not support IPv6."
return 1
fi
;;
netbios_ns|netbios-ns|samba)
helper="netbions_ns"
error "${FUNCNAME}: helper '${helper}' cannot be configured"
;;
pptp) if running_ipv6
then
error "${FUNCNAME}: helper '${helper}' does not support IPv6."
return 1
fi
;;
proto_gre|gre)
error "${FUNCNAME}: helper '${helper}' cannot be configured"
;;
sane) ;;
sip) # Should include a 'dst' towards the media servers
# https://home.regit.org/netfilter-en/secure-use-of-helpers/
;;
*) error "${FUNCNAME}: Unknown connection tracker helper '${helper}'."
return 1
;;
esac
2015-02-15 18:30:34 +00:00
case "${where^^}" in
IN|INPUT|PREROUTING)
2015-02-15 09:55:09 +00:00
rule table raw chain PREROUTING "${@}" action CT helper "${helper}" || return 1
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
;;
2015-02-15 18:30:34 +00:00
OUT|OUTPUT)
2015-02-15 09:55:09 +00:00
rule table raw chain OUTPUT "${@}" action CT helper "${helper}" || return 1
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
;;
2015-02-15 18:30:34 +00:00
BOTH|BIDIRECTIONAL|INOUT)
2015-02-15 09:55:09 +00:00
rule table raw chain PREROUTING "${@}" action CT helper "${helper}" || return 1
rule table raw chain OUTPUT reverse "${@}" action CT helper "${helper}" || return 1
;;
*)
rule table raw chain "${where}" "${@}" action CT helper "${helper}" || return 1
;;
esac
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
return 0
}
2004-05-05 23:41:19 +00:00
ecn_shame() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2012-09-23 13:49:31 +00:00
softwarning "ECN_SHAME IP list no longer available, helper is ignored."
return 0
}
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
# define custom actions
2015-02-08 12:42:35 +00:00
action4() { ipv4 action "${@}"; }
action6() { ipv6 action "${@}"; }
action46() { both action "${@}"; }
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
action() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
2015-02-08 12:42:35 +00:00
local name="${1}" type= tables="filter" t=
local -a args=()
shift
if [ "${1}" = "table" -o "${1}" = "tables" ]
then
tables="${2}"
shift 2
fi
2015-02-19 21:06:00 +00:00
for t in ${tables/,/ }
do
create_chain ${t} ${name} || return 1
done
2015-02-08 12:42:35 +00:00
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
while [ ! -z "${1}" ]
do
2015-02-08 12:42:35 +00:00
type="${1}"
shift
args=()
while [ ! -z "${1}" -a ! "${1}" = "next" ]
do
args=( "${args[@]}" "${1}" )
shift
done
[ "${1}" = "next" ] && shift
case "${type}" in
chain|action)
for t in ${tables//,/ }
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
do
2015-02-19 01:21:51 +00:00
set_work_function "Rules for type ${type} under table ${t}: ${args[@]}"
2015-02-08 12:42:35 +00:00
rule table ${t} chain "${name}" action "${args[0]}" || return 1
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
done
;;
2015-02-08 12:42:35 +00:00
rule)
for t in ${tables//,/ }
do
2015-02-19 01:21:51 +00:00
set_work_function "Rules for type ${type} under table ${t}: ${args[@]}"
2015-02-08 12:42:35 +00:00
rule table ${t} chain "${name}" "${args[@]}" || return 1
done
;;
iptrap)
local ipt1="${args[0]}" ipt2="${args[1]}" ipt3="${args[2]}"
unset args[0] args[1] args[2]
for t in ${tables//,/ }
do
2015-02-19 01:21:51 +00:00
set_work_function "Rules for type ${type} under table ${t}: ${args[@]}"
2015-02-08 12:42:35 +00:00
iptrap "${ipt1}" "${ipt2}" "${ipt3}" chain "${name}" table ${t} "${args[@]}" || return 1
done
;;
2015-02-10 22:26:11 +00:00
ipuntrap)
local ipt1="${args[0]}" ipt2="${args[1]}"
unset args[0] args[1]
for t in ${tables//,/ }
do
2015-02-19 01:21:51 +00:00
set_work_function "Rules for type ${type} under table ${t}: ${args[@]}"
2015-02-10 22:26:11 +00:00
ipuntrap "${ipt1}" "${ipt2}" chain "${name}" table ${t} "${args[@]}" || return 1
done
;;
2015-02-27 22:31:32 +00:00
sockets_suspects_trap)
if [ "${#args[@]}" -lt 3 ]
then
error "action ${type} requires 3 parameters: suspects_timeout, trap_timeout, valid_connections"
return 1
fi
local suspects_timeout="${args[0]}" trap_timeout="${args[1]}" connections="${args[2]}"
unset args[0] args[1] args[2]
for t in ${tables//,/ }
do
set_work_function "Rules for ${name}_sockets iptrap under table ${t}: ${args[@]}"
iptrap ${name}_sockets src,dst,dst ${suspects_timeout} method "hash:ip,port,ip" counters \
chain "${name}" table ${t} \
state NEW log "${name} NEW SOCKET" \
"${args[@]}" || return 1
set_work_function "Rules for ${name}_suspects iptrap under table ${t}"
iptrap ${name}_suspects src ${suspects_timeout} counters \
chain "${name}" table ${t} \
state NEW log "${name} NEW SUSPECT" \
ipset ${name}_sockets src,dst,dst no-counters packets 1 || return 1
set_work_function "Rules for ${name}_trap iptrap under table ${t}"
iptrap ${name}_trap src ${trap_timeout} \
chain "${name}" table ${t} \
state NEW log "${name} TRAPPED" \
ipset ${name}_suspects src no-counters packets-above ${connections} || return 1
done
;;
2015-02-08 12:42:35 +00:00
*)
error "${FUNCNAME}: Unknown action type '${type}'. Format is: ${FUNCNAME} name type type_parameters"
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
return 1
;;
esac
done
2015-02-08 12:42:35 +00:00
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
return 0
}
2015-02-01 19:20:14 +00:00
masquerade4() { ipv4 masquerade "${@}"; }
masquerade6() { ipv6 masquerade "${@}"; }
masquerade46() { both masquerade "${@}"; }
2003-01-07 20:21:57 +00:00
masquerade() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2003-01-07 20:21:57 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2003-01-07 20:21:57 +00:00
2015-02-02 21:28:35 +00:00
local f="${work_outface}" ports= random=
while [ ! -z "${1}" ]
do
case "${1}" in
reverse)
f="${work_inface}"
shift
;;
ports|to-ports|--to-ports)
ports="to-ports ${2}"
shift 2
;;
random|--random)
random="random"
shift
;;
*)
test -z "${f}" && f="${1}" && shift
break
;;
esac
done
2003-01-07 20:21:57 +00:00
test -z "${f}" && error "masquerade requires an interface set or as argument" && return 1
2015-02-19 01:21:51 +00:00
set_work_function "Masquerade on interface '${f}'"
2003-01-07 20:21:57 +00:00
2015-03-01 22:38:31 +00:00
rule noowner table nat chain POSTROUTING "${@}" inface any outface "${f}" state NEW action MASQUERADE ${ports} ${random} || return 1
2003-01-07 20:21:57 +00:00
FIREHOL_NAT=1
FIREHOL_ROUTING=1
return 0
}
2004-12-21 21:49:11 +00:00
transparent_proxy_count=0
2015-02-01 19:20:14 +00:00
transparent_proxy4() { ipv4 transparent_proxy "${@}"; }
transparent_proxy6() { ipv6 transparent_proxy "${@}"; }
transparent_proxy46() { both transparent_proxy "${@}"; }
2004-12-21 21:49:11 +00:00
transparent_proxy() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2003-01-06 16:13:34 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2003-01-13 23:31:03 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2003-01-13 23:31:03 +00:00
2015-01-30 22:45:56 +00:00
local ports="${1}" \
redirect="${2}" \
user="${3}"
shift 3
2003-01-06 16:13:34 +00:00
2004-12-21 21:49:11 +00:00
test -z "${redirect}" && error "Proxy listening port is empty" && return 1
2003-01-06 16:13:34 +00:00
2004-12-21 21:49:11 +00:00
transparent_proxy_count=$[transparent_proxy_count + 1]
2003-01-06 16:13:34 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for catching routed tcp/${ports} traffic"
2003-01-06 16:13:34 +00:00
2015-02-13 00:43:38 +00:00
#create_chain nat "in_trproxy.${transparent_proxy_count}" PREROUTING noowner "${@}" outface any proto tcp sport "${DEFAULT_CLIENT_PORTS}" dport "${ports}" || return 1
#rule table nat chain "in_trproxy.${transparent_proxy_count}" proto tcp action REDIRECT to-port ${redirect} || return 1
rule table nat chain PREROUTING noowner "${@}" outface any proto tcp sport "${DEFAULT_CLIENT_PORTS}" dport "${ports}" action REDIRECT to-port ${redirect} || return 1
2003-01-06 16:13:34 +00:00
2003-01-07 20:21:57 +00:00
if [ ! -z "${user}" ]
then
2015-02-19 01:21:51 +00:00
set_work_function "Rules for catching outgoing tcp/${ports} traffic"
2015-02-06 20:43:23 +00:00
create_chain nat "out_trproxy.${transparent_proxy_count}" OUTPUT "${@}" uid not "${user}" nosoftwarnings inface any outface any src any proto tcp sport "${LOCAL_CLIENT_PORTS}" dport "${ports}" || return 1
2003-01-08 22:42:46 +00:00
2004-12-21 21:49:11 +00:00
# do not catch traffic for localhost servers
2015-02-13 00:43:38 +00:00
# rule table nat chain "out_trproxy.${transparent_proxy_count}" dst "127.0.0.1" action RETURN || return 1
rule table nat chain "out_trproxy.${transparent_proxy_count}" proto tcp dst not "127.0.0.1" action REDIRECT to-port ${redirect} || return 1
2003-01-07 20:21:57 +00:00
fi
2003-01-06 16:13:34 +00:00
FIREHOL_NAT=1
2003-01-07 20:21:57 +00:00
FIREHOL_ROUTING=1
2003-01-06 16:13:34 +00:00
return 0
}
2015-02-01 19:20:14 +00:00
transparent_squid4() { ipv4 transparent_squid "${@}"; }
transparent_squid6() { ipv6 transparent_squid "${@}"; }
transparent_squid46() { both transparent_squid "${@}"; }
2004-12-21 21:49:11 +00:00
transparent_squid() {
2015-02-06 20:43:23 +00:00
transparent_proxy 80 "${@}"
2004-12-21 21:49:11 +00:00
}
2015-01-22 21:09:18 +00:00
FIREHOL_TPROXY_MARK=
FIREHOL_TPROXY_IP_ROUTE_TABLE="241"
2014-03-25 21:13:20 +00:00
FIREHOL_TPROXY_ROUTE_DEVICE="lo"
tproxy_setup_ip_route() {
2015-01-22 21:09:18 +00:00
require_cmd ip
2015-01-22 22:34:22 +00:00
2014-03-25 21:13:20 +00:00
local x=
for x in inet inet6
do
# remove the existing ip rules for this mark
2015-01-22 21:09:18 +00:00
postprocess -ne ${IP_CMD} -f $x rule del lookup $FIREHOL_TPROXY_IP_ROUTE_TABLE
2014-03-25 21:13:20 +00:00
# remove the existing rules from the ip route table
2014-12-30 18:42:58 +00:00
postprocess -ne ${IP_CMD} -f $x route flush table $FIREHOL_TPROXY_IP_ROUTE_TABLE
2014-03-25 21:13:20 +00:00
2015-02-19 21:06:00 +00:00
# add the ip rule to match the mark and forward it to the proper ip route table for tproxy
2014-12-30 18:42:58 +00:00
postprocess -warn ${IP_CMD} -f $x rule add from all fwmark $FIREHOL_TPROXY_MARK lookup $FIREHOL_TPROXY_IP_ROUTE_TABLE
2014-03-25 21:13:20 +00:00
# add the route to forward all traffic to lo, on the ip route table for tproxy
2014-12-30 18:42:58 +00:00
postprocess -warn ${IP_CMD} -f $x route add local default dev $FIREHOL_TPROXY_ROUTE_DEVICE table $FIREHOL_TPROXY_IP_ROUTE_TABLE
2014-03-25 21:13:20 +00:00
done
# disable the reverse path discovery for lo
2014-12-30 18:42:58 +00:00
postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.default.rp_filter=0
postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.all.rp_filter=0
postprocess -warn ${SYSCTL_CMD} -w net.ipv4.conf.$FIREHOL_TPROXY_ROUTE_DEVICE.rp_filter=0
2014-03-25 21:13:20 +00:00
}
tproxy_count=0
2015-02-01 19:20:14 +00:00
tproxy4() { ipv4 tproxy "${@}"; }
tproxy6() { ipv6 tproxy "${@}"; }
tproxy46() { both tproxy "${@}"; }
2014-03-25 21:13:20 +00:00
tproxy() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2014-03-25 21:13:20 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2014-03-25 21:13:20 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2014-03-25 21:13:20 +00:00
local ports="${1}"; shift
2015-01-22 21:09:18 +00:00
if [ -z "${FIREHOL_TPROXY_MARK}" ]
then
2015-01-24 15:32:23 +00:00
#FIREHOL_TPROXY_MARK="$[ MARKS_MAX[usermark] << MARKS_SHIFT[usermark] ]/${MARKS_MASKS[usermark]}"
FIREHOL_TPROXY_MARK="$(mark_value usermark MARKS_MAX[usermark])"
2015-01-22 21:09:18 +00:00
fi
2015-01-30 22:45:56 +00:00
local tproxy_action_options="tproxy-mark $FIREHOL_TPROXY_MARK" \
tport= \
tip=
2014-03-25 21:42:13 +00:00
if [ "$1" = "port" ]
then
2015-01-30 22:45:56 +00:00
tproxy_action_options="$tproxy_action_options on-port ${2}"
tport="${2}"
2014-03-25 21:42:13 +00:00
shift 2
else
error "TPROXY needs at least the port the proxy is listening at."
return 1
fi
if [ "$1" = "ip" ]
then
2015-01-30 22:45:56 +00:00
tproxy_action_options="$tproxy_action_options on-ip ${2}"
tip="${2}"
2014-03-25 21:42:13 +00:00
shift 2
fi
2014-03-25 21:13:20 +00:00
tproxy_count=$[tproxy_count + 1]
2015-02-19 01:21:51 +00:00
set_work_function "Rules for catching routed tcp/${ports} traffic"
2014-03-25 21:13:20 +00:00
2015-02-06 20:43:23 +00:00
create_chain mangle "in_tproxy.${tproxy_count}" PREROUTING "${@}" outface any proto tcp dport "${ports}" || return 1
2014-03-25 21:13:20 +00:00
2014-03-25 21:42:13 +00:00
create_chain mangle "in_tproxy.${tproxy_count}.divert" "in_tproxy.${tproxy_count}" proto tcp custom '-m socket' || return 1
2014-03-25 21:13:20 +00:00
rule table mangle chain "in_tproxy.${tproxy_count}.divert" action MARK to $FIREHOL_TPROXY_MARK
rule table mangle chain "in_tproxy.${tproxy_count}.divert" action ACCEPT
rule table mangle chain "in_tproxy.${tproxy_count}" proto tcp action TPROXY ${tproxy_action_options} || return 1
FIREHOL_NAT=1
FIREHOL_ROUTING=1
if [ $tproxy_count -eq 1 ]
then
2014-12-30 18:42:58 +00:00
tproxy_setup_ip_route
2014-03-25 21:13:20 +00:00
fi
return 0
}
2015-02-26 00:35:41 +00:00
declare -A FIREHOL_LAST_NAT_MAP=()
2003-01-16 00:55:36 +00:00
nat_count=0
2004-04-23 22:15:18 +00:00
nat_helper() {
2015-02-06 20:43:23 +00:00
# work_realcmd_helper ${FUNCNAME} "${@}"
2003-01-16 00:33:26 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2003-01-16 00:33:26 +00:00
2004-04-23 22:15:18 +00:00
require_work clear || ( error "NAT cannot be used in '${work_cmd}'. Put all NAT related commands before any '${work_cmd}' definition."; return 1 )
2003-01-16 00:33:26 +00:00
2015-02-26 00:35:41 +00:00
local type="${1}" to="${2}" tos=() name= persistent=0 \
chain= chains=() action= options= requirements= overwrite= \
x= w= total= balance=() args=() proto=(any) total_weight=0 without_weight=0 mode="nth"
2015-01-30 22:45:56 +00:00
shift 2
2003-01-16 00:33:26 +00:00
2003-01-16 00:55:36 +00:00
nat_count=$[nat_count + 1]
2015-02-26 00:35:41 +00:00
FIREHOL_LAST_NAT_MAP=()
2015-02-19 01:21:51 +00:00
set_work_function -ne "Rules for NAT type: '${type}'"
2003-01-16 00:55:36 +00:00
case ${type} in
to-source)
2015-02-26 00:35:41 +00:00
chains=(POSTROUTING)
#possible_chains="POSTROUTING INPUT"
2015-01-30 22:45:56 +00:00
action=snat
2015-03-01 21:59:35 +00:00
overwrite="inface any"
2015-02-26 00:35:41 +00:00
tos=(${to//,/ })
2003-01-16 00:55:36 +00:00
;;
to-destination)
2015-02-26 00:35:41 +00:00
chains=(PREROUTING)
#possible_chains="PREROUTING OUTPUT"
2015-01-30 22:45:56 +00:00
action=dnat
2015-02-13 00:43:38 +00:00
requirements=noowner
overwrite="outface any"
2015-02-26 00:35:41 +00:00
tos=(${to//,/ })
2003-01-16 00:55:36 +00:00
;;
2003-01-25 00:37:37 +00:00
redirect-to)
2015-02-26 00:35:41 +00:00
chains=(PREROUTING)
#possible_chains="PREROUTING OUTPUT"
2015-01-30 22:45:56 +00:00
action=redirect
2015-02-13 00:43:38 +00:00
requirements=noowner
overwrite="outface any"
2015-02-26 00:35:41 +00:00
tos=(${to//,/ })
2003-01-25 00:37:37 +00:00
;;
2003-01-16 00:55:36 +00:00
*)
2015-02-06 20:43:23 +00:00
error "${FUNCNAME} requires a type (i.e. to-source, to-destination, redirect-to, etc) as its first argument. '${type}' is not understood."
2003-01-16 00:55:36 +00:00
return 1
;;
esac
2003-01-16 00:33:26 +00:00
2015-02-26 00:35:41 +00:00
args=(${requirements})
2015-02-22 01:51:41 +00:00
while [ ! -z "${1}" ]
do
case "${1,,}" in
random|--random)
options="${options} random"
;;
persistent|--persistent)
2015-02-26 00:35:41 +00:00
persistent=1
2015-02-22 01:51:41 +00:00
options="${options} persistent"
2015-02-26 00:35:41 +00:00
[ "${action}" = "redirect" ] && error "Persistence is not supported by redirect." && return 1
2015-02-22 01:51:41 +00:00
;;
2015-02-26 00:35:41 +00:00
at) chains=()
for chain in ${2//,/ }
2015-02-22 01:51:41 +00:00
do
2015-02-26 00:35:41 +00:00
case "${chain^^}" in
PRE|PREROUTING) chains=("${chains[@]}" "PREROUTING") ;;
IN|INPUT) chains=("${chains[@]}" "INPUT") ;;
OUT|OUTPUT) chains=("${chains[@]}" "OUTPUT") ;;
PASS|FORWARD) chains=("${chains[@]}" "FORWARD") ;;
POST|POSTROUTING) chains=("${chains[@]}" "POSTROUTING") ;;
*) chains=("${chains[@]}" "${chain}");;
2015-02-22 01:51:41 +00:00
esac
done
2015-02-26 00:35:41 +00:00
shift
2015-02-22 01:51:41 +00:00
;;
2015-02-26 00:35:41 +00:00
name) name="${2}"
shift
;;
# we need the protocol in case of a balancer
proto) proto=(${2//,/ })
shift
;;
*) args=("${args[@]}" "${1}")
2015-02-22 01:51:41 +00:00
;;
esac
2015-02-26 00:35:41 +00:00
shift
2015-02-22 01:51:41 +00:00
done
2015-02-26 00:35:41 +00:00
args=("${args[@]}" ${overwrite} nosoftwarnings state NEW)
# the total combinations we have
total="${#tos[@]}"
if [ ${total} -gt 1 -a ${persistent} -eq 1 ]
then
warning "${action} will not map addresses persistently, since ${total} rules will be generated."
fi
# If a name is given, or a balancer is requested (multiple 'to' value) or multiple chains
# are requested, centralize it on one chain, so that the balancing rules will be applied
# just once (this will ensure proper balancing)
if [ ! -z "${name}" -o ${total} -gt 1 -o ${#chains[@]} -gt 1 ]
then
# If a balancer is requested on multiple chains centralize it on one chain,
# so that the balancing rules will be applied just once (this will ensure proper balancing)
test -z "${name}" && name="BALANCER.${nat_count}"
# create the chain
create_chain nat "${name}" || return 1
# link it to the places requested
for chain in ${chains[@]}
do
set_work_function "Linking chain ${name} at ${chain}"
rule table nat chain ${chain} proto "${proto[*]}" "${args[@]}" action "${name}" || return 1
done
# change the linking for the balancing rules
chains=("${name}")
# and empty the parameters (traffic on the chain BALANCER.x is already this traffic)
args=()
fi
# check if all 'to' have weights
total_weight=0
without_weight=0
for to in ${tos[@]}
2015-02-22 01:51:41 +00:00
do
2015-02-26 00:35:41 +00:00
x=${to/*\//}
[ "${x}" = "${to}" ] && x=
if [ -z "${x}" ]
then
(( without_weight += 1 ))
else
total_weight=$[total_weight + x]
fi
done
# if some have weight and some don't
# stop with an error
if [ ${total_weight} -ne 0 ]
then
if [ ${without_weight} -gt 0 ]
2015-02-22 01:51:41 +00:00
then
2015-02-26 00:35:41 +00:00
error "Weights based balancing is requested, but there are ${without_weight} value(s) that do not have a weight."
2015-02-22 01:51:41 +00:00
return 1
fi
2015-02-26 00:35:41 +00:00
mode="random"
else
mode="nth"
fi
x=0
for to in ${tos[@]}
do
balance=()
# if we build a balancer, generate the rule to split the traffic among
# the target servers, except if this is the last host
if [ ${total} -gt 1 -a $[x+1] -lt ${total} ]
then
if [ "${mode}" = "nth" ]
then
# round robin mode
balance=("custom" "-m statistic --mode nth --every ${total} --packet ${x}")
else
# weighted random mode
w=${to/*\//}
if [ "${w}" = "${to}" -o -z "${w}" ]
then
error "Cannot parse weight from ip ${ip}."
return 1
fi
w=$[(w * 1000) / total_weight]
if [ ${w} -lt 10 ]
then
w="0.00${w}"
elif [ ${w} -lt 100 ]
then
w="0.0${w}"
elif [ ${w} -lt 1000 ]
then
w="0.${w}"
elif [ ${w} -eq 1000 ]
then
w="1.0"
else
error "Cannot calculate weight for ${to}. Calculation gives ${w} / 1000."
return 1
fi
balance=("custom" "-m statistic --mode random --probability ${w}")
fi
fi
(( x += 1 ))
to=${to/\/*/}
FIREHOL_LAST_NAT_MAP[$to]="${balance[*]}"
for chain in ${chains[@]}
do
set_work_function "Rules for ${action} to ${to} at ${chain}"
rule table nat chain "${chain}" proto "${proto[*]}" "${args[@]}" "${balance[@]}" action "${action}" to ${to} ${options} || return 1
done
2015-02-22 01:51:41 +00:00
done
2003-01-16 00:33:26 +00:00
FIREHOL_NAT=1
2015-02-26 00:35:41 +00:00
[ ! "${action}" = "redirect" ] && FIREHOL_ROUTING=1
2003-01-16 00:33:26 +00:00
return 0
}
2015-02-01 19:20:14 +00:00
nat4() { ipv4 nat "${@}"; }
nat6() { ipv6 nat "${@}"; }
nat46() { both nat "${@}"; }
2004-04-23 22:15:18 +00:00
nat() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2004-04-23 22:15:18 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2004-04-23 22:15:18 +00:00
2015-02-06 20:43:23 +00:00
nat_helper "${@}"
2004-04-23 22:15:18 +00:00
}
2015-02-01 19:20:14 +00:00
snat4() { ipv4 snat "${@}"; }
snat6() { ipv6 snat "${@}"; }
snat46() { both snat "${@}"; }
2003-01-16 00:55:36 +00:00
snat() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2003-01-16 00:33:26 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2003-01-16 00:33:26 +00:00
2003-01-16 00:55:36 +00:00
local to="${1}"; shift
2015-01-30 22:45:56 +00:00
test "${to}" = "to" && to="${1}" && shift
2003-01-16 00:33:26 +00:00
2015-02-06 20:43:23 +00:00
nat_helper "to-source" "${to}" "${@}"
2003-01-16 00:55:36 +00:00
}
2015-02-01 19:20:14 +00:00
dnat4() { ipv4 dnat "${@}"; }
dnat6() { ipv6 dnat "${@}"; }
dnat46() { both dnat "${@}"; }
2003-01-16 00:55:36 +00:00
dnat() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2003-01-16 00:33:26 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2003-01-16 00:33:26 +00:00
2003-01-16 00:55:36 +00:00
local to="${1}"; shift
2015-01-30 22:45:56 +00:00
test "${to}" = "to" && to="${1}" && shift
2003-01-16 00:33:26 +00:00
2015-02-06 20:43:23 +00:00
nat_helper "to-destination" "${to}" "${@}"
2003-01-16 00:33:26 +00:00
}
2015-02-01 19:20:14 +00:00
redirect4() { ipv4 redirect "${@}"; }
redirect6() { ipv6 redirect "${@}"; }
redirect46() { both redirect "${@}"; }
2003-01-25 00:37:37 +00:00
redirect() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2003-01-25 00:37:37 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2003-01-25 00:37:37 +00:00
local to="${1}"; shift
2015-01-30 22:45:56 +00:00
test "${to}" = "to" -o "${to}" = "to-port" && to="${1}" && shift
2003-01-25 00:37:37 +00:00
2015-02-06 20:43:23 +00:00
nat_helper "redirect-to" "${to}" "${@}"
2003-01-25 00:37:37 +00:00
}
2003-06-18 22:56:24 +00:00
wrongmac_chain=0
2013-11-10 12:38:37 +00:00
wrongmac6_chain=0
2015-02-01 19:20:14 +00:00
mac4() { ipv4 mac "${@}"; }
mac6() { ipv6 mac "${@}"; }
mac46() { both mac "${@}"; }
2003-06-18 22:56:24 +00:00
mac() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2003-06-18 22:56:24 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2003-06-18 22:56:24 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2003-06-18 22:56:24 +00:00
2013-11-10 12:38:37 +00:00
if running_ipv4; then
if [ ${wrongmac_chain} -eq 0 ]
then
set_work_function "Creating the MAC-MISSMATCH chain (only once)"
2003-06-28 23:22:49 +00:00
2013-11-10 12:38:37 +00:00
iptables -t filter -N WRONGMAC
rule table filter chain WRONGMAC loglimit "MAC MISSMATCH" action DROP || return 1
2003-06-18 22:56:24 +00:00
2013-11-10 12:38:37 +00:00
wrongmac_chain=1
fi
2003-06-18 22:56:24 +00:00
fi
2013-11-10 12:38:37 +00:00
if running_ipv6; then
if [ ${wrongmac6_chain} -eq 0 ]
then
set_work_function "Creating the MAC-MISSMATCH chain (only once)"
ip6tables -t filter -N WRONGMAC
rule table filter chain WRONGMAC loglimit "MAC MISSMATCH" action DROP || return 1
wrongmac6_chain=1
fi
fi
2015-02-19 01:21:51 +00:00
set_work_function "Source IP ${1} does not match MAC ${2}"
2013-05-05 17:32:27 +00:00
2013-11-03 17:44:18 +00:00
iptables_both -t filter -A INPUT -s "${1}" -m mac ! --mac-source "${2}" -j WRONGMAC
iptables_both -t filter -A FORWARD -s "${1}" -m mac ! --mac-source "${2}" -j WRONGMAC
2013-05-05 17:32:27 +00:00
2003-06-18 22:56:24 +00:00
return 0
}
2003-01-30 21:36:07 +00:00
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
# blacklist creates two types of blacklists: unidirectional or bidirectional
2015-02-05 23:08:15 +00:00
FIREHOL_BLACKLIST_COUNTER=0
2015-02-01 19:20:14 +00:00
blacklist4() { ipv4 blacklist "${@}"; }
blacklist6() { ipv6 blacklist "${@}"; }
blacklist46() { both blacklist "${@}"; }
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
blacklist() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
2015-02-05 23:08:15 +00:00
FIREHOL_BLACKLIST_COUNTER=$[ FIREHOL_BLACKLIST_COUNTER + 1 ]
2015-02-15 18:30:34 +00:00
local mode=1 chain= name="bi" accounting= x=
2015-02-07 00:57:14 +00:00
local -a inface=() src=() logopts_in_arg=(log "BLACKLIST-IN") logopts_out_arg=(log "BLACKLIST-OUT")
2015-02-01 15:17:34 +00:00
2015-02-05 23:08:15 +00:00
case "${1}" in
them|him|her|it|this|these|input)
mode=0
name="uni"
shift
;;
2015-02-01 15:17:34 +00:00
2015-02-05 23:08:15 +00:00
all|full)
mode=1
name="bi"
shift
;;
*) ;;
esac
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
2015-02-05 23:08:15 +00:00
while [ ! -z "${1}" ]
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
do
2015-02-11 23:42:38 +00:00
case "${1,,}" in
src)
2015-02-07 15:28:43 +00:00
shift
;;
2015-02-11 23:42:38 +00:00
except)
2015-02-06 21:50:28 +00:00
shift
break
;;
2015-02-11 23:42:38 +00:00
log)
2015-02-07 00:57:14 +00:00
logopts_in_arg=(log "${2}-IN")
logopts_out_arg=(log "${2}-OUT")
2015-02-05 23:08:15 +00:00
shift 2
;;
2015-01-31 17:25:19 +00:00
2015-02-11 23:42:38 +00:00
loglimit)
2015-02-07 00:57:14 +00:00
logopts_in_arg=(loglimit "${2}-IN")
logopts_out_arg=(loglimit "${2}-OUT")
2015-02-05 23:08:15 +00:00
shift 2
;;
2015-02-01 22:16:33 +00:00
2015-02-11 23:42:38 +00:00
acct|accounting)
2015-02-06 21:50:28 +00:00
accounting="${2}"
shift 2
;;
2015-02-11 23:42:38 +00:00
inface)
2015-02-05 23:08:15 +00:00
inface=(inface "${2}")
shift 2
2015-01-31 17:25:19 +00:00
;;
2015-02-05 23:08:15 +00:00
2015-02-06 21:50:28 +00:00
*) src=( "${src[@]}" "${1}" )
shift
2015-01-31 17:25:19 +00:00
;;
esac
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
done
2015-02-05 23:08:15 +00:00
2015-02-07 10:01:40 +00:00
# Now in $src[@] we have all the positive IPs
# and in $@ the excepted rules
2015-02-06 21:50:28 +00:00
2015-02-05 23:08:15 +00:00
2015-02-06 21:50:28 +00:00
chain="BLACKLIST.${name}.${FIREHOL_BLACKLIST_COUNTER}"
2015-02-19 01:21:51 +00:00
set_work_function "Blacklist input chain"
2015-02-05 23:08:15 +00:00
2015-02-07 10:01:40 +00:00
# create the input chain (common for both stateless and stateful)
2015-02-15 18:30:34 +00:00
iptables_both -t filter -N "${chain}.in"
2015-02-06 21:50:28 +00:00
# add the excepted rules
2015-02-26 00:35:41 +00:00
if [ ! -z "${1}" ]; then rule table filter chain "${chain}.in" in action RETURN "${@}" || return 1; fi
2015-02-06 21:50:28 +00:00
# add the accounting rules
2015-02-26 00:35:41 +00:00
if [ ! -z "${accounting}" ]; then iptables_both -t filter -A "${chain}.in" -m nfacct --nfacct-name "${accounting}" || return 1; fi
2015-02-06 21:50:28 +00:00
2015-02-07 10:01:40 +00:00
# drop the traffic (input)
2015-02-15 18:30:34 +00:00
rule table filter chain "${chain}.in" in "${logopts_in_arg[@]}" action DROP || return 1
2015-02-06 21:50:28 +00:00
2015-02-07 10:01:40 +00:00
# ---
# send traffic from the main flow to the generated chains
if [ ${mode} -eq 0 ]
2015-02-06 21:50:28 +00:00
then
2015-02-07 10:01:40 +00:00
# uni-directional stateful
# we will be able to connect to them, they will not be able to connect to us
2015-02-19 01:21:51 +00:00
set_work_function "Unidirectional blacklist rules"
2015-02-07 10:01:40 +00:00
2015-02-15 18:30:34 +00:00
for x in INPUT FORWARD
do
rule table filter chain ${x} in "${inface[@]}" src "${src[*]}" state NEW action "${chain}.in" || return 1
done
2015-02-07 10:01:40 +00:00
else
# bi-directional stateless
# no traffic from/to them
2015-02-19 01:21:51 +00:00
set_work_function "Blacklist input"
2015-02-07 10:01:40 +00:00
2015-02-15 18:30:34 +00:00
for x in INPUT FORWARD
do
rule table filter chain ${x} in "${inface[@]}" src "${src[*]}" action "${chain}.in" || return 1
done
2015-02-07 10:01:40 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Blacklist output chain"
2015-02-07 10:01:40 +00:00
# create the output chain
2015-02-06 21:50:28 +00:00
iptables_both -t filter -N "${chain}.out"
# add the excepted rules
2015-02-26 00:35:41 +00:00
if [ ! -z "${1}" ]; then rule table filter chain "${chain}.out" out reverse action RETURN "${@}" || return 1; fi
2015-02-06 21:50:28 +00:00
# add the accounting rules
2015-02-26 00:35:41 +00:00
if [ ! -z "${accounting}" ]; then iptables_both -t filter -A "${chain}.out" -m nfacct --nfacct-name "${accounting}" || return 1; fi
2015-02-06 21:50:28 +00:00
if running_ipv4
then
push_namespace ipv4
2015-02-07 00:57:14 +00:00
rule table filter chain "${chain}.out" out "${logopts_out_arg[@]}" action REJECT with icmp-host-unreachable
2015-02-06 21:50:28 +00:00
pop_namespace
fi
if running_ipv6
then
2015-03-01 09:05:15 +00:00
push_namespace ipv6
2015-02-07 00:57:14 +00:00
rule table filter chain "${chain}.out" out "${logopts_out_arg[@]}" action REJECT with icmp6-addr-unreachable
2015-02-06 21:50:28 +00:00
pop_namespace
fi
2015-02-05 23:08:15 +00:00
# bi-directional stateless
# none connects from/to these hosts
2015-02-19 01:21:51 +00:00
set_work_function "Bidirectional blacklist rules"
2015-02-05 23:08:15 +00:00
2015-02-07 10:01:40 +00:00
# iptables does not accept REJECT on mangle - we are forced to use filter for this
2015-02-15 18:30:34 +00:00
for x in FORWARD OUTPUT
do
rule table filter chain ${x} out reverse "${inface[@]}" src "${src[*]}" action "${chain}.out" || return 1
done
2015-02-06 00:57:06 +00:00
fi
2015-02-05 23:08:15 +00:00
2015-02-06 00:57:06 +00:00
return 0
}
FIREHOL_IPTRAP_COUNTER=0
2015-02-07 15:28:43 +00:00
2015-02-09 21:18:49 +00:00
declare -A FIREHOL_IPTRAP_MODE=()
2015-02-10 22:26:11 +00:00
declare -A FIREHOL_IPTRAP_METHOD=()
2015-02-09 21:18:49 +00:00
2015-02-07 15:28:43 +00:00
ipuntrap4() { ipv4 iptrap undo "${@}"; }
ipuntrap6() { ipv6 iptrap undo "${@}"; }
ipuntrap46() { both iptrap undo "${@}"; }
ipuntrap() { iptrap undo "${@}"; }
2015-02-06 00:57:06 +00:00
iptrap4() { ipv4 iptrap "${@}"; }
iptrap6() { ipv6 iptrap "${@}"; }
iptrap46() { both iptrap "${@}"; }
iptrap() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2015-02-06 00:57:06 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2015-02-06 00:57:06 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
running_both && error "${FUNCNAME} cannot be used in both IPv4 and IPv6. Please give use either iptrap4 or iptrap6." && return 1
2015-02-06 00:57:06 +00:00
2015-02-15 18:30:34 +00:00
local type= ipset= timeout= chain= method= tables="filter" undo=0 action="RETURN" t= link_to="INPUT FORWARD" mode="TIMEOUT" x=
2015-02-07 15:28:43 +00:00
local -a args=() logopts_arg=()
2015-02-09 20:28:35 +00:00
if [ "${1}" = "undo" ]
2015-02-07 15:28:43 +00:00
then
undo=1
2015-02-08 20:59:41 +00:00
ipset="${2}"
type="${3}"
2015-02-07 15:28:43 +00:00
logopts_arg=(log "UNTRAP")
else
2015-02-08 20:59:41 +00:00
ipset="${1}"
type="${2}"
2015-02-07 15:28:43 +00:00
timeout="${3}"
logopts_arg=(log "TRAP")
fi
2015-02-06 00:57:06 +00:00
shift 3
if [ ${ENABLE_IPSET} -ne 1 ]
then
2015-02-06 20:43:23 +00:00
error "${FUNCNAME} requires ipset but ut is not enabled. Do you have ipset installed?"
2015-02-06 00:57:06 +00:00
return 1
2015-02-05 23:08:15 +00:00
fi
2015-02-10 22:26:11 +00:00
# validate type and generate default ipset storage method
for x in ${type//,/ }
do
case "${x}" in
src|dst)
if [ ! -z "${method}" ]
then
method="${method},ip"
else
method="hash:ip"
fi
;;
*)
error "${FUNCNAME}: invalid type '${x}'. It can either be 'src' or 'dst'."
return 1
;;
esac
done
2015-02-08 20:59:41 +00:00
2015-02-09 21:18:49 +00:00
# get the last mode used
[ ! -z "${FIREHOL_IPTRAP_MODE[$ipset]}" ] && mode="${FIREHOL_IPTRAP_MODE[$ipset]}"
2015-02-06 00:57:06 +00:00
while [ ! -z "${1}" ]
do
2015-02-27 22:31:32 +00:00
case "${1,,}" in
method)
2015-02-10 22:26:11 +00:00
method="${2}"
shift
;;
2015-02-27 22:31:32 +00:00
counters)
2015-02-09 20:28:35 +00:00
mode="COUNTERS"
;;
2015-02-27 22:31:32 +00:00
timeout)
2015-02-09 20:28:35 +00:00
mode="TIMEOUT"
;;
2015-02-27 22:31:32 +00:00
at|chain)
2015-02-08 12:42:35 +00:00
link_to="${2}"
2015-02-08 10:05:42 +00:00
shift
;;
2015-02-27 22:31:32 +00:00
table|tables)
2015-02-08 10:05:42 +00:00
tables="${2}"
shift
;;
2015-02-27 22:31:32 +00:00
action)
2015-02-08 10:05:42 +00:00
action="${2}"
shift
;;
2015-02-27 22:31:32 +00:00
except)
2015-02-07 10:01:40 +00:00
shift
break
;;
2015-02-27 22:31:32 +00:00
log|loglimit)
2015-02-06 00:57:06 +00:00
logopts_arg=("${1}" "${2}")
shift
;;
*) args=("${args[@]}" "${1}")
;;
esac
shift
done
2015-02-07 10:01:40 +00:00
# Now in $args[@] we have all the positive IPs
# and in $@ the excepted rules
2015-02-10 22:26:11 +00:00
# check if the caller changed the update mode of the ipset
2015-02-09 21:18:49 +00:00
if [ ! -z "${FIREHOL_IPTRAP_MODE[$ipset]}" ]
then
if [ ! "${FIREHOL_IPTRAP_MODE[$ipset]}" = "${mode}" ]
then
warning "${FUNCNAME}: ipset '${ipset}' was previously used with option ${FIREHOL_IPTRAP_MODE[$ipset]}, while now ${mode} is requested."
fi
else
# remember the mode if this ipset
FIREHOL_IPTRAP_MODE[$ipset]="${mode}"
fi
2015-02-07 10:01:40 +00:00
2015-02-10 22:26:11 +00:00
# check if the caller changed the storage method of the ipset
if [ ! -z "${FIREHOL_IPTRAP_METHOD[$ipset]}" ]
then
if [ ! "${FIREHOL_IPTRAP_METHOD[$ipset]}" = "${method}" ]
then
warning "${FUNCNAME}: ipset '${ipset}' was previously used with storage method ${FIREHOL_IPTRAP_METHOD[$ipset]}, while now ${method} is requested."
fi
else
# remember the mode if this ipset
FIREHOL_IPTRAP_METHOD[$ipset]="${method}"
fi
2015-02-26 21:10:47 +00:00
# if the ipset has not been created by us, create it
if [ ! "${FIREHOL_IPSETS_USED[$ipset]}" = "CREATED" ]
2015-02-06 09:12:30 +00:00
then
2015-02-09 21:18:49 +00:00
local opts="${IPTRAP_DEFAULT_IPSET_TIMEOUT_OPTIONS}"
test "${mode}" = "COUNTERS" && opts="${IPTRAP_DEFAULT_IPSET_COUNTERS_OPTIONS}"
2015-02-10 22:26:11 +00:00
ipset create ${ipset} ${method} ${opts} prevent_reset_on_restart
2015-02-06 09:12:30 +00:00
fi
2015-02-06 00:57:06 +00:00
2015-02-08 12:42:35 +00:00
FIREHOL_IPTRAP_COUNTER=$[ FIREHOL_IPTRAP_COUNTER + 1 ]
chain="IPTRAP.${FIREHOL_IPTRAP_COUNTER}"
2015-02-06 00:57:06 +00:00
2015-02-08 10:05:42 +00:00
for t in ${tables//,/ }
do
2015-02-19 01:21:51 +00:00
set_work_function "Trap chain ${chain} in table ${t}"
2015-02-06 00:57:06 +00:00
2015-02-08 10:05:42 +00:00
# create the chain
iptables_both -t ${t} -N "${chain}"
2015-02-07 10:01:40 +00:00
2015-02-08 10:05:42 +00:00
# add the excepted rules
2015-02-26 00:35:41 +00:00
if [ ! -z "${1}" ]; then rule table ${t} chain "${chain}" in action RETURN "${@}" || return 1; fi
2015-02-07 10:01:40 +00:00
2015-02-08 10:05:42 +00:00
# do the job
if [ ${undo} -eq 1 ]
2015-02-08 08:44:00 +00:00
then
2015-02-08 10:05:42 +00:00
# remove the ip
iptables_both -t ${t} -A "${chain}" -j SET --del-set ${ipset} ${type}
2015-02-08 08:44:00 +00:00
else
2015-02-09 20:28:35 +00:00
if [ "${mode}" = "COUNTERS" ]
then
# this command updates the counters
# but its presence mean that the timer is not updated
iptables_both -t ${t} -A "${chain}" -m set --match-set ${ipset} ${type} -j RETURN || return 1
fi
2015-02-08 10:05:42 +00:00
# add the ip
if [ -z "${timeout}" -o "${timeout}" = "default" ]
then
2015-02-09 20:28:35 +00:00
iptables_both -t ${t} -A "${chain}" -j SET --add-set ${ipset} ${type} --exist || return 1
2015-02-08 10:05:42 +00:00
else
2015-02-09 20:28:35 +00:00
iptables_both -t ${t} -A "${chain}" -j SET --add-set ${ipset} ${type} --exist --timeout ${timeout} || return 1
2015-02-08 10:05:42 +00:00
fi
2015-02-08 08:44:00 +00:00
fi
2015-02-07 10:01:40 +00:00
2015-02-08 10:05:42 +00:00
# log and return
2015-02-09 20:28:35 +00:00
rule table ${t} chain "${chain}" in "${logopts_arg[@]}" action "${action}" || return 1
2015-02-06 00:57:06 +00:00
2015-02-08 10:05:42 +00:00
# ---
2015-02-06 00:57:06 +00:00
2015-02-15 18:30:34 +00:00
for x in ${link_to}
do
2015-02-19 01:21:51 +00:00
set_work_function "iptrap rules in table ${t} chain ${x}"
2015-02-15 18:30:34 +00:00
rule table ${t} chain ${x} in "${args[@]}" action "${chain}" || return 1
done
2015-02-08 10:05:42 +00:00
done
2015-02-06 00:57:06 +00:00
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
return 0
}
2009-02-05 02:03:07 +00:00
classify_count=0
2015-02-01 19:20:14 +00:00
classify4() { ipv4 classify "${@}"; }
classify6() { ipv6 classify "${@}"; }
classify46() { both classify "${@}"; }
2009-02-05 02:03:07 +00:00
classify() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2009-02-05 02:03:07 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2009-02-05 02:03:07 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2009-02-05 02:03:07 +00:00
local class="${1}"; shift
classify_count=$[classify_count + 1]
2015-02-19 01:21:51 +00:00
set_work_function "Rules for CLASSIFY"
2009-02-05 02:03:07 +00:00
2015-02-06 20:43:23 +00:00
create_chain mangle "classify.${classify_count}" POSTROUTING "${@}" || return 1
2013-11-03 17:44:18 +00:00
iptables_both -t mangle -A "classify.${classify_count}" -j CLASSIFY --set-class ${class}
2009-02-05 02:03:07 +00:00
return 0
}
2015-02-01 19:20:14 +00:00
connmark4() { ipv4 connmark "${@}"; }
connmark6() { ipv6 connmark "${@}"; }
connmark46() { both connmark "${@}"; }
2009-02-05 02:03:07 +00:00
connmark() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2009-02-05 02:03:07 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2009-02-05 02:03:07 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2009-02-05 02:03:07 +00:00
2015-02-15 18:30:34 +00:00
local num="${1}" where="${2}" chain=
2015-01-30 22:45:56 +00:00
shift 2
2014-03-13 01:08:34 +00:00
if [ "${num}" = "save" ]
2014-03-13 00:35:12 +00:00
then
2015-01-19 19:28:43 +00:00
# backward compatibility - nothing to be done here
2014-03-13 00:35:12 +00:00
return 0
2014-03-13 01:08:34 +00:00
fi
if [ "${num}" = "restore" ]
2014-03-13 00:35:12 +00:00
then
2014-03-13 01:08:34 +00:00
# backward compatibility - nothing to be done here
2014-03-13 00:35:12 +00:00
return 0
fi
2015-01-24 15:32:23 +00:00
local mark="$(mark_value connmark $num)"
2015-01-24 16:58:57 +00:00
test -z "${mark}" && work_error=$[work_error + 1] && return 1
2015-01-19 19:28:43 +00:00
2015-02-15 18:30:34 +00:00
test -z "${where}" && where="OUTPUT POSTROUTING"
for chain in ${where//,/ }
2014-03-12 22:20:00 +00:00
do
2015-02-15 18:30:34 +00:00
case "${chain^^}" in
PRE|PREROUTING) chain="PREROUTING" ;;
IN|INPUT) chain="INPUT" ;;
OUT|OUTPUT) chain="OUTPUT" ;;
PASS|FORWARD) chain="FORWARD" ;;
POST|POSTROUTING) chain="POSTROUTING" ;;
esac
2014-03-12 22:20:00 +00:00
case "${chain}" in
interface)
2015-01-25 15:59:28 +00:00
if [ ${MARKS_STATEFUL[connmark]} -eq 1 ]
then
2015-02-19 01:21:51 +00:00
set_work_function "Stateful rules for CONNMARK ${mark} for interface ${1}"
2015-02-11 23:42:38 +00:00
rule table mangle chain PREROUTING state NEW inface "${@}" action MARK to "${mark}" || return 1
rule table mangle chain POSTROUTING state NEW outface "${@}" action MARK to "${mark}" || return 1
2015-01-25 15:59:28 +00:00
else
2015-02-19 01:21:51 +00:00
set_work_function "Stateless rules for CONNMARK ${mark} for interface ${1}"
2015-01-25 15:59:28 +00:00
rule table mangle chain PREROUTING inface "${@}" action MARK to "${mark}" || return 1
rule table mangle chain POSTROUTING outface "${@}" action MARK to "${mark}" || return 1
fi
2014-03-12 22:20:00 +00:00
;;
*)
2015-01-25 15:59:28 +00:00
if [ ${MARKS_STATEFUL[connmark]} -eq 1 ]
then
2015-02-19 01:21:51 +00:00
set_work_function "Stateful rules for CONNMARK ${mark} on chain ${chain}"
2015-02-11 23:42:38 +00:00
rule table mangle chain "${chain}" state NEW "${@}" action MARK to "${mark}" || return 1
2015-01-25 15:59:28 +00:00
else
2015-02-19 01:21:51 +00:00
set_work_function "Stateless rules for CONNMARK ${mark} on chain ${chain}"
2015-01-25 15:59:28 +00:00
rule table mangle chain "${chain}" action MARK to "${mark}" || return 1
fi
2014-03-12 22:20:00 +00:00
;;
esac
done
2009-02-05 02:03:07 +00:00
return 0
}
2015-02-01 19:20:14 +00:00
custommark4() { ipv4 custommark "${@}"; }
custommark6() { ipv6 custommark "${@}"; }
custommark46() { both custommark "${@}"; }
2015-01-22 22:34:22 +00:00
custommark() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2003-09-13 01:03:46 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2003-09-13 01:03:46 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2003-09-13 01:03:46 +00:00
2015-02-15 18:30:34 +00:00
local name="${1}" num="${2}" where="${3}" chain=
2015-01-30 22:45:56 +00:00
shift 3
2015-01-24 15:32:23 +00:00
local mark="$(mark_value $name $num)"
2015-01-24 16:58:57 +00:00
test -z "${mark}" && work_error=$[work_error + 1] && return 1
2015-01-19 19:28:43 +00:00
2015-02-15 18:30:34 +00:00
test -z "${where}" && where="OUTPUT"
for chain in ${where//,/ }
do
case "${chain^^}" in
PRE|PREROUTING) chain="PREROUTING" ;;
IN|INPUT) chain="INPUT" ;;
OUT|OUTPUT) chain="OUTPUT" ;;
PASS|FORWARD) chain="FORWARD" ;;
POST|POSTROUTING) chain="POSTROUTING" ;;
esac
if [ ${MARKS_STATEFUL[$name]} -eq 1 ]
then
2015-02-19 01:21:51 +00:00
set_work_function "Rules for stateful MARK ${mark} on chain ${chain}"
2015-02-15 18:30:34 +00:00
rule table mangle chain "${chain}" state NEW "${@}" action MARK to "${mark}" || return 1
else
2015-02-19 01:21:51 +00:00
set_work_function "Rules for stateless MARK ${mark} on chain ${chain}"
2015-02-15 18:30:34 +00:00
rule table mangle chain "${chain}" "${@}" action MARK to "${mark}" || return 1
fi
done
2003-09-13 01:03:46 +00:00
return 0
}
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
2015-02-01 19:20:14 +00:00
mark4() { ipv4 mark "${@}"; }
mark6() { ipv6 mark "${@}"; }
mark46() { both mark "${@}"; }
2015-01-22 22:34:22 +00:00
mark() {
custommark usermark "${@}"
}
2015-02-01 19:20:14 +00:00
tos4() { ipv4 tos "${@}"; }
tos6() { ipv6 tos "${@}"; }
tos46() { both tos "${@}"; }
2004-10-31 02:21:02 +00:00
tos() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2004-10-31 02:21:02 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2004-10-31 02:21:02 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2004-10-31 02:21:02 +00:00
2015-02-15 18:30:34 +00:00
local num="${1}" where="${2}" chain=
shift
2015-01-30 22:45:56 +00:00
2015-02-15 18:30:34 +00:00
test -z "${where}" && where="OUTPUT"
for chain in ${where//,/ }
do
case "${chain^^}" in
PRE|PREROUTING) chain="PREROUTING" ;;
IN|INPUT) chain="INPUT" ;;
OUT|OUTPUT) chain="OUTPUT" ;;
PASS|FORWARD) chain="FORWARD" ;;
POST|POSTROUTING) chain="POSTROUTING" ;;
esac
2015-02-19 01:21:51 +00:00
set_work_function "Rules for TOS on chain '${chain}'"
2015-02-15 18:30:34 +00:00
rule table mangle chain ${chain} "${@}" action TOS to "${num}"
done
2004-10-31 02:21:02 +00:00
return 0
}
2008-12-02 20:01:11 +00:00
# from http://blog.edseek.com/~jasonb/articles/traffic_shaping/scenarios.html
2015-02-15 18:30:34 +00:00
tosfix_created_chains4=0
tosfix_created_chains6=0
2015-02-01 19:20:14 +00:00
tosfix4() { ipv4 tosfix "${@}"; }
tosfix6() { ipv6 tosfix "${@}"; }
tosfix46() { both tosfix "${@}"; }
2008-12-02 20:28:02 +00:00
tosfix() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2008-12-02 20:01:11 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2008-12-02 20:01:11 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2008-12-02 20:01:11 +00:00
2015-02-15 18:30:34 +00:00
local where="${1}" x= chain=
shift
for x in ipv4 ipv6
do
local iptables_cmd=
case "${x}" in
ipv4) running_ipv4 || continue
[ ${tosfix_created_chains4} -eq 1 ] && continue
tosfix_created_chains4=1
iptables_cmd="iptables"
;;
ipv6) running_ipv6 || continue
[ ${tosfix_created_chains6} -eq 1 ] && continue
tosfix_created_chains6=1
iptables_cmd="ip6tables"
;;
esac
2015-02-19 01:21:51 +00:00
set_work_function "ackfix chain for ${x}"
2015-02-15 18:30:34 +00:00
${iptables_cmd} -t mangle -N ackfix
${iptables_cmd} -t mangle -A ackfix -m tos ! --tos Normal-Service -j RETURN
${iptables_cmd} -t mangle -A ackfix -p tcp -m length --length 0:128 -j TOS --set-tos Minimize-Delay
${iptables_cmd} -t mangle -A ackfix -p tcp -m length --length 128: -j TOS --set-tos Maximize-Throughput
${iptables_cmd} -t mangle -A ackfix -j RETURN
2015-02-19 01:21:51 +00:00
set_work_function "tosfix chain for ${x}"
2015-02-15 18:30:34 +00:00
${iptables_cmd} -t mangle -N tosfix
${iptables_cmd} -t mangle -A tosfix -p tcp -m length --length 0:512 -j RETURN
${iptables_cmd} -t mangle -A tosfix -m limit --limit 2/s --limit-burst 10 -j RETURN
${iptables_cmd} -t mangle -A tosfix -j TOS --set-tos Maximize-Throughput
${iptables_cmd} -t mangle -A tosfix -j RETURN
done
test -z "${where}" && where="PREROUTING POSTROUTING"
for chain in ${where//,/ }
do
case "${chain^^}" in
PRE|PREROUTING) chain="PREROUTING" ;;
IN|INPUT) chain="INPUT" ;;
OUT|OUTPUT) chain="OUTPUT" ;;
PASS|FORWARD) chain="FORWARD" ;;
POST|POSTROUTING) chain="POSTROUTING" ;;
esac
set_work_function "Fixing TOS for TCP ACK packets"
rule table mangle chain ${chain} "${@}" proto tcp custom '-m tcp --tcp-flags SYN,RST,ACK ACK' action ackfix
set_work_function "Fixing TOS for Minimize-Delay packets"
rule table mangle chain ${chain} "${@}" proto tcp custom '-m tos --tos Minimize-Delay' action tosfix
done
2008-12-02 20:01:11 +00:00
return 0
}
2015-02-01 19:20:14 +00:00
dscp4() { ipv4 dscp "${@}"; }
dscp6() { ipv6 dscp "${@}"; }
dscp46() { both dscp "${@}"; }
2004-10-31 02:21:02 +00:00
dscp() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2004-10-31 02:21:02 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2004-10-31 02:21:02 +00:00
2015-02-06 20:43:23 +00:00
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
2004-10-31 02:21:02 +00:00
2015-02-15 18:30:34 +00:00
local value="${1}" class= where=
2015-01-30 22:45:56 +00:00
shift
2004-10-31 02:21:02 +00:00
if [ "${value}" = "class" ]
then
2015-01-30 22:45:56 +00:00
value=
class="${1}"
shift
2004-10-31 02:21:02 +00:00
fi
2015-01-30 22:45:56 +00:00
where="${1}"
shift
2015-02-15 18:30:34 +00:00
test -z "${where}" && where="OUTPUT"
for chain in ${where//,/ }
do
case "${chain^^}" in
PRE|PREROUTING) chain="PREROUTING" ;;
IN|INPUT) chain="INPUT" ;;
OUT|OUTPUT) chain="OUTPUT" ;;
PASS|FORWARD) chain="FORWARD" ;;
POST|POSTROUTING) chain="POSTROUTING" ;;
esac
2015-02-19 01:21:51 +00:00
set_work_function "Rules for DSCP"
2015-02-15 18:30:34 +00:00
if [ ! -z "${class}" ]
then
rule table mangle chain ${chain} "${@}" action DSCP to class ${class}
else
rule table mangle chain ${chain} "${@}" action DSCP to ${value}
fi
done
2004-10-31 02:21:02 +00:00
return 0
}
Added "blacklist" helper to create blacklists.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input in which
case it will generate a unidirectional statefull blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full or ommitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic comming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
2003-08-23 21:42:35 +00:00
2015-02-01 19:20:14 +00:00
tcpmss4() { ipv4 tcpmss "${@}"; }
tcpmss6() { ipv6 tcpmss "${@}"; }
tcpmss46() { both tcpmss "${@}"; }
2004-10-08 22:30:52 +00:00
tcpmss() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2004-10-08 22:30:52 +00:00
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2004-10-08 22:30:52 +00:00
2015-02-15 18:30:34 +00:00
local value="${1}" iface="$2" target=
2013-10-13 21:11:35 +00:00
if [ -z "$iface" ]
2008-08-09 21:48:02 +00:00
then
2013-10-13 21:11:35 +00:00
if [ ! -z "${work_cmd}" ]
2008-08-09 21:48:02 +00:00
then
2015-01-30 22:45:56 +00:00
iface="${work_outface}"
2013-10-13 21:11:35 +00:00
if [ -z "$iface" ]
then
2015-02-06 20:43:23 +00:00
error "${FUNCNAME} cannot find the interfaces to setup. Did you set an outface?"
2013-10-13 21:11:35 +00:00
return 1
fi
2008-08-09 21:48:02 +00:00
else
2015-01-30 22:45:56 +00:00
iface="all"
2008-08-09 21:48:02 +00:00
fi
2013-10-13 21:11:35 +00:00
fi
case "$value" in
auto)
2015-01-30 22:45:56 +00:00
target="-j TCPMSS --clamp-mss-to-pmtu"
2013-10-13 21:11:35 +00:00
;;
[0-9]*)
2015-01-30 22:45:56 +00:00
target="-j TCPMSS --set-mss $value"
2013-10-13 21:11:35 +00:00
;;
*)
;;
esac
if [ -z "$target" ]
2008-08-09 21:48:02 +00:00
then
2015-02-06 20:43:23 +00:00
error "${FUNCNAME} requires either the word 'auto' or a numeric argument for mss."
2013-10-13 21:11:35 +00:00
return 1
2008-08-09 21:48:02 +00:00
fi
2015-02-15 18:30:34 +00:00
if [ "${iface}" = "all" ]
2004-10-08 22:30:52 +00:00
then
2015-02-19 01:21:51 +00:00
set_work_function "TCPMSS for all interfaces"
2004-10-08 22:30:52 +00:00
2015-02-15 18:30:34 +00:00
iptables_both -t mangle -A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN $target
2013-10-13 21:11:35 +00:00
else
2008-08-09 21:48:02 +00:00
local f=
2013-10-13 21:11:35 +00:00
for f in $iface
2004-10-08 22:30:52 +00:00
do
2015-02-19 01:21:51 +00:00
set_work_function "TCPMSS for interface '${f}'"
2015-02-15 18:30:34 +00:00
iptables_both -t mangle -A POSTROUTING -o ${f} -p tcp -m tcp --tcp-flags SYN,RST SYN $target
2004-10-08 22:30:52 +00:00
done
fi
return 0
}
2015-02-01 05:15:10 +00:00
ipset_addfile() {
2015-02-04 22:05:13 +00:00
local name="${1}" file= opts= final_cmd="${CAT_CMD}" ipv_match="^[0-9a-fA-F\.:/\-]+$"
2015-02-01 05:15:10 +00:00
shift
2015-02-04 22:05:13 +00:00
while [ ! -z "${1}" ]
do
case "${1}" in
ip|ips) final_cmd="${GREP_CMD} -v /";;
net|nets) final_cmd="${GREP_CMD} /";;
ipv4) ipv_match="^[0-9\./\-]+$";;
ipv6) ipv_match="^[0-9a-fA-F:/\-]+$";;
*) break;;
esac
shift
done
2015-02-01 05:15:10 +00:00
file="${1}"
shift
opts="${*}"
[ ! -f "${file}" ] && file="${FIREHOL_CONFIG_DIR}/${file}"
if [ ! -f "${file}" ]
then
error "${FUNCNAME}: Cannot find file '${file}'."
return 1
fi
# cleanup the file
${CAT_CMD} "${file}" |\
2015-02-04 22:05:13 +00:00
${SED_CMD} -e "s/#.*$//g" -e "s/[\t ]\+//g" |\
${EGREP_CMD} "${ipv_match}" |\
2015-02-01 05:15:10 +00:00
${final_cmd} |\
${SORT_CMD} -u |\
while read
do
2015-02-01 22:16:33 +00:00
echo "${IPSET_ADD_OPTION} ${name} ${REPLY} ${opts}"
2015-02-01 05:15:10 +00:00
done
}
2004-10-08 22:30:52 +00:00
2015-02-01 22:16:33 +00:00
ipset_warning() {
if [ ${IPSET_WARNING} -eq 1 ]
then
warning "ipset is requested, but ipset is not installed. Firewall may not be able to be activated."
IPSET_WARNING=0
fi
}
ipset_list_active_names() {
eval "${IPSET_CMD} ${IPSET_LIST_NAMES_EVAL}"
}
ipset_save_active_to_spool() {
${IPSET_CMD} ${IPSET_SAVE_OPTION} >"${FIREHOL_SPOOL_DIR}/last.ipset.save"
}
2015-01-31 23:08:12 +00:00
# keep track of all the ipsets the firewall uses
declare -A FIREHOL_IPSETS_USED=()
2015-02-04 22:05:13 +00:00
declare -A FIREHOL_IPSETS_IPV=()
2015-02-06 20:43:23 +00:00
declare -A FIREHOL_IPSETS_KEEP=()
2015-02-09 21:18:49 +00:00
FIREHOL_IPSETS_RESPECT_KEEP=1
2015-01-31 23:08:12 +00:00
# this is a wrapper around ipset
# it has the same syntax
2015-02-01 19:20:14 +00:00
ipset4() { ipv4 ipset "${@}"; }
ipset6() { ipv6 ipset "${@}"; }
ipset46() { both ipset "${@}"; }
2015-01-31 23:08:12 +00:00
ipset() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2015-01-31 23:08:12 +00:00
2015-02-01 22:16:33 +00:00
if [ ${ENABLE_IPSET} -ne 1 ]
then
error "ipset is not enabled. Do you have ipset installed?"
return 1
fi
2015-02-01 21:06:48 +00:00
2015-01-31 23:08:12 +00:00
local cmd="${1}" name="${2}"
shift 2
2015-02-27 22:31:32 +00:00
if [ "z${IPSET_ADD_OPTION:0:2}" = "z-!" ]
then
error "Your IPSET_ADD_OPTION has -! in it. This will make your IPs not to be added to the ipset. Please remove it. You can add -! to the IPSET_RESTORE_OPTION to accept duplicate IPs without error."
return 1
fi
2015-02-01 20:51:13 +00:00
case "${cmd}" in
create|-N|--create)
2015-02-06 20:43:23 +00:00
local type="${1}" inet= opts=
2015-02-01 20:51:13 +00:00
shift
2015-01-31 23:08:12 +00:00
2015-02-01 20:51:13 +00:00
if [ ! -z "${FIREHOL_IPSETS_USED[$name]}" ]
then
error "ipset ${name} already exists."
return 1
fi
2015-01-31 23:08:12 +00:00
2015-02-01 20:51:13 +00:00
if running_both
then
error "Cannot run ipset for both IPv4 and IPv6 at the same time."
return 1
elif running_ipv6
then
2015-02-01 22:16:33 +00:00
inet="${IPSET_CREATE_IPV6_OPTION}"
2015-02-04 22:05:13 +00:00
FIREHOL_IPSETS_IPV[$name]="ipv6"
else
FIREHOL_IPSETS_IPV[$name]="ipv4"
2015-02-01 20:51:13 +00:00
fi
2015-01-31 23:08:12 +00:00
2015-02-06 20:43:23 +00:00
opts="${*}"
if [ "${opts/*prevent_reset_on_restart*/prevent_reset_on_restart}" = "prevent_reset_on_restart" ]
then
shift
FIREHOL_IPSETS_KEEP[$name]=1
opts="${opts/prevent_reset_on_restart/}"
fi
2015-01-31 23:08:12 +00:00
2015-02-01 22:16:33 +00:00
echo "${IPSET_CREATE_OPTION} ${name} ${type} ${inet} ${opts}" >"${FIREHOL_DIR}/ipset.${name}.rules"
echo "${IPSET_FLUSH_OPTION} ${name}" >>"${FIREHOL_DIR}/ipset.${name}.rules"
2015-02-01 20:51:13 +00:00
FIREHOL_IPSETS_USED[$name]="CREATED"
;;
2015-01-31 23:08:12 +00:00
2015-02-01 20:51:13 +00:00
add|-A|--add)
if [ ! "${FIREHOL_IPSETS_USED[$name]}" = "CREATED" ]
then
error "${FUNCNAME}: Cannot add IPs to ipset '${name}'. The ipset must be created first."
return 1
fi
local ip="${1}" x=
2015-01-31 23:08:12 +00:00
shift
2015-02-07 10:01:40 +00:00
if [ "${FIREHOL_IPSETS_IPV[$name]}" = "ipv6" ]
then
ip=${ip//reserved_ips()/${RESERVED_IPV6}}
ip=${ip//private_ips()/${PRIVATE_IPV6}}
ip=${ip//multicast_ips()/${MULTICAST_IPV6}}
ip=${ip//unroutable_ips()/${UNROUTABLE_IPV6}}
else
ip=${ip//reserved_ips()/${RESERVED_IPV4}}
ip=${ip//private_ips()/${PRIVATE_IPV4}}
ip=${ip//multicast_ips()/${MULTICAST_IPV4}}
ip=${ip//unroutable_ips()/${UNROUTABLE_IPV4}}
fi
2015-02-11 23:42:38 +00:00
for x in ${ip}
2015-02-01 20:51:13 +00:00
do
2015-02-01 22:16:33 +00:00
echo "${IPSET_ADD_OPTION} ${name} ${x} ${*}" >>"${FIREHOL_DIR}/ipset.${name}.rules"
2015-02-01 20:51:13 +00:00
done
;;
2015-01-31 23:08:12 +00:00
2015-02-01 20:51:13 +00:00
addfile|--addfile)
if [ ! "${FIREHOL_IPSETS_USED[$name]}" = "CREATED" ]
then
error "${FUNCNAME}: Cannot add IPs to ipset '${name}'. The ipset must be created first."
return 1
fi
2015-02-01 04:09:17 +00:00
2015-02-04 22:05:13 +00:00
ipset_addfile "${name}" ${FIREHOL_IPSETS_IPV[$name]} "${@}" >>"${FIREHOL_DIR}/ipset.${name}.rules" || return 1
2015-02-01 20:51:13 +00:00
;;
2015-02-01 04:09:17 +00:00
2015-02-01 20:51:13 +00:00
*)
test -z "${FIREHOL_IPSETS_USED[$name]}" && FIREHOL_IPSETS_USED[$name]="USED"
2015-02-01 04:09:17 +00:00
2015-02-01 20:51:13 +00:00
postprocess ${IPSET_CMD} ${cmd} ${name} "${@}"
;;
esac
}
2015-02-03 22:33:17 +00:00
FIREHOL_IPSET_TMP_COUNTER=0
declare -A FIREHOL_IPSET_TMP_SETS=()
ipset_to_temp_and_swap() {
local name="${1}"
# find a temporary name for the new ipset
FIREHOL_IPSET_TMP_COUNTER=$[ FIREHOL_IPSET_TMP_COUNTER + 1 ]
local tmpname="tmp-$$-${RANDOM}-${FIREHOL_IPSET_TMP_COUNTER}"
FIREHOL_IPSET_TMP_SETS[$tmpname]=1
# give the temporary name to the set
${SED_CMD} -e "s|^\([^[:space:]]*\) ${name} \(.*\)|\1 ${tmpname} \2|g" \
-e "s|^\([^[:space:]]*\) ${name}$|\1 ${tmpname}|g"
# swap them, to activate the temporary ipset
echo "${IPSET_SWAP_OPTION} ${tmpname} ${name}"
# destroy the temporary ipset
echo "${IPSET_DESTROY_OPTION} ${tmpname}"
}
2015-02-05 20:36:29 +00:00
ipset_done_all_tmp_sets() {
# empty temp variables to prevent cleanup from running at exit
FIREHOL_IPSET_TMP_SETS=()
}
2015-02-04 22:05:13 +00:00
ipset_remove_all_tmp_sets() {
if [ ${ENABLE_IPSET} -eq 1 ]
then
local x=
for x in ${!FIREHOL_IPSET_TMP_SETS[@]}
do
${IPSET_CMD} ${IPSET_DESTROY_OPTION} "${x}" >/dev/null 2>&1
done
2015-02-05 20:36:29 +00:00
ipset_done_all_tmp_sets
2015-02-04 22:05:13 +00:00
fi
}
2015-04-24 17:39:09 +00:00
ipsets_restore() {
local file="${1}"
if [ ${IPSET_RESTORE_SUPPORTS_FLUSH_SWAP_DESTROY} -eq 1 ]
then
${IPSET_CMD} ${IPSET_RESTORE_OPTION} <"${file}"
return $?
fi
# get all the CREATE and FLUSH statements
${CAT_CMD} "${file}" | ${EGREP_CMD} "^(${IPSET_CREATE_OPTION}|${IPSET_FLUSH_OPTION}) " >"${file}.pre"
${CAT_CMD} "${file}" | ${EGREP_CMD} "^(${IPSET_SWAP_OPTION}|${IPSET_DESTROY_OPTION}) " >"${file}.post"
2015-04-24 17:57:20 +00:00
${CAT_CMD} "${file}" | ${EGREP_CMD} -v "^(${IPSET_FLUSH_OPTION}|${IPSET_SWAP_OPTION}|${IPSET_DESTROY_OPTION}) " >"${file}.add"
2015-04-24 18:31:32 +00:00
echo "COMMIT" >>"${file}.add"
2015-04-24 17:39:09 +00:00
2015-04-24 18:01:40 +00:00
# the older versions of ipset will return an error if the
# ipset to be created already exists.
#set_work_function -ne "Executing IPSET pre-rules"
#while read
#do
# ${IPSET_CMD} ${REPLY} || return $?
#done <"${file}.pre"
2015-04-24 17:39:09 +00:00
set_work_function -ne "Executing IPSET add-rules"
${IPSET_CMD} ${IPSET_RESTORE_OPTION} <"${file}.add" || return $?
set_work_function -ne "Executing IPSET post-rules"
while read
do
${IPSET_CMD} ${REPLY} || return $?
done <"${file}.post"
return 0
}
2015-01-31 23:08:12 +00:00
ipsets_apply() {
2015-02-03 22:33:17 +00:00
local from="${1}" base="${FIREHOL_DIR}" restoring=0 x=
2015-01-31 23:08:12 +00:00
# if we have nothing to do, return
# if we are called with 'spool', FIREHOL_IPSETS_USED is empty and we will load it from the spool file
# otherwise, if FIREHOL_IPSETS_USED is empty and the mode is START, there is nothing to be done
[ ! "${from}" = "spool" -a "${#FIREHOL_IPSETS_USED[@]}" -eq 0 ] && return 0
2015-02-01 22:16:33 +00:00
if [ ${ENABLE_IPSET} -ne 1 ]
then
error "ipset is not enabled. Do you have ipset installed?"
return 1
fi
2015-02-03 22:33:17 +00:00
2015-01-31 23:08:12 +00:00
if [ "${from}" = "spool" ]
then
2015-02-03 22:33:17 +00:00
# If $from=spool, we are restoring ipsets
# when we are restoring, we only add new ipsets
# we will not alter existing ipsets
2015-01-31 23:08:12 +00:00
base="${FIREHOL_SPOOL_DIR}"
2015-02-03 22:33:17 +00:00
restoring=1
2015-01-31 23:08:12 +00:00
if [ -f "${FIREHOL_SPOOL_DIR}/ipsets.conf" ]
then
source "${FIREHOL_SPOOL_DIR}/ipsets.conf"
if [ $? -ne 0 ]
then
warning "Cannot load ${FIREHOL_SPOOL_DIR}/ipsets.conf"
return 1
fi
fi
2015-02-02 20:54:11 +00:00
progress "Restoring ipsets from '${FIREHOL_SPOOL_DIR}'"
2015-01-31 23:08:12 +00:00
else
2015-02-02 20:54:11 +00:00
progress "Activating ipsets"
2015-02-03 22:33:17 +00:00
# when we are activating the firewall, we will overwrite
# existing ipsets.
2015-01-31 23:08:12 +00:00
fi
# take a list of all active ipsets
# and mark each one that we have too as existing
2015-02-01 22:16:33 +00:00
for x in $( ipset_list_active_names )
2015-01-31 23:08:12 +00:00
do
if [ "${FIREHOL_IPSETS_USED[$x]}" = "CREATED" ]
then
FIREHOL_IPSETS_USED[$x]="EXISTS"
fi
done
for x in ${!FIREHOL_IPSETS_USED[@]}
do
# did we had an ipset helper for this ipset?
[ ! -s "${base}/ipset.${x}.rules" ] && continue
# shall we restore this ipset?
if [ "${FIREHOL_IPSETS_USED[$x]}" = "EXISTS" ]
then
2015-02-03 22:33:17 +00:00
test $restoring -eq 1 && continue
2015-02-09 21:25:23 +00:00
[ ${FIREHOL_IPSETS_RESPECT_KEEP} -eq 1 -a "${FIREHOL_IPSETS_KEEP[$x]}" = "1" ] && continue
2015-01-31 23:08:12 +00:00
2015-02-03 22:33:17 +00:00
ipset_to_temp_and_swap "${x}" <"${base}/ipset.${x}.rules" >>"${FIREHOL_DIR}/ipsets.restore"
2015-01-31 23:08:12 +00:00
else
2015-02-03 22:33:17 +00:00
# it does not exist...
2015-01-31 23:08:12 +00:00
# copy the generated rules to the ipset restoration file
${CAT_CMD} "${base}/ipset.${x}.rules" >>"${FIREHOL_DIR}/ipsets.restore"
fi
FIREHOL_IPSETS_USED[$x]="RESTORED"
done
if [ -s "${FIREHOL_DIR}/ipsets.restore" ]
then
2015-04-24 17:39:09 +00:00
ipsets_restore "${FIREHOL_DIR}/ipsets.restore"
2015-01-31 23:08:12 +00:00
if [ $? -ne 0 ]
then
error "${FUNCNAME}: Cannot apply generated ipset rules."
2015-02-03 22:33:17 +00:00
# remove all temporary ipsets
2015-02-04 22:05:13 +00:00
ipset_remove_all_tmp_sets
2015-01-31 23:08:12 +00:00
return 1
else
2015-02-05 20:36:29 +00:00
ipset_done_all_tmp_sets
2015-02-02 20:54:11 +00:00
success
2015-01-31 23:08:12 +00:00
fi
if [ ! "${from}" = "spool" ]
then
# save the list and the new rules to our spool directory
for x in ${!FIREHOL_IPSETS_USED[@]}
do
if [ "${FIREHOL_IPSETS_USED[$x]}" = "RESTORED" ]
then
cp -p "${base}/ipset.${x}.rules" "${FIREHOL_SPOOL_DIR}/ipset.${x}.rules"
FIREHOL_IPSETS_USED[$x]="CREATED"
elif [ "${FIREHOL_IPSETS_USED[$x]}" = "EXISTS" ]
then
FIREHOL_IPSETS_USED[$x]="CREATED"
fi
done
2015-02-06 20:43:23 +00:00
declare -p FIREHOL_IPSETS_USED FIREHOL_IPSETS_IPV FIREHOL_IPSETS_KEEP >"${FIREHOL_SPOOL_DIR}/ipsets.conf"
2015-01-31 23:08:12 +00:00
cp "${FIREHOL_DIR}/ipsets.restore" "${FIREHOL_SPOOL_DIR}/last.ipsets.restore"
2015-02-01 22:16:33 +00:00
ipset_save_active_to_spool
2015-01-31 23:08:12 +00:00
fi
else
2015-02-02 20:54:11 +00:00
success "sets already exist, not updated IPs"
2015-01-31 23:08:12 +00:00
fi
return 0
}
2002-09-05 20:57:59 +00:00
# ------------------------------------------------------------------------------
2002-12-23 14:39:19 +00:00
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# INTERNAL FUNCTIONS BELLOW THIS POINT - Primary commands
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
2002-09-05 20:57:59 +00:00
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# Check the version required by the configuration file
# WHY:
# We have to make sure the configuration file has been written for this version
# of FireHOL. Note that the version command does not actually check the version
2014-02-09 18:11:39 +00:00
# of firehol.sh. It checks only its config version number.
2002-09-05 20:57:59 +00:00
2002-12-23 14:39:19 +00:00
version() {
2015-02-06 20:43:23 +00:00
work_realcmd_helper ${FUNCNAME} "${@}"
2002-10-27 02:49:34 +00:00
2002-12-23 14:39:19 +00:00
if [ ${1} -gt ${FIREHOL_VERSION} ]
then
2014-02-09 18:11:39 +00:00
error "Wrong version. FireHOL is v${FIREHOL_VERSION}, your script requires v${1}. See http://firehol.org/upgrade/#config-version-${FIREHOL_VERSION}"
fi
if [ ${1} -eq 5 ]
then
ENABLE_IPV6=0
2015-03-01 02:16:16 +00:00
FIREHOL_DEFAULT_NAMESPACE=
FIREHOL_NS_CURR=
2015-01-24 02:21:04 +00:00
FIREHOL_NS_STACK=()
2014-12-19 21:46:53 +00:00
warning "Running version 5 config. Update configuration to version 6 for IPv6 support. See http://firehol.org/upgrade/#config-version-${FIREHOL_VERSION}"
2002-12-23 14:39:19 +00:00
fi
2002-10-27 02:49:34 +00:00
}
2002-12-23 14:39:19 +00:00
2002-09-05 20:57:59 +00:00
# ------------------------------------------------------------------------------
# PRIMARY COMMAND: interface
# Setup rules specific to an interface (physical or logical)
2015-03-01 02:16:16 +00:00
interface4() { ipv4 interface "${@}"; }
interface6() { ipv6 interface "${@}"; }
interface46() { both interface "${@}"; }
2002-09-05 20:57:59 +00:00
interface() {
2015-02-06 20:43:23 +00:00
work_realcmd_primary ${FUNCNAME} "${@}"
2002-12-23 13:49:09 +00:00
2002-09-05 20:57:59 +00:00
# --- close any open command ---
2002-12-18 23:36:07 +00:00
close_cmd || return 1
2013-11-10 13:05:29 +00:00
2002-09-05 20:57:59 +00:00
# --- test prerequisites ---
require_work clear || return 1
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2015-03-01 02:16:16 +00:00
local ipv="${FIREHOL_NS_CURR}"
if [ "z${1}" = "z-ns" ]
then
ipv="${2}"
shift 2
fi
push_namespace "${ipv}"
2002-09-05 20:57:59 +00:00
# --- get paramaters and validate them ---
# Get the interface
2015-01-30 22:45:56 +00:00
local inface="${1}" \
name="${2}"
shift 2
2003-01-13 23:31:03 +00:00
test -z "${inface}" && error "real interface is not set" && return 1
2015-02-06 20:43:23 +00:00
test -z "${name}" && error "${FUNCNAME} name is not set" && return 1
2002-09-05 20:57:59 +00:00
# --- do the job ---
work_cmd="${FUNCNAME}"
work_name="${name}"
2003-01-06 00:41:10 +00:00
work_realcmd=("(unset)")
2002-09-05 20:57:59 +00:00
2015-02-19 01:21:51 +00:00
set_work_function -ne "Rules for ${FUNCNAME} '${work_name}'"
2002-11-30 22:53:55 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
create_chain filter "in_${work_name}" INPUT push_flow_inheritance in in set_work_inface "${@}" inface "${inface}" outface any || return 1
create_chain filter "out_${work_name}" OUTPUT push_flow_inheritance out out set_work_outface reverse "${@}" inface "${inface}" outface any || return 1
2002-09-05 20:57:59 +00:00
return 0
}
2015-03-01 02:16:16 +00:00
router4() { ipv4 router "${@}"; }
router6() { ipv6 router "${@}"; }
router46() { both router "${@}"; }
2002-12-23 14:39:19 +00:00
router() {
2015-02-06 20:43:23 +00:00
work_realcmd_primary ${FUNCNAME} "${@}"
2002-09-05 20:57:59 +00:00
2002-12-23 14:39:19 +00:00
# --- close any open command ---
2002-09-05 20:57:59 +00:00
2002-12-18 23:36:07 +00:00
close_cmd || return 1
2002-09-05 20:57:59 +00:00
# --- test prerequisites ---
require_work clear || return 1
2015-02-06 20:43:23 +00:00
set_work_function -ne "Initializing ${FUNCNAME}"
2002-09-05 20:57:59 +00:00
2015-03-01 02:16:16 +00:00
local ipv="${FIREHOL_NS_CURR}"
if [ "z${1}" = "z-ns" ]
then
ipv="${2}"
shift 2
fi
push_namespace "${ipv}"
2002-09-05 20:57:59 +00:00
# --- get paramaters and validate them ---
# Get the name for this router
2002-11-30 22:53:55 +00:00
local name="${1}"; shift
2015-02-06 20:43:23 +00:00
test -z "${name}" && error "${FUNCNAME} name is not set" && return 1
2002-09-05 20:57:59 +00:00
# --- do the job ---
work_cmd="${FUNCNAME}"
work_name="${name}"
2003-01-06 00:41:10 +00:00
work_realcmd=("(unset)")
2002-09-05 20:57:59 +00:00
2015-02-19 01:21:51 +00:00
set_work_function -ne "Rules for ${FUNCNAME} '${work_name}'"
2002-11-30 22:53:55 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
create_chain filter "in_${work_name}" FORWARD push_flow_inheritance in in set_work_inface set_work_outface "${@}" || return 1
create_chain filter "out_${work_name}" FORWARD push_flow_inheritance out out reverse "${@}" || return 1
2002-09-05 20:57:59 +00:00
2002-12-16 20:41:39 +00:00
FIREHOL_ROUTING=1
2002-09-05 20:57:59 +00:00
return 0
}
2014-12-30 18:42:58 +00:00
save_for_restore() {
2015-01-03 05:45:19 +00:00
local check="$1"; shift
2015-02-06 20:43:23 +00:00
printf "%q " "${@}" >&20
2015-01-03 05:45:19 +00:00
if [ "${check}" = "none" -o "${check}" = "warn" ]
then
2015-01-30 22:45:56 +00:00
printf " || echo >/dev/null\n" >&20
2015-01-03 05:45:19 +00:00
else
2015-01-30 22:45:56 +00:00
printf " || exit 1\n" >&20
2015-01-03 05:45:19 +00:00
fi
2014-12-30 18:42:58 +00:00
}
2002-12-23 14:39:19 +00:00
postprocess() {
2015-01-30 22:45:56 +00:00
# if the caller is not from the program file, get the config line calling us
2015-02-06 20:43:23 +00:00
[ ! "${BASH_SOURCE[1]}" = "${PROGRAM_FILE}" ] && work_realcmd_helper ${FUNCNAME} "${@}"
2004-04-21 21:35:29 +00:00
2015-01-30 22:45:56 +00:00
local check="error" save=1
2014-12-30 18:42:58 +00:00
while [ ! "A${1}" = "A" ]
do
case "A${1}" in
2015-01-30 22:45:56 +00:00
A-ne) shift; check="none";;
A-warn) shift; check="warn";;
A-ns) shift; save=0;;
2014-12-30 18:42:58 +00:00
*) break;;
esac
done
2015-02-07 15:28:43 +00:00
if [ "${FIREHOL_MODE}" = "EXPLAIN" ]
then
printf "%q " "${@}"
printf "\n"
return 0
elif [ "${FIREHOL_MODE}" = "DEBUG" ]
then
check="debug"
fi
2004-04-21 21:35:29 +00:00
2015-02-06 20:43:23 +00:00
printf "%q " "${@}" >&21
2015-01-30 22:45:56 +00:00
case "${check}" in
debug) printf "\n" >&21
;;
none) printf " >/dev/null 2>&1 || echo >/dev/null\n" >&21
;;
2015-01-03 05:45:19 +00:00
2015-01-30 22:45:56 +00:00
warn|error)
# do not run config_line here, it is very slow
# config_line -ne
printf " >${FIREHOL_OUTPUT}.log 2>&1 || runtime_error ${check} \$? '${LAST_CONFIG_LINE}' " >&21
2015-02-06 20:43:23 +00:00
printf "%q " "${@}" >&21
2015-01-30 22:45:56 +00:00
printf "\n" >&21
;;
esac
2015-01-03 05:45:19 +00:00
test $save -eq 1 && save_for_restore ${check} "${@}"
2014-12-30 18:42:58 +00:00
2004-04-21 21:35:29 +00:00
return 0
}
2002-12-23 14:39:19 +00:00
2013-09-28 09:03:57 +00:00
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# fast activation
# in fast activation mode we catch all /sbin/iptables commands and instead of
# executing them, we generate an iptables-restore compatible file.
2013-12-01 14:59:44 +00:00
run_fast() {
2015-01-30 22:45:56 +00:00
local n=table \
t=filter \
2015-02-19 01:21:51 +00:00
cmd="$1" \
log=
2013-12-01 14:59:44 +00:00
shift
2015-01-30 22:45:56 +00:00
[ "${cmd}" = "ip6tables" ] && n=table6
2013-09-28 09:03:57 +00:00
2015-01-24 02:21:04 +00:00
if [ "z${1}" = "z-t" ]
2013-09-28 09:03:57 +00:00
then
2015-01-30 22:45:56 +00:00
t="${2}"
2013-09-28 09:03:57 +00:00
shift 2
fi
2015-02-19 01:21:51 +00:00
#[ "${FIREHOL_FAST_ACTIVATION_TRACE}"" = "1" ] && log="${*}"
2013-09-28 09:03:57 +00:00
case "$1" in
2015-01-24 02:21:04 +00:00
-P) echo ":$2 $3 [0:0]" >>"${FIREHOL_DIR}/fast/${n}.${t}.policy"
2013-09-28 09:03:57 +00:00
;;
2015-01-24 02:21:04 +00:00
-N) echo ":$2 - [0:0]" >>"${FIREHOL_DIR}/fast/${n}.${t}.chains"
2013-09-28 09:03:57 +00:00
;;
2015-02-19 01:21:51 +00:00
-A) #[ "${FIREHOL_FAST_ACTIVATION_TRACE}" = "1" ] && echo "${log/ -j */ -j NFLOG --nflog-prefix=\"${t}.${2} ${work_function}\"}" >>"${FIREHOL_DIR}/fast/${n}.${t}.rules"
echo "${*}" >>"${FIREHOL_DIR}/fast/${n}.${t}.rules"
;;
-I) echo "${*}" >>"${FIREHOL_DIR}/fast/${n}.${t}.rules"
#[ "${FIREHOL_FAST_ACTIVATION_TRACE}" = "1" ] && echo "${log/ -j */ -j NFLOG --nflog-prefix=\"${t}.${2} ${work_function}\"}" >>"${FIREHOL_DIR}/fast/${n}.${t}.rules"
2013-09-28 09:03:57 +00:00
;;
# if it is none of the above, we execute it normally.
2015-02-01 22:39:33 +00:00
*) echo >&2 "WARNING: Ignoring command '${cmd} -t ${t} ${@}'"
2013-09-28 09:03:57 +00:00
;;
esac
2015-01-24 02:21:04 +00:00
test ! -f "${FIREHOL_DIR}/fast/${n}s/${t}" && ${TOUCH_CMD} "${FIREHOL_DIR}/fast/${n}s/${t}"
2013-09-28 09:03:57 +00:00
return 0
}
2003-12-29 22:40:11 +00:00
FIREHOL_COMMAND_COUNTER=0
2002-12-23 14:39:19 +00:00
iptables() {
2015-01-30 22:45:56 +00:00
# if the caller is not from the program file, get the config line calling us
2015-02-06 20:43:23 +00:00
[ ! "${BASH_SOURCE[1]}" = "${PROGRAM_FILE}" ] && work_realcmd_helper ${FUNCNAME} "${@}"
2015-01-30 22:45:56 +00:00
2013-09-28 09:03:57 +00:00
if [ $FIREHOL_FAST_ACTIVATION -eq 1 ]
then
2013-12-01 14:59:44 +00:00
run_fast iptables "${@}"
2013-09-28 09:03:57 +00:00
else
2015-02-06 20:43:23 +00:00
postprocess -ns "${IPTABLES_CMD}" "${@}"
2013-09-28 09:03:57 +00:00
fi
2015-02-11 23:42:38 +00:00
FIREHOL_COMMAND_COUNTER=$[FIREHOL_COMMAND_COUNTER + 1]
2002-12-23 14:39:19 +00:00
return 0
}
2013-11-03 17:44:18 +00:00
ip6tables() {
2015-01-30 22:45:56 +00:00
# if the caller is not from the program file, get the config line calling us
2015-02-06 20:43:23 +00:00
[ ! "${BASH_SOURCE[1]}" = "${PROGRAM_FILE}" ] && work_realcmd_helper ${FUNCNAME} "${@}"
2015-01-30 22:45:56 +00:00
2013-11-03 17:44:18 +00:00
if [ $FIREHOL_FAST_ACTIVATION -eq 1 ]
then
2013-12-01 14:59:44 +00:00
run_fast ip6tables "${@}"
2013-11-03 17:44:18 +00:00
else
2015-02-06 20:43:23 +00:00
postprocess -ns "${IP6TABLES_CMD}" "${@}"
2013-11-03 17:44:18 +00:00
fi
2015-02-19 01:21:51 +00:00
FIREHOL_COMMAND_COUNTER=$[FIREHOL_COMMAND_COUNTER + 1]
2013-11-03 17:44:18 +00:00
return 0
}
iptables_both() {
if running_ipv4; then iptables "${@}" || return; fi
if running_ipv6; then ip6tables "${@}" || return; fi
return 0
}
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# INTERNAL FUNCTIONS BELLOW THIS POINT - Sub-commands
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Change the policy of an interface
# WHY:
# Not all interfaces have the same policy. The admin must have control over it.
# Here we just set what the admin wants. At the interface finalization we
# produce the iptables rules.
policy() {
2015-02-06 20:43:23 +00:00
work_realcmd_secondary ${FUNCNAME} "${@}"
2002-12-23 14:39:19 +00:00
2006-06-05 17:25:33 +00:00
require_work set any || return 1
2002-12-23 14:39:19 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Policy of ${work_name} to ${1}"
2002-12-31 09:10:15 +00:00
work_policy="$*"
2002-12-23 14:39:19 +00:00
return 0
}
2015-03-01 02:16:16 +00:00
server4() { ipv4 server "${@}"; }
server6() { ipv6 server "${@}"; }
server46() { both server "${@}"; }
2002-12-23 14:39:19 +00:00
server() {
2015-02-06 20:43:23 +00:00
work_realcmd_secondary ${FUNCNAME} "${@}"
2002-12-23 14:39:19 +00:00
require_work set any || return 1
2015-02-06 20:43:23 +00:00
smart_function server "${@}"
2002-12-23 14:39:19 +00:00
return $?
}
2015-03-01 02:16:16 +00:00
client4() { ipv4 client "${@}"; }
client6() { ipv6 client "${@}"; }
client46() { both client "${@}"; }
2002-12-23 14:39:19 +00:00
client() {
2015-02-06 20:43:23 +00:00
work_realcmd_secondary ${FUNCNAME} "${@}"
2002-12-23 14:39:19 +00:00
require_work set any || return 1
2015-02-06 20:43:23 +00:00
smart_function client "${@}"
2002-12-23 14:39:19 +00:00
return $?
}
2015-03-01 02:16:16 +00:00
route4() { ipv4 route "${@}"; }
route6() { ipv6 route "${@}"; }
route46() { both route "${@}"; }
2002-12-23 14:39:19 +00:00
route() {
2015-02-06 20:43:23 +00:00
work_realcmd_secondary ${FUNCNAME} "${@}"
2002-12-23 14:39:19 +00:00
require_work set router || return 1
2015-02-06 20:43:23 +00:00
smart_function server "${@}"
2002-12-23 14:39:19 +00:00
return $?
}
# --- protection ---------------------------------------------------------------
protection() {
2015-02-06 20:43:23 +00:00
work_realcmd_secondary ${FUNCNAME} "${@}"
2002-12-23 14:39:19 +00:00
require_work set any || return 1
2015-01-30 22:45:56 +00:00
local in="in" \
prface="${work_inface}" \
pre="pr" \
reverse= \
x=
2002-12-23 14:39:19 +00:00
if [ "${1}" = "reverse" ]
then
2015-01-30 22:45:56 +00:00
reverse="reverse" # needed to recursion
pre="prr" # in case a router has protections
2002-12-23 14:39:19 +00:00
# both ways, the second needs to
# have different chain names
2015-01-30 22:45:56 +00:00
in="out" # reverse the interface
2002-12-23 14:39:19 +00:00
prface="${work_outface}"
shift
fi
2015-01-30 22:45:56 +00:00
local type="${1}" \
rate="${2}" \
burst="${3}"
2002-12-23 14:39:19 +00:00
test -z "${rate}" && rate="100/s"
test -z "${burst}" && burst="50"
2015-02-19 01:21:51 +00:00
set_work_function -ne "Rules for rotections on '${prface}' for ${work_cmd} '${work_name}'"
2002-12-23 14:39:19 +00:00
for x in ${type}
do
case "${x}" in
none|NONE)
return 0
;;
2006-04-22 17:26:18 +00:00
bad-packets|BAD-PACKETS)
2007-08-20 00:53:22 +00:00
protection ${reverse} "fragments new-tcp-w/o-syn malformed-xmas malformed-null malformed-bad invalid" "${rate}" "${burst}"
2006-04-22 17:26:18 +00:00
return $?
;;
2002-12-23 14:39:19 +00:00
strong|STRONG|full|FULL|all|ALL)
2007-08-20 00:53:22 +00:00
protection ${reverse} "fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad invalid" "${rate}" "${burst}"
2002-12-23 14:39:19 +00:00
return $?
;;
2004-04-01 23:30:28 +00:00
invalid|INVALID)
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ "${FIREHOL_DROP_INVALID}" -eq 0 ]
then
iptables_both -A "${in}_${work_name}" -m conntrack --ctstate INVALID -j DROP || return 1
2013-11-16 16:47:48 +00:00
fi
2002-12-23 14:39:19 +00:00
;;
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
fragments|FRAGMENTS)
# not needed - no use with connection tracking
# if running_ipv4; then
# push_namespace ipv4
# local frag_status=0 mychain="${pre}_${work_name}_fragments"
# create_chain filter "${mychain}" "${in}_${work_name}" in custom "-f" || frag_status=$[frag_status+1]
#
2015-02-19 01:21:51 +00:00
# set_work_function "Rules for protection from packet fragments on '${prface}' for ${work_cmd} '${work_name}'"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
#
# rule in chain "${mychain}" loglimit "PACKET FRAGMENTS" action drop || frag_status=$[frag_status+1]
# pop_namespace
# if [ $frag_status -gt 0 ]
# then
# return 1
# fi
# fi
# # IPv6 packet fragments can be used to
# # evade stateless firewalls. FireHOL
# # creates a stateful firewall with connection
# # tracking, so fragments will be reassembled
# # before checking.
;;
2002-12-23 14:39:19 +00:00
new-tcp-w/o-syn|NEW-TCP-W/O-SYN)
local mychain="${pre}_${work_name}_nosyn"
2003-01-13 23:31:03 +00:00
create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp state NEW custom "! --syn" || return 1
2002-12-23 14:39:19 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for protection from new TCP connections without the SYN flag set on '${prface}' for ${work_cmd} '${work_name}'"
2002-12-23 14:39:19 +00:00
2003-01-13 23:31:03 +00:00
rule in chain "${mychain}" loglimit "NEW TCP w/o SYN" action drop || return 1
2002-12-23 14:39:19 +00:00
;;
icmp-floods|ICMP-FLOODS)
local mychain="${pre}_${work_name}_icmpflood"
2013-11-16 16:47:48 +00:00
if running_ipv4; then
ipv4 create_chain filter "${mychain}" "${in}_${work_name}" in proto icmp custom "--icmp-type echo-request" || return 1
fi
if running_ipv6; then
ipv6 create_chain filter "${mychain}" "${in}_${work_name}" in proto icmpv6 custom "--icmpv6-type echo-request" || return 1
fi
2002-12-23 14:39:19 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for protection from ICMP floods on '${prface}' for ${work_cmd} '${work_name}'"
2002-12-23 14:39:19 +00:00
2003-01-13 23:31:03 +00:00
rule in chain "${mychain}" limit "${rate}" "${burst}" action return || return 1
rule in chain "${mychain}" loglimit "ICMP FLOOD" action drop || return 1
2002-12-23 14:39:19 +00:00
;;
syn-floods|SYN-FLOODS)
local mychain="${pre}_${work_name}_synflood"
2003-01-13 23:31:03 +00:00
create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--syn" || return 1
2002-12-23 14:39:19 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for protection from TCP SYN floods on '${prface}' for ${work_cmd} '${work_name}'"
2002-12-23 14:39:19 +00:00
2003-01-13 23:31:03 +00:00
rule in chain "${mychain}" limit "${rate}" "${burst}" action return || return 1
rule in chain "${mychain}" loglimit "SYN FLOOD" action drop || return 1
2002-12-23 14:39:19 +00:00
;;
2005-04-03 21:48:04 +00:00
all-floods|ALL-FLOODS)
local mychain="${pre}_${work_name}_allflood"
create_chain filter "${mychain}" "${in}_${work_name}" in state NEW || return 1
2015-02-19 01:21:51 +00:00
set_work_function "Rules for protection from ALL floods on '${prface}' for ${work_cmd} '${work_name}'"
2005-04-03 21:48:04 +00:00
rule in chain "${mychain}" limit "${rate}" "${burst}" action return || return 1
rule in chain "${mychain}" loglimit "ALL FLOOD" action drop || return 1
;;
2002-12-23 14:39:19 +00:00
malformed-xmas|MALFORMED-XMAS)
local mychain="${pre}_${work_name}_malxmas"
2003-01-13 23:31:03 +00:00
create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL" || return 1
2002-12-23 14:39:19 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for protection from packets with all TCP flags set on '${prface}' for ${work_cmd} '${work_name}'"
2002-12-23 14:39:19 +00:00
2003-01-13 23:31:03 +00:00
rule in chain "${mychain}" loglimit "MALFORMED XMAS" action drop || return 1
2002-12-23 14:39:19 +00:00
;;
malformed-null|MALFORMED-NULL)
local mychain="${pre}_${work_name}_malnull"
2003-01-13 23:31:03 +00:00
create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL NONE" || return 1
2002-12-23 14:39:19 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for protection from packets with all TCP flags unset on '${prface}' for ${work_cmd} '${work_name}'"
2002-12-23 14:39:19 +00:00
2003-01-13 23:31:03 +00:00
rule in chain "${mychain}" loglimit "MALFORMED NULL" action drop || return 1
2002-12-23 14:39:19 +00:00
;;
malformed-bad|MALFORMED-BAD)
local mychain="${pre}_${work_name}_malbad"
2003-01-13 23:31:03 +00:00
create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags SYN,FIN SYN,FIN" || return 1
2002-12-23 14:39:19 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Rules for protection from packets with illegal TCP flags on '${prface}' for ${work_cmd} '${work_name}'"
2002-12-23 14:39:19 +00:00
2003-01-13 23:31:03 +00:00
rule in chain "${in}_${work_name}" action "${mychain}" proto tcp custom "--tcp-flags SYN,RST SYN,RST" || return 1
rule in chain "${in}_${work_name}" action "${mychain}" proto tcp custom "--tcp-flags ALL SYN,RST,ACK,FIN,URG" || return 1
rule in chain "${in}_${work_name}" action "${mychain}" proto tcp custom "--tcp-flags ALL FIN,URG,PSH" || return 1
2002-12-23 14:39:19 +00:00
2003-01-13 23:31:03 +00:00
rule in chain "${mychain}" loglimit "MALFORMED BAD" action drop || return 1
2002-12-23 14:39:19 +00:00
;;
*)
error "Protection '${x}' does not exists."
return 1
;;
esac
done
return 0
}
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
2003-10-26 21:40:30 +00:00
# KERNEL MODULE MANAGEMENT
2002-12-23 14:39:19 +00:00
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Manage kernel modules
# WHY:
# We need to load a set of kernel modules during postprocessing, and after the
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
# new firewall has been activated.
# The whole point of the following code, is not to attempt loading modules when
# they are compiled into the kernel.
2005-02-09 22:36:24 +00:00
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
# Try to find the current kernel configuration
2003-10-26 21:40:30 +00:00
KERNEL_CONFIG=
if [ -f "/proc/config" ]
then
KERNEL_CONFIG="/proc/config"
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
${CAT_CMD} /proc/config >"${FIREHOL_DIR}/kcfg" || KERNEL_CONFIG=
fi
if [ -z "${KERNEL_CONFIG}" -a -f "/proc/config.gz" ]
2005-02-09 22:36:24 +00:00
then
KERNEL_CONFIG="/proc/config.gz"
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
zcat_cmd /proc/config.gz >"${FIREHOL_DIR}/kcfg" || KERNEL_CONFIG=
fi
if [ -z "${KERNEL_CONFIG}" -a -f "/lib/modules/`${UNAME_CMD} -r`/build/.config" ]
2003-11-23 13:43:19 +00:00
then
KERNEL_CONFIG="/lib/modules/`${UNAME_CMD} -r`/build/.config"
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
"${CAT_CMD}" "${KERNEL_CONFIG}" >"${FIREHOL_DIR}/kcfg" || KERNEL_CONFIG=
fi
if [ -z "${KERNEL_CONFIG}" -a -f "/boot/config-`${UNAME_CMD} -r`" ]
2004-04-21 21:48:29 +00:00
then
KERNEL_CONFIG="/boot/config-`${UNAME_CMD} -r`"
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
"${CAT_CMD}" "${KERNEL_CONFIG}" >"${FIREHOL_DIR}/kcfg" || KERNEL_CONFIG=
fi
if [ -z "${KERNEL_CONFIG}" -a -f "/usr/src/linux/.config" ]
2003-10-26 21:40:30 +00:00
then
KERNEL_CONFIG="/usr/src/linux/.config"
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
"${CAT_CMD}" "${KERNEL_CONFIG}" >"${FIREHOL_DIR}/kcfg" || KERNEL_CONFIG=
fi
# Did we managed to find the kernel configuration?
if [ ! -z "{$KERNEL_CONFIG}" -a -s "${FIREHOL_DIR}/kcfg" ]
then
# We found a kernel configuration
# Load all the definitions for CONFIG_*_NF_* variables
# We grep what we care for, to make sure there is no garbage or malicious code
# in the file we will run.
"${CAT_CMD}" "${FIREHOL_DIR}/kcfg" | ${GREP_CMD} -e "^CONFIG_[A-Z0-9_]\+_NF_[A-Z0-9_]\+=[ynm]$" >"${FIREHOL_DIR}/kcfg.nf"
# run it to get the variables
source "${FIREHOL_DIR}/kcfg.nf"
2003-10-26 21:40:30 +00:00
else
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
# We could not find a kernel configuration
KERNEL_CONFIG=
2014-10-04 09:22:11 +00:00
if [ ! ${FIREHOL_LOAD_KERNEL_MODULES} -eq 0 ]
then
echo >&2 " "
2015-02-01 22:39:33 +00:00
echo >&2 " WARNING:"
echo >&2 " --------"
2014-10-04 09:22:11 +00:00
echo >&2 " FireHOL cannot find your current kernel configuration."
echo >&2 " Please, either compile your kernel with /proc/config,"
echo >&2 " or make sure there is a valid kernel config in:"
echo >&2 " /usr/src/linux/.config"
echo >&2 " "
echo >&2 " Because of this, FireHOL will simply attempt to load"
echo >&2 " all kernel modules for the services used, without"
echo >&2 " being able to detect failures."
echo >&2 " "
sleep 2
fi
2003-10-26 21:40:30 +00:00
fi
# activation-phase command to check for the existance of
# a kernel configuration directive. It returns:
# 0 = module is already in the kernel
# 1 = module can be loaded with modprobe
# 2 = no info about this module in the kernel
2003-10-26 21:27:31 +00:00
check_kernel_config() {
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
# In kernels 2.6.20+ _IP_ was removed from kernel iptables config names.
2009-02-21 21:42:07 +00:00
# A few kernels have _CONNTRACT_ replaced with _CT_ for certain modules.
# Try all versions.
# the original way
2007-05-06 14:42:43 +00:00
eval local kcfg1="\$${1}"
2009-02-21 21:42:07 +00:00
# without _IP_
2013-09-26 20:10:00 +00:00
local t=`echo ${1} | ${SED_CMD} "s/_IP_//g"`
2007-05-06 14:42:43 +00:00
eval local kcfg2="\$${t}"
2009-02-21 21:42:07 +00:00
# _CONNTRACK_ as _CT_
2013-09-26 20:10:00 +00:00
local t=`echo ${1} | ${SED_CMD} "s/_CONNTRACK_/_CT_/g"`
2009-02-21 21:42:07 +00:00
eval local kcfg3="\$${t}"
'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.
FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).
There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.
Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
# prefer the kernel 2.6.20+ way
2007-05-06 14:42:43 +00:00
if [ ! -z "${kcfg2}" ]
then
kcfg="${kcfg2}"
2009-02-21 21:42:07 +00:00
elif [ ! -z "${kcfg3}" ]
then
kcfg="${kcfg3}"
2007-05-06 14:42:43 +00:00
else
kcfg="${kcfg1}"
fi
2003-10-26 21:27:31 +00:00
case ${kcfg} in
y) return 0
;;
m) return 1
;;
*) return 2
;;
esac
return 2
}
2003-10-26 21:40:30 +00:00
# activation-phase command to check for the existance of
# a kernel module. It returns:
# 0 = module is already in the kernel
# 1 = module can be loaded with modprobe
# 2 = no info about this module in the kernel
2003-04-18 20:52:44 +00:00
check_kernel_module() {
local mod="${1}"
case ${mod} in
ip_tables)
2003-08-19 22:21:32 +00:00
test -f /proc/net/ip_tables_names && return 0
2003-10-26 21:27:31 +00:00
check_kernel_config CONFIG_IP_NF_IPTABLES
2014-12-30 18:42:58 +00:00
test $? -ne 0 && check_kernel_config CONFIG_NF_TABLES_IPV4
return $?
;;
ip6_tables)
test -f /proc/net/ip6_tables_names && return 0
check_kernel_config CONFIG_NF_TABLES_IPV6
2003-10-26 21:27:31 +00:00
return $?
2003-04-18 20:52:44 +00:00
;;
2007-05-06 14:42:43 +00:00
ip_conntrack|nf_conntrack)
test -f /proc/net/ip_conntrack -o -f /proc/net/nf_conntrack && return 0
2003-10-26 21:27:31 +00:00
check_kernel_config CONFIG_IP_NF_CONNTRACK
2014-12-30 18:42:58 +00:00
test $? -ne 0 && check_kernel_config CONFIG_NF_CONNTRACK_IPV4
2003-10-26 21:27:31 +00:00
return $?
;;
2007-05-06 14:42:43 +00:00
ip_conntrack_*|nf_conntrack_*)
2004-04-23 07:36:12 +00:00
local mnam="CONFIG_IP_NF_`echo ${mod} | ${CUT_CMD} -d '_' -f 3- | ${TR_CMD} a-z A-Z`"
2003-10-26 21:27:31 +00:00
check_kernel_config ${mnam}
return $?
;;
2007-05-06 14:42:43 +00:00
ip_nat_*|nf_nat_*)
2004-04-23 07:36:12 +00:00
local mnam="CONFIG_IP_NF_NAT_`echo ${mod} | ${CUT_CMD} -d '_' -f 3- | ${TR_CMD} a-z A-Z`"
2003-10-26 21:27:31 +00:00
check_kernel_config ${mnam}
return $?
;;
*)
return 2
2003-04-18 20:52:44 +00:00
;;
esac
2003-10-26 21:27:31 +00:00
return 2
2003-04-18 20:52:44 +00:00
}
2003-10-26 21:40:30 +00:00
# activation-phase command to load a kernel module.
2014-12-30 18:42:58 +00:00
LOADED_KERNEL_MODULES=
2003-04-18 20:52:44 +00:00
load_kernel_module() {
local mod="${1}"
if [ ! ${FIREHOL_LOAD_KERNEL_MODULES} -eq 0 ]
then
2014-12-30 18:42:58 +00:00
local m=
for m in ${LOADED_KERNEL_MODULES}
do
test "${m}" = "${mod}" && return 0
done
LOADED_KERNEL_MODULES="${LOADED_KERNEL_MODULES} ${mod}"
modprobe_cmd ${mod} -q
2003-04-18 20:52:44 +00:00
if [ $? -gt 0 ]
then
2015-01-30 22:45:56 +00:00
check_kernel_module ${mod} || runtime_error warn 1 "$(config_line)" "${MODPROBE_CMD}" ${mod} -q
2003-04-18 20:52:44 +00:00
fi
fi
return 0
}
2003-10-26 21:40:30 +00:00
# Processing-phase command to tell FireHOL to find one or more
# kernel modules to load, during activation-phase.
2002-12-23 14:39:19 +00:00
require_kernel_module() {
2015-02-06 20:43:23 +00:00
[ ! "${BASH_SOURCE[1]}" = "${PROGRAM_FILE}" ] && work_realcmd_helper ${FUNCNAME} "${@}"
2015-01-30 22:45:56 +00:00
2002-12-23 14:39:19 +00:00
local new="${1}"
2015-01-24 02:21:04 +00:00
if [ -z "${FIREHOL_KERNEL_MODULES[$new]}" ]
then
set_work_function "Adding kernel module '${new}' in the list of kernel modules to load"
FIREHOL_KERNEL_MODULES[$new]="1"
fi
2002-12-23 14:39:19 +00:00
return 0
}
2003-10-26 21:40:30 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# INTERNAL FUNCTIONS BELLOW THIS POINT - FireHOL internals
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
set_work_function() {
local show_explain=1
2015-01-30 22:45:56 +00:00
test "$1" = "-ne" && shift && show_explain=0
2003-10-26 21:40:30 +00:00
work_function="$*"
2009-02-26 02:13:54 +00:00
if [ "${FIREHOL_MODE}" = "EXPLAIN" ]
2004-04-21 21:35:29 +00:00
then
test ${show_explain} -eq 1 && printf "\n# %s\n" "$*"
elif [ ${FIREHOL_CONF_SHOW} -eq 1 ]
then
2015-01-30 22:45:56 +00:00
test ${show_explain} -eq 1 && printf "\n# INFO>>> %s\n" "$*" >&21
2004-04-21 21:35:29 +00:00
fi
2003-10-26 21:40:30 +00:00
}
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# Check the status of the current primary command.
# WHY:
# Some sanity check for the order of commands in the configuration file.
# Each function has a "require_work type command" in order to check that it is
# placed in a valid point. This means that if you place a "route" command in an
2003-12-29 22:40:11 +00:00
# interface section (and many other combinations) it will fail.
2002-12-23 14:39:19 +00:00
require_work() {
2015-01-30 22:45:56 +00:00
local type="${1}" \
cmd="${2}"
2002-12-23 14:39:19 +00:00
case "${type}" in
clear)
test ! -z "${work_cmd}" && error "Previous work was not applied." && return 1
;;
set)
test -z "${work_cmd}" && error "The command used requires that a primary command is set." && return 1
test ! "${work_cmd}" = "${cmd}" -a ! "${cmd}" = "any" && error "Primary command is '${work_cmd}' but '${cmd}' is required." && return 1
;;
*)
error "Unknown work status '${type}'."
return 1
;;
esac
return 0
}
# ------------------------------------------------------------------------------
# Finalizes the rules of the last primary command.
# WHY:
# At the end of an interface or router we need to add some code to apply its
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# policy, etc.
2002-12-23 14:39:19 +00:00
# Finalization occures automatically when a new primary command is executed and
# when the configuration file finishes.
close_cmd() {
set_work_function -ne "Closing last open primary command (${work_cmd}/${work_name})"
case "${work_cmd}" in
interface)
close_interface || return 1
;;
router)
close_router || return 1
;;
'')
;;
*)
error "Unknown work '${work_cmd}'."
return 1
;;
esac
# Reset the current status variables to empty/default
2013-11-03 17:44:18 +00:00
work_counter4=0
work_counter6=0
2002-12-23 14:39:19 +00:00
work_cmd=
2003-01-06 00:41:10 +00:00
work_realcmd=("(unset)")
2002-12-23 14:39:19 +00:00
work_name=
work_inface=
work_outface=
2006-06-05 17:25:33 +00:00
work_policy=
2002-12-23 14:39:19 +00:00
return 0
}
2006-06-05 17:25:33 +00:00
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# close_interface
# WHY:
# Finalizes the rules for the last interface().
close_interface() {
require_work set interface || return 1
2004-05-04 21:39:33 +00:00
close_all_groups
2002-12-23 14:39:19 +00:00
set_work_function "Finilizing interface '${work_name}'"
2015-02-07 15:28:43 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# accepting RELATED packets
set_work_function "Accepting all ICMP RELATED sockets in interface '${work_name}'"
if running_ipv4
then
push_namespace ipv4
rule chain "in_${work_name}" state RELATED proto icmp action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED proto icmp action ACCEPT || return 1
pop_namespace
fi
if running_ipv6
then
2015-03-01 09:05:15 +00:00
push_namespace ipv6
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
rule chain "in_${work_name}" state RELATED proto icmpv6 action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED proto icmpv6 action ACCEPT || return 1
pop_namespace
fi
2015-03-11 20:52:16 +00:00
set_work_function "Accepting TCP-RESET on the output of interface '${work_name}'"
rule chain "out_${work_name}" state RELATED proto tcp custom '--tcp-flags ALL ACK,RST' action ACCEPT || return 1
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
pop_flow_inheritance
2006-06-05 17:25:33 +00:00
# make sure we have a policy
test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}"
2015-03-11 20:52:16 +00:00
local inlog=() outlog=()
2002-12-23 14:39:19 +00:00
case "${work_policy}" in
return|RETURN)
2015-02-07 15:28:43 +00:00
set_work_function "Nothing to be done for policy RETURN of interface '${work_name}'"
2015-03-01 02:16:16 +00:00
pop_namespace
2002-12-23 14:39:19 +00:00
return 0
;;
accept|ACCEPT)
;;
2006-06-05 17:25:33 +00:00
*)
2015-03-11 20:52:16 +00:00
inlog=(loglimit "IN-${work_name}")
outlog=(loglimit "OUT-${work_name}")
2002-12-23 14:39:19 +00:00
;;
esac
2015-02-07 15:28:43 +00:00
set_work_function "Applying default policy of ${work_policy} on interface '${work_name}'"
2002-12-31 09:10:15 +00:00
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
2002-12-23 14:39:19 +00:00
2015-03-01 02:16:16 +00:00
pop_namespace
2002-12-23 14:39:19 +00:00
return 0
}
# ------------------------------------------------------------------------------
# close_router
# WHY:
# Finalizes the rules for the last router().
2002-11-30 22:53:55 +00:00
close_router() {
2002-09-05 20:57:59 +00:00
require_work set router || return 1
2002-10-30 23:25:07 +00:00
2004-05-04 21:39:33 +00:00
close_all_groups
2002-12-17 20:47:34 +00:00
set_work_function "Finilizing router '${work_name}'"
2002-11-30 22:53:55 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
set_work_function "Accepting all ICMP RELATED sockets in router '${work_name}'"
if running_ipv4
then
push_namespace ipv4
rule chain "in_${work_name}" state RELATED proto icmp action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED proto icmp action ACCEPT || return 1
pop_namespace
fi
if running_ipv6
then
2015-03-01 09:05:15 +00:00
push_namespace ipv6
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
rule chain "in_${work_name}" state RELATED proto icmpv6 action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED proto icmpv6 action ACCEPT || return 1
pop_namespace
fi
2002-10-30 23:25:07 +00:00
2015-03-11 20:52:16 +00:00
set_work_function "Accepting TCP-RESET on router '${work_name}'"
rule chain "in_${work_name}" state RELATED proto tcp custom '--tcp-flags ALL ACK,RST' action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED proto tcp custom '--tcp-flags ALL ACK,RST' action ACCEPT || return 1
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
pop_flow_inheritance
2006-06-05 17:25:33 +00:00
# make sure we have a policy
test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}"
2015-03-11 20:52:16 +00:00
local inlog=() outlog=()
2006-06-05 17:25:33 +00:00
case "${work_policy}" in
return|RETURN)
2015-02-07 15:28:43 +00:00
set_work_function "Nothing to be done for policy RETURN of router '${work_name}'"
2015-03-01 02:16:16 +00:00
pop_namespace
2006-06-05 17:25:33 +00:00
return 0
;;
accept|ACCEPT)
;;
*)
2015-03-11 20:52:16 +00:00
inlog=(loglimit "PASS-${work_name}")
outlog=(loglimit "PASS-${work_name}")
2006-06-05 17:25:33 +00:00
;;
esac
2015-02-07 15:28:43 +00:00
set_work_function "Applying default policy of ${work_policy} on router '${work_name}'"
2006-06-05 17:25:33 +00:00
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
2015-03-01 02:16:16 +00:00
pop_namespace
2002-09-05 20:57:59 +00:00
return 0
}
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# close_master
# WHY:
# Finalizes the rules for the whole firewall.
# It assummes there is not primary command open.
2002-09-05 20:57:59 +00:00
close_master() {
2002-12-17 20:47:34 +00:00
set_work_function "Finilizing firewall policies"
2015-02-19 21:06:00 +00:00
finalize_synproxy
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-01-25 15:59:28 +00:00
if [ ! "${MARKS_SAVERESTORE_STATEFUL_MASK}" = "0x00000000" ]
then
2015-02-07 15:28:43 +00:00
set_work_function "Restoring stateful permanent marks"
2015-01-25 15:59:28 +00:00
# copy CONNMARK to MARK at the top of mangle, on entry points
iptables_both -t mangle -I OUTPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
iptables_both -t mangle -I PREROUTING 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
2015-02-07 15:28:43 +00:00
set_work_function "Saving stateful permanent marks"
2015-01-25 15:59:28 +00:00
# save MARK to CONNMARK at the end of mangle, on exit points
iptables_both -t mangle -A INPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
iptables_both -t mangle -A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
fi
2015-01-19 19:28:43 +00:00
2015-01-25 15:59:28 +00:00
if [ ! "${MARKS_SAVERESTORE_STATELESS_MASK}" = "0x00000000" ]
then
2015-02-07 15:28:43 +00:00
set_work_function "Restoring stateless permanent marks"
2015-01-25 15:59:28 +00:00
# copy CONNMARK to MARK at the top of mangle, on entry points
iptables_both -t mangle -I OUTPUT 1 -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
iptables_both -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
2015-02-07 15:28:43 +00:00
set_work_function "Saving stateless permanent marks"
2015-01-25 15:59:28 +00:00
# save MARK to CONNMARK at the end of mangle, on exit points
iptables_both -t mangle -A INPUT -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
iptables_both -t mangle -A POSTROUTING -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
fi
2014-03-13 01:08:34 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
set_work_function "Matching all ICMP related packets to the ESTABLISHED connections"
2002-10-30 23:25:07 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ ${ENABLE_IPV4} -eq 1 ]
2005-10-16 08:55:53 +00:00
then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
iptables -A INPUT -m conntrack --ctstate RELATED -p icmp -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED -p icmp -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED -p icmp -j ACCEPT
2005-10-16 08:55:53 +00:00
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ ${ENABLE_IPV6} -eq 1 ]
then
ip6tables -A INPUT -m conntrack --ctstate RELATED -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate RELATED -p icmpv6 -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate RELATED -p icmpv6 -j ACCEPT
fi
2015-03-11 20:52:16 +00:00
set_work_function "Accepting TCP-RESET at the end of the firewall."
rule chain "OUTPUT" state RELATED proto tcp custom '--tcp-flags ALL ACK,RST' action ACCEPT || return 1
rule chain "FORWARD" state RELATED proto tcp custom '--tcp-flags ALL ACK,RST' action ACCEPT || return 1
2015-02-15 21:00:36 +00:00
# TEST
# this should not match anything
#iptables -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
#iptables -A OUTPUT -m conntrack --ctstate RELATED -j ACCEPT
#iptables -A FORWARD -m conntrack --ctstate RELATED -j ACCEPT
2015-02-07 15:28:43 +00:00
set_work_function "Setting default unmatched policy (options: UNMATCHED_INPUT_POLICY UNMATCHED_OUTPUT_POLICY UNMATCHED_ROUTER_POLICY)"
2002-12-18 23:36:07 +00:00
rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1
rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1
rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1
2015-02-19 21:06:00 +00:00
# ---------------------------------------------------------------------
# execute all postprocessing commands for this firewall
2015-02-26 00:35:41 +00:00
if [ ${FIREHOL_ROUTING} -eq 1 ]; then postprocess -warn ${SYSCTL_CMD} -w "net.ipv4.ip_forward=1" || return 1; fi
2015-02-19 21:06:00 +00:00
if [ "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "kernel" ]
then
2015-02-26 12:30:50 +00:00
if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]
then
postprocess -warn ${SYSCTL_CMD} -w "net.netfilter.nf_conntrack_helper=1" || return 1
fi
2015-02-19 21:06:00 +00:00
else
postprocess -warn ${SYSCTL_CMD} -w "net.netfilter.nf_conntrack_helper=0" || return 1
fi
2015-02-26 00:35:41 +00:00
if [ ! -z "${FIREHOL_CONNTRACK_LOOSE_MATCHING}" ]; then postprocess -warn ${SYSCTL_CMD} -e "net.netfilter.nf_conntrack_tcp_loose=${FIREHOL_CONNTRACK_LOOSE_MATCHING}" || return 1; fi
if [ ! -z "${FIREHOL_TCP_SYN_COOKIES}" ]; then postprocess -warn ${SYSCTL_CMD} -e "net.ipv4.tcp_syncookies=${FIREHOL_TCP_SYN_COOKIES}" || return 1; fi
if [ ! -z "${FIREHOL_TCP_TIMESTAMPS}" ]; then postprocess -warn ${SYSCTL_CMD} -e "net.ipv4.tcp_timestamps=${FIREHOL_TCP_TIMESTAMPS}" || return 1; fi
if [ ! -z "${FIREHOL_CONNTRACK_MAX}" ]; then postprocess -warn ${SYSCTL_CMD} -e "net.netfilter.nf_conntrack_max=${FIREHOL_CONNTRACK_MAX}" || return 1; fi
if [ ! -z "${FIREHOL_CONNTRACK_HASHSIZE}" ]; then postprocess -warn postprocess_echo_to ${FIREHOL_CONNTRACK_HASHSIZE} /sys/module/nf_conntrack/parameters/hashsize || return 1; fi
2015-02-19 21:06:00 +00:00
for m in "${!FIREHOL_NFACCT[@]}"
do
# -ne here because nfacct will generate an error
# if the object already exists.
postprocess -ne "${NFACCT_CMD}" add "${m}" || return 1
done
# FIXME
# ipsets_apply() should generate post-processing commands
# which should be added here
2002-09-05 20:57:59 +00:00
return 0
}
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# ------------------------------------------------------------------------------
# flow inheritance
# this system keeps track of inface, outface, src, dst for all branching
# done by interfaces, routers and groups, thus providing a stack of all the
# required branches (the path) the flow of packets takes in the filter table.
# we use this flow inheritance to re-construct the path in table 'raw' when
2015-02-15 10:55:11 +00:00
# FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT=firehol and a helper is required to be configured.
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# So in table 'raw' we have only the part of the path that is really required.
FIREHOL_FLOW_INHERITANCE_STACK_IN=()
FIREHOL_FLOW_INHERITANCE_STACK_OUT=()
reconstruct_flow_inheritance() {
2015-02-15 10:55:11 +00:00
test ! "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "firehol" && return 0
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
local type="${1}" table="${2}" chain="${3}" overwrite=() stack=() x= ns= new_chain=
shift 3
# we expect at $* optional rule parameters to be appended
# this is required to overwrite for example the outface in raw table
overwrite=("${@}")
if [ "${type}" = "in" ]
then
stack=("${FIREHOL_FLOW_INHERITANCE_STACK_IN[@]}")
else
stack=("${FIREHOL_FLOW_INHERITANCE_STACK_OUT[@]}")
fi
for x in "${!stack[@]}"
do
set -- ${stack[$x]}
ns="${1}"
new_chain="${2}"
shift 2
set_work_function "Reconstruction check of '${ns}' table '${table}'' chain '${new_chain}' with options: ${@}"
push_namespace "${ns}"
chain_exists "${table}" "${new_chain}"
if [ $? -eq 0 ]
then
set_work_function "Reconstructing chain '${new_chain}' in ${table}.${chain} with options: ${@} nosoftwarnings ${overwrite[@]}"
create_chain ${table} "${new_chain}" "${chain}" "${@}" nosoftwarnings "${overwrite[@]}" || return 1
chain="${new_chain}"
else
set_work_function "Chain '${new_chain}' already exists under ${table}.${chain}"
chain="${new_chain}"
fi
pop_namespace
done
}
push_flow_inheritance() {
2015-02-15 10:55:11 +00:00
test ! "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "firehol" && return 0
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
local type="${1}" chain="${2}" infacenot="${3}" inface="${4}" outfacenot="${5}" outface="${6}" srcnot="${7}" src4="${8}" src6="${9}" dstnot="${10}" dst4="${11}" dst6="${12}"
if [ "${type}" = "in" ]
then
FIREHOL_FLOW_INHERITANCE_STACK_IN=("${FIREHOL_FLOW_INHERITANCE_STACK_IN[@]}" "${FIREHOL_NS_CURR} ${chain} inface ${infacenot} ${inface// /,} outface ${outfacenot} ${outface// /,} src4 ${srcnot} ${src4// /,} dst4 ${dstnot} ${dst4// /,} src6 ${srcnot} ${src6// /,} dst6 ${dstnot} ${dst6// /,}")
# declare >&2 -p FIREHOL_FLOW_INHERITANCE_STACK_IN
else
FIREHOL_FLOW_INHERITANCE_STACK_OUT=("${FIREHOL_FLOW_INHERITANCE_STACK_OUT[@]}" "${FIREHOL_NS_CURR} ${chain} inface ${infacenot} ${inface// /,} outface ${outfacenot} ${outface// /,} src4 ${srcnot} ${src4// /,} dst4 ${dstnot} ${dst4// /,} src6 ${srcnot} ${src6// /,} dst6 ${dstnot} ${dst6// /,}")
# declare >&2 -p FIREHOL_FLOW_INHERITANCE_STACK_OUT
fi
}
pop_flow_inheritance() {
2015-02-15 10:55:11 +00:00
test ! "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "firehol" && return 0
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
local type="${1}" items_in=${#FIREHOL_FLOW_INHERITANCE_STACK_IN[*]} items_out=${#FIREHOL_FLOW_INHERITANCE_STACK_OUT[*]}
items_in=$[ items_in - 1 ]
unset FIREHOL_FLOW_INHERITANCE_STACK_IN[$items_in]
items_out=$[ items_out - 1 ]
unset FIREHOL_FLOW_INHERITANCE_STACK_OUT[$items_out]
}
# ------------------------------------------------------------------------------
# groups
# groups are used to group services together, with the same optional rule
# parameters.
# all optional rule parameters given to group are checked only once
2002-12-23 14:39:19 +00:00
2004-05-04 21:39:33 +00:00
FIREHOL_GROUP_COUNTER=0
FIREHOL_GROUP_DEPTH=0
FIREHOL_GROUP_STACK=()
2015-03-01 02:16:16 +00:00
group4() { ipv4 group "${@}"; }
group6() { ipv6 group "${@}"; }
group46() { both group "${@}"; }
2004-05-04 21:39:33 +00:00
group() {
2015-02-06 20:43:23 +00:00
work_realcmd_primary ${FUNCNAME} "${@}"
2004-05-04 21:39:33 +00:00
require_work set any || return 1
2015-03-01 02:16:16 +00:00
local ipv="${FIREHOL_NS_CURR}"
if [ "z${1}" = "z-ns" ]
then
ipv="${2}"
shift 2
fi
2004-05-04 21:39:33 +00:00
local type="${1}"; shift
case $type in
with|start|begin)
2015-03-01 02:16:16 +00:00
push_namespace "${ipv}"
2004-05-04 21:39:33 +00:00
# increase the counter
FIREHOL_GROUP_COUNTER=$[FIREHOL_GROUP_COUNTER + 1]
2015-02-19 01:21:51 +00:00
set_work_function "Rules for new group No ${FIREHOL_GROUP_COUNTER}, under '${work_name}'"
2004-05-04 21:39:33 +00:00
# put the current name in the stack
FIREHOL_GROUP_STACK[$FIREHOL_GROUP_DEPTH]=${work_name}
FIREHOL_GROUP_DEPTH=$[FIREHOL_GROUP_DEPTH + 1]
# name for the new chain
mychain="group${FIREHOL_GROUP_COUNTER}"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# create the new chain in filter
create_chain filter "in_${mychain}" "in_${work_name}" push_flow_inheritance in in "${@}" || return 1
create_chain filter "out_${mychain}" "out_${work_name}" push_flow_inheritance out out reverse "${@}" || return 1
2004-05-04 21:39:33 +00:00
# set a new name for new rules
work_name=${mychain}
;;
end|stop|close)
if [ ${FIREHOL_GROUP_DEPTH} -eq 0 ]
then
error "There is no group open to close."
return 1
fi
# pop one name from the stack
FIREHOL_GROUP_DEPTH=$[FIREHOL_GROUP_DEPTH - 1]
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
pop_flow_inheritance
2004-05-04 21:39:33 +00:00
set_work_function "Closing group '${work_name}'. Now working under '${FIREHOL_GROUP_STACK[$FIREHOL_GROUP_DEPTH]}'"
work_name=${FIREHOL_GROUP_STACK[$FIREHOL_GROUP_DEPTH]}
2014-02-03 22:49:51 +00:00
pop_namespace
2004-05-04 21:39:33 +00:00
;;
*)
error "Statement 'group' requires the first argument to be one of with, start, begin, end, stop, close."
return 1
;;
esac
return 0
}
close_all_groups() {
while [ ${FIREHOL_GROUP_DEPTH} -gt 0 ]
do
group close || return 1
done
return 0
}
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# rule - the heart of FireHOL - iptables commands generation
# WHY:
# This is the function that gives all the magic to FireHOL. Actually it is a
# wrapper for iptables, producing multiple iptables commands based on its
# arguments. The rest of FireHOL is simply a "driver" for this function.
2002-09-05 20:57:59 +00:00
2003-01-06 16:13:34 +00:00
# rule_action_param() is a function - part of rule() - to create the final iptables cmd
# taking into account the "action_param" parameter of the action.
# rule_action_param() should only be used within rule() - no other place
2015-02-11 23:42:38 +00:00
declare -A SMART_REJECT_CREATED=()
2004-09-14 21:15:44 +00:00
FIREHOL_ACCEPT_CHAIN_COUNT=0
2003-01-06 16:13:34 +00:00
rule_action_param() {
2015-02-07 15:28:43 +00:00
# echo >&2 " >>> ${FUNCNAME}: ${*}"
2015-01-30 22:45:56 +00:00
local iptables_cmd="${1}" \
action="${2}" \
2015-02-11 23:42:38 +00:00
statenot="${3}" \
state="${4}" \
table="${5}" \
2015-01-31 12:35:25 +00:00
count=0 val=
2015-02-11 23:42:38 +00:00
shift 5
2003-01-22 20:54:05 +00:00
local -a action_param=()
2003-01-06 16:13:34 +00:00
2004-12-22 23:05:57 +00:00
# All arguments until the separator are the parameters of the action
2015-01-31 12:35:25 +00:00
for val in "${@}"
2003-01-06 16:13:34 +00:00
do
2015-01-31 12:35:25 +00:00
[ "A${val}" = "A--" ] && break
2003-01-06 16:13:34 +00:00
2015-01-31 12:35:25 +00:00
action_param[$count]="${val}"
((count += 1))
2003-01-06 16:13:34 +00:00
done
2015-01-31 12:35:25 +00:00
shift $[count + 1]
2004-12-22 23:05:57 +00:00
# If we don't have a seperator, generate an error
2015-01-31 12:35:25 +00:00
if [ ! "A${val}" = "A--" ]
2003-01-06 16:13:34 +00:00
then
2015-02-11 23:42:38 +00:00
error "Internal Error, in parsing action_param parameters (${FUNCNAME} '${action}' '${statenot}' '${state}' '${table}' '${action_param[@]}' '${@}')."
2003-01-06 16:13:34 +00:00
return 1
fi
# Do the rule
case "${action}" in
NONE)
return 0
;;
2004-09-14 21:15:44 +00:00
ACCEPT)
# do we have any options for this accept?
2004-12-22 23:05:57 +00:00
if [ ! -z "${action_param[0]}" ]
2004-09-14 21:15:44 +00:00
then
# find the options we have
case "${action_param[0]}" in
"limit")
# limit NEW connections to the specified rate
2015-01-30 22:45:56 +00:00
local freq="${action_param[1]}" \
burst="${action_param[2]}" \
overflow="REJECT"
2004-09-14 21:15:44 +00:00
# if we have a custom overflow action, parse it.
2015-01-30 22:45:56 +00:00
test "${action_param[3]}" = "overflow" && overflow="`echo "${action_param[4]}" | tr "a-z" "A-Z"`"
2004-09-14 21:15:44 +00:00
# unset the action_param, so that if this rule does not include NEW connections,
# we will not append anything to the generated iptables statements.
2015-01-30 22:45:56 +00:00
action_param=()
2004-09-14 21:15:44 +00:00
# find is this rule matches NEW connections
local has_new=`echo "${state}" | grep -i NEW`
local do_accept_limit=0
if [ -z "${statenot}" ]
then
2015-01-30 22:45:56 +00:00
test ! -z "${has_new}" && do_accept_limit=1
2004-09-14 21:15:44 +00:00
else
2015-01-30 22:45:56 +00:00
test -z "${has_new}" && do_accept_limit=1
2004-09-14 21:15:44 +00:00
fi
# we have a match for NEW connections.
# redirect the traffic to a new chain, which will control
# the NEW connections while allowing all the other traffic
# to pass.
if [ "${do_accept_limit}" = "1" ]
then
2014-10-15 16:11:03 +00:00
local accept_limit_chain="`echo "ACC LIM ${freq} ${burst} ${overflow}" | tr " /." "___"`"
2004-09-14 21:15:44 +00:00
# does the chain we need already exist?
2015-01-03 05:45:19 +00:00
#if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}.${iptables_cmd}" ]
2015-01-03 13:42:15 +00:00
if [ -z "${FIREHOL_CHAINS[${accept_limit_chain}.${iptables_cmd}]}" ]
2004-09-14 21:15:44 +00:00
then
# the chain does not exist. create it.
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -N "${accept_limit_chain}"
2015-01-03 05:45:19 +00:00
FIREHOL_CHAINS[${accept_limit_chain}.${iptables_cmd}]="1"
#touch "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}.${iptables_cmd}"
2004-09-14 21:15:44 +00:00
# first, if the traffic is not a NEW connection, allow it.
# doing this first will speed up normal traffic.
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -A "${accept_limit_chain}" -m conntrack ! --ctstate NEW -j ACCEPT
2004-09-14 21:15:44 +00:00
# accept NEW connections within the given limits.
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -A "${accept_limit_chain}" -m limit --limit "${freq}" --limit-burst "${burst}" -j ACCEPT
2004-09-14 21:15:44 +00:00
# log the overflow NEW connections reaching this step within the new chain
2015-02-19 01:21:51 +00:00
prepare_iptables_log_arg "LIMIT OVERFLOW" || return 1
$iptables_cmd -t ${table} -A "${accept_limit_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${FIREHOL_LOG_IPTABLES_ARG[@]}"
2004-09-14 21:15:44 +00:00
# if the overflow is to be rejected is tcp, reject it with TCP-RESET
if [ "${overflow}" = "REJECT" ]
then
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -A "${accept_limit_chain}" -p tcp -j REJECT --reject-with tcp-reset
2004-09-14 21:15:44 +00:00
fi
# do the specified action on the overflow
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -A "${accept_limit_chain}" -j ${overflow}
2004-09-14 21:15:44 +00:00
fi
# send the rule to be generated to this chain
2015-01-30 22:45:56 +00:00
action=${accept_limit_chain}
2004-09-14 21:15:44 +00:00
fi
;;
2005-11-11 21:49:03 +00:00
"recent")
# limit NEW connections to the specified rate
2015-01-30 22:45:56 +00:00
local name="${action_param[1]}" \
seconds="${action_param[2]}" \
hits="${action_param[3]}"
2005-11-11 21:49:03 +00:00
# unset the action_param, so that if this rule does not include NEW connections,
# we will not append anything to the generated iptables statements.
2015-01-30 22:45:56 +00:00
action_param=()
2005-11-11 21:49:03 +00:00
# find is this rule matches NEW connections
local has_new=`echo "${state}" | grep -i NEW`
local do_accept_recent=0
if [ -z "${statenot}" ]
then
2015-01-30 22:45:56 +00:00
test ! -z "${has_new}" && do_accept_recent=1
2005-11-11 21:49:03 +00:00
else
2015-01-30 22:45:56 +00:00
test -z "${has_new}" && do_accept_recent=1
2005-11-11 21:49:03 +00:00
fi
# we have a match for NEW connections.
# redirect the traffic to a new chain, which will control
# the NEW connections while allowing all the other traffic
# to pass.
if [ "${do_accept_recent}" = "1" ]
then
2014-10-15 16:11:03 +00:00
local accept_recent_chain="`echo "ACC REC $name $seconds $hits" | tr " /." "___"`"
2005-11-11 21:49:03 +00:00
# does the chain we need already exist?
2015-01-03 05:45:19 +00:00
#if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}.${iptables_cmd}" ]
2015-01-03 13:42:15 +00:00
if [ -z "${FIREHOL_CHAINS[${accept_recent_chain}.${iptables_cmd}]}" ]
2005-11-11 21:49:03 +00:00
then
# the chain does not exist. create it.
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -N "${accept_recent_chain}"
2015-01-03 05:45:19 +00:00
FIREHOL_CHAINS[${accept_recent_chain}.${iptables_cmd}]="1"
#touch "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}.${iptables_cmd}"
2005-11-11 21:49:03 +00:00
# first, if the traffic is not a NEW connection, allow it.
# doing this first will speed up normal traffic.
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -A "${accept_recent_chain}" -m conntrack ! --ctstate NEW -j ACCEPT
2005-11-11 21:49:03 +00:00
# accept NEW connections within the given limits.
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -A "${accept_recent_chain}" -m recent --set --name "${name}"
2005-11-11 21:49:03 +00:00
2015-01-30 22:45:56 +00:00
local t1= t2=
test ! -z $seconds && t1="--seconds ${seconds}"
test ! -z $hits && t2="--hitcount ${hits}"
2005-11-11 21:49:03 +00:00
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -A "${accept_recent_chain}" -m recent --update ${t1} ${t2} --name "${name}" -j RETURN
$iptables_cmd -t ${table} -A "${accept_recent_chain}" -j ACCEPT
2005-11-11 21:49:03 +00:00
fi
# send the rule to be generated to this chain
2015-01-30 22:45:56 +00:00
action=${accept_recent_chain}
2005-11-11 21:49:03 +00:00
fi
;;
2004-12-22 23:05:57 +00:00
'knock')
# the name of the knock
local name="knock_${action_param[1]}"
# unset the action_param, so that if this rule does not include NEW connections,
# we will not append anything to the generated iptables statements.
2015-01-30 22:45:56 +00:00
action_param=()
2004-12-22 23:05:57 +00:00
# does the knock chain exists?
2015-01-03 05:45:19 +00:00
#if [ ! -f "${FIREHOL_CHAINS_DIR}/${name}.${iptables_cmd}" ]
2015-01-03 13:42:15 +00:00
if [ -z "${FIREHOL_CHAINS[${name}.${iptables_cmd}]}" ]
2004-12-22 23:05:57 +00:00
then
# the chain does not exist. create it.
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -N "${name}"
2015-01-03 05:45:19 +00:00
FIREHOL_CHAINS[${name}.${iptables_cmd}]="1"
#touch "${FIREHOL_CHAINS_DIR}/${name}.${iptables_cmd}"
2004-12-22 23:05:57 +00:00
2013-11-10 11:34:28 +00:00
$iptables_cmd -A "${name}" -m conntrack --ctstate ESTABLISHED -j ACCEPT
2004-12-23 18:43:03 +00:00
2004-12-22 23:05:57 +00:00
# knockd (http://www.zeroflux.org/knock/)
2004-12-23 18:43:03 +00:00
# will create more rules inside this chain to match NEW packets.
2004-12-22 23:05:57 +00:00
fi
# send the rule to be generated to this knock chain
2015-01-30 22:45:56 +00:00
action=${name}
2004-12-22 23:05:57 +00:00
;;
2004-09-14 21:15:44 +00:00
*)
2004-12-22 23:05:57 +00:00
error "Internal error. Cannot understand action ${action} with parameter '${action_param[0]}'."
2004-09-14 21:15:44 +00:00
return 1
;;
esac
fi
;;
2015-02-11 23:42:38 +00:00
SMART_REJECT)
2015-02-13 00:43:38 +00:00
local key="${iptables_cmd}.${table}"
2015-02-11 23:42:38 +00:00
key=${key// /_}; key=${key//-/_}; key=${key//\//_}
if [ -z "${SMART_REJECT_CREATED[$key]}" ]
2003-01-06 16:13:34 +00:00
then
2015-02-11 23:42:38 +00:00
SMART_REJECT_CREATED[$key]="1"
2015-02-13 00:43:38 +00:00
$iptables_cmd -t ${table} -N SMART_REJECT
$iptables_cmd -t ${table} -A SMART_REJECT -p tcp -j REJECT --reject-with tcp-reset
$iptables_cmd -t ${table} -A SMART_REJECT -j REJECT
2003-01-06 16:13:34 +00:00
fi
;;
esac
2015-02-06 20:43:23 +00:00
$iptables_cmd "${@}" -j "${action}" "${action_param[@]}"
2003-01-06 16:13:34 +00:00
}
2015-02-11 23:42:38 +00:00
PROGRAM_SPINNER_SPACES=' '
PROGRAM_SPINNER_BACKSPACES='\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b'
PROGRAM_SPINNER_LAST=0
PROGRAM_SPINNER='|/-\'
PROGRAM_SPINNER_RUNNING=0
PROGRAM_SPINNER_PREFIX="iptables rules:"
spinner()
{
local t="${PROGRAM_SPINNER_PREFIX} ${1}"
printf >&2 "${PROGRAM_SPINNER_BACKSPACES:0:$PROGRAM_SPINNER_LAST}"
PROGRAM_SPINNER_LAST=$(( (${#t} + 5) * 2 ))
local temp=${PROGRAM_SPINNER#?}
printf >&2 "[${t} %c] " "${PROGRAM_SPINNER}"
PROGRAM_SPINNER=$temp${PROGRAM_SPINNER%"$temp"}
PROGRAM_SPINNER_RUNNING=1
}
spinner_end() {
local last=$((PROGRAM_SPINNER_LAST / 2))
printf >&2 "${PROGRAM_SPINNER_BACKSPACES:0:$PROGRAM_SPINNER_LAST}"
printf >&2 "${PROGRAM_SPINNER_SPACES:0:$last}"
printf >&2 "${PROGRAM_SPINNER_BACKSPACES:0:$PROGRAM_SPINNER_LAST}"
PROGRAM_SPINNER_RUNNING=0
PROGRAM_SPINNER_LAST=0
}
2015-02-19 01:21:51 +00:00
# generate the LOG action parameters according to current logging mode
FIREHOL_LOG_IPTABLES_ARG=()
prepare_iptables_log_arg() {
case "${FIREHOL_LOG_MODE}" in
ULOG) FIREHOL_LOG_IPTABLES_ARG=("--ulog-prefix=${FIREHOL_LOG_ESCAPE}${FIREHOL_LOG_PREFIX}${*}:${FIREHOL_LOG_ESCAPE}") ;;
NFLOG) FIREHOL_LOG_IPTABLES_ARG=("--nflog-prefix=${FIREHOL_LOG_ESCAPE}${FIREHOL_LOG_PREFIX}${*}:${FIREHOL_LOG_ESCAPE}") ;;
LOG) FIREHOL_LOG_IPTABLES_ARG=("--log-level" "${loglevel}" "--log-prefix=${FIREHOL_LOG_ESCAPE}${FIREHOL_LOG_PREFIX}${*}:${FIREHOL_LOG_ESCAPE}");;
*) FIREHOL_LOG_IPTABLES_ARG=(); error "Invalid log mode ${FIREHOL_LOG_MODE}"; return 1;;
esac
return 0
}
FIREHOL_RULE_POSITIVE_STATEMENTS_GENERATED=0
2002-09-05 20:57:59 +00:00
rule() {
2015-02-07 15:28:43 +00:00
# echo >&2 " >>> ${FUNCNAME}: ${*}"
2015-02-02 23:36:15 +00:00
2015-01-30 22:45:56 +00:00
# defining these local variables together speeds FireHOL up by 4%
local failed=0 \
table= chain= \
2015-02-11 23:42:38 +00:00
inface=(any) infacenot= outface=(any) outfacenot= \
physin=(any) physinnot= physout=(any) physoutnot= \
mac=(any) macnot= \
src4=(default) src4not= dst4=(default) dst4not= \
src6=(default) src6not= dst6=(default) dst6not= \
2015-01-30 22:45:56 +00:00
srctype= srctypenot= dsttype= dsttypenot= \
2015-02-11 23:42:38 +00:00
sport=(any) sportnot= dport=(any) dportnot= \
proto=(any) protonot= \
uid=(any) uidnot= gid=(any) gidnot= \
mark=(any) marknot= markname= \
dscp=(any) dscptype= dscpnot= \
tos=(any) tosnot= \
2015-01-30 22:45:56 +00:00
log= logtxt= loglevel= \
2015-02-12 20:23:00 +00:00
limit= burst= connlimit= connlimit_mask= \
2015-01-30 22:45:56 +00:00
action= state= statenot= \
failed=0 reverse=0 \
swi=0 swo=0 \
custom= \
2015-02-02 23:36:15 +00:00
accounting= \
2015-02-08 20:59:41 +00:00
ipsetnot= ipsetname= ipsetflags= ipsetopts= \
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
inout= x= param= not= helper=() helpernot=
2002-12-01 04:34:00 +00:00
2003-01-13 23:31:03 +00:00
# if set to 1, all owner module options will be ignored
local noowner=0
2004-03-03 20:32:35 +00:00
# if set to 1, all mac options will be ignored
local nomac=0
2003-03-19 21:51:56 +00:00
# if set to 1, MIRROR will be converted to REJECT
local nomirror=0
2003-01-29 23:19:20 +00:00
# if set to 1, log and loglimit are ignored.
local nolog=0
2015-02-03 18:18:44 +00:00
# if set to 1, detection algorithm about overwriting optional rule
2003-01-08 23:33:25 +00:00
# parameters will take place.
local softwarnings=1
2015-02-13 00:43:38 +00:00
# if set to 1, rule() will may use the main chain
# for returning back
local return_if_not_matched=0
2003-01-22 20:54:05 +00:00
# set it, in order to be local
2015-02-07 06:46:46 +00:00
local -a action_param=() tmparray=()
2015-02-13 00:43:38 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# a copy of the protocols that should always be given
# to iptables when taking the action
2015-02-13 00:43:38 +00:00
local -a require_protocol_with_action=(any)
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# if set to 1, we will only process state NEW rules
local optimal=0
2003-01-08 23:33:25 +00:00
2015-02-15 18:30:34 +00:00
local push_flow_inheritance_type= positive_rule_number=
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2002-11-30 22:53:55 +00:00
while [ ! -z "${1}" ]
2002-09-05 20:57:59 +00:00
do
2015-02-11 23:42:38 +00:00
param="${1,,}" # to lowercase
2015-02-07 15:28:43 +00:00
2015-02-11 23:42:38 +00:00
not=
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ "${2,,}" = "not" -o "${2}" = "!" ]
2015-02-11 23:42:38 +00:00
then
not="!"
shift 2
else
shift
fi
2015-02-08 08:44:00 +00:00
2015-02-11 23:42:38 +00:00
case "${param}" in
reverse) reverse=1 ;;
nolog) nolog=1 ;;
noowner) noowner=1 ;;
softwarnings) softwarnings=1 ;;
nosoftwarnings) softwarnings=0 ;;
set_work_inface) swi=1 ;;
set_work_outface) swo=1 ;;
2015-02-13 00:43:38 +00:00
return_if_not_matched) return_if_not_matched=1 ;;
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
optimal) optimal=1 ;;
accurate) optimal=0 ;;
push_flow_inheritance) push_flow_inheritance_type="${1}"; shift ;;
2015-02-19 01:21:51 +00:00
insert) positive_rule_number=1 ;;
insert_at) positive_rule_number="${1}"; shift ;;
2015-02-08 08:44:00 +00:00
2015-02-11 23:42:38 +00:00
in) # this is incoming traffic - ignore packet ownership
inout="in"
noowner=1
nomirror=0
nomac=0
2002-09-05 20:57:59 +00:00
;;
2015-02-11 23:42:38 +00:00
out) # this is outgoing traffic - ignore packet ownership if not in an interface
inout="out"
if [ ! "${work_cmd}" = "interface" ]
2002-09-05 20:57:59 +00:00
then
2015-02-11 23:42:38 +00:00
noowner=1
2002-09-05 20:57:59 +00:00
else
2015-02-11 23:42:38 +00:00
nomirror=1
2002-09-05 20:57:59 +00:00
fi
2015-02-11 23:42:38 +00:00
nomac=1
2002-09-05 20:57:59 +00:00
;;
2015-02-11 23:42:38 +00:00
table) test ${softwarnings} -eq 1 -a ! -z "${table}" && softwarning "Overwriting param: ${1} '${chain}' becomes '${1}'"
2015-02-13 00:43:38 +00:00
table="${1}"
2002-09-05 20:57:59 +00:00
shift
;;
2015-02-11 23:42:38 +00:00
chain) test ${softwarnings} -eq 1 -a ! -z "${chain}" && softwarning "Overwriting param: ${1} '${chain}' becomes '${1}'"
chain="${1}"
2003-10-16 22:05:22 +00:00
shift
;;
2015-02-11 23:42:38 +00:00
inface|outface)
if [ \( "${param}" = "inface" -a ${reverse} -eq 0 \) -o \( "${param}" = "outface" -a ${reverse} -eq 1 \) ]
2003-10-16 22:05:22 +00:00
then
2015-02-11 23:42:38 +00:00
infacenot="${not}"
test ${softwarnings} -eq 1 -a ! "${inface[*]}" = "any" && softwarning "Overwriting param: inface '${inface[*]}' becomes '${1}'"
inface=(${1//,/ })
[ -z "${infacenot}" -a ${swi} -eq 1 ] && work_inface="${inface[*]}"
test -z "${inface[*]}" && error "Cannot accept an empty 'inface'." && return 1
2003-10-16 22:05:22 +00:00
else
2015-02-11 23:42:38 +00:00
outfacenot="${not}"
2015-02-22 05:35:29 +00:00
test ${softwarnings} -eq 1 -a ! "${outface[*]}" = "any" && softwarning "Overwriting param: outface '${outface[*]}' becomes '${1}'"
2015-02-11 23:42:38 +00:00
outface=(${1//,/ })
[ -z "${outfacenot}" -a ${swo} -eq 1 ] && work_outface="${outface[*]}"
test -z "${outface[*]}" && error "Cannot accept an empty 'outface'." && return 1
2003-10-16 22:05:22 +00:00
fi
shift
;;
2015-02-11 23:42:38 +00:00
physin|physout)
if [ \( "${param}" = "physin" -a ${reverse} -eq 0 \) -o \( "${param}" = "physout" -a ${reverse} -eq 1 \) ]
2003-06-18 22:56:24 +00:00
then
2015-02-11 23:42:38 +00:00
physinnot="${not}"
test ${softwarnings} -eq 1 -a ! "${physin[*]}" = "any" && softwarning "Overwriting param: physin '${physin[*]}' becomes '${1}'"
physin=(${1//,/ })
test -z "${physin[*]}" && error "Cannot accept an empty 'physin'." && return 1
else
physoutnot="${not}"
test ${softwarnings} -eq 1 -a ! "${physout[*]}" = "any" && softwarning "Overwriting param: physout '${physout[*]}' becomes '${1}'"
physout=(${1//,/ })
test -z "${physout[*]}" && error "Cannot accept an empty 'physout'." && return 1
2003-06-18 22:56:24 +00:00
fi
shift
;;
2015-02-11 23:42:38 +00:00
mac)
macnot="${not}"
test ${softwarnings} -eq 1 -a ! "${mac[*]}" = "any" && softwarning "Overwriting param: mac '${mac[*]}' becomes '${1}'"
test ${nomac} -eq 0 && mac=(${1//,/ })
2002-09-05 20:57:59 +00:00
shift
2015-02-11 23:42:38 +00:00
test -z "${mac[*]}" && error "Cannot accept an empty 'mac'." && return 1
2002-09-05 20:57:59 +00:00
;;
2015-02-11 23:42:38 +00:00
src|src4|src6|dst|dst4|dst6)
2015-02-15 21:00:36 +00:00
if [ "${param/*4/4}" = "4" ]; then push_namespace ipv4 || return 1;
elif [ "${param/*6/6}" = "6" ]; then push_namespace ipv6 || return 1;
else push_namespace "${FIREHOL_NS_CURR}" || return 1; fi
2015-02-15 21:39:33 +00:00
2015-02-11 23:42:38 +00:00
if [ \( "${param//src*/src}" = "src" -a ${reverse} -eq 0 \) -o \( "${param/dst*/dst}" = "dst" -a ${reverse} -eq 1 \) ]
2002-09-05 20:57:59 +00:00
then
2015-02-15 19:29:58 +00:00
if running_ipv4
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
then
2015-02-11 23:42:38 +00:00
src4not="${not}"
test ${softwarnings} -eq 1 -a ! "${src4[*]}" = "default" && softwarning "Overwriting param: src4 '${src4[*]}' becomes '${1}'"
src4=(${1//,/ })
test -z "${src4[*]}" && error "Cannot accept an empty 'src4'." && return 1
2015-02-15 19:29:58 +00:00
fi
if running_ipv6
then
2015-02-11 23:42:38 +00:00
src6not="${not}"
test ${softwarnings} -eq 1 -a ! "${src6[*]}" = "default" && softwarning "Overwriting param: src6 '${src6[*]}' becomes '${1}'"
src6=(${1//,/ })
test -z "${src6[*]}" && error "Cannot accept an empty 'src6'." && return 1
2002-09-05 20:57:59 +00:00
fi
else
2015-02-15 19:29:58 +00:00
if running_ipv4
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
then
2015-02-11 23:42:38 +00:00
dst4not="${not}"
test ${softwarnings} -eq 1 -a ! "${dst4[*]}" = "default" && softwarning "Overwriting param: dst4 '${dst4[*]}' becomes '${1}'"
dst4=(${1//,/ })
test -z "${dst4[*]}" && error "Cannot accept an empty 'dst4'." && return 1
2015-02-15 19:29:58 +00:00
fi
if running_ipv6
then
2015-02-11 23:42:38 +00:00
dst6not="${not}"
test ${softwarnings} -eq 1 -a ! "${dst6[*]}" = "default" && softwarning "Overwriting param: dst6 '${dst6[*]}' becomes '${1}'"
dst6=(${1//,/ })
test -z "${dst6[*]}" && error "Cannot accept an empty 'dst6'." && return 1
2002-09-05 20:57:59 +00:00
fi
fi
shift
2015-02-15 21:00:36 +00:00
pop_namespace
2002-09-05 20:57:59 +00:00
;;
2015-02-11 23:42:38 +00:00
srctype|dsttype)
if [ \( "${param}" = "srctype" -a ${reverse} -eq 0 \) -o \( "${param}" = "dsttype" -a ${reverse} -eq 1 \) ]
2005-04-18 22:38:23 +00:00
then
2015-02-11 23:42:38 +00:00
srctypenot="${not}"
test ${softwarnings} -eq 1 -a ! -z "${srctype[*]}" && softwarning "Overwriting param: srctype '${srctype[*]}' becomes '${1}'"
2015-02-07 06:46:46 +00:00
tmparray=( ${1^^} ); srctype="${tmparray[*]}"; srctype="${srctype// /,}"
2005-04-18 22:38:23 +00:00
else
2015-02-11 23:42:38 +00:00
dsttypenot="${not}"
test ${softwarnings} -eq 1 -a ! -z "${dsttype}" && softwarning "Overwriting param: dsttype '${dsttype}' becomes '${1}'"
2015-02-07 06:46:46 +00:00
tmparray=( ${1^^} ); dsttype="${tmparray[*]}"; dsttype="${dsttype// /,}"
2005-04-18 22:38:23 +00:00
fi
shift
;;
2015-02-11 23:42:38 +00:00
sport|dport)
if [ \( "${param}" = "sport" -a ${reverse} -eq 0 \) -o \( "${param}" = "dport" -a ${reverse} -eq 1 \) ]
2005-04-18 22:38:23 +00:00
then
2015-02-11 23:42:38 +00:00
sportnot="${not}"
test ${softwarnings} -eq 1 -a ! "${sport[*]}" = "any" && softwarning "Overwriting param: sport '${sport[*]}' becomes '${1}'"
sport=(${1//,/ })
test -z "${sport[*]}" && error "Cannot accept an empty 'sport'." && return 1
2005-04-18 22:38:23 +00:00
else
2015-02-11 23:42:38 +00:00
dportnot="${not}"
test ${softwarnings} -eq 1 -a ! "${dport[*]}" = "any" && softwarning "Overwriting param: dport '${dport[*]}' becomes '${1}'"
dport=(${1//,/ })
test -z "${dport[*]}" && error "Cannot accept an empty 'dport'." && return 1
2005-04-18 22:38:23 +00:00
fi
shift
;;
2015-02-11 23:42:38 +00:00
proto|protocol)
protonot="${not}"
test ${softwarnings} -eq 1 -a ! "${proto[*]}" = "any" && softwarning "Overwriting param: proto '${proto[*]}' becomes '${1}'"
proto=(${1//,/ })
shift
test -z "${proto[*]}" && error "Cannot accept an empty 'proto'." && return 1
;;
custommark)
marknot="${not}"
markname="${1}"; shift
test ${softwarnings} -eq 1 -a ! "${mark[*]}" = "any" && softwarning "Overwriting param: mark '${mark[*]}' becomes ${markname} '${1}'"
mark=
for x in ${1//,/ }
do
mark=("${mark[@]}" "$(mark_value $markname ${x})")
done
test -z "${mark[*]}" && error "Cannot accept an empty 'mark'." && return 1
shift
;;
2005-04-18 22:38:23 +00:00
2015-02-11 23:42:38 +00:00
mark)
marknot="${not}"
test ${softwarnings} -eq 1 -a ! "${mark[*]}" = "any" && softwarning "Overwriting param: mark '${mark[*]}' becomes usermark '${1}'"
mark=
for x in ${1//,/ }
do
mark=("${mark[@]}" "$(mark_value usermark ${x})")
done
test -z "${mark[*]}" && error "Cannot accept an empty 'mark'." && return 1
2002-09-05 20:57:59 +00:00
shift
2015-02-11 23:42:38 +00:00
;;
connmark)
marknot="${not}"
test ${softwarnings} -eq 1 -a ! "${mark[*]}" = "any" && softwarning "Overwriting param: mark '${mark[*]}' becomes connmark '${1}'"
mark=
for x in ${1//,/ }
do
mark=("${mark[@]}" "$(mark_value connmark ${x})")
done
test -z "${mark[*]}" && error "Cannot accept an empty 'mark'." && return 1
2002-09-05 20:57:59 +00:00
shift
;;
2015-02-11 23:42:38 +00:00
rawmark)
marknot="${not}"
test ${softwarnings} -eq 1 -a ! "${mark[*]}" = "any" && softwarning "Overwriting param: mark '${mark[*]}' becomes '${1}'"
mark=(${1//,/ })
test -z "${mark[*]}" && error "Cannot accept an empty 'mark'." && return 1
2002-09-05 20:57:59 +00:00
shift
2015-02-11 23:42:38 +00:00
;;
tos)
tosnot="${not}"
test ${softwarnings} -eq 1 -a ! "${tos[*]}" = "any" && softwarning "Overwriting param: tos '${tos[*]}' becomes '${1}'"
tos=(${1//,/ })
test -z "${tos[*]}" && error "Cannot accept an empty 'tos'." && return 1
2002-09-05 20:57:59 +00:00
shift
;;
2015-02-11 23:42:38 +00:00
dscp)
dscpnot="${not}"
test ${softwarnings} -eq 1 -a ! "${dscp[*]}" = "any" && softwarning "Overwriting param: dscp '${dscp[*]}' becomes '${1}'"
dscp=(${1//,/ })
2002-09-05 20:57:59 +00:00
shift
2015-02-11 23:42:38 +00:00
if [ "${dscp[*]}" = "class" ]
2002-09-05 20:57:59 +00:00
then
2015-02-11 23:42:38 +00:00
dscptype="-class"
dscp=(${1//,/ })
2002-09-05 20:57:59 +00:00
shift
fi
2015-02-11 23:42:38 +00:00
test -z "${dscp[*]}" && error "Cannot accept an empty 'dscp'." && return 1
;;
state)
statenot="${not}"
test ${softwarnings} -eq 1 -a ! -z "${state}" && softwarning "Overwriting param: state '${state}' becomes '${1}'"
state="${1^^}"
2002-09-05 20:57:59 +00:00
shift
;;
2015-01-22 22:34:22 +00:00
2015-02-11 23:42:38 +00:00
user|uid)
uidnot="${not}"
test ${softwarnings} -eq 1 -a ! "${uid[*]}" = "any" && softwarning "Overwriting param: uid '${uid[*]}' becomes '${1}'"
uid=(${1//,/ })
test -z "${uid[*]}" && error "Cannot accept an empty 'uid'." && return 1
2015-01-22 22:34:22 +00:00
shift
2015-02-11 23:42:38 +00:00
;;
group|gid)
gidnot="${not}"
test ${softwarnings} -eq 1 -a ! "${gid[*]}" = "any" && softwarning "Overwriting param: gid '${gid[*]}' becomes '${1}'"
gid=(${1//,/ })
test -z "${gid[*]}" && error "Cannot accept an empty 'gid'." && return 1
2015-01-22 22:34:22 +00:00
shift
2015-02-11 23:42:38 +00:00
;;
2015-02-12 21:02:13 +00:00
2015-02-11 23:42:38 +00:00
custom)
2015-02-12 21:02:13 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate a custom match. 'not' ignored."
2015-02-11 23:42:38 +00:00
test ${softwarnings} -eq 1 -a ! -z "${custom}" && softwarning "Overwriting param: custom '${custom}' becomes '${1}'"
custom="${1}"
2015-01-19 19:28:43 +00:00
shift
2015-02-11 23:42:38 +00:00
;;
customin|custom-in)
2015-02-12 21:02:13 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate a custom match. 'not' ignored."
2015-02-11 23:42:38 +00:00
if [ "${inout}" = "in" ]
2015-01-19 19:28:43 +00:00
then
2015-02-11 23:42:38 +00:00
test ${softwarnings} -eq 1 -a ! -z "${custom}" && softwarning "Overwriting param: custom '${custom}' becomes '${1}'"
custom="${1}"
2015-01-19 19:28:43 +00:00
fi
shift
;;
2015-02-11 23:42:38 +00:00
customout|custom-out)
2015-02-12 21:02:13 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate a custom match. 'not' ignored."
2015-02-11 23:42:38 +00:00
if [ "${inout}" = "out" ]
2015-01-19 19:28:43 +00:00
then
2015-02-11 23:42:38 +00:00
test ${softwarnings} -eq 1 -a ! -z "${custom}" && softwarning "Overwriting param: custom '${custom}' becomes '${1}'"
custom="${1}"
2015-01-19 19:28:43 +00:00
fi
2004-10-31 02:21:02 +00:00
shift
;;
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
helper)
helpernot="${not}"
test ${softwarnings} -eq 1 -a ! -z "${helper[*]}" && softwarning "Overwriting param: helper '${helper[*]}' becomes '${1}'"
helper=(${1//,/ })
shift
;;
2004-10-31 02:21:02 +00:00
2015-02-11 23:42:38 +00:00
log)
2015-02-12 21:02:13 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate a log. 'not' ignored."
2015-02-11 23:42:38 +00:00
if [ ${nolog} -eq 0 ]
2004-10-31 02:21:02 +00:00
then
2015-02-11 23:42:38 +00:00
test ${softwarnings} -eq 1 -a ! -z "${log}" && softwarning "Overwriting param: log '${log}/${logtxt}' becomes 'normal/${1}'"
log=normal
2015-02-19 01:21:51 +00:00
logtxt="${1}"
2004-10-31 02:21:02 +00:00
fi
shift
2015-02-11 23:42:38 +00:00
if [ "${1}" = "level" ]
then
loglevel="${2}"
shift 2
else
loglevel="${FIREHOL_LOG_LEVEL}"
fi
2004-10-31 02:21:02 +00:00
;;
2015-02-11 23:42:38 +00:00
loglimit)
2015-02-12 21:02:13 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate a log. 'not' ignored."
2015-02-11 23:42:38 +00:00
if [ ${nolog} -eq 0 ]
2004-10-31 02:21:02 +00:00
then
2015-02-11 23:42:38 +00:00
test ${softwarnings} -eq 1 -a ! -z "${log}" && softwarning "Overwriting param: log '${log}/${logtxt}' becomes 'limit/${1}'"
log=limit
2015-02-19 01:21:51 +00:00
logtxt="${1}"
2004-10-31 02:21:02 +00:00
fi
shift
2015-02-11 23:42:38 +00:00
if [ "${1}" = "level" ]
2004-10-31 02:21:02 +00:00
then
2015-02-11 23:42:38 +00:00
loglevel="${2}"
shift 2
else
loglevel="${FIREHOL_LOG_LEVEL}"
2004-10-31 02:21:02 +00:00
fi
;;
2015-02-11 23:42:38 +00:00
limit)
2015-02-12 21:02:13 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate a limit. 'not' ignored."
2015-02-11 23:42:38 +00:00
test ${softwarnings} -eq 1 -a ! -z "${limit}" && softwarning "Overwriting param: limit '${limit}' becomes '${1}'"
limit="${1}"
burst="${2}"
shift 2
;;
2015-02-12 20:23:00 +00:00
connlimit|iplimit)
2015-02-12 21:02:13 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate a connlimit. 'not' ignored."
2015-02-12 20:23:00 +00:00
test ${softwarnings} -eq 1 -a ! -z "${connlimit}" && softwarning "Overwriting param: connlimit '${connlimit}' becomes '${1}'"
connlimit="${1}"
connlimit_mask="${2}"
2015-02-11 23:42:38 +00:00
shift 2
;;
acct|accounting)
2015-02-12 21:02:13 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate an accounting. 'not' ignored."
2015-02-11 23:42:38 +00:00
if [ ${ENABLE_ACCOUNTING} -eq 1 ]
2015-02-08 20:59:41 +00:00
then
2015-02-11 23:42:38 +00:00
accounting="$2"
FIREHOL_NFACCT[$accounting]="1"
elif [ ${ACCOUNTING_WARNING} -eq 1 ]
then
softwarning "Accounting is requested, but accounting is disabled. Is nfacct installed?"
ACCOUNTING_WARNING=0
2015-02-08 20:59:41 +00:00
fi
2015-02-11 23:42:38 +00:00
shift
;;
ipset)
ipsetnot="${not}"
2015-02-08 20:59:41 +00:00
ipsetname="${1}"
ipsetflags="${2}"
shift 2
ipsetopts=
while [ ! -z "${1}" ]
do
case "${1}" in
options)
ipsetopts="${ipsetopts} ${2}"
shift 2
;;
2015-02-10 22:26:11 +00:00
no-counters)
ipsetopts="${ipsetopts} ! --update-counters ! --update-subcounters"
shift
;;
2015-02-08 20:59:41 +00:00
bytes-above|bytes-gt)
ipsetopts="${ipsetopts} --bytes-gt ${2}"
shift 2
;;
bytes|bytes-eq)
ipsetopts="${ipsetopts} --bytes-eq ${2}"
shift 2
;;
2015-02-10 22:26:11 +00:00
bytes-different-than|bytes-not-eq)
ipsetopts="${ipsetopts} ! --bytes-eq ${2}"
shift 2
;;
2015-02-08 20:59:41 +00:00
bytes-below|bytes-lt)
ipsetopts="${ipsetopts} --bytes-lt ${2}"
shift 2
;;
packets-above|packets-gt)
ipsetopts="${ipsetopts} --packets-gt ${2}"
shift 2
;;
packets|packets-eq)
ipsetopts="${ipsetopts} --packets-eq ${2}"
shift 2
;;
2015-02-10 22:26:11 +00:00
packets-different-than|packets-not-eq)
ipsetopts="${ipsetopts} ! --packets-eq ${2}"
shift 2
;;
2015-02-08 20:59:41 +00:00
packets-below|packets-lt)
ipsetopts="${ipsetopts} --packets-lt ${2}"
shift 2
;;
*) break
;;
esac
done
;;
2004-10-31 02:21:02 +00:00
2015-02-11 23:42:38 +00:00
action)
2015-02-03 18:18:44 +00:00
test ${softwarnings} -eq 1 -a ! -z "${action}" && softwarning "Overwriting param: action '${action}' becomes '${2}'"
2015-02-11 23:42:38 +00:00
test ${softwarnings} -eq 1 -a ! -z "${not}" && softwarning "Cannot negate an action. 'not' ignored."
action="${1}"
shift
2003-01-06 16:13:34 +00:00
2015-01-30 22:45:56 +00:00
action_param=()
2003-01-06 16:13:34 +00:00
local action_is_chain=0
2015-02-12 20:23:00 +00:00
case "${action^^}" in
DENY) action="DROP" ;;
DROP) action="DROP" ;;
RETURN) action="RETURN" ;;
NONE) action="NONE" ;;
TARPIT) action="TARPIT" ;;
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
CT) action="CT"
if [ ! "${table}" = "raw" ]
then
error "${action} must on a the 'raw' table but table ${table} is given."
return 1
fi
2015-02-15 18:30:34 +00:00
while [ ! -z "${1}" ]
do
case "${1}" in
helper|--helper) action_param=("${action_param[@]}" "--helper" "${2}"); shift 2 ;;
notrack|--notrack) action_param=("${action_param[@]}" "--notrack"); shift ;;
*) break ;;
esac
done
if [ -z "${action_param[*]}" ]
then
error "${action} cannot work without any arguments."
return 1
fi
;;
SYNPROXY)
action="SYNPROXY"
2015-02-15 21:39:33 +00:00
if [ ! "${proto[*]}" = "tcp" ]
then
error "SYNPROXY cannot only be used with TCP, but proto is ${proto[*]}."
return 1
fi
require_protocol_with_action=("${proto[@]}")
2015-02-15 18:30:34 +00:00
while [ ! -z "${1}" ]
do
case "${1}" in
sack-perm|--sack-perm) action_param=("${action_param[@]}" "--sack-perm"); shift ;;
timestamp|--timestamp) action_param=("${action_param[@]}" "--timestamp"); shift ;;
wscale|--wscale) action_param=("${action_param[@]}" "--wscale" "${2}"); shift 2 ;;
mss|--mss) action_param=("${action_param[@]}" "--mss" "${2}"); shift 2 ;;
*) break ;;
esac
done
if [ -z "${action_param[*]}" ]
then
error "${action} cannot work without any arguments."
return 1
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
;;
2015-02-12 20:23:00 +00:00
ACCEPT) action="ACCEPT"
2004-09-14 21:15:44 +00:00
if [ "${1}" = "with" ]
then
shift
case "${1}" in
limit|LIMIT)
2015-01-30 22:45:56 +00:00
action_param=("limit" "${2}" "${3}")
2004-09-14 21:15:44 +00:00
shift 3
if [ "${1}" = "overflow" ]
then
2015-01-30 22:45:56 +00:00
action_param[3]="overflow"
action_param[4]="${2}"
2004-09-14 21:15:44 +00:00
shift 2
fi
;;
2005-11-11 21:49:03 +00:00
recent|RECENT)
2015-01-30 22:45:56 +00:00
action_param=("recent" "${2}" "${3}" "${4}")
2005-11-11 21:49:03 +00:00
shift 4
;;
2004-12-22 23:05:57 +00:00
knock|KNOCK)
2015-01-30 22:45:56 +00:00
action_param=("knock" "${2}")
2004-12-22 23:05:57 +00:00
shift 2
;;
2004-09-14 21:15:44 +00:00
*)
error "Cannot understand action's '${action}' directive '${1}'"
return 1
;;
esac
fi
2003-01-06 16:13:34 +00:00
;;
2015-02-12 20:23:00 +00:00
REJECT) action="REJECT"
2003-01-06 16:13:34 +00:00
if [ "${1}" = "with" ]
then
2015-01-30 22:45:56 +00:00
action_param=("--reject-with" "${2}")
2003-01-06 16:13:34 +00:00
shift 2
else
2015-01-30 22:45:56 +00:00
action_param=("--reject-with" "auto")
2003-01-06 16:13:34 +00:00
fi
;;
2015-02-12 20:23:00 +00:00
MIRROR) action="MIRROR"
2003-03-19 21:51:56 +00:00
test $nomirror -eq 1 && action="REJECT"
2003-01-06 16:13:34 +00:00
;;
2015-02-12 20:23:00 +00:00
MASQUERADE)
2015-02-02 21:28:35 +00:00
action="MASQUERADE"
2015-02-13 00:43:38 +00:00
if [ ! "${table}" = "nat" ]
2015-02-02 21:28:35 +00:00
then
2015-02-13 00:43:38 +00:00
error "${action} must on a the 'nat' table but table ${table} is given."
2015-02-02 21:28:35 +00:00
return 1
fi
while [ ! -z "${1}" ]
do
case "${1}" in
ports|to-ports|--to-ports)
action_param=( "${action_param[@]}" "--to-ports" "${2//:/-}" )
# ports need a protocol: either tcp or udp (or both if unset)
test "${proto}" = "any" && proto="tcp udp"
2015-04-24 17:39:09 +00:00
require_protocol_with_action=("${proto[@]}")
2015-02-02 21:28:35 +00:00
shift 2
;;
random|--random)
action_param=( "${action_param[@]}" "--random" )
shift
;;
*) break
;;
esac
done
;;
2015-02-12 20:23:00 +00:00
SNAT) action="SNAT"
2015-02-13 00:43:38 +00:00
if [ ! "${table}" = "nat" ]
2015-02-02 21:28:35 +00:00
then
2015-02-13 00:43:38 +00:00
error "${action} must on a the 'nat' table but table ${table} is given."
2015-02-02 21:28:35 +00:00
return 1
fi
2015-02-02 21:59:49 +00:00
local hasto=0
while [ ! -z "${1}" ]
do
case "${1}" in
to|to-source|--to-source)
action_param=( "${action_param[@]}" "--to-source" "${2}" )
# ports need a protocol: either tcp or udp (or both if unset)
2015-04-24 17:39:09 +00:00
if [[ "${2}" =~ ":" ]]
then
[ "${proto}" = "any" ] && proto="tcp udp"
require_protocol_with_action=("${proto[@]}")
fi
2015-02-02 21:59:49 +00:00
hasto=1
shift 2
;;
random|--random)
action_param=( "${action_param[@]}" "--random" )
shift
;;
persistent|--persistent)
action_param=( "${action_param[@]}" "--persistent" )
shift
;;
*) break
;;
esac
done
if [ $hasto -eq 0 ]
2003-01-16 00:33:26 +00:00
then
2003-01-30 21:36:07 +00:00
error "${action} requires a 'to' argument."
return 1
fi
2015-02-02 21:28:35 +00:00
;;
2015-02-12 20:23:00 +00:00
DNAT) action="DNAT"
2015-02-13 00:43:38 +00:00
if [ ! "${table}" = "nat" ]
2003-01-30 21:36:07 +00:00
then
2015-02-13 00:43:38 +00:00
error "${action} must on a the 'nat' table but table ${table} is given."
2003-01-16 00:33:26 +00:00
return 1
fi
2015-02-02 21:59:49 +00:00
local hasto=0
while [ ! -z "${1}" ]
do
case "${1}" in
to|to-destination|--to-destination)
action_param=( "${action_param[@]}" "--to-destination" "${2}" )
# ports need a protocol: either tcp or udp (or both if unset)
2015-04-24 17:39:09 +00:00
if [[ "${2}" =~ ":" ]]
then
[ "${proto}" = "any" ] && proto="tcp udp"
require_protocol_with_action=("${proto[@]}")
fi
2015-02-02 21:59:49 +00:00
hasto=1
shift 2
;;
random|--random)
action_param=( "${action_param[@]}" "--random" )
shift
;;
persistent|--persistent)
action_param=( "${action_param[@]}" "--persistent" )
shift
;;
*) break
;;
esac
done
if [ $hasto -eq 0 ]
2003-01-16 00:33:26 +00:00
then
2015-02-02 21:59:49 +00:00
error "${action} requires a 'to' argument."
2003-01-30 21:36:07 +00:00
return 1
fi
2003-01-16 00:33:26 +00:00
;;
2015-02-12 20:23:00 +00:00
REDIRECT)
2015-01-30 22:45:56 +00:00
action="REDIRECT"
2015-02-13 00:43:38 +00:00
require_protocol_with_action=("${proto[@]}")
if [ ! "${table}" = "nat" ]
2003-01-16 00:33:26 +00:00
then
2015-02-13 00:43:38 +00:00
error "${action} must on a the 'nat' table but table ${table} is given."
2003-01-30 21:36:07 +00:00
return 1
fi
2015-02-02 21:59:49 +00:00
local hasto=0
while [ ! -z "${1}" ]
do
case "${1}" in
to|to-port|--to-port|to-ports|--to-ports)
action_param=( "${action_param[@]}" "--to-ports" "${2}" )
# ports need a protocol: either tcp or udp (or both if unset)
2015-02-03 10:31:57 +00:00
test "${proto}" = "any" && proto="tcp udp"
2015-04-24 17:39:09 +00:00
require_protocol_with_action=("${proto[@]}")
2015-02-02 21:59:49 +00:00
hasto=1
shift 2
;;
random|--random)
action_param=( "${action_param[@]}" "--random" )
shift
;;
*) break
;;
esac
done
if [ $hasto -eq 0 ]
2003-01-30 21:36:07 +00:00
then
2015-02-02 21:59:49 +00:00
error "${action} requires a 'to' argument."
2003-01-30 21:36:07 +00:00
return 1
fi
;;
2015-02-12 20:23:00 +00:00
TPROXY) action="TPROXY"
2015-01-30 22:45:56 +00:00
action_param=()
2014-03-25 21:13:20 +00:00
if [ "${1}" = "mark" -o "${1}" = "tproxy-mark" ]
then
2015-01-30 22:45:56 +00:00
action_param=("--tproxy-mark" "${2}")
2014-03-25 21:13:20 +00:00
shift 2
fi
if [ "${1}" = "on-port" -o "${1}" = "to-port" -o "${1}" = "to" ]
then
2015-01-30 22:45:56 +00:00
action_param=("${action_param[@]}" "--on-port" "${2}")
2014-03-25 21:13:20 +00:00
shift 2
else
error "${action} requires a 'on-port' or 'on-ip' argument."
return 1
fi
2014-03-25 21:42:13 +00:00
if [ "${1}" = "on-ip" -o "${1}" = "to-ip" ]
then
2015-01-30 22:45:56 +00:00
action_param=("${action_param[@]}" "--on-ip" "${2}")
2014-03-25 21:42:13 +00:00
shift 2
fi
2015-02-13 00:43:38 +00:00
if [ ! "${table}" = "mangle" ]
2014-03-25 21:13:20 +00:00
then
error "${action} cannot be on '$table', only on a the 'mangle' table."
return 1
fi
;;
2015-02-12 20:23:00 +00:00
TOS) action="TOS"
2003-01-30 21:36:07 +00:00
if [ "${1}" = "to" ]
then
2015-01-30 22:45:56 +00:00
action_param=("--set-tos" "${2}")
2003-01-30 21:36:07 +00:00
shift 2
else
error "${action} requires a 'to' argument"
return 1
fi
2015-02-13 00:43:38 +00:00
if [ ! "${table}" = "mangle" ]
2003-01-30 21:36:07 +00:00
then
2015-02-13 00:43:38 +00:00
error "${action} cannot be on '$table', only on a the 'mangle' table."
2003-01-30 21:36:07 +00:00
return 1
fi
;;
2015-02-12 20:23:00 +00:00
MARK) action="MARK"
2003-01-30 21:36:07 +00:00
if [ "${1}" = "to" ]
then
2015-01-30 22:45:56 +00:00
action_param=("--set-mark" "${2}")
2003-01-30 21:36:07 +00:00
shift 2
else
error "${action} requires a 'to' argument"
return 1
fi
2015-02-13 00:43:38 +00:00
if [ ! "${table}" = "mangle" ]
2003-01-30 21:36:07 +00:00
then
2015-02-13 00:43:38 +00:00
error "${action} cannot be on '$table', only on a the 'mangle' table."
2003-01-16 00:33:26 +00:00
return 1
fi
;;
2015-02-12 20:23:00 +00:00
CONNMARK)
2015-01-30 22:45:56 +00:00
action="CONNMARK"
2014-03-12 22:20:00 +00:00
case "${1}" in
to)
2015-01-30 22:45:56 +00:00
action_param=("--set-mark" "${2}")
2014-03-12 22:20:00 +00:00
shift 2
;;
save)
if [ "${2}" = "mask" ]
then
2015-01-30 22:45:56 +00:00
action_param=("--save-mark" "--mask" "${3}")
2014-03-12 22:20:00 +00:00
shift 3
else
2015-01-30 22:45:56 +00:00
action_param=("--save-mark")
2014-03-12 22:20:00 +00:00
shift 1
fi
;;
restore)
if [ "${2}" = "mask" ]
then
2015-01-30 22:45:56 +00:00
action_param=("--restore-mark" "--mask" "${3}")
2014-03-12 22:20:00 +00:00
shift 3
else
2015-01-30 22:45:56 +00:00
action_param=("--restore-mark")
2014-03-12 22:20:00 +00:00
shift 1
fi
;;
*)
error "${action} requires a either 'to', 'save' or 'restore' argument"
return 1
;;
esac
2015-02-13 00:43:38 +00:00
if [ ! "${table}" = "mangle" ]
2014-03-12 22:20:00 +00:00
then
2015-02-13 00:43:38 +00:00
error "${action} cannot be on '$table', only on a the 'mangle' table."
2014-03-12 22:20:00 +00:00
return 1
fi
;;
2015-02-12 20:23:00 +00:00
DSCP) action="DSCP"
2004-10-31 02:21:02 +00:00
if [ "${1}" = "to" ]
then
if [ "${2}" = "class" ]
then
2015-01-30 22:45:56 +00:00
action_param=("--set-dscp-class" "${2}")
2004-10-31 02:21:02 +00:00
shift
else
2015-01-30 22:45:56 +00:00
action_param=("--set-dscp" "${2}")
2004-10-31 02:21:02 +00:00
fi
shift 2
else
error "${action} requires a 'to' argument"
return 1
fi
2015-02-13 00:43:38 +00:00
if [ ! "${table}" = "mangle" ]
2004-10-31 02:21:02 +00:00
then
2015-02-13 00:43:38 +00:00
error "${action} cannot be on '$table', only on a the 'mangle' table."
2004-10-31 02:21:02 +00:00
return 1
fi
;;
2015-02-12 20:23:00 +00:00
SET) action="SET"
2015-02-08 20:59:41 +00:00
local hasadd=0 hasdel=0
while [ ! -z "${1}" ]
do
case "${1}" in
add|set|add-set|--add-set)
action_param=( "${action_param[@]}" "--add-set" "${2}" "${3}" )
hasadd=1
shift 3
;;
del|unset|remove|del-set|--del-set)
action_param=( "${action_param[@]}" "--del-set" "${2}" "${3}" )
hasdel=1
shift 3
;;
exist|--exist)
action_param=( "${action_param[@]}" "--exist" )
shift
;;
timeout|--timeout)
action_param=( "${action_param[@]}" "--timeout" "${2}" )
shift 2
;;
*) break
;;
esac
done
if [ $hasadd -eq 0 -a $hasdel -eq 0 ]
then
error "${action} requires either 'add' or 'del' argument with at least name and type."
return 1
fi
;;
2003-01-06 16:13:34 +00:00
*)
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
chain_exists "${table}" "${action}"
2003-01-06 16:13:34 +00:00
local action_is_chain=$?
;;
esac
2002-12-31 09:10:15 +00:00
;;
2015-02-11 23:42:38 +00:00
*)
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
error "Cannot understand directive '${param}'."
2015-02-11 23:42:38 +00:00
return 1
2002-09-05 20:57:59 +00:00
;;
esac
done
2015-02-07 06:46:46 +00:00
# ----------------------------------------------------------------------------------
# Validations
2015-02-13 00:43:38 +00:00
test -z "${table}" && table="filter"
[ ! -z "${FIREHOL_CHAIN_ALIASES[$table.$chain]}" ] && chain="${FIREHOL_CHAIN_ALIASES[$table.$chain]}"
if [ -z "${require_protocol_with_action[*]}" ]
then
error "Action ${action} requires a protocol to be given."
return 1
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# In FIREHOL_RULESET_MODE="optimal" (given as the parameter optimal=1) to us,
# we just create the state=NEW rules.
# We will work normaly though if a helper is required.
if [ ${optimal} -eq 1 -a "${table}" = "filter" -a -z "${helper[*]}" ]
then
if [[ "${state}" =~ 'NEW' ]]
then
# only NEW is required
# discard all other states
state="NEW"
else
# No NEW state found
# no need to generate these rules
return 0
fi
fi
2015-02-23 03:49:52 +00:00
# if there are custom arguments, keep the procol with it
2015-02-23 04:10:44 +00:00
[ ! -z "${custom}" -a "${require_protocol_with_action[*]}" = "any" ] && require_protocol_with_action=("${proto[@]}")
2015-02-23 03:49:52 +00:00
2003-01-06 16:13:34 +00:00
2015-02-23 03:49:52 +00:00
# If the user did not specify a rejection message,
2003-01-06 16:13:34 +00:00
# we have to be smart and produce a tcp-reset if the protocol
# is TCP and an ICMP port unreachable in all other cases.
2015-02-11 23:42:38 +00:00
# we will change the action to SMART_REJECT
if [ "${action}" = "REJECT" -a "${action_param[1]}" = "auto" ]
then
action="SMART_REJECT"
action_param=()
fi
if [ ${noowner} -eq 1 ]
then
uid=(any)
uidnot=
gid=(any)
gidnot=
fi
2013-11-10 11:28:23 +00:00
2015-01-03 05:45:19 +00:00
local physbridge="--physdev-is-bridged"
2014-11-18 23:50:47 +00:00
if [ ! "${work_cmd}" = "router" -a ! "${physin}${physout}" = "anyany" ]
then
if [ ! "${physin}" = "any" -a "${physout}" = "any" ]
then
2015-01-30 22:45:56 +00:00
physbridge="--physdev-is-in"
2014-11-18 23:50:47 +00:00
elif [ "${physin}" = "any" -a ! "${physout}" = "any" ]
then
2015-01-30 22:45:56 +00:00
physbridge="--physdev-is-out"
2014-11-18 23:50:47 +00:00
fi
fi
2015-01-30 22:45:56 +00:00
local srcnot= dstnot=
2013-11-10 12:40:28 +00:00
if running_both; then
if [ "${src4not}" != "${src6not}" ]
then
error "Mixed use of 'not' with src4 and src6." && return 1
2013-11-23 10:44:16 +00:00
else
2015-01-30 22:45:56 +00:00
srcnot="${src4not}"
2013-11-10 12:40:28 +00:00
fi
if [ "${dst4not}" != "${dst6not}" ]
then
error "Mixed use of 'not' with dst4 and dst6." && return 1
2013-11-23 10:44:16 +00:00
else
2015-01-30 22:45:56 +00:00
dstnot="${dst4not}"
2013-11-10 12:40:28 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ "${src4[*]}" = "default" -a "${src6[*]}" != "default" ]
2013-11-10 12:40:28 +00:00
then
error "Must specify src4 when specifying src6" && return 1
fi
2013-11-10 11:28:23 +00:00
2015-02-11 23:42:38 +00:00
if [ "${dst4[*]}" = "default" -a "${dst6[*]}" != "default" ]
2013-11-10 12:40:28 +00:00
then
error "Must specify dst4 when specifying dst6" && return 1
fi
2015-02-11 23:42:38 +00:00
if [ "${src6[*]}" = "default" -a "${src4[*]}" != "default" ]
2013-11-10 12:40:28 +00:00
then
error "Must specify src6 when specifying src4" && return 1
fi
2015-02-11 23:42:38 +00:00
if [ "${dst6[*]}" = "default" -a "${dst4[*]}" != "default" ]
2013-11-10 12:40:28 +00:00
then
error "Must specify dst6 when specifying dst4" && return 1
fi
elif running_ipv6; then
2015-01-30 22:45:56 +00:00
srcnot="${src6not}"
dstnot="${dst6not}"
2013-11-10 12:40:28 +00:00
else
2015-01-30 22:45:56 +00:00
srcnot="${src4not}"
dstnot="${dst4not}"
2013-11-10 11:28:23 +00:00
fi
2013-11-10 12:40:28 +00:00
2015-02-11 23:42:38 +00:00
test "${src4[*]}" = "default" && src4=(any)
test "${dst4[*]}" = "default" && dst4=(any)
test "${src6[*]}" = "default" && src6=(any)
test "${dst6[*]}" = "default" && dst6=(any)
2013-11-10 12:40:28 +00:00
2015-02-11 23:42:38 +00:00
if [ ! "${src4[*]}" = "any" ]
2015-01-24 02:21:04 +00:00
then
2015-02-11 23:42:38 +00:00
src4=(${src4[*]//reserved_ips()/${RESERVED_IPV4}})
src4=(${src4[*]//private_ips()/${PRIVATE_IPV4}})
src4=(${src4[*]//multicast_ips()/${MULTICAST_IPV4}})
src4=(${src4[*]//unroutable_ips()/${UNROUTABLE_IPV4}})
2015-01-24 02:21:04 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! "${dst4[*]}" = "any" ]
2015-01-24 02:21:04 +00:00
then
2015-02-11 23:42:38 +00:00
dst4=(${dst4[*]//reserved_ips()/${RESERVED_IPV4}})
dst4=(${dst4[*]//private_ips()/${PRIVATE_IPV4}})
dst4=(${dst4[*]//multicast_ips()/${MULTICAST_IPV4}})
dst4=(${dst4[*]//unroutable_ips()/${UNROUTABLE_IPV4}})
2015-01-24 02:21:04 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! "${src6[*]}" = "any" ]
2015-01-24 02:21:04 +00:00
then
2015-02-11 23:42:38 +00:00
src6=(${src6[*]//reserved_ips()/${RESERVED_IPV6}})
src6=(${src6[*]//private_ips()/${PRIVATE_IPV6}})
src6=(${src6[*]//multicast_ips()/${MULTICAST_IPV6}})
src6=(${src6[*]//unroutable_ips()/${UNROUTABLE_IPV6}})
2015-01-24 02:21:04 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! "${dst6[*]}" = "any" ]
2015-01-24 02:21:04 +00:00
then
2015-02-11 23:42:38 +00:00
dst6=(${dst6[*]//reserved_ips()/${RESERVED_IPV6}})
dst6=(${dst6[*]//private_ips()/${PRIVATE_IPV6}})
dst6=(${dst6[*]//multicast_ips()/${MULTICAST_IPV6}})
dst6=(${dst6[*]//unroutable_ips()/${UNROUTABLE_IPV6}})
2015-01-24 02:21:04 +00:00
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
[ ! -z "${push_flow_inheritance_type}" ] && push_flow_inheritance "${push_flow_inheritance_type}" "${action}" "${infacenot//!/not}" "${inface[*]}" "${outfacenot//!/not}" "${outface[*]}" "${srcnot//!/not}" "${src4[*]}" "${src6[*]}" "${dstnot//!/not}" "${dst4[*]}" "${dst6[*]}"
2002-10-04 17:35:49 +00:00
# ----------------------------------------------------------------------------------
2015-02-07 06:46:46 +00:00
# Preparations for the main loop
local -a \
addrtype_arg=() stp_arg=() dtp_arg=() state_arg=() \
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
logopts_arg=() \
2015-02-12 21:02:13 +00:00
uid_arg=() owner_arg=() gid_arg=() \
2015-02-07 06:46:46 +00:00
mark_arg=() tos_arg=() dscp_arg=() proto_arg=() \
inf_arg=() outf_arg=() inph_arg=() physdev_arg=() outph_arg=() \
mc_arg=() s_arg=() d_arg=() sp_arg=() dp_arg=() \
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
basecmd=() protected_args=() positive_args=()
2015-02-07 06:46:46 +00:00
local logrule= ipvall= \
2015-02-12 21:02:13 +00:00
tuid= tgid= \
2015-02-07 06:46:46 +00:00
tmark= ttos= tdscp= pr= \
inf= outf= inph= outph= \
mc= ipv= iptables= src= dst= s= d= sp= dp= \
2015-02-12 20:23:00 +00:00
not= src_has_ipset=0 dst_has_ipset=0 \
2015-02-19 01:21:51 +00:00
DYNAMIC_CHAIN_COUNTER attachement=
2015-02-07 06:46:46 +00:00
# log / loglimit
case "${log}" in
'')
logrule=none
;;
limit)
logrule=limit
2015-02-19 01:21:51 +00:00
prepare_iptables_log_arg "${logtxt}" || return 1
logopts_arg=("${FIREHOL_LOG_IPTABLES_ARG[@]}")
2015-02-07 06:46:46 +00:00
;;
normal)
logrule=normal
2015-02-19 01:21:51 +00:00
prepare_iptables_log_arg "${logtxt}" || return 1
logopts_arg=("${FIREHOL_LOG_IPTABLES_ARG[@]}")
2015-02-07 06:46:46 +00:00
;;
*)
error "Unknown log value '${log}'."
;;
esac
# keep a list of all ip versions we need
running_ipv4 && ipvall="ipv4"
running_ipv6 && ipvall="${ipvall} ipv6"
2015-02-11 23:42:38 +00:00
# ---------------------------------------------------------------------
# BRANCH OPTIMIZATION
#
# Facts: - the caller expects us to add statements to a chain and
# perform the action only if all conditions are met - AND'd
# (multiple options to the same condition which are OR'd).
2003-01-16 00:33:26 +00:00
#
2015-02-11 23:42:38 +00:00
# example:
2003-01-16 00:33:26 +00:00
#
2015-02-11 23:42:38 +00:00
# inface "eth0 eth1" outface eth2 =
# ( ( inface=eth0 OR inface=eth1 ) AND outface=eth2 )
#
# while
#
# inface not "eth0 eth1" outface eth2 =
# ( inface!=eth0 AND inface!=eth1 AND outface=eth2 )
#
# All conditions that are negative and have only one possible
# value to match, can be executed in the main loop (negative
2015-02-12 01:09:45 +00:00
# and positive conditions on the same command).
2015-02-11 23:42:38 +00:00
#
# - we can only branch (i.e. create a chain and jump to it) only
# if the action is not RETURN. If it is RETURN, then we have
# only one exit point and we cannot do any complex expressions
#
# - A branch is required when we have multiple values in
2015-02-12 01:09:45 +00:00
# positive conditions, to avoid executing certain features
2015-02-12 20:23:00 +00:00
# multiple times (I call these features: protected
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# parameters, because we should protect them from multiple
# executions - a branch is cheaper than 2 of these)
2015-02-11 23:42:38 +00:00
#
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# These require branching always:
# (we can only avoid it if we have a negative branch)
2015-02-11 23:42:38 +00:00
#
# * log
# * loglimit
# * accounting
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
#
# These require branching if we are going to generate multiple statements:
# (so that they are applied only once per rule)
#
2015-02-11 23:42:38 +00:00
# * limit
2015-02-12 20:23:00 +00:00
# * connlimit
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# * ipset
# * helpers
# * custom rules
2015-02-11 23:42:38 +00:00
#
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# We will not stop though if we are not allowed to branch for them.
# We will just issue a warning that the generated firewall is not optimal.
2015-02-11 23:42:38 +00:00
#
# Let's calculate a few sums to help us take decisions:
2015-02-12 20:23:00 +00:00
local positive_single=0 negative_single=0 positive_multi=0 negative_multi=0 action_is_our_branch=0 placed_protected_in_a_branch=0 have_protected=0
2015-02-11 23:42:38 +00:00
#
# positive_single - counts the number of positive parameters that have just one possible value
# negative_single - counts the number of negative parameters that have just one possible value
# positive_multi - counts the number of positive parameters that have multiple values
# negative_multi - counts the number of negative parameters that have multiple values
# action_is_our_branch - is set when we create our branch
2015-02-12 20:23:00 +00:00
# placed_protected_in_a_branch - is set if we place the log, loglimit, accounting, limit, connlimit, ipset in our branch
# have_protected - is set when there are protected parameters
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# ---------------------------------------------------------------------
# prepare the protected parameters
# protected = we will try run them only once.
# We should put here matches that are more expensive than branching.
protected_args=(${custom})
# limit
[ ! -z "${limit}" ] && protected_args=("${protected_args[@]}" "-m" "limit" "--limit" "${limit}" "--limit-burst" "${burst}")
# connlimit
[ ! -z "${connlimit}" ] && protected_args=("${protected_args[@]}" "-m" "connlimit" "--connlimit-above" "${connlimit}" "--connlimit-mask" "${connlimit_mask}")
# ipset
[ ! -z "${ipsetname}" ] && protected_args=("${protected_args[@]}" "-m" "set" ${ipsetnot} "--match-set" "${ipsetname}" "${ipsetflags}" ${ipsetopts})
# helpers
for x in ${helper[@]}
do
protected_args=("${protected_args[@]}" "-m" "helper" ${helpernot} "--helper" "${x}")
done
if [ ${FIREHOL_PROTECTED_MATCHES} -eq 1 ]
then
[ ! -z "${protected_args[*]}" ] && have_protected=1
else
positive_args=("${protected_args[@]}")
protected_args=()
have_protected=0
fi
# ---------------------------------------------------------------------
# prepare the positive parameters
# these are parameters that will be executed, any number of times,
# together with the positive statements.
if [ ${FIREHOL_SUPPORT_MULTIPORT} -ne 0 ]
then
2015-02-23 06:08:00 +00:00
# we cannot have both source ports and destination ports as multiport
# we have to pick
sp=0
dp=0
# pick the one with the most ports
if [ "${#sport[*]}" -ge "${#dport[*]}" ]
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
then
2015-02-23 06:08:00 +00:00
sp=1
else
dp=1
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-02-23 06:08:00 +00:00
if [ ${sp} -eq 1 -a "${#sport[*]}" -gt 1 ]
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
then
2015-02-23 06:08:00 +00:00
# do sport
sp_arg=()
x=0
src=
for s in ${sport[@]}
do
# echo >&2 "Adding ${s}, x=${x}, src=${src}"
if [ ${x} -ge 14 ]
then
sp_arg=("${sp_arg[@]}" "multiport:${src}")
src=
x=0
fi
test ! -z "${src}" && src="${src},"
case "${s}" in
any|ANY) continue ;;
*-*|*:*) (( x += 2 )); src="${src}${s//-/:}" ;;
*) (( x += 1 )); src="${src}${s}" ;;
esac
done
if [ ! -z "${src}" ]
then
if [ ${x} -gt 1 ]
then
sp_arg=("${sp_arg[@]}" "multiport:${src}")
else
sp_arg=("${sp_arg[@]}" "${src}")
fi
fi
sport=("${sp_arg[@]}")
sp_arg=()
src=
x=
fi
sp=
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-02-23 06:08:00 +00:00
if [ ${dp} -eq 1 -a "${#dport[*]}" -gt 1 ]
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
then
2015-02-23 06:08:00 +00:00
# do dport
dp_arg=()
x=0
dst=
for d in ${dport[@]}
do
# echo >&2 "Adding ${d}, x=${x}, dst=${dst}"
if [ ${x} -ge 14 ]
then
dp_arg=("${dp_arg[@]}" "multiport:${dst}")
dst=
x=0
fi
test ! -z "${dst}" && dst="${dst},"
case "${d}" in
any|ANY) continue ;;
*-*|*:*) (( x += 2 )); dst="${dst}${d//-/:}" ;;
*) (( x += 1 )); dst="${dst}${d}" ;;
esac
done
if [ ! -z "${dst}" ]
then
if [ ${x} -gt 1 ]
then
dp_arg=("${dp_arg[@]}" "multiport:${dst}")
else
dp_arg=("${dp_arg[@]}" "${dst}")
fi
fi
dport=("${dp_arg[@]}")
dp_arg=()
dst=
x=
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
fi
2015-02-23 06:08:00 +00:00
dp=
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
fi
# ---------------------------------------------------------------------
# make the calculations
2015-02-11 23:42:38 +00:00
if [ "${#inface[*]}" -gt 1 ]
then
if [ -z "${infacenot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${infacenot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#outface[*]}" -gt 1 ]
then
if [ -z "${outfacenot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${outfacenot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#physin[*]}" -gt 1 ]
then
if [ -z "${physinnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${physinnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#physout[*]}" -gt 1 ]
then
if [ -z "${physoutnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${physoutnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#mac[*]}" -gt 1 ]
then
if [ -z "${macnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${macnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#src4[*]}" -gt 1 ]
then
if [ -z "${srcnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${srcnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
2015-02-12 20:23:00 +00:00
[[ "${src4[*]}" =~ 'ipset:' ]] && src_has_ipset=1
2015-02-11 23:42:38 +00:00
if [ "${#dst4[*]}" -gt 1 ]
then
if [ -z "${dstnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${dstnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
2015-02-12 20:23:00 +00:00
[[ "${dst4[*]}" =~ 'ipset:' ]] && dst_has_ipset=1
2015-02-11 23:42:38 +00:00
if [ "${#src6[*]}" -gt 1 ]
then
if [ -z "${srcnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${srcnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
2015-02-12 20:23:00 +00:00
[[ "${src6[*]}" =~ 'ipset:' ]] && src_has_ipset=1
2015-02-11 23:42:38 +00:00
if [ "${#dst6[*]}" -gt 1 ]
then
if [ -z "${dstnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${dstnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
2015-02-12 20:23:00 +00:00
[[ "${dst6[*]}" =~ 'ipset:' ]] && dst_has_ipset=1
2015-02-11 23:42:38 +00:00
if [ "${#proto[*]}" -gt 1 ]
then
if [ -z "${protonot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${protonot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#sport[*]}" -gt 1 ]
then
if [ -z "${sportnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${sportnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#dport[*]}" -gt 1 ]
then
if [ -z "${dportnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${dportnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#mark[*]}" -gt 1 ]
then
if [ -z "${marknot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${marknot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#tos[*]}" -gt 1 ]
then
if [ -z "${tosnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${tosnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#dscp[*]}" -gt 1 ]
2002-10-04 17:35:49 +00:00
then
2015-02-11 23:42:38 +00:00
if [ -z "${dscpnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${dscpnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#uid[*]}" -gt 1 ]
then
if [ -z "${uidnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${uidnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
if [ "${#gid[*]}" -gt 1 ]
then
if [ -z "${gidnot}" ]; then (( positive_multi += 1 )) ; else (( negative_multi += 1)) ; fi
else
if [ -z "${gidnot}" ]; then (( positive_single += 1 )); else (( negative_single += 1)); fi
fi
# ignore 'state', 'srctype', 'dsttype' are not counted, since they are negated in the positive rules
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# Test cases:
#
# multiple negatives with logging
# mark4 10 OUTPUT src not "1.1.1.1 2.2.2.2" log "matched all packets except from 1.1.1.1 and 2.2.2.2"
#
# branch to log
# mark4 10 OUTPUT src "1.1.1.1 2.2.2.2" dst "3.3.3.3 4.4.4.4" log "branch to log"
#
# double branching for protected matches and logging
# mark4 10 OUTPUT src "1.1.1.1 2.2.2.2" dst "3.3.3.3 4.4.4.4" connlimit 10 32 log "double branch for connlimit and log"
#
#
2015-02-11 23:42:38 +00:00
# ---------------------------------------------------------------------
# process the negative rules
if [ ${negative_multi} -gt 0 ]
then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
local negative_chain= negative_action=
2015-02-11 23:42:38 +00:00
if [ "${action}" = "RETURN" ]
2015-02-07 15:28:43 +00:00
then
2015-02-11 23:42:38 +00:00
error "iptables cannot do this! You have requested multiple values in a NOT rule. This is OK, except when the action is RETURN. You hit that case. Sorry..."
2015-02-07 15:28:43 +00:00
return 1
fi
2015-02-13 00:43:38 +00:00
if [ ${return_if_not_matched} -eq 1 ]
then
# we can return from this chain
# add the negatives here
negative_chain="${chain}"
negative_action=
not="!"
# echo >&2 " >>> ${FUNCNAME}: NEGATIVES: RETURNING IF NOT MATCHED"
elif [ ${action_is_chain} -eq 1 ]
2002-12-04 22:41:13 +00:00
then
2003-01-16 00:33:26 +00:00
# if the action is a chain name, then just add the negative
2002-12-04 22:41:13 +00:00
# expressions to this chain. Nothing more.
2002-10-04 17:35:49 +00:00
2015-02-07 06:46:46 +00:00
negative_chain="${action}"
negative_action=
2015-02-08 08:44:00 +00:00
not=
2015-02-13 00:43:38 +00:00
# echo >&2 " >>> ${FUNCNAME}: NEGATIVES: TARGET ACTION IS CHAIN"
2002-12-04 22:41:13 +00:00
else
# if the action is a native iptables action, then create
# an intermidiate chain to store the negative expression,
# and change the action of the rule to point to this action.
2002-10-04 17:35:49 +00:00
2002-12-04 22:41:13 +00:00
# In this case, bellow we add after all negatives, the original
# action of the rule.
2013-11-03 21:08:26 +00:00
get_next_dynamic_counter DYNAMIC_CHAIN_COUNTER
2015-01-30 22:45:56 +00:00
negative_chain="${chain}.${DYNAMIC_CHAIN_COUNTER}"
2002-10-04 17:35:49 +00:00
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -N "${negative_chain}"
2015-01-30 22:45:56 +00:00
negative_action="${action}"
action="${negative_chain}"
2015-02-08 08:44:00 +00:00
not=
2015-02-11 23:42:38 +00:00
# notify the positive rules that the action is our banch
action_is_our_branch=1
2015-02-13 00:43:38 +00:00
# echo >&2 " >>> ${FUNCNAME}: NEGATIVES: BRANCHING TO NEW CHAIN ${negative_action}"
2002-12-04 22:41:13 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${infacenot}" -a "${#inface[*]}" -gt 1 ]
2002-12-04 22:41:13 +00:00
then
2015-02-11 23:42:38 +00:00
for inf in ${inface[*]}
2002-12-04 22:41:13 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" ${not} -i "${inf}" -j RETURN
2002-12-04 22:41:13 +00:00
done
2015-01-30 22:45:56 +00:00
infacenot=
2015-02-11 23:42:38 +00:00
inface=(any)
2002-12-04 22:41:13 +00:00
fi
2002-10-04 17:35:49 +00:00
2015-02-11 23:42:38 +00:00
if [ ! -z "${outfacenot}" -a "${#outface[*]}" -gt 1 ]
2002-12-04 22:41:13 +00:00
then
2015-02-11 23:42:38 +00:00
for outf in ${outface[*]}
2002-12-04 22:41:13 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" ${not} -o "${outf}" -j RETURN
2002-12-04 22:41:13 +00:00
done
2015-01-30 22:45:56 +00:00
outfacenot=
2015-02-11 23:42:38 +00:00
outface=(any)
2002-12-04 22:41:13 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${physinnot}" -a "${#physin[*]}" -gt 1 ]
2003-10-16 22:05:22 +00:00
then
2015-02-11 23:42:38 +00:00
for inph in ${physin[*]}
2003-10-16 22:05:22 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" -m physdev ${physbridge} ${not} --physdev-in "${inph}" -j RETURN
2003-10-16 22:05:22 +00:00
done
2015-01-30 22:45:56 +00:00
physinnot=
2015-02-11 23:42:38 +00:00
physin=(any)
2003-10-16 22:05:22 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${physoutnot}" -a "${#physout[*]}" -gt 1 ]
2003-10-16 22:05:22 +00:00
then
2015-02-11 23:42:38 +00:00
for outph in ${physout[*]}
2003-10-16 22:05:22 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" -m physdev ${physbridge} ${not} --physdev-out "${outph}" -j RETURN
2003-10-16 22:05:22 +00:00
done
2015-01-30 22:45:56 +00:00
physoutnot=
2015-02-11 23:42:38 +00:00
physout=(any)
2003-10-16 22:05:22 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${macnot}" -a "${#mac[*]}" -gt 1 ]
2003-06-18 22:56:24 +00:00
then
2015-02-11 23:42:38 +00:00
for mc in ${mac[*]}
2003-06-18 22:56:24 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" -m mac ${not} --mac-source "${mc}" -j RETURN
2003-06-18 22:56:24 +00:00
done
2015-01-30 22:45:56 +00:00
macnot=
2015-02-11 23:42:38 +00:00
mac=(any)
2003-06-18 22:56:24 +00:00
fi
2015-02-12 20:23:00 +00:00
if [ ! -z "${srcnot}" -a \( ${src_has_ipset} -eq 1 -o "${#src4[*]}" -gt 1 -o "${#src6[*]}" -gt 1 \) ]
2002-12-04 22:41:13 +00:00
then
2015-02-03 18:39:25 +00:00
for ipv in ${ipvall}
2015-01-31 17:25:19 +00:00
do
2015-02-03 18:39:25 +00:00
case "${ipv}" in
ipv4) iptables="iptables"
2015-02-11 23:42:38 +00:00
src="${src4[*]}"
2015-01-31 17:25:19 +00:00
;;
2015-02-03 18:39:25 +00:00
ipv6) iptables="ip6tables"
2015-02-11 23:42:38 +00:00
src="${src6[*]}"
2015-01-31 17:25:19 +00:00
;;
esac
2015-02-03 18:39:25 +00:00
for s in ${src}
do
case "${s}" in
ipset:*)
[ ${IPSET_WARNING} -eq 1 ] && ipset_warning
s="${s/ipset:/}"
test -z "${FIREHOL_IPSETS_USED[$s]}" && FIREHOL_IPSETS_USED[$s]="USED"
2015-02-13 00:43:38 +00:00
${iptables} -t ${table} -A "${negative_chain}" -m set ${not} --match-set "${s}" src ${IPSET_SRC_DST_OPTIONS} -j RETURN
2015-02-03 18:39:25 +00:00
;;
2015-02-19 21:06:00 +00:00
*-*)
${iptables} -t ${table} -A "${negative_chain}" -m iprange ${not} --src-range "${s}" -j RETURN
;;
2015-02-03 18:39:25 +00:00
*)
2015-02-13 00:43:38 +00:00
${iptables} -t ${table} -A "${negative_chain}" ${not} -s "${s}" -j RETURN
2015-02-03 18:39:25 +00:00
;;
esac
done
2015-01-31 17:25:19 +00:00
done
2015-01-30 22:45:56 +00:00
srcnot=
2015-02-11 23:42:38 +00:00
src4=(any)
src6=(any)
2002-12-04 22:41:13 +00:00
fi
2015-02-12 20:23:00 +00:00
if [ ! -z "${dstnot}" -a \( ${dst_has_ipset} -eq 1 -o "${#dst4[*]}" -gt 1 -o "${#dst6[*]}" -gt 1 \) ]
2002-12-04 22:41:13 +00:00
then
2015-02-03 18:39:25 +00:00
for ipv in ${ipvall}
2015-01-31 17:25:19 +00:00
do
2015-02-03 18:39:25 +00:00
case "${ipv}" in
ipv4) iptables="iptables"
2015-02-11 23:42:38 +00:00
dst="${dst4[*]}"
2015-01-31 17:25:19 +00:00
;;
2015-02-03 18:39:25 +00:00
ipv6) iptables="ip6tables"
2015-02-11 23:42:38 +00:00
dst="${dst6[*]}"
2015-01-31 17:25:19 +00:00
;;
esac
2015-02-03 18:39:25 +00:00
for d in ${dst}
do
case "${d}" in
ipset:*)
[ ${IPSET_WARNING} -eq 1 ] && ipset_warning
d="${d/ipset:/}"
test -z "${FIREHOL_IPSETS_USED[$d]}" && FIREHOL_IPSETS_USED[$d]="USED"
2015-02-13 00:43:38 +00:00
${iptables} -t ${table} -A "${negative_chain}" -m set ${not} --match-set "${d}" dst ${IPSET_SRC_DST_OPTIONS} -j RETURN
2015-02-03 18:39:25 +00:00
;;
2015-02-19 21:06:00 +00:00
*-*)
${iptables} -t ${table} -A "${negative_chain}" -m iprange ${not} --dst-range "${d}" -j RETURN
;;
2015-02-03 18:39:25 +00:00
*)
2015-02-13 00:43:38 +00:00
${iptables} -t ${table} -A "${negative_chain}" ${not} -d "${d}" -j RETURN
2015-02-03 18:39:25 +00:00
;;
esac
done
2015-01-31 17:25:19 +00:00
done
2015-01-30 22:45:56 +00:00
dstnot=
2015-02-11 23:42:38 +00:00
dst4=(any)
dst6=(any)
2002-12-04 22:41:13 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${protonot}" -a "${#proto[*]}" -gt 1 ]
2002-12-04 22:41:13 +00:00
then
2003-01-16 00:33:26 +00:00
if [ ! -z "${sportnot}" -o ! -z "${dportnot}" ]
then
2015-02-11 23:42:38 +00:00
error "Cannot have negative protocol(s) and positive source/destination port(s)."
2003-01-16 00:33:26 +00:00
return 1
fi
2015-02-11 23:42:38 +00:00
for pr in ${proto[*]}
2003-01-16 00:33:26 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" ${not} -p "${pr}" -j RETURN
2003-01-16 00:33:26 +00:00
done
2015-01-30 22:45:56 +00:00
protonot=
2015-02-11 23:42:38 +00:00
proto=(any)
2003-01-16 00:33:26 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${sportnot}" -a "${#sport[*]}" -gt 1 ]
2003-01-16 00:33:26 +00:00
then
if [ "${proto}" = "any" ]
then
2015-02-11 23:42:38 +00:00
error "Cannot have negative source port without a protocol."
2003-01-16 00:33:26 +00:00
return 1
fi
2015-02-23 06:08:00 +00:00
for pr in ${proto[*]}
2002-12-04 22:41:13 +00:00
do
2015-02-23 06:08:00 +00:00
for sp in ${sport[*]}
2003-01-16 00:33:26 +00:00
do
2015-02-23 06:08:00 +00:00
case "${sp}" in
multiport:*)
sp="${sp/multiport:/}"
iptables_both -t ${table} -A "${negative_chain}" -p "${pr}" -m multiport ${not} --source-ports "${sp//-/:}" -j RETURN
;;
*)
iptables_both -t ${table} -A "${negative_chain}" -p "${pr}" ${not} --sport "${sp//-/:}" -j RETURN
;;
esac
2003-01-16 00:33:26 +00:00
done
2002-12-04 22:41:13 +00:00
done
2015-01-30 22:45:56 +00:00
sportnot=
2015-02-11 23:42:38 +00:00
sport=(any)
2002-12-04 22:41:13 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${dportnot}" -a "${#dport[*]}" -gt 1 ]
2002-12-04 22:41:13 +00:00
then
2003-01-16 00:33:26 +00:00
if [ "${proto}" = "any" ]
then
2015-02-11 23:42:38 +00:00
error "Cannot have negative destination port without a protocol."
2003-01-16 00:33:26 +00:00
return 1
fi
2015-02-23 06:08:00 +00:00
for pr in ${proto[*]}
2002-12-04 22:41:13 +00:00
do
2015-02-23 06:08:00 +00:00
for dp in ${dport[*]}
2003-01-16 00:33:26 +00:00
do
2015-02-23 06:08:00 +00:00
case "${sp}" in
multiport:*)
dp="${dp/multiport:/}"
iptables_both -t ${table} -A "${negative_chain}" -p "${pr}" -m multiport ${not} --destination-ports "${dp//-/:}" -j RETURN
;;
*)
iptables_both -t ${table} -A "${negative_chain}" -p "${pr}" ${not} --dport "${dp//-/:}" -j RETURN
;;
esac
2003-01-16 00:33:26 +00:00
done
2002-12-04 22:41:13 +00:00
done
2015-01-30 22:45:56 +00:00
dportnot=
2015-02-11 23:42:38 +00:00
dport=(any)
2002-12-04 22:41:13 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${uidnot}" -a "${#uid[*]}" -gt 1 ]
2003-01-13 23:31:03 +00:00
then
2015-02-11 23:42:38 +00:00
for tuid in ${uid[*]}
2003-01-13 23:31:03 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" -m owner ${not} --uid-owner "${tuid}" -j RETURN
2003-01-13 23:31:03 +00:00
done
2015-01-30 22:45:56 +00:00
uidnot=
2015-02-11 23:42:38 +00:00
uid=(any)
2003-01-13 23:31:03 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${gidnot}" -a "${#gid[*]}" -gt 1 ]
2003-01-13 23:31:03 +00:00
then
2015-02-11 23:42:38 +00:00
for tgid in ${gid[*]}
2003-01-13 23:31:03 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" -m owner ${not} --gid-owner "${tgid}" -j RETURN
2003-01-13 23:31:03 +00:00
done
2015-01-30 22:45:56 +00:00
gidnot=
2015-02-11 23:42:38 +00:00
gid=(any)
2003-01-13 23:31:03 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${marknot}" -a "${#mark[*]}" -gt 1 ]
2004-10-31 02:21:02 +00:00
then
2015-02-11 23:42:38 +00:00
for tmark in ${mark[*]}
2004-10-31 02:21:02 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" -m mark ${not} --mark "${tmark}" -j RETURN
2004-10-31 02:21:02 +00:00
done
2015-01-30 22:45:56 +00:00
marknot=
2015-02-11 23:42:38 +00:00
mark=(any)
2004-10-31 02:21:02 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${tosnot}" -a "${#tos[*]}" -gt 1 ]
2004-10-31 02:21:02 +00:00
then
2015-02-11 23:42:38 +00:00
for ttos in ${tos[*]}
2004-10-31 02:21:02 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" -m tos ${not} --tos "${ttos}" -j RETURN
2004-10-31 02:21:02 +00:00
done
2015-01-30 22:45:56 +00:00
tosnot=
2015-02-11 23:42:38 +00:00
tos=(any)
2004-10-31 02:21:02 +00:00
fi
2015-02-11 23:42:38 +00:00
if [ ! -z "${dscpnot}" -a "${#dscp[*]}" -gt 1 ]
2004-10-31 02:21:02 +00:00
then
2015-02-11 23:42:38 +00:00
for tdscp in ${dscp[*]}
2004-10-31 02:21:02 +00:00
do
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -A "${negative_chain}" -m dscp ${not} --dscp${dscptype} "${tdscp}" -j RETURN
2004-10-31 02:21:02 +00:00
done
2015-01-30 22:45:56 +00:00
dscpnot=
2015-02-11 23:42:38 +00:00
dscp=(any)
2004-10-31 02:21:02 +00:00
fi
2015-02-08 08:44:00 +00:00
if [ ! -z "${negative_action}" ]
then
# in case this is temporary chain we created for the negative expression,
# just make it have the final action of the rule.
2015-02-13 00:43:38 +00:00
if [ "${negative_action}" = "${negative_chain}" ]
then
error "Cannot create an infinite loop chain."
return 1
fi
2015-02-11 23:42:38 +00:00
2015-02-08 08:44:00 +00:00
for ipv in ${ipvall}
2003-01-06 16:13:34 +00:00
do
2015-02-08 08:44:00 +00:00
case "${ipv}" in
ipv4) iptables="iptables";;
ipv6) iptables="ip6tables";;
2003-01-06 16:13:34 +00:00
esac
2015-02-07 06:46:46 +00:00
2015-02-11 23:42:38 +00:00
# since this is the target of the positive rules,
# logging and accounting can be attached here
2015-02-26 00:35:41 +00:00
if [ "$logrule" = "limit" ]; then ${iptables} -t ${table} -A "${negative_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" || failed=$[failed + 1]; fi
if [ "$logrule" = "normal" ]; then ${iptables} -t ${table} -A "${negative_chain}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" || failed=$[failed + 1]; fi
if [ ! -z "${accounting}" ]; then ${iptables} -t ${table} -A "${negative_chain}" -m nfacct --nfacct-name "${accounting}" || failed=$[failed + 1]; fi
2015-02-13 00:43:38 +00:00
for pr in ${require_protocol_with_action[*]}
do
[ "${pr}" = "any" ] && pr=
[ ! -z "${pr}" ] && pr="-p ${pr}"
2015-02-08 08:44:00 +00:00
2015-02-13 00:43:38 +00:00
# the original action of the rule
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# we cannot add positive_args or protected_args here - if we do, the logging and accounting will be broken
2015-02-23 04:02:28 +00:00
rule_action_param ${iptables} "${negative_action}" "" "" "${table}" "${action_param[@]}" -- -t ${table} -A "${negative_chain}" ${pr} "${protected_args[@]}" || failed=$[failed + 1]
2015-02-13 00:43:38 +00:00
done
2015-02-11 23:42:38 +00:00
done
2015-02-07 06:46:46 +00:00
2015-02-11 23:42:38 +00:00
# The positive rules will just send traffic to a
# chains - there is not need for params
action_param=()
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
require_protocol_with_action=(any)
2015-02-23 04:02:28 +00:00
protected_args=()
have_protected=0
2015-02-11 23:42:38 +00:00
# disable logging and accounting
# already did it above
logrule=none
accounting=
fi
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-02-11 23:42:38 +00:00
# ----------------------------------------------------------------------------------
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# If we have not placed logging and accounting in the negative branch we may have to
# branch to put them here, only if the action is not RETURN.
#
# If it is RETURN, it will be executed with the positive rules.
2015-02-15 18:30:34 +00:00
if [ \( ${positive_multi} -gt 0 -o ! -z "${positive_rule_number}" \) -a \( ! "${logrule}" = "none" -o ! -z "${accounting}" \) -a ! "${action}" = "RETURN" ]
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
then
local logging_chain= logging_action=
# echo >&2 " >>> ${FUNCNAME}: MOVING LOGGING AND ACCOUNTING TO BRANCH"
get_next_dynamic_counter DYNAMIC_CHAIN_COUNTER
logging_chain="${chain}.${DYNAMIC_CHAIN_COUNTER}"
iptables_both -t ${table} -N "${logging_chain}"
logging_action="${action}"
action="${logging_chain}"
# notify the positive rules that the action is our banch
action_is_our_branch=1
if [ "${logging_action}" = "${logging_chain}" ]
then
error "Cannot create an infinite loop chain."
return 1
fi
if [ -z "${logging_action}" ]
then
error "Cannot create iptables commands without an action."
return 1
fi
for ipv in ${ipvall}
do
case "${ipv}" in
ipv4) iptables="iptables";;
ipv6) iptables="ip6tables";;
esac
2015-02-26 00:35:41 +00:00
if [ "$logrule" = "limit" ]; then ${iptables} -t ${table} -A "${logging_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" || failed=$[failed + 1]; fi
if [ "$logrule" = "normal" ]; then ${iptables} -t ${table} -A "${logging_chain}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" || failed=$[failed + 1]; fi
if [ ! -z "${accounting}" ]; then ${iptables} -t ${table} -A "${logging_chain}" -m nfacct --nfacct-name "${accounting}" || failed=$[failed + 1]; fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
for pr in ${require_protocol_with_action[*]}
do
[ "${pr}" = "any" ] && pr=
[ ! -z "${pr}" ] && pr="-p ${pr}"
# the original action of the rule
# we cannot add positive_args or protected_args here - if we do, the logging and accounting will be broken
2015-02-23 04:02:28 +00:00
rule_action_param ${iptables} "${logging_action}" "" "" "${table}" "${action_param[@]}" -- -t ${table} -A "${logging_chain}" ${pr} "${protected_args[@]}" || failed=$[failed + 1]
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
done
done
# The positive rules will just send traffic to a
# chains - there is not need for params
action_param=()
require_protocol_with_action=(any)
2015-02-23 04:02:28 +00:00
protected_args=()
have_protected=0
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# disable logging and accounting
# already did it above
logrule=none
accounting=
fi
2015-02-11 23:42:38 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# ----------------------------------------------------------------------------------
# If there are protected parameters and we will generate multiple statements
# we have to branch
2015-02-12 20:23:00 +00:00
if [ ${have_protected} -eq 1 -a ${positive_multi} -gt 0 ]
2015-02-11 23:42:38 +00:00
then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
local protected_chain= protected_action=
2015-02-11 23:42:38 +00:00
if [ "${action}" = "RETURN" ]
then
warning "Generated iptables rules may not be optimal."
else
2015-02-12 20:23:00 +00:00
# echo >&2 " >>> ${FUNCNAME}: MOVING PROTECTED PARAMS TO BRANCH"
2015-02-11 23:42:38 +00:00
get_next_dynamic_counter DYNAMIC_CHAIN_COUNTER
2015-02-12 20:23:00 +00:00
protected_chain="${chain}.${DYNAMIC_CHAIN_COUNTER}"
2015-02-11 23:42:38 +00:00
2015-02-13 00:43:38 +00:00
iptables_both -t ${table} -N "${protected_chain}"
2015-02-12 20:23:00 +00:00
protected_action="${action}"
action="${protected_chain}"
2015-02-11 23:42:38 +00:00
# notify the positive rules that the action is our banch
action_is_our_branch=1
2015-02-13 00:43:38 +00:00
if [ "${protected_action}" = "${protected_chain}" ]
then
error "Cannot create an infinite loop chain."
return 1
fi
if [ -z "${protected_action}" ]
then
error "Cannot create iptables commands without an action."
return 1
fi
2015-02-11 23:42:38 +00:00
for ipv in ${ipvall}
do
case "${ipv}" in
ipv4) iptables="iptables";;
ipv6) iptables="ip6tables";;
esac
2015-02-13 00:43:38 +00:00
for pr in ${require_protocol_with_action[*]}
do
[ "${pr}" = "any" ] && pr=
[ ! -z "${pr}" ] && pr="-p ${pr}"
2015-02-11 23:42:38 +00:00
2015-02-13 00:43:38 +00:00
# the original action of the rule
rule_action_param ${iptables} "${protected_action}" "" "" "${table}" "${action_param[@]}" -- -t ${table} -A "${protected_chain}" ${pr} "${protected_args[@]}" || failed=$[failed + 1]
done
2003-01-06 16:13:34 +00:00
done
2015-02-07 06:46:46 +00:00
2015-02-12 20:23:00 +00:00
# notify the positive rules that we have placed all protected in the branch
placed_protected_in_a_branch=1
2015-02-11 23:42:38 +00:00
# empty the contrained parameters
# so that the positive rules do not add them again
2015-02-12 20:23:00 +00:00
protected_args=()
2015-02-23 04:02:28 +00:00
have_protected=0
2015-02-11 23:42:38 +00:00
2015-02-08 08:44:00 +00:00
# The positive rules will just send traffic to a
# chains - there is not need for params
action_param=()
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
require_protocol_with_action=(any)
2015-02-08 08:44:00 +00:00
fi
2002-10-04 17:35:49 +00:00
fi
2015-02-08 08:44:00 +00:00
2002-10-04 17:35:49 +00:00
# ----------------------------------------------------------------------------------
# Process the positive rules
2013-11-10 10:58:00 +00:00
2015-02-19 01:21:51 +00:00
FIREHOL_RULE_POSITIVE_STATEMENTS_GENERATED=0
2015-02-13 00:43:38 +00:00
if [ "${action}" = "${chain}" ]
then
error "Cannot create an infinite loop chain."
return 1
fi
if [ -z "${action}" ]
then
error "Cannot create iptables commands without an action."
return 1
fi
if [ -z "${chain}" ]
then
error "Cannot create iptables commands without a chain to attach them to."
return 1
fi
2013-11-10 10:58:00 +00:00
# addrtype (srctype, dsttype)
2015-02-11 23:42:38 +00:00
# this accepts a comma separated list of type, so no need to loop
2013-11-10 10:58:00 +00:00
if [ ! -z "${srctype}${dsttype}" ]
then
2015-01-30 22:45:56 +00:00
addrtype_arg=("-m" "addrtype")
2013-11-10 10:58:00 +00:00
if [ ! -z "${srctype}" ]
then
2015-01-30 22:45:56 +00:00
stp_arg=(${srctypenot} "--src-type" "${srctype}")
2013-11-10 10:58:00 +00:00
fi
if [ ! -z "${dsttype}" ]
then
2015-01-30 22:45:56 +00:00
dtp_arg=(${dsttypenot} "--dst-type" "${dsttype}")
2013-11-10 10:58:00 +00:00
fi
fi
# state
2015-01-30 22:45:56 +00:00
[ ! -z "${state}" ] && state_arg=("-m" "conntrack" ${statenot} "--ctstate" "${state}")
2013-11-10 10:58:00 +00:00
2015-02-16 01:29:21 +00:00
if [ -z "${positive_rule_number}" ]
then
2015-02-19 01:21:51 +00:00
attachement="-A ${chain}"
2015-02-16 01:29:21 +00:00
else
if [ ${positive_rule_number} -gt 1 ]
then
2015-02-19 01:21:51 +00:00
attachement="-I ${chain} ${positive_rule_number}"
2015-02-16 01:29:21 +00:00
else
2015-02-19 01:21:51 +00:00
attachement="-I ${chain}"
2015-02-16 01:29:21 +00:00
fi
fi
2015-02-11 23:42:38 +00:00
# ipvall
for ipv in ${ipvall}
do
case "${ipv}" in
ipv4)
iptables="iptables"
src="${src4[*]}"
dst="${dst4[*]}"
;;
2013-11-10 10:58:00 +00:00
2015-02-11 23:42:38 +00:00
ipv6)
iptables="ip6tables"
src="${src6[*]}"
dst="${dst6[*]}"
;;
esac
2015-02-08 20:59:41 +00:00
2004-10-31 02:21:02 +00:00
# uid
2015-02-11 23:42:38 +00:00
for tuid in ${uid[*]}
2002-09-05 20:57:59 +00:00
do
2003-01-13 23:31:03 +00:00
case ${tuid} in
2002-09-05 20:57:59 +00:00
any|ANY)
2015-01-30 22:45:56 +00:00
uid_arg=()
owner_arg=()
2002-09-05 20:57:59 +00:00
;;
*)
2015-01-30 22:45:56 +00:00
owner_arg=("-m" "owner")
2015-02-23 07:34:05 +00:00
uid_arg=(${uidnot} "--uid-owner" "${tuid}")
2002-09-05 20:57:59 +00:00
;;
esac
2003-01-13 23:31:03 +00:00
2004-10-31 02:21:02 +00:00
# gid
2015-02-11 23:42:38 +00:00
for tgid in ${gid[*]}
2004-10-31 02:21:02 +00:00
do
case ${tgid} in
any|ANY)
2015-01-30 22:45:56 +00:00
gid_arg=()
# do not reset owner_arg=() here
2004-10-31 02:21:02 +00:00
;;
2003-01-13 23:31:03 +00:00
2004-10-31 02:21:02 +00:00
*)
2015-01-30 22:45:56 +00:00
owner_arg=("-m" "owner")
2015-02-23 07:34:05 +00:00
gid_arg=(${gidnot} "--gid-owner" "${tgid}")
2004-10-31 02:21:02 +00:00
;;
esac
# mark
2015-02-11 23:42:38 +00:00
for tmark in ${mark[*]}
2004-10-31 02:21:02 +00:00
do
case ${tmark} in
any|ANY)
2015-01-30 22:45:56 +00:00
mark_arg=()
2004-10-31 02:21:02 +00:00
;;
*)
2015-02-11 23:42:38 +00:00
mark_arg=("-m" "mark" ${marknot} "--mark" "${tmark}")
2004-10-31 02:21:02 +00:00
;;
esac
# tos
2015-02-11 23:42:38 +00:00
for ttos in ${tos[*]}
2004-10-31 02:21:02 +00:00
do
case ${ttos} in
any|ANY)
2015-01-30 22:45:56 +00:00
tos_arg=()
2004-10-31 02:21:02 +00:00
;;
*)
2015-02-11 23:42:38 +00:00
tos_arg=("-m" "tos" ${tosnot} "--tos" "${ttos}")
2004-10-31 02:21:02 +00:00
;;
esac
# dscp
2015-02-11 23:42:38 +00:00
for tdscp in ${dscp[*]}
2004-10-31 02:21:02 +00:00
do
case ${tdscp} in
any|ANY)
2015-01-30 22:45:56 +00:00
dscp_arg=()
2004-10-31 02:21:02 +00:00
;;
*)
2015-02-11 23:42:38 +00:00
dscp_arg=("-m" "dscp" ${dscpnot} "--dscp${dscptype}" "${tdscp}")
2004-10-31 02:21:02 +00:00
;;
esac
# proto
2015-02-11 23:42:38 +00:00
for pr in ${proto[*]}
2004-10-31 02:21:02 +00:00
do
case ${pr} in
any|ANY)
2015-01-30 22:45:56 +00:00
proto_arg=()
2004-10-31 02:21:02 +00:00
;;
*)
2015-02-11 23:42:38 +00:00
proto_arg=(${protonot} "-p" "${pr}")
2004-10-31 02:21:02 +00:00
;;
esac
# inface
2015-02-11 23:42:38 +00:00
for inf in ${inface[*]}
2004-10-31 02:21:02 +00:00
do
case ${inf} in
any|ANY)
2015-01-30 22:45:56 +00:00
inf_arg=()
2004-10-31 02:21:02 +00:00
;;
*)
2015-02-11 23:42:38 +00:00
inf_arg=(${infacenot} "-i" "${inf}")
2004-10-31 02:21:02 +00:00
;;
esac
# outface
2015-02-11 23:42:38 +00:00
for outf in ${outface[*]}
2004-10-31 02:21:02 +00:00
do
case ${outf} in
any|ANY)
2015-01-30 22:45:56 +00:00
outf_arg=()
2004-10-31 02:21:02 +00:00
;;
*)
2015-02-11 23:42:38 +00:00
outf_arg=(${outfacenot} "-o" "${outf}")
2004-10-31 02:21:02 +00:00
;;
esac
# physin
2015-02-11 23:42:38 +00:00
for inph in ${physin[*]}
2004-10-31 02:21:02 +00:00
do
case ${inph} in
any|ANY)
2015-01-30 22:45:56 +00:00
inph_arg=()
physdev_arg=()
2004-10-31 02:21:02 +00:00
;;
*)
2015-01-30 22:45:56 +00:00
physdev_arg=("-m" "physdev" ${physbridge})
2015-02-11 23:42:38 +00:00
inph_arg=(${physinnot} "--physdev-in" "${inph}")
2004-10-31 02:21:02 +00:00
;;
esac
# physout
2015-02-11 23:42:38 +00:00
for outph in ${physout[*]}
2004-10-31 02:21:02 +00:00
do
case ${outph} in
any|ANY)
2015-01-30 22:45:56 +00:00
outph_arg=()
# do not reset physdev_arg=() here
2004-10-31 02:21:02 +00:00
;;
*)
2015-01-30 22:45:56 +00:00
physdev_arg=("-m" "physdev" ${physbridge})
2015-02-11 23:42:38 +00:00
outph_arg=(${physoutnot} "--physdev-out" "${outph}")
2004-10-31 02:21:02 +00:00
;;
esac
# mac
2015-02-11 23:42:38 +00:00
for mc in ${mac[*]}
2004-10-31 02:21:02 +00:00
do
case ${mc} in
any|ANY)
2015-01-30 22:45:56 +00:00
mc_arg=()
2004-10-31 02:21:02 +00:00
;;
*)
2015-02-11 23:42:38 +00:00
mc_arg=("-m" "mac" ${macnot} "--mac-source" "${mc}")
2015-01-24 02:21:04 +00:00
;;
esac
2013-11-10 11:28:23 +00:00
2015-01-24 02:21:04 +00:00
# src
for s in ${src}
do
case ${s} in
any|ANY)
2015-01-30 22:45:56 +00:00
s_arg=()
2015-01-24 02:21:04 +00:00
;;
2013-11-10 11:28:23 +00:00
2015-01-31 17:25:19 +00:00
ipset:*)
2015-02-01 22:16:33 +00:00
[ ${IPSET_WARNING} -eq 1 ] && ipset_warning
2015-01-31 23:08:12 +00:00
s="${s/ipset:/}"
test -z "${FIREHOL_IPSETS_USED[$s]}" && FIREHOL_IPSETS_USED[$s]="USED"
2015-02-12 15:46:22 +00:00
s_arg=("-m" "set" ${srcnot} "--match-set" "${s}" "src" ${IPSET_SRC_DST_OPTIONS})
2015-01-31 17:25:19 +00:00
;;
2015-02-19 21:06:00 +00:00
*-*)
s_arg=("-m" "iprange" ${srcnot} "--src-range" "${s}")
;;
2015-01-24 02:21:04 +00:00
*)
2015-02-11 23:42:38 +00:00
s_arg=(${srcnot} "-s" "${s}")
2015-01-24 02:21:04 +00:00
;;
esac
2013-11-10 10:58:00 +00:00
2015-01-24 02:21:04 +00:00
# dst
for d in ${dst}
do
case ${d} in
any|ANY)
2015-01-30 22:45:56 +00:00
d_arg=()
2015-01-24 02:21:04 +00:00
;;
2015-01-03 05:45:19 +00:00
2015-01-31 17:25:19 +00:00
ipset:*)
2015-02-01 22:16:33 +00:00
[ ${IPSET_WARNING} -eq 1 ] && ipset_warning
2015-01-31 23:08:12 +00:00
d="${d/ipset:/}"
test -z "${FIREHOL_IPSETS_USED[$d]}" && FIREHOL_IPSETS_USED[$d]="USED"
2015-02-12 15:46:22 +00:00
d_arg=("-m" "set" ${dstnot} "--match-set" "${d}" "dst" ${IPSET_SRC_DST_OPTIONS})
2015-01-31 17:25:19 +00:00
;;
2015-02-19 21:06:00 +00:00
*-*)
d_arg=("-m" "iprange" ${dstnot} "--dst-range" "${d}")
;;
2015-01-24 02:21:04 +00:00
*)
2015-02-11 23:42:38 +00:00
d_arg=(${dstnot} "-d" "${d}")
2015-01-24 02:21:04 +00:00
;;
esac
2013-11-10 11:28:23 +00:00
2015-01-30 22:45:56 +00:00
# sport
2015-02-11 23:42:38 +00:00
for sp in ${sport[*]}
2015-01-30 22:45:56 +00:00
do
case ${sp} in
any|ANY)
sp_arg=()
;;
2015-02-23 06:08:00 +00:00
multiport:*)
sp="${sp/multiport:/}"
sp_arg=("-m" "multiport" ${sportnot} "--source-ports" "${sp//-/:}")
;;
2015-01-30 22:45:56 +00:00
*)
2015-02-19 21:06:00 +00:00
sp_arg=(${sportnot} "--sport" "${sp//-/:}")
2015-01-30 22:45:56 +00:00
;;
esac
# dport
2015-02-11 23:42:38 +00:00
for dp in ${dport[*]}
2015-01-30 22:45:56 +00:00
do
case ${dp} in
any|ANY)
dp_arg=()
;;
2015-02-23 06:08:00 +00:00
multiport:*)
dp="${dp/multiport:/}"
dp_arg=("-m" "multiport" ${dportnot} "--destination-ports" "${dp//-/:}")
;;
2015-01-30 22:45:56 +00:00
*)
2015-02-19 21:06:00 +00:00
dp_arg=(${dportnot} "--dport" "${dp//-/:}")
2015-01-30 22:45:56 +00:00
;;
esac
2015-02-23 06:08:00 +00:00
# if there is sport or dport with multiport
# we have to give the multiport second
if [ "${sp_arg[1]}" = "multiport" ]
then
sp_arg=("${dp_arg[@]}" "${sp_arg[@]}")
dp_arg=()
elif [ "${dp_arg[1]}" = "multiport" ]
then
dp_arg=("${sp_arg[@]}" "${dp_arg[@]}")
sp_arg=()
fi
2015-01-24 02:21:04 +00:00
# build the command
2015-02-11 23:42:38 +00:00
basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${proto_arg[@]}" \
"${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${mc_arg[@]}" "${tos_arg[@]}" \
2015-02-12 21:02:13 +00:00
"${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" \
2015-02-11 23:42:38 +00:00
"${addrtype_arg[@]}" "${stp_arg[@]}" "${dtp_arg[@]}" "${state_arg[@]}" "${mark_arg[@]}" "${dscp_arg[@]}" \
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
"${protected_args[@]}" "${positive_args[@]}")
2015-02-08 08:44:00 +00:00
2015-02-15 18:30:34 +00:00
if [ -z "${positive_rule_number}" ]
then
2015-02-26 00:35:41 +00:00
if [ "$logrule" = "limit" ]; then ${iptables} -t ${table} ${attachement} "${basecmd[@]}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" || failed=$[failed + 1]; fi
if [ "$logrule" = "normal" ]; then ${iptables} -t ${table} ${attachement} "${basecmd[@]}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" || failed=$[failed + 1]; fi
if [ ! -z "${accounting}" ]; then ${iptables} -t ${table} ${attachement} "${basecmd[@]}" -m nfacct --nfacct-name "${accounting}" || failed=$[failed + 1]; fi
2015-02-15 18:30:34 +00:00
fi
2013-11-10 11:28:23 +00:00
2015-01-24 02:21:04 +00:00
# do it!
2015-02-19 01:21:51 +00:00
rule_action_param ${iptables} "${action}" "${statenot}" "${state}" "${table}" "${action_param[@]}" -- -t ${table} ${attachement} "${basecmd[@]}" || failed=$[failed + 1]
(( FIREHOL_RULE_POSITIVE_STATEMENTS_GENERATED += 1 ))
if [ ! -z "${positive_rule_number}" ]
then
2015-02-26 00:35:41 +00:00
if [ "$logrule" = "limit" ]; then ${iptables} -t ${table} ${attachement} "${basecmd[@]}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" || failed=$[failed + 1]; fi
if [ "$logrule" = "normal" ]; then ${iptables} -t ${table} ${attachement} "${basecmd[@]}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" || failed=$[failed + 1]; fi
if [ ! -z "${accounting}" ]; then ${iptables} -t ${table} ${attachement} "${basecmd[@]}" -m nfacct --nfacct-name "${accounting}" || failed=$[failed + 1]; fi
2015-02-19 01:21:51 +00:00
fi
2015-01-24 02:21:04 +00:00
2015-01-30 22:45:56 +00:00
done # dport
done # sport
2015-01-24 02:21:04 +00:00
done # dst
done # src
2004-10-31 02:21:02 +00:00
done # mac
done # physout
done # physin
done # outface
done # inface
done # proto
done # dscp
done # tos
done # mark
done # gid
2003-10-16 22:05:22 +00:00
done # uid
2015-02-11 23:42:38 +00:00
done # ipvall
2002-09-05 20:57:59 +00:00
test ${failed} -gt 0 && error "There are ${failed} failed commands." && return 1
return 0
}
2014-12-19 21:46:53 +00:00
warning() {
2015-02-11 23:42:38 +00:00
test ${PROGRAM_SPINNER_RUNNING} -eq 1 && spinner_end
2014-12-19 21:46:53 +00:00
echo >&2
2015-02-26 00:35:41 +00:00
echo >&2 -e "${COLOR_YELLOW}WARNING${COLOR_RESET} ${COLOR_CYAN}${LAST_CONFIG_LINE}${COLOR_RESET}: " "${@}"
2015-01-06 17:53:45 +00:00
echo >&2
2014-12-19 21:46:53 +00:00
return 0
}
2002-09-05 20:57:59 +00:00
2003-01-08 23:33:25 +00:00
softwarning() {
2015-02-11 23:42:38 +00:00
test ${PROGRAM_SPINNER_RUNNING} -eq 1 && spinner_end
2003-01-08 23:33:25 +00:00
echo >&2
2015-02-07 15:28:43 +00:00
echo >&2 -e "--------------------------------------------------------------------------------"
echo >&2 -e "${COLOR_BOLD}${COLOR_YELLOW}WARNING${COLOR_RESET}"
echo >&2 -e "WHEN : ${work_function}"
echo >&2 -e "WHY : ${COLOR_BOLD}${COLOR_YELLOW}${@}${COLOR_RESET}"
printf >&2 "COMMAND: ${COLOR_YELLOW}"; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
echo >&2 -e "${COLOR_RESET}MODE :" "${FIREHOL_NS_CURR}"
echo >&2 -e "SOURCE : $(config_line)"
2003-01-08 23:33:25 +00:00
echo >&2
return 0
}
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# error - error reporting while still parsing the configuration file
# WHY:
# This is the error handler that presents to the user detected errors during
# processing FireHOL's configuration file.
# This command is directly called by other functions of FireHOL.
error() {
2015-02-11 23:42:38 +00:00
test ${PROGRAM_SPINNER_RUNNING} -eq 1 && spinner_end
2015-01-30 22:45:56 +00:00
test "${FIREHOL_MODE}" = "START" && syslog err "Error '${@}' when '${work_function}' $(config_line)"
2009-02-26 02:13:54 +00:00
2002-12-23 14:39:19 +00:00
work_error=$[work_error + 1]
echo >&2
2015-02-07 15:28:43 +00:00
echo >&2 -e "--------------------------------------------------------------------------------"
echo >&2 -e "${COLOR_BOLD}${COLOR_BGRED}${COLOR_WHITE} ERROR ${COLOR_RESET}: # ${work_error}"
echo >&2 -e "WHEN : ${work_function}"
echo >&2 -e "WHY : ${COLOR_BGRED}${COLOR_WHITE} ${@} ${COLOR_RESET}"
printf >&2 "COMMAND: ${COLOR_YELLOW}"; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
echo >&2 -e "${COLOR_RESET}MODE :" "${FIREHOL_NS_CURR}"
echo >&2 -e "SOURCE : $(config_line)"
2002-12-23 14:39:19 +00:00
echo >&2
2002-09-05 20:57:59 +00:00
return 0
}
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
2003-01-25 02:33:59 +00:00
# runtime_error - postprocessing evaluation of commands run
2002-12-23 14:39:19 +00:00
# WHY:
# The generated iptables commands must be checked for errors in case they fail.
# This command is executed after every postprocessing command to find out
# if it has been successfull or failed.
2003-01-25 02:33:59 +00:00
runtime_error() {
2015-01-30 22:45:56 +00:00
local type="ERROR" id=
2003-01-25 02:33:59 +00:00
case "${1}" in
error)
2015-01-30 22:45:56 +00:00
type="ERROR "
2009-02-26 02:13:54 +00:00
work_runtime_error=$[work_runtime_error + 1]
2015-01-30 22:45:56 +00:00
id="# ${work_runtime_error}."
2003-01-25 02:33:59 +00:00
;;
warn)
2015-01-30 22:45:56 +00:00
type="WARNING"
id="This might or might not affect the operation of your firewall."
2003-01-25 02:33:59 +00:00
;;
*)
2009-02-26 02:13:54 +00:00
work_runtime_error=$[work_runtime_error + 1]
2015-01-30 22:45:56 +00:00
id="# ${work_runtime_error}."
2003-01-25 02:33:59 +00:00
echo >&2
echo >&2
2015-02-01 22:39:33 +00:00
echo >&2 "WARNING: unsupported final status type '${1}'. Assuming it is 'ERROR'"
2003-01-25 02:33:59 +00:00
echo >&2
echo >&2
;;
esac
shift
2015-01-30 22:45:56 +00:00
local ret="${1}" line="${2}"
shift 2
2003-01-25 02:33:59 +00:00
2015-01-30 22:45:56 +00:00
syslog err "Runtime ${type} '${id}'. Source ${line}"
2009-02-26 02:13:54 +00:00
2003-01-25 02:33:59 +00:00
echo >&2
echo >&2
echo >&2 "--------------------------------------------------------------------------------"
echo >&2 "${type} : ${id}"
echo >&2 "WHAT : A runtime command failed to execute (returned error ${ret})."
2015-01-30 22:45:56 +00:00
echo >&2 "SOURCE : ${line}"
2003-01-25 02:33:59 +00:00
printf >&2 "COMMAND : "
2015-02-06 20:43:23 +00:00
printf >&2 "%q " "${@}"
2003-01-25 02:33:59 +00:00
printf >&2 "\n"
echo >&2 "OUTPUT : "
echo >&2
2012-07-28 20:24:48 +00:00
${CAT_CMD} ${FIREHOL_OUTPUT}.log >&2
2003-01-25 02:33:59 +00:00
echo >&2
2002-09-05 20:57:59 +00:00
return 0
}
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# chain_exists - find if chain name has already being specified
# WHY:
# We have to make sure each service gets its own chain.
# Although FireHOL chain naming makes chains with unique names, this is just
# an extra sanity check.
2015-01-03 05:45:19 +00:00
declare -A FIREHOL_NFACCT=()
declare -A FIREHOL_CHAINS=()
2002-12-04 22:41:13 +00:00
chain_exists() {
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
local table="${1}" chain="${2}"
2013-11-10 13:05:29 +00:00
if running_ipv4; then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
test ! -z "${FIREHOL_CHAINS[${table}.${chain}.4]}" && return 1
2015-01-03 05:45:19 +00:00
# test -f "${FIREHOL_CHAINS_DIR}/${chain}.4" && return 1
2013-11-10 13:05:29 +00:00
fi
if running_ipv6; then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
test ! -z "${FIREHOL_CHAINS[${table}.${chain}.6]}" && return 1
2015-01-03 05:45:19 +00:00
# test -f "${FIREHOL_CHAINS_DIR}/${chain}.6" && return 1
2013-11-10 13:05:29 +00:00
fi
2002-12-04 22:41:13 +00:00
return 0
}
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# create_chain - create a chain and link it to the firewall
# WHY:
# When a chain is created it must somehow to be linked to the rest of the
# firewall apropriately. This function first creates the chain and then
# it links it to its final position within the generated firewall.
2015-02-13 00:43:38 +00:00
# An associative array to hold chain aliases
# it is used to prevent creating unecessary chain, while allowing
# simple and complex services to create virtual chains.
declare -A FIREHOL_CHAIN_ALIASES=()
2002-09-05 20:57:59 +00:00
create_chain() {
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# echo >&2 "${FUNCNAME} ${*}"
2015-02-13 00:43:38 +00:00
local doalias=0 table= newchain= oldchain=
# requested an alias
if [ "${1}" = "alias" ]
then
[ ${FIREHOL_CHAIN_PER_SERVICE} -eq 0 ] && doalias=1
shift
fi
table="${1}"
newchain="${2}"
oldchain="${3}"
2002-10-30 23:25:07 +00:00
shift 3
2002-09-05 20:57:59 +00:00
2015-02-13 00:43:38 +00:00
# we have to jump to the new chain
# cannot do it with an alias
test ! -z "${*}" && doalias=0
2002-12-17 20:47:34 +00:00
set_work_function "Creating chain '${newchain}' under '${oldchain}' in table '${table}'"
2002-11-30 22:53:55 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
chain_exists "${table}" "${newchain}"
2013-11-10 13:05:29 +00:00
test $? -eq 1 && error "Chain '${newchain}' already exists." && return 1
2002-09-05 20:57:59 +00:00
2015-02-13 00:43:38 +00:00
if [ ${doalias} -eq 1 ]
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
then
2015-02-13 00:43:38 +00:00
FIREHOL_CHAIN_ALIASES[$table.$newchain]="${oldchain}"
else
iptables_both -t ${table} -N "${newchain}" || return 1
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
running_ipv4 && FIREHOL_CHAINS[${table}.${newchain}.4]="1"
running_ipv6 && FIREHOL_CHAINS[${table}.${newchain}.6]="1"
2015-02-13 00:43:38 +00:00
if [ ! -z "${oldchain}" ]
then
rule table ${table} chain "${oldchain}" action "${newchain}" "${@}" || return 1
fi
Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.
For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.
The first argument must always be the word 'chain', for the moment.
name can be any chain name accepted by iptables.
It is suggested to keep it between 5 to 10 letters.
action can be any action supported by FireHOL, although ony ACCEPT,
REJECT, DROP, RETURN may have any meaning under this use.
Example 1:
At the top of firehol.conf, create the action ACT1:
action chain ACT1 accept
later, in interfaces and routers, create rules that use the ACT1 action:
server smtp ACT1
client imap ACT1
Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):
iptables -t filter -I ACT1 -j DROP
The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:
iptables -t filter -D ACT1 -j DROP
This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
nutralized (it will be the same as they were not specified at all in
firehol.conf).
Example 2:
action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop
will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
fi
2003-01-06 00:41:10 +00:00
return 0
}
# ------------------------------------------------------------------------------
# smart_function - find the valid service definition for a service
# WHY:
# FireHOL supports simple and complex services. This function first tries to
# detect if there are the proper variables set for a simple service, and if
# they do not exist, it then tries to find the complex function definition for
# the service.
#
# Additionally, it creates a chain for the subcommand.
2015-03-13 09:59:51 +00:00
ALL_SHOULD_ALSO_RUN_WARNING=0
2003-01-06 00:41:10 +00:00
smart_function() {
2015-02-13 00:43:38 +00:00
local type="${1}" services=(${2//,/ }) service= servname= suffix= mychain= ret= fn= dogroup=0 reverse=
# type = the current subcommand: server/client/route
# services = the services to implement
2003-01-06 00:41:10 +00:00
shift 2
2015-02-13 00:43:38 +00:00
# if [ "${#services[*]}" -gt 1 -a ! -z "${*}" ]
# then
# dogroup=1
# [ "${type}" = "client" ] && reverse="reverse"
# # create a new chain for their target
# # add all args to it
# # change the action with it for all services
# shift "${#@}"
# fi
for service in ${services[@]}
2003-01-06 00:41:10 +00:00
do
2015-01-30 22:45:56 +00:00
servname="${service}"
test "${service}" = "custom" && servname="${1}"
2003-01-06 00:41:10 +00:00
2015-03-13 09:59:51 +00:00
if [ "${service}" = "all" -a ! -z "${ALL_SHOULD_ALSO_RUN}" -a ${ALL_SHOULD_ALSO_RUN_WARNING} -eq 0 ]
then
ALL_SHOULD_ALSO_RUN_WARNING=1
warning "ALL_SHOULD_ALSO_RUN has been deprecated. Service 'all' now runs all these conntrack helpers: helper_all='${helper_all}'"
fi
2003-01-06 00:41:10 +00:00
set_work_function "Preparing for service '${service}' of type '${type}' under interface '${work_name}'"
# Increase the command counter, to make all chains within a primary
# command, unique.
2013-11-03 21:08:26 +00:00
local work_counter
get_next_work_counter work_counter
2003-01-06 00:41:10 +00:00
2015-01-30 22:45:56 +00:00
suffix="u${work_counter}"
2003-01-06 00:41:10 +00:00
case "${type}" in
client)
suffix="c${work_counter}"
;;
server)
suffix="s${work_counter}"
;;
route)
suffix="r${work_counter}"
;;
*) error "Cannot understand type '${type}'."
return 1
;;
esac
2015-01-30 22:45:56 +00:00
mychain="${work_name}_${servname}_${suffix}"
2003-01-06 00:41:10 +00:00
2015-02-13 00:43:38 +00:00
create_chain alias filter "in_${mychain}" "in_${work_name}" || return 1
create_chain alias filter "out_${mychain}" "out_${work_name}" || return 1
2003-01-06 00:41:10 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
# Create it in the raw table for the reconstruction to work
2015-02-15 10:55:11 +00:00
if [ "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "firehol" ]
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
then
create_chain alias raw "in_${mychain}" "in_${work_name}" || return 1
create_chain alias raw "out_${mychain}" "out_${work_name}" || return 1
fi
2003-01-06 00:41:10 +00:00
# Try the simple services first
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
simple_service "${mychain}" "${type}" "${service}" "${@}" "${FIREHOL_RULESET_MODE}"
2015-01-30 22:45:56 +00:00
ret=$?
2003-01-06 00:41:10 +00:00
# simple service completed succesfully.
test $ret -eq 0 && continue
# simple service exists but failed.
if [ $ret -ne 127 ]
then
error "Simple service '${service}' returned an error ($ret)."
return 1
fi
# Try the custom services
2015-01-30 22:45:56 +00:00
fn="rules_${service}"
2003-01-06 00:41:10 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Complex rules for ${fn}() for ${type} '${service}'"
2003-01-06 00:41:10 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
"${fn}" "${mychain}" "${type}" "${@}" "${FIREHOL_RULESET_MODE}"
2015-01-30 22:45:56 +00:00
ret=$?
2003-01-06 00:41:10 +00:00
test $ret -eq 0 && continue
if [ $ret -eq 127 ]
then
error "There is no service '${service}' defined."
else
error "Complex service '${service}' returned an error ($ret)."
fi
return 1
done
2015-02-13 00:43:38 +00:00
2003-01-06 00:41:10 +00:00
return 0
}
# ------------------------------------------------------------------------------
# simple_service - convert a service definition to an inline service definition
# WHY:
# When a simple service is detected, there must be someone to call
# rules_custom() with the appropriate service definition parameters.
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
declare -A FIREHOL_SERVER_PORTS_CACHE=()
declare -A FIREHOL_CLIENT_PORTS_CACHE=()
declare -A FIREHOL_SERVER_HELPERS_CACHE=()
declare -A FIREHOL_SERVER_MODS_CACHE=()
declare -A FIREHOL_SERVER_MODS_NAT_CACHE=()
2003-01-06 00:41:10 +00:00
simple_service() {
2015-01-30 22:45:56 +00:00
local mychain="${1}" \
type="${2}" \
server="${3}" \
server_varname= server_ports= \
client_varname= client_ports= \
varname= helpers= \
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
modules= modules_nat= \
x=
2015-01-30 22:45:56 +00:00
shift 3
2003-01-06 00:41:10 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
server_ports="${FIREHOL_SERVER_PORTS_CACHE[$server]}"
if [ ! -z "${server_ports}" ]
2003-01-06 00:41:10 +00:00
then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
[ "${server_ports}" = "127" ] && return 127
client_ports="${FIREHOL_CLIENT_PORTS_CACHE[$server]}"
helpers="${FIREHOL_SERVER_HELPERS_CACHE[$server]}"
modules="${FIREHOL_SERVER_MODS_CACHE[$server]}"
modules_nat="${FIREHOL_SERVER_MODS_NAT_CACHE[$server]}"
else
server_varname="server_${server}_ports"
eval server_ports="\$${server_varname}"
client_varname="client_${server}_ports"
eval client_ports="\$${client_varname}"
varname="helper_${server}"
eval helpers="\$${varname}"
varname="require_${server}_modules"
eval modules="\$${varname}"
2015-01-30 22:45:56 +00:00
varname="require_${server}_nat_modules"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
eval modules_nat="\$${varname}"
FIREHOL_SERVER_PORTS_CACHE[$server]="${server_ports}"
FIREHOL_CLIENT_PORTS_CACHE[$server]="${client_ports}"
FIREHOL_SERVER_HELPERS_CACHE[$server]="${helpers}"
FIREHOL_SERVER_MODS_CACHE[$server]="${modules}"
FIREHOL_SERVER_MODS_NAT_CACHE[$server]="${modules_nat}"
if [ ! -z "${server_ports}" -a -z "${client_ports}" ]
then
error "Simple service '${service}' has server ports, but no client ports defined."
return 1
elif [ -z "${server_ports}" -a ! -z "${client_ports}" ]
then
error "Simple service '${service}' has client ports, but no server ports defined."
return 1
elif [ -z "${server_ports}" -a -z "${client_ports}" ]
then
# this will make the caller attempt to find a complex service
FIREHOL_SERVER_PORTS_CACHE[$server]="127"
return 127
fi
for x in ${modules}
2003-01-06 00:41:10 +00:00
do
require_kernel_module $x || return 1
done
2009-02-19 05:27:49 +00:00
if [ ${FIREHOL_NAT} -eq 1 ]
then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
for x in ${modules_nat}
do
require_kernel_module $x || return 1
done
fi
# load the helper modules
for x in ${helpers}
do
2009-02-19 05:27:49 +00:00
case "${x}" in
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
snmp_basic) # this does not exist in conntrack
;;
*) require_kernel_module nf_conntrack_$x
;;
2009-02-19 05:27:49 +00:00
esac
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ ${FIREHOL_NAT} -eq 1 ]
then
case "${x}" in
netbios_ns|netlink|sane)
# these do not exist in nat
;;
*) require_kernel_module nf_nat_$x
;;
esac
fi
done
fi
2009-02-19 05:27:49 +00:00
2015-02-19 01:21:51 +00:00
set_work_function "Simple rules for ${type} '${service}'"
2015-02-06 20:43:23 +00:00
rules_custom "${mychain}" "${type}" "${server}" "${server_ports}" "${client_ports}" helpers "${helpers}" "${@}"
2003-01-06 00:41:10 +00:00
return $?
}
2004-04-21 21:35:29 +00:00
show_work_realcmd() {
2009-02-26 02:13:54 +00:00
test "${FIREHOL_MODE}" = "EXPLAIN" && return 0
2004-04-21 21:35:29 +00:00
(
printf "\n\n"
printf "# === CONFIGURATION STATEMENT =================================================\n"
2015-01-30 22:45:56 +00:00
printf "# $(config_line)\n"
printf "# >>> "
2004-04-21 21:35:29 +00:00
case $1 in
2) printf " "
;;
*) ;;
esac
printf "%q " "${work_realcmd[@]}"
printf "\n\n"
2015-01-30 22:45:56 +00:00
) >&21
2004-04-21 21:35:29 +00:00
}
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
FIREHOL_FILTERING_STARTED=0
2004-04-21 21:35:29 +00:00
work_realcmd_primary() {
2015-03-01 02:16:16 +00:00
test -z "${FIREHOL_DEFAULT_NAMESPACE}" && init_namespace
2015-02-11 23:42:38 +00:00
test ${FIREHOL_ENABLE_SPINNER} -eq 1 && spinner ${FIREHOL_COMMAND_COUNTER}
2015-02-19 21:06:00 +00:00
if [ ${FIREHOL_FILTERING_STARTED} -eq 0 ]
then
FIREHOL_FILTERING_STARTED=1
firewall_filtering_policy
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-01-30 22:45:56 +00:00
config_line -ne
2015-02-06 20:43:23 +00:00
work_realcmd=("${@}")
2004-04-21 21:35:29 +00:00
test ${FIREHOL_CONF_SHOW} -eq 1 && show_work_realcmd 1
2015-03-01 02:16:16 +00:00
# echo >&2 "CMD: ${@}: NS STACK: ${FIREHOL_NS_STACK[@]}"
2004-04-21 21:35:29 +00:00
}
work_realcmd_secondary() {
2015-03-01 02:16:16 +00:00
test -z "${FIREHOL_DEFAULT_NAMESPACE}" && init_namespace
2015-02-11 23:42:38 +00:00
test ${FIREHOL_ENABLE_SPINNER} -eq 1 && spinner ${FIREHOL_COMMAND_COUNTER}
2015-01-30 22:45:56 +00:00
config_line -ne
2015-02-06 20:43:23 +00:00
work_realcmd=("${@}")
2004-04-21 21:35:29 +00:00
test ${FIREHOL_CONF_SHOW} -eq 1 && show_work_realcmd 2
2015-03-01 02:16:16 +00:00
# echo >&2 "CMD: ${@}: NS STACK: ${FIREHOL_NS_STACK[@]}"
2004-04-21 21:35:29 +00:00
}
work_realcmd_helper() {
2015-03-01 02:16:16 +00:00
test -z "${FIREHOL_DEFAULT_NAMESPACE}" && init_namespace
2015-02-11 23:42:38 +00:00
test ${FIREHOL_ENABLE_SPINNER} -eq 1 && spinner ${FIREHOL_COMMAND_COUNTER}
2015-01-30 22:45:56 +00:00
config_line -ne
2015-02-06 20:43:23 +00:00
work_realcmd=("${@}")
2004-04-21 21:35:29 +00:00
test ${FIREHOL_CONF_SHOW} -eq 1 && show_work_realcmd 3
2015-03-01 02:16:16 +00:00
# echo >&2 "CMD: ${@}: NS STACK: ${FIREHOL_NS_STACK[@]}"
2004-04-21 21:35:29 +00:00
}
2013-10-15 21:59:25 +00:00
wait_for_interface() {
2015-01-30 22:45:56 +00:00
local iface="${1}" timeout=60 found=0 start=`date +%s` addr=
shift
2013-10-15 21:59:25 +00:00
2015-01-30 22:45:56 +00:00
[ -n "$1" ] && timeout="${1}"
2013-10-15 21:59:25 +00:00
while [ "`date +%s`" -lt $(($start+$timeout)) -a $found -eq 0 ]
do
2015-01-30 22:45:56 +00:00
addr=`ip addr show $iface 2> /dev/null | awk '$1 ~ /^inet$/ {print $2}'`
[ -n "$addr" ] && found=1
[ $found -eq 0 ] && sleep 0.5
2013-10-15 21:59:25 +00:00
done
2015-01-30 22:45:56 +00:00
# the interface is up
[ $found -eq 1 ] && return 0
return 1
2013-10-15 21:59:25 +00:00
}
2004-04-21 21:35:29 +00:00
2003-01-06 00:41:10 +00:00
2014-12-19 21:46:53 +00:00
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# keep a copy of the running firewall on disk for fast restoration
fixed_save() {
2015-01-30 22:45:56 +00:00
local command="$1" tmp="${FIREHOL_DIR}/iptables-save-$$" err=
2014-12-19 21:46:53 +00:00
load_kernel_module ip_tables
${command} -c >$tmp
err=$?
if [ ! $err -eq 0 ]
then
${RM_CMD} -f $tmp >/dev/null 2>&1
return $err
fi
${CAT_CMD} ${tmp} |\
${SED_CMD} \
-e "s/--uid-owner !/! --uid-owner /g" \
2015-02-12 21:02:13 +00:00
-e "s/--gid-owner !/! --gid-owner /g"
2014-12-19 21:46:53 +00:00
err=$?
${RM_CMD} -f $tmp >/dev/null 2>&1
return $err
}
2015-01-06 17:53:45 +00:00
FIREHOL_LAST_SUCCESSFUL_COMMAND="${FIREHOL_SPOOL_DIR}/firehol-last-ok-command"
2014-12-19 21:46:53 +00:00
firehol_save_activated_firewall() {
2015-02-02 20:54:11 +00:00
progress "Saving activated firewall to '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
if [ -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" ]
then
fixed_save ${IPTABLES_SAVE_CMD} >"${FIREHOL_SPOOL_DIR}/ipv4.rules"
if [ ! $? -eq 0 ]
then
2015-02-02 20:54:11 +00:00
failure # "Saving activated firewall to '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
return 1
fi
2015-01-06 17:53:45 +00:00
"${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}/ipv4.rules"
"${CHMOD_CMD}" 600 "${FIREHOL_SPOOL_DIR}/ipv4.rules"
2014-12-19 21:46:53 +00:00
else
test -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" && rm "${FIREHOL_SPOOL_DIR}/ipv4.rules"
fi
if [ -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" ]
then
fixed_save ${IP6TABLES_SAVE_CMD} >"${FIREHOL_SPOOL_DIR}/ipv6.rules"
if [ ! $? -eq 0 ]
then
2015-02-02 20:54:11 +00:00
failure # "Saving activated firewall to '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
return 1
fi
2015-01-06 17:53:45 +00:00
"${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}/ipv6.rules"
"${CHMOD_CMD}" 600 "${FIREHOL_SPOOL_DIR}/ipv6.rules"
2014-12-19 21:46:53 +00:00
else
test -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" && rm "${FIREHOL_SPOOL_DIR}/ipv6.rules"
fi
2015-01-06 17:53:45 +00:00
printf "%q " "${FIREHOL_ARGS[@]}" >"${FIREHOL_LAST_SUCCESSFUL_COMMAND}"
printf "\n" >>"${FIREHOL_LAST_SUCCESSFUL_COMMAND}"
2015-02-02 20:54:11 +00:00
success # "Saving activated firewall to '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
return 0
}
2015-01-06 17:53:45 +00:00
firehol_can_restore_saved_firewall() {
test ! -f "${FIREHOL_LAST_SUCCESSFUL_COMMAND}" \
&& warning "No saved firewall found to restore." \
&& return 1
local args="`printf "%q " "${FIREHOL_ARGS[@]}"`"
local old_args="`cat "${FIREHOL_LAST_SUCCESSFUL_COMMAND}"`"
test ! "${args}" = "${old_args}" \
&& warning "Saved firewall cannot be restored because it was run with different parameters." \
&& return 2
2015-01-30 22:45:56 +00:00
local do_ipv4=0 do_ipv6=0
test -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" && do_ipv4=1
test -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" && do_ipv6=1
2015-01-06 17:53:45 +00:00
test "${do_ipv4}${do_ipv6}" = "00" \
&& warning "Saved firewall includes neither IPv4 nor IPv6 rules to restore." \
&& return 1
2014-12-19 21:46:53 +00:00
2015-01-06 17:53:45 +00:00
test "${FIREHOL_CONFIG}" -nt "${FIREHOL_LAST_SUCCESSFUL_COMMAND}" \
&& warning "${FIREHOL_CONFIG} is newer than saved firewall. Cannot restore saved firewall." \
&& return 3
test ! -z "`${FIND_CMD} "${FIREHOL_CONFIG_DIR}" -newer "${FIREHOL_LAST_SUCCESSFUL_COMMAND}"`" \
&& warning "${FIREHOL_CONFIG_DIR} has updated files. Cannot restore saved firewall." \
&& return 4
test ! -z "`${FIND_CMD} "${FIREHOL_SERVICES_DIR}" -newer "${FIREHOL_LAST_SUCCESSFUL_COMMAND}"`" \
&& warning "${FIREHOL_SERVICES_DIR} has updated files. Cannot restore saved firewall." \
&& return 5
2015-02-01 22:16:33 +00:00
if [ ${ENABLE_IPSET} -eq 1 ]
then
ipsets_apply spool || return 6
fi
2015-01-31 23:08:12 +00:00
2015-01-06 17:53:45 +00:00
return 0
}
firehol_restore_last_activated_firewall() {
firehol_can_restore_saved_firewall || return 2
2014-12-19 21:46:53 +00:00
2015-02-02 20:54:11 +00:00
progress "Restoring last activated firewall from '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
2014-12-30 18:42:58 +00:00
if [ -x "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh" ]
2014-12-19 21:46:53 +00:00
then
2015-01-06 17:53:45 +00:00
"${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh" >/dev/null
2014-12-19 21:46:53 +00:00
if [ $? -ne 0 ]
then
2015-01-06 17:53:45 +00:00
warning "Failed to execute restoration script."
2015-02-02 20:54:11 +00:00
failure # "Restoring last activated firewall from '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
return 3
fi
fi
if [ -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv4.rules" ]
then
${IPTABLES_RESTORE_CMD} <"${FIREHOL_SPOOL_DIR}/ipv4.rules"
if [ $? -ne 0 ]
then
2015-01-06 17:53:45 +00:00
warning "Failed to restore IPv4 rules."
2015-02-02 20:54:11 +00:00
failure # "Restoring last activated firewall from '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
return 3
fi
fi
if [ -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" -a -f "${FIREHOL_SPOOL_DIR}/ipv6.rules" ]
then
${IP6TABLES_RESTORE_CMD} <"${FIREHOL_SPOOL_DIR}/ipv6.rules"
if [ $? -ne 0 ]
then
2015-01-06 17:53:45 +00:00
warning "Failed to restore IPv6 rules."
2015-02-02 20:54:11 +00:00
failure # "Restoring last activated firewall from '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
return 3
fi
fi
2015-02-02 20:54:11 +00:00
success # "Saving activated firewall to '${FIREHOL_SPOOL_DIR}'"
2014-12-19 21:46:53 +00:00
return 0
}
2003-01-06 00:41:10 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# START UP SCRIPT PROCESSING
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
2011-10-14 20:31:00 +00:00
kernel_maj_min() {
local kmaj kmin IFS=.-
kmaj=$1
kmin=$2
set -- $(uname -r)
eval $kmaj=\$1 $kmin=\$2
}
kernel_maj_min KERNELMAJ KERNELMIN
2003-01-06 00:41:10 +00:00
if [ "$KERNELMAJ" -lt 2 ] ; then
2003-09-18 20:54:25 +00:00
echo >&2 "FireHOL requires a kernel version higher than 2.3."
2003-01-06 00:41:10 +00:00
exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
2003-09-18 20:54:25 +00:00
echo >&2 "FireHOL requires a kernel version higher than 2.3."
2003-01-06 00:41:10 +00:00
exit 0
fi
2003-04-08 00:12:02 +00:00
if ${LSMOD_CMD} 2>/dev/null | ${GREP_CMD} -q ipchains ; then
2003-01-06 00:41:10 +00:00
# Don't do both
2003-09-18 20:54:25 +00:00
echo >&2 "ipchains is loaded in the kernel. Please remove ipchains to run iptables."
2003-01-06 00:41:10 +00:00
exit 0
fi
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# COMMAND LINE ARGUMENTS PROCESSING
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
2015-02-02 20:54:11 +00:00
syslog info "FireHOL started from '$PWD' with: ${0} ${*}"
2015-02-09 21:18:49 +00:00
while [ ! -z "${1}" ]
do
case "${1}" in
fast) FIREHOL_FAST_ACTIVATION=1
;;
2003-01-06 00:41:10 +00:00
2015-02-09 21:18:49 +00:00
nofast) FIREHOL_FAST_ACTIVATION=0
;;
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
optimal)
FIREHOL_RULESET_MODE="optimal"
;;
accurate)
FIREHOL_RULESET_MODE="accurate"
;;
2015-02-09 21:18:49 +00:00
reset-ipsets|reset_ipsets)
FIREHOL_IPSETS_RESPECT_KEEP=0
;;
*) break;;
esac
2015-01-06 17:53:45 +00:00
shift
2015-02-09 21:18:49 +00:00
done
arg="${1}"
shift
2015-01-06 17:53:45 +00:00
2003-01-06 00:41:10 +00:00
case "${arg}" in
explain)
2015-01-06 17:53:45 +00:00
test ! -z "${1}" && warning "Arguments after parameter '${arg}' are ignored."
2015-02-19 21:06:00 +00:00
FIREHOL_FILTERING_STARTED=1
2015-01-18 19:38:38 +00:00
FIREHOL_FAST_ACTIVATION=0
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="EXPLAIN"
2003-01-06 00:41:10 +00:00
;;
2003-02-20 22:32:56 +00:00
helpme|wizard)
2015-01-06 17:53:45 +00:00
test ! -z "${1}" && warning "Arguments after parameter '${arg}' are ignored."
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="WIZARD"
2003-02-20 22:32:56 +00:00
;;
2003-01-06 00:41:10 +00:00
try)
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="START"
2003-01-06 00:41:10 +00:00
FIREHOL_TRY=1
;;
start)
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="START"
2009-10-01 10:25:23 +00:00
FIREHOL_TRY=0
2003-01-06 00:41:10 +00:00
;;
stop)
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="STOP"
2015-01-06 17:53:45 +00:00
test ! -z "${1}" && warning "Arguments after parameter '${arg}' are ignored."
2015-02-02 20:54:11 +00:00
progress "Clearing firewall"
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV4 -eq 1 ]; then
load_kernel_module ip_tables
tables=`${CAT_CMD} /proc/net/ip_tables_names`
for t in ${tables}
2003-04-20 10:18:10 +00:00
do
2013-11-23 08:48:37 +00:00
${IPTABLES_CMD} -t "${t}" -F
${IPTABLES_CMD} -t "${t}" -X
${IPTABLES_CMD} -t "${t}" -Z
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
# Find all default chains in this table.
chains=`${IPTABLES_CMD} -t "${t}" -nL | ${GREP_CMD} "^Chain " | ${CUT_CMD} -d ' ' -f 2`
for c in ${chains}
do
${IPTABLES_CMD} -t "${t}" -P "${c}" ACCEPT
done
done
fi
if [ $ENABLE_IPV6 -eq 1 ]; then
load_kernel_module ip6_tables
tables6=`${CAT_CMD} /proc/net/ip6_tables_names`
for t in ${tables6}
2013-11-03 10:32:23 +00:00
do
2013-11-23 08:48:37 +00:00
${IP6TABLES_CMD} -t "${t}" -F
${IP6TABLES_CMD} -t "${t}" -X
${IP6TABLES_CMD} -t "${t}" -Z
# Find all default chains in this table.
chains=`${IP6TABLES_CMD} -t "${t}" -nL | ${GREP_CMD} "^Chain " | ${CUT_CMD} -d ' ' -f 2`
for c in ${chains}
do
${IP6TABLES_CMD} -t "${t}" -P "${c}" ACCEPT
done
2013-11-03 10:32:23 +00:00
done
2013-11-23 08:48:37 +00:00
fi
2015-02-02 20:54:11 +00:00
success # "Clearing firewall"
2015-03-23 15:19:49 +00:00
# Remove the saved firewall, so that the trap will not restore it.
${RM_CMD} -f "${FIREHOL_SAVED}" "${FIREHOL_SAVED6}" >/dev/null 2>&1
# signal the trap to exit with success
FIREHOL_ACTIVATED_SUCCESSFULLY=1
2003-01-06 00:41:10 +00:00
exit 0
;;
2015-01-06 17:53:45 +00:00
restore|condrestart)
FIREHOL_RESTORE_INSTEAD_OF_START=1
2014-12-19 21:46:53 +00:00
FIREHOL_MODE="START"
2015-01-06 17:53:45 +00:00
FIREHOL_TRY=0
2014-12-19 21:46:53 +00:00
;;
2003-04-30 23:29:47 +00:00
restart|force-reload)
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="START"
2015-01-06 17:53:45 +00:00
FIREHOL_TRY=0
2003-01-06 00:41:10 +00:00
;;
2015-02-19 01:21:51 +00:00
cstatus|conntrack_status)
2015-02-13 00:43:38 +00:00
lnstat -c -1 -f nf_conntrack
exit $?
;;
2015-02-19 01:21:51 +00:00
sstatus|synproxy_status)
lnstat -c -1 -f synproxy
exit $?
;;
2003-01-06 00:41:10 +00:00
status)
2015-01-06 17:53:45 +00:00
test ! -z "${1}" && warning "Arguments after parameter '${arg}' are ignored."
2003-01-08 23:33:25 +00:00
(
2015-02-13 00:43:38 +00:00
if [ $ENABLE_IPV4 -eq 1 ]; then
echo
echo
echo "--- RAW IPv4 -------------------------------------------------------------------"
echo
${IPTABLES_CMD} -t raw -nxvL
fi
if [ $ENABLE_IPV6 -eq 1 ]; then
echo
echo
echo "--- RAW IPv6 -------------------------------------------------------------------"
echo
${IP6TABLES_CMD} -t raw -nxvL
fi
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV4 -eq 1 ]; then
2013-11-03 10:32:23 +00:00
echo
echo
echo "--- MANGLE IPv4 ----------------------------------------------------------------"
echo
2003-04-08 00:12:02 +00:00
${IPTABLES_CMD} -t mangle -nxvL
2013-11-23 08:48:37 +00:00
fi
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV6 -eq 1 ]; then
2013-11-03 10:32:23 +00:00
echo
echo
echo "--- MANGLE IPv6 ----------------------------------------------------------------"
echo
${IP6TABLES_CMD} -t mangle -nxvL
2013-11-23 08:48:37 +00:00
fi
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV4 -eq 1 ]; then
2013-11-03 10:32:23 +00:00
echo
echo
echo "--- NAT IPv4 -------------------------------------------------------------------"
echo
2003-04-08 00:12:02 +00:00
${IPTABLES_CMD} -t nat -nxvL
2013-11-23 08:48:37 +00:00
fi
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV6 -eq 1 ]; then
2013-11-03 10:32:23 +00:00
echo
echo
echo "--- NAT IPv6 -------------------------------------------------------------------"
2013-11-03 18:11:16 +00:00
echo
2013-11-03 10:32:23 +00:00
if grep -q '^nat$' /proc/net/ip6_tables_names
then
${IP6TABLES_CMD} -t nat -nxvL
else
echo "IPv6 NAT not available"
fi
2013-11-23 08:48:37 +00:00
fi
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV4 -eq 1 ]; then
2013-11-03 10:32:23 +00:00
echo
echo
echo "--- FILTER IPv4 ----------------------------------------------------------------"
echo
2003-04-08 00:12:02 +00:00
${IPTABLES_CMD} -nxvL
2013-11-23 08:48:37 +00:00
fi
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV6 -eq 1 ]; then
2013-11-03 10:32:23 +00:00
echo
echo
echo "--- FILTER IPv6 ----------------------------------------------------------------"
echo
${IP6TABLES_CMD} -nxvL
2013-11-23 08:48:37 +00:00
fi
2015-02-13 00:43:38 +00:00
if [ ${ENABLE_IPSET} -eq 1 ]; then
echo
echo
echo "--- IPSETs ---------------------------------------------------------------------"
echo
${IPSET_CMD} -L
fi
) >"${FIREHOL_DIR}/status"
pager_cmd <"${FIREHOL_DIR}/status"
2003-01-06 00:41:10 +00:00
exit $?
;;
panic)
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="PANIC"
2003-03-15 00:59:27 +00:00
ssh_src=
ssh_sport="0:65535"
ssh_dport="0:65535"
if [ ! -z "${SSH_CLIENT}" ]
then
set -- ${SSH_CLIENT}
ssh_src="${1}"
ssh_sport="${2}"
ssh_dport="${3}"
elif [ ! -z "${1}" ]
then
ssh_src="${1}"
fi
2009-02-26 02:13:54 +00:00
syslog info "Starting PANIC mode (SSH SOURCE_IP=${ssh_src} SOURCE_PORTS=${ssh_sport} DESTINATION_PORTS=${ssh_dport})"
2015-02-02 20:54:11 +00:00
progress "Blocking all communications"
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV4 -eq 1 ]; then
load_kernel_module ip_tables
tables=`${CAT_CMD} /proc/net/ip_tables_names`
for t in ${tables}
2003-03-14 20:59:07 +00:00
do
2013-11-23 08:48:37 +00:00
${IPTABLES_CMD} -t "${t}" -F
${IPTABLES_CMD} -t "${t}" -X
${IPTABLES_CMD} -t "${t}" -Z
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
# Find all default chains in this table.
chains=`${IPTABLES_CMD} -t "${t}" -nL | ${GREP_CMD} "^Chain " | ${CUT_CMD} -d ' ' -f 2`
for c in ${chains}
do
${IPTABLES_CMD} -t "${t}" -P "${c}" ACCEPT
if [ ! -z "${ssh_src}" ]
then
${IPTABLES_CMD} -t "${t}" -A "${c}" -p tcp -s "${ssh_src}" --sport "${ssh_sport}" --dport "${ssh_dport}" -m conntrack --ctstate ESTABLISHED -j ACCEPT
${IPTABLES_CMD} -t "${t}" -A "${c}" -p tcp -d "${ssh_src}" --dport "${ssh_sport}" --sport "${ssh_dport}" -m conntrack --ctstate ESTABLISHED -j ACCEPT
fi
if [ "${t}" != "nat" ] ; then
${IPTABLES_CMD} -t "${t}" -A "${c}" -j DROP
fi
done
done
fi
if [ $ENABLE_IPV6 -eq 1 ]; then
load_kernel_module ip6_tables
tables6=`${CAT_CMD} /proc/net/ip6_tables_names`
for t in ${tables6}
2013-11-03 10:32:23 +00:00
do
2013-11-23 08:48:37 +00:00
${IP6TABLES_CMD} -t "${t}" -F
${IP6TABLES_CMD} -t "${t}" -X
${IP6TABLES_CMD} -t "${t}" -Z
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
# Find all default chains in this table.
chains=`${IP6TABLES_CMD} -t "${t}" -nL | ${GREP_CMD} "^Chain " | ${CUT_CMD} -d ' ' -f 2`
for c in ${chains}
do
${IP6TABLES_CMD} -t "${t}" -P "${c}" ACCEPT
if [ ! -z "${ssh_src}" ]
then
${IP6TABLES_CMD} -t "${t}" -A "${c}" -p tcp -s "${ssh_src}" --sport "${ssh_sport}" --dport "${ssh_dport}" -m conntrack --ctstate ESTABLISHED -j ACCEPT
${IP6TABLES_CMD} -t "${t}" -A "${c}" -p tcp -d "${ssh_src}" --dport "${ssh_sport}" --sport "${ssh_dport}" -m conntrack --ctstate ESTABLISHED -j ACCEPT
fi
if [ "${t}" != "nat" ] ; then
${IP6TABLES_CMD} -t "${t}" -A "${c}" -j DROP
fi
done
2013-11-03 10:32:23 +00:00
done
2013-11-23 08:48:37 +00:00
fi
2015-02-02 20:54:11 +00:00
success # "Blocking all communications"
2003-03-14 20:59:07 +00:00
exit 0
2003-01-06 00:41:10 +00:00
;;
save)
2012-09-11 18:51:36 +00:00
test ! -z "${1}" && test ${1} != "--" && softwarning "Arguments after parameter '${arg}' are ignored."
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="START"
2003-01-06 00:41:10 +00:00
FIREHOL_SAVE=1
;;
debug)
2012-09-11 18:51:36 +00:00
test ! -z "${1}" && test ${1} != "--" && softwarning "Arguments after parameter '${arg}' are ignored."
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="DEBUG"
2003-01-06 00:41:10 +00:00
;;
2015-02-01 05:15:10 +00:00
ipset_update_from_file)
2015-02-01 22:16:33 +00:00
if [ ${ENABLE_IPSET} -ne 1 ]
then
echo >&2 "ipset is not enabled. Is ipset installed?"
exit 1
fi
2015-02-01 05:15:10 +00:00
name="${1}"
shift
2015-02-03 22:33:17 +00:00
progress "Updating ipset '${name}' with options: ${*}"
2015-02-01 14:22:12 +00:00
found=0
2015-02-01 22:16:33 +00:00
for x in $( ipset_list_active_names )
2015-02-01 14:22:12 +00:00
do
[ "$x" = "${name}" ] && found=1 && break
done
if [ $found -eq 1 ]
2015-02-01 05:15:10 +00:00
then
2015-02-01 14:22:12 +00:00
tmp=$(${MKTEMP_CMD} "${FIREHOL_DIR}/ipset-XXXXXXXXXX") || exit 1
2015-02-03 22:33:17 +00:00
2015-02-04 22:05:13 +00:00
# save the current set
${IPSET_CMD} ${IPSET_SAVE_OPTION} ${name} >${tmp}.old
2015-02-03 22:33:17 +00:00
# find the create statement
2015-02-05 00:24:56 +00:00
${EGREP_CMD} "^(${IPSET_CREATE_OPTION}|create|-N|--create) " <${tmp}.old >${tmp}
if [ ! -s ${tmp} -a -f "${FIREHOL_SPOOL_DIR}/ipset.${name}.rules" ]
2015-02-03 22:33:17 +00:00
then
2015-02-05 00:24:56 +00:00
# try the rules we generated previously
${GREP_CMD} "^${IPSET_CREATE_OPTION} ${name} " \
<"${FIREHOL_SPOOL_DIR}/ipset.${name}.rules" \
>${tmp}
2015-02-03 22:33:17 +00:00
fi
# do we have a 'create' statement?
if [ ! -s ${tmp} ]
then
failure "cannot find ipset create statement" # "Updating ipset '${name}' with options: ${*}"
echo >&2 "Sorry. Cannot find the template to re-create ipset '${name}'."
echo >&2 "Make sure the firehol-defaults.conf reflects your ipset create statement."
exit 1
fi
# ok, we have the ipset 'create' statement in $tmp
# add a flush to it
echo "${IPSET_FLUSH_OPTION} ${name}" >>${tmp}
# add the IPs from the file
2015-02-01 14:22:12 +00:00
ipset_addfile "${name}" "${@}" >>${tmp}
2015-02-01 05:15:10 +00:00
if [ $? -ne 0 ]
then
2015-02-03 22:37:59 +00:00
failure # "Updating ipset '${name}' with options: ${*}"
2015-02-01 05:15:10 +00:00
exit 1
fi
2015-02-03 22:33:17 +00:00
# lets rename it
ipset_to_temp_and_swap "${name}" <${tmp} >"${FIREHOL_DIR}/ipsets.restore"
2015-04-02 03:35:42 +00:00
# cp "${FIREHOL_DIR}/ipsets.restore" /tmp/
2015-02-03 22:33:17 +00:00
# and activate it
2015-04-24 17:39:09 +00:00
ipsets_restore "${FIREHOL_DIR}/ipsets.restore"
2015-02-01 05:15:10 +00:00
if [ $? -ne 0 ]
then
2015-02-03 22:36:55 +00:00
failure # "Updating ipset '${name}' with options: ${*}"
2015-02-04 22:05:13 +00:00
ipset_remove_all_tmp_sets
2015-02-01 05:15:10 +00:00
exit 1
fi
2015-02-05 20:36:29 +00:00
ipset_done_all_tmp_sets
2015-02-03 22:33:17 +00:00
# let the user know
success "$(( $(cat ${tmp} | wc -l) - 2 )) IPs" # "Updating ipset '${name}' with options: ${*}"
2015-02-01 14:22:12 +00:00
2015-02-04 22:05:13 +00:00
# save the new ipset
${IPSET_CMD} ${IPSET_SAVE_OPTION} ${name} >${tmp}.new
# sort the two sets
2015-02-05 20:36:29 +00:00
# we use the files saved from ipset, so that if the kernel is
# making something magic to them (it does not currently),
# we will compare what the kernel actually sees.
2015-02-04 22:05:13 +00:00
${SORT_CMD} <${tmp}.new >${tmp}.new.sorted
${SORT_CMD} <${tmp}.old >${tmp}.old.sorted
2015-02-05 20:36:29 +00:00
diff ${tmp}.old.sorted ${tmp}.new.sorted |\
${SED_CMD} -e "s|[\t ]\+| |g" -e "s|^ \+||g" -e "s| \+$||g" \
-e "s|^\([<>]\) [^[:space:]]* ${name} \([0-9a-fA-F/\.:-]\+\) .*$|\1 \2|g" \
-e "s|^\([<>]\) [^[:space:]]* ${name} \([0-9a-fA-F/\.:-]\+\)$|\1 \2|g" |\
${EGREP_CMD} "^[<>] [0-9a-fA-F/\.:-]+$" >${tmp}.diff
echo
2015-02-05 23:08:15 +00:00
2015-02-05 20:36:29 +00:00
if [ ! -s ${tmp}.diff ]
then
echo " >> No differences - the new set is exactly the same with the old."
else
cat ${tmp}.diff | ${GREP_CMD} "^< " | ${SED_CMD} "s|^< ||g" | ${TR_CMD} "\n" " " >${tmp}.removed
cat ${tmp}.diff | ${GREP_CMD} "^> " | ${SED_CMD} "s|^> ||g" | ${TR_CMD} "\n" " " >${tmp}.added
if [ -s ${tmp}.removed ]
then
echo -n " < Removed: "
cat ${tmp}.removed
echo
fi
if [ -s ${tmp}.added ]
then
echo -n " > Added : "
cat ${tmp}.added
echo
fi
fi
echo
2015-02-04 22:05:13 +00:00
2015-02-01 14:22:12 +00:00
# keep it for restoration
if [ -f "${FIREHOL_SPOOL_DIR}/ipset.${name}.rules" ]
then
2015-02-03 22:33:17 +00:00
progress "Keeping ipset '${name}' for later restoration"
cp ${tmp} "${FIREHOL_SPOOL_DIR}/ipset.${name}.rules"
if [ $? -eq 0 ]
then
success
else
failure
fi
2015-02-01 14:22:12 +00:00
fi
2015-02-01 15:17:34 +00:00
2015-02-03 22:33:17 +00:00
# save the whole ipset to spool
2015-02-01 22:16:33 +00:00
ipset_save_active_to_spool
2015-02-01 14:22:12 +00:00
# make the exit handler exit with 0
FIREHOL_ACTIVATED_SUCCESSFULLY=1
2015-02-01 05:15:10 +00:00
exit 0
else
2015-04-02 03:35:42 +00:00
failure "no collection with name '${name}'" # "Updating ipset '${name}' with options: ${*}"
2015-02-01 05:15:10 +00:00
fi
exit 1
;;
2015-03-23 15:19:49 +00:00
2003-01-06 00:41:10 +00:00
*) if [ ! -z "${arg}" -a -f "${arg}" ]
then
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="START"
FIREHOL_TRY=1
2003-01-06 00:41:10 +00:00
FIREHOL_CONFIG="${arg}"
arg="${1}"
test -z "${arg}" && arg="try"
2015-01-06 17:53:45 +00:00
2003-01-06 00:41:10 +00:00
case "${arg}" in
start)
FIREHOL_TRY=0
2015-01-06 17:53:45 +00:00
shift
2003-01-06 00:41:10 +00:00
;;
2015-03-23 15:19:49 +00:00
2003-01-06 00:41:10 +00:00
try)
FIREHOL_TRY=1
2015-01-06 17:53:45 +00:00
shift
2003-01-06 00:41:10 +00:00
;;
2015-03-23 15:19:49 +00:00
2003-01-06 00:41:10 +00:00
debug)
2009-02-26 02:13:54 +00:00
FIREHOL_MODE="DEBUG"
2003-01-06 00:41:10 +00:00
FIREHOL_TRY=0
2015-01-06 17:53:45 +00:00
shift
2003-01-06 00:41:10 +00:00
;;
2015-01-06 17:53:45 +00:00
2015-03-23 15:19:49 +00:00
restore|condrestart)
FIREHOL_RESTORE_INSTEAD_OF_START=1
FIREHOL_TRY=0
shift
2015-01-06 17:53:45 +00:00
;;
2015-03-23 15:19:49 +00:00
--) ;;
2003-01-06 00:41:10 +00:00
*)
2015-02-01 22:39:33 +00:00
echo >&2 "Cannot accept command line argument '${1}' here."
2003-01-06 00:41:10 +00:00
exit 1
;;
esac
else
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
test ! -z "${arg}" -a ! -f "${arg}" && echo >&2 "File '${arg}' not found."
2012-03-25 13:52:07 +00:00
emit_version
2003-04-08 00:12:02 +00:00
${CAT_CMD} <<EOF
2015-02-09 21:18:49 +00:00
FireHOL supports the following options (before any command):
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
fast sets FIREHOL_FAST_ACTIVATION=1
nofast sets FIREHOL_FAST_ACTIVATION=0
2015-02-09 21:18:49 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
optimal sets FIREHOL_RULESET_MODE="optimal"
accurate sets FIREHOL_RULESET_MODE="accurate"
2015-02-09 21:18:49 +00:00
reset-ipsets removes and recreates all ipsets used.
dynamic ipsets (such as the ones created
by the iptrap helper), are not recreated
so that they will keep their data.
this option recreates them.
FireHOL supports the following commands (only one of them):
2003-01-06 00:41:10 +00:00
start to activate the firewall configuration.
The configuration is expected to be found in
2004-10-28 23:03:06 +00:00
${FIREHOL_CONFIG_DIR}/firehol.conf
2003-01-06 00:41:10 +00:00
try to activate the firewall, but wait until
the user types the word "commit". If this word
is not typed within 30 seconds, the previous
firewall is restored.
stop to stop a running iptables firewall.
This will allow all traffic to pass unchecked.
restart this is an alias for start and is given for
compatibility with /etc/init.d/iptables.
status will show the running firewall, as in:
2013-11-03 10:32:23 +00:00
${IPTABLES_CMD} -nxvL
and
${IP6TABLES_CMD} -nxvL
2015-02-13 00:43:38 +00:00
cstatus show connection tracker status
2003-04-08 00:12:02 +00:00
panic will block all IP communication.
2002-09-05 20:57:59 +00:00
2014-12-19 21:46:53 +00:00
restore will restore the last activated firewall.
Useful for quickly restoring at boot the last
successfully activated FireHOL firewall.
2003-07-20 22:14:28 +00:00
save to start the firewall and then save it to the
place where /etc/init.d/iptables looks for it.
2003-01-06 00:41:10 +00:00
Note that not all firewalls will work if
restored with:
/etc/init.d/iptables start
2014-12-19 21:46:53 +00:00
The fastest way to restore a FireHOL firewall
at boot is the 'restore' feature.
2003-01-06 00:41:10 +00:00
debug to parse the configuration file but instead of
activating it, to show the generated iptables
statements.
2002-12-04 22:41:13 +00:00
2003-01-06 00:41:10 +00:00
explain to enter interactive mode and accept configuration
directives. It also gives the iptables commands
for each directive together with reasoning.
2003-02-20 22:32:56 +00:00
helpme or to enter a wizard mode where FireHOL will try
wizard to figure out the configuration you need.
2003-03-05 00:33:56 +00:00
You can redirect the standard output of FireHOL to
a file to get the config to this file.
2003-02-20 22:32:56 +00:00
2003-01-06 00:41:10 +00:00
<a filename> a different configuration file.
If not other argument is given, the configuration
will be "tried" (default = try).
Otherwise the argument next to the filename can
be one of 'start', 'debug' and 'try'.
2002-09-05 20:57:59 +00:00
2003-01-06 00:41:10 +00:00
-------------------------------------------------------------------------
2002-11-30 22:53:55 +00:00
2003-01-06 00:41:10 +00:00
FireHOL supports the following services (sorted by name):
EOF
(
# The simple services
2015-01-30 22:45:56 +00:00
${CAT_CMD} "${PROGRAM_FILE}" |\
2003-04-08 00:12:02 +00:00
${GREP_CMD} -e "^server_.*_ports=" |\
${CUT_CMD} -d '=' -f 1 |\
${SED_CMD} "s/^server_//" |\
${SED_CMD} "s/_ports\$//"
2002-11-30 22:53:55 +00:00
2003-01-06 00:41:10 +00:00
# The complex services
2015-01-30 22:45:56 +00:00
${CAT_CMD} "${PROGRAM_FILE}" |\
2003-04-08 00:12:02 +00:00
${GREP_CMD} -e "^rules_.*()" |\
${CUT_CMD} -d '(' -f 1 |\
${SED_CMD} "s/^rules_/(*) /"
) | ${SORT_CMD} | ${UNIQ_CMD} |\
2003-01-06 00:41:10 +00:00
(
x=0
while read
do
x=$[x + 1]
if [ $x -gt 4 ]
then
printf "\n"
x=1
fi
printf "% 16s |" "$REPLY"
done
printf "\n\n"
)
2002-11-30 22:53:55 +00:00
2003-04-08 00:12:02 +00:00
${CAT_CMD} <<EOF
2003-01-06 00:41:10 +00:00
Services marked with (*) are "smart" or complex services.
All the others are simple single socket services.
Please note that the service:
2014-07-27 10:23:42 +00:00
all matches all packets and all protocols, while ensuring that
required kernel modules are loaded. Packets "untracked" by
iptables (e.g. ICMPv6 neighbour discovery packets) are not
included in "all" and must be handled separately.
2003-01-06 00:41:10 +00:00
any allows the matching of packets with unusual rules, like
only protocol but no ports. If service any is used
without other parameters, it does what service all does
but it does not handle kernel modules.
For example, to match GRE traffic use:
2002-11-30 22:53:55 +00:00
2003-01-06 00:41:10 +00:00
server any mygre accept proto 47
2002-11-30 22:53:55 +00:00
2003-01-06 00:41:10 +00:00
Service any does not handle kernel modules.
2002-11-30 22:53:55 +00:00
2003-01-06 00:41:10 +00:00
custom allows the definition of a custom service.
The template is:
2002-09-08 12:05:10 +00:00
2003-01-06 00:41:10 +00:00
server custom name protocol/sport cport accept
2002-12-17 20:47:34 +00:00
2003-01-06 00:41:10 +00:00
where name is just a name, protocol is the protocol the
service uses (tcp, udp, etc), sport is server port,
cport is the client port. For example, IMAP4 is:
2002-12-17 20:47:34 +00:00
2003-01-06 00:41:10 +00:00
server custom imap tcp/143 default accept
2003-03-05 00:33:56 +00:00
YOU DO NOT KNOW WHAT TO DO? FireHOL can help you! Just run it with the
argument 'helpme' and it will generate its configuration file for this
machine. Your running firewall will not be altered or stopped, and no
systems settings will be modified. Just run:
2015-01-30 22:45:56 +00:00
${PROGRAM_FILE} helpme >/tmp/firehol.conf
2003-03-05 00:33:56 +00:00
and you will get the configuration written to /tmp/firehol.conf
2003-01-06 00:41:10 +00:00
EOF
exit 1
2002-11-30 22:53:55 +00:00
2002-09-08 12:05:10 +00:00
fi
2003-01-06 00:41:10 +00:00
;;
esac
2002-09-05 20:57:59 +00:00
2015-01-06 17:53:45 +00:00
# Remove all parameters until --
while [ ! -z "${1}" ]
do
if [ "${1}" = "--" ]
then
shift
break
fi
warning "Parameter '${1}' is ignored."
shift
done
2002-09-05 20:57:59 +00:00
2009-02-26 02:13:54 +00:00
if [ "${FIREHOL_MODE}" = "START" -o "${FIREHOL_MODE}" = "DEBUG" ]
2003-01-06 00:41:10 +00:00
then
2009-02-26 02:13:54 +00:00
if [ ! -f "${FIREHOL_CONFIG}" ]
then
2015-02-02 20:54:11 +00:00
echo >&2 " ERROR: FireHOL config '${FIREHOL_CONFIG}' not found."
2009-02-26 02:13:54 +00:00
exit 1
fi
2003-01-06 00:41:10 +00:00
fi
2002-09-05 20:57:59 +00:00
2015-02-07 15:28:43 +00:00
test "${FIREHOL_MODE}" = "DEBUG" && FIREHOL_CONF_SHOW=1
2002-09-05 20:57:59 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
2002-12-23 14:39:19 +00:00
# MAIN PROCESSING - Interactive mode
2002-09-05 20:57:59 +00:00
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
2009-02-26 02:13:54 +00:00
if [ "${FIREHOL_MODE}" = "EXPLAIN" ]
2002-12-17 20:47:34 +00:00
then
2015-01-30 22:45:56 +00:00
FIREHOL_CONF_SHOW=1
FIREHOL_FAST_ACTIVATION=0
2002-12-17 20:47:34 +00:00
FIREHOL_CONFIG="Interactive User Input"
2015-01-30 22:45:56 +00:00
lineid="1"
FORCE_CONFIG_LINEID="${lineid}@${FIREHOL_CONFIG}"
2012-03-25 13:52:07 +00:00
2002-12-18 00:30:28 +00:00
FIREHOL_TEMP_CONFIG="${FIREHOL_DIR}/firehol.conf"
2012-03-25 13:52:07 +00:00
2002-12-18 00:30:28 +00:00
echo "version ${FIREHOL_VERSION}" >"${FIREHOL_TEMP_CONFIG}"
version ${FIREHOL_VERSION}
2002-12-18 23:36:07 +00:00
2012-03-25 13:52:07 +00:00
emit_version
2002-12-18 00:30:28 +00:00
2012-03-25 13:52:07 +00:00
${CAT_CMD} <<EOF
You can now start typing firehol configuration directives.
2002-12-18 23:36:07 +00:00
Special interactive commands: help, show, quit
2002-12-18 00:30:28 +00:00
EOF
2015-02-08 08:44:00 +00:00
HISTFILE="${HOME}/.firehol_history"
test ! -f ${HISTFILE} && touch ${HISTFILE}
history -r
2002-12-17 20:47:34 +00:00
while [ 1 = 1 ]
do
2015-02-11 12:15:06 +00:00
# \001 = begin ignoring characters
# \002 = end ignoring characters
# without the above codes, lines do not wrap properly (readline counts also the color escape codes)
prompt="\001${COLOR_RESET}\002#\001${COLOR_GREEN}\002 FireHOL \001${COLOR_RESET}\002[\001${COLOR_BOLD}${COLOR_BLUE}\002${work_cmd}\001${COLOR_RESET}\002:\001${COLOR_CYAN}\002${work_name}\001${COLOR_RESET}\002] > "
2015-02-08 08:44:00 +00:00
eval "read -ep \$'${prompt}' -e -r REPLY"
2002-12-17 20:47:34 +00:00
test -z "${REPLY}" && continue
2015-02-08 08:44:00 +00:00
history -s "${REPLY}"
history -w
2015-02-07 15:28:43 +00:00
2002-12-18 00:30:28 +00:00
set_work_function -ne "Executing user input"
2002-12-17 20:47:34 +00:00
2002-12-18 23:36:07 +00:00
while [ 1 = 1 ]
do
2002-12-18 00:30:28 +00:00
set -- ${REPLY}
2002-12-17 20:47:34 +00:00
2002-12-18 00:30:28 +00:00
case "${1}" in
help)
2003-07-20 22:14:28 +00:00
${CAT_CMD} <<EOF
2002-12-18 00:30:28 +00:00
You can use anything a FireHOL configuration file accepts, including variables,
loops, etc. Take only care to write loops in one row.
2002-12-17 20:47:34 +00:00
2002-12-18 23:36:07 +00:00
Additionaly, you can use the following commands:
help to print this text on your screen.
show to show all the successfull commands so far.
quit to show the interactively given configuration file
and quit.
2015-02-08 08:44:00 +00:00
in|in4|in6
same as typing: interface(4|6) eth0 world
2002-12-18 23:36:07 +00:00
This is used as a shortcut to get into the server/client
mode in which you can test the rules for certain
services.
2002-12-18 00:30:28 +00:00
EOF
2002-12-18 23:36:07 +00:00
break
2002-12-18 00:30:28 +00:00
;;
show)
echo
2003-04-08 00:12:02 +00:00
${CAT_CMD} "${FIREHOL_TEMP_CONFIG}"
2002-12-18 00:30:28 +00:00
echo
2002-12-18 23:36:07 +00:00
break
2002-12-18 00:30:28 +00:00
;;
2015-02-08 08:44:00 +00:00
quit|exit)
2002-12-18 00:30:28 +00:00
echo
2003-04-08 00:12:02 +00:00
${CAT_CMD} "${FIREHOL_TEMP_CONFIG}"
2002-12-18 00:30:28 +00:00
echo
exit 1
;;
2002-12-18 23:36:07 +00:00
in)
2015-02-08 08:44:00 +00:00
REPLY="interface eth0 world"
continue
;;
in4)
REPLY="interface4 eth0 world"
continue
;;
in6)
REPLY="interface6 eth0 world"
2002-12-18 23:36:07 +00:00
continue
;;
2002-12-18 00:30:28 +00:00
*)
2015-02-08 10:05:42 +00:00
echo -e "# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/"
echo -e "# Cmd Line : ${FORCE_CONFIG_LINEID}"
echo -e "# Command : ${COLOR_YELLOW}${REPLY}${COLOR_RESET}"
2002-12-17 20:47:34 +00:00
2015-02-06 20:43:23 +00:00
eval "${@}"
2002-12-18 00:30:28 +00:00
if [ $? -gt 0 ]
then
printf "\n# > FAILED <\n"
else
if [ "${1}" = "interface" -o "${1}" = "router" ]
then
echo >>"${FIREHOL_TEMP_CONFIG}"
else
printf " " >>"${FIREHOL_TEMP_CONFIG}"
fi
printf "%s\n" "${REPLY}" >>"${FIREHOL_TEMP_CONFIG}"
2015-01-30 22:45:56 +00:00
lineid=$[lineid + 1]
FORCE_CONFIG_LINEID="${lineid}@${FIREHOL_CONFIG}"
2002-12-18 00:30:28 +00:00
printf "\n# > OK <\n"
fi
2002-12-18 23:36:07 +00:00
break
2002-12-18 00:30:28 +00:00
;;
esac
2002-12-18 23:36:07 +00:00
break
done
2002-12-17 20:47:34 +00:00
done
exit 0
fi
2002-12-23 14:39:19 +00:00
2003-02-20 22:32:56 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# MAIN PROCESSING - help wizard
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
2009-02-26 02:13:54 +00:00
if [ "${FIREHOL_MODE}" = "WIZARD" ]
2003-02-20 22:32:56 +00:00
then
2005-02-17 23:45:02 +00:00
# require commands for wizard mode
require_cmd ip
2012-05-17 20:00:07 +00:00
require_cmd ss
2005-02-17 23:45:02 +00:00
require_cmd date
require_cmd hostname
2003-02-20 22:32:56 +00:00
wizard_ask() {
2015-01-30 22:45:56 +00:00
local prompt="${1}" def="${2}" ans= c= t=
shift 2
2013-08-11 13:52:31 +00:00
echo >&2
2003-02-20 22:32:56 +00:00
while [ 1 = 1 ]
do
2003-02-22 03:41:16 +00:00
printf >&2 "%s [%s] > " "${prompt}" "${def}"
2003-02-20 22:32:56 +00:00
read
2015-01-30 22:45:56 +00:00
ans="${REPLY}"
2003-02-20 22:32:56 +00:00
test -z "${ans}" && ans="${def}"
2015-01-30 22:45:56 +00:00
c=0
2003-02-20 22:32:56 +00:00
while [ $c -le $# ]
do
2015-01-30 22:45:56 +00:00
eval t="\${${c}}"
2003-02-20 22:32:56 +00:00
test "${ans}" = "${t}" && break
c=$[c + 1]
done
test $c -le $# && return $c
2003-02-22 03:41:16 +00:00
printf >&2 "*** '${ans}' is not a valid answer. Pick one of "
2015-02-06 20:43:23 +00:00
printf >&2 "%s " "${@}"
2003-02-22 03:41:16 +00:00
echo >&2
echo >&2
2003-02-20 22:32:56 +00:00
done
return 0
}
2003-03-05 00:11:56 +00:00
ip_in_net() {
2015-01-30 22:45:56 +00:00
local ip="${1}" net="${2}"
shift 2
2003-03-05 00:11:56 +00:00
2003-03-16 22:13:30 +00:00
if [ -z "${ip}" -o -z "${net}" ]
then
return 1
fi
test "${net}" = "default" && net="0.0.0.0/0"
2003-04-08 00:12:02 +00:00
set -- `echo ${ip} | ${TR_CMD} './' ' '`
2015-01-30 22:45:56 +00:00
local i1=${1} i2=${2} i3=${3} i4=${4}
2003-03-05 00:11:56 +00:00
2003-04-08 00:12:02 +00:00
set -- `echo ${net} | ${TR_CMD} './' ' '`
2015-01-30 22:45:56 +00:00
local n1=${1} n2=${2} n3=${3} n4=${4} n5=${5:-32}
2003-03-05 00:11:56 +00:00
local i=$[i1*256*256*256 + i2*256*256 + i3*256 + i4]
local n=$[n1*256*256*256 + n2*256*256 + n3*256 + n4]
2003-03-16 22:13:30 +00:00
# echo "IP : '${i1}' . '${i2}' . '${i3}' . '${i4}'"
# echo "NET: '${n1}' . '${n2}' . '${n3}' . '${n4}' / '${n5}'"
2003-03-05 00:11:56 +00:00
2015-01-30 22:45:56 +00:00
local d=1 c=${n5}
2003-03-05 00:11:56 +00:00
while [ $c -lt 32 ]
do
c=$[c + 1]
d=$[d * 2]
done
local nm=$[n + d - 1]
2007-07-30 22:52:48 +00:00
printf "# INFO: Is ${ip} part of network ${net}? "
2003-03-05 00:11:56 +00:00
2003-03-16 22:13:30 +00:00
if [ ${i} -ge ${n} -a ${i} -le ${nm} ]
2003-03-05 00:11:56 +00:00
then
echo "yes"
return 0
else
echo "no"
return 1
fi
}
2003-03-16 22:13:30 +00:00
ip_is_net() {
2015-01-30 22:45:56 +00:00
local ip="${1}" net="${2}"
shift 2
2003-03-16 22:13:30 +00:00
if [ -z "${ip}" -o -z "${net}" ]
then
return 1
fi
test "${net}" = "default" && net="0.0.0.0/0"
2003-04-08 00:12:02 +00:00
set -- `echo ${ip} | ${TR_CMD} './' ' '`
2015-01-30 22:45:56 +00:00
local i1=${1} i2=${2} i3=${3} i4=${4} i5=${5:-32}
2003-03-16 22:13:30 +00:00
2003-04-08 00:12:02 +00:00
set -- `echo ${net} | ${TR_CMD} './' ' '`
2015-01-30 22:45:56 +00:00
local n1=${1} n2=${2} n3=${3} n4=${4} n5=${5:-32}
2003-03-16 22:13:30 +00:00
local i=$[i1*256*256*256 + i2*256*256 + i3*256 + i4]
local n=$[n1*256*256*256 + n2*256*256 + n3*256 + n4]
if [ ${i} -eq ${n} -a ${i5} -eq ${n5} ]
then
return 0
else
return 1
fi
}
ip2net() {
local ip="${1}"; shift
if [ -z "${ip}" ]
then
return 0
fi
if [ "${ip}" = "default" ]
then
echo "default"
return 0
fi
2003-04-08 00:12:02 +00:00
set -- `echo ${ip} | ${TR_CMD} './' ' '`
2015-01-30 22:45:56 +00:00
local i1=${1} i2=${2} i3=${3} i4=${4} i5=${5:-32}
2003-03-16 22:13:30 +00:00
2006-03-11 12:24:34 +00:00
if [ "${i5}" = "32" ]
then
echo ${i1}.${i2}.${i3}.${i4}
else
echo ${i1}.${i2}.${i3}.${i4}/${i5}
fi
2003-03-16 22:13:30 +00:00
}
ips2net() {
(
if [ "A${1}" = "A-" ]
then
while read ip
do
ip2net ${ip}
done
else
while [ ! -z "${1}" ]
do
ip2net ${1}
shift
done
fi
2003-04-08 00:12:02 +00:00
) | ${SORT_CMD} | ${UNIQ_CMD} | ${TR_CMD} "\n" " "
2003-03-16 22:13:30 +00:00
}
2003-02-22 03:41:16 +00:00
cd "${FIREHOL_DIR}"
2005-01-24 21:23:38 +00:00
"${MKDIR_CMD}" ports
"${MKDIR_CMD}" keys
2003-02-22 03:41:16 +00:00
cd ports
2005-01-24 21:23:38 +00:00
"${MKDIR_CMD}" tcp
"${MKDIR_CMD}" udp
2003-02-25 21:35:06 +00:00
2012-03-25 13:52:07 +00:00
emit_version >&2
2003-02-25 21:35:06 +00:00
2012-03-25 13:52:07 +00:00
"${CAT_CMD}" >&2 <<EOF
2003-02-25 21:35:06 +00:00
FireHOL will now try to figure out its configuration file on this system.
Please have all the services and network interfaces on this system running.
Your running firewall will not be stopped or altered.
You can re-run the same command with output redirection to get the config
to a file. Example:
EOF
2015-01-30 22:45:56 +00:00
echo >&2 "${PROGRAM_FILE} helpme >/tmp/firehol.conf"
2003-03-05 00:33:56 +00:00
echo >&2
echo >&2
2003-02-22 03:41:16 +00:00
echo >&2
echo >&2 "Building list of known services."
echo >&2 "Please wait..."
2003-04-08 00:12:02 +00:00
${CAT_CMD} /etc/services |\
${TR_CMD} '\t' ' ' |\
2003-10-05 22:58:57 +00:00
${SED_CMD} "s/ \+/ /g" >services
2003-04-08 00:12:02 +00:00
for c in `echo ${!server_*} | ${TR_CMD} ' ' '\n' | ${GREP_CMD} "_ports$"`
2003-02-22 03:41:16 +00:00
do
2003-04-08 00:12:02 +00:00
serv=`echo $c | ${SED_CMD} "s/server_//" | ${SED_CMD} "s/_ports//"`
2003-02-22 03:41:16 +00:00
eval "ret=\${$c}"
for x in ${ret}
do
2003-04-08 00:12:02 +00:00
proto=`echo $x | ${CUT_CMD} -d '/' -f 1`
port=`echo $x | ${CUT_CMD} -d '/' -f 2`
2003-02-22 03:41:16 +00:00
test ! -d "${proto}" && continue
2003-04-08 00:12:02 +00:00
nport=`${EGREP_CMD} "^${port}[[:space:]][0-9]+/${proto}" services | ${CUT_CMD} -d ' ' -f 2 | ${CUT_CMD} -d '/' -f 1`
2003-02-22 03:41:16 +00:00
test -z "${nport}" && nport="${port}"
echo "server ${serv}" >"${proto}/${nport}"
done
done
echo "server ftp" >tcp/21
echo "server nfs" >udp/2049
echo "client amanda" >udp/10080
echo "server dhcp" >udp/67
echo "server dhcp" >tcp/67
echo "client dhcp" >udp/68
echo "client dhcp" >tcp/68
echo "server emule" >tcp/4662
echo "server pptp" >tcp/1723
echo "server samba" >udp/137
echo "server samba" >udp/138
echo "server samba" >tcp/139
2003-02-20 22:32:56 +00:00
wizard_ask "Press RETURN to start." "continue" "continue"
2003-02-22 03:41:16 +00:00
echo >&2
echo >&2 "--- snip --- snip --- snip --- snip ---"
echo >&2
2003-07-20 22:14:28 +00:00
${CAT_CMD} <<EOF
2013-08-11 13:52:31 +00:00
#
# FireHOL configuration (autogenerated)
#
2007-07-30 22:52:48 +00:00
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
# YOU SHOULD NEVER USE THIS CONFIG AS-IS.
#
# Date: `${DATE_CMD}` on host `${HOSTNAME_CMD}`
#
# IMPORTANT:
# The TODOs bellow, are *YOUR* to-dos!
2003-02-25 21:35:06 +00:00
#
2007-07-30 22:52:48 +00:00
2003-02-25 21:35:06 +00:00
EOF
2003-02-22 03:41:16 +00:00
2003-03-05 00:11:56 +00:00
# globals for routing
set -a found_interfaces=
set -a found_ips=
set -a found_nets=
2003-03-05 22:06:51 +00:00
set -a found_excludes=
2003-03-03 21:51:04 +00:00
2003-03-05 18:23:57 +00:00
helpme_iface() {
2003-03-05 22:06:51 +00:00
local route="${1}"; shift
2003-03-05 18:23:57 +00:00
local i="${1}"; shift
local iface="${1}"; shift
local ifip="${1}"; shift
local ifnets="${1}"; shift
local ifreason="${1}"; shift
2003-03-06 08:18:49 +00:00
# one argument left: ifnets_excluded
2003-03-05 22:06:51 +00:00
if [ "${route}" = "route" ]
then
found_interfaces[$i]="${iface}"
found_ips[$i]="${ifip}"
found_nets[$i]="${ifnets}"
found_excludes[$i]="${1}"
fi
2003-03-05 18:23:57 +00:00
2003-03-16 22:13:30 +00:00
if [ "${ifnets}" = "default" ]
2003-03-06 08:18:49 +00:00
then
ifnets="not \"\${UNROUTABLE_IPS} ${1}\""
else
ifnets="\"${ifnets}\""
fi
2003-03-05 18:23:57 +00:00
# output the interface
echo
echo "# Interface No $i."
echo "# The purpose of this interface is to control the traffic"
if [ ! -z "${ifreason}" ]
then
echo "# ${ifreason}."
else
echo "# on the ${iface} interface with IP ${ifip} (net: ${ifnets})."
fi
2007-07-30 22:52:48 +00:00
2009-02-22 00:35:16 +00:00
echo "# TODO: Change \"if${i}\" to something with meaning to you."
2003-03-05 18:23:57 +00:00
echo "# TODO: Check the optional rule parameters (src/dst)."
2009-02-22 00:35:16 +00:00
echo "# Remove 'dst ${ifip}' if this is dynamically assigned."
2014-10-04 12:38:34 +00:00
echo "# To add IPv6, read http://firehol.org/upgrade/#config-version-6"
echo "interface4 ${iface} if${i} src ${ifnets} dst ${ifip}"
2003-03-05 18:23:57 +00:00
echo
echo " # The default policy is DROP. You can be more polite with REJECT."
echo " # Prefer to be polite on your own clients to prevent timeouts."
echo " policy drop"
echo
echo " # If you don't trust the clients behind ${iface} (net ${ifnets}),"
echo " # add something like this."
echo " # > protection strong"
echo
echo " # Here are the services listening on ${iface}."
echo " # TODO: Normally, you will have to remove those not needed."
(
local x=
local ports=
2012-05-17 20:00:07 +00:00
for x in `${SS_CMD} -tln | ${SED_CMD} "s|:::|\*:|g" | ${SED_CMD} "s|::ffff:||g" | ${EGREP_CMD} " (${ifip}|\*):[0-9]+" | ${CUT_CMD} -d ':' -f 2 | ${CUT_CMD} -d ' ' -f 1 | ${SORT_CMD} -n | ${UNIQ_CMD}`
2003-03-05 18:23:57 +00:00
do
if [ -f "tcp/${x}" ]
then
2003-04-08 00:12:02 +00:00
echo " `${CAT_CMD} tcp/${x}` accept"
2003-03-05 18:23:57 +00:00
else
ports="${ports} tcp/${x}"
fi
done
2012-05-17 20:00:07 +00:00
for x in `${SS_CMD} -uln | ${SED_CMD} "s|:::|\*:|g" | ${SED_CMD} "s|::ffff:||g" | ${EGREP_CMD} " (${ifip}|\*):[0-9]+" | ${CUT_CMD} -d ':' -f 2 | ${CUT_CMD} -d ' ' -f 1 | ${SORT_CMD} -n | ${UNIQ_CMD}`
2003-03-05 18:23:57 +00:00
do
if [ -f "udp/${x}" ]
then
2003-04-08 00:12:02 +00:00
echo " `${CAT_CMD} udp/${x}` accept"
2003-03-05 18:23:57 +00:00
else
ports="${ports} udp/${x}"
fi
done
2003-03-07 23:34:29 +00:00
echo " server ICMP accept"
2003-04-08 00:12:02 +00:00
echo "${ports}" | ${TR_CMD} " " "\n" | ${SORT_CMD} -n | ${UNIQ_CMD} | ${TR_CMD} "\n" " " >unknown.ports
) | ${SORT_CMD} | ${UNIQ_CMD}
2003-03-05 18:23:57 +00:00
echo
2007-07-30 22:52:48 +00:00
echo " # The following ${iface} services are not known by FireHOL:"
${CAT_CMD} unknown.ports | ${FOLD_CMD} -s -w 65 | ${SED_CMD} "s|^ *|\t# |"
2003-03-05 18:23:57 +00:00
echo
2007-07-30 22:52:48 +00:00
echo
echo " # Custom service definitions for the above unknown services."
local ts=
2009-02-22 00:35:16 +00:00
local tscount=0
2007-07-30 22:52:48 +00:00
for ts in `${CAT_CMD} unknown.ports`
do
2009-02-22 00:35:16 +00:00
local tscount=$[tscount + 1]
echo " server custom if${i}_${tscount} ${ts} any accept"
2007-07-30 22:52:48 +00:00
done
echo
2003-03-05 18:23:57 +00:00
echo " # The following means that this machine can REQUEST anything via ${iface}."
echo " # TODO: On production servers, avoid this and allow only the"
echo " # client services you really need."
echo " client all accept"
echo
}
2013-10-15 21:59:25 +00:00
interfaces=`${IP_CMD} link show | ${EGREP_CMD} "^[0-9A-Za-z]+:" | ${CUT_CMD} -d ':' -f 2 | ${SED_CMD} "s/^ //" | ${SED_CMD} "s/@[a-z0-9]*//" | ${GREP_CMD} -v "^lo$" | ${SORT_CMD} | ${UNIQ_CMD} | ${TR_CMD} "\n" " "`
2003-04-08 00:12:02 +00:00
gw_if=`${IP_CMD} route show | ${GREP_CMD} "^default" | ${SED_CMD} "s/dev /dev:/g" | ${TR_CMD} " " "\n" | ${GREP_CMD} "^dev:" | ${CUT_CMD} -d ':' -f 2`
gw_ip=`${IP_CMD} route show | ${GREP_CMD} "^default" | ${SED_CMD} "s/via /via:/g" | ${TR_CMD} " " "\n" | ${GREP_CMD} "^via:" | ${CUT_CMD} -d ':' -f 2 | ips2net -`
2003-03-05 18:23:57 +00:00
2003-02-25 21:35:06 +00:00
i=0
2003-02-20 22:32:56 +00:00
for iface in ${interfaces}
do
2007-07-30 22:52:48 +00:00
echo "# INFO: Processing interface '${iface}'"
ips=`${IP_CMD} addr show dev ${iface} | ${SED_CMD} "s/ \+/ /g" | ${GREP_CMD} "^ inet " | ${CUT_CMD} -d ' ' -f 3 | ${CUT_CMD} -d '/' -f 1 | ips2net -`
peer=`${IP_CMD} addr show dev ${iface} | ${SED_CMD} "s/ \+/ /g" | ${SED_CMD} "s/peer /peer:/g" | ${TR_CMD} " " "\n" | ${GREP_CMD} "^peer:" | ${CUT_CMD} -d ':' -f 2 | ips2net -`
2003-04-08 00:12:02 +00:00
nets=`${IP_CMD} route show dev ${iface} | ${CUT_CMD} -d ' ' -f 1 | ips2net -`
2003-02-20 22:32:56 +00:00
2003-03-03 21:51:04 +00:00
if [ -z "${ips}" -o -z "${nets}" ]
then
2003-03-05 00:11:56 +00:00
echo
2007-07-30 22:52:48 +00:00
echo "# IMPORTANT: "
2003-03-05 00:11:56 +00:00
echo "# Ignoring interface '${iface}' because does not have an IP or route."
echo
2003-03-03 21:51:04 +00:00
continue
fi
2003-03-05 00:11:56 +00:00
for ip in ${ips}
do
2007-07-30 22:52:48 +00:00
echo "# INFO: Processing IP ${ip} of interface '${iface}'"
2003-03-05 00:11:56 +00:00
2003-03-06 08:18:49 +00:00
ifreason=""
2003-03-05 22:06:51 +00:00
2003-03-05 00:11:56 +00:00
# find all the networks this IP can access directly
2003-03-16 22:13:30 +00:00
# or through its peer
netcount=0
2004-07-31 22:31:08 +00:00
ifnets=
ofnets=
2003-03-05 00:11:56 +00:00
for net in ${nets}
2003-02-22 03:41:16 +00:00
do
2003-03-16 22:13:30 +00:00
test "${net}" = "default" && continue
found=1
ip_in_net ${ip} ${net}
found=$?
if [ ${found} -gt 0 -a ! -z "${peer}" ]
2003-03-05 00:11:56 +00:00
then
2003-03-16 22:13:30 +00:00
ip_in_net ${peer} ${net}
found=$?
fi
if [ ${found} -eq 0 ]
then
2003-03-17 23:03:00 +00:00
# Add it to ifnets
2003-03-17 22:42:18 +00:00
f=0; ff=0
while [ $f -lt $netcount ]
do
if ip_in_net ${net} ${ifnets[$f]}
then
2003-03-17 23:03:00 +00:00
# Already satisfied
2003-03-17 22:42:18 +00:00
ff=1
elif ip_in_net ${ifnets[$f]} ${net}
then
2003-03-17 23:03:00 +00:00
# New one is superset of old
2003-03-17 22:42:18 +00:00
ff=1
ifnets[$f]=${net}
fi
f=$[f + 1]
done
if [ $ff -eq 0 ]
then
2003-03-17 23:03:00 +00:00
# Add it
2003-03-17 22:42:18 +00:00
netcount=$[netcount + 1]
2015-01-03 05:45:19 +00:00
ifnets=(${net} "${ifnets[@]}")
2003-03-17 22:42:18 +00:00
fi
2003-03-05 00:11:56 +00:00
else
2015-01-03 05:45:19 +00:00
ofnets=(${net} "${ofnets[@]}")
2003-03-05 00:11:56 +00:00
fi
done
# find all the networks this IP can access through gateways
if [ ! -z "${ofnets[*]}" ]
then
2015-01-03 05:45:19 +00:00
for net in "${ofnets[@]}"
2003-03-05 00:11:56 +00:00
do
2003-03-16 22:13:30 +00:00
test "${net}" = "default" && continue
2003-04-08 00:12:02 +00:00
nn=`echo "${net}" | ${CUT_CMD} -d "/" -f 1`
gw=`${IP_CMD} route show ${nn} dev ${iface} | ${EGREP_CMD} "^${nn}[[:space:]]+via[[:space:]][0-9\.]+" | ${CUT_CMD} -d ' ' -f 3 | ips2net -`
2003-03-05 00:11:56 +00:00
test -z "${gw}" && continue
2015-01-03 05:45:19 +00:00
for nn in "${ifnets[@]}"
2003-03-05 00:11:56 +00:00
do
2003-03-16 22:13:30 +00:00
test "${nn}" = "default" && continue
2003-03-05 00:11:56 +00:00
if ip_in_net ${gw} ${nn}
then
2007-07-30 22:52:48 +00:00
echo "# INFO: Route ${net} is accessed through ${gw}"
2003-03-17 22:42:18 +00:00
2003-03-17 23:03:00 +00:00
# Add it to ifnets
2003-03-17 22:42:18 +00:00
f=0; ff=0
while [ $f -lt $netcount ]
do
if ip_in_net ${net} ${ifnets[$f]}
then
2003-03-17 23:03:00 +00:00
# Already satisfied
2003-03-17 22:42:18 +00:00
ff=1
elif ip_in_net ${ifnets[$f]} ${net}
then
2003-03-17 23:03:00 +00:00
# New one is superset of old
2003-03-17 22:42:18 +00:00
ff=1
ifnets[$f]=${net}
fi
f=$[f + 1]
done
if [ $ff -eq 0 ]
then
2003-03-17 23:03:00 +00:00
# Add it
2003-03-17 22:42:18 +00:00
netcount=$[netcount + 1]
2015-01-03 05:45:19 +00:00
ifnets=(${net} "${ifnets[@]}")
2003-03-17 22:42:18 +00:00
fi
2003-03-05 00:11:56 +00:00
break
fi
done
done
fi
2003-03-16 22:13:30 +00:00
# Don't produce an interface if this is just a peer that is also the default gw
def_ignore_ifnets=0
if (test ${netcount} -eq 1 -a "${gw_if}" = "${iface}" && ip_is_net "${peer}" "${ifnets[*]}" && ip_is_net "${gw_ip}" "${peer}")
then
2007-07-30 22:52:48 +00:00
echo "# INFO: Skipping ${iface} peer ${ifnets[*]} only interface (default gateway)."
2003-03-16 22:13:30 +00:00
echo
def_ignore_ifnets=1
else
i=$[i + 1]
helpme_iface route $i "${iface}" "${ip}" "${ifnets[*]}" "${ifreason}"
fi
2003-03-05 00:11:56 +00:00
2003-03-05 18:23:57 +00:00
# Is this interface the default gateway too?
2003-03-16 22:13:30 +00:00
if [ "${gw_if}" = "${iface}" ]
2003-03-05 00:11:56 +00:00
then
2015-01-03 05:45:19 +00:00
for nn in "${ifnets[@]}"
2003-02-24 23:30:21 +00:00
do
2003-03-05 18:23:57 +00:00
if ip_in_net "${gw_ip}" ${nn}
2003-02-24 23:30:21 +00:00
then
2007-07-30 22:52:48 +00:00
echo "# INFO: Default gateway ${gw_ip} is part of network ${nn}"
2003-03-05 18:23:57 +00:00
i=$[i + 1]
2003-03-16 22:13:30 +00:00
helpme_iface route $i "${iface}" "${ip}" "default" "from/to unknown networks behind the default gateway ${gw_ip}" "`test ${def_ignore_ifnets} -eq 0 && echo "${ifnets[*]}"`"
2003-03-05 18:23:57 +00:00
break
2003-02-24 23:30:21 +00:00
fi
done
2003-03-05 18:23:57 +00:00
fi
2003-03-05 00:11:56 +00:00
done
2003-02-20 22:32:56 +00:00
done
2007-07-30 22:52:48 +00:00
2003-02-25 21:35:06 +00:00
echo
2003-03-05 22:06:51 +00:00
echo "# The above $i interfaces were found active at this moment."
2003-02-25 21:35:06 +00:00
echo "# Add more interfaces that can potentially be activated in the future."
echo "# FireHOL will not complain if you setup a firewall on an interface that is"
echo "# not active when you activate the firewall."
echo "# If you don't setup an interface, FireHOL will drop all traffic from or to"
echo "# this interface, if and when it becomes available."
echo "# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)"
echo "# you can use the plus (+) character to match all of them (i.e. ppp+)."
echo
2003-04-08 00:12:02 +00:00
if [ "1" = "`${CAT_CMD} /proc/sys/net/ipv4/ip_forward`" ]
2003-02-22 03:41:16 +00:00
then
x=0
2003-03-05 00:11:56 +00:00
i=0
while [ $i -lt ${#found_interfaces[*]} ]
2003-02-22 03:41:16 +00:00
do
2003-03-05 00:11:56 +00:00
i=$[i + 1]
2003-02-24 23:30:21 +00:00
2003-03-05 00:11:56 +00:00
inface="${found_interfaces[$i]}"
src="${found_nets[$i]}"
2003-03-07 23:17:38 +00:00
case "${src}" in
2003-03-16 22:13:30 +00:00
"default")
2003-03-07 23:17:38 +00:00
src="not \"\${UNROUTABLE_IPS} ${found_excludes[$i]}\""
;;
*)
src="\"${src}\""
;;
esac
2003-03-05 00:11:56 +00:00
j=0
while [ $j -lt ${#found_interfaces[*]} ]
2003-02-22 03:41:16 +00:00
do
2003-03-05 00:11:56 +00:00
j=$[j + 1]
test $j -eq $i && continue
outface="${found_interfaces[$j]}"
dst="${found_nets[$j]}"
dst_ip="${found_ips[$j]}"
2003-03-07 23:12:15 +00:00
case "${dst}" in
2003-03-16 22:13:30 +00:00
"default")
2003-03-05 22:06:51 +00:00
dst="not \"\${UNROUTABLE_IPS} ${found_excludes[$j]}\""
2003-03-05 00:11:56 +00:00
;;
2003-03-07 23:12:15 +00:00
*)
dst="\"${dst}\""
;;
2003-03-05 00:11:56 +00:00
esac
2003-04-24 08:12:51 +00:00
# Make sure we are not routing to the same subnet
2003-04-23 20:42:26 +00:00
test "${inface}" = "${outface}" -a "${src}" = "${dst}" && continue
2003-04-24 08:12:51 +00:00
# Make sure this is not a duplicate router
key="`echo ${inface}/${src}-${outface}/${dst} | ${TR_CMD} "/ \\\$\\\"{}" "______"`"
test -f "${FIREHOL_DIR}/keys/${key}" && continue
2003-04-24 08:15:08 +00:00
${TOUCH_CMD} "${FIREHOL_DIR}/keys/${key}"
2003-04-24 08:12:51 +00:00
2003-04-23 20:42:26 +00:00
x=$[x + 1]
2014-10-04 12:38:34 +00:00
if [ $x -lt 10 ]
then
lx="0$x"
else
lx="$x"
fi
2003-04-23 20:42:26 +00:00
2003-03-05 00:11:56 +00:00
echo
echo "# Router No ${x}."
echo "# Clients on ${inface} (from ${src}) accessing servers on ${outface} (to ${dst})."
2014-10-04 12:38:34 +00:00
echo "# TODO: Change \"router${lx}\" to something with meaning to you."
2003-03-05 00:11:56 +00:00
echo "# TODO: Check the optional rule parameters (src/dst)."
2014-10-04 12:38:34 +00:00
echo "# To add IPv6, read http://firehol.org/upgrade/#config-version-6"
echo "router4 router${lx} inface ${inface} outface ${outface} src ${src} dst ${dst}"
2003-03-05 00:11:56 +00:00
echo
echo " # If you don't trust the clients on ${inface} (from ${src}), or"
echo " # if you want to protect the servers on ${outface} (to ${dst}),"
echo " # uncomment the following line."
echo " # > protection strong"
echo
echo " # To NAT client requests on the output of ${outface}, add this."
echo " # > masquerade"
echo " # Alternatively, you can SNAT them by placing this at the top of this config:"
echo " # > snat to ${dst_ip} outface ${outface} src ${src} dst ${dst}"
echo " # SNAT commands can be enhanced using 'proto', 'sport', 'dport', etc in order to"
echo " # NAT only some specific traffic."
echo
echo " # TODO: This will allow all traffic to pass."
echo " # If you remove it, no REQUEST will pass matching this traffic."
echo " route all accept"
echo
2003-02-22 03:41:16 +00:00
done
done
2003-04-23 20:42:26 +00:00
if [ ${x} -eq 0 ]
then
echo
echo
echo "# No router statements have been produced, because your server"
echo "# does not seem to need any."
echo
fi
2003-02-25 21:35:06 +00:00
else
echo
echo
2003-02-26 22:26:16 +00:00
echo "# No router statements have been produced, because your server"
2003-02-25 21:35:06 +00:00
echo "# is not configured for forwarding traffic."
echo
2003-02-22 03:41:16 +00:00
fi
2003-02-20 22:32:56 +00:00
exit 0
fi
2002-12-23 14:39:19 +00:00
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# MAIN PROCESSING
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
2010-04-06 22:23:16 +00:00
# make sure we are alone
firehol_concurrent_run_lock
2002-09-05 20:57:59 +00:00
# --- Initialization -----------------------------------------------------------
2015-02-02 20:54:11 +00:00
# let the config_line know our main configuration file
PROGRAM_CONFIG="${FIREHOL_CONFIG}"
progress "Saving active firewall to a temporary file"
2014-02-22 11:52:56 +00:00
if [ $ENABLE_IPV4 -eq 1 ]
then
2015-01-17 15:41:52 +00:00
fixed_save ${IPTABLES_SAVE_CMD} >${FIREHOL_SAVED}.new
2014-02-22 11:52:56 +00:00
status4=$?
else
status4=0
fi
if [ $ENABLE_IPV6 -eq 1 ]
then
2015-01-17 15:41:52 +00:00
fixed_save ${IP6TABLES_SAVE_CMD} >${FIREHOL_SAVED6}.new
2014-02-22 11:52:56 +00:00
status6=$?
else
status6=0
fi
2013-11-03 10:32:23 +00:00
if [ $status4 -eq 0 -a $status6 -eq 0 ]
2002-12-16 20:41:39 +00:00
then
2015-01-17 15:41:52 +00:00
test -f ${FIREHOL_SAVED}.new && mv ${FIREHOL_SAVED}.new ${FIREHOL_SAVED}
test -f ${FIREHOL_SAVED6}.new && mv ${FIREHOL_SAVED6}.new ${FIREHOL_SAVED6}
2015-02-02 20:54:11 +00:00
success # "Saving active firewall to a temporary file"
2002-12-16 20:41:39 +00:00
else
2013-11-03 10:32:23 +00:00
${RM_CMD} -f "${FIREHOL_SAVED}" "${FIREHOL_SAVED6}"
2015-02-02 20:54:11 +00:00
failure # "Saving active firewall to a temporary file"
2002-12-16 20:41:39 +00:00
exit 1
fi
2015-01-06 17:53:45 +00:00
declare -a FIREHOL_ARGS=("${FIREHOL_CONFIG}" "${FIREHOL_CONFIG_DIR}" "${FIREHOL_SERVICES_DIR}" "${@}")
if [ "${FIREHOL_MODE}" = "START" -a ${FIREHOL_RESTORE_INSTEAD_OF_START} -eq 1 ]
then
firehol_restore_last_activated_firewall
if [ $? -eq 0 ]
then
${RM_CMD} -f "${FIREHOL_SAVED}" "${FIREHOL_SAVED6}" >/dev/null 2>&1
FIREHOL_ACTIVATED_SUCCESSFULLY=1
exit 0
fi
2015-01-31 23:08:12 +00:00
# warning "Starting the firewall normally..."
2015-01-06 17:53:45 +00:00
fi
2002-12-16 20:41:39 +00:00
2003-01-22 20:54:05 +00:00
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2013-09-28 09:16:56 +00:00
# clear all chains
2013-09-28 09:03:57 +00:00
firehol_filter_chains=
2013-11-03 10:32:23 +00:00
firehol_filter6_chains=
2015-02-19 21:06:00 +00:00
prepare_firewall_for_activation() {
2013-09-28 09:03:57 +00:00
load_kernel_module ip_tables
load_kernel_module nf_conntrack
2014-10-18 07:15:47 +00:00
if [ $ENABLE_IPV6 -eq 1 ]
then
load_kernel_module ip6_tables
fi
2003-01-25 02:33:59 +00:00
2015-01-24 02:21:04 +00:00
for m in ${!FIREHOL_KERNEL_MODULES[*]}
2013-09-28 09:03:57 +00:00
do
2014-12-30 18:42:58 +00:00
postprocess -ne -ns load_kernel_module $m
2013-09-28 09:03:57 +00:00
done
2003-01-22 21:02:43 +00:00
2013-09-28 09:03:57 +00:00
# Find all tables supported
2015-01-30 22:45:56 +00:00
local t= tables= tables6= chains= c= policy=
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV4 -eq 1 ]; then
2015-01-30 22:45:56 +00:00
tables=`${CAT_CMD} /proc/net/ip_tables_names`
2013-11-23 08:48:37 +00:00
for t in ${tables}
do
# Reset/empty this table.
${IPTABLES_CMD} -t "${t}" -F || exit 1
${IPTABLES_CMD} -t "${t}" -X || exit 1
${IPTABLES_CMD} -t "${t}" -Z || exit 1
2013-09-28 09:03:57 +00:00
2013-11-23 08:48:37 +00:00
# Find all default chains in this table.
2015-01-30 22:45:56 +00:00
chains=`${IPTABLES_CMD} -t "${t}" -nL | ${GREP_CMD} "^Chain " | ${CUT_CMD} -d ' ' -f 2`
2013-09-28 09:03:57 +00:00
2013-11-23 08:48:37 +00:00
# If this is the 'filter' table, remember the default chains.
# This will be used at the end to make it DROP all packets.
test "${t}" = "filter" && firehol_filter_chains="${chains}"
2013-09-28 09:03:57 +00:00
2013-11-23 08:48:37 +00:00
# Set the policy to ACCEPT on all default chains.
for c in ${chains}
do
2015-01-30 22:45:56 +00:00
policy=ACCEPT
2013-11-23 08:48:37 +00:00
if [ "${t}" = "filter" ]
then
eval "policy=\${FIREHOL_${c}_ACTIVATION_POLICY}"
fi
${IPTABLES_CMD} -t "${t}" -P "${c}" $policy || exit 1
done
2013-09-28 09:03:57 +00:00
done
2012-05-27 09:05:23 +00:00
2013-11-23 08:48:37 +00:00
# Allow existing traffic to continue:
# insert as the first rule in each chain, making it easy to
# undo once the firewall is completely established
if [ ${FIREHOL_FAST_ACTIVATION} -ne 1 -a \
"${FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT}" = "1" ]
then
${IPTABLES_CMD} -I INPUT 1 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IPTABLES_CMD} -I OUTPUT 1 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IPTABLES_CMD} -I FORWARD 1 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
fi
fi
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV6 -eq 1 ]; then
2015-01-30 22:45:56 +00:00
tables6=`${CAT_CMD} /proc/net/ip6_tables_names`
2013-11-23 08:48:37 +00:00
for t in ${tables6}
do
# Reset/empty this table.
${IP6TABLES_CMD} -t "${t}" -F || exit 1
${IP6TABLES_CMD} -t "${t}" -X || exit 1
${IP6TABLES_CMD} -t "${t}" -Z || exit 1
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
# Find all default chains in this table.
2015-01-30 22:45:56 +00:00
chains=`${IP6TABLES_CMD} -t "${t}" -nL | ${GREP_CMD} "^Chain " | ${CUT_CMD} -d ' ' -f 2`
2013-11-03 10:32:23 +00:00
2013-11-23 08:48:37 +00:00
# If this is the 'filter' table, remember the default chains.
# This will be used at the end to make it DROP all packets.
test "${t}" = "filter" && firehol_filter6_chains="${chains}"
# Set the policy to ACCEPT on all default chains.
for c in ${chains}
do
2015-01-30 22:45:56 +00:00
policy=ACCEPT
2013-11-23 08:48:37 +00:00
if [ "${t}" = "filter" ]
then
eval "policy=\${FIREHOL_${c}_ACTIVATION_POLICY}"
fi
${IP6TABLES_CMD} -t "${t}" -P "${c}" $policy || exit 1
done
2013-11-03 10:32:23 +00:00
done
2013-11-23 08:48:37 +00:00
# Allow existing traffic to continue
if [ ${FIREHOL_FAST_ACTIVATION} -ne 1 -a \
"${FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT}" = "1" ]
then
${IP6TABLES_CMD} -I INPUT 1 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IP6TABLES_CMD} -I OUTPUT 1 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IP6TABLES_CMD} -I FORWARD 1 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
fi
2012-05-27 09:05:23 +00:00
fi
2013-09-28 09:03:57 +00:00
}
2003-06-18 21:44:52 +00:00
2013-09-28 09:16:56 +00:00
# drop everything
2015-02-19 21:06:00 +00:00
finalize_activated_firewall() {
2013-09-28 09:16:56 +00:00
# Make it drop everything on table 'filter'.
local c=
2013-11-23 08:48:37 +00:00
if [ $ENABLE_IPV4 -eq 1 ]; then
for c in ${firehol_filter_chains}
do
${IPTABLES_CMD} -t filter -P "${c}" DROP || exit 1
done
2012-05-27 09:05:23 +00:00
2013-11-23 08:48:37 +00:00
# Remove rules inserted which were to keep existing traffic
# alive during activation
if [ ${FIREHOL_FAST_ACTIVATION} -ne 1 -a \
"${FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT}" = "1" ]
then
2014-11-06 22:36:08 +00:00
${IPTABLES_CMD} -D INPUT \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IPTABLES_CMD} -D OUTPUT \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IPTABLES_CMD} -D FORWARD \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2013-11-23 08:48:37 +00:00
fi
fi
if [ $ENABLE_IPV6 -eq 1 ]; then
for c in ${firehol_filter6_chains}
do
${IP6TABLES_CMD} -t filter -P "${c}" DROP || exit 1
done
if [ ${FIREHOL_FAST_ACTIVATION} -ne 1 -a \
"${FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT}" = "1" ]
then
2014-11-06 22:36:08 +00:00
${IP6TABLES_CMD} -D INPUT \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IP6TABLES_CMD} -D OUTPUT \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${IP6TABLES_CMD} -D FORWARD \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2013-11-23 08:48:37 +00:00
fi
2012-05-27 09:05:23 +00:00
fi
2013-09-28 09:16:56 +00:00
}
2003-06-18 21:44:52 +00:00
2013-09-28 09:16:56 +00:00
# this will be run when the first iptables command get executed in pre-process mode.
# so that its commands are prepended to the other iptables commands of the firewall
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-02-19 21:06:00 +00:00
firewall_filtering_policy_common() {
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
local iptables_cmd="${1}"
2013-09-28 09:03:57 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
set_work_function "Applying ${iptables_cmd} firewall activation policy (options: FIREHOL_INPUT_ACTIVATION_POLICY FIREHOL_OUTPUT_ACTIVATION_POLICY FIREHOL_FORWARD_ACTIVATION_POLICY)"
2015-02-07 15:28:43 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
${iptables_cmd} -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
${iptables_cmd} -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
${iptables_cmd} -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
2003-06-18 21:44:52 +00:00
2013-09-28 09:03:57 +00:00
# Accept everything in/out the loopback device.
2015-02-19 01:21:51 +00:00
if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" -o "${FIREHOL_TRUST_LOOPBACK}" = "loose" ]
2013-09-28 09:03:57 +00:00
then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
${iptables_cmd} -t filter -A INPUT -i lo -j ACCEPT
${iptables_cmd} -t filter -A OUTPUT -o lo -j ACCEPT
2015-02-19 01:21:51 +00:00
elif [ "${FIREHOL_TRUST_LOOPBACK}" = "strict" ]
then
set_work_function "Trusting ${iptables_cmd} lo (option: FIREHOL_TRUST_LOOPBACK)"
if running_ipv4
then
${iptables_cmd} -t filter -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
${iptables_cmd} -t filter -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
fi
if running_ipv6
then
${iptables_cmd} -t filter -A INPUT -i lo -s ::1 -d ::1 -j ACCEPT
${iptables_cmd} -t filter -A OUTPUT -o lo -s ::1 -d ::1 -j ACCEPT
fi
2013-09-28 09:03:57 +00:00
fi
2003-01-22 20:54:05 +00:00
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ "${FIREHOL_RULESET_MODE}" = "optimal" ]
then
set_work_function "Accepting all ESTABLISHED connections at the beginning of the firewall"
${iptables_cmd} -t filter -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
${iptables_cmd} -t filter -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
${iptables_cmd} -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
fi
# RELATED should not be needed
# set_work_function "Accepting all RELATED connections at the beginning of the firewall"
#
# ${iptables_cmd} -t filter -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
# ${iptables_cmd} -t filter -A OUTPUT -m conntrack --ctstate RELATED -j ACCEPT
# ${iptables_cmd} -t filter -A FORWARD -m conntrack --ctstate RELATED -j ACCEPT
2015-02-16 01:29:21 +00:00
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
then
set_work_function "Silently droping TCP ACK+FIN packets (option: FIREHOL_DROP_ORPHAN_TCP_ACK_FIN)"
# Silently drop orphan TCP/ACK FIN packets
# before droping INVALID below, otherwise these will be logged as INVALID too
${iptables_cmd} -t filter -A INPUT -p tcp --tcp-flags ALL ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
${iptables_cmd} -t filter -A OUTPUT -p tcp --tcp-flags ALL ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
${iptables_cmd} -t filter -A FORWARD -p tcp --tcp-flags ALL ACK,FIN -m conntrack --ctstate NEW,INVALID -j DROP
fi
2013-09-28 09:03:57 +00:00
# Drop all invalid packets.
# Netfilter HOWTO suggests to DROP all INVALID packets.
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ "${FIREHOL_DROP_INVALID}" = "1" -o "${FIREHOL_RULESET_MODE}" = "optimal" ]
2013-09-28 09:03:57 +00:00
then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
set_work_function "Droping ${iptables_cmd} connection tracker INVALID packets (option: FIREHOL_DROP_INVALID)"
2015-02-19 01:21:51 +00:00
if [ ${FIREHOL_LOG_DROP_INVALID} -eq 1 ]
then
rule table filter chain INPUT state INVALID action DROP loglimit "INVALID IN"
rule table filter chain OUTPUT state INVALID action DROP loglimit "INVALID OUT"
rule table filter chain FORWARD state INVALID action DROP loglimit "INVALID PASS"
else
${iptables_cmd} -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
${iptables_cmd} -t filter -A OUTPUT -m conntrack --ctstate INVALID -j DROP
${iptables_cmd} -t filter -A FORWARD -m conntrack --ctstate INVALID -j DROP
fi
2013-11-03 17:44:18 +00:00
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
if [ ! -z ${FIREHOL_GLOBAL_RPFILTER} ]
2013-11-03 17:44:18 +00:00
then
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
${iptables_cmd} -t raw -A PREROUTING -m rpfilter ${FIREHOL_GLOBAL_RPFILTER} -j DROP
2013-11-03 17:44:18 +00:00
fi
}
2015-02-19 21:06:00 +00:00
firewall_filtering_policy() {
local oldns="${FIREHOL_NS_CURR}"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-02-19 21:06:00 +00:00
if [ ${ENABLE_IPV4} -eq 1 ]
then
FIREHOL_NS_CURR="ipv4"
firewall_filtering_policy_common iptables
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-02-19 21:06:00 +00:00
if [ ${ENABLE_IPV6} -eq 1 ]
then
FIREHOL_NS_CURR="ipv6"
firewall_filtering_policy_common ip6tables
fi
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
2015-02-19 21:06:00 +00:00
FIREHOL_NS_CURR="${oldns}"
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage is this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try treat sevaral matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely
by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs
parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance systems that keeps track of inface, outface, src and dst of
interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed.;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table.;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal", It is also applied in mangle instead of filter to prevent
unecessary traversal of the mangle table.;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globaly; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets
from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used.;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter.;
fixed a bug in rule() when both ipv4 and ipv6 src/dst where given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unecessary protocol matches (was not reseting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 00:27:42 +00:00
}
2003-01-22 20:54:05 +00:00
2002-09-05 20:57:59 +00:00
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2015-02-02 20:54:11 +00:00
progress "Processing file '${FIREHOL_CONFIG}'"
2002-09-05 20:57:59 +00:00
ret=0
2015-01-30 22:45:56 +00:00
# check if the user has given any iptables commands directly.
2015-02-12 15:46:22 +00:00
i="${IPTABLES_CMD}"
if [ ! -z "${IP6TABLES_CMD}" ]
then
if [ -z "${i}" ]
then
i="${IP6TABLES_CMD}"
else
i="(${i}|${IP6TABLES_CMD})"
fi
fi
if [ ! -z "`${CAT_CMD} ${FIREHOL_CONFIG} | ${EGREP_CMD} "${i}"`" ]
2015-01-30 22:45:56 +00:00
then
echo >&2
echo >&2
echo >&2 "ERROR:"
echo >&2 "${FIREHOL_CONFIG} contains ${IPTABLES_CMD} or ${IP6TABLES_CMD} statements."
echo >&2
echo >&2 "Replace these statements iptables or ip6tables respectively,"
echo >&2 "without a path, so that FireHOL can execute these commands at"
echo >&2 "firewall activation."
echo >&2
echo >&2
exit 1
2013-11-23 08:48:37 +00:00
fi
2002-09-05 20:57:59 +00:00
# ------------------------------------------------------------------------------
# Run the configuration file.
2013-10-15 21:59:25 +00:00
if [ -n "$WAIT_FOR_IFACE" ]
then
for i in "$WAIT_FOR_IFACE"
do
wait_for_interface $i
done
fi
2002-09-05 20:57:59 +00:00
enable -n trap # Disable the trap buildin shell command.
enable -n exit # Disable the exit buildin shell command.
2015-01-30 22:45:56 +00:00
FORCE_CONFIG_LINEID=
2015-02-06 20:43:23 +00:00
{ source ${FIREHOL_CONFIG} "${@}"; } # Run the configuration as a normal script.
2013-03-23 10:06:42 +00:00
source_status=$?
[ $source_status -ne 0 ] && ret=$[ret + 1]
[ $source_status -ne 0 ] && FIREHOL_CLEAN_TMP=0
2015-01-30 22:45:56 +00:00
FORCE_CONFIG_LINEID="FIN"
LAST_CONFIG_LINE="${FORCE_CONFIG_LINEID}"
2015-02-19 21:06:00 +00:00
close_cmd || ret=$[ret + 1]
close_master || ret=$[ret + 1]
2002-09-05 20:57:59 +00:00
enable trap # Enable the trap buildin shell command.
enable exit # Enable the exit buildin shell command.
if [ ${work_error} -gt 0 -o $ret -gt 0 ]
then
2015-02-02 20:54:11 +00:00
failure # "Processing file '${FIREHOL_CONFIG}'"
2015-02-01 22:39:33 +00:00
echo >&2
2002-09-05 20:57:59 +00:00
echo >&2
echo >&2 "NOTICE: No changes made to your firewall."
exit 1
fi
2015-02-11 23:42:38 +00:00
test ${FIREHOL_ENABLE_SPINNER} -eq 1 && spinner_end
2015-02-26 00:35:41 +00:00
success "${FIREHOL_COMMAND_COUNTER} iptables rules" # "Processing file '${FIREHOL_CONFIG}'"
2002-09-05 20:57:59 +00:00
2002-12-16 20:41:39 +00:00
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2013-09-25 23:50:30 +00:00
if [ ${FIREHOL_FAST_ACTIVATION} -eq 1 ]
2002-09-05 20:57:59 +00:00
then
2015-01-31 00:59:27 +00:00
if [ ${FIREHOL_TRY} -eq 1 -a "$[FIREHOL_WAIT_USER_BEFORE_TRY]" -gt 60 ]
2015-01-31 00:53:34 +00:00
then
syslog info "Waiting user to try the new firewall."
echo >&2
echo >&2 "Your firewall is ready to be fast-activated..."
echo >&2 "If you don't continue, no changes will have been made to your firewall."
read >&2 -p "Activate the firewall? (just press enter to confirm or Control-C to stop) : " -t ${FIREHOL_WAIT_USER_BEFORE_TRY} -e || exit 1
2015-02-02 20:54:11 +00:00
echo >&2
2015-01-31 00:53:34 +00:00
fi
2013-09-25 23:50:30 +00:00
# construct the iptables-restore file from the splitted ones.
2015-02-19 01:21:51 +00:00
for n in table table6
2013-09-25 23:50:30 +00:00
do
2015-02-19 01:21:51 +00:00
case "${n}" in
table) out="${FIREHOL_OUTPUT}.fast" ;;
table6) out="${FIREHOL_OUTPUT}.fast6" ;;
esac
cd $FIREHOL_DIR/fast/${n}s || exit 1
for firehol_table in `ls`
do
case "${firehol_table}" in
raw) chains="PREROUTING OUTPUT" ;;
mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
nat) chains="PREROUTING INPUT OUTPUT POSTROUTING" ;;
filter) chains="INPUT FORWARD OUTPUT" ;;
security) chains="INPUT FORWARD OUTPUT" ;;
*) chains= ;;
esac
2013-12-01 14:59:44 +00:00
echo "*${firehol_table}"
2015-02-19 01:21:51 +00:00
test -f $FIREHOL_DIR/fast/${n}.${firehol_table}.policy && ${CAT_CMD} $FIREHOL_DIR/fast/${n}.${firehol_table}.policy
test -f $FIREHOL_DIR/fast/${n}.${firehol_table}.chains && ${CAT_CMD} $FIREHOL_DIR/fast/${n}.${firehol_table}.chains
test -f $FIREHOL_DIR/fast/${n}.${firehol_table}.rules && ${CAT_CMD} $FIREHOL_DIR/fast/${n}.${firehol_table}.rules
if [ "${FIREHOL_FAST_ACTIVATION_CHAINS_TRACE}" = "1" ]
then
for c in ${chains}
do
#for s in NONE EXPECTED SEEN_REPLY ASSURED CONFIRMED
#do
# prepare_iptables_log_arg "${firehol_table}.${c}.status=${s}"
# echo "-I ${c} -m conntrack --ctstatus ${s} -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_IPTABLES_ARG[@]}"
#done
for s in INVALID UNTRACKED NEW ESTABLISHED RELATED SNAT DNAT
do
2015-02-19 21:06:00 +00:00
prepare_iptables_log_arg "${firehol_table}.${c}.${s}"
2015-02-19 01:21:51 +00:00
echo "-I ${c} -m conntrack --ctstate ${s} -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_IPTABLES_ARG[@]}"
done
done
fi
2013-12-01 14:59:44 +00:00
echo "COMMIT"
2015-02-19 01:21:51 +00:00
done >>"${out}"
2013-12-01 14:59:44 +00:00
done
2015-02-19 01:21:51 +00:00
2013-09-28 09:16:56 +00:00
if [ "${FIREHOL_MODE}" = "DEBUG" ]
then
2015-02-19 01:21:51 +00:00
if [ $ENABLE_IPV4 -eq 1 ]
then
echo
echo "# IPv4 Rules:"
${CAT_CMD} ${FIREHOL_OUTPUT}.fast
fi
if [ $ENABLE_IPV6 -eq 1 ]
then
echo
echo "# IPv6 Rules:"
${CAT_CMD} ${FIREHOL_OUTPUT}.fast6
fi
echo
echo "# Commands to execute:"
${CAT_CMD} ${FIREHOL_OUTPUT} | ${SED_CMD} -e "s|#.*$||g" | ${EGREP_CMD} -v "^ *$"
2013-09-28 09:16:56 +00:00
exit 1
fi
2015-01-31 23:08:12 +00:00
# apply the new ipsets
2015-02-01 22:16:33 +00:00
if [ ${ENABLE_IPSET} -eq 1 ]
then
ipsets_apply || exit 1
fi
2015-01-31 23:08:12 +00:00
2015-02-02 20:54:11 +00:00
progress "Fast activating new firewall"
2013-09-28 09:03:57 +00:00
2015-02-19 21:06:00 +00:00
prepare_firewall_for_activation
2013-09-25 23:50:30 +00:00
2013-10-19 11:09:19 +00:00
# execute any postprocessing commands
# in FAST_ACTIVATION the output file does not have any iptables commands
# it might have kernel modules management, activation of routing, etc.
2015-01-30 22:45:56 +00:00
file close 21
source "${FIREHOL_OUTPUT}" "${@}"
2013-09-25 23:50:30 +00:00
if [ $? -ne 0 ]
then
2013-10-19 11:09:19 +00:00
work_runtime_error=$[work_runtime_error+1]
2013-09-28 09:03:57 +00:00
else
2013-10-19 11:09:19 +00:00
# attempt to restore this firewall from the generated commands
2014-02-22 11:52:56 +00:00
if [ $ENABLE_IPV4 -eq 1 ]
then
${IPTABLES_RESTORE_CMD} <${FIREHOL_OUTPUT}.fast >${FIREHOL_OUTPUT}.log 2>&1
status4=$?
else
status4=0
fi
if [ $status4 -ne 0 ]
2013-10-19 11:09:19 +00:00
then
# it failed
runtime_error error "CANNOT APPLY IN FAST MODE" FIN "${IPTABLES_RESTORE_CMD}" "<${FIREHOL_OUTPUT}.fast"
2014-03-12 22:20:00 +00:00
2013-10-19 11:09:19 +00:00
work_runtime_error=$[work_runtime_error+1]
2014-03-12 22:20:00 +00:00
# find the line
echo >&2 "Offending line:"
line=`cat "${FIREHOL_OUTPUT}.log" | grep "Error occurred at line: " | cut -d ':' -f 2`
2014-03-13 23:13:28 +00:00
test -z "$line" && line=`cat "${FIREHOL_OUTPUT}.log" | grep "iptables-restore: line " | grep failed | cut -d ' ' -f 3`
2014-03-12 22:20:00 +00:00
${CAT_CMD} "${FIREHOL_OUTPUT}.fast" | ${HEAD_CMD} -n $line | ${TAIL_CMD} -n 1 >&2
echo >&2
2013-10-19 11:09:19 +00:00
# the rest of the script will restore the original firewall
else
2014-02-22 11:52:56 +00:00
if [ $ENABLE_IPV6 -eq 1 ]
then
${IP6TABLES_RESTORE_CMD} <${FIREHOL_OUTPUT}.fast6 >>${FIREHOL_OUTPUT}.log 2>&1
status6=$?
else
status6=0
fi
if [ $status6 -ne 0 ]
2013-12-01 14:59:44 +00:00
then
# it failed
runtime_error error "CANNOT APPLY IN FAST MODE" FIN "${IP6TABLES_RESTORE_CMD}" "<${FIREHOL_OUTPUT}.fast6"
work_runtime_error=$[work_runtime_error+1]
2014-03-12 22:20:00 +00:00
# find the line
echo >&2 "Offending line:"
line=`cat "${FIREHOL_OUTPUT}.log" | grep "Error occurred at line: " | cut -d ':' -f 2`
2014-03-13 23:13:28 +00:00
test -z "$line" && line=`cat "${FIREHOL_OUTPUT}.log" | grep "ip6tables-restore: line " | grep failed | cut -d ' ' -f 3`
2014-03-12 22:20:00 +00:00
${CAT_CMD} "${FIREHOL_OUTPUT}.fast6" | ${HEAD_CMD} -n $line | ${TAIL_CMD} -n 1 >&2
echo >&2
2013-12-01 14:59:44 +00:00
# the rest of the script will restore the original firewall
else
2015-02-19 21:06:00 +00:00
finalize_activated_firewall
2013-12-01 14:59:44 +00:00
fi
2013-10-19 11:09:19 +00:00
fi
2013-09-25 23:50:30 +00:00
fi
else
2013-09-28 09:16:56 +00:00
if [ "${FIREHOL_MODE}" = "DEBUG" ]
then
2015-01-30 22:45:56 +00:00
file close 21
2013-09-28 09:16:56 +00:00
${CAT_CMD} ${FIREHOL_OUTPUT}
exit 1
fi
2015-01-31 23:08:12 +00:00
# apply the new ipsets
2015-02-01 22:16:33 +00:00
if [ ${ENABLE_IPSET} -eq 1 ]
then
ipsets_apply || exit 1
fi
2015-01-31 23:08:12 +00:00
2013-09-25 23:50:30 +00:00
syslog info "Activating new firewall from ${FIREHOL_CONFIG} (translated to ${FIREHOL_COMMAND_COUNTER} iptables rules)."
2015-02-02 20:54:11 +00:00
progress "Activating new firewall (${FIREHOL_COMMAND_COUNTER} rules)"
2013-09-25 23:50:30 +00:00
2015-02-19 21:06:00 +00:00
prepare_firewall_for_activation
2013-09-25 23:50:30 +00:00
2015-01-30 22:45:56 +00:00
file close 21
2015-02-06 20:43:23 +00:00
source "${FIREHOL_OUTPUT}" "${@}"
2013-09-28 09:03:57 +00:00
if [ $? -ne 0 ]
then
work_runtime_error=$[work_runtime_error+1]
else
2015-02-19 21:06:00 +00:00
finalize_activated_firewall
2013-09-28 09:03:57 +00:00
fi
2002-09-05 20:57:59 +00:00
fi
2009-02-26 02:13:54 +00:00
if [ ${work_runtime_error} -gt 0 ]
2002-09-05 20:57:59 +00:00
then
2015-02-02 20:54:11 +00:00
failure # "Activating new firewall"
2009-02-26 02:13:54 +00:00
syslog err "Activation of new firewall failed."
# The trap will restore the firewall we saved above.
2002-10-31 15:31:52 +00:00
2015-01-06 17:53:45 +00:00
if [ ${FIREHOL_FAST_ACTIVATION} -eq 1 ]
then
echo >&2
echo >&2 "To get a more detailed report of the offending command,"
echo >&2 "you can quickly re-apply the same firewall with fast"
echo >&2 "activation disabled, like this:"
echo >&2
2015-01-30 22:45:56 +00:00
printf >&2 "${PROGRAM_FILE} nofast "
2015-01-06 17:53:45 +00:00
printf >&2 "%q " "${FIREHOL_ORIGINAL_ARGS[@]}"
printf >&2 "\n"
fi
2002-09-05 20:57:59 +00:00
exit 1
fi
2015-02-02 20:54:11 +00:00
success # "Activating new firewall (${FIREHOL_COMMAND_COUNTER} rules)"
2002-10-31 15:31:52 +00:00
if [ ${FIREHOL_TRY} -eq 1 ]
then
2009-02-26 02:13:54 +00:00
syslog info "Waiting user to commit the new firewall."
2002-10-31 15:31:52 +00:00
read -p "Keep the firewall? (type 'commit' to accept - 30 seconds timeout) : " -t 30 -e
ret=$?
2015-02-01 22:39:33 +00:00
echo >&2
2002-10-31 15:31:52 +00:00
if [ ! $ret -eq 0 -o ! "${REPLY}" = "commit" ]
then
2009-02-26 02:13:54 +00:00
syslog err "User did not confirm the new firewall."
2002-10-31 15:31:52 +00:00
# The trap will restore the firewall.
exit 1
else
2015-02-01 22:39:33 +00:00
echo >&2 "Successfull activation of FireHOL firewall."
2009-02-26 02:13:54 +00:00
syslog info "User committed new firewall."
2002-10-31 15:31:52 +00:00
fi
fi
# Remove the saved firewall, so that the trap will not restore it.
2015-01-06 17:53:45 +00:00
${RM_CMD} -f "${FIREHOL_SAVED}" "${FIREHOL_SAVED6}" >/dev/null 2>&1
2009-02-26 02:13:54 +00:00
FIREHOL_ACTIVATED_SUCCESSFULLY=1
2002-10-31 15:31:52 +00:00
2002-09-05 20:57:59 +00:00
2014-12-19 21:46:53 +00:00
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# last, keep a copy of the firewall we activated, on disk
2015-01-30 22:45:56 +00:00
file close 20
2014-12-30 18:42:58 +00:00
mv "${FIREHOL_DIR}/firewall_restore_commands.sh" "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"
chown root:root "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"
chmod 700 "${FIREHOL_SPOOL_DIR}/firewall_restore_commands.sh"
2014-12-19 21:46:53 +00:00
# keep track if we do ipv4
if [ $ENABLE_IPV4 -eq 1 ]
then
touch "${FIREHOL_SPOOL_DIR}/ipv4.enable"
chown root:root "${FIREHOL_SPOOL_DIR}/ipv4.enable"
chmod 600 "${FIREHOL_SPOOL_DIR}/ipv4.enable"
else
test -f "${FIREHOL_SPOOL_DIR}/ipv4.enable" && rm "${FIREHOL_SPOOL_DIR}/ipv4.enable"
fi
# keep track if we do ipv6
if [ $ENABLE_IPV6 -eq 1 ]
then
touch "${FIREHOL_SPOOL_DIR}/ipv6.enable"
chown root:root "${FIREHOL_SPOOL_DIR}/ipv6.enable"
chmod 600 "${FIREHOL_SPOOL_DIR}/ipv6.enable"
else
test -f "${FIREHOL_SPOOL_DIR}/ipv6.enable" && rm "${FIREHOL_SPOOL_DIR}/ipv6.enable"
fi
# save the rules to ${FIREHOL_SPOOL_DIR}
firehol_save_activated_firewall
2002-09-05 20:57:59 +00:00
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
if [ ${FIREHOL_SAVE} -eq 1 ]
then
2014-02-22 11:52:56 +00:00
if [ $ENABLE_IPV4 -eq 1 -a -z "${FIREHOL_AUTOSAVE}" ]
2003-03-14 20:36:52 +00:00
then
if [ -d "/etc/sysconfig" ]
then
2003-07-27 22:58:59 +00:00
# RedHat
2003-03-14 20:36:52 +00:00
FIREHOL_AUTOSAVE="/etc/sysconfig/iptables"
elif [ -d "/var/lib/iptables" ]
then
2003-07-27 22:58:59 +00:00
if [ -f /etc/conf.d/iptables ]
then
# Gentoo
IPTABLES_SAVE=
. /etc/conf.d/iptables
FIREHOL_AUTOSAVE="${IPTABLES_SAVE}"
fi
if [ -z "${FIREHOL_AUTOSAVE}" ]
then
# Debian
FIREHOL_AUTOSAVE="/var/lib/iptables/autosave"
fi
2003-03-14 20:36:52 +00:00
else
error "Cannot find where to save iptables file. Please set FIREHOL_AUTOSAVE."
2015-02-01 22:39:33 +00:00
echo >&2
2003-03-14 20:36:52 +00:00
exit 1
fi
fi
2014-02-22 11:52:56 +00:00
if [ $ENABLE_IPV6 -eq 1 -a -z "${FIREHOL_AUTOSAVE6}" ]
2013-11-03 17:43:40 +00:00
then
error "Cannot find where to save ip6tables file. Please set FIREHOL_AUTOSAVE6."
2015-02-01 22:39:33 +00:00
echo >&2
2013-11-03 17:43:40 +00:00
exit 1
fi
2003-03-14 20:36:52 +00:00
2014-02-22 11:52:56 +00:00
if [ $ENABLE_IPV4 -eq 1 ]
then
2015-02-02 20:54:11 +00:00
progress "Saving firewall to '${FIREHOL_AUTOSAVE}'"
2003-03-14 20:36:52 +00:00
2014-12-19 21:46:53 +00:00
cat "${FIREHOL_SPOOL_DIR}/ipv4.rules" >${FIREHOL_AUTOSAVE}
2014-02-22 11:52:56 +00:00
if [ ! $? -eq 0 ]
then
syslog err "Failed to save new firewall to '${FIREHOL_AUTOSAVE}'."
2015-02-02 20:54:11 +00:00
failure # "Saving firewall to '${FIREHOL_AUTOSAVE}'"
2014-02-22 11:52:56 +00:00
exit 1
fi
syslog info "New firewall saved to '${FIREHOL_AUTOSAVE}'."
2015-02-02 20:54:11 +00:00
success # "Saving firewall to '${FIREHOL_AUTOSAVE}'"
2003-01-06 00:41:10 +00:00
fi
2014-02-22 11:52:56 +00:00
if [ $ENABLE_IPV6 -eq 1 ]
then
2015-02-02 20:54:11 +00:00
progress "Saving IPv6 firewall to '${FIREHOL_AUTOSAVE6}'"
2003-01-06 00:41:10 +00:00
2014-12-19 21:46:53 +00:00
cat "${FIREHOL_SPOOL_DIR}/ipv6.rules" >${FIREHOL_AUTOSAVE6}
2014-02-22 11:52:56 +00:00
if [ ! $? -eq 0 ]
then
syslog err "Failed to save new IPv6 firewall to '${FIREHOL_AUTOSAVE6}'."
2015-02-02 20:54:11 +00:00
failure # "Saving IPv6 firewall to '${FIREHOL_AUTOSAVE6}'"
2014-02-22 11:52:56 +00:00
exit 1
fi
syslog info "New IPv6 firewall saved to '${FIREHOL_AUTOSAVE6}'."
2015-02-02 20:54:11 +00:00
success # "Saving IPv6 firewall to '${FIREHOL_AUTOSAVE6}'"
2013-11-03 17:43:40 +00:00
fi
2003-01-06 00:41:10 +00:00
exit 0
2002-09-05 20:57:59 +00:00
fi