added helper ipuntrap, to undo what iptrap does; keyword "except" does not accept negative expressions - added check in rule(); workaround for a bash bug that did not show all commands in explain mode; added some color and option -nc to disable colors; added some more info in various points for debug mode; debug mode was not generating comments - fixed it
This commit is contained in:
parent
daf7981da0
commit
3b8505f73d
@ -8,44 +8,56 @@ firehol-iptrap - dynamically put IP addresses in an ipset
|
||||
|
||||
# SYNOPSIS
|
||||
|
||||
{ iptrap | iptrap4 | iptrap6 } *type* *ipset* *timeout* [*rule-params*]...
|
||||
{ iptrap | iptrap4 | iptrap6 } *type* *ipset* *timeout* [*rule-params*] [ except [*rule-params*] ]...
|
||||
|
||||
{ ipuntrap | ipuntrap4 | ipuntrap6 } *type* *ipset* [*rule-params*] [ except [*rule-params*] ]...
|
||||
|
||||
# DESCRIPTION
|
||||
|
||||
|
||||
The `trap` puts the IP addresses of the matching packets to `ipset`. It does
|
||||
not affect the flow of traffic. It does not `ACCEPT`, `REJECT`, `DROP`
|
||||
packets or affect the firewall in any way.
|
||||
`iptrap` adds the IP addresses of the matching packets to `ipset`.
|
||||
|
||||
Type selects which of the IP addresses of the matching packets will be saved
|
||||
in the `ipset`. Type can be `src`, `dst`, `src,dst`, `dst,src`.
|
||||
`ipuntrap` deletes the IP adresses of the matching packets from `ipset`.
|
||||
|
||||
iptrap will create the `ipset` specified, if that ipset is not already
|
||||
Both helpers do not affect the flow of traffic. They does not `ACCEPT`,
|
||||
`REJECT`, `DROP` packets or affect the firewall in any way.
|
||||
|
||||
`type` selects which of the IP addresses of the matching packets will be used
|
||||
(added or removed from the ipset). `type` can be `src`, `dst`, `src,dst`,
|
||||
`dst,src`.
|
||||
|
||||
Both helpers will create the `ipset` specified, if that ipset is not already
|
||||
created by other statements. When the ipset is created by the `iptrap` helper,
|
||||
the ipset will not be reset (emptied) when the firewall is restarted.
|
||||
|
||||
`timeout` is the duration in seconds of the lifetime of each IP
|
||||
address in the ipset. Every matching packet will refresh this duration
|
||||
for the IP address in the ipset. The Linux kernel will automatically remove
|
||||
the IP from the ipset when this time expires. The user may monitor the
|
||||
remaining time for each IP, by running `ipset list NAME` (where `NAME` is
|
||||
the `ipset` parameter given in the `iptrap` command).
|
||||
`timeout` is required by `iptrap` and gives the duration in seconds of the
|
||||
lifetime of each IP address that is added to `ipset`. Every matching packet
|
||||
will refresh this duration for the IP address in the ipset.
|
||||
The Linux kernel will automatically remove the IP from the ipset when this
|
||||
time expires. The user may monitor the remaining time for each IP, by running
|
||||
`ipset list NAME` (where `NAME` is the `ipset` parameter given in the `iptrap`
|
||||
command).
|
||||
|
||||
The *rule-params* define a set of rule parameters to restrict
|
||||
the traffic that is matched to this service. See
|
||||
the traffic that is matched to this helper. See
|
||||
[firehol-params(5)][] for more details.
|
||||
|
||||
`iptrap` is hooked on PREROUTING so it is only useful for incoming traffic.
|
||||
`except` *rule-params* are used to exclude traffic, i.e. traffic that normally
|
||||
is matched by the first set of *rule-params*, will be excluded if matched by
|
||||
the second.
|
||||
|
||||
`iptrap` cannot setup both IPv4 and IPv6 traps with one call. The reason
|
||||
is that the `ipset` can either be IPv4 or IPv6.
|
||||
`iptrap` and `ipuntrap` are hooked on PREROUTING so it is only useful for
|
||||
incoming traffic.
|
||||
|
||||
`iptrap` and `ipuntrap` cannot setup both IPv4 and IPv6 traps with one call.
|
||||
The reason is that the `ipset` can either be IPv4 or IPv6.
|
||||
|
||||
|
||||
# EXAMPLES
|
||||
|
||||
~~~~
|
||||
iptrap4 src trap 3600 inface eth0 proto tcp dport 80 log "TRAPPED HTTP"
|
||||
ipuntrap4 src trap inface eth0 src ipset:trap proto tcp dport 80 log "UNTRAPPED HTTP"
|
||||
~~~~
|
||||
|
||||
# SEE ALSO
|
||||
|
223
sbin/firehol.in
223
sbin/firehol.in
@ -93,6 +93,37 @@ FIREHOL_DEFAULT_WORKING_DIRECTORY="${PWD}"
|
||||
# Make sure we don't get localized results
|
||||
export LC_ALL=C
|
||||
|
||||
if [ "z$1" = "z-nc" ]
|
||||
then
|
||||
shift
|
||||
else
|
||||
# Enable colors
|
||||
if [ $[$(tput colors 2>/dev/null)] -ge 8 ]
|
||||
then
|
||||
COLOR_RESET="\e[0m"
|
||||
COLOR_BLACK="\e[30m"
|
||||
COLOR_RED="\e[31m"
|
||||
COLOR_GREEN="\e[32m"
|
||||
COLOR_YELLOW="\e[33m"
|
||||
COLOR_BLUE="\e[34m"
|
||||
COLOR_PURPLE="\e[35m"
|
||||
COLOR_CYAN="\e[36m"
|
||||
COLOR_WHITE="\e[37m"
|
||||
COLOR_BGBLACK="\e[40m"
|
||||
COLOR_BGRED="\e[41m"
|
||||
COLOR_BGGREEN="\e[42m"
|
||||
COLOR_BGYELLOW="\e[43m"
|
||||
COLOR_BGBLUE="\e[44m"
|
||||
COLOR_BGPURPLE="\e[45m"
|
||||
COLOR_BGCYAN="\e[46m"
|
||||
COLOR_BGWHITE="\e[47m"
|
||||
COLOR_BOLD="\e[1m"
|
||||
COLOR_DIM="\e[2m"
|
||||
COLOR_UNDERLINED="\e[4m"
|
||||
COLOR_BLINK="\e[5m"
|
||||
COLOR_INVERTED="\e[7m"
|
||||
fi
|
||||
fi
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
@ -1080,36 +1111,9 @@ syslog() {
|
||||
return 0
|
||||
}
|
||||
|
||||
# Enable colors
|
||||
if [ $[$(tput colors 2>/dev/null)] -ge 8 ]
|
||||
then
|
||||
COLOR_RESET="\e[0m"
|
||||
COLOR_BLACK="\e[30m"
|
||||
COLOR_RED="\e[31m"
|
||||
COLOR_GREEN="\e[32m"
|
||||
COLOR_YELLOW="\e[33m"
|
||||
COLOR_BLUE="\e[34m"
|
||||
COLOR_PURPLE="\e[35m"
|
||||
COLOR_CYAN="\e[36m"
|
||||
COLOR_WHITE="\e[37m"
|
||||
COLOR_BGBLACK="\e[40m"
|
||||
COLOR_BGRED="\e[41m"
|
||||
COLOR_BGGREEN="\e[42m"
|
||||
COLOR_BGYELLOW="\e[43m"
|
||||
COLOR_BGBLUE="\e[44m"
|
||||
COLOR_BGPURPLE="\e[45m"
|
||||
COLOR_BGCYAN="\e[46m"
|
||||
COLOR_BGWHITE="\e[47m"
|
||||
COLOR_BOLD="\e[1m"
|
||||
COLOR_DIM="\e[2m"
|
||||
COLOR_UNDERLINED="\e[4m"
|
||||
COLOR_BLINK="\e[5m"
|
||||
COLOR_INVERTED="\e[7m"
|
||||
fi
|
||||
|
||||
declare -a FIREHOL_PROGRESS_MESSAGES=()
|
||||
progress() {
|
||||
printf >&2 "FireHOL: ${*}... "
|
||||
printf >&2 "${COLOR_GREEN}FireHOL:${COLOR_RESET} ${*}... "
|
||||
FIREHOL_PROGRESS_MESSAGES=("${*}" "${FIREHOL_PROGRESS_MESSAGES[@]}")
|
||||
syslog info "${*} started"
|
||||
}
|
||||
@ -1117,10 +1121,10 @@ progress() {
|
||||
success() {
|
||||
if [ ! -z "${1}" ]
|
||||
then
|
||||
echo >&2 " OK (${*})"
|
||||
echo >&2 -e "${COLOR_RESET}${COLOR_BGGREEN}${COLOR_BLACK}${COLOR_BOLD} OK ${COLOR_RESET} (${*})"
|
||||
syslog info "${FIREHOL_PROGRESS_MESSAGES[0]} succeeded with message: ${*}"
|
||||
else
|
||||
echo >&2 " OK"
|
||||
echo >&2 -e "${COLOR_RESET}${COLOR_BGGREEN}${COLOR_BLACK}${COLOR_BOLD} OK ${COLOR_RESET}"
|
||||
syslog info "${FIREHOL_PROGRESS_MESSAGES[0]} succeeded"
|
||||
fi
|
||||
unset FIREHOL_PROGRESS_MESSAGES[0]
|
||||
@ -1130,10 +1134,10 @@ success() {
|
||||
failure() {
|
||||
if [ ! -z "${1}" ]
|
||||
then
|
||||
echo >&2 " FAILED (${*})"
|
||||
echo >&2 -e "${COLOR_RESET}${COLOR_BGRED}${COLOR_WHITE}${COLOR_BOLD}${COLOR_BLINK} FAILED ${COLOR_RESET} (${*})"
|
||||
syslog err "${FIREHOL_PROGRESS_MESSAGES[0]} failed with message: ${*}"
|
||||
else
|
||||
echo >&2 " FAILED"
|
||||
echo >&2 -e "${COLOR_RESET}${COLOR_BGRED}${COLOR_WHITE}${COLOR_BOLD}${COLOR_BLINK} FAILED ${COLOR_RESET}"
|
||||
syslog err "${FIREHOL_PROGRESS_MESSAGES[0]} failed"
|
||||
fi
|
||||
unset FIREHOL_PROGRESS_MESSAGES[0]
|
||||
@ -3649,6 +3653,10 @@ blacklist() {
|
||||
while [ ! -z "${1}" ]
|
||||
do
|
||||
case "${1}" in
|
||||
src|SRC)
|
||||
shift
|
||||
;;
|
||||
|
||||
except|EXCEPT)
|
||||
shift
|
||||
break
|
||||
@ -3693,7 +3701,7 @@ blacklist() {
|
||||
iptables_both -t mangle -N "${chain}.in"
|
||||
|
||||
# add the excepted rules
|
||||
test ! -z "${1}" && ( rule table mangle chain "${chain}.in" in action RETURN "${@}" || return 1 )
|
||||
test ! -z "${1}" && ( rule nonot table mangle chain "${chain}.in" in action RETURN "${@}" || return 1 )
|
||||
|
||||
# add the accounting rules
|
||||
test ! -z "${accounting}" && ( iptables_both -t mangle -A "${chain}.in" -m nfacct --nfacct-name "${accounting}" || return 1 )
|
||||
@ -3760,6 +3768,12 @@ blacklist() {
|
||||
}
|
||||
|
||||
FIREHOL_IPTRAP_COUNTER=0
|
||||
|
||||
ipuntrap4() { ipv4 iptrap undo "${@}"; }
|
||||
ipuntrap6() { ipv6 iptrap undo "${@}"; }
|
||||
ipuntrap46() { both iptrap undo "${@}"; }
|
||||
ipuntrap() { iptrap undo "${@}"; }
|
||||
|
||||
iptrap4() { ipv4 iptrap "${@}"; }
|
||||
iptrap6() { ipv6 iptrap "${@}"; }
|
||||
iptrap46() { both iptrap "${@}"; }
|
||||
@ -3771,8 +3785,22 @@ iptrap() {
|
||||
require_work clear || ( error "${FUNCNAME} cannot be used in '${work_cmd}'. Put it before any '${work_cmd}' definition."; return 1 )
|
||||
running_both && error "${FUNCNAME} cannot be used in both IPv4 and IPv6. Please give use either iptrap4 or iptrap6." && return 1
|
||||
|
||||
local type="${1}" ipset="${2}" timeout="${3}" chain=
|
||||
local -a args=() logopts_arg=(log "TRAP")
|
||||
local undo=0 type= ipset= timeout= chain=
|
||||
local -a args=() logopts_arg=()
|
||||
|
||||
if [ "$1" = "undo" ]
|
||||
then
|
||||
undo=1
|
||||
type="${2}"
|
||||
ipset="${3}"
|
||||
logopts_arg=(log "UNTRAP")
|
||||
else
|
||||
undo=0
|
||||
type="${1}"
|
||||
ipset="${2}"
|
||||
timeout="${3}"
|
||||
logopts_arg=(log "TRAP")
|
||||
fi
|
||||
shift 3
|
||||
|
||||
if [ ${ENABLE_IPSET} -ne 1 ]
|
||||
@ -3823,10 +3851,17 @@ iptrap() {
|
||||
iptables_both -t mangle -N "${chain}"
|
||||
|
||||
# add the excepted rules
|
||||
test ! -z "${1}" && ( rule table mangle chain "${chain}" in action RETURN "${@}" || return 1 )
|
||||
test ! -z "${1}" && ( rule nonot table mangle chain "${chain}" in action RETURN "${@}" || return 1 )
|
||||
|
||||
# do the job
|
||||
iptables_both -t mangle -A "${chain}" -j SET --add-set ${ipset} ${type} --exist --timeout ${timeout}
|
||||
if [ ${undo} -eq 1 ]
|
||||
then
|
||||
# remove the ip
|
||||
iptables_both -t mangle -A "${chain}" -j SET --del-set ${ipset} ${type}
|
||||
else
|
||||
# add the ip
|
||||
iptables_both -t mangle -A "${chain}" -j SET --add-set ${ipset} ${type} --exist --timeout ${timeout}
|
||||
fi
|
||||
|
||||
# log and return
|
||||
rule table mangle chain "${chain}" in "${logopts_arg[@]}" action RETURN
|
||||
@ -4635,8 +4670,15 @@ postprocess() {
|
||||
esac
|
||||
done
|
||||
|
||||
test "${FIREHOL_MODE}" = "DEBUG" && check="debug"
|
||||
test "${FIREHOL_MODE}" = "EXPLAIN" && check="debug"
|
||||
if [ "${FIREHOL_MODE}" = "EXPLAIN" ]
|
||||
then
|
||||
printf "%q " "${@}"
|
||||
printf "\n"
|
||||
return 0
|
||||
elif [ "${FIREHOL_MODE}" = "DEBUG" ]
|
||||
then
|
||||
check="debug"
|
||||
fi
|
||||
|
||||
printf "%q " "${@}" >&21
|
||||
case "${check}" in
|
||||
@ -4655,14 +4697,6 @@ postprocess() {
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "${FIREHOL_MODE}" = "EXPLAIN" ]
|
||||
then
|
||||
file close 21
|
||||
${CAT_CMD} "${FIREHOL_OUTPUT}"
|
||||
${RM_CMD} "${FIREHOL_OUTPUT}"
|
||||
file open 21 "${FIREHOL_OUTPUT}" w || exit 1
|
||||
fi
|
||||
|
||||
test $save -eq 1 && save_for_restore ${check} "${@}"
|
||||
|
||||
return 0
|
||||
@ -5342,6 +5376,8 @@ close_interface() {
|
||||
|
||||
set_work_function "Finilizing interface '${work_name}'"
|
||||
|
||||
set_work_function "Accepting all RELATED sockets in interface '${work_name}'"
|
||||
|
||||
# Accept all related traffic to the established connections
|
||||
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
|
||||
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
|
||||
@ -5350,6 +5386,7 @@ close_interface() {
|
||||
test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}"
|
||||
case "${work_policy}" in
|
||||
return|RETURN)
|
||||
set_work_function "Nothing to be done for policy RETURN of interface '${work_name}'"
|
||||
return 0
|
||||
;;
|
||||
|
||||
@ -5359,6 +5396,8 @@ close_interface() {
|
||||
*)
|
||||
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
|
||||
then
|
||||
set_work_function "Silently droping TCP ACK+FIN packets of interface '${work_name}' (option: FIREHOL_DROP_ORPHAN_TCP_ACK_FIN)"
|
||||
|
||||
# Silently drop orphan TCP/ACK FIN packets
|
||||
rule chain "in_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
rule reverse chain "out_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
@ -5369,6 +5408,8 @@ close_interface() {
|
||||
;;
|
||||
esac
|
||||
|
||||
set_work_function "Applying default policy of ${work_policy} on interface '${work_name}'"
|
||||
|
||||
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
|
||||
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
|
||||
|
||||
@ -5388,6 +5429,8 @@ close_router() {
|
||||
|
||||
set_work_function "Finilizing router '${work_name}'"
|
||||
|
||||
set_work_function "Accepting all RELATED sockets in router '${work_name}'"
|
||||
|
||||
# Accept all related traffic to the established connections
|
||||
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
|
||||
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
|
||||
@ -5396,6 +5439,7 @@ close_router() {
|
||||
test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}"
|
||||
case "${work_policy}" in
|
||||
return|RETURN)
|
||||
set_work_function "Nothing to be done for policy RETURN of router '${work_name}'"
|
||||
return 0
|
||||
;;
|
||||
|
||||
@ -5405,6 +5449,8 @@ close_router() {
|
||||
*)
|
||||
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
|
||||
then
|
||||
set_work_function "Silently droping TCP ACK+FIN packets of router '${work_name}' (option: FIREHOL_DROP_ORPHAN_TCP_ACK_FIN)"
|
||||
|
||||
# Silently drop orphan TCP/ACK FIN packets
|
||||
rule chain "in_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
rule reverse chain "out_${work_name}" proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
@ -5415,6 +5461,8 @@ close_router() {
|
||||
;;
|
||||
esac
|
||||
|
||||
set_work_function "Applying default policy of ${work_policy} on router '${work_name}'"
|
||||
|
||||
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
|
||||
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
|
||||
|
||||
@ -5433,10 +5481,14 @@ close_master() {
|
||||
|
||||
if [ ! "${MARKS_SAVERESTORE_STATEFUL_MASK}" = "0x00000000" ]
|
||||
then
|
||||
set_work_function "Restoring stateful permanent marks"
|
||||
|
||||
# copy CONNMARK to MARK at the top of mangle, on entry points
|
||||
iptables_both -t mangle -I OUTPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
|
||||
iptables_both -t mangle -I PREROUTING 1 -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
|
||||
|
||||
set_work_function "Saving stateful permanent marks"
|
||||
|
||||
# save MARK to CONNMARK at the end of mangle, on exit points
|
||||
iptables_both -t mangle -A INPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
|
||||
iptables_both -t mangle -A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATEFUL_MASK}
|
||||
@ -5444,15 +5496,21 @@ close_master() {
|
||||
|
||||
if [ ! "${MARKS_SAVERESTORE_STATELESS_MASK}" = "0x00000000" ]
|
||||
then
|
||||
set_work_function "Restoring stateless permanent marks"
|
||||
|
||||
# copy CONNMARK to MARK at the top of mangle, on entry points
|
||||
iptables_both -t mangle -I OUTPUT 1 -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
|
||||
iptables_both -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
|
||||
|
||||
set_work_function "Saving stateless permanent marks"
|
||||
|
||||
# save MARK to CONNMARK at the end of mangle, on exit points
|
||||
iptables_both -t mangle -A INPUT -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
|
||||
iptables_both -t mangle -A POSTROUTING -j CONNMARK --save-mark --mask ${MARKS_SAVERESTORE_STATELESS_MASK}
|
||||
fi
|
||||
|
||||
set_work_function "Accepting all RELATED traffic to the ESTABLISHED connections"
|
||||
|
||||
# Accept all related traffic to the established connections
|
||||
rule chain INPUT state RELATED action ACCEPT || return 1
|
||||
rule chain OUTPUT state RELATED action ACCEPT || return 1
|
||||
@ -5460,12 +5518,16 @@ close_master() {
|
||||
|
||||
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
|
||||
then
|
||||
set_work_function "Silently droping TCP ACK+FIN packets (option: FIREHOL_DROP_ORPHAN_TCP_ACK_FIN)"
|
||||
|
||||
# Silently drop orphan TCP/ACK FIN packets
|
||||
rule chain INPUT proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
rule chain OUTPUT proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
rule chain FORWARD proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
fi
|
||||
|
||||
set_work_function "Setting default unmatched policy (options: UNMATCHED_INPUT_POLICY UNMATCHED_OUTPUT_POLICY UNMATCHED_ROUTER_POLICY)"
|
||||
|
||||
rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1
|
||||
rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1
|
||||
rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1
|
||||
@ -5569,6 +5631,8 @@ close_all_groups() {
|
||||
|
||||
FIREHOL_ACCEPT_CHAIN_COUNT=0
|
||||
rule_action_param() {
|
||||
# echo >&2 " >>> ${FUNCNAME}: ${*}"
|
||||
|
||||
local iptables_cmd="${1}" \
|
||||
action="${2}" \
|
||||
protocol="${3}" \
|
||||
@ -5792,7 +5856,7 @@ rule_action_param() {
|
||||
}
|
||||
|
||||
rule() {
|
||||
#echo >&2 "${FUNCNAME}: ${*}"
|
||||
# echo >&2 " >>> ${FUNCNAME}: ${*}"
|
||||
|
||||
# defining these local variables together speeds FireHOL up by 4%
|
||||
local failed=0 \
|
||||
@ -5832,6 +5896,9 @@ rule() {
|
||||
# if set to 1, log and loglimit are ignored.
|
||||
local nolog=0
|
||||
|
||||
# if set to 1, negative expressions will give an error
|
||||
local nonot=0
|
||||
|
||||
# if set to 1, detection algorithm about overwriting optional rule
|
||||
# parameters will take place.
|
||||
local softwarnings=1
|
||||
@ -5842,6 +5909,11 @@ rule() {
|
||||
while [ ! -z "${1}" ]
|
||||
do
|
||||
case "${1}" in
|
||||
nonot|NONOT)
|
||||
nonot=1
|
||||
shift
|
||||
;;
|
||||
|
||||
reverse|REVERSE)
|
||||
reverse=1
|
||||
shift
|
||||
@ -7084,6 +7156,12 @@ rule() {
|
||||
# ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules
|
||||
if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
|
||||
then
|
||||
if [ ${nonot} -eq 1 ]
|
||||
then
|
||||
error "Negative expressions are not allowed at this point."
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ ${action_is_chain} -eq 1 ]
|
||||
then
|
||||
# if the action is a chain name, then just add the negative
|
||||
@ -7354,8 +7432,8 @@ rule() {
|
||||
do
|
||||
iptables_both ${table} -A "${negative_chain}" -m dscp --dscp${dscptype} "${tdscp}" -j RETURN
|
||||
done
|
||||
dscp=any
|
||||
dscpnot=
|
||||
dscp=any
|
||||
fi
|
||||
|
||||
|
||||
@ -7746,7 +7824,7 @@ rule() {
|
||||
|
||||
warning() {
|
||||
echo >&2
|
||||
echo >&2 "WARNING: " "${@}"
|
||||
echo >&2 -e "${COLOR_YELLOW}WARNING${COLOR_RESET}: " "${@}"
|
||||
echo >&2
|
||||
|
||||
return 0
|
||||
@ -7754,13 +7832,13 @@ warning() {
|
||||
|
||||
softwarning() {
|
||||
echo >&2
|
||||
echo >&2 "--------------------------------------------------------------------------------"
|
||||
echo >&2 "WARNING"
|
||||
echo >&2 "WHEN : ${work_function}"
|
||||
echo >&2 "WHY :" "${@}"
|
||||
printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
|
||||
echo >&2 "MODE :" "${FIREHOL_NS_CURR}"
|
||||
echo >&2 "SOURCE : $(config_line)"
|
||||
echo >&2 -e "--------------------------------------------------------------------------------"
|
||||
echo >&2 -e "${COLOR_BOLD}${COLOR_YELLOW}WARNING${COLOR_RESET}"
|
||||
echo >&2 -e "WHEN : ${work_function}"
|
||||
echo >&2 -e "WHY : ${COLOR_BOLD}${COLOR_YELLOW}${@}${COLOR_RESET}"
|
||||
printf >&2 "COMMAND: ${COLOR_YELLOW}"; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
|
||||
echo >&2 -e "${COLOR_RESET}MODE :" "${FIREHOL_NS_CURR}"
|
||||
echo >&2 -e "SOURCE : $(config_line)"
|
||||
echo >&2
|
||||
|
||||
return 0
|
||||
@ -7778,13 +7856,13 @@ error() {
|
||||
|
||||
work_error=$[work_error + 1]
|
||||
echo >&2
|
||||
echo >&2 "--------------------------------------------------------------------------------"
|
||||
echo >&2 "ERROR #: ${work_error}"
|
||||
echo >&2 "WHEN : ${work_function}"
|
||||
echo >&2 "WHY :" "${@}"
|
||||
printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
|
||||
echo >&2 "MODE :" "${FIREHOL_NS_CURR}"
|
||||
echo >&2 "SOURCE : $(config_line)"
|
||||
echo >&2 -e "--------------------------------------------------------------------------------"
|
||||
echo >&2 -e "${COLOR_BOLD}${COLOR_BGRED}${COLOR_WHITE} ERROR ${COLOR_RESET}: # ${work_error}"
|
||||
echo >&2 -e "WHEN : ${work_function}"
|
||||
echo >&2 -e "WHY : ${COLOR_BGRED}${COLOR_WHITE} ${@} ${COLOR_RESET}"
|
||||
printf >&2 "COMMAND: ${COLOR_YELLOW}"; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
|
||||
echo >&2 -e "${COLOR_RESET}MODE :" "${FIREHOL_NS_CURR}"
|
||||
echo >&2 -e "SOURCE : $(config_line)"
|
||||
echo >&2
|
||||
|
||||
return 0
|
||||
@ -8356,7 +8434,6 @@ case "${arg}" in
|
||||
firewall_policy6_applied=1
|
||||
FIREHOL_FAST_ACTIVATION=0
|
||||
FIREHOL_MODE="EXPLAIN"
|
||||
FIREHOL_CONF_SHOW=1
|
||||
;;
|
||||
|
||||
helpme|wizard)
|
||||
@ -8570,7 +8647,6 @@ case "${arg}" in
|
||||
debug)
|
||||
test ! -z "${1}" && test ${1} != "--" && softwarning "Arguments after parameter '${arg}' are ignored."
|
||||
FIREHOL_MODE="DEBUG"
|
||||
FIREHOL_CONF_SHOW=1
|
||||
;;
|
||||
|
||||
ipset_update_from_file)
|
||||
@ -8912,6 +8988,8 @@ then
|
||||
fi
|
||||
fi
|
||||
|
||||
test "${FIREHOL_MODE}" = "DEBUG" && FIREHOL_CONF_SHOW=1
|
||||
|
||||
[ ${FIREHOL_FAST_ACTIVATION} -eq 0 ] && FIREHOL_LOG_ESCAPE=
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
@ -8947,9 +9025,10 @@ EOF
|
||||
|
||||
while [ 1 = 1 ]
|
||||
do
|
||||
read -p "# FireHOL [${work_cmd}:${work_name}] > " -e -r
|
||||
echo -en "${COLOR_RESET}#${COLOR_GREEN} FireHOL ${COLOR_RESET}[${COLOR_BOLD}${COLOR_BLUE}${work_cmd}${COLOR_RESET}:${COLOR_CYAN}${work_name}${COLOR_RESET}]"
|
||||
read -p " > " -e -r
|
||||
test -z "${REPLY}" && continue
|
||||
|
||||
|
||||
set_work_function -ne "Executing user input"
|
||||
|
||||
while [ 1 = 1 ]
|
||||
@ -9907,6 +9986,8 @@ firewall_policy_applied=0
|
||||
firewall_policy() {
|
||||
firewall_policy_applied=1
|
||||
|
||||
set_work_function "Applying IPv4 firewall activation policy (options: FIREHOL_INPUT_ACTIVATION_POLICY FIREHOL_OUTPUT_ACTIVATION_POLICY FIREHOL_FORWARD_ACTIVATION_POLICY)"
|
||||
|
||||
iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
|
||||
iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
|
||||
iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
|
||||
@ -9914,6 +9995,7 @@ firewall_policy() {
|
||||
# Accept everything in/out the loopback device.
|
||||
if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" ]
|
||||
then
|
||||
set_work_function "Trusting IPv4 lo (option: FIREHOL_TRUST_LOOPBACK)"
|
||||
iptables -A INPUT -i lo -j ACCEPT
|
||||
iptables -A OUTPUT -o lo -j ACCEPT
|
||||
fi
|
||||
@ -9922,6 +10004,7 @@ firewall_policy() {
|
||||
# Netfilter HOWTO suggests to DROP all INVALID packets.
|
||||
if [ "${FIREHOL_DROP_INVALID}" = "1" ]
|
||||
then
|
||||
set_work_function "Droping IPv4 connection tracker INVALID packets (option: FIREHOL_DROP_INVALID)"
|
||||
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
@ -9932,6 +10015,8 @@ firewall_policy6_applied=0
|
||||
firewall_policy6() {
|
||||
firewall_policy6_applied=1
|
||||
|
||||
set_work_function "Applying IPv6 firewall activation policy (options: FIREHOL_INPUT_ACTIVATION_POLICY FIREHOL_OUTPUT_ACTIVATION_POLICY FIREHOL_FORWARD_ACTIVATION_POLICY)"
|
||||
|
||||
ip6tables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
|
||||
ip6tables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
|
||||
ip6tables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
|
||||
@ -9939,6 +10024,7 @@ firewall_policy6() {
|
||||
# Accept everything in/out the loopback device.
|
||||
if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" ]
|
||||
then
|
||||
set_work_function "Trusting IPv4 lo (option: FIREHOL_TRUST_LOOPBACK)"
|
||||
ip6tables -A INPUT -i lo -j ACCEPT
|
||||
ip6tables -A OUTPUT -o lo -j ACCEPT
|
||||
fi
|
||||
@ -9947,6 +10033,7 @@ firewall_policy6() {
|
||||
# Netfilter HOWTO suggests to DROP all INVALID packets.
|
||||
if [ "${FIREHOL_DROP_INVALID}" = "1" ]
|
||||
then
|
||||
set_work_function "Droping IPv4 connection tracker INVALID packets (option: FIREHOL_DROP_INVALID)"
|
||||
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
|
||||
ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
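Review bot: The new `echo -e` lines in error() and softwarning() (hunks at +7856 and +7832, and warning() at +7824) now apply backslash-escape processing to the interpolated data — `${@}`, `${work_function}` and `$(config_line)`, the last presumably the offending configuration line — which the replaced plain `echo` printed verbatim, so a `\e`, `\n` or `\t` inside a config line or a message built from it is turned into control characters on the operator's terminal or in captured logs. Since the COLOR_* variables are assigned in double quotes (the block after `export LC_ALL=C`) and therefore hold a literal `\e` that only a format string expands, the colours belong in the printf format and the data in a `%s` argument: `printf >&2 "WHEN   : %s\n" "${work_function}"`, `printf >&2 "WHY    : ${COLOR_BGRED}${COLOR_WHITE} %s ${COLOR_RESET}\n" "${*}"`, `printf >&2 "SOURCE : %s\n" "$(config_line)"` — same shape for softwarning(), and `"${*}"` rather than the `${@}` embedded in a quoted string, which splits into several words when more than one argument is passed. Separately, colour detection in that same startup block keys off `tput colors` alone, so when stderr is redirected to a file or the journal the escape sequences are still emitted; guarding with `[ -t 2 ] && ` before the `tput` test (keeping `-nc` as the explicit override) avoids polluting captured output. error(), softwarning() and warning() all open outside their hunks.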
|
||||
|