Added service NIS.

Created by Carlos Rodrigues <crlf@users.sourceforge.net>
Feature Requests item #1050951 <https://sourceforge.net/tracker/?func=detail&atid=487695&aid=1050951&group_id=58425>

These rules work for client access only!

Pushing changes to slave servers won't work if these rules are active
somewhere between the master and its slaves, because it is impossible to
predict the ports where "yppush" will be listening on each push.

Pulling changes directly on the slaves will work, and could be improved
performance-wise if these rules are modified to open "fypxfrd". This wasn't
done because it doesn't make that much sense since pushing changes on the
master server is the most common, and recommended, way to replicate maps.
ktsaou 2004-10-30 21:13:26 +00:00
parent 02a3dc1f29
commit 449040b6bd
3 changed files with 187 additions and 10 deletions

@ -435,6 +435,39 @@ If you do this then you will have to define the the ports using the procedure de
"
service_nfs_example="client nfs accept <u>dst</u> <u>1.2.3.4</u>"
server_nis_ports="many"
client_nis_ports="500:65535"
service_nis_type="complex"
service_nis_notes="
The nis service queries the RPC service on the nis server host to find out the ports <b>ypserv</b> and <b>yppasswdd</b> are listening.
Then, according to these ports it sets up rules on all the supported protocols (as reported by RPC) in order the
clients to be able to reach the server.
<p>
For this reason, the nis service requires that:
<ul>
<li>the firewall is restarted if the nis server is restarted</li>
<li>the nis server must be specified on all nis statements (only if it is not the localhost)</li>
</ul>
Since nis queries the remote RPC server, it is required to also be allowed to do so, by allowing the
<a href=\"#portmap\">portmap</a> service too. Take care, that this is allowed by the <b>running firewall</b>
when FireHOL tries to query the RPC server. So you might have to setup nis in two steps: First add the portmap
service and activate the firewall, then add the nis service and restart the firewall.
<p>
This service has been created by <a href=\"https://sourceforge.net/tracker/?func=detail&atid=487695&aid=1050951&group_id=58425\">Carlos Rodrigues</a>.
His comments regarding this implementation, are:
<p>
<b>These rules work for client access only!</b>
<p>
Pushing changes to slave servers won't work if these rules are active
somewhere between the master and its slaves, because it is impossible to
predict the ports where <b>yppush</b> will be listening on each push.
<p>
Pulling changes directly on the slaves will work, and could be improved
performance-wise if these rules are modified to open <b>fypxfrd</b>. This wasn't
done because it doesn't make that much sense since pushing changes on the
master server is the most common, and recommended, way to replicate maps.
"
service_nis_example="client nis accept <u>dst</u> <u>1.2.3.4</u>"
service_nxserver_notes="
Default ports used by NX server for connections without encryption.<br>
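Review bot: the nis notes should say that FireHOL runs rpcinfo on the firewall host itself when it generates these rules (rules_nis calls `rpcinfo -p ${x}` against every server given after `dst`), so the rpcinfo binary has to be installed on the firewall and the query has to succeed before any rule is emitted; the text only says the portmap service must be allowed. Two smaller documentation points: the map transfer daemon is named ypxfrd (rpc.ypxfrd), so "fypxfrd" in the notes reads like a typo, and `client_nis_ports="500:65535"` is declared here while rules_nis passes the literal "500:65535" to rules_custom rather than reading the variable, so the two can drift apart silently.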
@ -885,7 +918,7 @@ cat <<"EOF"
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: create_services.sh,v 1.48 2004/09/26 00:52:56 ktsaou Exp $</small>
<small>$Id: create_services.sh,v 1.49 2004/10/30 21:13:26 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2003

@ -118,7 +118,7 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
<tr><td align=left valign=top><font color="gray" size=+1><b>N</td></tr>
<tr><td align=left valign=top><small>
<a href="#netbackup">netbackup</a>, <a href="#netbios_dgm">netbios_dgm</a>, <a href="#netbios_ns">netbios_ns</a>, <a href="#netbios_ssn">netbios_ssn</a>, <a href="#nfs">nfs</a>, <a href="#nntp">nntp</a>, <a href="#nntps">nntps</a>, <a href="#ntp">ntp</a>, <a href="#nxserver">nxserver</a></td></tr></table></td>
<a href="#netbackup">netbackup</a>, <a href="#netbios_dgm">netbios_dgm</a>, <a href="#netbios_ns">netbios_ns</a>, <a href="#netbios_ssn">netbios_ssn</a>, <a href="#nfs">nfs</a>, <a href="#nis">nis</a>, <a href="#nntp">nntp</a>, <a href="#nntps">nntps</a>, <a href="#ntp">ntp</a>, <a href="#nut">nut</a>, <a href="#nxserver">nxserver</a></td></tr></table></td>
</tr><tr>
<td width="25%" align=left valign=top>
@ -1366,6 +1366,25 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
</td>
</tr>
<tr bgcolor="#F0F0F0">
<td align="center" valign="top"><a name="nis"><b>nis</b></a></td>
<td align="center" valign="top">complex</td>
<td>
<table cellspacing=0 cellpadding=2 border=0>
<tr>
<td align=right valign=top nowrap><small><font color=gray>Server Ports</td><td>&nbsp;
<b>many</b>
</td></tr><tr><td align=right valign=top nowrap><small><font color=gray>Client Ports</td><td>&nbsp;
<b>500:65535</b>
</td></tr><tr><td align=right valign=top nowrap><small><font color=gray>Netfilter Modules</td><td>&nbsp;
</td></tr><tr><td align=right valign=top nowrap><small><font color=gray>Netfilter NAT Modules</td><td>&nbsp;
</td>
</tr>
<tr><td align=right valign=top nowrap><small><font color="gray">Notes</td><td>The nis service queries the RPC service on the nis server host to find out the ports <b>ypserv</b> and <b>yppasswdd</b> are listening. Then, according to these ports it sets up rules on all the supported protocols (as reported by RPC) in order the clients to be able to reach the server. <p> For this reason, the nis service requires that: <ul> <li>the firewall is restarted if the nis server is restarted</li> <li>the nis server must be specified on all nis statements (only if it is not the localhost)</li> </ul> Since nis queries the remote RPC server, it is required to also be allowed to do so, by allowing the <a href="#portmap">portmap</a> service too. Take care, that this is allowed by the <b>running firewall</b> when FireHOL tries to query the RPC server. So you might have to setup nis in two steps: First add the portmap service and activate the firewall, then add the nis service and restart the firewall. <p> This service has been created by <a href="https://sourceforge.net/tracker/?func=detail&atid=487695&aid=1050951&group_id=58425">Carlos Rodrigues</a>. His comments regarding this implementation, are: <p> <b>These rules work for client access only!</b> <p> Pushing changes to slave servers won't work if these rules are active somewhere between the master and its slaves, because it is impossible to predict the ports where <b>yppush</b> will be listening on each push. <p> Pulling changes directly on the slaves will work, and could be improved performance-wise if these rules are modified to open <b>fypxfrd</b>. This wasn't done because it doesn't make that much sense since pushing changes on the master server is the most common, and recommended, way to replicate maps.<br>&nbsp;</td></tr>
<tr><td align=right valign=top nowrap><small><font color="gray">Example</td><td><b>client nis accept <u>dst</u> <u>1.2.3.4</u></b></td></tr>
</table>
</td>
</tr>
<tr >
<td align="center" valign="top"><a name="nntp"><b>nntp</b></a></td>
<td align="center" valign="top">simple</td>
<td>
@ -1384,7 +1403,7 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
</table>
</td>
</tr>
<tr >
<tr bgcolor="#F0F0F0">
<td align="center" valign="top"><a name="nntps"><b>nntps</b></a></td>
<td align="center" valign="top">simple</td>
<td>
@ -1403,7 +1422,7 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
</table>
</td>
</tr>
<tr bgcolor="#F0F0F0">
<tr >
<td align="center" valign="top"><a name="ntp"><b>ntp</b></a></td>
<td align="center" valign="top">simple</td>
<td>
@ -1426,6 +1445,27 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
</table>
</td>
</tr>
<tr bgcolor="#F0F0F0">
<td align="center" valign="top"><a name="nut"><b>nut</b></a></td>
<td align="center" valign="top">simple</td>
<td>
<table cellspacing=0 cellpadding=2 border=0>
<tr>
<td align=right valign=top nowrap><small><font color=gray>Server Ports</td><td>&nbsp;
<b>tcp/3493</b>
,
<b>udp/3493</b>
</td></tr><tr><td align=right valign=top nowrap><small><font color=gray>Client Ports</td><td>&nbsp;
<b>default</b>
</td></tr><tr><td align=right valign=top nowrap><small><font color=gray>Netfilter Modules</td><td>&nbsp;
</td></tr><tr><td align=right valign=top nowrap><small><font color=gray>Netfilter NAT Modules</td><td>&nbsp;
</td>
</tr>
<tr><td align=right valign=top nowrap><small><font color="gray">Notes</td><td><br>&nbsp;</td></tr>
<tr><td align=right valign=top nowrap><small><font color="gray">Example</td><td><b>server nut accept</b></td></tr>
</table>
</td>
</tr>
<tr >
<td align="center" valign="top"><a name="nxserver"><b>nxserver</b></a></td>
<td align="center" valign="top">simple</td>
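Review bot: this hunk adds a complete nut entry (tcp/3493, udp/3493) and the index hunk above adds its link, but the commit message only says "Added service NIS" and nothing in the create_services.sh part of this diff defines nut. If services.html is regenerated output that picked up a nut definition from an earlier commit, say so in the commit message; otherwise the generated page and its generator are out of sync. The Notes cell for nut is also empty, which is inconsistent with the other services documented here.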
@ -2309,7 +2349,7 @@ All the services defined by name in FireHOL are known to resolve in <a href="htt
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: services.html,v 1.54 2004/10/08 22:30:55 ktsaou Exp $</small>
<small>$Id: services.html,v 1.55 2004/10/30 21:13:26 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2003

@ -10,7 +10,7 @@
#
# config: /etc/firehol/firehol.conf
#
# $Id: firehol.sh,v 1.207 2004/10/28 23:03:06 ktsaou Exp $
# $Id: firehol.sh,v 1.208 2004/10/30 21:13:26 ktsaou Exp $
#
# Remember who you are.
@ -968,6 +968,110 @@ rules_nfs() {
}
# --- NIS ----------------------------------------------------------------------
# These rules work for client access only!
#
# Pushing changes to slave servers won't work if these rules are active
# somewhere between the master and its slaves, because it is impossible to
# predict the ports where "yppush" will be listening on each push.
#
# Pulling changes directly on the slaves will work, and could be improved
# performance-wise if these rules are modified to open "fypxfrd". This wasn't
# done because it doesn't make that much sense since pushing changes on the
# master server is the most common, and recommended, way to replicate maps.
#
# Created by Carlos Rodrigues <crlf@users.sourceforge.net>
# Feature Requests item #1050951 <https://sourceforge.net/tracker/?func=detail&atid=487695&aid=1050951&group_id=58425>
rules_nis() {
local mychain="${1}"; shift
local type="${1}"; shift
local in=in
local out=out
if [ "${type}" = "client" ]
then
in=out
out=in
fi
local client_ports="${DEFAULT_CLIENT_PORTS}"
if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
then
client_ports="${LOCAL_CLIENT_PORTS}"
fi
# ----------------------------------------------------------------------
# This command requires in the client or route subcommands,
# the first argument after the policy/action is a dst.
local action="${1}"; shift
local servers="localhost"
if [ "${type}" = "client" -o ! "${work_cmd}" = "interface" ]
then
case "${1}" in
dst|DST|destination|DESTINATION)
shift
local servers="${1}"
shift
;;
*)
error "Please re-phrase to: ${type} nis ${action} dst <NIS_SERVER> [other rules]"
return 1
;;
esac
fi
local x=
for x in ${servers}
do
local tmp="${FIREHOL_DIR}/firehol.rpcinfo.$$"
set_work_function "Getting RPC information from server '${x}'"
rpcinfo -p ${x} >"${tmp}"
if [ $? -gt 0 -o ! -s "${tmp}" ]
then
error "Cannot get rpcinfo from host '${x}' (using the previous firewall rules)"
${RM_CMD} -f "${tmp}"
return 1
fi
local server_ypserv_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " ypserv$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
local server_yppasswdd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " yppasswdd$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
test -z "${server_ypserv_ports}" && error "Cannot find ypserv ports for nis server '${x}'" && return 1
local dst=
if [ ! "${x}" = "localhost" ]
then
dst="dst ${x}"
fi
if [ ! -z "${server_yppasswd_ports}" ]
then
set_work_function "Processing yppasswd rules for server '${x}'"
rules_custom "${mychain}" "${type}" nis-yppasswd "${server_yppasswdd_ports}" "500:65535" "${action}" $dst "$@"
fi
set_work_function "Processing ypserv rules for server '${x}'"
rules_custom "${mychain}" "${type}" nis-ypserv "${server_ypserv_ports}" "500:65535" "${action}" $dst "$@"
${RM_CMD} -f "${tmp}"
echo >&2 ""
echo >&2 "WARNING:"
echo >&2 "This firewall must be restarted if NIS server ${x} is restarted!"
echo >&2 ""
done
return 0
}
# --- AMANDA -------------------------------------------------------------------
FIREHOL_AMANDA_PORTS="850:859"
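Review bot: the check `if [ ! -z "${server_yppasswd_ports}" ]` tests a variable that is never assigned; the ports extracted from the rpcinfo output are stored in `server_yppasswdd_ports` (double d), so this branch is always false and no yppasswdd rules are ever generated even though the notes promise them. Change the test to `if [ ! -z "${server_yppasswdd_ports}" ]`. Two smaller points: `client_ports` is computed from DEFAULT_CLIENT_PORTS / LOCAL_CLIENT_PORTS at the top of the function and then never used, since both rules_custom calls pass the literal "500:65535"; and `test -z "${server_ypserv_ports}" && error "..." && return 1` only returns 1 if `error` itself returns success, so if `error` ever returns non-zero the loop continues with an empty port list. A plain if/then/return is safer there, as used a few lines earlier for the rpcinfo failure.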
@ -4562,7 +4666,7 @@ case "${arg}" in
else
${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.207 2004/10/28 23:03:06 ktsaou Exp $
$Id: firehol.sh,v 1.208 2004/10/30 21:13:26 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
@ -4748,7 +4852,7 @@ then
${CAT_CMD} <<EOF
$Id: firehol.sh,v 1.207 2004/10/28 23:03:06 ktsaou Exp $
$Id: firehol.sh,v 1.208 2004/10/30 21:13:26 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5042,7 +5146,7 @@ then
${CAT_CMD} >&2 <<EOF
$Id: firehol.sh,v 1.207 2004/10/28 23:03:06 ktsaou Exp $
$Id: firehol.sh,v 1.208 2004/10/30 21:13:26 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
@ -5125,7 +5229,7 @@ EOF
echo "# "
${CAT_CMD} <<EOF
# $Id: firehol.sh,v 1.207 2004/10/28 23:03:06 ktsaou Exp $
# $Id: firehol.sh,v 1.208 2004/10/30 21:13:26 ktsaou Exp $
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
# FireHOL is distributed under GPL.
# Home Page: http://firehol.sourceforge.net