sad/firehol
1
0
Fork 0
mirror of https://github.com/firehol/firehol.git synced 2024-06-28 18:02:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

The previous implementation of the "with" parameter was conflicting with

Browse Source 
negative expressions. Fixed.

Now each action (ACCEPT, REJECT, etc) can have each own optional rule
parameters. Currently only REJECT (with) and REDIRECT (to-port) have
such parameters.

Implemented the REDIRECT action (usefull in NAT).

Introduced a new concept in FireHOL: helpers

Helpers are functions that do some job for you, like a shortcut.

Implemented the transparent_squid helper.
This commit is contained in:
ktsaou 2003-01-06 16:13:34 +00:00
parent fd08102798
commit 8a0476e102
3 changed files with 236 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
ChangeLog
View File

@ -1,7 +1,7 @@
RCS file: /cvsroot/firehol/firehol/firehol.sh,v
Working file: firehol.sh
head: 1.61
head: 1.65
branch:
locks: strict
access list:
@ -9,9 +9,49 @@ symbolic names:
start: 1.1.1.1
vendor: 1.1.1
keyword substitution: kv
total revisions: 62; selected revisions: 62
total revisions: 66; selected revisions: 66
description:
----------------------------
revision 1.65
date: 2003/01/06 01:16:41; author: ktsaou; state: Exp; lines: +19 -3
I have added a not-to-be-documented command line argument:
gimme-the-services-defs
An application can choose to run FireHOL with this argument to have all
the service definitions FireHOL knows in the environment variables.
----------------------------
revision 1.64
date: 2003/01/06 00:41:10; author: ktsaou; state: Exp; lines: +736 -671
Changed the method with which the current command line was saved for the
error handler. The new way saved a fork() and gave some speed improvements.
Re-arranged the code so that the global variables and the services
definitions will be at the top of the file firehol.sh
Developed a work-around for a bug in iptables-save where:
! --uid-owner A
was saved as
--uid-owner !A
which was giving errors during restoration.
Unfortunatelly this made firehol saving the running firewall without the
use of /etc/init.d/iptables save.
The "save" argument to firehol saves the firewall to:
/etc/sysconfig/iptables
----------------------------
revision 1.63
date: 2003/01/05 20:03:07; author: ktsaou; state: Exp; lines: +29 -3
Added service ping
----------------------------
revision 1.62
date: 2003/01/03 23:34:37; author: ktsaou; state: Exp; lines: +16 -4
Added protocols as services: ICMP, AH, GRE, ESP
----------------------------
revision 1.61
date: 2003/01/01 04:32:48; author: ktsaou; state: Exp; lines: +6 -3
Added service: microsoft_ds

15
doc/commands.html
View File

@ -512,6 +512,7 @@
<H4>Description</H4>
<b>with</b> is used on action "REJECT" to offer control on the message to be returned to the sender. Using <b>with</b>
with any action, other than REJECT, will produce an error.<p>
This parameter must be the next one after the action <b>REJECT</b> to be recognized.<p>
<b>with</b> accepts all the arguments the <b>--reject-with</b> iptables expression accepts. For an updated list
of these messages type <b>iptables -j REJECT --help</b>. Bellow you can find the list my system accepts:
<p>
@ -643,13 +644,13 @@
All packets that reach the end of firewall in all three chains are logged (always, regardless of these settings).
You can control the frequency of this logging by altering the frequency <a href="#loglimit">loglimit</a> uses.
<p>
Default: <b>DEFAULT_INPUT_POLICY="DROP"</b><br>
Default: <b>DEFAULT_OUTPUT_POLICY="DROP"</b><br>
Default: <b>DEFAULT_FORWARD_POLICY="DROP"</b><br>
Default: <b>UNMATCHED_INPUT_POLICY="DROP"</b><br>
Default: <b>UNMATCHED_OUTPUT_POLICY="DROP"</b><br>
Default: <b>UNMATCHED_FORWARD_POLICY="DROP"</b><br>
<br>
Example: <b>DEFAULT_INPUT_POLICY="REJECT"</b><br>
Example: <b>DEFAULT_OUTPUT_POLICY="REJECT"</b><br>
Example: <b>DEFAULT_FORWARD_POLICY="REJECT"</b>
Example: <b>UNMATCHED_INPUT_POLICY="REJECT"</b><br>
Example: <b>UNMATCHED_OUTPUT_POLICY="REJECT"</b><br>
Example: <b>UNMATCHED_FORWARD_POLICY="REJECT"</b>
<p>
<hr noshade size=1 width="70%">
@ -739,7 +740,7 @@
<tr><td align=center valign=middle>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&amp;type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
</td><td align=center valign=middle>
<small>$Id: commands.html,v 1.9 2002/12/31 11:57:40 ktsaou Exp $</small>
<small>$Id: commands.html,v 1.10 2003/01/06 16:13:35 ktsaou Exp $</small>
<p>
<b>FireHOL</b>, a firewall for humans...<br>
&copy; Copyright 2002

279
firehol.sh
View File

@ -10,7 +10,7 @@
#
# config: /etc/firehol.conf
#
# $Id: firehol.sh,v 1.65 2003/01/06 01:16:41 ktsaou Exp $
# $Id: firehol.sh,v 1.66 2003/01/06 16:13:34 ktsaou Exp $
#
@ -978,6 +978,44 @@ then
fi
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
#
# HELPER FUNCTIONS BELLOW THIS POINT
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
# helper transparent_squid <squid_port> <squid_user>
transparent_squid_count=0
transparent_squid() {
work_realcmd=($FUNCNAME "$@")
local redirect="${1}"; shift
local user="${1}"; shift
test -z "${redirect}" && error "Squid port number is empty" && return 1
test -z "${user}" && error "Squid user not specified" && return 1
transparent_squid_count=$[transparent_squid_count + 1]
set_work_function "Setting up rules for catching routed web traffic"
create_chain nat "in_trsquid.${transparent_squid_count}" PREROUTING "$@" proto tcp dport http || return 1
rule table nat chain "in_trsquid.${transparent_squid_count}" proto tcp dport http action REDIRECT to-port ${redirect} || return 1
set_work_function "Setting up rules for catching outgoing web traffic"
create_chain nat "out_trsquid.${transparent_squid_count}" OUTPUT proto tcp dport http dst not "127.0.0.1" custom "-m owner ! --uid-owner ${user}" || return 1
rule table nat chain "out_trsquid.${transparent_squid_count}" proto tcp dport http action REDIRECT to-port ${redirect} || return 1
FIREHOL_NAT=1
return 0
}
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------
@ -1561,6 +1599,64 @@ close_master() {
# wrapper for iptables, producing multiple iptables commands based on its
# arguments. The rest of FireHOL is simply a "driver" for this function.
# rule_action_param() is a function - part of rule() - to create the final iptables cmd
# taking into account the "action_param" parameter of the action.
# rule_action_param() should only be used within rule() - no other place
rule_action_param() {
local action="${1}"; shift
local protocol="${1}"; shift
local -a action_param=
local count=0
while [ ! -z "${1}" -a ! "A${1}" = "A--" ]
do
action_param[$count]="${1}"
shift
count=$[count + 1]
done
local sep="${1}"; shift
if [ ! "A${sep}" = "A--" ]
then
error "Internal Error, in parsing action_param parameters ($FUNCNAME '${action}' '${protocol}' '${action_param[@]}' ${sep} $@)."
return 1
fi
# Do the rule
case "${action}" in
NONE)
return 0
;;
REJECT)
if [ "${action_param[1]}" = "auto" ]
then
if [ "${protocol}" = "tcp" -o "${protocol}" = "TCP" ]
then
action_param=("--reject-with" "tcp-reset")
else
unset action_param
fi
fi
;;
esac
if [ "${action_param[0]}" = "none" ]
then
unset action_param
fi
iptables "$@" -j "${action}" "${action_param[@]}"
local ret=$?
test $ret -gt 0 && failed=$[failed + 1]
return $ret
}
rule() {
local table="-t filter"
local chain=
@ -1608,8 +1704,6 @@ rule() {
local custom=
local with=
# If set to non-zero, this will enable the mechanism for
# handling ANDed negative expressions.
local have_a_not=0
@ -1857,13 +1951,57 @@ rule() {
action|ACTION)
action="${2}"
shift 2
unset action_param
local action_is_chain=0
case "${action}" in
accept|ACCEPT)
action="ACCEPT"
;;
deny|DENY|drop|DROP)
action="DROP"
;;
reject|REJECT)
action="REJECT"
if [ "${1}" = "with" ]
then
local -a action_param=("--reject-with" "${2}")
shift 2
else
local -a action_param=("--reject-with" "auto")
fi
;;
redirect|REDIRECT)
action="REDIRECT"
if [ "${1}" = "to-port" ]
then
local -a action_param=("--to-port" "${2}")
shift 2
fi
;;
return|RETURN)
action="RETURN"
;;
mirror|MIRROR)
action="MIRROR"
;;
none|NONE)
action="NONE"
;;
*)
chain_exists "${action}"
local action_is_chain=$?
;;
esac
;;
with|WITH)
with="${2}"
shift 2
;;
state|STATE)
shift
statenot=
@ -1885,50 +2023,26 @@ rule() {
esac
done
local action_is_chain=0
case "${action}" in
accept|ACCEPT)
action=ACCEPT
;;
deny|DENY)
action=DROP
;;
reject|REJECT)
action=REJECT
# If the user did not specified a rejection message,
# we have to be smart and produce a tcp-reset if the protocol
# is TCP and an ICMP port unreachable in all other cases.
# The special case here is the protocol "any".
# To accomplish the differentiation based on protocol we have
# to change the protocol "any" to "tcp any"
test -z "${with}" -a "${proto}" = "any" && proto="tcp any"
;;
drop|DROP)
action=DROP
;;
return|RETURN)
action=RETURN
;;
mirror|MIRROR)
action=MIRROR
;;
none|NONE)
action=NONE
;;
*)
chain_exists "${action}"
local action_is_chain=$?
;;
esac
# If the user did not specified a rejection message,
# we have to be smart and produce a tcp-reset if the protocol
# is TCP and an ICMP port unreachable in all other cases.
# The special case here is the protocol "any".
# To accomplish the differentiation based on protocol we have
# to change the protocol "any" to "tcp any"
test "${action}" = "REJECT" -a "${action_param[1]}" = "auto" -a "${proto}" = "any" && proto="tcp any"
# we cannot accept empty strings to a few parameters, since this
# will prevent us from generating a rule (due to nested BASH loops).
test -z "${inface}" && error "Cannot accept an empty 'inface'." && return 1
test -z "${outface}" && error "Cannot accept an empty 'outface'." && return 1
test -z "${src}" && error "Cannot accept an empty 'src'." && return 1
test -z "${dst}" && error "Cannot accept an empty 'dst'." && return 1
test -z "${sport}" && error "Cannot accept an empty 'sport'." && return 1
test -z "${dport}" && error "Cannot accept an empty 'dport'." && return 1
test -z "${proto}" && error "Cannot accept an empty 'proto'." && return 1
# ----------------------------------------------------------------------------------
@ -2049,7 +2163,23 @@ rule() {
# just make have the final action of the rule.
if [ ! -z "${negative_action}" ]
then
iptables ${table} -A "${negative_chain}" -j "${negative_action}"
local pr=
for pr in ${proto}
do
unset proto_arg
case ${pr} in
any|ANY)
;;
*)
local -a proto_arg=("-p" "${pr}")
;;
esac
rule_action_param "${negative_action}" "${pr}" "${action_param[@]}" -- ${table} -A "${negative_chain}" "${proto_arg[@]}"
unset action_param
done
fi
fi
@ -2057,17 +2187,6 @@ rule() {
# ----------------------------------------------------------------------------------
# Process the positive rules
# we cannot accept empty strings to a few parameters, since this
# will prevent us from generating a rule (due to nested BASH loops).
test -z "${inface}" && error "Cannot accept an empty 'inface'." && return 1
test -z "${outface}" && error "Cannot accept an empty 'outface'." && return 1
test -z "${src}" && error "Cannot accept an empty 'src'." && return 1
test -z "${dst}" && error "Cannot accept an empty 'dst'." && return 1
test -z "${sport}" && error "Cannot accept an empty 'sport'." && return 1
test -z "${dport}" && error "Cannot accept an empty 'dport'." && return 1
test -z "${proto}" && error "Cannot accept an empty 'proto'." && return 1
local pr=
for pr in ${proto}
do
@ -2197,33 +2316,7 @@ rule() {
;;
esac
# Do the rule
case "${action}" in
NONE)
;;
REJECT)
local with_arg=
if [ ! -z "${with}" ]
then
with_arg="--reject-with ${with}"
else
if [ "${pr}" = "tcp" -o "${pr}" = "TCP" ]
then
with_arg="--reject-with tcp-reset"
fi
fi
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -j "${action}" ${with_arg}
test $? -gt 0 && failed=$[failed + 1]
;;
*)
test ! -z "${with}" && error "Parameter 'with' cannot be used on action '${action}'."
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -j "${action}"
test $? -gt 0 && failed=$[failed + 1]
;;
esac
rule_action_param "${action}" "${pr}" "${action_param[@]}" -- ${table} -A "${chain}" "${basecmd[@]}" ${custom}
done
done
done
@ -2607,7 +2700,7 @@ case "${arg}" in
else
cat <<"EOF"
$Id: firehol.sh,v 1.65 2003/01/06 01:16:41 ktsaou Exp $
$Id: firehol.sh,v 1.66 2003/01/06 16:13:34 ktsaou Exp $
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
@ -2775,7 +2868,7 @@ then
cat <<"EOF"
$Id: firehol.sh,v 1.65 2003/01/06 01:16:41 ktsaou Exp $
$Id: firehol.sh,v 1.66 2003/01/06 16:13:34 ktsaou Exp $
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net