mirror of
https://github.com/firehol/firehol.git
synced 2024-06-30 19:02:21 +00:00
The previous implementation of the "with" parameter was conflicting with
negative expressions. Fixed. Now each action (ACCEPT, REJECT, etc) can have each own optional rule parameters. Currently only REJECT (with) and REDIRECT (to-port) have such parameters. Implemented the REDIRECT action (usefull in NAT). Introduced a new concept in FireHOL: helpers Helpers are functions that do some job for you, like a shortcut. Implemented the transparent_squid helper.
This commit is contained in:
parent
fd08102798
commit
8a0476e102
44
ChangeLog
44
ChangeLog
@ -1,7 +1,7 @@
|
||||
|
||||
RCS file: /cvsroot/firehol/firehol/firehol.sh,v
|
||||
Working file: firehol.sh
|
||||
head: 1.61
|
||||
head: 1.65
|
||||
branch:
|
||||
locks: strict
|
||||
access list:
|
||||
@ -9,9 +9,49 @@ symbolic names:
|
||||
start: 1.1.1.1
|
||||
vendor: 1.1.1
|
||||
keyword substitution: kv
|
||||
total revisions: 62; selected revisions: 62
|
||||
total revisions: 66; selected revisions: 66
|
||||
description:
|
||||
----------------------------
|
||||
revision 1.65
|
||||
date: 2003/01/06 01:16:41; author: ktsaou; state: Exp; lines: +19 -3
|
||||
I have added a not-to-be-documented command line argument:
|
||||
|
||||
gimme-the-services-defs
|
||||
|
||||
An application can choose to run FireHOL with this argument to have all
|
||||
the service definitions FireHOL knows in the environment variables.
|
||||
----------------------------
|
||||
revision 1.64
|
||||
date: 2003/01/06 00:41:10; author: ktsaou; state: Exp; lines: +736 -671
|
||||
Changed the method with which the current command line was saved for the
|
||||
error handler. The new way saved a fork() and gave some speed improvements.
|
||||
|
||||
Re-arranged the code so that the global variables and the services
|
||||
definitions will be at the top of the file firehol.sh
|
||||
|
||||
Developed a work-around for a bug in iptables-save where:
|
||||
|
||||
! --uid-owner A
|
||||
|
||||
was saved as
|
||||
|
||||
--uid-owner !A
|
||||
|
||||
which was giving errors during restoration.
|
||||
Unfortunatelly this made firehol saving the running firewall without the
|
||||
use of /etc/init.d/iptables save.
|
||||
The "save" argument to firehol saves the firewall to:
|
||||
|
||||
/etc/sysconfig/iptables
|
||||
----------------------------
|
||||
revision 1.63
|
||||
date: 2003/01/05 20:03:07; author: ktsaou; state: Exp; lines: +29 -3
|
||||
Added service ping
|
||||
----------------------------
|
||||
revision 1.62
|
||||
date: 2003/01/03 23:34:37; author: ktsaou; state: Exp; lines: +16 -4
|
||||
Added protocols as services: ICMP, AH, GRE, ESP
|
||||
----------------------------
|
||||
revision 1.61
|
||||
date: 2003/01/01 04:32:48; author: ktsaou; state: Exp; lines: +6 -3
|
||||
Added service: microsoft_ds
|
||||
|
@ -512,6 +512,7 @@
|
||||
<H4>Description</H4>
|
||||
<b>with</b> is used on action "REJECT" to offer control on the message to be returned to the sender. Using <b>with</b>
|
||||
with any action, other than REJECT, will produce an error.<p>
|
||||
This parameter must be the next one after the action <b>REJECT</b> to be recognized.<p>
|
||||
<b>with</b> accepts all the arguments the <b>--reject-with</b> iptables expression accepts. For an updated list
|
||||
of these messages type <b>iptables -j REJECT --help</b>. Bellow you can find the list my system accepts:
|
||||
<p>
|
||||
@ -643,13 +644,13 @@
|
||||
All packets that reach the end of firewall in all three chains are logged (always, regardless of these settings).
|
||||
You can control the frequency of this logging by altering the frequency <a href="#loglimit">loglimit</a> uses.
|
||||
<p>
|
||||
Default: <b>DEFAULT_INPUT_POLICY="DROP"</b><br>
|
||||
Default: <b>DEFAULT_OUTPUT_POLICY="DROP"</b><br>
|
||||
Default: <b>DEFAULT_FORWARD_POLICY="DROP"</b><br>
|
||||
Default: <b>UNMATCHED_INPUT_POLICY="DROP"</b><br>
|
||||
Default: <b>UNMATCHED_OUTPUT_POLICY="DROP"</b><br>
|
||||
Default: <b>UNMATCHED_FORWARD_POLICY="DROP"</b><br>
|
||||
<br>
|
||||
Example: <b>DEFAULT_INPUT_POLICY="REJECT"</b><br>
|
||||
Example: <b>DEFAULT_OUTPUT_POLICY="REJECT"</b><br>
|
||||
Example: <b>DEFAULT_FORWARD_POLICY="REJECT"</b>
|
||||
Example: <b>UNMATCHED_INPUT_POLICY="REJECT"</b><br>
|
||||
Example: <b>UNMATCHED_OUTPUT_POLICY="REJECT"</b><br>
|
||||
Example: <b>UNMATCHED_FORWARD_POLICY="REJECT"</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="70%">
|
||||
@ -739,7 +740,7 @@
|
||||
<tr><td align=center valign=middle>
|
||||
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
|
||||
</td><td align=center valign=middle>
|
||||
<small>$Id: commands.html,v 1.9 2002/12/31 11:57:40 ktsaou Exp $</small>
|
||||
<small>$Id: commands.html,v 1.10 2003/01/06 16:13:35 ktsaou Exp $</small>
|
||||
<p>
|
||||
<b>FireHOL</b>, a firewall for humans...<br>
|
||||
© Copyright 2002
|
||||
|
279
firehol.sh
279
firehol.sh
@ -10,7 +10,7 @@
|
||||
#
|
||||
# config: /etc/firehol.conf
|
||||
#
|
||||
# $Id: firehol.sh,v 1.65 2003/01/06 01:16:41 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.66 2003/01/06 16:13:34 ktsaou Exp $
|
||||
#
|
||||
|
||||
|
||||
@ -978,6 +978,44 @@ then
|
||||
fi
|
||||
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# ------------------------------------------------------------------------------
|
||||
#
|
||||
# HELPER FUNCTIONS BELLOW THIS POINT
|
||||
#
|
||||
# ------------------------------------------------------------------------------
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# ------------------------------------------------------------------------------
|
||||
|
||||
# helper transparent_squid <squid_port> <squid_user>
|
||||
transparent_squid_count=0
|
||||
transparent_squid() {
|
||||
work_realcmd=($FUNCNAME "$@")
|
||||
|
||||
local redirect="${1}"; shift
|
||||
local user="${1}"; shift
|
||||
|
||||
test -z "${redirect}" && error "Squid port number is empty" && return 1
|
||||
test -z "${user}" && error "Squid user not specified" && return 1
|
||||
|
||||
|
||||
transparent_squid_count=$[transparent_squid_count + 1]
|
||||
|
||||
set_work_function "Setting up rules for catching routed web traffic"
|
||||
|
||||
create_chain nat "in_trsquid.${transparent_squid_count}" PREROUTING "$@" proto tcp dport http || return 1
|
||||
rule table nat chain "in_trsquid.${transparent_squid_count}" proto tcp dport http action REDIRECT to-port ${redirect} || return 1
|
||||
|
||||
set_work_function "Setting up rules for catching outgoing web traffic"
|
||||
create_chain nat "out_trsquid.${transparent_squid_count}" OUTPUT proto tcp dport http dst not "127.0.0.1" custom "-m owner ! --uid-owner ${user}" || return 1
|
||||
rule table nat chain "out_trsquid.${transparent_squid_count}" proto tcp dport http action REDIRECT to-port ${redirect} || return 1
|
||||
|
||||
FIREHOL_NAT=1
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
||||
# ------------------------------------------------------------------------------
|
||||
@ -1561,6 +1599,64 @@ close_master() {
|
||||
# wrapper for iptables, producing multiple iptables commands based on its
|
||||
# arguments. The rest of FireHOL is simply a "driver" for this function.
|
||||
|
||||
|
||||
# rule_action_param() is a function - part of rule() - to create the final iptables cmd
|
||||
# taking into account the "action_param" parameter of the action.
|
||||
|
||||
# rule_action_param() should only be used within rule() - no other place
|
||||
|
||||
rule_action_param() {
|
||||
local action="${1}"; shift
|
||||
local protocol="${1}"; shift
|
||||
local -a action_param=
|
||||
|
||||
local count=0
|
||||
while [ ! -z "${1}" -a ! "A${1}" = "A--" ]
|
||||
do
|
||||
action_param[$count]="${1}"
|
||||
shift
|
||||
|
||||
count=$[count + 1]
|
||||
done
|
||||
|
||||
local sep="${1}"; shift
|
||||
if [ ! "A${sep}" = "A--" ]
|
||||
then
|
||||
error "Internal Error, in parsing action_param parameters ($FUNCNAME '${action}' '${protocol}' '${action_param[@]}' ${sep} $@)."
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Do the rule
|
||||
case "${action}" in
|
||||
NONE)
|
||||
return 0
|
||||
;;
|
||||
|
||||
REJECT)
|
||||
if [ "${action_param[1]}" = "auto" ]
|
||||
then
|
||||
if [ "${protocol}" = "tcp" -o "${protocol}" = "TCP" ]
|
||||
then
|
||||
action_param=("--reject-with" "tcp-reset")
|
||||
else
|
||||
unset action_param
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "${action_param[0]}" = "none" ]
|
||||
then
|
||||
unset action_param
|
||||
fi
|
||||
|
||||
iptables "$@" -j "${action}" "${action_param[@]}"
|
||||
local ret=$?
|
||||
test $ret -gt 0 && failed=$[failed + 1]
|
||||
|
||||
return $ret
|
||||
}
|
||||
|
||||
rule() {
|
||||
local table="-t filter"
|
||||
local chain=
|
||||
@ -1608,8 +1704,6 @@ rule() {
|
||||
|
||||
local custom=
|
||||
|
||||
local with=
|
||||
|
||||
# If set to non-zero, this will enable the mechanism for
|
||||
# handling ANDed negative expressions.
|
||||
local have_a_not=0
|
||||
@ -1857,13 +1951,57 @@ rule() {
|
||||
action|ACTION)
|
||||
action="${2}"
|
||||
shift 2
|
||||
|
||||
unset action_param
|
||||
local action_is_chain=0
|
||||
case "${action}" in
|
||||
accept|ACCEPT)
|
||||
action="ACCEPT"
|
||||
;;
|
||||
|
||||
deny|DENY|drop|DROP)
|
||||
action="DROP"
|
||||
;;
|
||||
|
||||
reject|REJECT)
|
||||
action="REJECT"
|
||||
if [ "${1}" = "with" ]
|
||||
then
|
||||
local -a action_param=("--reject-with" "${2}")
|
||||
shift 2
|
||||
else
|
||||
local -a action_param=("--reject-with" "auto")
|
||||
fi
|
||||
;;
|
||||
|
||||
redirect|REDIRECT)
|
||||
action="REDIRECT"
|
||||
if [ "${1}" = "to-port" ]
|
||||
then
|
||||
local -a action_param=("--to-port" "${2}")
|
||||
shift 2
|
||||
fi
|
||||
;;
|
||||
|
||||
return|RETURN)
|
||||
action="RETURN"
|
||||
;;
|
||||
|
||||
mirror|MIRROR)
|
||||
action="MIRROR"
|
||||
;;
|
||||
|
||||
none|NONE)
|
||||
action="NONE"
|
||||
;;
|
||||
|
||||
*)
|
||||
chain_exists "${action}"
|
||||
local action_is_chain=$?
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
|
||||
with|WITH)
|
||||
with="${2}"
|
||||
shift 2
|
||||
;;
|
||||
|
||||
state|STATE)
|
||||
shift
|
||||
statenot=
|
||||
@ -1885,50 +2023,26 @@ rule() {
|
||||
esac
|
||||
done
|
||||
|
||||
local action_is_chain=0
|
||||
case "${action}" in
|
||||
accept|ACCEPT)
|
||||
action=ACCEPT
|
||||
;;
|
||||
|
||||
deny|DENY)
|
||||
action=DROP
|
||||
;;
|
||||
|
||||
reject|REJECT)
|
||||
action=REJECT
|
||||
|
||||
# If the user did not specified a rejection message,
|
||||
# we have to be smart and produce a tcp-reset if the protocol
|
||||
# is TCP and an ICMP port unreachable in all other cases.
|
||||
# The special case here is the protocol "any".
|
||||
# To accomplish the differentiation based on protocol we have
|
||||
# to change the protocol "any" to "tcp any"
|
||||
|
||||
test -z "${with}" -a "${proto}" = "any" && proto="tcp any"
|
||||
;;
|
||||
|
||||
drop|DROP)
|
||||
action=DROP
|
||||
;;
|
||||
|
||||
return|RETURN)
|
||||
action=RETURN
|
||||
;;
|
||||
|
||||
mirror|MIRROR)
|
||||
action=MIRROR
|
||||
;;
|
||||
|
||||
none|NONE)
|
||||
action=NONE
|
||||
;;
|
||||
|
||||
*)
|
||||
chain_exists "${action}"
|
||||
local action_is_chain=$?
|
||||
;;
|
||||
esac
|
||||
|
||||
# If the user did not specified a rejection message,
|
||||
# we have to be smart and produce a tcp-reset if the protocol
|
||||
# is TCP and an ICMP port unreachable in all other cases.
|
||||
# The special case here is the protocol "any".
|
||||
# To accomplish the differentiation based on protocol we have
|
||||
# to change the protocol "any" to "tcp any"
|
||||
|
||||
test "${action}" = "REJECT" -a "${action_param[1]}" = "auto" -a "${proto}" = "any" && proto="tcp any"
|
||||
|
||||
|
||||
# we cannot accept empty strings to a few parameters, since this
|
||||
# will prevent us from generating a rule (due to nested BASH loops).
|
||||
test -z "${inface}" && error "Cannot accept an empty 'inface'." && return 1
|
||||
test -z "${outface}" && error "Cannot accept an empty 'outface'." && return 1
|
||||
test -z "${src}" && error "Cannot accept an empty 'src'." && return 1
|
||||
test -z "${dst}" && error "Cannot accept an empty 'dst'." && return 1
|
||||
test -z "${sport}" && error "Cannot accept an empty 'sport'." && return 1
|
||||
test -z "${dport}" && error "Cannot accept an empty 'dport'." && return 1
|
||||
test -z "${proto}" && error "Cannot accept an empty 'proto'." && return 1
|
||||
|
||||
|
||||
# ----------------------------------------------------------------------------------
|
||||
@ -2049,7 +2163,23 @@ rule() {
|
||||
# just make have the final action of the rule.
|
||||
if [ ! -z "${negative_action}" ]
|
||||
then
|
||||
iptables ${table} -A "${negative_chain}" -j "${negative_action}"
|
||||
local pr=
|
||||
for pr in ${proto}
|
||||
do
|
||||
unset proto_arg
|
||||
|
||||
case ${pr} in
|
||||
any|ANY)
|
||||
;;
|
||||
|
||||
*)
|
||||
local -a proto_arg=("-p" "${pr}")
|
||||
;;
|
||||
esac
|
||||
|
||||
rule_action_param "${negative_action}" "${pr}" "${action_param[@]}" -- ${table} -A "${negative_chain}" "${proto_arg[@]}"
|
||||
unset action_param
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -2057,17 +2187,6 @@ rule() {
|
||||
# ----------------------------------------------------------------------------------
|
||||
# Process the positive rules
|
||||
|
||||
# we cannot accept empty strings to a few parameters, since this
|
||||
# will prevent us from generating a rule (due to nested BASH loops).
|
||||
test -z "${inface}" && error "Cannot accept an empty 'inface'." && return 1
|
||||
test -z "${outface}" && error "Cannot accept an empty 'outface'." && return 1
|
||||
test -z "${src}" && error "Cannot accept an empty 'src'." && return 1
|
||||
test -z "${dst}" && error "Cannot accept an empty 'dst'." && return 1
|
||||
test -z "${sport}" && error "Cannot accept an empty 'sport'." && return 1
|
||||
test -z "${dport}" && error "Cannot accept an empty 'dport'." && return 1
|
||||
test -z "${proto}" && error "Cannot accept an empty 'proto'." && return 1
|
||||
|
||||
|
||||
local pr=
|
||||
for pr in ${proto}
|
||||
do
|
||||
@ -2197,33 +2316,7 @@ rule() {
|
||||
;;
|
||||
esac
|
||||
|
||||
# Do the rule
|
||||
case "${action}" in
|
||||
NONE)
|
||||
;;
|
||||
|
||||
REJECT)
|
||||
local with_arg=
|
||||
if [ ! -z "${with}" ]
|
||||
then
|
||||
with_arg="--reject-with ${with}"
|
||||
else
|
||||
if [ "${pr}" = "tcp" -o "${pr}" = "TCP" ]
|
||||
then
|
||||
with_arg="--reject-with tcp-reset"
|
||||
fi
|
||||
fi
|
||||
|
||||
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -j "${action}" ${with_arg}
|
||||
test $? -gt 0 && failed=$[failed + 1]
|
||||
;;
|
||||
|
||||
*)
|
||||
test ! -z "${with}" && error "Parameter 'with' cannot be used on action '${action}'."
|
||||
iptables ${table} -A "${chain}" "${basecmd[@]}" ${custom} -j "${action}"
|
||||
test $? -gt 0 && failed=$[failed + 1]
|
||||
;;
|
||||
esac
|
||||
rule_action_param "${action}" "${pr}" "${action_param[@]}" -- ${table} -A "${chain}" "${basecmd[@]}" ${custom}
|
||||
done
|
||||
done
|
||||
done
|
||||
@ -2607,7 +2700,7 @@ case "${arg}" in
|
||||
else
|
||||
|
||||
cat <<"EOF"
|
||||
$Id: firehol.sh,v 1.65 2003/01/06 01:16:41 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.66 2003/01/06 16:13:34 ktsaou Exp $
|
||||
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
|
||||
@ -2775,7 +2868,7 @@ then
|
||||
|
||||
cat <<"EOF"
|
||||
|
||||
$Id: firehol.sh,v 1.65 2003/01/06 01:16:41 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.66 2003/01/06 16:13:34 ktsaou Exp $
|
||||
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
|
Loading…
Reference in New Issue
Block a user