mirror of
https://github.com/firehol/firehol.git
synced 2024-06-28 18:02:33 +00:00
Added support for TARPIT.
Made 'policy' work for routers too.
This commit is contained in:
ktsaou
parent
aeb33a34dd
commit
a014af195b
2
.cvs
2
.cvs
@ -1,4 +1,4 @@
|
||||
#!/bin/sh
|
||||
|
||||
export CVS_RSH=ssh
|
||||
cvs -z3 -d:ext:ktsaou@cvs.sourceforge.net:/cvsroot/firehol "$@"
|
||||
cvs -z3 -d:ext:ktsaou@firehol.cvs.sourceforge.net:/cvsroot/firehol "$@"
|
||||
|
||||
@ -53,7 +53,7 @@ google_color_text = "000000";
|
||||
<li><a href="#subcommands">Sub-Commands</a>
|
||||
<ul>
|
||||
<li><a href="#policy">policy</a>, set the default action for unmatched packets of an
|
||||
<a href="#interface">interface</a>
|
||||
<a href="#interface">interface</a> or a <a href="#router">router</a>
|
||||
</li>
|
||||
<li><a href="#protection">protection</a>, add extra protections to
|
||||
<a href="#interface">interfaces</a> and <a href="#router">routers</a>
|
||||
@ -190,9 +190,11 @@ The optional rule parameters given to the primary commands are <b>indirectly</b>
|
||||
<a name="router"><h3><b>router</b> <font color="red"><name></font> <b>[optional rule parameters]</b></h3></a>
|
||||
<H4>Description</H4>
|
||||
The <b>router</b> command creates a firewall for the traffic passing through the host running the firewall.
|
||||
The only acceptable policy on all <b>router</b> commands is <b>return</b> and therefore the policy subcommand
|
||||
cannot be used on routers. This means that no packets are dropped in a router. Packets not matched by any
|
||||
<b>router</b> command will be dropped at the end of the firewall.
|
||||
The default policy on <b>router</b> commands is <b>return</b>. This means that by default no packets are dropped in a router.
|
||||
Packets not matched by any <b>router</b> command will be dropped at the end of the firewall.
|
||||
Change the default policy of a router only if you understand clearly what gets matched by the router statement. It is very common
|
||||
to have overlapping definitions of routers and changing this policy to anything other than the default may have strange results
|
||||
for your configuration. (Changing the policy on routers appeared in v1.248).
|
||||
<p>
|
||||
INPORTANT<br>
|
||||
Note that unlike ipchains, in <b>iptables</b> traffic passing through the firewall
|
||||
@ -1468,6 +1470,21 @@ about optional rule parameters that should not be used in certain commands.
|
||||
Example: <b>DEFAULT_INTERFACE_POLICY="REJECT"</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="DEFAULT_ROUTER_POLICY"><h3><b>DEFAULT_ROUTER_POLICY</b></h3></a>
|
||||
<H4>Description</H4>
|
||||
DEFAULT_ROUTER_POLICY controls the default action to be taken on traffic not matched by any rule within a router.
|
||||
Actually, this is a global setting for what <a href="#policy">policy</a> does for a <a href="#router">router</a>.
|
||||
<p>
|
||||
All packets that reach the end of a router are logged only if the action is <b>not</b> <a href="#return">return</a> or <a href="#accept">accept</a>.
|
||||
You can control the frequency of this logging by altering the frequency <a href="#loglimit">loglimit</a> uses.
|
||||
<p>
|
||||
Default: <b>DEFAULT_ROUTER_POLICY="RETURN"</b><br>
|
||||
<br>
|
||||
Example: <b>DEFAULT_ROUTER_POLICY="REJECT"</b>
|
||||
<p>
|
||||
|
||||
<hr noshade size=1 width="100%">
|
||||
|
||||
<a name="UNMATCHED_INPUT_POLICY"><h3><b>UNMATCHED_INPUT_POLICY</b></h3></a>
|
||||
@ -1697,7 +1714,7 @@ about optional rule parameters that should not be used in certain commands.
|
||||
<tr><td align=center valign=middle>
|
||||
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
|
||||
</td><td align=center valign=middle>
|
||||
<small>$Id: commands.html,v 1.66 2006/04/22 17:32:56 ktsaou Exp $</small>
|
||||
<small>$Id: commands.html,v 1.67 2006/06/05 17:25:33 ktsaou Exp $</small>
|
||||
<p>
|
||||
<b>FireHOL</b>, a firewall for humans...<br>
|
||||
© Copyright 2004
|
||||
|
||||
68
firehol.sh
68
firehol.sh
@ -10,7 +10,7 @@
|
||||
#
|
||||
# config: /etc/firehol/firehol.conf
|
||||
#
|
||||
# $Id: firehol.sh,v 1.247 2006/04/22 17:26:18 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.248 2006/06/05 17:25:33 ktsaou Exp $
|
||||
#
|
||||
|
||||
# Make sure only root can run us.
|
||||
@ -171,7 +171,7 @@ ${RENICE_CMD} 10 $$ >/dev/null 2>/dev/null
|
||||
# Find our minor version
|
||||
firehol_minor_version() {
|
||||
${CAT_CMD} <<"EOF" | ${CUT_CMD} -d ' ' -f 3 | ${CUT_CMD} -d '.' -f 2
|
||||
$Id: firehol.sh,v 1.247 2006/04/22 17:26:18 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.248 2006/06/05 17:25:33 ktsaou Exp $
|
||||
EOF
|
||||
}
|
||||
|
||||
@ -347,6 +347,11 @@ UNROUTABLE_IPS="${RESERVED_IPS} ${PRIVATE_IPS}"
|
||||
# policy interface subscommand.
|
||||
DEFAULT_INTERFACE_POLICY="DROP"
|
||||
|
||||
# The default policy for the router commands of the firewall.
|
||||
# This can be controlled on a per interface basis using the
|
||||
# policy interface subscommand.
|
||||
DEFAULT_ROUTER_POLICY="RETURN"
|
||||
|
||||
# Which is the filter table chains policy during firewall activation?
|
||||
FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT"
|
||||
FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT"
|
||||
@ -472,7 +477,7 @@ work_realcmd=("(unset)")
|
||||
work_name=
|
||||
work_inface=
|
||||
work_outface=
|
||||
work_policy="${DEFAULT_INTERFACE_POLICY}"
|
||||
work_policy=
|
||||
work_error=0
|
||||
work_function="Initializing"
|
||||
|
||||
@ -2458,9 +2463,9 @@ iptables() {
|
||||
policy() {
|
||||
work_realcmd_secondary ${FUNCNAME} "$@"
|
||||
|
||||
require_work set interface || return 1
|
||||
require_work set any || return 1
|
||||
|
||||
set_work_function "Setting interface '${work_inface}' (${work_name}) policy to ${1}"
|
||||
set_work_function "Setting policy of ${work_name} to ${1}"
|
||||
work_policy="$*"
|
||||
|
||||
return 0
|
||||
@ -2891,11 +2896,12 @@ close_cmd() {
|
||||
work_name=
|
||||
work_inface=
|
||||
work_outface=
|
||||
work_policy="${DEFAULT_INTERFACE_POLICY}"
|
||||
work_policy=
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# close_interface
|
||||
# WHY:
|
||||
@ -2908,6 +2914,12 @@ close_interface() {
|
||||
|
||||
set_work_function "Finilizing interface '${work_name}'"
|
||||
|
||||
# Accept all related traffic to the established connections
|
||||
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
|
||||
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
|
||||
|
||||
# make sure we have a policy
|
||||
test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}"
|
||||
case "${work_policy}" in
|
||||
return|RETURN)
|
||||
return 0
|
||||
@ -2916,16 +2928,12 @@ close_interface() {
|
||||
accept|ACCEPT)
|
||||
;;
|
||||
|
||||
*)
|
||||
*)
|
||||
local -a inlog=(loglimit "'IN-${work_name}'")
|
||||
local -a outlog=(loglimit "'OUT-${work_name}'")
|
||||
;;
|
||||
esac
|
||||
|
||||
# Accept all related traffic to the established connections
|
||||
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
|
||||
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
|
||||
|
||||
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
|
||||
then
|
||||
# Silently drop orphan TCP/ACK FIN packets
|
||||
@ -2956,6 +2964,32 @@ close_router() {
|
||||
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
|
||||
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
|
||||
|
||||
# make sure we have a policy
|
||||
test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}"
|
||||
case "${work_policy}" in
|
||||
return|RETURN)
|
||||
return 0
|
||||
;;
|
||||
|
||||
accept|ACCEPT)
|
||||
;;
|
||||
|
||||
*)
|
||||
local -a inlog=(loglimit "'PASS-${work_name}'")
|
||||
local -a outlog=(loglimit "'PASS-${work_name}'")
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
|
||||
then
|
||||
# Silently drop orphan TCP/ACK FIN packets
|
||||
rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
|
||||
fi
|
||||
|
||||
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
|
||||
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -3949,6 +3983,10 @@ rule() {
|
||||
fi
|
||||
;;
|
||||
|
||||
tarpit|TARPIT)
|
||||
action="TARPIT"
|
||||
;;
|
||||
|
||||
*)
|
||||
chain_exists "${action}"
|
||||
local action_is_chain=$?
|
||||
@ -5372,7 +5410,7 @@ case "${arg}" in
|
||||
else
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
$Id: firehol.sh,v 1.247 2006/04/22 17:26:18 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.248 2006/06/05 17:25:33 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
|
||||
@ -5558,7 +5596,7 @@ then
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
|
||||
$Id: firehol.sh,v 1.247 2006/04/22 17:26:18 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.248 2006/06/05 17:25:33 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
@ -5864,7 +5902,7 @@ then
|
||||
|
||||
"${CAT_CMD}" >&2 <<EOF
|
||||
|
||||
$Id: firehol.sh,v 1.247 2006/04/22 17:26:18 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.248 2006/06/05 17:25:33 ktsaou Exp $
|
||||
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
@ -5947,7 +5985,7 @@ EOF
|
||||
echo "# "
|
||||
|
||||
${CAT_CMD} <<EOF
|
||||
# $Id: firehol.sh,v 1.247 2006/04/22 17:26:18 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.248 2006/06/05 17:25:33 ktsaou Exp $
|
||||
# (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
|
||||
# FireHOL is distributed under GPL.
|
||||
# Home Page: http://firehol.sourceforge.net
|
||||
|
||||
Loading…
Reference in New Issue
Block a user