mirror of
https://github.com/firehol/firehol.git
synced 2024-06-28 18:02:33 +00:00
'panic' now prevent you from loosing the SSH you are issuing this command
by allowing the established connection specified in the environment variable SSH_CLIENT (only if it exists: it is lost if you su -, you should su without the minus). Also, the panic argument takes one optional argument. This can be an IP address in which case all established connections between the host and this IP will be allowed.
This commit is contained in:
ktsaou
parent
c28e6c041b
commit
ff8f6e8433
@ -54,6 +54,16 @@ FireHOL has been designed to be a startup service. As such, FireHOL accepts all
|
||||
by adding just one rule per table/chain to drop all traffic, because the default
|
||||
iptables scripts supplied by many systems (including RedHat 8) do not reset
|
||||
all the chains to ACCEPT when starting (FireHOL resets them correctly).
|
||||
<p>
|
||||
When activating panic mode, FireHOL checks for the existance of the SSH_CLIENT shell
|
||||
environment variable. If it find this, then panic mode will allow the established
|
||||
SSH connection specified in this variables to operate. Notice that in order for this
|
||||
to work, you should have <b>su</b> without the minus (-) sign, since <b>su -</b>
|
||||
overwrites the shell variables and therefore the SSH_CLIENT variable is lost.
|
||||
<p>
|
||||
Alternativelly, after the <b>panic</b> argument you can specify an IP address
|
||||
in which case all <u>established</u> connections between this IP address and the host
|
||||
in panic will be allowed.
|
||||
</td>
|
||||
</tr>
|
||||
<tr> <td bgcolor="#EEEEEE"><b>save</td>
|
||||
@ -189,7 +199,7 @@ its line number in the original configuration file.
|
||||
<tr><td align=center valign=middle>
|
||||
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=58425&type=5" width="210" height="62" border="0" alt="SourceForge Logo"></A>
|
||||
</td><td align=center valign=middle>
|
||||
<small>$Id: invoking.html,v 1.9 2003/03/14 20:59:09 ktsaou Exp $</small>
|
||||
<small>$Id: invoking.html,v 1.10 2003/03/15 00:59:28 ktsaou Exp $</small>
|
||||
<p>
|
||||
<b>FireHOL</b>, a firewall for humans...<br>
|
||||
© Copyright 2002
|
||||
|
||||
30
firehol.sh
30
firehol.sh
@ -10,7 +10,7 @@
|
||||
#
|
||||
# config: /etc/firehol.conf
|
||||
#
|
||||
# $Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
|
||||
#
|
||||
FIREHOL_FILE="${0}"
|
||||
|
||||
@ -3148,6 +3148,20 @@ case "${arg}" in
|
||||
;;
|
||||
|
||||
panic)
|
||||
ssh_src=
|
||||
ssh_sport="0:65535"
|
||||
ssh_dport="0:65535"
|
||||
if [ ! -z "${SSH_CLIENT}" ]
|
||||
then
|
||||
set -- ${SSH_CLIENT}
|
||||
ssh_src="${1}"
|
||||
ssh_sport="${2}"
|
||||
ssh_dport="${3}"
|
||||
elif [ ! -z "${1}" ]
|
||||
then
|
||||
ssh_src="${1}"
|
||||
fi
|
||||
|
||||
echo -n $"FireHOL: Blocking all communications:"
|
||||
/sbin/modprobe ip_tables >/dev/null 2>&1
|
||||
tables=`cat /proc/net/ip_tables_names`
|
||||
@ -3162,6 +3176,12 @@ case "${arg}" in
|
||||
for c in ${chains}
|
||||
do
|
||||
/sbin/iptables -t "${t}" -P "${c}" ACCEPT
|
||||
|
||||
if [ ! -z "${ssh_src}" ]
|
||||
then
|
||||
/sbin/iptables -t "${t}" -A "${c}" -p tcp -s "${ssh_src}" --sport "${ssh_sport}" --dport "${ssh_dport}" -m state --state ESTABLISHED -j ACCEPT
|
||||
/sbin/iptables -t "${t}" -A "${c}" -p tcp -d "${ssh_src}" --dport "${ssh_sport}" --sport "${ssh_dport}" -m state --state ESTABLISHED -j ACCEPT
|
||||
fi
|
||||
/sbin/iptables -t "${t}" -A "${c}" -j DROP
|
||||
done
|
||||
done
|
||||
@ -3212,7 +3232,7 @@ case "${arg}" in
|
||||
else
|
||||
|
||||
cat <<"EOF"
|
||||
$Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
|
||||
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
|
||||
@ -3395,7 +3415,7 @@ then
|
||||
|
||||
cat <<"EOF"
|
||||
|
||||
$Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
|
||||
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
@ -3603,7 +3623,7 @@ then
|
||||
|
||||
cat >&2 <<"EOF"
|
||||
|
||||
$Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
|
||||
$Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
|
||||
(C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
|
||||
FireHOL is distributed under GPL.
|
||||
Home Page: http://firehol.sourceforge.net
|
||||
@ -3696,7 +3716,7 @@ EOF
|
||||
echo "# "
|
||||
|
||||
cat <<"EOF"
|
||||
# $Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
|
||||
# $Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
|
||||
# (C) Copyright 2002, Costa Tsaousis <costa@tsaousis.gr>
|
||||
# FireHOL is distributed under GPL.
|
||||
# Home Page: http://firehol.sourceforge.net
|
||||
|
||||
Loading…
Reference in New Issue
Block a user