diff --git a/doc/invoking.html b/doc/invoking.html
index 43f26e0..83053e5 100644
--- a/doc/invoking.html
+++ b/doc/invoking.html
@@ -54,6 +54,16 @@ FireHOL has been designed to be a startup service. As such, FireHOL accepts all by adding just one rule per table/chain to drop all traffic, because the default iptables scripts supplied by many systems (including RedHat 8) do not reset all the chains to ACCEPT when starting (FireHOL resets them correctly).
+

+ When activating panic mode, FireHOL checks for the existance of the SSH_CLIENT shell + environment variable. If it find this, then panic mode will allow the established + SSH connection specified in this variables to operate. Notice that in order for this + to work, you should have su without the minus (-) sign, since su - + overwrites the shell variables and therefore the SSH_CLIENT variable is lost. +

+ Alternativelly, after the panic argument you can specify an IP address in which case all established connections between this IP address and the host in panic will be allowed. save
@@ -189,7 +199,7 @@ its line number in the original configuration file. SourceForge Logo
- $Id: invoking.html,v 1.9 2003/03/14 20:59:09 ktsaou Exp $
+ $Id: invoking.html,v 1.10 2003/03/15 00:59:28 ktsaou Exp $

FireHOL, a firewall for humans...
© Copyright 2002
diff --git a/firehol.sh b/firehol.sh
index e453415..42585e8 100755
--- a/firehol.sh
+++ b/firehol.sh
@@ -10,7 +10,7 @@ # # config: /etc/firehol.conf #
-# $Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
+# $Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
# FIREHOL_FILE="${0}"
@@ -3148,6 +3148,20 @@ case "${arg}" in ;; panic)
+ ssh_src=
+ ssh_sport="0:65535"
+ ssh_dport="0:65535"
+ if [ ! -z "${SSH_CLIENT}" ]
+ then
+ set -- ${SSH_CLIENT}
+ ssh_src="${1}"
+ ssh_sport="${2}"
+ ssh_dport="${3}"
+ elif [ ! -z "${1}" ]
+ then
+ ssh_src="${1}"
+ fi
+
echo -n $"FireHOL: Blocking all communications:" /sbin/modprobe ip_tables >/dev/null 2>&1 tables=`cat /proc/net/ip_tables_names`
@@ -3162,6 +3176,12 @@ case "${arg}" in for c in ${chains} do /sbin/iptables -t "${t}" -P "${c}" ACCEPT
+
+ if [ ! -z "${ssh_src}" ]
+ then
+ /sbin/iptables -t "${t}" -A "${c}" -p tcp -s "${ssh_src}" --sport "${ssh_sport}" --dport "${ssh_dport}" -m state --state ESTABLISHED -j ACCEPT
+ /sbin/iptables -t "${t}" -A "${c}" -p tcp -d "${ssh_src}" --dport "${ssh_sport}" --sport "${ssh_dport}" -m state --state ESTABLISHED -j ACCEPT
+ fi
/sbin/iptables -t "${t}" -A "${c}" -j DROP done done
@@ -3212,7 +3232,7 @@ case "${arg}" in else cat <<"EOF"
-$Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
+$Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
(C) Copyright 2002, Costa Tsaousis FireHOL is distributed under GPL.
@@ -3395,7 +3415,7 @@ then cat <<"EOF"
-$Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
+$Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
(C) Copyright 2002, Costa Tsaousis FireHOL is distributed under GPL. Home Page: http://firehol.sourceforge.net
@@ -3603,7 +3623,7 @@ then cat >&2 <<"EOF"
-$Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
+$Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
(C) Copyright 2002, Costa Tsaousis FireHOL is distributed under GPL. Home Page: http://firehol.sourceforge.net
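Review bot: The fields taken from SSH_CLIENT are assigned unconditionally in `ssh_sport="${2}"` and `ssh_dport="${3}"`, and nothing checks that `set -- ${SSH_CLIENT}` actually produced three words, so a value with fewer fields replaces the `0:65535` defaults with empty strings; iptables will then refuse the `--sport ""` ACCEPT rule while the `-j DROP` appended later in the loop still goes in, locking the administrator out of the very session this change is meant to keep. Keeping the defaults as fallbacks costs nothing: `ssh_sport="${2:-0:65535}"` and `ssh_dport="${3:-0:65535}"`. A smaller point: the `elif [ ! -z "${1}" ]` branch only runs when SSH_CLIENT is empty, so an address given explicitly after `panic` from an SSH session is silently ignored, which contradicts the "alternatively" wording in the new documentation; if the explicit argument is meant to win, test `${1}` before SSH_CLIENT (assuming `${1}` already holds the word after `panic` — the shift that would arrange that is outside the hunk). The enclosing `case "${arg}"` arm starts and continues outside this hunk.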
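Review bot: The two `/sbin/iptables ... -m state --state ESTABLISHED -j ACCEPT` calls run with their exit status unchecked, and the unconditional `-j DROP` on the next line is appended regardless, so any failure there (an address iptables cannot parse, `-m state` unavailable because the conntrack module is not loaded) silently drops the SSH session panic mode was supposed to preserve. At minimum make the failure visible before the chain is closed, e.g. append `|| echo "FireHOL: cannot exempt ${ssh_src} in ${t}/${c}" >&2` to each ACCEPT line, or treat it as fatal for that chain. Note also that the exemption is appended to every chain of every table in /proc/net/ip_tables_names, including nat and mangle; whether an ESTABLISHED match does anything useful in the nat table is worth confirming, though it looks harmless there. The `for c` and `for t` loops begin outside this hunk.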
@@ -3696,7 +3716,7 @@ EOF echo "# " cat <<"EOF"
-# $Id: firehol.sh,v 1.112 2003/03/14 21:22:37 ktsaou Exp $
+# $Id: firehol.sh,v 1.113 2003/03/15 00:59:27 ktsaou Exp $
# (C) Copyright 2002, Costa Tsaousis # FireHOL is distributed under GPL. # Home Page: http://firehol.sourceforge.net