Costa Tsaousis (ktsaou)
112a21c445
added prototype for custom/admin/user supplied downloaders; fixed an issue with git commits
2015-11-10 22:15:58 +02:00
Philip Whineray
370a6616f4
Honour the config directory set by configure
Ensure that ipset_remove_all_tmp_sets() is defined before it can
be called in firehol_exit().
2015-11-10 18:35:12 +00:00
Philip Whineray
d2ec651cdc
Detect and use TAR_CMD
A couple of other programs replaced
Allow unconfigured programs to detect iprange in-situ
2015-11-10 07:26:59 +00:00
Costa Tsaousis (ktsaou)
f7c3f430fd
Merge branch 'master' of github.com:firehol/firehol
2015-11-10 01:50:38 +02:00
Costa Tsaousis (ktsaou)
41db726dfb
added ability to ask update for specific ipsets; added distribution, admin and user supplied ipsets; moved the current directory to a temporary place to prevent accidental damage or random files appearing in system locations
2015-11-10 01:50:33 +02:00
Philip Whineray
c031254067
Remove unused commands
Detect unused commands in script during pre-commit checks
Always use /sbin and /usr/sbin as part of autoconf detection
2015-11-09 20:52:11 +00:00
Philip Whineray
ee401fc813
Switch vnetbuild to common command detection
2015-11-09 07:39:05 +00:00
Costa Tsaousis (ktsaou)
740c738f29
made range printing, always print ranges
2015-11-09 09:33:05 +02:00
Philip Whineray
ea252883d8
Add perl script to detect plain command usage
Update scripts with the problems found
In firehol, moved the iptables() and ipset() helpers to before they are
used, since this is how the detection script learns they are not a problem.
2015-11-08 17:28:16 +00:00
Costa Tsaousis (ktsaou)
6a1dbc4db7
fixed a division by zero
2015-11-08 12:35:02 +02:00
Costa Tsaousis (ktsaou)
741d0d09a3
--enable-all does not enable certain ip lists; these can only be enabled manually
2015-11-08 09:26:26 +02:00
Costa Tsaousis (ktsaou)
c5e6026c61
modified to automatically support sane default for running as root or as user
2015-11-08 06:27:36 +02:00
Costa Tsaousis (ktsaou)
9d2b75bc9f
allow configuration variables to be set via environment
2015-11-08 05:11:51 +02:00
Costa Tsaousis (ktsaou)
f28122934e
isolated warning about WEB_DIR and LIB_DIR
2015-11-08 03:25:30 +02:00
Costa Tsaousis (ktsaou)
4b463218a7
allowed badips.com lists to be empty
2015-11-07 23:54:50 +02:00
Costa Tsaousis (ktsaou)
04e93f0b0d
prevent ipsets from being updated with zero IP count (it is allowed for all malware ipsets); added function for temporary settings per ipset; added history_statistics() to calculate min/max/avg update time, min/max entries and min/max IPs for the last 500 updates of ipsets
2015-11-07 23:46:31 +02:00
Costa Tsaousis (ktsaou)
05f91ad033
added min/max update duration calculation for all lists
2015-11-07 19:23:51 +02:00
Costa Tsaousis (ktsaou)
2c843be9a7
calculated the average update frequency of lists; support for the new dns progress bar of iprange
2015-11-07 18:56:21 +02:00
Costa Tsaousis (ktsaou)
9b4320a44c
disable dns progress bar by default
2015-11-07 18:55:47 +02:00
Costa Tsaousis (ktsaou)
c699a4cd91
moved RUN_DIR to /tmp because certain distros have very small /var/run tmpfs - /tmp is the proper place for temporary files
2015-11-07 15:26:04 +02:00
Costa Tsaousis (ktsaou)
4c9a7a2c2d
use iprange DNS resolv instead of the host command; use iprange binary format for the history log of aggregated ipsets
2015-11-07 15:05:53 +02:00
Costa Tsaousis (ktsaou)
a59e485d22
Merge branch 'master' of github.com:firehol/firehol
2015-11-07 13:24:24 +02:00
Phil Whineray
0dac5317fb
Detect and use pthreads when building iprange
2015-11-07 06:50:36 +00:00
Costa Tsaousis
c608bc3c22
update-ipsets now uses the async DNS resolver of iprange
2015-11-07 04:38:29 +02:00
Costa Tsaousis (ktsaou)
25249ad1f8
added options to silence dns errors and hide the progress bar
2015-11-07 04:06:04 +02:00
Costa Tsaousis (ktsaou)
d590fef00c
added asynchronous DNS resolver - now it needs to be built with -lpthread
2015-11-07 03:45:09 +02:00
Costa Tsaousis (ktsaou)
2f3a825dda
added async dns resolution - still in progress, so it is disabled, make with CFLAGS=-DASYNC_RESOLVER to enable for testing
2015-11-06 03:00:37 +02:00
Costa Tsaousis (ktsaou)
213a28571d
moved hostname resolution to a separate function
2015-11-06 01:22:52 +02:00
Costa Tsaousis (ktsaou)
c021d69c91
better handling of erroneous lines in input files; 30% faster printing of IP addresses; support for DNS resolution of hostnames in input files
2015-11-06 01:08:34 +02:00
Costa Tsaousis (ktsaou)
94d4b7eb73
added more packetmail lists
2015-11-05 01:33:16 +02:00
Costa Tsaousis (ktsaou)
dd91db096c
fix for optional and possibly missing commands
2015-11-05 00:16:22 +02:00
Costa Tsaousis (ktsaou)
5f9c83ce48
cleanup of required commands; cleanup of log formatting; some better error handling
2015-11-05 00:10:07 +02:00
Costa Tsaousis (ktsaou)
f2cc8ead49
fixes after the external command management to make it operational again
2015-11-04 01:32:44 +02:00
Costa Tsaousis (ktsaou)
4ce16f3319
added errors in *-next parameters when no file is given before the *-next parameter
2015-11-04 01:32:14 +02:00
Phil Whineray
dfa1664df0
Merge branch 'master' into update-ipsets-commands
Conflicts:
sbin/update-ipsets.in
2015-11-02 07:52:12 +00:00
Costa Tsaousis (ktsaou)
83ee676c91
fixed various issues and improved significantly the download manager and the logging
2015-11-02 08:46:46 +02:00
Costa Tsaousis (ktsaou)
3aea86defa
increased the timeouts a bit to prevent download errors
2015-11-02 00:54:15 +02:00
Costa Tsaousis (ktsaou)
81462ae4b9
fixed a bug that did not update the geolocation maps for ipsets that have not been updated, in --rebuild mode
2015-11-02 00:35:49 +02:00
Costa Tsaousis (ktsaou)
44acb44d97
it now exposes start time and consecutive errors to json files
2015-11-01 23:10:11 +02:00
Costa Tsaousis (ktsaou)
6dd27e1863
fixed the merge() function to support other maintainers too; made cleantalk use the new merge() function.
2015-11-01 22:48:28 +02:00
Phil Whineray
e27d0e205b
Replace explicit commands with detected variables
2015-11-01 17:53:23 +00:00
Phil Whineray
b1aa3cd788
Merge branch 'master' into update-ipsets-commands
Conflicts:
sbin/update-ipsets.in
2015-11-01 17:52:02 +00:00
Costa Tsaousis (ktsaou)
deedc579b0
added cleantalk lists
2015-10-31 23:52:50 +02:00
Phil Whineray
1e5fa7befa
Merge branch 'master' into update-ipsets-commands
2015-10-31 14:54:47 +00:00
Costa Tsaousis (ktsaou)
677be3c307
updated firehol lists
2015-10-31 16:28:24 +02:00
Phil Whineray
1ea9a58bd4
Convert update-ipsets to new command system
2015-10-31 12:29:25 +00:00
Costa Tsaousis (ktsaou)
1f70cb606f
added asynchronous hostname resolver based on adnshost, added hphosts lists (resolved from hostnames)
2015-10-31 13:02:40 +02:00
Costa Tsaousis (ktsaou)
e9f137cd94
fixed a bug that resulted in duplicate routing table entries (added -u to a sort)
2015-10-31 11:45:48 +02:00
Costa Tsaousis (ktsaou)
31723d0dc4
fixed a bug where a request to print single IPs containing the IP 255.255.255.255 resulted in printing all 4 billion IPv4 IPs possible
2015-10-31 11:44:14 +02:00
Costa Tsaousis (ktsaou)
94ffc784ec
added Cyber Threat Alliance Cryptowall
2015-10-31 04:11:55 +02:00
Costa Tsaousis (ktsaou)
ff46d12ac0
added ipblacklistcloud, graphiclineweb, chaosreigns, nullsecure
2015-10-31 01:29:51 +02:00
Phil Whineray
0de62875fc
Check for missing $ on commands in pre-commit
Tidied up common behaviour into a function
Updated TPUT_CMD where it was missing the $
2015-10-30 22:18:57 +00:00
Phil Whineray
0ff50524b9
Update link-balancer to use detected commands
2015-10-30 20:39:58 +00:00
Phil Whineray
1ad836d854
Remove root requirement for unittests
Significant workaround added for 0440 permissions on /proc/net/ip_tables_names
2015-10-30 20:38:12 +00:00
Phil Whineray
11b112498f
Add RMMOD_CMD and SLEEP_CMD for FireQOS
2015-10-30 07:53:18 +00:00
Phil Whineray
f27eec2e91
Do not call version routine until we have SED_CMD
Fix typo in case for version extraction
Extend kcov usage
2015-10-28 20:34:01 +00:00
Phil Whineray
73d531d340
Use require_cmd as expected now
2015-10-27 22:06:34 +00:00
Phil Whineray
881dc95ff4
Force full detection of AWK path
2015-10-27 21:55:27 +00:00
Phil Whineray
e723f3ba19
fireqos now has same command detection as firehol
Update pre-commit script to detect entries missing from configure script
Update unittest to run fireqos without a PATH set
Update unittest with a view to running code coverage check
2015-10-27 21:35:21 +00:00
Phil Whineray
9449e984d6
Added WC_CMD to command table
Also, updated pre-commit script to ensure all used commands are
present in the table.
2015-10-27 13:03:05 +00:00
Phil Whineray
070430762d
Fixup commands not using _CMD variables
Also fix remaining problems around autodetection
Both were exposed by the new unittest strategy
2015-10-26 22:36:00 +00:00
Phil Whineray
4e1bf97891
Only update PATH whilst detecting commands
Update the unit tests so that an empty path is given. Highlight any
command failures (i.e. not using the special variables) that are
emitted.
2015-10-26 22:35:17 +00:00
Phil Whineray
f652298849
Resolve uname discrepancy
2015-10-26 07:11:44 +00:00
Phil Whineray
8ef0c9a984
Include options for commands, where required
Put back uname - it is currently used before the variable is set up
2015-10-25 08:51:24 +00:00
Phil Whineray
ab2259f49b
Fix possible quoting problem and introduce test
2015-10-25 08:10:32 +00:00
Phil Whineray
c76f7626a2
Use UNAME_CMD when finding kernel version
2015-10-25 07:34:16 +00:00
Phil Whineray
41e3065cdc
Always return TTY to sane defaults
2015-10-25 07:33:42 +00:00
Phil Whineray
e6c887acf5
Use efficient alternative to extract command path
2015-10-25 07:31:31 +00:00
Phil Whineray
d63e61c3c3
Validate that all commands exist and can execute
We will output a message indicating what can be done if this occurs
2015-10-23 13:56:05 +01:00
Costa Tsaousis (ktsaou)
f0c2da8736
fix to remove a space that was appended on all commands detected; added a check to make sure the autoconf configured commands still exist; #82
2015-10-22 22:19:17 +03:00
Phil Whineray
1de06a4dbf
Allow configure script to set default AUTOSAVE
2015-10-21 20:44:17 +01:00
Phil Whineray
08425eaac0
Rework command detection routines
Process is now table-driven and has the following features:
- Honours the value set in /etc/firehol/firehol-defaults.conf, if any
- Uses the value set by autoconf, if any
- Autodetects in preferred order, allowing optional parameters as needed
This takes out all the special cases. Commands that are only sometimes
required are detected up front but still only checked when needed.
Also:
- allow detection/preinstall of iprange
- only emit iprange command warnings when it would be used
- restore tty settings when Ctrl-C hit (echo is disabled otherwise)
2015-10-21 20:44:17 +01:00
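The table-driven detection this commit describes (honour a pre-set value, verify it, otherwise autodetect over a fixed directory list that always includes /sbin and /usr/sbin, and never trust the caller's PATH), as an added POSIX sh example. This is not firehol's configure or firehol code: the helper names detect_cmd and detect_all, the DETECT_PATH list and the *_CMD variable names in the table are assumptions made for the illustration.

```shell
# Added example (not firehol's own code): table-driven command detection.
# For each command, in order: honour a value already set in the environment
# (what firehol-defaults.conf or autoconf would have provided) if it still
# points at an executable file, otherwise search a fixed list of directories.
# $PATH is deliberately not consulted: the scripts may run with PATH unset,
# and a caller-controlled PATH must not decide which "iptables" runs as root.
DETECT_PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin"

# detect_cmd VARNAME candidate [candidate ...]   (hypothetical helper name)
# Sets VARNAME to the full path of the first candidate found; returns 1 if none.
detect_cmd() {
    var="$1"; shift
    # the variable name is used in eval below, so allow only a safe character set
    case "$var" in
        ""|*[!A-Z0-9_]*) echo "detect_cmd: bad variable name '$var'" >&2; return 2 ;;
    esac

    # 1. a pre-set value wins, but only if it is still an executable regular file
    eval "preset=\${$var}"
    if [ -n "$preset" ]; then
        if [ -f "$preset" ] && [ -x "$preset" ]; then
            return 0
        fi
        echo "warning: $var='$preset' is not executable, re-detecting" >&2
    fi

    # 2. autodetect candidates in preferred order over the fixed directory list
    oldifs="$IFS"
    for name in "$@"; do
        IFS=:
        for dir in $DETECT_PATH; do
            IFS="$oldifs"
            found="$dir/$name"
            if [ -f "$found" ] && [ -x "$found" ]; then
                eval "$var=\$found"
                return 0
            fi
        done
        IFS="$oldifs"
    done
    IFS="$oldifs"
    echo "error: none of '$*' found in $DETECT_PATH; set $var in the defaults file" >&2
    return 1
}

# The command table: variable name followed by candidates, preferred first.
# Required commands abort on failure; optional ones only produce a note, and
# the note is the place to report that a feature is disabled, not an error.
detect_all() {
    detect_cmd IPTABLES_CMD iptables || return 1
    detect_cmd IPSET_CMD ipset || return 1
    detect_cmd IPRANGE_CMD iprange ||
        echo "note: iprange not found, netset optimisation disabled" >&2
    return 0
}
```

A stale configured path (a binary removed after configure ran) falls through to detection with a warning rather than failing at first use, which is the check the "make sure the autoconf configured commands still exist" commit above asks for.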
Sander Ruitenbeek
1f2c8fadee
Fixed interface oneliner to snip out NONE after interface name (ex. sit0NONE).
2015-10-20 22:32:52 +02:00
Phil Whineray
a28a459c8f
Install update-ipsets script as with others
2015-10-18 12:05:23 +01:00
Phil Whineray
5b40aec1ad
Compile and install iprange to /sbin
Added option --disable-iprange to avoid it
2015-10-18 11:17:39 +01:00
Costa Tsaousis (ktsaou)
297811db63
max/ceil % is now relative to parent's ceiling rate (it was by mistake to parent's base rate); added warning if a class takes priority outside the valid ranges of HTB (0-7); switched default colors from blue to green
2015-10-03 01:40:16 +03:00
Costa Tsaousis (ktsaou)
49b5ff3664
when a table was already up to date but others depend on it, it was failing. fix for issue #78
2015-08-02 17:38:55 +03:00
Costa Tsaousis (ktsaou)
d95a06a922
fix for issue #77
2015-08-02 17:03:53 +03:00
Phil Whineray
0cb697d218
Add IPv6 support to vnetbuild and update example
2015-07-29 20:13:44 +01:00
Costa Tsaousis (ktsaou)
0b751c5db6
fixed bug in action sockets_suspects_trap and ipset_apply
2015-07-05 02:48:13 +03:00
Costa Tsaousis (ktsaou)
c7468eeeb9
rewrote the ipsets functionality so that: a) it optimizes netsets with iprange if present, b) it adapts the maxelem parameter for the updated ipset so that updating ipsets with big incremental updates does not fail, c) maintains compatibility with older ipset versions; side-effect: calling an ipset update without restarting the firewall now only supports ipsets that are used in firehol.conf; if iprange is present, processing of ipsets is a lot faster
2015-06-15 02:33:08 +03:00
Costa Tsaousis
64bc7e62be
added support for adapting ipsets maxelem when updating an ipset
2015-06-13 06:52:14 +03:00
Costa Tsaousis (ktsaou)
27b1751eb8
save in ipsets.conf the types and options of ipsets
2015-06-07 16:22:03 +03:00
Costa Tsaousis (ktsaou)
c9340661ff
prevented a backup of all the ipsets in memory - because it takes too long when the system has many ipsets installed
2015-05-23 19:04:19 +03:00
Costa Tsaousis (ktsaou)
cc705b5818
added log() and loglimit() helpers to allow logging from ipsets globally
2015-05-20 02:03:58 +03:00
Phil Whineray
2d1351b279
Remove all reference to awk
2015-05-02 14:28:56 +01:00
Phil Whineray
4557d36cac
Remove final use of awk
2015-05-02 14:28:56 +01:00
philwhineray
d0307dacb4
Merge pull request #70 from ktsaou/vnetbuild
Add vnetbuild
2015-04-26 19:24:23 +01:00
Costa Tsaousis (ktsaou)
cbe68661a8
added wrappers for rawmark() and custommark()
2015-04-25 13:27:32 +03:00
Costa Tsaousis (ktsaou)
a4f6a1a6c4
tproxy uses markdef() to allocate a mark; marks.conf is now saved only after successful firewall activation
2015-04-25 13:27:10 +03:00
Costa Tsaousis (ktsaou)
bad5465f6a
ipset add support for comma as an IP separator
2015-04-25 13:03:07 +03:00
Phil Whineray
54db4b39c4
Add vnetbuild
2015-04-25 09:22:58 +01:00
Costa Tsaousis (ktsaou)
ee9bdb4535
disabled spinner in explain mode
2015-04-25 01:20:41 +03:00
Costa Tsaousis (ktsaou)
665538ca24
allowed to define multiple "except" rules in statements that accept this keyword
2015-04-25 01:16:35 +03:00
Costa Tsaousis (ktsaou)
53cdfc6b1d
fix for older versions of ipset
2015-04-24 21:31:32 +03:00
Costa Tsaousis (ktsaou)
2a8547d47d
fix for older versions of ipset
2015-04-24 21:01:40 +03:00
Costa Tsaousis (ktsaou)
2647833260
fix for older versions of ipset
2015-04-24 20:57:20 +03:00
Costa Tsaousis (ktsaou)
323c25d320
fix for older versions of ipset
2015-04-24 20:56:24 +03:00
Costa Tsaousis (ktsaou)
d806def4ee
fix for older versions of ipset
2015-04-24 20:55:04 +03:00
Costa Tsaousis (ktsaou)
503c76f0be
ipset support for older machines: just set IPSET_RESTORE_SUPPORTS_FLUSH_SWAP_DESTROY=0; rule() now generates NAT rules with a protocol if a port has been specified
2015-04-24 20:39:09 +03:00
Costa Tsaousis (ktsaou)
16e9b715a4
fix for ERROR columns on some tc versions
2015-04-21 21:42:05 +03:00
Costa Tsaousis (ktsaou)
8e7b3a14eb
added the ability to stop QoS on a specific device - just append the device name to the stop command #32
2015-04-16 22:32:58 +03:00
Costa Tsaousis (ktsaou)
f06c272d74
fix for emerging_block ipset
2015-04-02 06:35:42 +03:00
Costa Tsaousis (ktsaou)
d614fd7558
made STOP mode exit successfully; added support for restore option when specifying a filename on the command line
2015-03-23 17:19:49 +02:00
Costa Tsaousis (ktsaou)
18de85ffc8
services all and any are now simple services. service all now has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN
2015-03-13 11:59:51 +02:00
Costa Tsaousis (ktsaou)
d505ab0850
accept RELATED TCP ACK,RST packets on interface,router,master close() so that REJECT action works
2015-03-11 22:52:16 +02:00
Costa Tsaousis (ktsaou)
f1cde4907b
pptp and sip added to ALL_SHOULD_ALSO_RUN to make "client all accept" work as expected
2015-03-08 19:11:43 +02:00
Costa Tsaousis (ktsaou)
e71c129c9d
optimized simple_service()
2015-03-08 19:09:14 +02:00
Phil Whineray
c7824f2659
Ensure empty firewall works
Initialise a namespace even before we do anything so we still get
policy and dropped packet logging applied.
2015-03-05 07:29:55 +00:00
Costa Tsaousis (ktsaou)
a674e0967d
cleanup and added back interface_default_class since it is needed for inheritance
2015-03-03 02:25:50 +02:00
Costa Tsaousis (ktsaou)
4b20d2d6d0
FIREQOS_INTERFACE_DEFAULT_CLASSID=8000; it seems the maximum is 9999
2015-03-02 23:29:20 +02:00
Costa Tsaousis (ktsaou)
fd8ac38739
added FIREQOS_INTERFACE_DEFAULT_CLASSID FIREQOS_MATCHES_STEP; some cleanup
2015-03-02 23:15:46 +02:00
Costa Tsaousis (ktsaou)
5670ea91d0
added state NEW to masquerade
2015-03-02 00:38:31 +02:00
Costa Tsaousis (ktsaou)
02c334649e
reversed last commit - iptables does not allow inface in nat.POSTROUTING
2015-03-01 23:59:35 +02:00
Costa Tsaousis (ktsaou)
9d844c7785
allowed inface in SNAT and MASQUERADE
2015-03-01 23:53:46 +02:00
Phil Whineray
6f500b7269
Ensure ipv4 and ipv6 are used at the right time
2015-03-01 09:05:15 +00:00
Costa Tsaousis (ktsaou)
9bdf6d89d6
ENABLE_IPV4 and ENABLE_IPv6 can now be set in firehol.conf; fixed a bug where close_master() was not closing the firewall properly for both IPv4 and IPv6 - it was closing the same IPvX of the last interface or router - this bug seems to be there since the inclusion of IPv6 support
2015-03-01 04:16:16 +02:00
Costa Tsaousis (ktsaou)
d2984e6198
added action type "sockets_suspects_trap" as a shortcut to create TRAP_AND_DROP or TRAP_AND_REJECT type actions; removed -! from ipset options - they make ipset ignore the action without error - this option is only needed for "restore".
2015-02-28 00:31:32 +02:00
Costa Tsaousis (ktsaou)
7c5a213b7a
iptrap now creates the trap if it is not already created
2015-02-26 23:10:47 +02:00
Costa Tsaousis (ktsaou)
84c880439f
do not attempt to set net.netfilter.nf_conntrack_helper=1 if /proc/sys/net/netfilter/nf_conntrack_helper is not available to eliminate the warning all kernels prior to 3.5
2015-02-26 14:30:50 +02:00
Costa Tsaousis (ktsaou)
c173c79c8e
nat_helper now supports balancing multiple IPs or ports on all NAT modes (snat, dnat, redirect), using round robin or weighted distribution of requests; fixed an issue of certain failure conditions where the error was generated in a subshell; ipsets now add values ignoring duplicates; FireHOL now reports the final number of iptables rules generated
2015-02-26 02:35:41 +02:00
Costa Tsaousis (ktsaou)
c90249fd78
first attempt to make synproxy work with dynamic IP; added option FIREHOL_SYNPROXY_EXCLUDE_OWNER which once set to 1 will enable matching synproxy packets with owner - it will require "src not" though; made it drop invalid TCP ACK packets from server to client; made synproxy marking a little bit stricter by matching SYN packet
2015-02-23 09:34:05 +02:00
Costa Tsaousis (ktsaou)
e7cf10dbd5
re-wrote multiport support - now it does its best to combine multiports in groups in order to minimize the generated statements
2015-02-23 08:08:00 +02:00
Costa Tsaousis (ktsaou)
a7c4287561
should check for "any" not just empty
2015-02-23 06:10:44 +02:00
Costa Tsaousis (ktsaou)
c1d46bec40
added protected parameters to the first action taken - before it was forced for double branching without reason
2015-02-23 06:02:28 +02:00
Costa Tsaousis (ktsaou)
8dde88092d
fixed log comments on non-fast activation; required protocol on all actions there are custom matches given
2015-02-23 05:49:52 +02:00
Costa Tsaousis (ktsaou)
6110512dcf
fixed monitor mode - it was not executing the commands because it was running with debug enabled
2015-02-22 08:10:25 +02:00
Costa Tsaousis (ktsaou)
6977473de1
fixed typo of the last commit
2015-02-22 07:42:37 +02:00
Costa Tsaousis (ktsaou)
f7f1437d57
allowed outface in synproxy
2015-02-22 07:35:29 +02:00
Costa Tsaousis (ktsaou)
6bb642b901
all NAT helpers support keyword "at" to specify the chain to be attached
2015-02-22 03:51:41 +02:00
Costa Tsaousis (ktsaou)
c8720f3d7d
was ignoring fallback gateways
2015-02-21 06:24:47 +02:00
Costa Tsaousis (ktsaou)
063abbb284
traceroute6 replaced with traceroute -6
2015-02-21 02:16:03 +02:00
Costa Tsaousis (ktsaou)
8459d75f71
synproxy: enable lo routing only when it is necessary; synproxy: on custom actions in INPUT, ACCEPT the SYN packet on filter.OUTPUT and apply the custom action only on filter.INPUT to ensure the custom action is only applied once.
2015-02-20 16:04:46 +02:00
Costa Tsaousis (ktsaou)
bd9d711462
fixed comments in synproxy
2015-02-20 02:07:54 +02:00
Costa Tsaousis (ktsaou)
fbfa90f727
added more blocking chains for synproxy; re-arranged arguments to allow user requested logging of packets
2015-02-20 01:37:52 +02:00
Costa Tsaousis (ktsaou)
b03c9a3e9b
secured synproxy; synproxy now matches synproxy-to-server packets as strictly as possible and does not allow the packets to flow in the NAT table; added -m iprange support in rule() (will be used for IP-IP expressions); support for port ranges using -; limited -m multiport usage to 7 ports (it allows 15, but half of them if they are ranges); renamed activation and finalization functions for better understanding; moved several postprocess commands to close_master() so that the generated statements appear in debug mode.
2015-02-19 23:06:00 +02:00
Costa Tsaousis (ktsaou)
38420c500f
test for stderr, not stdout to enable colors
2015-02-19 03:22:33 +02:00
Costa Tsaousis (ktsaou)
48d0cb9846
synproxy done. it works in all scenarios tested. The way synproxy works, it interacts with transparent proxy, so misuse of the synproxy could allow an attacker to reach a transparent proxy on the same machine - we have to find a solution to isolate synproxy from the rest of the system
2015-02-19 03:21:51 +02:00
Costa Tsaousis (ktsaou)
0b36bbf278
synproxy now works on DNATed servers - still missing REDIRECTed ones
2015-02-16 03:29:21 +02:00
Costa Tsaousis (ktsaou)
e2401cef38
synproxy final touches
2015-02-15 23:39:33 +02:00
Costa Tsaousis (ktsaou)
422c450b07
fixed src/dst mixes #58 ; synproxy helper is now operational
2015-02-15 23:00:36 +02:00
Costa Tsaousis (ktsaou)
13cf138f29
internal variables xxx_IPS can be used to define both ipv4 and ipv6 IPs; #58
2015-02-15 21:29:58 +02:00
Costa Tsaousis (ktsaou)
b083d6fa3c
disable colors on non-terminals
2015-02-15 21:20:59 +02:00
Costa Tsaousis (ktsaou)
2e8e223f6b
fixed hashsize redirection to file
2015-02-15 20:44:20 +02:00
Costa Tsaousis (ktsaou)
fdda26f144
added synproxy helper - untested yet; FIREHOL_CONNTRACK_LOOSE_MATCHING to make conntrack use stricter matching on packets (required for synproxy); FIREHOL_CONNTRACK_MAX to set the max connections the connection tracker will support; FIREHOL_CONNTRACK_HASHSIZE to set the max hashsize the connection tracker will use; FIREHOL_TCP_SYN_COOKIES to control if tcp is using cookies (required for synproxy); FIREHOL_TCP_TIMESTAMPS to control if tcp is using timestamps (required for synproxy); unified all helpers that accept the chain to be attached to support multiple chains and shorter names (in, out, pre, post, pass); made blacklist() and iptrap() helpers work on filter (were on mangle - they should work after synproxy which is only in filter); re-wrote tos() tosfix() and dscp() to avoid branching and to support the new way of expressing chains; added SYNPROXY target in rule(); rule() now supports inserting also rules in chains (required by synproxy); INVALID and ACK+FIN drops are back in filter table (required by synproxy)
2015-02-15 20:30:34 +02:00
Phil Whineray
55343b9a7f
Add link-balancer to generated output
2015-02-15 17:35:06 +00:00
Costa Tsaousis (ktsaou)
07922d6915
removed FIREHOL_DEFAULT_CT_HELPERS and FIREHOL_AUTO_CT_HELPERS and added FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT which takes 3 values: kernel, firehol or manual
2015-02-15 12:55:11 +02:00
Costa Tsaousis (ktsaou)
543bef172f
warning about FIREHOL_DEFAULT_CT_HELPERS=1 usage when using cthelper()
2015-02-15 12:19:43 +02:00
Costa Tsaousis (ktsaou)
6b6a0f0780
support for cthelper bidirectional match
2015-02-15 11:55:09 +02:00
Costa Tsaousis (ktsaou)
6d08565ff8
added mms helper back
2015-02-15 11:20:22 +02:00
Costa Tsaousis (ktsaou)
bf7e8bb276
added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage of this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try to treat several matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance system that keeps track of inface, outface, src and dst of interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal". It is also applied in mangle instead of filter to prevent unnecessary traversal of the mangle table;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globally; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter;
fixed a bug in rule() when both ipv4 and ipv6 src/dst were given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unnecessary protocol matches (was not resetting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 02:27:42 +02:00
Costa Tsaousis (ktsaou)
0d59384b1a
optimized server/client statements branching - controlled with FIREHOL_CHAIN_PER_SERVICE option - implemented with chain aliases so that all services still work without change; optimized nat and transparent_proxy branching; added support in rule() for actions that require a protocol (like REDIRECT); disabled spinner on non-terminals; added cstatus command line option to show the connection tracker status; status now also shows the raw table and the active ipsets; now the generated rules are 20-30% fewer due to less branching
2015-02-13 02:43:38 +02:00
Costa Tsaousis (ktsaou)
c8b6a86d01
removed pid sid cmd matches since they are not supported anymore; updated params man page - still incomplete though
2015-02-12 23:02:13 +02:00
Costa Tsaousis (ktsaou)
5ac3263d72
renamed iplimit to connlimit - iplimit no longer exists; preferred to put negative src/dst ipsets in possibly available negative branch
2015-02-12 22:23:00 +02:00
Costa Tsaousis (ktsaou)
ed972f3358
removed a push/pop namespace for rules(), seems to be a left-over from when src/dst IPs were validated
2015-02-12 20:53:41 +02:00
Costa Tsaousis (ktsaou)
6a892ee6d2
default option for ipset options to support older ipset versions; fix when setting ENABLE_IPVx=0 to firehol-defaults that was giving errors
2015-02-12 17:46:22 +02:00
Costa Tsaousis (ktsaou)
6bda3e6f7a
forgot to add ${custom} to constraints check
2015-02-12 03:10:18 +02:00
Costa Tsaousis (ktsaou)
c4e0ef630e
infinite loop on constraints branching
2015-02-12 02:13:27 +02:00
Costa Tsaousis (ktsaou)
9592c4b35a
left a log line uncommented
2015-02-12 01:49:07 +02:00
Costa Tsaousis (ktsaou)
407a366633
another re-write of rule(): a lot more optimized iptables rules generation, less branching, less generation of logging statements, more accurate positive and negative rules matching; added an optional progress spinner - off by default
2015-02-12 01:42:38 +02:00
Costa Tsaousis (ktsaou)
9546af275e
fixed line wrapping in explain mode
2015-02-11 14:15:06 +02:00
Costa Tsaousis (ktsaou)
c7fba06f5e
now iptrap can use any type of ipset (added option "method"), action supports ipuntrap, src/dst matching with ipset does not increment the ipset counters if present
2015-02-11 00:26:11 +02:00
Costa Tsaousis (ktsaou)
67b28c62dc
fix for the last commit
2015-02-09 23:25:23 +02:00
Costa Tsaousis (ktsaou)
0465b2fd1c
added command line option "reset-ipsets" to reset the dynamic ipsets created by firehol; separated ipset options used by iptrap when timeout and counters is used; added checks to make sure that an iptrap generated ipset is not used with both timeout and counters options
2015-02-09 23:18:49 +02:00
Costa Tsaousis (ktsaou)
8a7d3092a1
added options "timeout" and "counters" to iptrap. These control what will happen with packets already in the ipset: if the timeout will be reset at every packet, or the packet and bytes counters will be updated; they are mutually exclusive
2015-02-09 22:28:35 +02:00
Costa Tsaousis (ktsaou)
e02968e112
added ipset optional rule parameter and SET action in rule()
2015-02-08 22:59:41 +02:00
Costa Tsaousis (ktsaou)
cf8b510095
removed from iptrap the functionality to create actions; now the action helper can create a list of action with logic in them; updated docs
2015-02-08 14:42:35 +02:00
Costa Tsaousis (ktsaou)
a58365d6f5
iptrap helper can accept an action other than RETURN, can apply its rules in multiple tables with the table keyword and can just create a chain without linking it with the define_action keyword
2015-02-08 12:19:51 +02:00
Costa Tsaousis (ktsaou)
1a80afc8c8
blacklist and iptrap except rules now accept negative expressions too; firehol explain now has a history
2015-02-08 10:44:00 +02:00
Costa Tsaousis (ktsaou)
3b8505f73d
added helper ipuntrap, to undo what iptrap does; keyword "except" does not accept negative expressions - added check in rule(); workaround for a bash bug that did not show all commands in explain mode; added some color and option -nc to disable colors; added some more info in various points for debug mode; debug mode was not generating comments - fixed it
2015-02-07 17:28:43 +02:00
Costa Tsaousis (ktsaou)
daf7981da0
added IPTRAP_DEFAULT_IPSET_OPTIONS in defaults to control the ipset options used by iptrap
2015-02-07 12:18:13 +02:00
Costa Tsaousis (ktsaou)
c4ca4630ab
fix for allowing UNROUTABLE_IPS and the rest of internal ip set in ipset
2015-02-07 12:01:40 +02:00
Costa Tsaousis (ktsaou)
c98e6aa29c
cleanup and optimizations in rule()
2015-02-07 08:46:46 +02:00
Costa Tsaousis (ktsaou)
70ead41283
blacklist helper, different log message for input and output
2015-02-07 02:57:14 +02:00
Costa Tsaousis (ktsaou)
4b8b805c43
blacklist helper: added support for accounting and excepted rules, i.e. rules that match a whitelist
2015-02-06 23:50:28 +02:00
Costa Tsaousis (ktsaou)
f8e953f061
iptrap generated ipsets do not lose their values when the firewall is restarted
2015-02-06 22:43:23 +02:00
Costa Tsaousis (ktsaou)
68f52a99f9
modified iptrap helper to create the ipset if not already created, and do not alter the traffic, just trap the IP; it also supports src,dst and dst,src sets
2015-02-06 11:12:30 +02:00
Costa Tsaousis (ktsaou)
90f46d6269
first commit for iptrap helper; made SIP service use both TCP and UDP; blacklist helper now is applied on PREROUTING mangle, before anything else.
2015-02-06 02:57:06 +02:00
Costa Tsaousis (ktsaou)
16b1a55c48
blacklist helper now accepts log text and inface to apply the blacklist to; it is re-written to use rule() instead of plain iptables commands; updated man page
2015-02-06 01:08:15 +02:00
Costa Tsaousis (ktsaou)
955cde92be
better cleanup and printout of differences reporting
2015-02-05 22:36:29 +02:00
Costa Tsaousis (ktsaou)
edb3413005
fixed ipsets update from files when obsolete files in /var/spool/firehol for the same ipset prevent an update
2015-02-05 02:24:56 +02:00
Costa Tsaousis (ktsaou)
c541723e32
prevent double cleanup of ipset temporary sets
2015-02-05 00:45:17 +02:00
Costa Tsaousis (ktsaou)
9f9a73a688
fixed ipset ipv6 support; better cleanup when ipset is interrupted by user
2015-02-05 00:05:13 +02:00
Costa Tsaousis (ktsaou)
72d4ce4c5c
missed a failure message in the last commit
2015-02-04 00:37:59 +02:00
Costa Tsaousis (ktsaou)
e27364b059
missed a failure message in the last commit
2015-02-04 00:36:55 +02:00
Costa Tsaousis (ktsaou)
79286f97f7
existing ipsets are updated by adding a temporary set and once finished adding, swapping it with the real ipset and removing the temporary one
2015-02-04 00:33:17 +02:00
Costa Tsaousis (ktsaou)
e81282ccb6
fix for iptables log comments with space in them in fast activation mode; #54
2015-02-03 21:21:01 +02:00
Costa Tsaousis (ktsaou)
4448133896
fix for when negative src/dst for both ipv4 and ipv6 appear on the same statement #55
2015-02-03 20:39:25 +02:00
Costa Tsaousis (ktsaou)
808e33a4a1
fixed a typo as per #53
2015-02-03 20:18:44 +02:00
Costa Tsaousis (ktsaou)
16849f1463
fix to detecting if snat, dnat, redirect have set a protocol
2015-02-03 12:31:57 +02:00
Costa Tsaousis (ktsaou)
6ef9d4f2a4
added custom-in and custom-out optional rule parameters, as requested in #53 ; keep in mind that these rules cannot be used in helpers, only in interface, router, group with, server, client, route; For routers, the general rule is that: custom-in is applied on traffic from inface and custom-out on the opposite direction
2015-02-03 01:36:15 +02:00
Costa Tsaousis (ktsaou)
7c11a26a1b
added options random and persistent for snat, dnat and redirect helpers
2015-02-02 23:59:49 +02:00
Costa Tsaousis (ktsaou)
cdaf280e53
added to-ports and random option for masquerade helper
2015-02-02 23:28:35 +02:00
Costa Tsaousis (ktsaou)
85056a0079
removed obsolete code; made it log to syslog all progress steps and detect configuration files that may be included from the main config file
2015-02-02 22:54:11 +02:00
Costa Tsaousis (ktsaou)
a7be46d9f7
console output cleanup; all messages sent to stderr
2015-02-02 00:39:33 +02:00
Costa Tsaousis (ktsaou)
e05aaee4d9
ipset code cleanup
2015-02-02 00:16:33 +02:00
Costa Tsaousis (ktsaou)
93dfc2b217
fix for ipset compatibility
2015-02-01 23:06:48 +02:00
Costa Tsaousis (ktsaou)
c963110764
support for older versions of ipset
2015-02-01 22:51:13 +02:00
Costa Tsaousis (ktsaou)
cbd07447f7
added ipv4, ipv6 and ipv46 shortcuts for helpers
2015-02-01 21:20:14 +02:00
Costa Tsaousis (ktsaou)
f840b5d7ee
added shortcuts "default" and "classic" to markdef
2015-02-01 20:39:26 +02:00
Costa Tsaousis (ktsaou)
cd50ca58ae
blacklist now logs dropped packets
2015-02-01 17:17:34 +02:00
Costa Tsaousis (ktsaou)
0366bd1909
properly match the whole ipset collection name when running with ipset_update_from_file and save the updated statements for restoration in /var/spool/firehol
2015-02-01 16:22:12 +02:00
Costa Tsaousis (ktsaou)
7b8167d3c9
firehol now accepts command line parameter "ipset_update_from_file"; example in wiki: https://github.com/ktsaou/firehol/wiki/FireHOL-support-for-ipset
2015-02-01 07:15:10 +02:00
Costa Tsaousis (ktsaou)
64913be3ca
changed syntax of ipset to comply with ipset
2015-02-01 06:09:17 +02:00
Costa Tsaousis (ktsaou)
c15e5e76fe
extended ipset option file to grep only ips (ipfile) or only nets (netfile)
2015-02-01 04:18:02 +02:00
Costa Tsaousis (ktsaou)
1fdf21c109
added ipset helper to initialize ipset. It is a full wrapper around the ipset command. The key difference is that it accepts a list of IPs at the "ipset create" line, or the keyword "file" to load ips from a file.
2015-02-01 01:08:12 +02:00
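The commits above describe two things worth seeing together: loading an ipset from a file while keeping only addresses (ipfile) or only networks (netfile), and refreshing an existing set by filling a temporary set and then swapping it with the live one, so the set is never empty while the refresh runs. The following is an added illustration in Python, not firehol's own bash code: it builds the command stream that `ipset restore` reads from stdin. The temporary set name NAME.tmp, the sample address list and the 31-character name limit check are assumptions of this example.

```python
# Added illustration (not firehol's own code): atomic ipset refresh via a
# temporary set and "swap", emitted as an "ipset restore" script.
import ipaddress

IPSET_MAXNAMELEN = 31  # assumption of this example: ipset rejects longer set names


def read_entries(text, mode="file"):
    """Parse an address list (one entry per line, '#' comments allowed).

    mode selects what survives, mirroring firehol's file/ipfile/netfile:
      'file'    keep single addresses and networks
      'ipfile'  keep single addresses only
      'netfile' keep networks only
    Invalid lines are skipped and duplicates dropped, because a duplicate
    'add' would abort 'ipset restore' half way through the update.
    """
    seen, entries = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        is_host = net.num_addresses == 1
        if (mode == "ipfile" and not is_host) or (mode == "netfile" and is_host):
            continue
        entry = str(net.network_address) if is_host else str(net)
        if entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def restore_script(name, settype, entries):
    """Return an 'ipset restore' script that replaces set NAME atomically.

    NAME must already exist with the hash type SETTYPE (swap requires both
    sets to have the same type).  The temporary name NAME.tmp is an
    assumption of this example, not firehol's naming.
    """
    tmp = name + ".tmp"
    if len(tmp) > IPSET_MAXNAMELEN:
        raise ValueError("temporary set name too long: %r" % tmp)
    versions = {ipaddress.ip_network(e, strict=False).version for e in entries}
    if len(versions) > 1:
        raise ValueError("one ipset holds a single address family")
    family = "inet6" if versions == {6} else "inet"
    lines = ["create %s %s family %s" % (tmp, settype, family)]
    lines += ["add %s %s" % (tmp, e) for e in entries]
    # the live set is only touched by the swap, so there is no empty window
    lines += ["swap %s %s" % (tmp, name), "destroy %s" % tmp]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample input, not a real blocklist
    SAMPLE = "1.2.3.4\n# comment\n10.0.0.0/8\nnot-an-ip\n1.2.3.4\n"
    print(restore_script("BLOCKED", "hash:net", read_entries(SAMPLE)), end="")
```

Feed the output to `ipset restore` as root; if the live set does not exist yet, create it with the same type first, since `swap` refuses sets of different types.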
Costa Tsaousis (ktsaou)
6c98852f4f
added support for ipset matches in src dst and blacklist(); to use it, instead of any IP just use "ipset:NAME" where NAME is the name of the ipset; ipsets can coexist with IPs, example: server smtp accept src 1.2.3.4,ipset:GOODSMTP,ipset:BESTSMTP,5.6.7.8
2015-01-31 19:25:19 +02:00
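The commit above introduces the `ipset:NAME` token inside a src/dst list and notes that such tokens can be mixed with plain addresses. Because iptables accepts a single `-s`/`-d` per rule, a list like the one in the example has to be expanded into one rule per member, with set members becoming `-m set --match-set NAME src` matches and plain addresses routed to iptables or ip6tables by family. The following is an added Python illustration of that expansion, not firehol's own rule() code; the chain name, the `set_families` lookup and the sample list are assumptions of this example.

```python
# Added illustration (not firehol's own code): expand a firehol-style
# src/dst list into the per-rule matches iptables needs.
import ipaddress
import re

SET_PREFIX = "ipset:"


def expand_matches(spec, direction="src", set_families=None):
    """Expand 'a,b,c' (or space separated) into (tool, match_args) pairs.

    iptables accepts one -s/-d per rule, so every member becomes its own
    rule.  'ipset:NAME' becomes a set match; plain entries are routed to
    iptables or ip6tables by address family.  set_families (assumption of
    this example, not a firehol setting) maps a set name to 4 or 6; a set
    not listed there is matched in both tools.
    """
    if direction not in ("src", "dst"):
        raise ValueError("direction must be src or dst")
    flag = "-s" if direction == "src" else "-d"
    set_families = set_families or {}
    out = []
    for token in re.split(r"[,\s]+", spec.strip()):
        if not token:
            continue
        if token.startswith(SET_PREFIX):
            name = token[len(SET_PREFIX):]
            if not name:
                raise ValueError("empty ipset name in %r" % token)
            fam = set_families.get(name)
            for tool, ver in (("iptables", 4), ("ip6tables", 6)):
                if fam is None or fam == ver:
                    out.append((tool, ["-m", "set", "--match-set", name, direction]))
            continue
        net = ipaddress.ip_network(token, strict=False)  # raises on garbage
        tool = "iptables" if net.version == 4 else "ip6tables"
        addr = str(net.network_address) if net.num_addresses == 1 else str(net)
        out.append((tool, [flag, addr]))
    return out


def rule_commands(chain, spec, direction="src", target="ACCEPT", set_families=None):
    """Render one complete iptables/ip6tables command per expanded member."""
    return ["%s -A %s %s -j %s" % (tool, chain, " ".join(args), target)
            for tool, args in expand_matches(spec, direction, set_families)]


if __name__ == "__main__":
    # "in_smtp" is a hypothetical chain name; the list is the commit's example
    for cmd in rule_commands("in_smtp",
                             "1.2.3.4,ipset:GOODSMTP,ipset:BESTSMTP,5.6.7.8",
                             set_families={"GOODSMTP": 4, "BESTSMTP": 4}):
        print(cmd)
```

Without a family hint a set match is emitted for both tools; in practice a set has one family, so pass it to avoid an ip6tables rule that references an IPv4-only set.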
Costa Tsaousis (ktsaou)
1fd3844b41
Check for BASH version 4 or later; properly handle response codes of configuration file sourcing
2015-01-31 17:02:43 +02:00
Costa Tsaousis (ktsaou)
e5def6100b
do not return error if a rules statements generated no rules - it breaks sourcing of config file if the last rule statement generates no rules
2015-01-31 15:38:12 +02:00
Costa Tsaousis (ktsaou)
1eef048246
10% faster again... the basecmd declaration in rule() was responsible for most of it...
2015-01-31 14:35:25 +02:00
Costa Tsaousis (ktsaou)
073349954a
fix for last commit; FIREHOL_WAIT_USER_BEFORE_TRY is only used when the firewall is tried
2015-01-31 02:59:27 +02:00
Costa Tsaousis (ktsaou)
1c9867d877
added option FIREHOL_WAIT_USER_BEFORE_TRY=600 to wait for user confirmation before fast-activation
2015-01-31 02:53:34 +02:00
Costa Tsaousis (ktsaou)
34d313f971
now it traces properly includes of config files from within config files, and reports proper line numbers and source files; now it detects if it runs on a color terminal
2015-01-31 00:50:04 +02:00
Costa Tsaousis (ktsaou)
0f1e2bf4ea
now it traces properly includes of config files from within config files, and reports proper line numbers and source files; now it detects if it runs on a color terminal
2015-01-31 00:49:28 +02:00
Costa Tsaousis (ktsaou)
f4e4b4c764
now it traces properly includes of config files from within config files, and reports proper line numbers and source files; fixed a typo in rule(); moved defaults file generation after the config dir has been created; firehol is 25-30% faster in preprocessing compared to the previous commit - re-arranged almost all local variables (this only accounts for 4% increase in preprocessing speed); improved error handling when fast activation is disabled (30% faster activation with fast activation disabled)
2015-01-31 00:45:56 +02:00
Costa Tsaousis (ktsaou)
46923899eb
fix for bidirectional class groups
2015-01-26 00:49:14 +02:00
Costa Tsaousis (ktsaou)
6c17cb4d88
debug mode now does not run the rules (like firehol); stdout gives the generated statements, stderr gives user messages (like firehol); re-wrote rate2bps()
2015-01-26 00:12:26 +02:00
Costa Tsaousis (ktsaou)
d97174df3c
fix for empty FIREQOS_CONNMARK_RESTORE; #49
2015-01-25 20:30:52 +02:00
Costa Tsaousis (ktsaou)
dc9f031ec9
FIREQOS_CONNMARK_RESTORE can get only one value: act_connmark; added warning if mark matches are used on input interfaces without a connmark restoration policy; #49
2015-01-25 20:28:53 +02:00
Costa Tsaousis (ktsaou)
d53e42bb0f
connmark options can be specified as per #49
2015-01-25 18:01:24 +02:00
Costa Tsaousis (ktsaou)
4f2b99298a
marks can now be stateful/stateless and temporary/permanent as per #50
2015-01-25 17:59:28 +02:00
Costa Tsaousis (ktsaou)
55e445e033
experimental connmark save/restore - disabled by default - set FIREQOS_ENABLE_CONNMARK_SAVE_RESTORE=1 to enable - #49
2015-01-25 15:03:18 +02:00
box@home root
816e2a54ea
check for external commands availability; added some colors on output
2015-01-25 00:34:34 +02:00
box@home root
3bc1fc81fa
check for rm command availability
2015-01-25 00:34:01 +02:00
Costa Tsaousis (ktsaou)
21b187a5d0
Merge branch 'master' of github.com:ktsaou/firehol
2015-01-24 22:11:24 +02:00
Costa Tsaousis (ktsaou)
1952feb160
support for comma as a list separator; optimizations for fireqos
2015-01-24 21:46:38 +02:00
Phil Whineray
17b85843c7
Account for work_error not incremented in subshell
2015-01-24 16:58:57 +00:00
Phil Whineray
0945acdf86
Clean up errors when applying a missing mark
...
Stop logger from breaking if our message has e.g. -arg in it
Return from mark helpers if there was an error and no result from mark_value()
2015-01-24 16:44:15 +00:00
Costa Tsaousis (ktsaou)
2488287e5b
centralized mark value calculation and error handling for all tools
2015-01-24 17:32:23 +02:00
Costa Tsaousis (ktsaou)
7f7045003f
removed peek_namespace, fixed pop_namespace #45
2015-01-24 13:17:20 +02:00
Costa Tsaousis (ktsaou)
d688b97365
fixed namespace pop #45
2015-01-24 13:06:43 +02:00
Costa Tsaousis (ktsaou)
91f6732e4a
allowed multiple marks for each mark match #47
2015-01-24 12:31:25 +02:00
Costa Tsaousis (ktsaou)
538e8b7b9a
optimized firehol; gained a 43% speed increase compared to the previous version; there are still a few optimizations to be made that will contribute probably another 10%; still everything is in BASH; #45
2015-01-24 04:21:04 +02:00
Costa Tsaousis (ktsaou)
b0b3659399
workaround what seems to be an associative array bash bug
2015-01-23 23:47:40 +02:00
Costa Tsaousis (ktsaou)
44cabf981b
added check to detect re-definition of a mark type
2015-01-23 00:42:30 +02:00
Costa Tsaousis (ktsaou)
519b7b05b3
moved marks.conf into firehol-defaults.conf; added support for custom defined marks using the custommark firehol helper and the match with the same name; #23
2015-01-23 00:34:22 +02:00
Costa Tsaousis (ktsaou)
89bca91217
made TPROXY helper use the maximum usermark instead of a fixed one #25 #23
2015-01-22 23:09:18 +02:00
Costa Tsaousis (ktsaou)
76267346c0
convert marks to hex, in order to match ip rule output
2015-01-22 22:35:19 +02:00
Costa Tsaousis (ktsaou)
0657b76213
bitmasked marks
2015-01-19 21:28:55 +02:00
Costa Tsaousis (ktsaou)
57947e2e51
bitmasked marks
2015-01-19 21:28:48 +02:00
Costa Tsaousis (ktsaou)
c4558a45e6
bitmasked marks
2015-01-19 21:28:43 +02:00
Costa Tsaousis (ktsaou)
07fde44784
fix for EXPLAIN mode
2015-01-18 21:38:38 +02:00
Costa Tsaousis (ktsaou)
1a6877cc32
added fallback in parsing; fixed firehol.conf command reference in help
2015-01-17 20:08:03 +02:00
Costa Tsaousis (ktsaou)
b00045da3b
added help, version, example file generation; add policy command to influence ipv4 and ipv6 for all rules; made it handle Control-C; added fallback gateway management
2015-01-17 18:29:29 +02:00
Costa Tsaousis (ktsaou)
73f0863478
fixed recursion at exit
2015-01-17 18:26:41 +02:00
Costa Tsaousis (ktsaou)
64003397ba
fixed recursion at exit
2015-01-17 18:26:35 +02:00
Costa Tsaousis (ktsaou)
48317ba7d7
made it properly handle Control-C by trapping INT
2015-01-17 17:42:33 +02:00
Costa Tsaousis (ktsaou)
dad17607a0
firehol may not restore an IPv6 firewall at exit, if it was running only in IPv6 mode; made it properly handle Control-C by trapping INT
2015-01-17 17:41:52 +02:00
Costa Tsaousis (ktsaou)
b24021a3d7
logger fix
2015-01-17 04:19:48 +02:00
Costa Tsaousis (ktsaou)
cee756488b
as before
2015-01-17 04:17:56 +02:00
Costa Tsaousis (ktsaou)
2b5cbc222c
was not processing rules when a gateway was unavailable
2015-01-17 04:15:39 +02:00
Costa Tsaousis (ktsaou)
ffd3916c3e
was not setting IPvX when the gateway was unavailable
2015-01-17 04:12:13 +02:00
Costa Tsaousis (ktsaou)
7a41b2a36f
LinkBalancer initial commit
2015-01-17 02:06:50 +02:00
Costa Tsaousis (ktsaou)
dc65bd4b97
fix for issue #43
2015-01-10 21:50:20 +02:00
Costa Tsaousis (ktsaou)
617a80ccea
fixed a minor bug that was creating empty .conf files in /var/run/fireqos
2015-01-09 02:44:10 +02:00
Costa Tsaousis (ktsaou)
8e6af3ae24
system-wide defaults file /etc/firehol/firehol-defaults.conf; added option to make start behave like restore if the config files are not changed; restoration of last firewall now takes into account all files in /etc/firehol and /etc/firehol/services and also the command line arguments that may have been passed to firehol.conf; stop does not save the running firewall anymore (it could lead to an endless loop of activating the wrong firewall again and again); added option "nofast" to command line args to quickly try to activate a firewall without fast activation; fast activation is now enabled by default; silent drop of orphan TCP ACK,FIN is enabled by default; various other minor fixes
2015-01-06 19:53:45 +02:00
Costa Tsaousis (ktsaou)
7417f01bcc
Merge branch 'master' of github.com:ktsaou/firehol
2015-01-04 02:25:18 +02:00
box@home root
dfdc5819cc
accounting warning moved on first use of an accounting rule.
2015-01-04 02:24:42 +02:00
Phil Whineray
98855eaa30
Fix chain-exists logic in: with recent/knock/limit
...
Typo from switching to an associative array. We need to create
the chain first time through, when the value is empty.
2015-01-03 13:44:27 +00:00
Costa Tsaousis (ktsaou)
c9ed9c746f
added support for accounting using NFACCT, to use it just add 'accounting [name]' to any statement (even interfaces, NAT, server, client, etc), where [name] is a name to be given to the accounting object, then when the firewall is running use '/usr/sbin/nfacct list' to get the counters; converted unique chain management from files to associative bash arrays; added 'local' to a large number of rules that were missing; fixed error handling of the restore feature; made 'debug' mode aware of the ipv4 and ipv6
2015-01-03 07:45:19 +02:00
Costa Tsaousis (ktsaou)
5451641021
better support for restoring postprocessed commands - any kind of command, not just kernel modules
2014-12-30 20:42:58 +02:00
Costa Tsaousis (ktsaou)
b10a8622cb
Now it always saves the activated firewall to /var/spool/firehol and can quickly restore it at boot with the restore argument. Also, when calling stop it saves the firewall again, with their packet and byte counters, so that when restored it continues where it left off. So at boot it should be called with "restore" and at shutdown it should be called with "stop"
2014-12-19 23:46:53 +02:00
Costa Tsaousis (ktsaou)
a4dba2b212
fixed physin/physout to specify new iptables options --physdev-is-bridged in routers, --physdev-is-in at the input of interfaces, --physdev-is-out at the output of interfaces
2014-11-19 01:50:47 +02:00
Costa Tsaousis (ktsaou)
e190008f98
fixed srcmac/dstmac for ipv6
2014-11-15 19:57:25 +02:00
Phil Whineray
521e8c142d
Delete activation rules by spec not number
...
Fixes #41
The assumption that the rules added to allow established connections
during activation will always be first is wrong for configs with
iptables -I statements.
2014-11-06 22:36:08 +00:00
Phil Whineray
09748049ee
Prevent all IPv6 actions after initial disable
2014-10-18 08:15:47 +01:00
Phil Whineray
ca07e978f8
Detect non-IPv6 hosts
2014-10-18 08:04:12 +01:00
Phil Whineray
6dd351f5cc
Fix "accept with limit"
...
Chain names were created too long and only the first of IPv4 or IPv6
2014-10-15 17:11:03 +01:00
Phil Whineray
a6a5e55c41
Create functional helpme output
...
Includes pointers to the IPv6 upgrade documentation
Fixes issue #35
2014-10-04 13:38:34 +01:00
Phil Whineray
5fecbb9591
Remove redundant firehol_wget and wget_cmd helpers
...
They were used by ecn_shame only, which was removed some time back since
the list is no longer available.
Thanks to Jerome Benoit
2014-10-04 10:54:32 +01:00
Phil Whineray
1f0db36baf
Use mktemp for temporary directories during RPC
...
Slightly safer than random numbers because it can never conflict
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
da7b96e7ab
Don't delete and recreate the temporary directory
...
mktemp already ensured it was unique as part of creating it
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
87f8827e75
Treat mktemp like other required commands
...
Add it to configure script and use the which_cmd to detect at runtime.
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
8b8e5c9761
Silence module detection warning when not loading
...
The warning says that we will always load the modules, even though we
will honour the variable which says never to do so.
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e14e118532
Update copyright strings
...
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
box@home root
6bad95950f
added srcmac dstmac matches
2014-08-17 18:30:50 +03:00
Phil Whineray
e8c70871c5
Do not fix source ports for DHCPv6
...
Some servers do not use them, and the RFC allows this.
http://lists.firehol.org/pipermail/firehol-support/2014-July/002824.html
http://www.ietf.org/rfc/rfc3315.txt
2014-07-27 12:07:59 +01:00
Phil Whineray
edd7dace10
Explain that ICMPv6 ND/RD packets are untracked
2014-07-27 11:25:02 +01:00
Costa Tsaousis (ktsaou)
4939c52d1b
added warning as suggested in #29
2014-06-11 22:52:57 +03:00
Costa Tsaousis (ktsaou)
7d95733f60
fixed mixed ipv4 and ipv6 matches that were generating match priorities above 0xffff
2014-06-09 11:13:35 +03:00
Phil Whineray
f741b4b422
Ensure dst4 and dst6 work in interface
...
src4 and src6 are already OK
2014-06-07 17:26:31 +01:00
Costa Tsaousis (ktsaou)
cb43b72381
added /sbin:/usr/sbin to system path to solve an issue with pppd ip-up scripts; now automatic numbering continues giving class priorities after the manual priority given
2014-05-04 14:56:05 +03:00
Costa Tsaousis (ktsaou)
989a6067e7
added the option to limit each match to a specific rate; this required support for police and estimator in filters
2014-04-11 00:29:33 +03:00
Costa Tsaousis (ktsaou)
e323bd501f
reworked tproxy parameters parsing for issue #25
2014-03-25 23:42:13 +02:00
Costa Tsaousis (ktsaou)
ef153a80d0
tproxy support. beta. may not work. fixed issue #25
2014-03-25 23:13:20 +02:00
Costa Tsaousis (ktsaou)
471da265b3
link the interface name with the configuration name in /var/run/fireqos/
2014-03-25 20:18:56 +02:00
Costa Tsaousis (ktsaou)
e238a22cc6
for bi-directional interfaces, it appends -in or -out to interface name automatically
2014-03-15 16:36:05 +02:00
Costa Tsaousis (ktsaou)
2c3ac70691
full bidirectional interface support, including firehol like services
2014-03-15 16:13:59 +02:00
Costa Tsaousis (ktsaou)
c732df28a6
added warning if MARK and CONNMARK are used together, for issue #23
2014-03-14 01:31:44 +02:00
Costa Tsaousis (ktsaou)
46955f9eb4
added support for failed lines detection for issue #22 , improved connmark for issue #23
2014-03-14 01:13:28 +02:00
Costa Tsaousis (ktsaou)
83a084e9c1
another connmark fix for issue #23
2014-03-13 03:08:34 +02:00
Costa Tsaousis (ktsaou)
e51a46a140
another connmark fix for issue #23
2014-03-13 02:35:12 +02:00
Costa Tsaousis (ktsaou)
54cfeaeaae
connmark fix for issue #23
2014-03-13 01:46:50 +02:00
Costa Tsaousis (ktsaou)
fe40dbc5bc
fixes issues #22 and #23
2014-03-13 00:20:00 +02:00
Phil Whineray
37536fdfa9
Implement low-resolution timer
...
Embedded OpenWRT does not support sub-second dates or sleeps
2014-02-22 11:58:50 +00:00
Phil Whineray
1d317690a8
Allow insmod as an alternate to modprobe
...
Only insmod is available on embedded OpenWRT
2014-02-22 11:58:43 +00:00
Phil Whineray
750da174ca
Fix IPv4-only save/restore and fastactivation
...
These were still trying to run, despite the commands not being available
2014-02-22 11:54:39 +00:00
Phil Whineray
40fde76a78
Fix firehol save
...
Was trying to save to temporary location, not the specified one.
Error introduced in df50d6cb29b9a716a40d99918de46cb0e899e42a.
2014-02-22 08:44:26 +00:00
Phil Whineray
95b3e66836
Use IPv4 only unless config version is set as 6
2014-02-09 18:11:39 +00:00
Phil Whineray
bb19f5500a
Fix line numbering for new commands
2014-02-03 22:58:10 +00:00