Commit Graph

637 Commits

Author SHA1 Message Date
Costa Tsaousis (ktsaou)
112a21c445 added prototype for custom/admin/user supplied downloaders; fixed an issue with git commits 2015-11-10 22:15:58 +02:00
Philip Whineray
370a6616f4 Honour the config directory set by configure
Ensure that ipset_remove_all_tmp_sets() is defined before it can
be called in firehol_exit().
2015-11-10 18:35:12 +00:00
Philip Whineray
d2ec651cdc Detect and use TAR_CMD
A couple of other programs replaced
Allow unconfigured programs to detect iprange in-situ
2015-11-10 07:26:59 +00:00
Costa Tsaousis (ktsaou)
f7c3f430fd Merge branch 'master' of github.com:firehol/firehol 2015-11-10 01:50:38 +02:00
Costa Tsaousis (ktsaou)
41db726dfb added ability to ask update for specific ipsets; added distribution, admin and user supplied ipsets; moved the current directory to a temporary place to prevent accidental damage or random files appearing in system locations 2015-11-10 01:50:33 +02:00
Philip Whineray
c031254067 Remove unused commands
Detect unused commands in script during pre-commit checks
Always use /sbin and /usr/sbin as part of autoconf detection
2015-11-09 20:52:11 +00:00
Philip Whineray
ee401fc813 Switch vnetbuild to common command detection 2015-11-09 07:39:05 +00:00
Costa Tsaousis (ktsaou)
740c738f29 made range printing, always print ranges 2015-11-09 09:33:05 +02:00
Philip Whineray
ea252883d8 Add perl script to detect plain command usage
Update scripts with the problems found
In firehol, moved the iptables() and ipset() helpers to before they are
used, since this is how the detection script learns they are not a problem.
2015-11-08 17:28:16 +00:00
Costa Tsaousis (ktsaou)
6a1dbc4db7 fixed a division by zero 2015-11-08 12:35:02 +02:00
Costa Tsaousis (ktsaou)
741d0d09a3 --enable-all does not enable certain ip lists; these can only be enabled manually 2015-11-08 09:26:26 +02:00
Costa Tsaousis (ktsaou)
c5e6026c61 modified to automatically support sane default for running as root or as user 2015-11-08 06:27:36 +02:00
Costa Tsaousis (ktsaou)
9d2b75bc9f allow configuration variables to be set via environment 2015-11-08 05:11:51 +02:00
Costa Tsaousis (ktsaou)
f28122934e isolated warning about WEB_DIR and LIB_DIR 2015-11-08 03:25:30 +02:00
Costa Tsaousis (ktsaou)
4b463218a7 allowed badips.com lists to be empty 2015-11-07 23:54:50 +02:00
Costa Tsaousis (ktsaou)
04e93f0b0d prevent ipsets from being updated with zero IP count (it is allowed for all malware ipsets); added function for temporary settings per ipset; added history_statistics() to calculate min/max/avg update time, min/max entries and min/max IPs for the last 500 updates of ipsets 2015-11-07 23:46:31 +02:00
Costa Tsaousis (ktsaou)
05f91ad033 added min/max update duration calculation for all lists 2015-11-07 19:23:51 +02:00
Costa Tsaousis (ktsaou)
2c843be9a7 calculated the average update frequency of lists; support for the new dns progress bar of iprange 2015-11-07 18:56:21 +02:00
Costa Tsaousis (ktsaou)
9b4320a44c disable dns progress bar by default 2015-11-07 18:55:47 +02:00
Costa Tsaousis (ktsaou)
c699a4cd91 moved RUN_DIR to /tmp because certain distros have very small /var/run tmpfs - /tmp is the proper place for temporary files 2015-11-07 15:26:04 +02:00
Costa Tsaousis (ktsaou)
4c9a7a2c2d use iprange DNS resolv instead of the host command; use iprange binary format for the history log of aggregated ipsets 2015-11-07 15:05:53 +02:00
Costa Tsaousis (ktsaou)
a59e485d22 Merge branch 'master' of github.com:firehol/firehol 2015-11-07 13:24:24 +02:00
Phil Whineray
0dac5317fb Detect and use pthreads when building iprange 2015-11-07 06:50:36 +00:00
Costa Tsaousis
c608bc3c22 update-ipsets now uses the async DNS resolver of iprange 2015-11-07 04:38:29 +02:00
Costa Tsaousis (ktsaou)
25249ad1f8 added options to silent dns errors and hide the progress bar 2015-11-07 04:06:04 +02:00
Costa Tsaousis (ktsaou)
d590fef00c added asynchronous DNS resolver - now it needs to be built with -lpthread 2015-11-07 03:45:09 +02:00
Costa Tsaousis (ktsaou)
2f3a825dda added async dns resolution - still in progress, so it is disabled, make with CFLAGS=-DASYNC_RESOLVER to enable for testing 2015-11-06 03:00:37 +02:00
Costa Tsaousis (ktsaou)
213a28571d moved hostname resolution to a separate function 2015-11-06 01:22:52 +02:00
Costa Tsaousis (ktsaou)
c021d69c91 better handling of erroneous lines in input files; 30% faster printing of IP addresses; support for DNS resolution of hostnames in input files 2015-11-06 01:08:34 +02:00
Costa Tsaousis (ktsaou)
94d4b7eb73 added more packetmail lists 2015-11-05 01:33:16 +02:00
Costa Tsaousis (ktsaou)
dd91db096c fix for optional and possibly missing commands 2015-11-05 00:16:22 +02:00
Costa Tsaousis (ktsaou)
5f9c83ce48 cleanup of required commands; cleanup of log formatting; some better error handling 2015-11-05 00:10:07 +02:00
Costa Tsaousis (ktsaou)
f2cc8ead49 fixes after the external command management to make it operational again 2015-11-04 01:32:44 +02:00
Costa Tsaousis (ktsaou)
4ce16f3319 added errors in *-next parameters when no file is given before the *-next parameter 2015-11-04 01:32:14 +02:00
Phil Whineray
dfa1664df0 Merge branch 'master' into update-ipsets-commands
Conflicts:
	sbin/update-ipsets.in
2015-11-02 07:52:12 +00:00
Costa Tsaousis (ktsaou)
83ee676c91 fixed various issues and improved significantly the download manager and the logging 2015-11-02 08:46:46 +02:00
Costa Tsaousis (ktsaou)
3aea86defa increased the timeouts a bit to prevent download errors 2015-11-02 00:54:15 +02:00
Costa Tsaousis (ktsaou)
81462ae4b9 fixed a bug that did not update the geolocation maps for ipsets that have not been updated, in --rebuild mode 2015-11-02 00:35:49 +02:00
Costa Tsaousis (ktsaou)
44acb44d97 it now exposes start time and consecutive errors to json files 2015-11-01 23:10:11 +02:00
Costa Tsaousis (ktsaou)
6dd27e1863 fixed the merge() function to support other maintainers too; made cleantalk use the new merge() function. 2015-11-01 22:48:28 +02:00
Phil Whineray
e27d0e205b Replace explicit commands with detected variables 2015-11-01 17:53:23 +00:00
Phil Whineray
b1aa3cd788 Merge branch 'master' into update-ipsets-commands
Conflicts:
	sbin/update-ipsets.in
2015-11-01 17:52:02 +00:00
Costa Tsaousis (ktsaou)
deedc579b0 added cleantalk lists 2015-10-31 23:52:50 +02:00
Phil Whineray
1e5fa7befa Merge branch 'master' into update-ipsets-commands 2015-10-31 14:54:47 +00:00
Costa Tsaousis (ktsaou)
677be3c307 updated firehol lists 2015-10-31 16:28:24 +02:00
Phil Whineray
1ea9a58bd4 Convert update-ipsets to new command system 2015-10-31 12:29:25 +00:00
Costa Tsaousis (ktsaou)
1f70cb606f added asynchronous hostname resolver based on adnshost, added hphosts lists (resolved from hostnames) 2015-10-31 13:02:40 +02:00
Costa Tsaousis (ktsaou)
e9f137cd94 fixed a bug that resulted in duplicate routing table entries (added -u to a sort) 2015-10-31 11:45:48 +02:00
Costa Tsaousis (ktsaou)
31723d0dc4 fixed a bug where a request to print single IPs containing the IP 255.255.255.255 resulted in printing all 4 billion IPv4 IPs possible 2015-10-31 11:44:14 +02:00
Costa Tsaousis (ktsaou)
94ffc784ec added Cyber Threat Alliance Cryptowall 2015-10-31 04:11:55 +02:00
Costa Tsaousis (ktsaou)
ff46d12ac0 added ipblacklistcloud, graphiclineweb, chaosreigns, nullsecure 2015-10-31 01:29:51 +02:00
Phil Whineray
0de62875fc Check for missing $ on commands in pre-commit
Tidied up common behaviour into a function
Updated TPUT_CMD where it was missing the $
2015-10-30 22:18:57 +00:00
Phil Whineray
0ff50524b9 Update link-balancer to use detected commands 2015-10-30 20:39:58 +00:00
Phil Whineray
1ad836d854 Remove root requirement for unittests
Significant workaround added for 0440 permissions on /proc/net/ip_tables_names
2015-10-30 20:38:12 +00:00
Phil Whineray
11b112498f Add RMMOD_CMD and SLEEP_CMD for FireQOS 2015-10-30 07:53:18 +00:00
Phil Whineray
f27eec2e91 Do not call version routine until we have SED_CMD
Fix typo in case for version extraction
Extend kcov usage
2015-10-28 20:34:01 +00:00
Phil Whineray
73d531d340 Use require_cmd as expected now 2015-10-27 22:06:34 +00:00
Phil Whineray
881dc95ff4 Force full detection of AWK path 2015-10-27 21:55:27 +00:00
Phil Whineray
e723f3ba19 fireqos now has same command detection as firehol
Update pre-commit script to detect entries missing from configure script
Update unittest to run fireqos without a PATH set
Update unittest with a view to running code coverage check
2015-10-27 21:35:21 +00:00
Phil Whineray
9449e984d6 Added WC_CMD to command table
Also, updated pre-commit script to ensure all used commands are
present in the table.
2015-10-27 13:03:05 +00:00
Phil Whineray
070430762d Fixup commands not using _CMD variables
Also fix remaining problems around autodetection
Both were exposed by the new unittest strategy
2015-10-26 22:36:00 +00:00
Phil Whineray
4e1bf97891 Only update PATH whilst detecting commands
Update the unit tests so that an empty path is given. Highlight any
command failures (i.e. not using the special variables) that are
emitted.
2015-10-26 22:35:17 +00:00
Phil Whineray
f652298849 Resolve uname discrepancy 2015-10-26 07:11:44 +00:00
Phil Whineray
8ef0c9a984 Include options for commands, where required
Put back uname - it is currently used before the variable is set up
2015-10-25 08:51:24 +00:00
Phil Whineray
ab2259f49b Fix possible quoting problem and introduce test 2015-10-25 08:10:32 +00:00
Phil Whineray
c76f7626a2 Use UNAME_CMD when finding kernel version 2015-10-25 07:34:16 +00:00
Phil Whineray
41e3065cdc Always return TTY to sane defaults 2015-10-25 07:33:42 +00:00
Phil Whineray
e6c887acf5 Use efficient alternative to extract command path 2015-10-25 07:31:31 +00:00
Phil Whineray
d63e61c3c3 Validate that all commands exist and can execute
We will output a message indicating what can be done if this occurs
2015-10-23 13:56:05 +01:00
Costa Tsaousis (ktsaou)
f0c2da8736 fix to remove a space that was appended on all commands detected; added a check to make sure the autoconf configured commands still exist; #82 2015-10-22 22:19:17 +03:00
Phil Whineray
1de06a4dbf Allow configure script to set default AUTOSAVE 2015-10-21 20:44:17 +01:00
Phil Whineray
08425eaac0 Rework command detection routines
Process is now table-driven and has the following features:
- Honours the value set in /etc/firehol/firehol-defaults.conf, if any
- Uses the value set by autoconf, if any
- Autodetects in preferred order, allowing optional parameters as needed

This takes out all the special cases. Commands that are only sometimes
required are detected up front but still only checked when needed.

Also:
- allow detection/preinstall of iprange
- only emit iprange command warnings when it would be used
- restore tty settings when Ctrl-C hit (echo is disabled otherwise)
2015-10-21 20:44:17 +01:00
Sander Ruitenbeek
1f2c8fadee Fixed interface oneliner to snip out NONE after interface name (ex. sit0NONE). 2015-10-20 22:32:52 +02:00
Phil Whineray
a28a459c8f Install update-ipsets script as with others 2015-10-18 12:05:23 +01:00
Phil Whineray
5b40aec1ad Compile and install iprange to /sbin
Added option --disable-iprange to avoid it
2015-10-18 11:17:39 +01:00
Costa Tsaousis (ktsaou)
297811db63 max/ceil % is now relative to parent's ceiling rate (it was by mistake to parent's base rate); added warning if a class takes priority outside the valid ranges of HTB (0-7); switched default colors from blue to green 2015-10-03 01:40:16 +03:00
Costa Tsaousis (ktsaou)
49b5ff3664 when a table was already up to date but others depend on it, it was failing. fix for issue #78 2015-08-02 17:38:55 +03:00
Costa Tsaousis (ktsaou)
d95a06a922 fix for issue #77 2015-08-02 17:03:53 +03:00
Phil Whineray
0cb697d218 Add IPv6 support to vnetbuild and update example 2015-07-29 20:13:44 +01:00
Costa Tsaousis (ktsaou)
0b751c5db6 fixed bug in action sockets_suspects_trap and ipset_apply 2015-07-05 02:48:13 +03:00
Costa Tsaousis (ktsaou)
c7468eeeb9 rewrote the ipsets functionality so that: a) it optimizes netsets with iprange if present, b) it adapts the maxelem parameter for the updated ipset so that updating ipsets with big incremental updates does not fail, c) maintains compatibility with older ipset versions; side-effect: calling an ipset update without restarting the firewall now only supports ipsets that are used in firehol.conf; if iprange is present, processing of ipsets is a lot faster 2015-06-15 02:33:08 +03:00
Costa Tsaousis
64bc7e62be added support for adapting ipsets maxelem when updating an ipset 2015-06-13 06:52:14 +03:00
Costa Tsaousis (ktsaou)
27b1751eb8 save in ipsets.conf the types and options of ipsets 2015-06-07 16:22:03 +03:00
Costa Tsaousis (ktsaou)
c9340661ff prevented a backup of all the ipsets in memory - because it takes too long when the system has many ipsets installed 2015-05-23 19:04:19 +03:00
Costa Tsaousis (ktsaou)
cc705b5818 added log() and loglimit() helpers to allow logging from ipsets globally 2015-05-20 02:03:58 +03:00
Phil Whineray
2d1351b279 Remove all reference to awk 2015-05-02 14:28:56 +01:00
Phil Whineray
4557d36cac Remove final use of awk 2015-05-02 14:28:56 +01:00
philwhineray
d0307dacb4 Merge pull request #70 from ktsaou/vnetbuild
Add vnetbuild
2015-04-26 19:24:23 +01:00
Costa Tsaousis (ktsaou)
cbe68661a8 added wrappers for rawmark() and custommark() 2015-04-25 13:27:32 +03:00
Costa Tsaousis (ktsaou)
a4f6a1a6c4 tproxy uses markdef() to allocate a mark; marks.conf is now saved only after successful firewall activation 2015-04-25 13:27:10 +03:00
Costa Tsaousis (ktsaou)
bad5465f6a ipset add support for comma as an IP separator 2015-04-25 13:03:07 +03:00
Phil Whineray
54db4b39c4 Add vnetbuild 2015-04-25 09:22:58 +01:00
Costa Tsaousis (ktsaou)
ee9bdb4535 disabled spinner in explain mode 2015-04-25 01:20:41 +03:00
Costa Tsaousis (ktsaou)
665538ca24 allowed to define multiple "except" rules in statements that accept this keyword 2015-04-25 01:16:35 +03:00
Costa Tsaousis (ktsaou)
53cdfc6b1d fix for older versions of ipset 2015-04-24 21:31:32 +03:00
Costa Tsaousis (ktsaou)
2a8547d47d fix for older versions of ipset 2015-04-24 21:01:40 +03:00
Costa Tsaousis (ktsaou)
2647833260 fix for older versions of ipset 2015-04-24 20:57:20 +03:00
Costa Tsaousis (ktsaou)
323c25d320 fix for older versions of ipset 2015-04-24 20:56:24 +03:00
Costa Tsaousis (ktsaou)
d806def4ee fix for older versions of ipset 2015-04-24 20:55:04 +03:00
Costa Tsaousis (ktsaou)
503c76f0be ipset support for older machines: just set IPSET_RESTORE_SUPPORTS_FLUSH_SWAP_DESTROY=0; rule() now generates NAT rules with a protocol if a port has been specified 2015-04-24 20:39:09 +03:00
Costa Tsaousis (ktsaou)
16e9b715a4 fix for ERROR columns on some tc versions 2015-04-21 21:42:05 +03:00
Costa Tsaousis (ktsaou)
8e7b3a14eb added the ability to stop QoS on a specific device - just append the device name to the stop command #32 2015-04-16 22:32:58 +03:00
Costa Tsaousis (ktsaou)
f06c272d74 fix for emerging_block ipset 2015-04-02 06:35:42 +03:00
Costa Tsaousis (ktsaou)
d614fd7558 made STOP mode exit successfully; added support for restore option when specifying a filename on the command line 2015-03-23 17:19:49 +02:00
Costa Tsaousis (ktsaou)
18de85ffc8 services all and any are now simple services. service all now has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN 2015-03-13 11:59:51 +02:00
Costa Tsaousis (ktsaou)
d505ab0850 accept RELATED TCP ACK,RST packets on interface,router,master close() so that REJECT action works 2015-03-11 22:52:16 +02:00
Costa Tsaousis (ktsaou)
f1cde4907b pptp and sip added to ALL_SHOULD_ALSO_RUN to make "client all accept" work as expected 2015-03-08 19:11:43 +02:00
Costa Tsaousis (ktsaou)
e71c129c9d optimized simple_service() 2015-03-08 19:09:14 +02:00
Phil Whineray
c7824f2659 Ensure empty firewall works
Initialise a namespace even before we do anything so we still get
policy and dropped packet logging applied.
2015-03-05 07:29:55 +00:00
Costa Tsaousis (ktsaou)
a674e0967d cleanup and added back interface_default_class since it is needed for inheritance 2015-03-03 02:25:50 +02:00
Costa Tsaousis (ktsaou)
4b20d2d6d0 FIREQOS_INTERFACE_DEFAULT_CLASSID=8000 it seems the maximum is 9999 2015-03-02 23:29:20 +02:00
Costa Tsaousis (ktsaou)
fd8ac38739 added FIREQOS_INTERFACE_DEFAULT_CLASSID FIREQOS_MATCHES_STEP; some cleanup 2015-03-02 23:15:46 +02:00
Costa Tsaousis (ktsaou)
5670ea91d0 added state NEW to masquerade 2015-03-02 00:38:31 +02:00
Costa Tsaousis (ktsaou)
02c334649e reversed last commit - iptables does not allow inface in nat.POSTROUTING 2015-03-01 23:59:35 +02:00
Costa Tsaousis (ktsaou)
9d844c7785 allowed inface in SNAT and MASQUERADE 2015-03-01 23:53:46 +02:00
Phil Whineray
6f500b7269 Ensure ipv4 and ipv6 are used at the right time 2015-03-01 09:05:15 +00:00
Costa Tsaousis (ktsaou)
9bdf6d89d6 ENABLE_IPV4 and ENABLE_IPv6 can now be set in firehol.conf; fixed a bug where close_master() was not closing the firewall properly for both IPv4 and IPv6 - it was closing the same IPvX of the last interface or router - this bug seems to be there since the inclusion of IPv6 support 2015-03-01 04:16:16 +02:00
Costa Tsaousis (ktsaou)
d2984e6198 added action type "sockets_suspects_trap" as a shortcut to create TRAP_AND_DROP or TRAP_AND_REJECT type actions; removed -! from ipset options - they make ipset ignore the action without error - this option is only needed for "restore". 2015-02-28 00:31:32 +02:00
Costa Tsaousis (ktsaou)
7c5a213b7a iptrap now creates the trap if it is not already created 2015-02-26 23:10:47 +02:00
Costa Tsaousis (ktsaou)
84c880439f do not attempt to set net.netfilter.nf_conntrack_helper=1 if /proc/sys/net/netfilter/nf_conntrack_helper is not available, to eliminate the warning on all kernels prior to 3.5 2015-02-26 14:30:50 +02:00
Costa Tsaousis (ktsaou)
c173c79c8e nat_helper now supports balancing multiple IPs or ports on all NAT modes (snat, dnat, redirect), using round robin or weighted distribution of requests; fixed an issue of certain failure conditions where the error was generated in a subshell; ipsets now add values ignoring duplicates; FireHOL now reports the final number of iptables rules generated 2015-02-26 02:35:41 +02:00
Costa Tsaousis (ktsaou)
c90249fd78 first attempt to make synproxy work with dynamic IP; added options FIREHOL_SYNPROXY_EXCLUDE_OWNER which once set to 1 will enable matching synproxy packets with owner - it will require "src not" though; made it drop invalid TCP ACK packets from server to client; made synproxy marking a little bit stricter by matching SYN packet 2015-02-23 09:34:05 +02:00
Costa Tsaousis (ktsaou)
e7cf10dbd5 re-wrote multiport support - now it does its best to combine multiports in groups in order to minimize the generated statements 2015-02-23 08:08:00 +02:00
Costa Tsaousis (ktsaou)
a7c4287561 should check for "any" not just empty 2015-02-23 06:10:44 +02:00
Costa Tsaousis (ktsaou)
c1d46bec40 added protected parameters to the first action taken - before it was forced for double branching without reason 2015-02-23 06:02:28 +02:00
Costa Tsaousis (ktsaou)
8dde88092d fixed log comments on non-fast activation; required protocol on all actions where custom matches are given 2015-02-23 05:49:52 +02:00
Costa Tsaousis (ktsaou)
6110512dcf fixed monitor mode - it was not executing the commands because it was running with debug enabled 2015-02-22 08:10:25 +02:00
Costa Tsaousis (ktsaou)
6977473de1 fixed typo of the last commit 2015-02-22 07:42:37 +02:00
Costa Tsaousis (ktsaou)
f7f1437d57 allowed outface in synproxy 2015-02-22 07:35:29 +02:00
Costa Tsaousis (ktsaou)
6bb642b901 all NAT helpers support keyword "at" to specify the chain to be attached 2015-02-22 03:51:41 +02:00
Costa Tsaousis (ktsaou)
c8720f3d7d was ignoring fallback gateways 2015-02-21 06:24:47 +02:00
Costa Tsaousis (ktsaou)
063abbb284 traceroute6 replaced with traceroute -6 2015-02-21 02:16:03 +02:00
Costa Tsaousis (ktsaou)
8459d75f71 synproxy: enable lo routing only when it is necessary; synproxy: on custom actions in INPUT, ACCEPT the SYN packet on filter.OUTPUT and apply the custom action only on filter.INPUT to ensure the custom action is only applied once. 2015-02-20 16:04:46 +02:00
Costa Tsaousis (ktsaou)
bd9d711462 fixed comments in synproxy 2015-02-20 02:07:54 +02:00
Costa Tsaousis (ktsaou)
fbfa90f727 added more blocking chains for synproxy; re-arranged arguments to allow user requested logging of packets 2015-02-20 01:37:52 +02:00
Costa Tsaousis (ktsaou)
b03c9a3e9b secured synproxy; synproxy now matches synproxy-to-server packets as strictly as possible and does not allow the packets to flow in the NAT table; added -m iprange support in rule() (will be used for IP-IP expressions); support for port ranges using -; limited -m multiport usage to 7 ports (it allows 15, but half of them if they are ranges); renamed activation and finalization functions for better understanding; moved several postprocess commands to close_master() so that the generated statements appear in debug mode. 2015-02-19 23:06:00 +02:00
Costa Tsaousis (ktsaou)
38420c500f test for stderr, not stdout to enable colors 2015-02-19 03:22:33 +02:00
Costa Tsaousis (ktsaou)
48d0cb9846 synproxy done. it works in all scenarios tested. The way synproxy works, it interacts with transparent proxy, so misuse of the synproxy could allow an attacker to reach a transparent proxy on the same machine - we have to find a solution to isolate synproxy from the rest of the system 2015-02-19 03:21:51 +02:00
Costa Tsaousis (ktsaou)
0b36bbf278 synproxy now works on DNATed servers - still missing REDIRECTed ones 2015-02-16 03:29:21 +02:00
Costa Tsaousis (ktsaou)
e2401cef38 synproxy final touches 2015-02-15 23:39:33 +02:00
Costa Tsaousis (ktsaou)
422c450b07 fixed src/dst mixes #58; synproxy helper is now operational 2015-02-15 23:00:36 +02:00
Costa Tsaousis (ktsaou)
13cf138f29 internal variables xxx_IPS can be used to define both ipv4 and ipv6 IPs; #58 2015-02-15 21:29:58 +02:00
Costa Tsaousis (ktsaou)
b083d6fa3c disable colors on non-terminals 2015-02-15 21:20:59 +02:00
Costa Tsaousis (ktsaou)
2e8e223f6b fixed hashsize redirection to file 2015-02-15 20:44:20 +02:00
Costa Tsaousis (ktsaou)
fdda26f144 added synproxy helper - untested yet; FIREHOL_CONNTRACK_LOOSE_MATCHING to make conntrack use stricter matching on packets (required for synproxy); FIREHOL_CONNTRACK_MAX to set the max connections the connection tracker will support; FIREHOL_CONNTRACK_HASHSIZE to set the max hashsize the connection tracker will use; FIREHOL_TCP_SYN_COOKIES to control if tcp is using cookies (required for synproxy); FIREHOL_TCP_TIMESTAMPS to control if tcp is using timestamps (required for synproxy); unified all helpers that accept the chain to be attached to support multiple chains and shorter names (in, out, pre, post, pass); made blacklist() and iptrap() helpers work on filter (were on mangle - they should work after synproxy which is only in filter); re-wrote tos() tosfix() and dscp() to avoid branching and to support the new way of expressing chains; added SYNPROXY target in rule(); rule() now supports inserting also rules in chains (required by synproxy); INVALID and ACK+FIN drops are back in filter table (required by synproxy) 2015-02-15 20:30:34 +02:00
Phil Whineray
55343b9a7f Add link-balancer to generated output 2015-02-15 17:35:06 +00:00
Costa Tsaousis (ktsaou)
07922d6915 removed FIREHOL_DEFAULT_CT_HELPERS and FIREHOL_AUTO_CT_HELPERS and added FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT which takes 3 values: kernel, firehol or manual 2015-02-15 12:55:11 +02:00
Costa Tsaousis (ktsaou)
543bef172f warning about FIREHOL_DEFAULT_CT_HELPERS=1 usage when using cthelper() 2015-02-15 12:19:43 +02:00
Costa Tsaousis (ktsaou)
6b6a0f0780 support for cthelper bidirectional match 2015-02-15 11:55:09 +02:00
Costa Tsaousis (ktsaou)
6d08565ff8 added mms helper back 2015-02-15 11:20:22 +02:00
Costa Tsaousis (ktsaou)
bf7e8bb276 added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage of this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try to treat several matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance system that keeps track of inface, outface, src and dst of interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal". It is also applied in mangle instead of filter to prevent unnecessary traversal of the mangle table;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globally; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter;
fixed a bug in rule() when both ipv4 and ipv6 src/dst were given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unnecessary protocol matches (was not resetting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 02:27:42 +02:00
Costa Tsaousis (ktsaou)
0d59384b1a optimized server/client statements branching - controlled with FIREHOL_CHAIN_PER_SERVICE option - implemented with chain aliases so that all services still work without change; optimized nat and transparent_proxy branching; added support in rule() for actions that require a protocol (like REDIRECT); disabled spinner on non-terminals; added cstatus command line option to show the connection tracker status; status now also shows the raw table and the active ipsets; the generated rules are now 20-30% less due to less branching 2015-02-13 02:43:38 +02:00
Costa Tsaousis (ktsaou)
c8b6a86d01 removed pid sid cmd matches since they are not supported anymore; updated params man page - still incomplete though 2015-02-12 23:02:13 +02:00
Costa Tsaousis (ktsaou)
5ac3263d72 renamed iplimit to connlimit - iplimit no longer exists; preferred to put negative src/dst ipsets in possibly available negative branch 2015-02-12 22:23:00 +02:00
Costa Tsaousis (ktsaou)
ed972f3358 removed a push/pop namespace for rules(), seems to be a left-over from when src/dst IPs were validated 2015-02-12 20:53:41 +02:00
Costa Tsaousis (ktsaou)
6a892ee6d2 default option for ipset options to support older ipset versions; fix when setting ENABLE_IPVx=0 to firehol-defaults that was giving errors 2015-02-12 17:46:22 +02:00
Costa Tsaousis (ktsaou)
6bda3e6f7a forgot to add ${custom} to constraints check 2015-02-12 03:10:18 +02:00
Costa Tsaousis (ktsaou)
c4e0ef630e infinite loop on constraints branching 2015-02-12 02:13:27 +02:00
Costa Tsaousis (ktsaou)
9592c4b35a left a log line uncommented 2015-02-12 01:49:07 +02:00
Costa Tsaousis (ktsaou)
407a366633 another re-write of rule(): a lot more optimized iptables rules generation, less branching, less generation of logging statements, more accurate positive and negative rules matching; added an optional progress spinner - off by default 2015-02-12 01:42:38 +02:00
Costa Tsaousis (ktsaou)
9546af275e fixed line wrapping in explain mode 2015-02-11 14:15:06 +02:00
Costa Tsaousis (ktsaou)
c7fba06f5e now iptrap can use any type of ipset (added option "method"), action supports ipuntrap, src/dst matching with ipset does not increment the ipset counters if present 2015-02-11 00:26:11 +02:00
Costa Tsaousis (ktsaou)
67b28c62dc fix for the last commit 2015-02-09 23:25:23 +02:00
Costa Tsaousis (ktsaou)
0465b2fd1c added command line option "reset-ipsets" to reset the dynamic ipsets created by firehol; separated ipset options used by iptrap when timeout and counters is used; added checks to make sure that an iptrap generated ipset is not used with both timeout and counters options 2015-02-09 23:18:49 +02:00
Costa Tsaousis (ktsaou)
8a7d3092a1 added options "timeout" and "counters" to iptrap. These control what will happen with packets already in the ipset: if the timeout will be reset at every packet, or the packet and bytes counters will be updated; they are mutually exclusive 2015-02-09 22:28:35 +02:00
Costa Tsaousis (ktsaou)
e02968e112 added ipset optional rule parameter and SET action in rule() 2015-02-08 22:59:41 +02:00
Costa Tsaousis (ktsaou)
cf8b510095 removed from iptrap the functionality to create actions; now the action helper can create a list of action with logic in them; updated docs 2015-02-08 14:42:35 +02:00
Costa Tsaousis (ktsaou)
a58365d6f5 iptrap helper can accept an action other than RETURN, can apply its rules in multiple tables with the table keyword and can just create a chain without linking it with the define_action keyword 2015-02-08 12:19:51 +02:00
Costa Tsaousis (ktsaou)
1a80afc8c8 blacklist and iptrap except rules now accept negative expressions too; firehol explain now has a history 2015-02-08 10:44:00 +02:00
Costa Tsaousis (ktsaou)
3b8505f73d added helper ipuntrap, to undo what iptrap does; keyword "except" does not accept negative expressions - added check in rule(); workaround for a bash bug that did not show all commands in explain mode; added some color and option -nc to disable colors; added some more info in various points for debug mode; debug mode was not generating comments - fixed it 2015-02-07 17:28:43 +02:00
Costa Tsaousis (ktsaou)
daf7981da0 added IPTRAP_DEFAULT_IPSET_OPTIONS in defaults to control the ipset options used by iptrap 2015-02-07 12:18:13 +02:00
Costa Tsaousis (ktsaou)
c4ca4630ab fix for allowing UNROUTABLE_IPS and the rest of internal ip set in ipset 2015-02-07 12:01:40 +02:00
Costa Tsaousis (ktsaou)
c98e6aa29c cleanup and optimizations in rule() 2015-02-07 08:46:46 +02:00
Costa Tsaousis (ktsaou)
70ead41283 blacklist helper, different log message for input and output 2015-02-07 02:57:14 +02:00
Costa Tsaousis (ktsaou)
4b8b805c43 blacklist helper: added support for accounting and excepted rules, i.e. rules that match a whitelist 2015-02-06 23:50:28 +02:00
Costa Tsaousis (ktsaou)
f8e953f061 iptrap generated ipsets do not lose their values when the firewall is restarted 2015-02-06 22:43:23 +02:00
Costa Tsaousis (ktsaou)
68f52a99f9 modified iptrap helper to create the ipset if not already created, and do not alter the traffic, just trap the IP; it also supports src,dst and dst,src sets 2015-02-06 11:12:30 +02:00
Costa Tsaousis (ktsaou)
90f46d6269 first commit for iptrap helper; made SIP service use both TCP and UDP; blacklist helper now is applied on PREROUTING mangle, before anything else. 2015-02-06 02:57:06 +02:00
Costa Tsaousis (ktsaou)
16b1a55c48 blacklist helper now accepts log text and inface to apply the blacklist to; it is re-written to use rule() instead of plain iptables commands; updated man page 2015-02-06 01:08:15 +02:00
Costa Tsaousis (ktsaou)
955cde92be better cleanup and printout of differences reporting 2015-02-05 22:36:29 +02:00
Costa Tsaousis (ktsaou)
edb3413005 fixed ipsets update from files when obsolete files in /var/spool/firehol for the same ipset prevent an update 2015-02-05 02:24:56 +02:00
Costa Tsaousis (ktsaou)
c541723e32 prevent double cleanup of ipset temporary sets 2015-02-05 00:45:17 +02:00
Costa Tsaousis (ktsaou)
9f9a73a688 fixed ipset ipv6 support; better cleanup when ipset is interrupted by user 2015-02-05 00:05:13 +02:00
Costa Tsaousis (ktsaou)
72d4ce4c5c missed a failure message in the last commit 2015-02-04 00:37:59 +02:00
Costa Tsaousis (ktsaou)
e27364b059 missed a failure message in the last commit 2015-02-04 00:36:55 +02:00
Costa Tsaousis (ktsaou)
79286f97f7 existing ipsets are updated by adding a temporary set and once finished adding, swapping it with the real ipset and removing the temporary one 2015-02-04 00:33:17 +02:00
Costa Tsaousis (ktsaou)
e81282ccb6 fix for iptables log comments with space in them in fast activation mode; #54 2015-02-03 21:21:01 +02:00
Costa Tsaousis (ktsaou)
4448133896 fix for when negative src/dst for both ipv4 and ipv6 appear on the same statement #55 2015-02-03 20:39:25 +02:00
Costa Tsaousis (ktsaou)
808e33a4a1 fixed a type as per #53 2015-02-03 20:18:44 +02:00
Costa Tsaousis (ktsaou)
16849f1463 fix to detecting if snat, dnat, redirect have set a protocol 2015-02-03 12:31:57 +02:00
Costa Tsaousis (ktsaou)
6ef9d4f2a4 added custom-in and custom-out optional rule parameters, as requested in #53; keep in mind that these rules cannot be used in helpers, only in interface, router, group with, server, client, route; For routers, the general rule is that: custom-in is applied on traffic from inface and custom-out on the opposite direction 2015-02-03 01:36:15 +02:00
Costa Tsaousis (ktsaou)
7c11a26a1b added options random and persistent for snat, dnat and redirect helpers 2015-02-02 23:59:49 +02:00
Costa Tsaousis (ktsaou)
cdaf280e53 added to-ports and random option for masquerade helper 2015-02-02 23:28:35 +02:00
Costa Tsaousis (ktsaou)
85056a0079 removed obsolete code; made it log to syslog all progress steps and detect configuration files that may be included from the main config file 2015-02-02 22:54:11 +02:00
Costa Tsaousis (ktsaou)
a7be46d9f7 console output cleanup; all messages sent to stderr 2015-02-02 00:39:33 +02:00
Costa Tsaousis (ktsaou)
e05aaee4d9 ipset code cleanup 2015-02-02 00:16:33 +02:00
Costa Tsaousis (ktsaou)
93dfc2b217 fix for ipset compatibility 2015-02-01 23:06:48 +02:00
Costa Tsaousis (ktsaou)
c963110764 support for older versions of ipset 2015-02-01 22:51:13 +02:00
Costa Tsaousis (ktsaou)
cbd07447f7 added ipv4, ipv6 and ipv46 shortcuts for helpers 2015-02-01 21:20:14 +02:00
Costa Tsaousis (ktsaou)
f840b5d7ee added shortcuts "default" and "classic" to markdef 2015-02-01 20:39:26 +02:00
Costa Tsaousis (ktsaou)
cd50ca58ae blacklist now logs dropped packets 2015-02-01 17:17:34 +02:00
Costa Tsaousis (ktsaou)
0366bd1909 properly match the whole ipset collection name when running with ipset_update_from_file and save the updated statements for restoration in /var/spool/firehol 2015-02-01 16:22:12 +02:00
Costa Tsaousis (ktsaou)
7b8167d3c9 firehol now accepts command line parameter "ipset_update_from_file"; example in wiki: https://github.com/ktsaou/firehol/wiki/FireHOL-support-for-ipset 2015-02-01 07:15:10 +02:00
Costa Tsaousis (ktsaou)
64913be3ca changed syntax of ipset to comply with ipset 2015-02-01 06:09:17 +02:00
Costa Tsaousis (ktsaou)
c15e5e76fe extended ipset option file to grep only ips (ipfile) or only nets (netfile) 2015-02-01 04:18:02 +02:00
Costa Tsaousis (ktsaou)
1fdf21c109 added ipset helper to initialize ipset. It is a full wrapper around the ipset command. The key difference is that it accepts a list of IPs at the "ipset create" line, or the keyword "file" to load ips from a file. 2015-02-01 01:08:12 +02:00
Costa Tsaousis (ktsaou)
6c98852f4f added support for ipset matches in src dst and blacklist(); to use it, instead of any IP just use "ipset:NAME" where NAME is the name of the ipset; ipsets can coexist with IPs, example: server smtp accept src 1.2.3.4,ipset:GOODSMTP,ipset:BESTSMTP,5.6.7.8 2015-01-31 19:25:19 +02:00
Costa Tsaousis (ktsaou)
1fd3844b41 Check for BASH version 4 or later; properly handle response codes of configuration file sourcing 2015-01-31 17:02:43 +02:00
Costa Tsaousis (ktsaou)
e5def6100b do not return an error if a rule statement generated no rules - it breaks sourcing of the config file if the last rule statement generates no rules 2015-01-31 15:38:12 +02:00
Costa Tsaousis (ktsaou)
1eef048246 10% faster again... the basecmd declaration in rule() was responsible for most of it... 2015-01-31 14:35:25 +02:00
Costa Tsaousis (ktsaou)
073349954a fix for last commit; FIREHOL_WAIT_USER_BEFORE_TRY is only used when the firewall is tried 2015-01-31 02:59:27 +02:00
Costa Tsaousis (ktsaou)
1c9867d877 added option FIREHOL_WAIT_USER_BEFORE_TRY=600 to wait for user confirmation before fast-activation 2015-01-31 02:53:34 +02:00
Costa Tsaousis (ktsaou)
34d313f971 now it traces properly includes of config files from within config files, and reports proper line numbers and source files; now it detects if it runs on a color terminal 2015-01-31 00:50:04 +02:00
Costa Tsaousis (ktsaou)
0f1e2bf4ea now it traces properly includes of config files from within config files, and reports proper line numbers and source files; now it detects if it runs on a color terminal 2015-01-31 00:49:28 +02:00
Costa Tsaousis (ktsaou)
f4e4b4c764 now it traces properly includes of config files from within config files, and reports proper line numbers and source files; fixed a typo in rule(); moved defaults file generation after the config dir has been created; firehol is 25-30% faster in preprocessing compared to the previous commit - re-arranged almost all local variables (this only accounts for 4% increase in preprocessing speed); improved error handling when fast activation is disabled (30% faster activation with fast activation disabled) 2015-01-31 00:45:56 +02:00
Costa Tsaousis (ktsaou)
46923899eb fix for bidirectional class groups 2015-01-26 00:49:14 +02:00
Costa Tsaousis (ktsaou)
6c17cb4d88 debug mode now does not run the rules (like firehol); stdout gives the generated statements, stderr gives user messages (like firehol); re-wrote rate2bps() 2015-01-26 00:12:26 +02:00
Costa Tsaousis (ktsaou)
d97174df3c fix for empty FIREQOS_CONNMARK_RESTORE; #49 2015-01-25 20:30:52 +02:00
Costa Tsaousis (ktsaou)
dc9f031ec9 FIREQOS_CONNMARK_RESTORE can get only one value: act_connmark; added warning if mark matches are used on input interfaces without a connmark restoration policy; #49 2015-01-25 20:28:53 +02:00
Costa Tsaousis (ktsaou)
d53e42bb0f connmark options can be specified as per #49 2015-01-25 18:01:24 +02:00
Costa Tsaousis (ktsaou)
4f2b99298a marks can now be stateful/stateless and temporary/permanent as per #50 2015-01-25 17:59:28 +02:00
Costa Tsaousis (ktsaou)
55e445e033 experimental connmark save/restore - disabled by default - set FIREQOS_ENABLE_CONNMARK_SAVE_RESTORE=1 to enable - #49 2015-01-25 15:03:18 +02:00
box@home root
816e2a54ea check for external commands availability; added some colors on output 2015-01-25 00:34:34 +02:00
box@home root
3bc1fc81fa check for rm command availability 2015-01-25 00:34:01 +02:00
Costa Tsaousis (ktsaou)
21b187a5d0 Merge branch 'master' of github.com:ktsaou/firehol 2015-01-24 22:11:24 +02:00
Costa Tsaousis (ktsaou)
1952feb160 support for comma as a list separator; optimizations for fireqos 2015-01-24 21:46:38 +02:00
Phil Whineray
17b85843c7 Account for work_error not incremented in subshell 2015-01-24 16:58:57 +00:00
Phil Whineray
0945acdf86 Clean up errors when applying a missing mark
Stop logger from breaking if our message has e.g. -arg in it
Return from mark helpers if there was an error and no result from mark_value()
2015-01-24 16:44:15 +00:00
Costa Tsaousis (ktsaou)
2488287e5b centralized mark value calculation and error handling for all tools 2015-01-24 17:32:23 +02:00
Costa Tsaousis (ktsaou)
7f7045003f removed peek_namespace, fixed pop_namespace #45 2015-01-24 13:17:20 +02:00
Costa Tsaousis (ktsaou)
d688b97365 fixed namespace pop #45 2015-01-24 13:06:43 +02:00
Costa Tsaousis (ktsaou)
91f6732e4a allowed multiple marks for each mark match #47 2015-01-24 12:31:25 +02:00
Costa Tsaousis (ktsaou)
538e8b7b9a optimized firehol; gained a 43% speed increase compared to the previous version; there are still a few optimizations to be made that will contribute probably another 10%; still everything is in BASH; #45 2015-01-24 04:21:04 +02:00
Costa Tsaousis (ktsaou)
b0b3659399 workaround what seems to be an associative array bash bug 2015-01-23 23:47:40 +02:00
Costa Tsaousis (ktsaou)
44cabf981b added check to detect re-definition of a mark type 2015-01-23 00:42:30 +02:00
Costa Tsaousis (ktsaou)
519b7b05b3 moved marks.conf into firehol-defaults.conf; added support for custom defined marks using the custommark firehol helper and the match with the same name; #23 2015-01-23 00:34:22 +02:00
Costa Tsaousis (ktsaou)
89bca91217 made TPROXY helper use the maximum usermark instead of a fixed one #25 #23 2015-01-22 23:09:18 +02:00
Costa Tsaousis (ktsaou)
76267346c0 convert marks to hex, in order to match ip rule output 2015-01-22 22:35:19 +02:00
Costa Tsaousis (ktsaou)
0657b76213 bitmasked marks 2015-01-19 21:28:55 +02:00
Costa Tsaousis (ktsaou)
57947e2e51 bitmasked marks 2015-01-19 21:28:48 +02:00
Costa Tsaousis (ktsaou)
c4558a45e6 bitmasked marks 2015-01-19 21:28:43 +02:00
Costa Tsaousis (ktsaou)
07fde44784 fix for EXPLAIN mode 2015-01-18 21:38:38 +02:00
Costa Tsaousis (ktsaou)
1a6877cc32 added fallback in parsing; fixed firehol.conf command reference in help 2015-01-17 20:08:03 +02:00
Costa Tsaousis (ktsaou)
b00045da3b added help, version, example file generation; add policy command to influence ipv4 and ipv6 for all rules; made it handle Control-C; added fallback gateway management 2015-01-17 18:29:29 +02:00
Costa Tsaousis (ktsaou)
73f0863478 fixed recursion at exit 2015-01-17 18:26:41 +02:00
Costa Tsaousis (ktsaou)
64003397ba fixed recursion at exit 2015-01-17 18:26:35 +02:00
Costa Tsaousis (ktsaou)
48317ba7d7 made it properly handle Control-C by trapping INT 2015-01-17 17:42:33 +02:00
Costa Tsaousis (ktsaou)
dad17607a0 firehol may not restore an IPv6 firewall at exit, if it was running only in IPv6 mode; made it properly handle Control-C by trapping INT 2015-01-17 17:41:52 +02:00
Costa Tsaousis (ktsaou)
b24021a3d7 logger fix 2015-01-17 04:19:48 +02:00
Costa Tsaousis (ktsaou)
cee756488b as before 2015-01-17 04:17:56 +02:00
Costa Tsaousis (ktsaou)
2b5cbc222c was not processing rules when a gateway was unavailable 2015-01-17 04:15:39 +02:00
Costa Tsaousis (ktsaou)
ffd3916c3e was not setting IPvX when the gateway was unavailable 2015-01-17 04:12:13 +02:00
Costa Tsaousis (ktsaou)
7a41b2a36f LinkBalancer initial commit 2015-01-17 02:06:50 +02:00
Costa Tsaousis (ktsaou)
dc65bd4b97 fix for issue #43 2015-01-10 21:50:20 +02:00
Costa Tsaousis (ktsaou)
617a80ccea fixed a minor bug that was creating empty .conf files in /var/run/fireqos 2015-01-09 02:44:10 +02:00
Costa Tsaousis (ktsaou)
8e6af3ae24 system-wide defaults file /etc/firehol/firehol-defaults.conf; added option to make start behave like restore if the config files are not changed; restoration of last firewall now takes into account all files in /etc/firehol and /etc/firehol/services and also the command line arguments that may have been passed to firehol.conf; stop does not save the running firewall anymore (it could lead to an endless loop of activating the wrong firewall again and again); added option "nofast" to command line args to quickly try to activate a firewall without fast activation; fast activation is now enabled by default; silent drop of orphan TCP ACK,FIN is enabled by default; various other minor fixes 2015-01-06 19:53:45 +02:00
Costa Tsaousis (ktsaou)
7417f01bcc Merge branch 'master' of github.com:ktsaou/firehol 2015-01-04 02:25:18 +02:00
box@home root
dfdc5819cc accounting warning moved on first use of an accounting rule. 2015-01-04 02:24:42 +02:00
Phil Whineray
98855eaa30 Fix chain-exists logic in: with recent/knock/limit
Typo from switching to an associative array. We need to create
the chain first time through, when the value is empty.
2015-01-03 13:44:27 +00:00
Costa Tsaousis (ktsaou)
c9ed9c746f added support for accounting using NFACCT, to use it just add 'accounting [name]' to any statement (even interfaces, NAT, server, client, etc), where [name] is a name to be given to the accounting object, then when the firewall is running use '/usr/sbin/nfacct list' to get the counters; converted unique chain management from files to associative bash arrays; added 'local' to a large number of rules that were missing it; fixed error handling of the restore feature; made 'debug' mode aware of the ipv4 and ipv6 2015-01-03 07:45:19 +02:00
Costa Tsaousis (ktsaou)
5451641021 better support for restoring postprocessed commands - any kind of command, not just kernel modules 2014-12-30 20:42:58 +02:00
Costa Tsaousis (ktsaou)
b10a8622cb Now it always saves the activated firewall to /var/spool/firehol and can quickly restore it at boot with the restore argument. Also, when calling stop it saves the firewall again, with their packet and bytes counters, so that when restored it continues where it left off. So at boot it should be called with "restore" and at shutdown it should be called with "stop" 2014-12-19 23:46:53 +02:00
Costa Tsaousis (ktsaou)
a4dba2b212 fixed physin/physout to specify new iptables options --physdev-is-bridged in routers, --physdev-is-in at the input of interfaces, --physdev-is-out at the output of interfaces 2014-11-19 01:50:47 +02:00
Costa Tsaousis (ktsaou)
e190008f98 fixed srcmac/dstmac for ipv6 2014-11-15 19:57:25 +02:00
Phil Whineray
521e8c142d Delete activation rules by spec not number
Fixes #41

The assumption that the rules added to allow established connections
during activation will always be first is wrong for configs with
iptables -I statements.
2014-11-06 22:36:08 +00:00
Phil Whineray
09748049ee Prevent all IPv6 actions after initial disable 2014-10-18 08:15:47 +01:00
Phil Whineray
ca07e978f8 Detect non-IPv6 hosts 2014-10-18 08:04:12 +01:00
Phil Whineray
6dd351f5cc Fix "accept with limit"
Chain names were created too long and only the first of IPv4 or IPv6
2014-10-15 17:11:03 +01:00
Phil Whineray
a6a5e55c41 Create functional helpme output
Includes pointers to the IPv6 upgrade documentation

Fixes issue #35
2014-10-04 13:38:34 +01:00
Phil Whineray
5fecbb9591 Remove redundant firehol_wget and wget_cmd helpers
They were used by ecn_shame only, which was removed some time back since
the list is no longer available.

Thanks to Jerome Benoit
2014-10-04 10:54:32 +01:00
Phil Whineray
1f0db36baf Use mktemp for temporary directories during RPC
Slightly safer than random numbers because it can never conflict

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
da7b96e7ab Don't delete and recreate the temporary directory
mktemp already ensured it was unique as part of creating it

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
87f8827e75 Treat mktemp like other required commands
Add it to configure script and use the which_cmd to detect at runtime.

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
8b8e5c9761 Silence module detection warning when not loading
The warning says that we will always load the modules, even though we
will honour the variable which says never to do so.

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e14e118532 Update copyright strings
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
box@home root
6bad95950f added srcmac dstmac matches 2014-08-17 18:30:50 +03:00
Phil Whineray
e8c70871c5 Do not fix source ports for DHCPv6
Some servers do not use them, and the RFC allows this.

http://lists.firehol.org/pipermail/firehol-support/2014-July/002824.html
http://www.ietf.org/rfc/rfc3315.txt
2014-07-27 12:07:59 +01:00
Phil Whineray
edd7dace10 Explain that ICMPv6 ND/RD packets are untracked 2014-07-27 11:25:02 +01:00
Costa Tsaousis (ktsaou)
4939c52d1b added warning as suggested in #29 2014-06-11 22:52:57 +03:00
Costa Tsaousis (ktsaou)
7d95733f60 fixed mixed ipv4 and ipv6 matches that were generating match priorities above 0xffff 2014-06-09 11:13:35 +03:00
Phil Whineray
f741b4b422 Ensure dst4 and dst6 work in interface
src4 and src6 are already OK
2014-06-07 17:26:31 +01:00
Costa Tsaousis (ktsaou)
cb43b72381 added /sbin:/usr/sbin to system path to solve an issue with pppd ip-up scripts; now automatic numbering continues giving class priorities after the manual priority given 2014-05-04 14:56:05 +03:00
Costa Tsaousis (ktsaou)
989a6067e7 added the option to limit each match to a specific rate; this required support for police and estimator in filters 2014-04-11 00:29:33 +03:00
Costa Tsaousis (ktsaou)
e323bd501f reworked tproxy parameters parsing for issue #25 2014-03-25 23:42:13 +02:00
Costa Tsaousis (ktsaou)
ef153a80d0 tproxy support. beta. may not work. fixed issue #25 2014-03-25 23:13:20 +02:00
Costa Tsaousis (ktsaou)
471da265b3 link the interface name with the configuration name in /var/run/fireqos/ 2014-03-25 20:18:56 +02:00
Costa Tsaousis (ktsaou)
e238a22cc6 for bi-directional interfaces, it appends -in or -out to interface name automatically 2014-03-15 16:36:05 +02:00
Costa Tsaousis (ktsaou)
2c3ac70691 full bidirectional interface support, including firehol like services 2014-03-15 16:13:59 +02:00
Costa Tsaousis (ktsaou)
c732df28a6 added warning if MARK and CONNMARK are used together, for issue #23 2014-03-14 01:31:44 +02:00
Costa Tsaousis (ktsaou)
46955f9eb4 added support for failed lines detection for issue #22, improved connmark for issue #23 2014-03-14 01:13:28 +02:00
Costa Tsaousis (ktsaou)
83a084e9c1 another connmark fix for issue #23 2014-03-13 03:08:34 +02:00
Costa Tsaousis (ktsaou)
e51a46a140 another connmark fix for issue #23 2014-03-13 02:35:12 +02:00
Costa Tsaousis (ktsaou)
54cfeaeaae connmark fix for issue #23 2014-03-13 01:46:50 +02:00
Costa Tsaousis (ktsaou)
fe40dbc5bc fixes issues #22 and #23 2014-03-13 00:20:00 +02:00
Phil Whineray
37536fdfa9 Implement low-resolution timer
Embedded OpenWRT does not support sub-second dates or sleeps
2014-02-22 11:58:50 +00:00
Phil Whineray
1d317690a8 Allow insmod as an alternate to modprobe
Only insmod is available on embedded OpenWRT
2014-02-22 11:58:43 +00:00
Phil Whineray
750da174ca Fix IPv4-only save/restore and fastactivation
These were still trying to run, despite the commands not being available
2014-02-22 11:54:39 +00:00
Phil Whineray
40fde76a78 Fix firehol save
Was trying to save to temporary location, not the specified one.
Error introduced in df50d6cb29b9a716a40d99918de46cb0e899e42a.
2014-02-22 08:44:26 +00:00
Phil Whineray
95b3e66836 Use IPv4 only unless config version is set as 6 2014-02-09 18:11:39 +00:00
Phil Whineray
bb19f5500a Fix line numbering for new commands 2014-02-03 22:58:10 +00:00