to allow other developers to test the functionality before optimizing all the
rules to use groups.
To use grouping, within an interface or router write:
group with [optional rule parameters]
server x accept
server y accept
group end
This will generate a much more optimized version of:
server "x y" accept [optional rule parameters]
by applying all the optional rule parameters once (instead of once per
service).
Added a lot of information to the generated iptables command lines, to make it
easier to debug both the commands generated and what FireHOL did.
Fixed a bug in kernel module management: check_kernel_module() was supposed
to be a runtime function, but accidentally I had it generating commands
to be run later - which, of course, were never run.
The default is now not to drop invalid packets globally, but to drop them
as part of the protection statement (i.e. protection invalid). The default
full/strong/all protections include the invalid match.
To enable invalid packet dropping globally (the previous behaviour) one
can give:
FIREHOL_DROP_INVALID=1
at the top of the configuration file.
v1.134 but it was producing rules for both input and output packets.
Now, it produces mac rules only for packets coming into the firewall
(interfaces and routers).
http://www.vergenet.net/linux/aggregate/
The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
(aggregate-flim is the name of this program when installed on Gentoo)
(request goes to broadcast address) but the server responds from
its own IP address. This makes the server samba accept statement
drop the server reply.
Below is a hack that allows a Linux samba server to respond
correctly, as it allows new outgoing connections from the well
known netbios-ns port to the clients' high ports.
For clients and routers this hack is not applied because it
would be a huge security hole.
> The firehol system defines the 'cups' protocol as:
>
> server_cups_ports="tcp/631"
> client_cups_ports="default"
>
> This isn't a complete definition - CUPS also has an internal printer
> browsing protocol that operates over UDP, on port 631.
>
> The following definition is more correct:
>
> server_cups_ports="tcp/631 udp/631"
> client_cups_ports="default 631"
header part of /etc/init.d/iptables (of Red Hat 7.2). This header
just checked the kernel version and made a check on whether ipchains
was running. If either check failed (kernel version less than
2.3 or ipchains loaded into the kernel) it exited silently.
Although I still keep this logic, FireHOL will now print a warning
instead of just exiting silently.
Abstract from the documentation:
mark <NUMBER> <WHERE> [optional rule parameters]
The mark helper marks the traffic with a specific mark NUMBER
that can be matched by traffic shaping tools for controlling the
traffic.
Parameters
* NUMBER is a number to mark the packets with.
* WHERE tells FireHOL where to search for the specific traffic
to be marked.
Currently, WHERE can be one of the built-in iptables chains
attached to table mangle (for example: INPUT, FORWARD, OUTPUT,
PREROUTING, POSTROUTING - case does matter here).
* optional rule parameters is a set of rules that allow further
restriction of the traffic that gets matched by this rule.
See Optional Rules Parameters for more information.
Example 1: mark 1 OUTPUT
will mark with 1 all packets sent by the local machine.
Example 2: mark 2 FORWARD
will mark with 2 all packets passing through the local machine.
Example 3: mark 3 FORWARD proto tcp dport 25 dst 1.1.1.1 src 2.2.2.2
will mark with 3 all packets sent by 2.2.2.2, passing through the
local machine and targeting port TCP/25 of host 1.1.1.1.
Abstract from the documentation:
blacklist [option] <IP>
The blacklist helper creates a blacklist for the IP addresses given.
It supports two modes of operation based on the option given (or the
absence of it).
The option can be:
* one of the words them, him, her, it, this, these, input, in which
case it will generate a unidirectional stateful blacklist,
meaning that you will be able to ask (initiate connections)
anything from them, but they will not be able to ask (initiate
connections) anything from you or the remote hosts you protect
(routing).
* one of the words all, full, or omitted (no option given), in
which case FireHOL will create bidirectional stateless rules
that will DROP all traffic coming in from these IPs and will
REJECT all traffic going to them.
The blacklist helper affects both interfaces and routers.
Example 1: blacklist this 195.97.5.202
Example 2: blacklist full 195.97.5.202
Suggested by: Mikkel Schubert
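To make the difference between the two blacklist modes concrete, here is an added illustration (not FireHOL's own code) that prints the iptables commands one could use to express each mode for a given address. The chain names, the "-m state --state NEW" match and the check_ip/blacklist_rules function names are assumptions made for this example, not a transcript of what FireHOL generates.

```sh
#!/bin/sh
# Added illustration of the documented blacklist semantics. Commands are
# printed rather than executed, so they can be reviewed before use.

# Succeed only for an IPv4 address with an optional /prefix, so that an
# unexpected string can never be spliced into a generated command.
check_ip() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# blacklist_rules MODE IP
#   them|him|her|it|this|these|input -> unidirectional, stateful
#   all|full|""                      -> bidirectional, stateless
blacklist_rules() {
    mode="$1"; ip="$2"
    check_ip "$ip" || { echo "bad address: $ip" >&2; return 1; }
    case "$mode" in
        them|him|her|it|this|these|input)
            # Only NEW connections from the host are dropped; replies to
            # connections we initiate still match ESTABLISHED elsewhere,
            # so we can reach them while they cannot reach us or the
            # hosts we route for.
            for chain in INPUT FORWARD; do
                echo "iptables -A $chain -s $ip -m state --state NEW -j DROP"
            done
            ;;
        all|full|"")
            # Stateless: drop everything from the host and reject
            # everything to it, both locally and for routed traffic.
            for chain in INPUT FORWARD; do
                echo "iptables -A $chain -s $ip -j DROP"
            done
            for chain in OUTPUT FORWARD; do
                echo "iptables -A $chain -d $ip -j REJECT"
            done
            ;;
        *)
            echo "unknown blacklist option: $mode" >&2; return 1 ;;
    esac
}
```

Run it as `blacklist_rules this 195.97.5.202` or `blacklist_rules full 195.97.5.202` to compare the two rule sets for the documented examples.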