2d1351b279  2015-05-02 14:28:56 +01:00  Phil Whineray  Remove all reference to awk
4557d36cac  2015-05-02 14:28:56 +01:00  Phil Whineray  Remove final use of awk
d0307dacb4  2015-04-26 19:24:23 +01:00  philwhineray  Merge pull request #70 from ktsaou/vnetbuild
    Add vnetbuild
cbe68661a8  2015-04-25 13:27:32 +03:00  Costa Tsaousis (ktsaou)  added wrappers for rawmark() and custommark()
a4f6a1a6c4  2015-04-25 13:27:10 +03:00  Costa Tsaousis (ktsaou)  tproxy uses markdef() to allocate a mark; marks.conf is now saved only after successful firewall activation
bad5465f6a  2015-04-25 13:03:07 +03:00  Costa Tsaousis (ktsaou)  ipset: add support for comma as an IP separator
54db4b39c4  2015-04-25 09:22:58 +01:00  Phil Whineray  Add vnetbuild
ee9bdb4535  2015-04-25 01:20:41 +03:00  Costa Tsaousis (ktsaou)  disabled spinner in explain mode
665538ca24  2015-04-25 01:16:35 +03:00  Costa Tsaousis (ktsaou)  allowed defining multiple "except" rules in statements that accept this keyword
53cdfc6b1d  2015-04-24 21:31:32 +03:00  Costa Tsaousis (ktsaou)  fix for older versions of ipset
2a8547d47d  2015-04-24 21:01:40 +03:00  Costa Tsaousis (ktsaou)  fix for older versions of ipset
2647833260  2015-04-24 20:57:20 +03:00  Costa Tsaousis (ktsaou)  fix for older versions of ipset
323c25d320  2015-04-24 20:56:24 +03:00  Costa Tsaousis (ktsaou)  fix for older versions of ipset
d806def4ee  2015-04-24 20:55:04 +03:00  Costa Tsaousis (ktsaou)  fix for older versions of ipset
503c76f0be  2015-04-24 20:39:09 +03:00  Costa Tsaousis (ktsaou)  ipset support for older machines: just set IPSET_RESTORE_SUPPORTS_FLUSH_SWAP_DESTROY=0; rule() now generates NAT rules with a protocol if a port has been specified
16e9b715a4  2015-04-21 21:42:05 +03:00  Costa Tsaousis (ktsaou)  fix for ERROR columns on some tc versions
8e7b3a14eb  2015-04-16 22:32:58 +03:00  Costa Tsaousis (ktsaou)  added the ability to stop QoS on a specific device - just append the device name to the stop command #32
f06c272d74  2015-04-02 06:35:42 +03:00  Costa Tsaousis (ktsaou)  fix for emerging_block ipset
d614fd7558  2015-03-23 17:19:49 +02:00  Costa Tsaousis (ktsaou)  made STOP mode exit successfully; added support for the restore option when specifying a filename on the command line
18de85ffc8  2015-03-13 11:59:51 +02:00  Costa Tsaousis (ktsaou)  services all and any are now simple services. service all now has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN
d505ab0850  2015-03-11 22:52:16 +02:00  Costa Tsaousis (ktsaou)  accept RELATED TCP ACK,RST packets on interface, router and master close() so that the REJECT action works
f1cde4907b  2015-03-08 19:11:43 +02:00  Costa Tsaousis (ktsaou)  pptp and sip added to ALL_SHOULD_ALSO_RUN to make "client all accept" work as expected
e71c129c9d  2015-03-08 19:09:14 +02:00  Costa Tsaousis (ktsaou)  optimized simple_service()
c7824f2659  2015-03-05 07:29:55 +00:00  Phil Whineray  Ensure empty firewall works
    Initialise a namespace even before we do anything so we still get
    policy and dropped packet logging applied.
a674e0967d  2015-03-03 02:25:50 +02:00  Costa Tsaousis (ktsaou)  cleanup and added back interface_default_class since it is needed for inheritance
4b20d2d6d0  2015-03-02 23:29:20 +02:00  Costa Tsaousis (ktsaou)  FIREQOS_INTERFACE_DEFAULT_CLASSID=8000; it seems the maximum is 9999
fd8ac38739  2015-03-02 23:15:46 +02:00  Costa Tsaousis (ktsaou)  added FIREQOS_INTERFACE_DEFAULT_CLASSID and FIREQOS_MATCHES_STEP; some cleanup
5670ea91d0  2015-03-02 00:38:31 +02:00  Costa Tsaousis (ktsaou)  added state NEW to masquerade
02c334649e  2015-03-01 23:59:35 +02:00  Costa Tsaousis (ktsaou)  reversed last commit - iptables does not allow inface in nat.POSTROUTING
9d844c7785  2015-03-01 23:53:46 +02:00  Costa Tsaousis (ktsaou)  allowed inface in SNAT and MASQUERADE
6f500b7269  2015-03-01 09:05:15 +00:00  Phil Whineray  Ensure ipv4 and ipv6 are used at the right time
9bdf6d89d6  2015-03-01 04:16:16 +02:00  Costa Tsaousis (ktsaou)  ENABLE_IPV4 and ENABLE_IPv6 can now be set in firehol.conf; fixed a bug where close_master() was not closing the firewall properly for both IPv4 and IPv6 - it was closing the same IPvX as the last interface or router - this bug seems to have been there since the inclusion of IPv6 support
d2984e6198  2015-02-28 00:31:32 +02:00  Costa Tsaousis (ktsaou)  added action type "sockets_suspects_trap" as a shortcut to create TRAP_AND_DROP or TRAP_AND_REJECT type actions; removed -! from ipset options - it makes ipset ignore the action without error - this option is only needed for "restore".
7c5a213b7a  2015-02-26 23:10:47 +02:00  Costa Tsaousis (ktsaou)  iptrap now creates the trap if it is not already created
84c880439f  2015-02-26 14:30:50 +02:00  Costa Tsaousis (ktsaou)  do not attempt to set net.netfilter.nf_conntrack_helper=1 if /proc/sys/net/netfilter/nf_conntrack_helper is not available, to eliminate the warning on all kernels prior to 3.5
c173c79c8e  2015-02-26 02:35:41 +02:00  Costa Tsaousis (ktsaou)  nat_helper now supports balancing multiple IPs or ports on all NAT modes (snat, dnat, redirect), using round robin or weighted distribution of requests; fixed an issue with certain failure conditions where the error was generated in a subshell; ipsets now add values ignoring duplicates; FireHOL now reports the final number of iptables rules generated
c90249fd78  2015-02-23 09:34:05 +02:00  Costa Tsaousis (ktsaou)  first attempt to make synproxy work with dynamic IP; added option FIREHOL_SYNPROXY_EXCLUDE_OWNER which, once set to 1, will enable matching synproxy packets with owner - it will require "src not" though; made it drop invalid TCP ACK packets from server to client; made synproxy marking a little bit stricter by matching the SYN packet
e7cf10dbd5  2015-02-23 08:08:00 +02:00  Costa Tsaousis (ktsaou)  re-wrote multiport support - now it does its best to combine multiports in groups in order to minimize the generated statements
a7c4287561  2015-02-23 06:10:44 +02:00  Costa Tsaousis (ktsaou)  should check for "any", not just empty
c1d46bec40  2015-02-23 06:02:28 +02:00  Costa Tsaousis (ktsaou)  added protected parameters to the first action taken - before, it was forced into double branching without reason
8dde88092d  2015-02-23 05:49:52 +02:00  Costa Tsaousis (ktsaou)  fixed log comments on non-fast activation; required protocol on all actions where custom matches are given
6110512dcf  2015-02-22 08:10:25 +02:00  Costa Tsaousis (ktsaou)  fixed monitor mode - it was not executing the commands because it was running with debug enabled
6977473de1  2015-02-22 07:42:37 +02:00  Costa Tsaousis (ktsaou)  fixed typo of the last commit
f7f1437d57  2015-02-22 07:35:29 +02:00  Costa Tsaousis (ktsaou)  allowed outface in synproxy
6bb642b901  2015-02-22 03:51:41 +02:00  Costa Tsaousis (ktsaou)  all NAT helpers support keyword "at" to specify the chain to be attached to
c8720f3d7d  2015-02-21 06:24:47 +02:00  Costa Tsaousis (ktsaou)  was ignoring fallback gateways
063abbb284  2015-02-21 02:16:03 +02:00  Costa Tsaousis (ktsaou)  traceroute6 replaced with traceroute -6
8459d75f71  2015-02-20 16:04:46 +02:00  Costa Tsaousis (ktsaou)  synproxy: enable lo routing only when it is necessary; synproxy: on custom actions in INPUT, ACCEPT the SYN packet on filter.OUTPUT and apply the custom action only on filter.INPUT to ensure the custom action is only applied once.
bd9d711462  2015-02-20 02:07:54 +02:00  Costa Tsaousis (ktsaou)  fixed comments in synproxy
fbfa90f727  2015-02-20 01:37:52 +02:00  Costa Tsaousis (ktsaou)  added more blocking chains for synproxy; re-arranged arguments to allow user-requested logging of packets