Commit Graph

302 Commits

Author SHA1 Message Date
Phil Whineray
2d1351b279 Remove all reference to awk 2015-05-02 14:28:56 +01:00
Phil Whineray
4557d36cac Remove final use of awk 2015-05-02 14:28:56 +01:00
philwhineray
d0307dacb4 Merge pull request #70 from ktsaou/vnetbuild
Add vnetbuild
2015-04-26 19:24:23 +01:00
Costa Tsaousis (ktsaou)
cbe68661a8 added wrappers for rawmark() and custommark() 2015-04-25 13:27:32 +03:00
Costa Tsaousis (ktsaou)
a4f6a1a6c4 tproxy uses markdef() to allocate a mark; marks.conf is now saved only after successful firewall activation 2015-04-25 13:27:10 +03:00
Costa Tsaousis (ktsaou)
bad5465f6a ipset add support for comma as an IP separator 2015-04-25 13:03:07 +03:00
Phil Whineray
54db4b39c4 Add vnetbuild 2015-04-25 09:22:58 +01:00
Costa Tsaousis (ktsaou)
ee9bdb4535 disabled spinner in explain mode 2015-04-25 01:20:41 +03:00
Costa Tsaousis (ktsaou)
665538ca24 allowed to define multiple "except" rules in statements that accept this keyword 2015-04-25 01:16:35 +03:00
Costa Tsaousis (ktsaou)
53cdfc6b1d fix for older versions of ipset 2015-04-24 21:31:32 +03:00
Costa Tsaousis (ktsaou)
2a8547d47d fix for older versions of ipset 2015-04-24 21:01:40 +03:00
Costa Tsaousis (ktsaou)
2647833260 fix for older versions of ipset 2015-04-24 20:57:20 +03:00
Costa Tsaousis (ktsaou)
323c25d320 fix for older versions of ipset 2015-04-24 20:56:24 +03:00
Costa Tsaousis (ktsaou)
d806def4ee fix for older versions of ipset 2015-04-24 20:55:04 +03:00
Costa Tsaousis (ktsaou)
503c76f0be ipset support for older machines: just set IPSET_RESTORE_SUPPORTS_FLUSH_SWAP_DESTROY=0; rule() now generates NAT rules with a protocol if a port has been specified 2015-04-24 20:39:09 +03:00
Costa Tsaousis (ktsaou)
16e9b715a4 fix for ERROR columns on some tc versions 2015-04-21 21:42:05 +03:00
Costa Tsaousis (ktsaou)
8e7b3a14eb added the ability to stop QoS on a specific device - just append the device name to the stop command #32 2015-04-16 22:32:58 +03:00
Costa Tsaousis (ktsaou)
f06c272d74 fix for emerging_block ipset 2015-04-02 06:35:42 +03:00
Costa Tsaousis (ktsaou)
d614fd7558 made STOP mode exit successfully; added support for restore option when specifying a filename on the command line 2015-03-23 17:19:49 +02:00
Costa Tsaousis (ktsaou)
18de85ffc8 services all and any are now simple services. service all now has multiple helpers, thus eliminating the need for ALL_SHOULD_ALSO_RUN 2015-03-13 11:59:51 +02:00
Costa Tsaousis (ktsaou)
d505ab0850 accept RELATED TCP ACK,RST packets on interface,router,master close() so that REJECT action works 2015-03-11 22:52:16 +02:00
Costa Tsaousis (ktsaou)
f1cde4907b pptp and sip added to ALL_SHOULD_ALSO_RUN to make "client all accept" work as expected 2015-03-08 19:11:43 +02:00
Costa Tsaousis (ktsaou)
e71c129c9d optimized simple_service() 2015-03-08 19:09:14 +02:00
Phil Whineray
c7824f2659 Ensure empty firewall works
Initialise a namespace even before we do anything so we still get
policy and dropped packet logging applied.
2015-03-05 07:29:55 +00:00
Costa Tsaousis (ktsaou)
a674e0967d cleanup and added back interface_default_class since it is needed for inheritance 2015-03-03 02:25:50 +02:00
Costa Tsaousis (ktsaou)
4b20d2d6d0 FIREQOS_INTERFACE_DEFAULT_CLASSID=8000 it seems the maximum is 9999 2015-03-02 23:29:20 +02:00
Costa Tsaousis (ktsaou)
fd8ac38739 added FIREQOS_INTERFACE_DEFAULT_CLASSID FIREQOS_MATCHES_STEP; some cleanup 2015-03-02 23:15:46 +02:00
Costa Tsaousis (ktsaou)
5670ea91d0 added state NEW to masquerade 2015-03-02 00:38:31 +02:00
Costa Tsaousis (ktsaou)
02c334649e reversed last commit - iptables does not allow inface in nat.POSTROUTING 2015-03-01 23:59:35 +02:00
Costa Tsaousis (ktsaou)
9d844c7785 allowed inface in SNAT and MASQUERADE 2015-03-01 23:53:46 +02:00
Phil Whineray
6f500b7269 Ensure ipv4 and ipv6 are used at the right time 2015-03-01 09:05:15 +00:00
Costa Tsaousis (ktsaou)
9bdf6d89d6 ENABLE_IPV4 and ENABLE_IPv6 can now be set in firehol.conf; fixed a bug where close_master() was not closing the firewall properly for both IPv4 and IPv6 - it was closing the same IPvX of the last interface or router - this bug seems to be there since the inclusion of IPv6 support 2015-03-01 04:16:16 +02:00
Costa Tsaousis (ktsaou)
d2984e6198 added action type "sockets_suspects_trap" as a shortcut to create TRAP_AND_DROP or TRAP_AND_REJECT type actions; removed -! from ipset options - they make ipset ignore the action without error - this option is only needed for "restore". 2015-02-28 00:31:32 +02:00
Costa Tsaousis (ktsaou)
7c5a213b7a iptrap now creates the trap if it is not already created 2015-02-26 23:10:47 +02:00
Costa Tsaousis (ktsaou)
84c880439f do not attempt to set net.netfilter.nf_conntrack_helper=1 if /proc/sys/net/netfilter/nf_conntrack_helper is not available to eliminate the warning on all kernels prior to 3.5 2015-02-26 14:30:50 +02:00
Costa Tsaousis (ktsaou)
c173c79c8e nat_helper now supports balancing multiple IPs or ports on all NAT modes (snat, dnat, redirect), using round robin or weighted distribution of requests; fixed an issue of certain failure conditions where the error was generated in a subshell; ipsets now add values ignoring duplicates; FireHOL now reports the final number of iptables rules generated 2015-02-26 02:35:41 +02:00
Costa Tsaousis (ktsaou)
c90249fd78 first attempt to make synproxy work with dynamic IP; added option FIREHOL_SYNPROXY_EXCLUDE_OWNER which once set to 1 will enable matching synproxy packets with owner - it will require "src not" though; made it drop invalid TCP ACK packets from server to client; made synproxy marking a little bit stricter by matching SYN packet 2015-02-23 09:34:05 +02:00
Costa Tsaousis (ktsaou)
e7cf10dbd5 re-wrote multiport support - now it does its best to combine multiports in groups in order to minimize the generated statements 2015-02-23 08:08:00 +02:00
Costa Tsaousis (ktsaou)
a7c4287561 should check for "any" not just empty 2015-02-23 06:10:44 +02:00
Costa Tsaousis (ktsaou)
c1d46bec40 added protected parameters to the first action taken - before it was forced for double branching without reason 2015-02-23 06:02:28 +02:00
Costa Tsaousis (ktsaou)
8dde88092d fixed log comments on non-fast activation; required protocol on all actions where custom matches are given 2015-02-23 05:49:52 +02:00
Costa Tsaousis (ktsaou)
6110512dcf fixed monitor mode - it was not executing the commands because it was running with debug enabled 2015-02-22 08:10:25 +02:00
Costa Tsaousis (ktsaou)
6977473de1 fixed typo of the last commit 2015-02-22 07:42:37 +02:00
Costa Tsaousis (ktsaou)
f7f1437d57 allowed outface in synproxy 2015-02-22 07:35:29 +02:00
Costa Tsaousis (ktsaou)
6bb642b901 all NAT helpers support keyword "at" to specify the chain to be attached 2015-02-22 03:51:41 +02:00
Costa Tsaousis (ktsaou)
c8720f3d7d was ignoring fallback gateways 2015-02-21 06:24:47 +02:00
Costa Tsaousis (ktsaou)
063abbb284 traceroute6 replaced with traceroute -6 2015-02-21 02:16:03 +02:00
Costa Tsaousis (ktsaou)
8459d75f71 synproxy: enable lo routing only when it is necessary; synproxy: on custom actions in INPUT, ACCEPT the SYN packet on filter.OUTPUT and apply the custom action only on filter.INPUT to ensure the custom action is only applied once. 2015-02-20 16:04:46 +02:00
Costa Tsaousis (ktsaou)
bd9d711462 fixed comments in synproxy 2015-02-20 02:07:54 +02:00
Costa Tsaousis (ktsaou)
fbfa90f727 added more blocking chains for synproxy; re-arranged arguments to allow user requested logging of packets 2015-02-20 01:37:52 +02:00