The problem is in array variables.
For some reason, an empty array member in BASH 3.1 produces no iptables
arguments, but in BASH 3.2 an empty array member produces an empty iptables
argument which breaks iptables.
When FireHOL has created the
$FIREHOL_SPOOL_DIR, it then runs chown and chmod on
the $FIREHOL_CONFIG_DIR. This looks like a
cut-n-paste error, since it at that point makes more
sense to chown/chmod $FIREHOL_SPOOL_DIR.
Example:
server smtp accept with recent NAME SECONDS HITS
where
NAME is a name for this RECENT match
SECONDS is a number, or empty ("")
HITS is a number, or empty ("")
Check:
iptables -m recent --help
for more information.
config file, it makes FireHOL drop all packets that appear as NEW
connections to the connection tracker but they are TCP and have ACK and FIN
set.
This should eliminate the logs that appear in a few busy environments where
the iptables connection tracker removes entries from its table when it
sees the FIN and therefore the ACK,FIN is considered a NEW connection.
See also https://sourceforge.net/tracker/?func=detail&atid=487693&aid=1326811&group_id=58425
inserting a rule with a -s which matched requests but did not match the
replies.
Now, the default is to allow established connections for knock and only
control NEW connections via knockd.
Added support for integration with knockd (http://www.zeroflux.org/knock/)
This integration comes as part of the ACCEPT action:
accept [with knock <name>]
The optional parameter 'with knock' allows easy integration with knockd,
a server that allows you to control access to services, by sending certain
packets to "knock" the door, before the door is open for service.
This parameter accepts just a name. This name is used to build a special
chain knock_<name> which will contain no rules, so that the traffic entering
this chain will just return back and continue to match against the other
rules until the end of the firewall.
As an example, lets say that you want to allow https traffic based on a knock.
In FireHOL you write:
server https accept with knock hidden
and you configure knockd so that it runs:
iptables -A knock_hidden -s %IP% -j ACCEPT
to enable the https service (notice that there is no need to match anything
else than the IP. FireHOL already matches everything needed for its rules
to work), and:
iptables -D knock_hidden -s %IP% -j ACCEPT
to disable this service for the given IP.
tos - to set the TOS of packets
dscp - to set the DSCP field of packets (both raw and class)
Added optional rule parameters:
tos - to match the TOS of packets
mark - to match the MARK ID of packets
dscp - to match the DSCP field of packets (both raw and class)
Added the following actions to the rule() function:
dscp
The rule() function already had support for TOS and MARK.
Created by Carlos Rodrigues <crlf@users.sourceforge.net>
Feature Requests item #1050951 <https://sourceforge.net/tracker/?func=detail&atid=487695&aid=1050951&group_id=58425>
These rules work for client access only!
Pushing changes to slave servers won't work if these rules are active
somewhere between the master and its slaves, because it is impossible to
predict the ports where "yppush" will be listening on each push.
Pulling changes directly on the slaves will work, and could be improved
performance-wise if these rules are modified to open "fypxfrd". This wasn't
done because it doesn't make that much sense since pushing changes on the
master server is the most common, and recommended, way to replicate maps.
/etc/firehol/services
This directory may contain files ending with .conf. Example: imap.conf
Each file should *start* with a line like this:
#FHVER: 1
This must be the FIRST line of the file.
The number 1 is the FIREHOL_SERVICES_API version number. If the API within
FireHOL changes, FireHOL will refuse to load all those services files that
their API version number does not match.
