Extended kernel modules handling to simple services too.
Simple services can now have:
require_myservice_modules="module"
require_myservice_nat_modules="module"
in order to have these modules installed if and when "myservice" is
used.
Added the "masquerade" interfaces subcommand, that gives a shortcut to
masquerade on the output of an interface.
FireHOL now has a separate rule to match all RELATED packets on all
chains. This is always added at the top of the firewall.
FireHOL now DROPs all INVALID packets, as suggested by the iptables
HOW-TO.
Various other minor enhancements.
operation.
After suggestions by Fco.Felix Belmonte (ffelix@gescosoft.com),
I have added:
a) RESERVED_IPS, PRIVATE_IPS, MULTICAST_IPS and UNROUTABLE_IPS
You can use the above in src (and src not) parameters to match them.
The use of UNROUTABLE_IPS is suggested for cases where an interface is
exclusively public.
b) kernel module requirements per complex service and for the
configuration file as a whole.
Now you can use:
# one line for each module, somewhere in your config file
require_kernel_module <kernel_module>
to have FireHOL require some kernel module to successfully complete
the firewall configuration.
As an option for those running NAT, you can use:
FIREHOL_NAT=1 # put this at the top of your config file
to make the complex services require also the NAT modules for the
services they implement.
Finally, I have added a get-iana.sh script that produces one BASH
statement for RESERVED_IPS.
By default, when multiple instances of interfaces/ports/addresses exist,
FireHOL produces one rule for each instance. However, when negative
expressions were defined, the previous approach produced ORed iptables
statements instead of ANDed statements.
The new code now produces linked lists of iptables chains for all negative
expressions, so that one rule for each positive expression is reached only
if ALL the negative expressions match.
Example: interface eth0 myname src "1.1.1.1 2.2.2.2"
This will correctly produce two independent rules, one for each IP address.
But:
interface eth0 myname src NOT "1.1.1.1 2.2.2.2"
was incorrectly producing two independent rules. Now the latter statement
produces a linked list that first matches that the source of the packets
is not 1.1.1.1, in which case it forwards the packets to the second chain
in the list that confirms that the packets are not coming from 2.2.2.2,
which finally sends the packets to their destination to be checked if they
are coming from eth0.
Note: I don't know the overhead of this linked list thing. I hope iptables
is fast enough...
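As an added illustration (not FireHOL's own code), the following POSIX shell functions emit the iptables commands that a positive and a negated src list expand to, and simulate how the old ORed expansion and the new linked-chain expansion treat a packet from a given source address. The chain names (myname_in, myname_in_not1, ...) and the ACCEPT target are assumed for the example; FireHOL's real chain naming differs.

```shell
#!/bin/sh
# Added example, not FireHOL's own code. Shows the iptables commands a
# positive and a negated "src" list expand to, and simulates how each
# expansion treats a packet from a given source address.
# Chain names and the ACCEPT target are assumed for illustration.

# Positive list: one independent rule per address (an implicit OR).
gen_src_rules() {
    chain="$1"; iface="$2"; target="$3"; shift 3
    for ip in "$@"; do
        echo "iptables -A $chain -i $iface -s $ip -j $target"
    done
}

# Negated list, old (wrong) expansion: one terminating rule per "! -s".
# Any address that differs from at least one entry matches, so the
# entries are ORed and the exclusion is ineffective.
gen_src_not_rules_ored() {
    chain="$1"; iface="$2"; target="$3"; shift 3
    for ip in "$@"; do
        echo "iptables -A $chain -i $iface ! -s $ip -j $target"
    done
}

# Negated list, new expansion: a linked list of chains. A packet only
# reaches the final rule after passing every "! -s" test (an AND).
gen_src_not_rules_anded() {
    chain="$1"; iface="$2"; target="$3"; shift 3
    prev="$chain"; n=0
    for ip in "$@"; do
        n=$((n + 1))
        next="${chain}_not${n}"
        echo "iptables -N $next"
        echo "iptables -A $prev ! -s $ip -j $next"
        prev="$next"
    done
    echo "iptables -A $prev -i $iface -j $target"
}

# Simulation of the ORed rules: returns 0 if a packet from $1 would be
# accepted, i.e. if it differs from at least one listed address.
ored_not_accepts() {
    src="$1"; shift
    for ip in "$@"; do
        [ "$src" != "$ip" ] && return 0
    done
    return 1
}

# Simulation of the linked chains: returns 0 only if the packet differs
# from every listed address; the first equal address ends the walk.
anded_not_accepts() {
    src="$1"; shift
    for ip in "$@"; do
        [ "$src" = "$ip" ] && return 1
    done
    return 0
}

# Demonstration with the addresses used in the changelog entry.
echo "# src \"1.1.1.1 2.2.2.2\""
gen_src_rules myname_in eth0 ACCEPT 1.1.1.1 2.2.2.2
echo "# src NOT \"1.1.1.1 2.2.2.2\" (old, ORed)"
gen_src_not_rules_ored myname_in eth0 ACCEPT 1.1.1.1 2.2.2.2
echo "# src NOT \"1.1.1.1 2.2.2.2\" (new, linked chains)"
gen_src_not_rules_anded myname_in eth0 ACCEPT 1.1.1.1 2.2.2.2
```

With the ORed expansion a packet from 1.1.1.1 fails the first rule but matches the second ("! -s 2.2.2.2") and is accepted; with the linked chains it is dropped out of the walk at the first chain and never reaches the final rule, which is the ANDed behaviour the entry describes.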
UNMATCHED_INPUT_POLICY=
UNMATCHED_OUTPUT_POLICY=
UNMATCHED_ROUTER_POLICY=
and removed DEFAULT_ROUTER_POLICY since iptables accepts only DROP and ACCEPT.
To control what will happen to unmatched packets just set the above variables
in /etc/firehol.conf
Note that in any case (e.g. UNMATCHED_ROUTER_POLICY=ACCEPT) the packets will
still be logged to syslog.
Made also various aesthetic changes in the code.
Rules programmers can now include their service names in the
ALL_SHOULD_ALSO_RUN variable and the "all" service will run them
automatically.
DNS over TCP remains stateful, but DNS over UDP is now not stateful. This
will not bother your syslog if your DNS server fails to reply within the
stateful UDP timeout of iptables.
Added service rsync.
Added service vmwareauth.
Added service vmwareweb.
Added DEFAULT_ROUTER_POLICY to control how firehol handles its routing.
Fixed a bug where firehol script arguments were not passed to /etc/init.d/iptables.
Increased version number to 5.
Made it work on non-RedHat systems.
client/server/route now accept many services on the same line.
Other minor fixes and enhancements.
Verified NFS operation.