an error and where not producing any iptables statements.
This was happening because FireHOL relies on nested BASH loops, and bash
does not loop with empty iterations...
(i.e. optimum) quality of iptables firewall.
Now, instead of the linked-list that was created for negative expressions,
we match all positive expressions before the negatives and all the
negatives are together in one chain.
This also fixed possible performance problems due to the large number
of chains and rules that the packets had to traverse in order to get
matched (or not matched).
The fact that now positive rules are matched before negatives has also the
benefit that not all traffic has to be matched against the negatives. Now,
first we select what might be good for a rule, and then we check if this
breaks the negative expressions.
Last, this made the iptables firewall much more clear and human readable.
They treat it as cat >>EOF and thus they do variable substitution on the
text.
Now, FireHOL uses cat >>EOF but the text has been escaped in order to avoid
variable substitution.
The problem has been reported by Florian Thiel <thiel@ksan.de>.
order to handle quoted arguments accurately.
Fixed a bug in postprocessing error handler that did not present the
command line that produced the error.
Fixed iptables generation to support quoted arguments.
Made chain names shorter.
Every single element in the firehol config now gets its own chain.
Previously, the same services (e.g. smtp servers) were implemented using
only one pair of chains.
Enhanced the error handler of logical and syntactical error. Now it says
were and why an error has occured.
a. Fixed service IRC to work on TCP instead of UDP.
b. Added services: UUCP, VNC, WEBCACHE, IMAPS, IKE.
Also fixed the home-router.conf example (it was outdated).
Any allows the administrator to define any stateful rule to match services
that cannot have source and destination ports, such as unusual protocols,
etc.
Syntax: type any name action [optional rule parameters]
type: server/client/route
name: the name for the service (used for the chain)
action: accept, reject, etc.
Added service: multicast
Multicast allows the administrator to match packets with destination
224.0.0.0/8 in both directions (input/output).
that when used it activates the firewall and waits 30 seconds for the
administrator to type 'commit' in order to keep the firewall active.
If the administrator does not write 'commit' or the timeout passes, FireHOL
restores the previous firewall.
Also, if you break (Ctrl-C) FireHOL while activating the new firewall,
FireHOL will restore the old firewall.
protections.
Made the core of FireHOL operate on multiple tables (not assuming the
rules refer to the 'filter' table). This will allow FireHOL to support
all kinds of NAT chains in the future.
(The old 'route' subcommand is an alias for the 'server' subcommand -
within a router).
Protection can be reversed on routers to match outface instead of inface.
Masquerade can be used in interfaces, routers (matches outface - but can
be reverse(ed) to match inface) or as a primary command with all the
interfaces to be masqueraded in an argument.
Extended kernel modules handling to simple services too.
Simple services can now have:
require_myservice_modules="module"
require_myservice_nat_modules="module"
in order to have these modules installed if and when "myservice" is
used.
Added the "masquerade" interfaces subcommand, that gives a shortcut to
masquerade on the output of an interface.
FireHOL, now have a separate rule to match all RELATED sockets on all
chains. This is always added at the top of the firewall.
FireHOL, now DROPs all INVALID packets, as suggested by the iptables
HOW-TO.
Various other minor enhancements.
operation.
After suggestions by Fco.Felix Belmonte (ffelix@gescosoft.com),
I have added:
a) RESERVED_IPS, PRIVATE_IPS, MULTICAST_IPS and UNROUTABLE_IPS
You can use the above in SRC (not) parameters to match them.
The use of UNROUTABLE_IPS is suggested for cases where an interface is
exclusivelly public.
b) kernel module requirements per complex service and for the
configuration file as a whole.
Now you can use:
# one line for each module, somewhere in your config file
require_kernel_module <kernel_module>
to have FireHOL require some kernel module to succesfully complete
the firewall configuration.
As an option for those running NAT, you can use:
FIREHOL_NAT=1 # put this at the top of your config file
to make the complex services require also the NAT modules for the
services they implement.
Finally, I have added a get-iana.sh script that produces one BASH
statement for RESERVED_IPS.
By default, when multiple instances of interfaces/ports/addresses exist
FireHOL produces one rule for each instance. However when negative
expressions were defined the previous approach was producing ORed iptables
statements instead of ANDed statements.
The new code, now produces linked lists of iptables chains for all negative
expressions so that only if ALL the negative are matched, one rule for each
positive expression will be produced.
Example: interface eth0 myname src "1.1.1.1 2.2.2.2"
This will correctly produce two indepedent rules, one for each IP address.
But:
interface eth0 myname src NOT "1.1.1.1 2.2.2.2"
was incorrectly producing two indepedent rules. Now the later statement
produces a linked list that first matches that the source of the packets
is not 1.1.1.1, in which case it forwards the packets to the second chain
in the lists that confirms that the packets are not comming from 2.2.2.2,
which finally sends the packets to their destination to be checked if they
are comming from eth0.
Note: I don't know the overhead of this linked list thing. I hope iptables
is fast enough...
UNMATCHED_INPUT_POLICY=
UNMATCHED_OUTPUT_POLICY=
UNMATCHED_ROUTER_POLICY=
and removed DEFAULT_ROUTER_POLICY since iptables accepts only DROP and ACCEPT.
To control what will happen to unmatched packets just set the above variables
in /etc/firehol.conf
Note that in any case (e.g. UMATCHED_ROUTER_POLICY=ACCEPT) the packets will
still be logged to syslog.
Made also various aesthetic changes in the code.
Rules programmers can now include their service names in the
ALL_SHOULD_ALSO_RUN variable and the "all" service will run them
automatically.
DNS over TCP is stateful but over UDP is now not stateful. This will not bother your syslog if your DNS server fails to reply within the stateful UDP timeout of iptables.
Added service rsync.
Added service vmwareauth.
Added service vmwareweb.
Added DEFAULT_ROUTER_POLICY to control how firehol handles its routing.
Fixed a bug where firehol script arguments were not passed to /etc/init.d/iptables.
Increased version number to 5.
Made it work on non RedHat systems.
client/server/route now accept many services on the same line.
Other minor fixes and enhancements.
Verified NFS operation.