Commit Graph

197 Commits

Author SHA1 Message Date
Costa Tsaousis (ktsaou)
7c5a213b7a iptrap now creates the trap if it is not already created 2015-02-26 23:10:47 +02:00
Costa Tsaousis (ktsaou)
84c880439f do not attempt to set net.netfilter.nf_conntrack_helper=1 if /proc/sys/net/netfilter/nf_conntrack_helper is not available, to eliminate the warning on all kernels prior to 3.5 2015-02-26 14:30:50 +02:00
Costa Tsaousis (ktsaou)
c173c79c8e nat_helper now supports balancing multiple IPs or ports on all NAT modes (snat, dnat, redirect), using round robin or weighted distribution of requests; fixed an issue of certain failure conditions where the error was generated in a subshell; ipsets now add values ignoring duplicates; FireHOL now reports the final number of iptables rules generated 2015-02-26 02:35:41 +02:00
Costa Tsaousis (ktsaou)
c90249fd78 first attempt to make synproxy work with dynamic IP; added option FIREHOL_SYNPROXY_EXCLUDE_OWNER which once set to 1 will enable matching synproxy packets with owner - it will require "src not" though; made it drop invalid TCP ACK packets from server to client; made synproxy marking a little bit stricter by matching SYN packet 2015-02-23 09:34:05 +02:00
Costa Tsaousis (ktsaou)
e7cf10dbd5 re-wrote multiport support - now it does its best to combine multiports in groups in order to minimize the generated statements 2015-02-23 08:08:00 +02:00
Costa Tsaousis (ktsaou)
a7c4287561 should check for "any" not just empty 2015-02-23 06:10:44 +02:00
Costa Tsaousis (ktsaou)
c1d46bec40 added protected parameters to the first action taken - before it was forced for double branching without reason 2015-02-23 06:02:28 +02:00
Costa Tsaousis (ktsaou)
8dde88092d fixed log comments on non-fast activation; required protocol on all actions where there are custom matches given 2015-02-23 05:49:52 +02:00
Costa Tsaousis (ktsaou)
6977473de1 fixed typo of the last commit 2015-02-22 07:42:37 +02:00
Costa Tsaousis (ktsaou)
f7f1437d57 allowed outface in synproxy 2015-02-22 07:35:29 +02:00
Costa Tsaousis (ktsaou)
6bb642b901 all NAT helpers support keyword "at" to specify the chain to be attached 2015-02-22 03:51:41 +02:00
Costa Tsaousis (ktsaou)
8459d75f71 synproxy: enable lo routing only when it is necessary; synproxy: on custom actions in INPUT, ACCEPT the SYN packet on filter.OUTPUT and apply the custom action only on filter.INPUT to ensure the custom action is only applied once. 2015-02-20 16:04:46 +02:00
Costa Tsaousis (ktsaou)
bd9d711462 fixed comments in synproxy 2015-02-20 02:07:54 +02:00
Costa Tsaousis (ktsaou)
fbfa90f727 added more blocking chains for synproxy; re-arranged arguments to allow user requested logging of packets 2015-02-20 01:37:52 +02:00
Costa Tsaousis (ktsaou)
b03c9a3e9b secured synproxy; synproxy now matches synproxy-to-server packets as strictly as possible and does not allow the packets to flow in the NAT table; added -m iprange support in rule() (will be used for IP-IP expressions); support for port ranges using -; limited -m multiport usage to 7 ports (it allows 15, but half of them if they are ranges); renamed activation and finalization functions for better understanding; moved several postprocess commands to close_master() so that the generated statements appear in debug mode. 2015-02-19 23:06:00 +02:00
Costa Tsaousis (ktsaou)
48d0cb9846 synproxy done. It works in all scenarios tested. The way synproxy works, it interacts with transparent proxy, so misuse of the synproxy could allow an attacker to reach a transparent proxy on the same machine - we have to find a solution to isolate synproxy from the rest of the system 2015-02-19 03:21:51 +02:00
Costa Tsaousis (ktsaou)
0b36bbf278 synproxy now works on DNATed servers - still missing REDIRECTed ones 2015-02-16 03:29:21 +02:00
Costa Tsaousis (ktsaou)
e2401cef38 synproxy final touches 2015-02-15 23:39:33 +02:00
Costa Tsaousis (ktsaou)
422c450b07 fixed src/dst mixes #58; synproxy helper is now operational 2015-02-15 23:00:36 +02:00
Costa Tsaousis (ktsaou)
13cf138f29 internal variables xxx_IPS can be used to define both ipv4 and ipv6 IPs; #58 2015-02-15 21:29:58 +02:00
Costa Tsaousis (ktsaou)
b083d6fa3c disable colors on non-terminals 2015-02-15 21:20:59 +02:00
Costa Tsaousis (ktsaou)
2e8e223f6b fixed hashsize redirection to file 2015-02-15 20:44:20 +02:00
Costa Tsaousis (ktsaou)
fdda26f144 added synproxy helper - untested yet; FIREHOL_CONNTRACK_LOOSE_MATCHING to make conntrack use stricter matching on packets (required for synproxy); FIREHOL_CONNTRACK_MAX to set the max connections the connection tracker will support; FIREHOL_CONNTRACK_HASHSIZE to set the max hashsize the connection tracker will use; FIREHOL_TCP_SYN_COOKIES to control if tcp is using cookies (required for synproxy); FIREHOL_TCP_TIMESTAMPS to control if tcp is using timestamps (required for synproxy); unified all helpers that accept the chain to be attached to support multiple chains and shorter names (in, out, pre, post, pass); made blacklist() and iptrap() helpers work on filter (were on mangle - they should work after synproxy which is only in filter); re-wrote tos() tosfix() and dscp() to avoid branching and to support the new way of expressing chains; added SYNPROXY target in rule(); rule() now also supports inserting rules in chains (required by synproxy); INVALID and ACK+FIN drops are back in filter table (required by synproxy) 2015-02-15 20:30:34 +02:00
Costa Tsaousis (ktsaou)
07922d6915 removed FIREHOL_DEFAULT_CT_HELPERS and FIREHOL_AUTO_CT_HELPERS and added FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT which takes 3 values: kernel, firehol or manual 2015-02-15 12:55:11 +02:00
Costa Tsaousis (ktsaou)
543bef172f warning about FIREHOL_DEFAULT_CT_HELPERS=1 usage when using cthelper() 2015-02-15 12:19:43 +02:00
Costa Tsaousis (ktsaou)
6b6a0f0780 support for cthelper bidirectional match 2015-02-15 11:55:09 +02:00
Costa Tsaousis (ktsaou)
6d08565ff8 added mms helper back 2015-02-15 11:20:22 +02:00
Costa Tsaousis (ktsaou)
bf7e8bb276 added option FIREHOL_SUPPORT_MULTIPORT to control if firehol will use the multiport module, when possible (also re-wrote custom_function() to take advantage of this);
added option FIREHOL_PROTECTED_MATCHES to control if firehol will try to treat several matches (limit, connlimit, ipset, helpers) as expensive compared to chain jump;
added option FIREHOL_RULESET_MODE with values "optimal" and "accurate"; in "accurate" mode it works like before, in "optimal" it accepts all ESTABLISHED sockets and filters only based on NEW sockets (this is handled almost entirely by rule());
added option FIREHOL_DEFAULT_CT_HELPERS to enable or disable kernel automatic helper assignment (should be disabled for security);
added option FIREHOL_AUTO_CT_HELPERS to enable or disable FireHOL controlled automatic helper assignment (which also configures kernel helpers to use custom ports using the -j CT action on the raw table). This option reconstructs parts of the packet filtering flows in the raw table to enable the helpers for the specific flows needed to support the specific firewall. Wrote a flow inheritance system that keeps track of inface, outface, src and dst of interfaces, routers and groups and is able to re-construct the flows in the raw (or any) table once needed;
added option FIREHOL_GLOBAL_RPFILTER to apply reverse path filtering using the -m rpfilter module of iptables in the raw table;
FIREHOL_DROP_INVALID=1 is now the default (and disabled the relative protection when this is set) and is also assumed to be enabled when FIREHOL_RULESET_MODE="optimal"; it is also applied in mangle instead of filter to prevent unnecessary traversal of the mangle table;
added cthelper firehol helper to configure iptables helpers usage (in case FIREHOL_AUTO_CT_HELPERS=0);
changed the way RELATED packets are accepted: previously all RELATED packets were accepted at the end of each interface, router and globally; now only ICMP (and ICMPv6) RELATED packets are accepted at these places; RELATED packets from the conntrack helpers are only accepted by the RELATED matches generated at the specific place they are used;
FIREHOL_DROP_ORPHAN_TCP_ACK_FIN is now applied (when enabled) at the beginning of the firewall, not the end. It is also placed in the mangle table, not the filter;
fixed a bug in rule() when both ipv4 and ipv6 src/dst were given;
fixed a bug in rule() when logging and accounting was applied before all the matches were made;
fixed a bug in rule() when it was incorrectly adding unnecessary protocol matches (was not resetting require_protocol_with_action);
added helper match in rule();
added CT action in rule();
rule() can now create up to a double branch in cases where it is needed;
simple_service() is now caching service definitions, for gaining some extra speed;
added command line options "optimal" and "accurate" to quickly set FIREHOL_RULESET_MODE to the relative option;
unified firewall_policy() for both ipv4 and ipv6;
2015-02-15 02:27:42 +02:00
Costa Tsaousis (ktsaou)
0d59384b1a optimized server/client statements branching - controlled with FIREHOL_CHAIN_PER_SERVICE option - implemented with chain aliases so that all services still work without change; optimized nat and transparent_proxy branching; added support in rule() for actions that require a protocol (like REDIRECT); disabled spinner on non-terminals; added cstatus command line option to show the connection tracker status; status now also shows the raw table and the active ipsets; the generated rules are now 20-30% less due to less branching 2015-02-13 02:43:38 +02:00
Costa Tsaousis (ktsaou)
c8b6a86d01 removed pid sid cmd matches since they are not supported anymore; updated params man page - still incomplete though 2015-02-12 23:02:13 +02:00
Costa Tsaousis (ktsaou)
5ac3263d72 renamed iplimit to connlimit - iplimit no longer exists; preferred to put negative src/dst ipsets in possibly available negative branch 2015-02-12 22:23:00 +02:00
Costa Tsaousis (ktsaou)
ed972f3358 removed a push/pop namespace for rules(), seems to be a left-over from when src/dst IPs were validated 2015-02-12 20:53:41 +02:00
Costa Tsaousis (ktsaou)
6a892ee6d2 default option for ipset options to support older ipset versions; fix when setting ENABLE_IPVx=0 to firehol-defaults that was giving errors 2015-02-12 17:46:22 +02:00
Costa Tsaousis (ktsaou)
6bda3e6f7a forgot to add ${custom} to constraints check 2015-02-12 03:10:18 +02:00
Costa Tsaousis (ktsaou)
c4e0ef630e infinite loop on constraints branching 2015-02-12 02:13:27 +02:00
Costa Tsaousis (ktsaou)
9592c4b35a left a log line uncommented 2015-02-12 01:49:07 +02:00
Costa Tsaousis (ktsaou)
407a366633 another re-write of rule(): a lot more optimized iptables rules generation, less branching, less generation of logging statements, more accurate positive and negative rules matching; added an optional progress spinner - off by default 2015-02-12 01:42:38 +02:00
Costa Tsaousis (ktsaou)
9546af275e fixed line wrapping in explain mode 2015-02-11 14:15:06 +02:00
Costa Tsaousis (ktsaou)
c7fba06f5e now iptrap can use any type of ipset (added option "method"), action supports ipuntrap, src/dst matching with ipset does not increment the ipset counters if present 2015-02-11 00:26:11 +02:00
Costa Tsaousis (ktsaou)
67b28c62dc fix for the last commit 2015-02-09 23:25:23 +02:00
Costa Tsaousis (ktsaou)
0465b2fd1c added command line option "reset-ipsets" to reset the dynamic ipsets created by firehol; separated ipset options used by iptrap when timeout and counters are used; added checks to make sure that an iptrap generated ipset is not used with both timeout and counters options 2015-02-09 23:18:49 +02:00
Costa Tsaousis (ktsaou)
8a7d3092a1 added options "timeout" and "counters" to iptrap. These control what will happen with packets already in the ipset: if the timeout will be reset at every packet, or the packet and bytes counters will be updated; they are mutually exclusive 2015-02-09 22:28:35 +02:00
Costa Tsaousis (ktsaou)
e02968e112 added ipset optional rule parameter and SET action in rule() 2015-02-08 22:59:41 +02:00
Costa Tsaousis (ktsaou)
cf8b510095 removed from iptrap the functionality to create actions; now the action helper can create a list of actions with logic in them; updated docs 2015-02-08 14:42:35 +02:00
Costa Tsaousis (ktsaou)
a58365d6f5 iptrap helper can accept an action other than RETURN, can apply its rules in multiple tables with the table keyword and can just create a chain without linking it with the define_action keyword 2015-02-08 12:19:51 +02:00
Costa Tsaousis (ktsaou)
1a80afc8c8 blacklist and iptrap except rules now accept negative expressions too; firehol explain now has a history 2015-02-08 10:44:00 +02:00
Costa Tsaousis (ktsaou)
3b8505f73d added helper ipuntrap, to undo what iptrap does; keyword "except" does not accept negative expressions - added check in rule(); workaround for a bash bug that did not show all commands in explain mode; added some color and option -nc to disable colors; added some more info in various points for debug mode; debug mode was not generating comments - fixed it 2015-02-07 17:28:43 +02:00
Costa Tsaousis (ktsaou)
daf7981da0 added IPTRAP_DEFAULT_IPSET_OPTIONS in defaults to control the ipset options used by iptrap 2015-02-07 12:18:13 +02:00
Costa Tsaousis (ktsaou)
c4ca4630ab fix for allowing UNROUTABLE_IPS and the rest of internal ip set in ipset 2015-02-07 12:01:40 +02:00
Costa Tsaousis (ktsaou)
c98e6aa29c cleanup and optimizations in rule() 2015-02-07 08:46:46 +02:00