Costa Tsaousis (ktsaou)
|
f8e953f061
|
iptrap generated ipsets do not lose their values when the firewall is restarted
|
2015-02-06 22:43:23 +02:00 |
|
Costa Tsaousis (ktsaou)
|
68f52a99f9
|
modified iptrap helper to create the ipset if not already created, and do not alter the traffic, just trap the IP; it also supports src,dst and dst,src sets
|
2015-02-06 11:12:30 +02:00 |
|
Costa Tsaousis (ktsaou)
|
90f46d6269
|
first commit for iptrap helper; made SIP service use both TCP and UDP; blacklist helper now is applied on PREROUTING mangle, before anything else.
|
2015-02-06 02:57:06 +02:00 |
|
Costa Tsaousis (ktsaou)
|
16b1a55c48
|
blacklist helper now accepts log text and inface to apply the blacklist to; it is re-written to use rule() instead of plain iptables commands; updated man page
|
2015-02-06 01:08:15 +02:00 |
|
Costa Tsaousis (ktsaou)
|
955cde92be
|
better cleanup and printout of differences reporting
|
2015-02-05 22:36:29 +02:00 |
|
Costa Tsaousis (ktsaou)
|
edb3413005
|
fixed ipsets update from files when obsolete files in /var/spool/firehol for the same ipset prevent an update
|
2015-02-05 02:24:56 +02:00 |
|
Costa Tsaousis (ktsaou)
|
c541723e32
|
prevent double cleanup of ipset temporary sets
|
2015-02-05 00:45:17 +02:00 |
|
Costa Tsaousis (ktsaou)
|
9f9a73a688
|
fixed ipset ipv6 support; better cleanup when ipset is interrupted by user
|
2015-02-05 00:05:13 +02:00 |
|
Costa Tsaousis (ktsaou)
|
72d4ce4c5c
|
missed a failure message in the last commit
|
2015-02-04 00:37:59 +02:00 |
|
Costa Tsaousis (ktsaou)
|
e27364b059
|
missed a failure message in the last commit
|
2015-02-04 00:36:55 +02:00 |
|
Costa Tsaousis (ktsaou)
|
79286f97f7
|
existing ipsets are updated by adding a temporary set and once finished adding, swapping it with the real ipset and removing the temporary one
|
2015-02-04 00:33:17 +02:00 |
|
Costa Tsaousis (ktsaou)
|
e81282ccb6
|
fix for iptables log comments with space in them in fast activation mode; #54
|
2015-02-03 21:21:01 +02:00 |
|
Costa Tsaousis (ktsaou)
|
4448133896
|
fix for when negative src/dst for both ipv4 and ipv6 appear on the same statement #55
|
2015-02-03 20:39:25 +02:00 |
|
Costa Tsaousis (ktsaou)
|
808e33a4a1
|
fixed a typo as per #53
|
2015-02-03 20:18:44 +02:00 |
|
Costa Tsaousis (ktsaou)
|
16849f1463
|
fix to detecting if snat, dnat, redirect have set a protocol
|
2015-02-03 12:31:57 +02:00 |
|
Costa Tsaousis (ktsaou)
|
6ef9d4f2a4
|
added custom-in and custom-out optional rule parameters, as requested in #53; keep in mind that these rules cannot be used in helpers, only in interface, router, group with, server, client, route. For routers, the general rule is that custom-in is applied on traffic from inface and custom-out on the opposite direction
|
2015-02-03 01:36:15 +02:00 |
|
Costa Tsaousis (ktsaou)
|
7c11a26a1b
|
added options random and persistent for snat, dnat and redirect helpers
|
2015-02-02 23:59:49 +02:00 |
|
Costa Tsaousis (ktsaou)
|
cdaf280e53
|
added to-ports and random option for masquerade helper
|
2015-02-02 23:28:35 +02:00 |
|
Costa Tsaousis (ktsaou)
|
85056a0079
|
removed obsolete code; made it log to syslog all progress steps and detect configuration files that may be included from the main config file
|
2015-02-02 22:54:11 +02:00 |
|
Costa Tsaousis (ktsaou)
|
a7be46d9f7
|
console output cleanup; all messages sent to stderr
|
2015-02-02 00:39:33 +02:00 |
|
Costa Tsaousis (ktsaou)
|
e05aaee4d9
|
ipset code cleanup
|
2015-02-02 00:16:33 +02:00 |
|
Costa Tsaousis (ktsaou)
|
93dfc2b217
|
fix for ipset compatibility
|
2015-02-01 23:06:48 +02:00 |
|
Costa Tsaousis (ktsaou)
|
c963110764
|
support for older versions of ipset
|
2015-02-01 22:51:13 +02:00 |
|
Costa Tsaousis (ktsaou)
|
cbd07447f7
|
added ipv4, ipv6 and ipv46 shortcuts for helpers
|
2015-02-01 21:20:14 +02:00 |
|
Costa Tsaousis (ktsaou)
|
f840b5d7ee
|
added shortcuts "default" and "classic" to markdef
|
2015-02-01 20:39:26 +02:00 |
|
Costa Tsaousis (ktsaou)
|
cd50ca58ae
|
blacklist now logs dropped packets
|
2015-02-01 17:17:34 +02:00 |
|
Costa Tsaousis (ktsaou)
|
0366bd1909
|
properly match the whole ipset collection name when running with ipset_update_from_file and save the updated statements for restoration in /var/spool/firehol
|
2015-02-01 16:22:12 +02:00 |
|
Costa Tsaousis (ktsaou)
|
7b8167d3c9
|
firehol now accepts command line parameter "ipset_update_from_file"; example in wiki: https://github.com/ktsaou/firehol/wiki/FireHOL-support-for-ipset
|
2015-02-01 07:15:10 +02:00 |
|
Costa Tsaousis (ktsaou)
|
64913be3ca
|
changed syntax of ipset to comply with ipset
|
2015-02-01 06:09:17 +02:00 |
|
Costa Tsaousis (ktsaou)
|
c15e5e76fe
|
extended ipset option file to grep only ips (ipfile) or only nets (netfile)
|
2015-02-01 04:18:02 +02:00 |
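The two ipset mechanisms described in the commits above, the temporary-set swap of 79286f97f7 (build a fresh set, swap it with the live one, destroy the leftover) and the ipfile/netfile filtering of c15e5e76fe, shown together as an added shell example. This is not FireHOL's own code: it is a stand-alone sketch of the technique, assuming an ipset binary reachable as `$IPSET_CMD` (defaulting to `ipset`), set names short enough that `NAME_tmp` stays within ipset's 31-character name limit, and an input file of one IPv4 address or CIDR prefix per line with `#` comments. The function names and the `_tmp` suffix are hypothetical.

```shell
# Added example, not FireHOL code. Assumes an ipset binary reachable as
# $IPSET_CMD (default "ipset"), set names short enough that "NAME_tmp" stays
# within ipset's 31-character limit, and an input file with one IPv4 address
# or CIDR prefix per line ('#' starts a comment). Function names are hypothetical.

IPSET_CMD="${IPSET_CMD:-ipset}"

# ipset_entries FILE MODE - print the usable entries of FILE, one per line.
#   MODE ip  : plain addresses only   (the "ipfile" behaviour)
#   MODE net : CIDR prefixes only     (the "netfile" behaviour)
#   MODE any : both                   (the plain "file" behaviour)
ipset_entries() {
    file="$1"
    mode="${2:-any}"
    case "$mode" in
        ip)  re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$' ;;
        net) re='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' ;;
        any) re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' ;;
        *)   echo "ipset_entries: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # strip comments and blank lines, keep the first field of each line,
    # then keep only the lines that look like the requested kind of entry
    sed 's/#.*//' "$file" | awk 'NF { print $1 }' | grep -E "$re" || true
}

# ipset_update_from_file NAME TYPE FILE [MODE]
# Replace the contents of the live set NAME (of ipset TYPE, e.g. hash:net)
# with the entries of FILE. Rules referencing NAME keep matching the old
# contents until the swap and the new contents right after it; at no point
# is NAME missing or half-loaded.
ipset_update_from_file() {
    name="$1"
    settype="$2"
    file="$3"
    mode="${4:-any}"
    tmp="${name}_tmp"

    # a previous run interrupted between create and destroy may have left
    # the temporary set behind; a stale one would make "create" fail
    "$IPSET_CMD" destroy "$tmp" 2>/dev/null || true

    # swap needs both sets to exist and to be of the same type;
    # -exist makes the create of the real set a no-op when it is already there
    "$IPSET_CMD" -exist create "$name" "$settype" || return 1
    "$IPSET_CMD" create "$tmp" "$settype" || return 1

    # bulk load through "ipset restore" (one process) rather than one
    # "ipset add" per entry; -exist tolerates duplicate entries in FILE
    if ! ipset_entries "$file" "$mode" \
            | awk -v s="$tmp" '{ print "add " s " " $1 }' \
            | "$IPSET_CMD" -exist restore; then
        "$IPSET_CMD" destroy "$tmp"
        return 1
    fi

    # atomically exchange the contents of the two sets, then drop the old data
    if ! "$IPSET_CMD" swap "$tmp" "$name"; then
        "$IPSET_CMD" destroy "$tmp"
        return 1
    fi
    "$IPSET_CMD" destroy "$tmp"
}

# Example (refreshes the live set "badnets" from a file of CIDR prefixes):
#   ipset_update_from_file badnets hash:net /etc/firehol/badnets.txt net
```

Source the file and call `ipset_update_from_file` from cron or from the firewall's own reload hook. The leading `destroy` of the temporary set is what keeps an interrupted previous run from wedging every later update, and every failure path destroys the temporary set exactly once, so the live set is never touched unless the whole list loaded cleanly.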
|
Costa Tsaousis (ktsaou)
|
1fdf21c109
|
added ipset helper to initialize ipset. It is a full wrapper around the ipset command. The key difference is that it accepts a list of IPs at the "ipset create" line, or the keyword "file" to load ips from a file.
|
2015-02-01 01:08:12 +02:00 |
|
Costa Tsaousis (ktsaou)
|
6c98852f4f
|
added support for ipset matches in src, dst and blacklist(); to use it, instead of any IP just use "ipset:NAME" where NAME is the name of the ipset; ipsets can coexist with IPs, example: server smtp accept src 1.2.3.4,ipset:GOODSMTP,ipset:BESTSMTP,5.6.7.8
|
2015-01-31 19:25:19 +02:00 |
|
Costa Tsaousis (ktsaou)
|
1fd3844b41
|
Check for BASH version 4 or later; properly handle response codes of configuration file sourcing
|
2015-01-31 17:02:43 +02:00 |
|
Costa Tsaousis (ktsaou)
|
1eef048246
|
10% faster again... the basecmd declaration in rule() was responsible for most of it...
|
2015-01-31 14:35:25 +02:00 |
|
Costa Tsaousis (ktsaou)
|
073349954a
|
fix for last commit; FIREHOL_WAIT_USER_BEFORE_TRY is only used when the firewall is tried
|
2015-01-31 02:59:27 +02:00 |
|
Costa Tsaousis (ktsaou)
|
1c9867d877
|
added option FIREHOL_WAIT_USER_BEFORE_TRY=600 to wait for user confirmation before fast-activation
|
2015-01-31 02:53:34 +02:00 |
|
Costa Tsaousis (ktsaou)
|
f4e4b4c764
|
now it properly traces includes of config files from within config files, and reports proper line numbers and source files; fixed a typo in rule(); moved defaults file generation after the config dir has been created; firehol is 25-30% faster in preprocessing compared to the previous commit - re-arranged almost all local variables (this only accounts for 4% increase in preprocessing speed); improved error handling when fast activation is disabled (30% faster activation with fast activation disabled)
|
2015-01-31 00:45:56 +02:00 |
|
Costa Tsaousis (ktsaou)
|
4f2b99298a
|
marks can now be stateful/stateless and temporary/permanent as per #50
|
2015-01-25 17:59:28 +02:00 |
|
Costa Tsaousis (ktsaou)
|
21b187a5d0
|
Merge branch 'master' of github.com:ktsaou/firehol
|
2015-01-24 22:11:24 +02:00 |
|
Costa Tsaousis (ktsaou)
|
1952feb160
|
support for comma as a list separator; optimizations for fireqos
|
2015-01-24 21:46:38 +02:00 |
|
Phil Whineray
|
17b85843c7
|
Account for work_error not incremented in subshell
|
2015-01-24 16:58:57 +00:00 |
|
Phil Whineray
|
0945acdf86
|
Clean up errors when applying a missing mark
Stop logger from breaking if our message has e.g. -arg in it
Return from mark helpers if there was an error and no result from mark_value()
|
2015-01-24 16:44:15 +00:00 |
|
Costa Tsaousis (ktsaou)
|
2488287e5b
|
centralized mark value calculation and error handling for all tools
|
2015-01-24 17:32:23 +02:00 |
|
Costa Tsaousis (ktsaou)
|
7f7045003f
|
removed peek_namespace, fixed pop_namespace #45
|
2015-01-24 13:17:20 +02:00 |
|
Costa Tsaousis (ktsaou)
|
d688b97365
|
fixed namespace pop #45
|
2015-01-24 13:06:43 +02:00 |
|
Costa Tsaousis (ktsaou)
|
91f6732e4a
|
allowed multiple marks for each mark match #47
|
2015-01-24 12:31:25 +02:00 |
|
Costa Tsaousis (ktsaou)
|
538e8b7b9a
|
optimized firehol; gained a 43% speed increase compared to the previous version; there are still a few optimizations to be made that will contribute probably another 10%; still everything is in BASH; #45
|
2015-01-24 04:21:04 +02:00 |
|
Costa Tsaousis (ktsaou)
|
b0b3659399
|
workaround what seems to be an associative array bash bug
|
2015-01-23 23:47:40 +02:00 |
|
Costa Tsaousis (ktsaou)
|
44cabf981b
|
added check to detect re-definition of a mark type
|
2015-01-23 00:42:30 +02:00 |
|
Costa Tsaousis (ktsaou)
|
519b7b05b3
|
moved marks.conf into firehol-defaults.conf; added support for custom defined marks using the custommark firehol helper and the match with the same name; #23
|
2015-01-23 00:34:22 +02:00 |
|