Commit Graph

145 Commits

Author SHA1 Message Date
Costa Tsaousis (ktsaou)
f8e953f061 iptrap generated ipsets do not lose their values when the firewall is restarted 2015-02-06 22:43:23 +02:00
Costa Tsaousis (ktsaou)
68f52a99f9 modified iptrap helper to create the ipset if not already created, and do not alter the traffic, just trap the IP; it also supports src,dst and dst,src sets 2015-02-06 11:12:30 +02:00
Costa Tsaousis (ktsaou)
90f46d6269 first commit for iptrap helper; made SIP service use both TCP and UDP; blacklist helper now is applied on PREROUTING mangle, before anything else. 2015-02-06 02:57:06 +02:00
Costa Tsaousis (ktsaou)
16b1a55c48 blacklist helper now accepts log text and inface to apply the blacklist to; it is re-written to use rule() instead of plain iptables commands; updated man page 2015-02-06 01:08:15 +02:00
Costa Tsaousis (ktsaou)
955cde92be better cleanup and printout of differences reporting 2015-02-05 22:36:29 +02:00
Costa Tsaousis (ktsaou)
edb3413005 fixed ipsets update from files when obsolete files in /var/spool/firehol for the same ipset prevent an update 2015-02-05 02:24:56 +02:00
Costa Tsaousis (ktsaou)
c541723e32 prevent double cleanup of ipset temporary sets 2015-02-05 00:45:17 +02:00
Costa Tsaousis (ktsaou)
9f9a73a688 fixed ipset ipv6 support; better cleanup when ipset is interrupted by user 2015-02-05 00:05:13 +02:00
Costa Tsaousis (ktsaou)
72d4ce4c5c missed a failure message in the last commit 2015-02-04 00:37:59 +02:00
Costa Tsaousis (ktsaou)
e27364b059 missed a failure message in the last commit 2015-02-04 00:36:55 +02:00
Costa Tsaousis (ktsaou)
79286f97f7 existing ipsets are updated by adding a temporary set and once finished adding, swapping it with the real ipset and removing the temporary one 2015-02-04 00:33:17 +02:00
Costa Tsaousis (ktsaou)
e81282ccb6 fix for iptables log comments with space in them in fast activation mode; #54 2015-02-03 21:21:01 +02:00
Costa Tsaousis (ktsaou)
4448133896 fix for when negative src/dst for both ipv4 and ipv6 appear on the same statement #55 2015-02-03 20:39:25 +02:00
Costa Tsaousis (ktsaou)
808e33a4a1 fixed a typo as per #53 2015-02-03 20:18:44 +02:00
Costa Tsaousis (ktsaou)
16849f1463 fix to detecting if snat, dnat, redirect have set a protocol 2015-02-03 12:31:57 +02:00
Costa Tsaousis (ktsaou)
6ef9d4f2a4 added custom-in and custom-out optional rule parameters, as requested in #53; keep in mind that these rules cannot be used in helpers, only in interface, router, group with, server, client, route; for routers, the general rule is that custom-in is applied on traffic from inface and custom-out on the opposite direction 2015-02-03 01:36:15 +02:00
Costa Tsaousis (ktsaou)
7c11a26a1b added options random and persistent for snat, dnat and redirect helpers 2015-02-02 23:59:49 +02:00
Costa Tsaousis (ktsaou)
cdaf280e53 added to-ports and random option for masquerade helper 2015-02-02 23:28:35 +02:00
Costa Tsaousis (ktsaou)
85056a0079 removed obsolete code; made it log to syslog all progress steps and detect configuration files that may be included from the main config file 2015-02-02 22:54:11 +02:00
Costa Tsaousis (ktsaou)
a7be46d9f7 console output cleanup; all messages sent to stderr 2015-02-02 00:39:33 +02:00
Costa Tsaousis (ktsaou)
e05aaee4d9 ipset code cleanup 2015-02-02 00:16:33 +02:00
Costa Tsaousis (ktsaou)
93dfc2b217 fix for ipset compatibility 2015-02-01 23:06:48 +02:00
Costa Tsaousis (ktsaou)
c963110764 support for older versions of ipset 2015-02-01 22:51:13 +02:00
Costa Tsaousis (ktsaou)
cbd07447f7 added ipv4, ipv6 and ipv46 shortcuts for helpers 2015-02-01 21:20:14 +02:00
Costa Tsaousis (ktsaou)
f840b5d7ee added shortcuts "default" and "classic" to markdef 2015-02-01 20:39:26 +02:00
Costa Tsaousis (ktsaou)
cd50ca58ae blacklist now logs dropped packets 2015-02-01 17:17:34 +02:00
Costa Tsaousis (ktsaou)
0366bd1909 properly match the whole ipset collection name when running with ipset_update_from_file and save the updated statements for restoration in /var/spool/firehol 2015-02-01 16:22:12 +02:00
Costa Tsaousis (ktsaou)
7b8167d3c9 firehol now accepts command line parameter "ipset_update_from_file"; example in wiki: https://github.com/ktsaou/firehol/wiki/FireHOL-support-for-ipset 2015-02-01 07:15:10 +02:00
Costa Tsaousis (ktsaou)
64913be3ca changed syntax of ipset to comply with ipset 2015-02-01 06:09:17 +02:00
Costa Tsaousis (ktsaou)
c15e5e76fe extended ipset option file to grep only ips (ipfile) or only nets (netfile) 2015-02-01 04:18:02 +02:00
Costa Tsaousis (ktsaou)
1fdf21c109 added ipset helper to initialize ipset. It is a full wrapper around the ipset command. The key difference is that it accepts a list of IPs at the "ipset create" line, or the keyword "file" to load ips from a file. 2015-02-01 01:08:12 +02:00
Costa Tsaousis (ktsaou)
6c98852f4f added support for ipset matches in src dst and blacklist(); to use it, instead of any IP just use "ipset:NAME" where NAME is the name of the ipset; ipsets can coexist with IPs, example: server smtp accept src 1.2.3.4,ipset:GOODSMTP,ipset:BESTSMTP,5.6.7.8 2015-01-31 19:25:19 +02:00
Costa Tsaousis (ktsaou)
1fd3844b41 Check for BASH version 4 or later; properly handle response codes of configuration file sourcing 2015-01-31 17:02:43 +02:00
Costa Tsaousis (ktsaou)
1eef048246 10% faster again... the basecmd declaration in rule() was responsible for most of it... 2015-01-31 14:35:25 +02:00
Costa Tsaousis (ktsaou)
073349954a fix for last commit; FIREHOL_WAIT_USER_BEFORE_TRY is only used when the firewall is tried 2015-01-31 02:59:27 +02:00
Costa Tsaousis (ktsaou)
1c9867d877 added option FIREHOL_WAIT_USER_BEFORE_TRY=600 to wait for user confirmation before fast-activation 2015-01-31 02:53:34 +02:00
Costa Tsaousis (ktsaou)
f4e4b4c764 now it traces properly includes of config files from within config files, and reports proper line numbers and source files; fixed a typo in rule(); moved defaults file generation after the config dir has been created; firehol is 25-30% faster in preprocessing compared to the previous commit - re-arranged almost all local variables (this only accounts for 4% increase in preprocessing speed); improved error handling when fast activation is disabled (30% faster activation with fast activation disabled) 2015-01-31 00:45:56 +02:00
Costa Tsaousis (ktsaou)
4f2b99298a marks can now be stateful/stateless and temporary/permanent as per #50 2015-01-25 17:59:28 +02:00
Costa Tsaousis (ktsaou)
21b187a5d0 Merge branch 'master' of github.com:ktsaou/firehol 2015-01-24 22:11:24 +02:00
Costa Tsaousis (ktsaou)
1952feb160 support for comma as a list separator; optimizations for fireqos 2015-01-24 21:46:38 +02:00
Phil Whineray
17b85843c7 Account for work_error not incremented in subshell 2015-01-24 16:58:57 +00:00
Phil Whineray
0945acdf86 Clean up errors when applying a missing mark
Stop logger from breaking if our message has e.g. -arg in it
Return from mark helpers if there was an error and no result from mark_value()
2015-01-24 16:44:15 +00:00
Costa Tsaousis (ktsaou)
2488287e5b centralized mark value calculation and error handling for all tools 2015-01-24 17:32:23 +02:00
Costa Tsaousis (ktsaou)
7f7045003f removed peek_namespace, fixed pop_namespace #45 2015-01-24 13:17:20 +02:00
Costa Tsaousis (ktsaou)
d688b97365 fixed namespace pop #45 2015-01-24 13:06:43 +02:00
Costa Tsaousis (ktsaou)
91f6732e4a allowed multiple marks for each mark match #47 2015-01-24 12:31:25 +02:00
Costa Tsaousis (ktsaou)
538e8b7b9a optimized firehol; gained a 43% speed increase compared to the previous version; there are still a few optimizations to be made that will probably contribute another 10%; still everything is in BASH; #45 2015-01-24 04:21:04 +02:00
Costa Tsaousis (ktsaou)
b0b3659399 work around what seems to be an associative array bash bug 2015-01-23 23:47:40 +02:00
Costa Tsaousis (ktsaou)
44cabf981b added check to detect re-definition of a mark type 2015-01-23 00:42:30 +02:00
Costa Tsaousis (ktsaou)
519b7b05b3 moved marks.conf into firehol-defaults.conf; added support for custom defined marks using the custommark firehol helper and the match with the same name; #23 2015-01-23 00:34:22 +02:00