Costa Tsaousis (ktsaou)
cdaf280e53
added to-ports and random option for masquerade helper
2015-02-02 23:28:35 +02:00
Costa Tsaousis (ktsaou)
85056a0079
removed obsolete code; made it log to syslog all progress steps and detect configuration files that may be included from the main config file
2015-02-02 22:54:11 +02:00
Costa Tsaousis (ktsaou)
a7be46d9f7
console output cleanup; all messages sent to stderr
2015-02-02 00:39:33 +02:00
Costa Tsaousis (ktsaou)
e05aaee4d9
ipset code cleanup
2015-02-02 00:16:33 +02:00
Costa Tsaousis (ktsaou)
93dfc2b217
fix for ipset compatibility
2015-02-01 23:06:48 +02:00
Costa Tsaousis (ktsaou)
c963110764
support for older versions of ipset
2015-02-01 22:51:13 +02:00
Costa Tsaousis (ktsaou)
cbd07447f7
added ipv4, ipv6 and ipv46 shortcuts for helpers
2015-02-01 21:20:14 +02:00
Costa Tsaousis (ktsaou)
f840b5d7ee
added shortcuts "default" and "classic" to markdef
2015-02-01 20:39:26 +02:00
Costa Tsaousis (ktsaou)
cd50ca58ae
blacklist now logs dropped packets
2015-02-01 17:17:34 +02:00
Costa Tsaousis (ktsaou)
0366bd1909
properly match the whole ipset collection name when running with ipset_update_from_file and save the updated statements for restoration in /var/spool/firehol
2015-02-01 16:22:12 +02:00
Costa Tsaousis (ktsaou)
7b8167d3c9
firehol now accepts command line parameter "ipset_update_from_file"; example in wiki: https://github.com/ktsaou/firehol/wiki/FireHOL-support-for-ipset
2015-02-01 07:15:10 +02:00
Costa Tsaousis (ktsaou)
64913be3ca
changed syntax of ipset to comply with ipset
2015-02-01 06:09:17 +02:00
Costa Tsaousis (ktsaou)
c15e5e76fe
extended ipset option file to grep only ips (ipfile) or only nets (netfile)
2015-02-01 04:18:02 +02:00
Costa Tsaousis (ktsaou)
1fdf21c109
added ipset helper to initialize ipset. It is a full wrapper around the ipset command. The key difference is that it accepts a list of IPs at the "ipset create" line, or the keyword "file" to load IPs from a file.
2015-02-01 01:08:12 +02:00
Costa Tsaousis (ktsaou)
6c98852f4f
added support for ipset matches in src, dst and blacklist(); to use it, instead of any IP just use "ipset:NAME" where NAME is the name of the ipset; ipsets can coexist with IPs, example: server smtp accept src 1.2.3.4,ipset:GOODSMTP,ipset:BESTSMTP,5.6.7.8
2015-01-31 19:25:19 +02:00
Costa Tsaousis (ktsaou)
1fd3844b41
Check for BASH version 4 or later; properly handle response codes of configuration file sourcing
2015-01-31 17:02:43 +02:00
Costa Tsaousis (ktsaou)
1eef048246
10% faster again... the basecmd declaration in rule() was responsible for most of it...
2015-01-31 14:35:25 +02:00
Costa Tsaousis (ktsaou)
073349954a
fix for last commit; FIREHOL_WAIT_USER_BEFORE_TRY is only used when the firewall is tried
2015-01-31 02:59:27 +02:00
Costa Tsaousis (ktsaou)
1c9867d877
added option FIREHOL_WAIT_USER_BEFORE_TRY=600 to wait for user confirmation before fast-activation
2015-01-31 02:53:34 +02:00
Costa Tsaousis (ktsaou)
f4e4b4c764
now it properly traces includes of config files from within config files, and reports proper line numbers and source files; fixed a typo in rule(); moved defaults file generation after the config dir has been created; firehol is 25-30% faster in preprocessing compared to the previous commit - re-arranged almost all local variables (this only accounts for a 4% increase in preprocessing speed); improved error handling when fast activation is disabled (30% faster activation with fast activation disabled)
2015-01-31 00:45:56 +02:00
Costa Tsaousis (ktsaou)
4f2b99298a
marks can now be stateful/stateless and temporary/permanent as per #50
2015-01-25 17:59:28 +02:00
Costa Tsaousis (ktsaou)
21b187a5d0
Merge branch 'master' of github.com:ktsaou/firehol
2015-01-24 22:11:24 +02:00
Costa Tsaousis (ktsaou)
1952feb160
support for comma as a list separator; optimizations for fireqos
2015-01-24 21:46:38 +02:00
Phil Whineray
17b85843c7
Account for work_error not incremented in subshell
2015-01-24 16:58:57 +00:00
Phil Whineray
0945acdf86
Clean up errors when applying a missing mark
Stop logger from breaking if our message has e.g. -arg in it
Return from mark helpers if there was an error and no result from mark_value()
2015-01-24 16:44:15 +00:00
Costa Tsaousis (ktsaou)
2488287e5b
centralized mark value calculation and error handling for all tools
2015-01-24 17:32:23 +02:00
Costa Tsaousis (ktsaou)
7f7045003f
removed peek_namespace, fixed pop_namespace #45
2015-01-24 13:17:20 +02:00
Costa Tsaousis (ktsaou)
d688b97365
fixed namespace pop #45
2015-01-24 13:06:43 +02:00
Costa Tsaousis (ktsaou)
91f6732e4a
allowed multiple marks for each mark match #47
2015-01-24 12:31:25 +02:00
Costa Tsaousis (ktsaou)
538e8b7b9a
optimized firehol; gained a 43% speed increase compared to the previous version; there are still a few optimizations to be made that will probably contribute another 10%; still everything is in BASH; #45
2015-01-24 04:21:04 +02:00
Costa Tsaousis (ktsaou)
b0b3659399
work around what seems to be an associative array bash bug
2015-01-23 23:47:40 +02:00
Costa Tsaousis (ktsaou)
44cabf981b
added check to detect re-definition of a mark type
2015-01-23 00:42:30 +02:00
Costa Tsaousis (ktsaou)
519b7b05b3
moved marks.conf into firehol-defaults.conf; added support for custom defined marks using the custommark firehol helper and the match with the same name; #23
2015-01-23 00:34:22 +02:00
Costa Tsaousis (ktsaou)
89bca91217
made TPROXY helper use the maximum usermark instead of a fixed one #25 #23
2015-01-22 23:09:18 +02:00
Costa Tsaousis (ktsaou)
c4558a45e6
bitmasked marks
2015-01-19 21:28:43 +02:00
Costa Tsaousis (ktsaou)
07fde44784
fix for EXPLAIN mode
2015-01-18 21:38:38 +02:00
Costa Tsaousis (ktsaou)
64003397ba
fixed recursion at exit
2015-01-17 18:26:35 +02:00
Costa Tsaousis (ktsaou)
dad17607a0
firehol may not restore an IPv6 firewall at exit, if it was running only in IPv6 mode; made it properly handle Control-C by trapping INT
2015-01-17 17:41:52 +02:00
Costa Tsaousis (ktsaou)
dc65bd4b97
fix for issue #43
2015-01-10 21:50:20 +02:00
Costa Tsaousis (ktsaou)
8e6af3ae24
system-wide defaults file /etc/firehol/firehol-defaults.conf; added option to make start behave like restore if the config files are not changed; restoration of last firewall now takes into account all files in /etc/firehol and /etc/firehol/services and also the command line arguments that may have been passed to firehol.conf; stop does not save the running firewall anymore (it could lead to an endless loop of activating the wrong firewall again and again); added option "nofast" to command line args to quickly try to activate a firewall without fast activation; fast activation is now enabled by default; silent drop of orphan TCP ACK,FIN is enabled by default; various other minor fixes
2015-01-06 19:53:45 +02:00
Costa Tsaousis (ktsaou)
7417f01bcc
Merge branch 'master' of github.com:ktsaou/firehol
2015-01-04 02:25:18 +02:00
box@home root
dfdc5819cc
accounting warning moved to first use of an accounting rule.
2015-01-04 02:24:42 +02:00
Phil Whineray
98855eaa30
Fix chain-exists logic in: with recent/knock/limit
Typo from switching to an associative array. We need to create
the chain first time through, when the value is empty.
2015-01-03 13:44:27 +00:00
Costa Tsaousis (ktsaou)
c9ed9c746f
added support for accounting using NFACCT, to use it just add 'accounting [name]' to any statement (even interfaces, NAT, server, client, etc), where [name] is a name to be given to the accounting object, then when the firewall is running use '/usr/sbin/nfacct list' to get the counters; converted unique chain management from files to associative bash arrays; added 'local' to a large number of rules that were missing it; fixed error handling of the restore feature; made 'debug' mode aware of ipv4 and ipv6
2015-01-03 07:45:19 +02:00
Costa Tsaousis (ktsaou)
5451641021
better support for restoring postprocessed commands - any kind of command, not just kernel modules
2014-12-30 20:42:58 +02:00
Costa Tsaousis (ktsaou)
b10a8622cb
Now it always saves the activated firewall to /var/spool/firehol and can quickly restore it at boot with the restore argument. Also, when calling stop it saves the firewall again, with its packet and byte counters, so that when restored it continues where it left off. So at boot it should be called with "restore" and at shutdown it should be called with "stop"
2014-12-19 23:46:53 +02:00
Costa Tsaousis (ktsaou)
a4dba2b212
fixed physin/physout to specify new iptables options --physdev-is-bridged in routers, --physdev-is-in at the input of interfaces, --physdev-is-out at the output of interfaces
2014-11-19 01:50:47 +02:00
Phil Whineray
521e8c142d
Delete activation rules by spec not number
Fixes #41
The assumption that the rules added to allow established connections
during activation will always be first is wrong for configs with
iptables -I statements.
2014-11-06 22:36:08 +00:00
Phil Whineray
09748049ee
Prevent all IPv6 actions after initial disable
2014-10-18 08:15:47 +01:00
Phil Whineray
ca07e978f8
Detect non-IPv6 hosts
2014-10-18 08:04:12 +01:00