Commit Graph

128 Commits

Author SHA1 Message Date
Costa Tsaousis (ktsaou)
cdaf280e53 added to-ports and random option for masquerade helper 2015-02-02 23:28:35 +02:00
Costa Tsaousis (ktsaou)
85056a0079 removed obsolete code; made it log to syslog all progress steps and detect configuration files that may be included from the main config file 2015-02-02 22:54:11 +02:00
Costa Tsaousis (ktsaou)
a7be46d9f7 console output cleanup; all messages sent to stderr 2015-02-02 00:39:33 +02:00
Costa Tsaousis (ktsaou)
e05aaee4d9 ipset code cleanup 2015-02-02 00:16:33 +02:00
Costa Tsaousis (ktsaou)
93dfc2b217 fix for ipset compatibility 2015-02-01 23:06:48 +02:00
Costa Tsaousis (ktsaou)
c963110764 support for older versions of ipset 2015-02-01 22:51:13 +02:00
Costa Tsaousis (ktsaou)
cbd07447f7 added ipv4, ipv6 and ipv46 shortcuts for helpers 2015-02-01 21:20:14 +02:00
Costa Tsaousis (ktsaou)
f840b5d7ee added shortcuts "default" and "classic" to markdef 2015-02-01 20:39:26 +02:00
Costa Tsaousis (ktsaou)
cd50ca58ae blacklist now logs dropped packets 2015-02-01 17:17:34 +02:00
Costa Tsaousis (ktsaou)
0366bd1909 properly match the whole ipset collection name when running with ipset_update_from_file and save the updated statements for restoration in /var/spool/firehol 2015-02-01 16:22:12 +02:00
Costa Tsaousis (ktsaou)
7b8167d3c9 firehol now accepts command line parameter "ipset_update_from_file"; example in wiki: https://github.com/ktsaou/firehol/wiki/FireHOL-support-for-ipset 2015-02-01 07:15:10 +02:00
Costa Tsaousis (ktsaou)
64913be3ca changed syntax of ipset to comply with ipset 2015-02-01 06:09:17 +02:00
Costa Tsaousis (ktsaou)
c15e5e76fe extended ipset option file to grep only ips (ipfile) or only nets (netfile) 2015-02-01 04:18:02 +02:00
Costa Tsaousis (ktsaou)
1fdf21c109 added ipset helper to initialize ipset. It is a full wrapper around the ipset command. The key difference is that it accepts a list of IPs at the "ipset create" line, or the keyword "file" to load ips from a file. 2015-02-01 01:08:12 +02:00
Costa Tsaousis (ktsaou)
6c98852f4f added support for ipset matches in src dst and blacklist(); to use it, instead of any IP just use "ipset:NAME" where NAME is the name of the ipset; ipsets can coexist with IPs, example: server smtp accept src 1.2.3.4,ipset:GOODSMTP,ipset:BESTSMTP,5.6.7.8 2015-01-31 19:25:19 +02:00
Costa Tsaousis (ktsaou)
1fd3844b41 Check for BASH version 4 or later; properly handle response codes of configuration file sourcing 2015-01-31 17:02:43 +02:00
Costa Tsaousis (ktsaou)
1eef048246 10% faster again... the basecmd declaration in rule() was responsible for most of it... 2015-01-31 14:35:25 +02:00
Costa Tsaousis (ktsaou)
073349954a fix for last commit; FIREHOL_WAIT_USER_BEFORE_TRY is only used when the firewall is tried 2015-01-31 02:59:27 +02:00
Costa Tsaousis (ktsaou)
1c9867d877 added option FIREHOL_WAIT_USER_BEFORE_TRY=600 to wait for user confirmation before fast-activation 2015-01-31 02:53:34 +02:00
Costa Tsaousis (ktsaou)
f4e4b4c764 now it traces properly includes of config files from within config files, and reports proper line numbers and source files; fixed a typo in rule(); moved defaults file generation after the config dir has been created; firehol is 25-30% faster in preprocessing compared to the previous commit - re-arranged almost all local variables (this only accounts for 4% increase in preprocessing speed); improved error handling when fast activation is disabled (30% faster activation with fast activation disabled) 2015-01-31 00:45:56 +02:00
Costa Tsaousis (ktsaou)
4f2b99298a marks can now be stateful/stateless and temporary/permanent as per #50 2015-01-25 17:59:28 +02:00
Costa Tsaousis (ktsaou)
21b187a5d0 Merge branch 'master' of github.com:ktsaou/firehol 2015-01-24 22:11:24 +02:00
Costa Tsaousis (ktsaou)
1952feb160 support for comma as a list separator; optimizations for fireqos 2015-01-24 21:46:38 +02:00
Phil Whineray
17b85843c7 Account for work_error not incremented in subshell 2015-01-24 16:58:57 +00:00
Phil Whineray
0945acdf86 Clean up errors when applying a missing mark
Stop logger from breaking if our message has e.g. -arg in it
Return from mark helpers if there was an error and no result from mark_value()
2015-01-24 16:44:15 +00:00
Costa Tsaousis (ktsaou)
2488287e5b centralized mark value calculation and error handling for all tools 2015-01-24 17:32:23 +02:00
Costa Tsaousis (ktsaou)
7f7045003f removed peek_namespace, fixed pop_namespace #45 2015-01-24 13:17:20 +02:00
Costa Tsaousis (ktsaou)
d688b97365 fixed namespace pop #45 2015-01-24 13:06:43 +02:00
Costa Tsaousis (ktsaou)
91f6732e4a allowed multiple marks for each mark match #47 2015-01-24 12:31:25 +02:00
Costa Tsaousis (ktsaou)
538e8b7b9a optimized firehol; gained 43% speed increase compared to the previous version; there are still a few optimizations to be made that will contribute probably another 10%; still everything is in BASH; #45 2015-01-24 04:21:04 +02:00
Costa Tsaousis (ktsaou)
b0b3659399 workaround what seems to be an associative array bash bug 2015-01-23 23:47:40 +02:00
Costa Tsaousis (ktsaou)
44cabf981b added check to detect re-definition of a mark type 2015-01-23 00:42:30 +02:00
Costa Tsaousis (ktsaou)
519b7b05b3 moved marks.conf into firehol-defaults.conf; added support for custom defined marks using the custommark firehol helper and the match with the same name; #23 2015-01-23 00:34:22 +02:00
Costa Tsaousis (ktsaou)
89bca91217 made TPROXY helper use the maximum usermark instead of a fixed one #25 #23 2015-01-22 23:09:18 +02:00
Costa Tsaousis (ktsaou)
c4558a45e6 bitmasked marks 2015-01-19 21:28:43 +02:00
Costa Tsaousis (ktsaou)
07fde44784 fix for EXPLAIN mode 2015-01-18 21:38:38 +02:00
Costa Tsaousis (ktsaou)
64003397ba fixed recursion at exit 2015-01-17 18:26:35 +02:00
Costa Tsaousis (ktsaou)
dad17607a0 firehol may not restore an IPv6 firewall at exit, if it was running only in IPv6 mode; made it properly handle Control-C by trapping INT 2015-01-17 17:41:52 +02:00
Costa Tsaousis (ktsaou)
dc65bd4b97 fix for issue #43 2015-01-10 21:50:20 +02:00
Costa Tsaousis (ktsaou)
8e6af3ae24 system-wide defaults file /etc/firehol/firehol-defaults.conf; added option to make start behave like restore if the config files are not changed; restoration of last firewall now takes into account all files in /etc/firehol and /etc/firehol/services and also the command line arguments that may have been passed to firehol.conf; stop does not save the running firewall anymore (it could lead to an endless loop of activating the wrong firewall again and again); added option "nofast" to command line args to quickly try to activate a firewall without fast activation; fast activation is now enabled by default; silent drop of orphan TCP ACK,FIN is enabled by default; various other minor fixes 2015-01-06 19:53:45 +02:00
Costa Tsaousis (ktsaou)
7417f01bcc Merge branch 'master' of github.com:ktsaou/firehol 2015-01-04 02:25:18 +02:00
box@home root
dfdc5819cc accounting warning moved on first use of an accounting rule. 2015-01-04 02:24:42 +02:00
Phil Whineray
98855eaa30 Fix chain-exists logic in: with recent/knock/limit
Typo from switching to an associative array. We need to create
the chain first time through, when the value is empty.
2015-01-03 13:44:27 +00:00
Costa Tsaousis (ktsaou)
c9ed9c746f added support for accounting using NFACCT, to use it just add 'accounting [name]' to any statement (even interfaces, NAT, server, client, etc), where [name] is a name to be given to the accounting object, then when the firewall is running use '/usr/sbin/nfacct list' to get the counters; converted unique chain management from files to associative bash arrays; added 'local' to a large number of rules that were missing; fixed error handling of the restore feature; made 'debug' mode aware of the ipv4 and ipv6 2015-01-03 07:45:19 +02:00
Costa Tsaousis (ktsaou)
5451641021 better support for restoring postprocessed commands - any kind of command, not just kernel modules 2014-12-30 20:42:58 +02:00
Costa Tsaousis (ktsaou)
b10a8622cb Now it always saves the activated firewall to /var/spool/firehol and can quickly restore it at boot with the restore argument. Also, when calling stop it saves the firewall again, with their packet and bytes counters, so that when restored it continues where it left. So at boot it should be called with "restore" and at shutdown it should be called with "stop" 2014-12-19 23:46:53 +02:00
Costa Tsaousis (ktsaou)
a4dba2b212 fixed physin/physout to specify new iptables options --physdev-is-bridged in routers, --physdev-is-in at the input of interfaces, --physdev-is-out at the output of interfaces 2014-11-19 01:50:47 +02:00
Phil Whineray
521e8c142d Delete activation rules by spec not number
Fixes #41

The assumption that the rules added to allow established connections
during activation will always be first is wrong for configs with
iptables -I statements.
2014-11-06 22:36:08 +00:00
Phil Whineray
09748049ee Prevent all IPv6 actions after initial disable 2014-10-18 08:15:47 +01:00
Phil Whineray
ca07e978f8 Detect non-IPv6 hosts 2014-10-18 08:04:12 +01:00