Phil Whineray
da7b96e7ab
Don't delete and recreate the temporary directory
mktemp already ensured it was unique as part of creating it
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
87f8827e75
Treat mktemp like other required commands
Add it to configure script and use the which_cmd to detect at runtime.
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
8b8e5c9761
Silence module detection warning when not loading
The warning says that we will always load the modules, even though we
will honour the variable which says never to do so.
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e14e118532
Update copyright strings
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e8c70871c5
Do not fix source ports for DHCPv6
Some servers do not use them, and the RFC allows this.
http://lists.firehol.org/pipermail/firehol-support/2014-July/002824.html
http://www.ietf.org/rfc/rfc3315.txt
2014-07-27 12:07:59 +01:00
Phil Whineray
edd7dace10
Explain that ICMPv6 ND/RD packets are untracked
2014-07-27 11:25:02 +01:00
Phil Whineray
f741b4b422
Ensure dst4 and dst6 work in interface
src4 and src6 are already OK
2014-06-07 17:26:31 +01:00
Costa Tsaousis (ktsaou)
e323bd501f
reworked tproxy parameters parsing for issue #25
2014-03-25 23:42:13 +02:00
Costa Tsaousis (ktsaou)
ef153a80d0
tproxy support. beta. may not work. fixed issue #25
2014-03-25 23:13:20 +02:00
Costa Tsaousis (ktsaou)
c732df28a6
added warning if MARK and CONNMARK are used together, for issue #23
2014-03-14 01:31:44 +02:00
Costa Tsaousis (ktsaou)
46955f9eb4
added support for failed lines detection for issue #22 , improved connmark for issue #23
2014-03-14 01:13:28 +02:00
Costa Tsaousis (ktsaou)
83a084e9c1
another connmark fix for issue #23
2014-03-13 03:08:34 +02:00
Costa Tsaousis (ktsaou)
e51a46a140
another connmark fix for issue #23
2014-03-13 02:35:12 +02:00
Costa Tsaousis (ktsaou)
54cfeaeaae
connmark fix for issue #23
2014-03-13 01:46:50 +02:00
Costa Tsaousis (ktsaou)
fe40dbc5bc
fixes issues #22 and #23
2014-03-13 00:20:00 +02:00
Phil Whineray
750da174ca
Fix IPv4-only save/restore and fastactivation
These were still trying to run, despite the commands not being available
2014-02-22 11:54:39 +00:00
Phil Whineray
40fde76a78
Fix firehol save
Was trying to save to temporary location, not the specified one.
Error introduced in df50d6cb29b9a716a40d99918de46cb0e899e42a.
2014-02-22 08:44:26 +00:00
Phil Whineray
95b3e66836
Use IPv4 only unless config version is set as 6
2014-02-09 18:11:39 +00:00
Phil Whineray
bb19f5500a
Fix line numbering for new commands
2014-02-03 22:58:10 +00:00
Phil Whineray
097ae80b91
Apply ipv4/ipv6 to whole group
2014-02-03 22:56:56 +00:00
Phil Whineray
43c27203eb
Add helpers for interface and router
interface4, interface6, interface46
router4, router6, router46
2013-12-01 19:57:57 +00:00
Phil Whineray
6a25798e2b
Added DHCPv6 service
2013-12-01 17:56:34 +00:00
Phil Whineray
90f158887c
Update line-numbering to work with any awk
2013-12-01 17:16:41 +00:00
Phil Whineray
25d693dc86
Enable fast activation for IPv6
2013-12-01 14:59:44 +00:00
Phil Whineray
35c2a0443a
Finalise setup of internal IP variables
For IPv4 we look for files named:
MULTICAST_IPV4 but will use MULTICAST_IPS if it is all there is
PRIVATE_IPV4 but will use PRIVATE_IPS if it is all there is
RESERVED_IPV4 but will use RESERVED_IPS if it is all there is
For IPv6 we look for files named:
MULTICAST_IPV6
RESERVED_IPV6
PRIVATE_IPV6
Within a configuration the variables can be used as:
router src4 not "$PRIVATE_IPV4" src6 not "$PRIVATE_IPV6"
or using the equivalent 'special variable' which expands according to need:
router src not "$PRIVATE_IPS"
2013-11-24 11:09:46 +00:00
Phil Whineray
a7a42b33a9
Do not lose negative src/dst when in both mode
2013-11-23 10:44:16 +00:00
Phil Whineray
8386193c90
Force ping rules to use correct versions of icmp
2013-11-23 09:58:19 +00:00
Phil Whineray
d69b02df24
Evaluate ip lists at time of extraction
2013-11-23 09:00:59 +00:00
Phil Whineray
44bcff7577
Allow multiple functions to be used at once
2013-11-23 09:00:59 +00:00
Phil Whineray
d65d0dd256
Allow IPv4 and IPv6 in one src/dst using functions
The same function will be evaluated in both ipv4 and ipv6 context. It
should be defined to return appropriate values at the appropriate time.
2013-11-23 09:00:58 +00:00
Phil Whineray
c259ad8e7c
Work with only IPv4 or IPv6 where necessary
Disables the other if the commands are not available or do not work.
2013-11-23 08:48:37 +00:00
Phil Whineray
127f00c03b
Add various icmpv6 cases
ICMPv6 is highly integral to IPv6 but the various types and ways that
they need to be used make them complex. We add a set of functions and
recommend how to use them in the manual.
2013-11-17 09:33:29 +00:00
Phil Whineray
ea0e4363d3
Include icmpv6 as a service
2013-11-16 15:49:16 +00:00
Phil Whineray
7f4b7975f0
Add notes on client ports
2013-11-16 15:33:24 +00:00
Phil Whineray
374650305c
Use MULTICAST_IPS for the multicast service
2013-11-16 15:32:12 +00:00
Phil Whineray
874d9e8084
Reset namespace stack entering an interface/router
Fix error handling when an illegal change is detected
Distinguish between ipv4 and ipv6 chains we created
2013-11-10 14:00:13 +00:00
Phil Whineray
62a969547a
Allow independent setting of ipv4 and ipv6 src/dst
2013-11-10 12:40:28 +00:00
Phil Whineray
ed8e75ece3
Prevent arbitrary namespace switches
For instance, creating an ipv4 rule in an ipv6 interface must be prevented
Also, cache the current namespace to improve performance
2013-11-10 12:38:37 +00:00
Phil Whineray
8e63720554
Make rule_action_param() ip(6)tables use explicit
2013-11-10 11:35:00 +00:00
Phil Whineray
fc717a28d9
Split processing for IPv4 and IPv6 addresses
2013-11-10 11:28:23 +00:00
Phil Whineray
9d3c3c9e6d
Move all single-value options outside rules loop
2013-11-10 10:58:00 +00:00
Phil Whineray
6612b20897
Fix both dynamic counters
2013-11-05 07:36:55 +00:00
Phil Whineray
419569a294
Another small fix
2013-11-05 07:36:55 +00:00
Phil Whineray
96287be98b
Use ip6tables or iptables according to namespace
2013-11-05 07:36:55 +00:00
Phil Whineray
df50d6cb29
Fixes to saving files
2013-11-05 07:36:16 +00:00
Phil Whineray
c2b57c7701
Initial IPv6 work
Save and restore ip6tables as well as iptables state
Stop, status and panic apply to IPv6 as well as IPv4
Start will create an empty IPv6 firewall with policy applied
2013-11-05 07:36:16 +00:00
Phil Whineray
0204a8ecde
Make FIREHOL_FAST_ACTIVATION environment-settable
Especially useful when running comparison tests
2013-11-02 10:18:31 +00:00
Phil Whineray
5a82954aae
Use flock(1) instead of lockfile(1)
- Introduces a dependency on util-linux (rather than procmail)
- Exit immediately if we cannot create lockfile when using flock
2013-11-02 09:59:53 +00:00
Phil Whineray
6a544f8c0e
Improve worst-case error handling
- When the generated script fails but we don't know why
we now leave the temporary files behind
- Ensure execution happens in current shell context so we don't
lose variables defined as part of the configuration
Conflicts:
sbin/firehol.in
2013-11-01 13:26:13 +00:00
Phil Whineray
8ee20457ee
Use FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT
In non fast-activation mode and if set to 1 (the default), will emit
temporary rules to allow established traffic to continue even when
the activation policy is DENY. The temporary rules are deleted when
the firewall is complete.
2013-10-29 22:14:23 +00:00