Commit Graph

74 Commits

Author SHA1 Message Date
Phil Whineray
da7b96e7ab Don't delete and recreate the temporary directory
mktemp already ensured it was unique as part of creating it

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
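Why keeping the directory that mktemp created matters, shown as an added example that is not FireHOL's code: mktemp -d creates the directory atomically with mode 0700, so the only window a local attacker gets is the one a script opens itself by deleting and re-creating a path whose name it has already exposed. The helper names `require_cmd`, `make_workdir`, `is_private_dir` and `reproduce_race`, the use of `command -v` in place of FireHOL's `which_cmd`, and the `mkdir -p` in the reproduced pattern are assumptions of the example, not a description of the exact code the commit removed.

```shell
#!/bin/sh
# Added example (not FireHOL's own code). Contrasts the safe pattern,
# keeping the directory mktemp(1) created, with a "rm -rf; mkdir -p"
# re-creation step of the kind the commit above removes.

# require_cmd: fail early if a needed program is not on PATH. FireHOL
# uses its own which_cmd helper; command -v is an assumption here.
require_cmd() {
    command -v "$1" >/dev/null 2>&1 || {
        echo "required command missing: $1" >&2
        return 1
    }
}

# make_workdir: print the path of a freshly created private directory.
# mktemp -d creates it atomically with mode 0700, so nothing further is
# needed to make it unique or private.
make_workdir() {
    require_cmd mktemp || return 1
    mktemp -d "${TMPDIR:-/tmp}/example.XXXXXX"
}

# is_private_dir: true if the path is a directory with mode drwx------
# (parsed from ls -ld so it works with both GNU and BSD userland).
is_private_dir() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# reproduce_race: show what a "delete and recreate" step risks. Once a
# script has exposed $d and then runs "rm -rf $d", an attacker who wins
# the race can plant a symlink at $d. "mkdir -p $d" then succeeds because
# the link target exists, and every file the script writes under $d
# lands where the attacker chose. The attacker's move is simulated
# inline; $1 is the attacker-chosen target directory (constructed by the
# caller). Returns 0 when the write escaped the temp dir.
reproduce_race() {
    target=$1
    d=$(make_workdir) || return 1
    rm -rf "$d"                     # the re-creation step, part 1
    ln -s "$target" "$d"            # simulated attacker, in the window
    mkdir -p "$d"                   # part 2: succeeds, $d -> $target
    echo "generated rules" > "$d/firewall.sh"
    if [ -f "$target/firewall.sh" ]; then rc=0; else rc=1; fi
    rm -f "$d"                      # removes only the symlink
    return $rc
}
```

With the commit's change the script keeps using the directory mktemp handed back, so there is no moment at which the known path does not exist; the check that mktemp is present at all is what the companion commit "Treat mktemp like other required commands" adds.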
Phil Whineray
87f8827e75 Treat mktemp like other required commands
Add it to configure script and use the which_cmd to detect at runtime.

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
8b8e5c9761 Silence module detection warning when not loading
The warning says that we will always load the modules, even though we
will honour the variable which says never to do so.

Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e14e118532 Update copyright strings
Thanks to Jerome Benoit
2014-10-04 10:45:45 +01:00
Phil Whineray
e8c70871c5 Do not fix source ports for DHCPv6
Some servers do not use them, and the RFC allows this.

http://lists.firehol.org/pipermail/firehol-support/2014-July/002824.html
http://www.ietf.org/rfc/rfc3315.txt
2014-07-27 12:07:59 +01:00
Phil Whineray
edd7dace10 Explain that ICMPv6 ND/RD packets are untracked 2014-07-27 11:25:02 +01:00
Phil Whineray
f741b4b422 Ensure dst4 and dst6 work in interface
src4 and src6 are already OK
2014-06-07 17:26:31 +01:00
Costa Tsaousis (ktsaou)
e323bd501f reworked tproxy parameters parsing for issue #25 2014-03-25 23:42:13 +02:00
Costa Tsaousis (ktsaou)
ef153a80d0 tproxy support. beta. may not work. fixed issue #25 2014-03-25 23:13:20 +02:00
Costa Tsaousis (ktsaou)
c732df28a6 added warning if MARK and CONNMARK are used together, for issue #23 2014-03-14 01:31:44 +02:00
Costa Tsaousis (ktsaou)
46955f9eb4 added support for failed lines detection for issue #22, improved connmark for issue #23 2014-03-14 01:13:28 +02:00
Costa Tsaousis (ktsaou)
83a084e9c1 another connmark fix for issue #23 2014-03-13 03:08:34 +02:00
Costa Tsaousis (ktsaou)
e51a46a140 another connmark fix for issue #23 2014-03-13 02:35:12 +02:00
Costa Tsaousis (ktsaou)
54cfeaeaae connmark fix for issue #23 2014-03-13 01:46:50 +02:00
Costa Tsaousis (ktsaou)
fe40dbc5bc fixes issues #22 and #23 2014-03-13 00:20:00 +02:00
Phil Whineray
750da174ca Fix IPv4-only save/restore and fastactivation
These were still trying to run, despite the commands not being available
2014-02-22 11:54:39 +00:00
Phil Whineray
40fde76a78 Fix firehol save
Was trying to save to temporary location, not the specified one.
Error introduced in df50d6cb29b9a716a40d99918de46cb0e899e42a.
2014-02-22 08:44:26 +00:00
Phil Whineray
95b3e66836 Use IPv4 only unless config version is set as 6 2014-02-09 18:11:39 +00:00
Phil Whineray
bb19f5500a Fix line numbering for new commands 2014-02-03 22:58:10 +00:00
Phil Whineray
097ae80b91 Apply ipv4/ipv6 to whole group 2014-02-03 22:56:56 +00:00
Phil Whineray
43c27203eb Add helpers for interface and router
interface4, interface6, interface46
router4, router6, router46
2013-12-01 19:57:57 +00:00
Phil Whineray
6a25798e2b Added DHCPv6 service 2013-12-01 17:56:34 +00:00
Phil Whineray
90f158887c Update line-numbering to work with any awk 2013-12-01 17:16:41 +00:00
Phil Whineray
25d693dc86 Enable fast activation for IPv6 2013-12-01 14:59:44 +00:00
Phil Whineray
35c2a0443a Finalise setup of internal IP variables
For IPv4 we look for files named:
  MULTICAST_IPV4 but will use MULTICAST_IPS if it is all there is
  PRIVATE_IPV4 but will use PRIVATE_IPS if it is all there is
  RESERVED_IPV4 but will use RESERVED_IPS if it is all there is

For IPv6 we look for files named:
  MULTICAST_IPV6
  RESERVED_IPV6
  PRIVATE_IPV6

Within a configuration the variables can be used as:
  router src4 not "$PRIVATE_IPV4" src6 not "$PRIVATE_IPV6"

or using the equivalent 'special variable' which expands according to need:
  router src not "$PRIVATE_IPS"
2013-11-24 11:09:46 +00:00
Phil Whineray
a7a42b33a9 Do not lose negative src/dst when in both mode 2013-11-23 10:44:16 +00:00
Phil Whineray
8386193c90 Force ping rules to use correct versions of icmp 2013-11-23 09:58:19 +00:00
Phil Whineray
d69b02df24 Evaluate ip lists at time of extraction 2013-11-23 09:00:59 +00:00
Phil Whineray
44bcff7577 Allow multiple functions to be used at once 2013-11-23 09:00:59 +00:00
Phil Whineray
d65d0dd256 Allow IPv4 and IPv6 in one src/dst using functions
The same function will be evaluated in both ipv4 and ipv6 context. It
should be defined to return appropriate values at the appropriate time.
2013-11-23 09:00:58 +00:00
Phil Whineray
c259ad8e7c Work with only IPv4 or IPv6 where necessary
Disables the other if the commands are not available or do not work.
2013-11-23 08:48:37 +00:00
Phil Whineray
127f00c03b Add various icmpv6 cases
ICMPv6 is highly integral to IPv6 but the various types and ways that
they need to be used make them complex. We add a set of functions and
recommend how to use them in the manual.
2013-11-17 09:33:29 +00:00
Phil Whineray
ea0e4363d3 Include icmpv6 as a service 2013-11-16 15:49:16 +00:00
Phil Whineray
7f4b7975f0 Add notes on client ports 2013-11-16 15:33:24 +00:00
Phil Whineray
374650305c Use MULTICAST_IPS for the multicast service 2013-11-16 15:32:12 +00:00
Phil Whineray
874d9e8084 Reset namespace stack entering an interface/router
Fix error handling when an illegal change is detected
Distinguish between ipv4 and ipv6 chains we created
2013-11-10 14:00:13 +00:00
Phil Whineray
62a969547a Allow independent setting of ipv4 and ipv6 src/dst 2013-11-10 12:40:28 +00:00
Phil Whineray
ed8e75ece3 Prevent arbitrary namespace switches
For instance, creating an ipv4 rule in an ipv6 interface must be prevented.
Also, cache the current namespace to improve performance.
2013-11-10 12:38:37 +00:00
Phil Whineray
8e63720554 Make rule_action_param() ip(6)tables use explicit 2013-11-10 11:35:00 +00:00
Phil Whineray
fc717a28d9 Split processing for IPv4 and IPv6 addresses 2013-11-10 11:28:23 +00:00
Phil Whineray
9d3c3c9e6d Move all single-value options outside rules loop 2013-11-10 10:58:00 +00:00
Phil Whineray
6612b20897 Fix both dynamic counters 2013-11-05 07:36:55 +00:00
Phil Whineray
419569a294 Another small fix 2013-11-05 07:36:55 +00:00
Phil Whineray
96287be98b Use ip6tables or iptables according to namespace 2013-11-05 07:36:55 +00:00
Phil Whineray
df50d6cb29 Fixes to saving files 2013-11-05 07:36:16 +00:00
Phil Whineray
c2b57c7701 Initial IPv6 work
Save and restore ip6tables as well as iptables state
Stop, status and panic apply to IPv6 as well as IPv4
Start will create an empty IPv6 firewall with policy applied
2013-11-05 07:36:16 +00:00
Phil Whineray
0204a8ecde Make FIREHOL_FAST_ACTIVATION environment-settable
Especially useful when running comparison tests
2013-11-02 10:18:31 +00:00
Phil Whineray
5a82954aae Use flock(1) instead of lockfile(1)
- Introduces a dependency on util-linux (rather than procmail)
- Exit immediately if we cannot create lockfile when using flock
2013-11-02 09:59:53 +00:00
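The locking change in shell, as an added example that is not FireHOL's code: flock(1) from util-linux locks an open file descriptor, and its `-n` option makes it fail immediately instead of waiting, which is the "exit immediately" behaviour the commit describes. Because the lock is tied to the descriptor, it disappears when the process exits, unlike a lockfile(1) file that stays behind after a crash. The function names and the choice of descriptor 9 are assumptions of the example.

```shell
#!/bin/sh
# Added example (not FireHOL's own code): non-blocking mutual exclusion
# with flock(1) from util-linux, the replacement for procmail's lockfile(1).

# acquire_lock: open the lock file on descriptor 9 in the current shell
# and take an exclusive lock without waiting. The lock is held for as
# long as descriptor 9 stays open in this process, so it is released
# automatically if the script is killed.
acquire_lock() {
    : >"$1" || return 1             # check writability before exec, since
                                    # a redirection error on exec may exit
                                    # a non-interactive POSIX shell
    exec 9>"$1"
    if ! flock -n 9; then
        echo "another instance holds $1, exiting" >&2
        exec 9>&-
        return 1
    fi
}

# release_lock: drop the lock by closing the descriptor.
release_lock() {
    exec 9>&-
}

# lock_is_held: probe from a fresh open file description. flock(2) locks
# belong to the open file description, so a new open conflicts with the
# lock held on descriptor 9 even from the same process; -n then fails
# at once with exit status 1.
lock_is_held() {
    if flock -n "$1" true; then
        return 1
    else
        return 0
    fi
}
```

A script would call `acquire_lock /var/run/firehol.lck || exit 1` near its start and never needs an explicit unlock on the error path; the `release_lock` helper is only for the normal path or for tests.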
Phil Whineray
6a544f8c0e Improve worst-case error handling
- When the generated script fails but we don't know why
  we now leave the temporary files behind
- Ensure execution happens in current shell context so we don't
  lose variables defined as part of the configuration

Conflicts:
	sbin/firehol.in
2013-11-01 13:26:13 +00:00
Phil Whineray
8ee20457ee Use FIREHOL_ESTABLISHED_ACTIVATION_ACCEPT
In non fast-activation mode and if set to 1 (the default), will emit
temporary rules to allow established traffic to continue even when
the activation policy is DENY. The temporary rules are deleted when
the firewall is complete.
2013-10-29 22:14:23 +00:00