Commit Graph

302 Commits

Author SHA1 Message Date
Costa Tsaousis (ktsaou)
9b8c5c93e3 added check of iptables-restore command 2013-10-10 01:46:35 +03:00
Costa Tsaousis (ktsaou)
77c4a8a45e updated ident 2013-10-05 04:18:01 +03:00
Costa Tsaousis (ktsaou)
ae235d6500 fixed debug mode when fast activating 2013-09-28 12:16:56 +03:00
box@home root
502d70231c redesigned fast activation 2013-09-28 12:03:57 +03:00
box@home root
a934778b83 replaced sed and tr commands with variables 2013-09-26 23:10:00 +03:00
Costa Tsaousis (ktsaou)
31abff337a added support for fast activation 2013-09-26 02:50:30 +03:00
ktsaou
83d96d89ce Removed dependency on get-iana.sh
It is not useful any more.
2013-01-06 23:49:08 +00:00
ktsaou
9d08b544d6 Updated blacklist command so that it does not lead to timeouts when an internal host is trying to reach a blacklisted host. 2013-01-06 23:26:04 +00:00
ktsaou
af8e017fc9 Updated RESERVED_IPS 2010-10-05 21:10:08 +00:00
ktsaou
b93042939c Removed unnecessary quotes from logs. 2010-04-08 22:27:18 +00:00
ktsaou
79971c77cd Added service:
sane
2010-04-08 22:16:03 +00:00
ktsaou
401106b7fa Added services:
ipsecnatt
l2tp
2010-04-08 22:12:35 +00:00
ktsaou
0902549b0f Fixed bug: 2873689
Misspelled server_yppasswdd.
2010-04-08 21:55:07 +00:00
ktsaou
13ab79b2da Added support for NFLOG as requested per patch 2954470. 2010-04-08 21:51:26 +00:00
ktsaou
021ad5b6af Added support to block concurrent running of FireHOL by multiple admins.
FireHOL uses the lockfile command, if it finds it, allowing it to detect
stale locks if 600 seconds have passed since the last lock.

The lock file is /var/run/firehol.lck
2010-04-06 22:23:16 +00:00
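The locking rule described in the commit above (one run at a time, a lock untouched for 600 seconds counts as abandoned), as an added example that is not FireHOL's own code. FireHOL defers to lockfile(1) when it is installed; this is a plain-sh equivalent written for this page. The lock path is a parameter so the example runs unprivileged; the real path is /var/run/firehol.lck. The PID-in-lockfile convention and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: a mutual-exclusion lock with the
# stale-lock rule from the commit above (a lock untouched for 600 seconds is
# treated as abandoned). FireHOL relies on lockfile(1) when it is installed;
# this is a plain-sh equivalent so it can run anywhere. The lock path is a
# parameter so the example needs no root; FireHOL's real path is
# /var/run/firehol.lck.

LOCK_STALE_SECONDS=600

# try_create LOCKFILE: create the file only if it does not exist yet.
# noclobber (set -C) makes the redirect fail instead of truncating, which
# gives an atomic O_EXCL-style create from plain shell. The holder's PID is
# written into the file (a convention assumed by this example).
try_create() {
    ( set -C; printf '%s\n' "$$" > "$1" ) 2>/dev/null
}

# lock_is_stale LOCKFILE: true when the file's mtime is older than the
# threshold. find -mmin wants minutes, hence the division.
lock_is_stale() {
    [ -n "$(find "$1" -mmin +$((LOCK_STALE_SECONDS / 60)) 2>/dev/null)" ]
}

# acquire_lock LOCKFILE
# Returns 0 when the caller now holds the lock, 1 when another run holds
# a fresh one.
acquire_lock() {
    try_create "$1" && return 0
    if lock_is_stale "$1"; then
        # Stale: reclaim it. There is a small window here in which two
        # reclaimers could both succeed; the 600 s rule is a heuristic for
        # an admin whose earlier run died, not a hard guarantee.
        rm -f "$1"
        try_create "$1" && return 0
    fi
    return 1
}

release_lock() { rm -f "$1"; }

# lock_holder LOCKFILE: the PID recorded by whoever holds the lock.
lock_holder() { cat "$1" 2>/dev/null; }
```

A second admin running concurrently gets a non-zero return from acquire_lock and should stop; only a lock whose mtime is more than ten minutes old is reclaimed.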
ktsaou
0e613368c8 Fixed issue with TRY and START. 2009-10-01 10:25:23 +00:00
ktsaou
c2c72b2472 Added syslog support. FireHOL now logs to syslog all important events.
Variable for the user:

FIREHOL_SYSLOG_FACILITY="daemon"

Default is shown. User can set it in config file.
2009-02-26 02:13:54 +00:00
ktsaou
58867ee4c2 Made it detect when the simple services have either server or client ports
defined, but not both.
2009-02-25 23:30:14 +00:00
ktsaou
17ffaeeb65 Fixed an issue where the wizard/helpme generated too long names. 2009-02-22 00:35:16 +00:00
ktsaou
aeccc26c8e Updated the kernel module handling for certain helpers. 2009-02-21 21:42:07 +00:00
ktsaou
e236cedb2f Added helper_<service>="helper" functionality.
This allows all the services which rely on a kernel netfilter module to be
considered simple.

Converted the following services to simple:
amanda, ftp, pptp, tftp

Updated the following simple services to use kernel modules:
h323, GRE, sip
2009-02-19 05:27:49 +00:00
ktsaou
9c2fa99046 Fixed ftp helper match to allow only ESTABLISHED or RELATED connections.
Otherwise it would allow NEW connections in the reverse direction too.
2009-02-19 02:47:36 +00:00
ktsaou
358181cf7d Updated service ftp to match everything with the kernel ftp helper.
Removed incomplete p2p service.
2009-02-19 02:33:08 +00:00
ktsaou
e6ea7d99cb Service SIP now uses the kernel modules. 2009-02-06 04:18:31 +00:00
ktsaou
1661da6cf5 Fixed a copy and paste error in connmark helper. 2009-02-05 02:45:00 +00:00
ktsaou
04c6cd7ee0 Updated RESERVED_IPS for the latest IANA reservations.
Added classify helper for traffic shaping without marks.
Added connmark helper for stateful connection marking to assist the
routing decision (i.e. multiple upstream providers).
2009-02-05 02:03:07 +00:00
ktsaou
8e9119a6ae Renamed fixtos to tosfix, optimize it a bit, and added documentation about it. 2008-12-02 20:28:02 +00:00
ktsaou
508798f573 Added fixtos helper to mangle packets that may have invalid TOS 2008-12-02 20:01:11 +00:00
ktsaou
50a90f64fe fixed tcpmss issue described in bug 2043915.
It seems that LARTC is very old for this.
2008-08-09 21:48:02 +00:00
ktsaou
b8409b9ca7 update RESERVED_IPS according to latest IANA reservations. 2008-07-31 00:46:41 +00:00
ktsaou
e1cc6ea5c1 Updated IANA reservations. 2008-04-09 21:03:13 +00:00
ktsaou
4fbf8c9373 Updated for latest IANA reservations format. 2008-03-17 22:08:43 +00:00
ktsaou
b77eb930e6 Added service xbox.
This is not final, as it opens all unprivileged UDP ports to anyone from source port UDP 3074.
2007-12-11 22:05:24 +00:00
ktsaou
292d0d82ee Fixed the operation of FIREHOL_DROP_ORPHAN_TCP_ACK_FIN. It did not work
because it was also checking for a NEW state (which is not the case).
2007-12-08 10:39:06 +00:00
ktsaou
cc2e70fd6d Updated RESERVED_IPS 2007-11-30 19:22:36 +00:00
ktsaou
85f5419b82 Changed all service definitions which can use client ports below 1024 to
allow client connections from any possible port, because when natted, these
services will be remapped to client ports below 1024 without any
restriction on the port range.
2007-10-25 12:34:06 +00:00
ktsaou
25d704e21c 'less' is no more required. Now FireHOL can use 'less', 'more' or 'cat'
in that order, for a pager.

FireHOL will now correctly use 'zcat', 'gzcat' or 'gzip' for uncompressing
/proc/config.gz, and it will ignore /proc/config.gz if it cannot
find any of these commands (with a warning).

There was a case, where an attacker could use firehol to execute a custom
script, if it was saved at a location where the kernel config file is
expected by firehol, and /proc/config, /proc/config.gz did not exist.
FireHOL now greps the kernel config file for the information it needs, so
this threat has been eliminated.

Updated the line number management of the configuration file, using the
latest user commands offered by firehol.
2007-10-15 00:43:17 +00:00
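The safe kernel-config handling the commit above describes (pick whichever of zcat, gzcat or gzip exists, ignore the file with a warning if none does, and grep the file for options instead of executing it), as an added example that is not FireHOL's own code. The sample config is constructed for the example and deliberately contains a planted command line of the kind the commit warns about; the function names and the y/m/n reporting convention are assumptions of the example.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: read kernel configuration options
# the safe way described in the commit above. A kernel .config looks like a
# shell file, so the tempting shortcut is ". /path/to/config", which executes
# whatever happens to sit at that path. The reader below only ever greps.

# first_available CMD...: print the first command found on PATH, else fail.
# This is the "less, more, cat" and "zcat, gzcat, gzip" fallback logic.
first_available() {
    for c in "$@"; do
        if command -v "$c" >/dev/null 2>&1; then printf '%s\n' "$c"; return 0; fi
    done
    return 1
}

choose_pager() { first_available less more cat; }

# cat_config FILE: write the config text to stdout. A .gz file is
# decompressed with whichever tool is available; if none is, warn and
# fail rather than guess.
cat_config() {
    case $1 in
        *.gz)
            dec=$(first_available zcat gzcat gzip) || {
                echo "warning: no zcat/gzcat/gzip found, ignoring $1" >&2
                return 1
            }
            if [ "$dec" = gzip ]; then gzip -dc "$1"; else "$dec" "$1"; fi ;;
        *)  cat "$1" ;;
    esac
}

# kernel_option CONFIG_FILE NAME: print y, m or n for CONFIG_NAME.
# "n" covers both "# CONFIG_NAME is not set" and an absent option.
# Only a line of the exact form CONFIG_NAME=<value> is consulted; nothing
# in the file is evaluated.
kernel_option() {
    text=$(cat_config "$1") || return 1
    val=$(printf '%s\n' "$text" | sed -n "s/^CONFIG_$2=\(.*\)$/\1/p" | sed -n 1p)
    case $val in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'n\n' ;;
    esac
}

# write_sample_config FILE: a constructed config (not from any real kernel)
# with a planted command line of the sort the commit warns about. It is
# inert under kernel_option; it would run if the file were sourced.
write_sample_config() {
    printf '%s\n' \
        'CONFIG_NETFILTER=y' \
        'CONFIG_NF_CONNTRACK_FTP=m' \
        '# CONFIG_NF_CONNTRACK_SIP is not set' \
        'echo "planted: this would execute if the config were sourced" >&2' \
        > "$1"
}

demo() {
    dir=$(mktemp -d)
    write_sample_config "$dir/config"
    for opt in NETFILTER NF_CONNTRACK_FTP NF_CONNTRACK_SIP NF_CONNTRACK_SANE; do
        printf '%-22s %s\n' "$opt" "$(kernel_option "$dir/config" "$opt")"
    done
    rm -rf "$dir"
}
demo
```

Point /proc/config.gz or /boot/config-$(uname -r) at kernel_option and the planted line is never executed; the only thing the file can influence is the y/m/n answer, which is all the caller wanted from it.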
ktsaou
db6b4c9389 Replace gzcat with zcat. 2007-10-14 23:02:39 +00:00
ktsaou
da53e6f183 Updated RESERVED_IPS to latest IANA reservations. 2007-10-14 23:00:41 +00:00
ktsaou
d1398995da Made the helpme wizard correctly recognize services listening on the IPv6
equivalent of 0.0.0.0 (::).
2007-08-20 02:03:28 +00:00
ktsaou
71a2691dd0 Changed the protections to activate the 'invalid' match last, after all
other protections.
2007-08-20 00:53:22 +00:00
ktsaou
fa15b8b8eb Various updates in 'helpme' mode.
There is still one issue unsolved: When there are routes to specific nets
behind a gateway, FireHOL checks if the IP of the host or the gateway are
inside the networks routed through the gateway. This is wrong. In several
cases, the network behind a gateway will not include the IP of the gateway
or the IP of the interface the firehol host routes this traffic via.

However, there seems to be no easy solution to this. For PPP interfaces the
IP of the PPP concentrator is included in the IPs that are reported by
'ip route show dev ppp0' as the networks behind this device.

Maybe the 'scope' parameter of the routing table should be used to exclude
'scope link' routes. If 'scope link' routes are omitted, the resulting set
could be used to identify the routes behind a router.
2007-07-30 22:52:48 +00:00
ktsaou
9fcb57f84f Updated RESERVED_IPS. 2007-07-26 21:39:50 +00:00
ktsaou
b61383ba7b Service multicast has been changed to match dst 224.0.0.0/4 proto IGMP and
UDP.
2007-07-20 21:28:13 +00:00
ktsaou
40f4dc00e2 Various minor fixes.
firehol 'save' now saves also the required kernel modules to restore the
firewall at /var/spool/firehol/last_save_modules.sh.
This is executable already and can be called from boot scripts to load
the kernel modules required when restoring the firewall with:

iptables-restore
2007-07-20 21:16:59 +00:00
ktsaou
1d24f68a46 Added helper action:
action [chain <name> <action>]
The action helper creates an iptables chain which can be used to control the
action of other firewall rules during runtime.

For example, you can setup the custom action ACT1, which by default is ACCEPT,
but under certain cases it can be changed to DROP, REJECT or RETURN without
restarting the firewall.

The first argument must always be the word 'chain', for the moment.

        name    can be any chain name accepted by iptables.
                It is suggested to keep it between 5 to 10 letters.

        action  can be any action supported by FireHOL, although only ACCEPT,
                REJECT, DROP, RETURN may have any meaning under this use.

Example 1:
At the top of firehol.conf, create the action ACT1:

action chain ACT1 accept

later, in interfaces and routers, create rules that use the ACT1 action:

server smtp ACT1
client imap ACT1

Please note that actions created this way are case sensitive.
At some point, and while the firewall is running, the action ACT1 can be
changed to DROP, with this linux command (this is not FireHOL specific):

iptables -t filter -I ACT1 -j DROP

The above command inserts (-I) the new action DROP above the default
action ACCEPT, and therefore all the traffic matching the FireHOL rules that
have the action ACT1 will now be dropped.
To return to the default action (ACCEPT), run the following linux command:

iptables -t filter -D ACT1 -j DROP

This command deletes (-D) the DROP action that was inserted above the
default action. If you delete all actions in the chain ACT1, the default
action will be RETURN, in which case all rules with action ACT1 will be
neutralized (it will be the same as they were not specified at all in
firehol.conf).

Example 2:

action chain "ACT1 ACT2 ACT3" accept chain "ACT4 ACT5 ACT6" drop

will create 6 actions, ACT1, ACT2, ACT3 with ACCEPT, and
ACT4, ACT5, ACT6 with DROP.
2007-07-20 19:58:38 +00:00
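The action-chain mechanics from the commit above (first rule in the chain wins, -I puts an override above the default, -D removes it, an emptied chain yields RETURN), as an added example that is not FireHOL's own code. It reads and rewrites iptables-save text so it can run without root; the dump is constructed for the example, the FIREHOL_ACTION_LIVE guard and the helper names are assumptions of the example, and the two guarded commands are exactly the ones the commit quotes.

```shell
#!/bin/sh
# Added example, not FireHOL's own code: work out what an "action chain"
# such as ACT1 currently does, and simulate the -I / -D toggling from the
# commit message on iptables-save text, so it runs without root.

# Constructed iptables-save excerpt (not a real dump). ACT1 has had DROP
# inserted above its default ACCEPT, ACT2 is at its default, ACT3 has
# been emptied completely.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:ACT1 - [0:0]
:ACT2 - [0:0]
:ACT3 - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j ACT1
-A INPUT -p tcp -m tcp --dport 143 -j ACT2
-A ACT1 -j DROP
-A ACT1 -j ACCEPT
-A ACT2 -j ACCEPT
COMMIT'

# effective_action DUMP CHAIN
# Prints the verdict the chain yields right now: the target of its first
# rule, or RETURN when the chain is declared but empty (the kernel falls
# off the end of a user chain and returns to the caller). Exit 1 if the
# chain is not declared in the dump at all.
effective_action() {
    printf '%s\n' "$1" | grep -q "^:$2 " || return 1
    first=$(printf '%s\n' "$1" | awk -v chain="$2" '
        $0 ~ "^-A " chain " " {
            for (i = 1; i <= NF; i++) if ($i == "-j") { print $(i + 1); exit }
        }')
    printf '%s\n' "${first:-RETURN}"
}

# dump_insert DUMP CHAIN VERDICT
# Text equivalent of "iptables -t filter -I CHAIN -j VERDICT": the new
# rule goes to position 1, i.e. above every existing rule of the chain.
dump_insert() {
    printf '%s\n' "$1" | awk -v chain="$2" -v verdict="$3" '
        !done && ($0 ~ "^-A " chain " " || $0 == "COMMIT") {
            print "-A " chain " -j " verdict; done = 1
        }
        { print }'
}

# dump_delete DUMP CHAIN VERDICT
# Text equivalent of "iptables -t filter -D CHAIN -j VERDICT": removes the
# first rule that matches exactly.
dump_delete() {
    printf '%s\n' "$1" | awk -v chain="$2" -v verdict="$3" '
        !done && $0 == "-A " chain " -j " verdict { done = 1; next }
        { print }'
}

# The two real commands from the commit message, guarded (an assumption of
# this example) so that running this file as a demonstration never touches
# the live firewall.
action_override() { [ "${FIREHOL_ACTION_LIVE:-0}" = 1 ] && iptables -t filter -I "$1" -j "$2"; }
action_restore()  { [ "${FIREHOL_ACTION_LIVE:-0}" = 1 ] && iptables -t filter -D "$1" -j "$2"; }

# Walk ACT1 from its override back to its default and then to "no rules".
demo() {
    d=$SAMPLE_DUMP
    printf 'ACT1 now: %s\n' "$(effective_action "$d" ACT1)"              # DROP
    d=$(dump_delete "$d" ACT1 DROP)
    printf 'ACT1 after -D DROP: %s\n' "$(effective_action "$d" ACT1)"    # ACCEPT
    d=$(dump_delete "$d" ACT1 ACCEPT)
    printf 'ACT1 emptied: %s\n' "$(effective_action "$d" ACT1)"          # RETURN
}
demo
```

On a live box, feed effective_action the output of iptables-save -t filter to confirm which verdict an action chain is currently giving before and after an override; the RETURN case is the one that silently neutralises every rule using that action, so it is worth checking for explicitly.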
ktsaou
9ee2483eaa Updated IANA RESERVED_IPS. 2007-05-22 22:52:53 +00:00
ktsaou
cf8af3cc22 Made firehol correctly identify newer kernel options regarding iptables
modules (applies to kernels 2.6.20+).
2007-05-06 14:42:43 +00:00
ktsaou
4324ef77da Added support for external definitions of:
RESERVED_IPS
PRIVATE_IPS
MULTICAST_IPS
UNROUTABLE_IPS

in files under the same name in /etc/firehol/.
Only RESERVED_IPS is mandatory (firehol will complain if it is not there,
but it will still work without it), and is also the only file that firehol
checks how old it is. If it is 90+ days old, firehol will complain again.

Changed the supplied get-iana.sh script to generate the RESERVED_IPS file.
FireHOL also instructs the user to use this script if the file is missing
or is too old.
2007-05-05 23:38:31 +00:00
ktsaou
3e03710f54 Updated RESERVED_IPS 2007-04-29 18:38:41 +00:00