diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh
--- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100
+++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100
@@ -74,13 +74,16 @@
return 0
}
-# Check for a command during runtime.
-# Currently the following commands are required only when needed:
-#
-# wget or curl (either is fine)
-# gzcat
-#
+# command on demand support.
require_cmd() {
+ local block=1
+ if [ "a$1" = "a-n" ]
+ then
+ local block=0
+ shift
+ fi
+
+ # if one is found, return success
for x in $1
do
eval var=`echo ${x} | tr 'a-z' 'A-Z'`_CMD
@@ -92,21 +95,56 @@
fi
done
+ if [ $block -eq 1 ]
+ then
+ echo >&2
+ echo >&2 "ERROR: THE REQUESTED FEATURE REQUIRES THESE PROGRAMS:"
+ echo >&2
+ echo >&2 " $*"
+ echo >&2
+ echo >&2 " You have requested the use of an optional FireHOL"
+ echo >&2 " feature that requires certain external programs"
+ echo >&2 " to be installed in the running system."
+ echo >&2
+ echo >&2 " Please consult your Linux distribution manual to"
+ echo >&2 " install the package(s) that provide these external"
+ echo >&2 " programs and retry."
+ echo >&2
+ echo >&2 " Note that you need an operational 'which' command"
+ echo >&2 " for FireHOL to find all the external programs it"
+ echo >&2 " needs. Check it yourself. Run:"
+ echo >&2
+ for x in $1
+ do
+ echo >&2 " which $x"
+ done
+
+ exit 1
+ fi
+
return 1
}
+# Currently the following commands are required only when needed.
+# (i.e. Command on Demand)
+#
+# wget or curl (either is fine)
+# gzcat
+# ip
+# netstat
+# egrep
+# date
+# hostname
+
+# Commands that are mandatory for FireHOL operation:
which_cmd CAT_CMD cat
which_cmd CUT_CMD cut
which_cmd CHOWN_CMD chown
which_cmd CHMOD_CMD chmod
-which_cmd DATE_CMD date
-which_cmd EGREP_CMD egrep
which_cmd EXPR_CMD expr
which_cmd GAWK_CMD gawk
which_cmd GREP_CMD grep
which_cmd HEAD_CMD head
-which_cmd HOSTNAME_CMD hostname
-which_cmd IP_CMD ip
which_cmd IPTABLES_CMD iptables
which_cmd IPTABLES_SAVE_CMD iptables-save
which_cmd LESS_CMD less
@@ -114,7 +152,6 @@
which_cmd MKDIR_CMD mkdir
which_cmd MV_CMD mv
which_cmd MODPROBE_CMD modprobe
-which_cmd NETSTAT_CMD netstat
which_cmd RENICE_CMD renice
which_cmd RM_CMD rm
which_cmd SED_CMD sed
@@ -170,6 +207,9 @@
FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
FIREHOL_TMP="${FIREHOL_DIR}/firehol-tmp.sh"
+FIREHOL_LOCK_DIR="/var/lock/subsys"
+test ! -d "${FIREHOL_LOCK_DIR}" && FIREHOL_LOCK_DIR="/var/lock"
+
FIREHOL_SPOOL_DIR="/var/spool/firehol"
# The default configuration file
@@ -209,6 +249,7 @@
# Run our exit even if we don't call exit.
trap firehol_exit EXIT
+trap firehol_exit SIGHUP
# ------------------------------------------------------------------------------
@@ -267,8 +308,8 @@
if [ ! -d "${FIREHOL_SPOOL_DIR}" ]
then
"${MKDIR_CMD}" "${FIREHOL_SPOOL_DIR}" || exit 1
- "${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}" || exit 1
- "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}" || exit 1
+ "${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}" || exit 1
+ "${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}" || exit 1
fi
@@ -280,7 +321,7 @@
# Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@marcbrockschmidt.de>
# Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
# The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
-RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7 76.0.0.0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"
+RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 92.0.0.0/6 100.0.0.0/6 104.0.0.0/5 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4 "
# Private IPv4 address space
# Suggested by Fco.Felix Belmonte <ffelix@gescosoft.com>
@@ -306,6 +347,11 @@
# policy interface subscommand.
DEFAULT_INTERFACE_POLICY="DROP"
+# The default policy for the router commands of the firewall.
+# This can be controlled on a per interface basis using the
+# policy interface subscommand.
+DEFAULT_ROUTER_POLICY="RETURN"
+
# Which is the filter table chains policy during firewall activation?
FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT"
FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT"
@@ -329,6 +375,10 @@
FIREHOL_LOG_MODE="LOG"
FIREHOL_LOG_FREQUENCY="1/second"
FIREHOL_LOG_BURST="5"
+FIREHOL_LOG_PREFIX=""
+
+# If enabled, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
+FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=0
# The client ports to be used for "default" client ports when the
# client specified is a foreign host.
@@ -427,7 +477,7 @@
work_name=
work_inface=
work_outface=
-work_policy="${DEFAULT_INTERFACE_POLICY}"
+work_policy=
work_error=0
work_function="Initializing"
@@ -618,6 +668,9 @@
server_microsoft_ds_ports="tcp/445"
client_microsoft_ds_ports="default"
+server_ms_ds_ports="tcp/445"
+client_ms_ds_ports="default"
+
server_mms_ports="tcp/1755 udp/1755"
client_mms_ports="default"
require_mms_modules="ip_conntrack_mms"
@@ -666,6 +719,9 @@
server_oracle_ports="tcp/1521"
client_oracle_ports="default"
+server_OSPF_ports="89/any"
+client_OSPF_ports="any"
+
server_pop3_ports="tcp/110"
client_pop3_ports="default"
@@ -708,7 +764,7 @@
client_rtp_ports="any"
server_sip_ports="udp/5060"
-client_sip_ports="default"
+client_sip_ports="5060 default"
server_socks_ports="tcp/1080 udp/1080"
client_socks_ports="default"
@@ -769,7 +825,7 @@
server_vmwareauth_ports="tcp/903"
client_vmwareauth_ports="default"
-server_vmwareweb_ports="tcp/8222"
+server_vmwareweb_ports="tcp/8222 tcp/8333"
client_vmwareweb_ports="default"
server_vnc_ports="tcp/5900:5903"
@@ -1090,10 +1146,12 @@
local server_rquotad_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " rquotad$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
local server_mountd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " mountd$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
local server_lockd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nlockmgr$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+ local server_statd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " status$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
local server_nfsd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nfs$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
test -z "${server_mountd_ports}" && error "Cannot find mountd ports for nfs server '${x}'" && return 1
test -z "${server_lockd_ports}" && error "Cannot find lockd ports for nfs server '${x}'" && return 1
+ test -z "${server_statd_ports}" && error "Cannot find statd ports for nfs server '${x}'" && return 1
test -z "${server_nfsd_ports}" && error "Cannot find nfsd ports for nfs server '${x}'" && return 1
local dst=
@@ -1113,6 +1171,9 @@
set_work_function "Processing lockd rules for server '${x}'"
rules_custom "${mychain}" "${type}" nfs-lockd "${server_lockd_ports}" "500:65535" "${action}" $dst "$@"
+
+ set_work_function "Processing statd rules for server '${x}'"
+ rules_custom "${mychain}" "${type}" nfs-statd "${server_statd_ports}" "500:65535" "${action}" $dst "$@"
set_work_function "Processing nfsd rules for server '${x}'"
rules_custom "${mychain}" "${type}" nfs-nfsd "${server_nfsd_ports}" "500:65535" "${action}" $dst "$@"
@@ -1798,7 +1859,7 @@
firehol_wget() {
local url="${1}"
- require_cmd wget curl || error "Cannot find 'wget' or 'curl' in the path."
+ require_cmd wget curl
if [ ! -z "${WGET_CMD}" ]
then
@@ -2407,9 +2468,9 @@
policy() {
work_realcmd_secondary ${FUNCNAME} "$@"
- require_work set interface || return 1
+ require_work set any || return 1
- set_work_function "Setting interface '${work_inface}' (${work_name}) policy to ${1}"
+ set_work_function "Setting policy of ${work_name} to ${1}"
work_policy="$*"
return 0
@@ -2482,6 +2543,11 @@
return 0
;;
+ bad-packets|BAD-PACKETS)
+ protection ${reverse} "invalid fragments new-tcp-w/o-syn malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}"
+ return $?
+ ;;
+
strong|STRONG|full|FULL|all|ALL)
protection ${reverse} "invalid fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}"
return $?
@@ -2529,6 +2595,16 @@
rule in chain "${mychain}" loglimit "SYN FLOOD" action drop || return 1
;;
+ all-floods|ALL-FLOODS)
+ local mychain="${pre}_${work_name}_allflood"
+ create_chain filter "${mychain}" "${in}_${work_name}" in state NEW || return 1
+
+ set_work_function "Generating rules to be protected from ALL floods on '${prface}' for ${work_cmd} '${work_name}'"
+
+ rule in chain "${mychain}" limit "${rate}" "${burst}" action return || return 1
+ rule in chain "${mychain}" loglimit "ALL FLOOD" action drop || return 1
+ ;;
+
malformed-xmas|MALFORMED-XMAS)
local mychain="${pre}_${work_name}_malxmas"
create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL" || return 1
@@ -2589,7 +2665,7 @@
# kernel modules.
# optionaly require command gzcat
-require_cmd gzcat
+require_cmd -n gzcat
KERNEL_CONFIG=
if [ -f "/proc/config" ]
@@ -2632,6 +2708,7 @@
echo >&2 " all kernel modules for the services used, without"
echo >&2 " being able to detect failures."
echo >&2 " "
+ sleep 2
fi
# activation-phase command to check for the existance of
@@ -2824,11 +2901,12 @@
work_name=
work_inface=
work_outface=
- work_policy="${DEFAULT_INTERFACE_POLICY}"
+ work_policy=
return 0
}
+
# ------------------------------------------------------------------------------
# close_interface
# WHY:
@@ -2841,6 +2919,12 @@
set_work_function "Finilizing interface '${work_name}'"
+ # Accept all related traffic to the established connections
+ rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
+ rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
+
+ # make sure we have a policy
+ test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}"
case "${work_policy}" in
return|RETURN)
return 0
@@ -2849,15 +2933,18 @@
accept|ACCEPT)
;;
- *)
+ *)
local -a inlog=(loglimit "'IN-${work_name}'")
local -a outlog=(loglimit "'OUT-${work_name}'")
;;
esac
- # Accept all related traffic to the established connections
- rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
- rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
+ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
+ then
+ # Silently drop orphan TCP/ACK FIN packets
+ rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+ rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+ fi
rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
@@ -2882,6 +2969,32 @@
rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
+ # make sure we have a policy
+ test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}"
+ case "${work_policy}" in
+ return|RETURN)
+ return 0
+ ;;
+
+ accept|ACCEPT)
+ ;;
+
+ *)
+ local -a inlog=(loglimit "'PASS-${work_name}'")
+ local -a outlog=(loglimit "'PASS-${work_name}'")
+ ;;
+ esac
+
+ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
+ then
+ # Silently drop orphan TCP/ACK FIN packets
+ rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+ rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+ fi
+
+ rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
+ rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
+
return 0
}
@@ -2900,6 +3013,14 @@
rule chain OUTPUT state RELATED action ACCEPT || return 1
rule chain FORWARD state RELATED action ACCEPT || return 1
+ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
+ then
+ # Silently drop orphan TCP/ACK FIN packets
+ rule chain INPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+ rule chain OUTPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+ rule chain FORWARD state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
+ fi
+
rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1
rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1
rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1
@@ -3055,7 +3176,7 @@
# to pass.
if [ "${do_accept_limit}" = "1" ]
then
- local accept_limit_chain="`echo "ACCEPT ${freq} ${burst} ${overflow}" | tr " /." "___"`"
+ local accept_limit_chain="`echo "ACCEPT LIMIT ${freq} ${burst} ${overflow}" | tr " /." "___"`"
# does the chain we need already exist?
if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}" ]
@@ -3075,9 +3196,9 @@
local -a logopts_arg=()
if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
then
- local -a logopts_arg=("--ulog-prefix='OVERFLOW:'")
+ local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'")
else
- local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='OVERFLOW:'")
+ local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'")
fi
iptables ${table} -A "${accept_limit_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
@@ -3096,6 +3217,62 @@
fi
;;
+ "recent")
+ # limit NEW connections to the specified rate
+ local name="${action_param[1]}"
+ local seconds="${action_param[2]}"
+ local hits="${action_param[3]}"
+
+ # unset the action_param, so that if this rule does not include NEW connections,
+ # we will not append anything to the generated iptables statements.
+ local -a action_param=()
+
+ # find is this rule matches NEW connections
+ local has_new=`echo "${state}" | grep -i NEW`
+ local do_accept_recent=0
+ if [ -z "${statenot}" ]
+ then
+ test ! -z "${has_new}" && local do_accept_recent=1
+ else
+ test -z "${has_new}" && local do_accept_recent=1
+ fi
+
+ # we have a match for NEW connections.
+ # redirect the traffic to a new chain, which will control
+ # the NEW connections while allowing all the other traffic
+ # to pass.
+ if [ "${do_accept_recent}" = "1" ]
+ then
+ local accept_recent_chain="`echo "ACCEPT RECENT $name $seconds $hits" | tr " /." "___"`"
+
+ # does the chain we need already exist?
+ if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ]
+ then
+ # the chain does not exist. create it.
+ iptables ${table} -N "${accept_recent_chain}"
+ touch "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}"
+
+ # first, if the traffic is not a NEW connection, allow it.
+ # doing this first will speed up normal traffic.
+ iptables ${table} -A "${accept_recent_chain}" -m state ! --state NEW -j ACCEPT
+
+ # accept NEW connections within the given limits.
+ iptables ${table} -A "${accept_recent_chain}" -m recent --set --name "${name}"
+
+ local t1=
+ test ! -z $seconds && local t1="--seconds ${seconds}"
+ local t2=
+ test ! -z $hits && local t2="--hitcount ${hits}"
+
+ iptables ${table} -A "${accept_recent_chain}" -m recent --update ${t1} ${t2} --name "${name}" -j RETURN
+ iptables ${table} -A "${accept_recent_chain}" -j ACCEPT
+ fi
+
+ # send the rule to be generated to this chain
+ local action=${accept_recent_chain}
+ fi
+ ;;
+
'knock')
# the name of the knock
local name="knock_${action_param[1]}"
@@ -3175,6 +3352,12 @@
local dst=any
local dstnot=
+ local srctype=
+ local srctypenot=
+
+ local dsttype=
+ local dsttypenot=
+
local sport=any
local sportnot=
@@ -3397,7 +3580,7 @@
if [ "${1}" = "not" -o "${1}" = "NOT" ]
then
shift
- macnot="!"
+ test ${nomac} -eq 0 && macnot="!"
fi
test ${softwarnings} -eq 1 -a ! "${mac}" = "any" && softwarning "Overwritting param: mac '${mac}' becomes '${1}'"
test ${nomac} -eq 0 && mac="${1}"
@@ -3454,6 +3637,56 @@
shift
;;
+ srctype|SRCTYPE|sourcetype|SOURCETYPE)
+ shift
+ if [ ${reverse} -eq 0 ]
+ then
+ srctypenot=
+ if [ "${1}" = "not" -o "${1}" = "NOT" ]
+ then
+ shift
+ srctypenot="!"
+ fi
+ test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'"
+ srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
+ else
+ dsttypenot=
+ if [ "${1}" = "not" -o "${1}" = "NOT" ]
+ then
+ shift
+ dsttypenot="!"
+ fi
+ test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'"
+ dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
+ fi
+ shift
+ ;;
+
+ dsttype|DSTTYPE|destinationtype|DESTINATIONTYPE)
+ shift
+ if [ ${reverse} -eq 0 ]
+ then
+ dsttypenot=
+ if [ "${1}" = "not" -o "${1}" = "NOT" ]
+ then
+ shift
+ dsttypenot="!"
+ fi
+ test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'"
+ dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
+ else
+ srctypenot=
+ if [ "${1}" = "not" -o "${1}" = "NOT" ]
+ then
+ shift
+ srctypenot="!"
+ fi
+ test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'"
+ srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
+ fi
+ shift
+ ;;
+
sport|SPORT|sourceport|SOURCEPORT)
shift
if [ ${reverse} -eq 0 ]
@@ -3591,6 +3824,11 @@
fi
;;
+ recent|RECENT)
+ local -a action_param=("recent" "${2}" "${3}" "${4}")
+ shift 4
+ ;;
+
knock|KNOCK)
local -a action_param=("knock" "${2}")
shift 2
@@ -3750,6 +3988,10 @@
fi
;;
+ tarpit|TARPIT)
+ action="TARPIT"
+ ;;
+
*)
chain_exists "${action}"
local action_is_chain=$?
@@ -3991,7 +4233,7 @@
# this temporary chain.
- # ignore 'statenot' since it is negated in the positive rules
+ # ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules
if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
then
if [ ${action_is_chain} -eq 1 ]
@@ -4540,6 +4782,25 @@
;;
esac
+ # addrtype (srctype, dsttype)
+ local -a addrtype_arg=()
+ local -a stp_arg=()
+ local -a dtp_arg=()
+ if [ ! -z "${srctype}${dsttype}" ]
+ then
+ local -a addrtype_arg=("-m" "addrtype")
+
+ if [ ! -z "${srctype}" ]
+ then
+ local -a stp_arg=("${srctypenot}" "--src-type" "${srctype}")
+ fi
+
+ if [ ! -z "${dsttype}" ]
+ then
+ local -a dtp_arg=("${dsttypenot}" "--dst-type" "${dsttype}")
+ fi
+ fi
+
# state
local -a state_arg=()
if [ ! -z "${state}" ]
@@ -4562,15 +4823,15 @@
fi
# build the command
- declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
+ declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${addrtype_arg[@]}" "${stp_arg[@]}" "${dtp_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
# log mode selection
local -a logopts_arg=()
if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
then
- local -a logopts_arg=("--ulog-prefix='${logtxt}:'")
+ local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'")
else
- local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'")
+ local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'")
fi
# log / loglimit
@@ -5005,8 +5266,8 @@
stop)
test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored."
- test -f /var/lock/subsys/firehol && ${RM_CMD} -f /var/lock/subsys/firehol
- test -f /var/lock/subsys/iptables && ${RM_CMD} -f /var/lock/subsys/iptables
+ test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol"
+ test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables"
echo -n $"FireHOL: Clearing Firewall:"
load_kernel_module ip_tables
@@ -5038,7 +5299,7 @@
condrestart)
test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored."
FIREHOL_TRY=0
- if [ -f /var/lock/subsys/firehol ]
+ if [ -f "${FIREHOL_LOCK_DIR}/firehol" ]
then
exit 0
fi
@@ -5459,6 +5720,13 @@
if [ ${FIREHOL_WIZARD} -eq 1 ]
then
+ # require commands for wizard mode
+ require_cmd ip
+ require_cmd netstat
+ require_cmd egrep
+ require_cmd date
+ require_cmd hostname
+
wizard_ask() {
local prompt="${1}"; shift
local def="${1}"; shift
@@ -5603,7 +5871,12 @@
local i4=${4}
local i5=${5:-32}
- echo ${i1}.${i2}.${i3}.${i4}/${i5}
+ if [ "${i5}" = "32" ]
+ then
+ echo ${i1}.${i2}.${i3}.${i4}
+ else
+ echo ${i1}.${i2}.${i3}.${i4}/${i5}
+ fi
}
ips2net() {
@@ -6354,11 +6627,11 @@
# Remove the saved firewall, so that the trap will not restore it.
${RM_CMD} -f "${FIREHOL_SAVED}"
-# RedHat startup service locking.
-if [ -d /var/lock/subsys ]
+# Startup service locking.
+if [ -d "${FIREHOL_LOCK_DIR}" ]
then
- ${TOUCH_CMD} /var/lock/subsys/iptables
- ${TOUCH_CMD} /var/lock/subsys/firehol
+ ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/iptables"
+ ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/firehol"
fi