initial commit of file from CVS for e-smith-packetfilter on Wed 12 Jul 09:02:33 BST 2023
parent
b2c0968fc3
commit
4a060af783
@ -0,0 +1,4 @@
|
||||
*.rpm
|
||||
*.log
|
||||
*spec-20*
|
||||
*.tar.xz
|
@ -0,0 +1,21 @@
|
||||
# Makefile for source rpm: e-smith-packetfilter
|
||||
# $Id: Makefile,v 1.1 2016/02/05 22:13:26 stephdl Exp $
|
||||
NAME := e-smith-packetfilter
|
||||
SPECFILE = $(firstword $(wildcard *.spec))
|
||||
|
||||
define find-makefile-common
|
||||
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
|
||||
endef
|
||||
|
||||
MAKEFILE_COMMON := $(shell $(find-makefile-common))
|
||||
|
||||
ifeq ($(MAKEFILE_COMMON),)
|
||||
# attept a checkout
|
||||
define checkout-makefile-common
|
||||
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
|
||||
endef
|
||||
|
||||
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
|
||||
endif
|
||||
|
||||
include $(MAKEFILE_COMMON)
|
@ -1,3 +1,17 @@
|
||||
# e-smith-packetfilter
|
||||
# <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> e-smith-packetfilter
|
||||
|
||||
SMEServer Koozali developed git repo for e-smith-packetfilter smeserver
|
||||
SMEServer Koozali developed git repo for e-smith-packetfilter smeserver
|
||||
|
||||
## Wiki
|
||||
<br />https://wiki.koozali.org/
|
||||
|
||||
## Bugzilla
|
||||
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-packetfilter&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
|
||||
|
||||
## Description
|
||||
|
||||
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
|
||||
*Once it has been checked, then this comment will be deleted*
|
||||
<br />
|
||||
|
||||
The e-smith-packetfilter software is an open source Linux-based firewall system that is used to protect networks from malicious attacks and unauthorized access. It has a modular design and can be easily customized to meet the needs of any organization. The software provides robust protection against Denial of Service (DoS) attacks, port scanning, IP spoofing, port scanning, and other security threats. It also offers advanced features such as content filtering, URL filtering, and stateful packet inspection. The software is easy to set up and manage, making it an ideal choice for organizations of all sizes.
|
||||
|
@ -0,0 +1 @@
|
||||
sme10
|
@ -0,0 +1,46 @@
|
||||
#!/usr/bin/perl -w
|
||||
|
||||
use esmith::Build::CreateLinks qw(:all);
|
||||
|
||||
templates2events("/etc/ulogd.conf", qw(post-install post-upgrade e-smith-packetfilter-update));
|
||||
|
||||
# conf-masq
|
||||
|
||||
templates2events("/etc/rc.d/init.d/masq", qw(
|
||||
console-save
|
||||
bootstrap-console-save
|
||||
network-create
|
||||
network-delete
|
||||
remoteaccess-update
|
||||
email-update
|
||||
e-smith-packetfilter-update
|
||||
));
|
||||
|
||||
foreach (qw(console-save ip-change network-create network-delete remoteaccess-update e-smith-packetfilter-update))
|
||||
{
|
||||
safe_symlink("reload", "root/etc/e-smith/events/$_/services2adjust/masq");
|
||||
}
|
||||
|
||||
my $event ="e-smith-packetfilter-update";
|
||||
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ulogd");
|
||||
event_link("systemd-reload", $event, "89");
|
||||
event_link("systemd-default", $event, "88");
|
||||
templates2events("/etc/logrotate.d/ulogd", ($event,qw(post-install post-upgrade bootstrap-console-save)) );
|
||||
|
||||
|
||||
#systemd
|
||||
foreach my $target (qw(multi-user sme-server))
|
||||
{
|
||||
system('mkdir -p root/usr/lib/systemd/system/'.$target.'.target.wants/');
|
||||
|
||||
foreach my $unit (qw(
|
||||
masq.service
|
||||
ulogd.service
|
||||
))
|
||||
{
|
||||
symlink("../$unit",
|
||||
"root/usr/lib/systemd/system/$target.target.wants/$unit")
|
||||
or die "Can't symlink to root/usr/lib/systemd/system/$target.target.wants/$unit: $!";
|
||||
}
|
||||
}
|
||||
|
@ -0,0 +1,908 @@
|
||||
# $Id: e-smith-packetfilter.spec,v 1.15 2021/11/16 03:18:06 jpp Exp $
|
||||
|
||||
Summary: e-smith server and gateway - packetfilter add-on
|
||||
%define name e-smith-packetfilter
|
||||
Name: %{name}
|
||||
%define version 2.6.0
|
||||
%define release 9
|
||||
Version: %{version}
|
||||
Release: %{release}%{?dist}
|
||||
License: GPL
|
||||
Group: Networking/Daemons
|
||||
Source: %{name}-%{version}.tar.xz
|
||||
|
||||
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
|
||||
BuildArchitectures: noarch
|
||||
Requires: e-smith-base >= 5.8.0-49
|
||||
Requires: ulogd >= 2
|
||||
Requires: daemontools
|
||||
Requires: iptables
|
||||
BuildRequires: e-smith-devtools
|
||||
Obsoletes: e-smith-ipmasq
|
||||
AutoReqProv: no
|
||||
Requires(pre): /usr/sbin/useradd
|
||||
|
||||
%description
|
||||
e-smith server and gateway software - packetfilter add-on
|
||||
|
||||
%changelog
|
||||
* Wed Jul 12 2023 cvs2git.sh aka Brian Read <brianr@koozali.org> 2.6.0-9.sme
|
||||
- Roll up patches and move to git repo [SME: 12338]
|
||||
|
||||
* Wed Jul 12 2023 BogusDateBot
|
||||
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
|
||||
by assuming the date is correct and changing the weekday.
|
||||
Mon Apr 21 2001 --> Mon Apr 16 2001 or Sat Apr 21 2001 or Mon Apr 23 2001 or ....
|
||||
Fri Nov 23 2006 --> Fri Nov 17 2006 or Thu Nov 23 2006 or Fri Nov 24 2006 or ....
|
||||
Fri Apr 09 2007 --> Fri Apr 06 2007 or Mon Apr 09 2007 or Fri Apr 13 2007 or ....
|
||||
|
||||
* Mon Nov 15 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-8.sme
|
||||
- restrict VPN networks to their interface [SME: 11640]
|
||||
remove remoteVPNSubnet property added VPNif property
|
||||
|
||||
* Wed Apr 07 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-7.sme
|
||||
- fix dropin file not expanded on initial installation [SME: 11528]
|
||||
- fix noise on logrotate, doing a restart instead of reload [SME: 11451]
|
||||
|
||||
* Thu Mar 04 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-6.sme
|
||||
- move ulogd to systemd [SME: 11426]
|
||||
- require ulogd 2 [SME: 11426]
|
||||
|
||||
* Wed Mar 03 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-5.sme
|
||||
- remove pptpd last references [SME: 11420]
|
||||
|
||||
* Fri Feb 12 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-4.sme
|
||||
- remove /usr/lib/systemd/system-preset/80-koozali-packetfilter.preset [SME: 10958]
|
||||
|
||||
* Fri Dec 11 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-3.sme
|
||||
- drop pptpd support [SME: 11251]
|
||||
|
||||
* Tue Nov 10 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-2.sme
|
||||
- launch masq using systemd unit [SME: 11089]
|
||||
- create event to avoid reboot on update [SME: 11122]
|
||||
|
||||
* Fri Feb 05 2016 stephane de Labrusse <stephdl@de-labrusse.fr> 2.6.0-1.sme
|
||||
- Initial release to sme10
|
||||
|
||||
* Thu Feb 28 2013 Ian Wells <esmith@wellsi.com> 2.4.0-3.sme
|
||||
- Prevent multiple instances of the masq script running,
|
||||
patch by Charlie Brady [SME: 7415]
|
||||
|
||||
* Tue Feb 19 2013 Daniel Berteaud <daniel@firewall-services.com> 2.4.0-2.sme
|
||||
- Use extrapositioned negation (Credits to John Crisp) [SME: 7262]
|
||||
|
||||
* Wed Feb 6 2013 Shad L. Lords <slords@mail.com> 2.4.0-1.sme
|
||||
- Roll new stream for sme9
|
||||
|
||||
* Tue Oct 7 2008 Shad L. Lords <slords@mail.com> 2.2.0-1.sme
|
||||
- Roll new stream to separate sme7/sme8 trees [SME: 4633]
|
||||
|
||||
* Fri May 18 2007 Shad L. Lords <slords@mail.com> 1.18.0-6
|
||||
- Use correct lib for modules
|
||||
|
||||
* Sun Apr 29 2007 Shad L. Lords <slords@mail.com>
|
||||
- Clean up spec so package can be built by koji/plague
|
||||
|
||||
* Fri Apr 09 2007 Stephen Noble <support@dungog.net> 1.18.0-5
|
||||
- Fix masq error in server only mode (cannot open UDPPort) [SME: 2812]
|
||||
|
||||
* Fri Apr 06 2007 Shad L. Lords <slords@mail.com> 1.18.0-4
|
||||
- Fix perms for ulogd.conf file [SME: 2722]
|
||||
|
||||
* Mon Mar 19 2007 Shad L. Lords <slords@mail.com> 1.18.0-3
|
||||
- Update ulogd.conf to new format [SME: 2744]
|
||||
|
||||
* Fri Feb 09 2007 Shad L. Lords <slords@mail.com> 1.18.0-2
|
||||
- Fix sorting for Ports properties [SME: 56]
|
||||
|
||||
* Fri Jan 26 2007 Shad L. Lords <slords@mail.com> 1.18.0-1
|
||||
- Roll stable stream. [SME: 2328]
|
||||
|
||||
* Thu Jan 18 2007 Shad L. Lords <slords@mail.com> 1.17.0-7
|
||||
- Move last masq fragments from e-smith-base.
|
||||
|
||||
* Wed Jan 17 2007 Shad L. Lords <slords@mail.com> 1.17.0-6
|
||||
- Use both {TCP,UDP}Port and {TCP,UDP}Ports for masq template [SME: 56]
|
||||
|
||||
* Thu Dec 07 2006 Shad L. Lords <slords@mail.com>
|
||||
- Update to new release naming. No functional changes.
|
||||
- Make Packager generic
|
||||
|
||||
* Thu Nov 23 2006 Gordon Rowell <gordonr@gormand.com.au> 1.17.0-04
|
||||
Fri Nov 23 2006 --> Fri Nov 17 2006 or Thu Nov 23 2006 or Fri Nov 24 2006 or ....
|
||||
- Remove TCPMinimizeDelay default for ssh [SME: 2083]
|
||||
|
||||
* Mon Aug 28 2006 Charlie Brady <charlie_brady@mitel.com> 1.17.0-03
|
||||
- Ensure that $OUTERNET is an IP address. [SME: 1815]
|
||||
|
||||
* Sun Aug 13 2006 Charlie Brady <charlie_brady@mitel.com> 1.17.0-02
|
||||
- Merge in masq fragments from e-smith-base.
|
||||
|
||||
* Sun Aug 13 2006 Charlie Brady <charlie_brady@mitel.com> 1.17.0-01
|
||||
- Roll new development stream.
|
||||
|
||||
* Wed Jul 26 2006 Gordon Rowell <gordonr@gormand.com.au> 1.16.0-05
|
||||
- Remove redundant auto-generated service-specific denylog rules from
|
||||
90InboundTCP10filter_{tcp,udp} [SME: 1776]
|
||||
|
||||
* Tue Jul 18 2006 Charlie Brady <charlie_brady@mitel.com> 1.16.0-04
|
||||
- Bundle fragments from e-smith-ipmasq and obsolete that RPM. [SME: 1002]
|
||||
|
||||
* Tue Jun 20 2006 Filippo Carletti <carletti@mobilia.it> 1.16.0-03
|
||||
- No longer drop UDP packets in serveronly mode [SME: 1002]
|
||||
|
||||
* Thu Apr 6 2006 Gavin Weight <gweight@gmail.com> 1.2.0-02
|
||||
- Make ident TCP reject configurable, based on oidentd status.
|
||||
If oidentd{status} is enabled, allow ident, otherwise REJECT it [SME: 85]
|
||||
|
||||
* Wed Mar 15 2006 Charlie Brady <charlie_brady@mitel.com> 1.2.0-01
|
||||
- Roll stable stream version. [SME: 1016]
|
||||
|
||||
* Wed Nov 30 2005 Gordon Rowell <gordonr@gormand.com.au> 1.15.1-12
|
||||
- Bump release number only
|
||||
|
||||
* Wed Sep 21 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-11]
|
||||
- Remove force/masq/status fragment, and fix "masq adjust" so
|
||||
that it is harmless if firewall is disabled. This leaves unsolved
|
||||
the problem of whether to toggle disabled->enabled during upgrades.
|
||||
[SF: 1261356]
|
||||
|
||||
* Wed Sep 7 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-10]
|
||||
- Fix location of force/status fragment for masq service. [SF: 1261356]
|
||||
|
||||
* Tue Aug 30 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-09]
|
||||
- Add force/status fragment for masq service, to force enabled.
|
||||
This ensures that firewall is running after a system upgrade,
|
||||
to avoid various panel failure modes. Solution to be reviewed
|
||||
for alternatives later. [SF: 1261356]
|
||||
|
||||
* Fri Aug 26 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-08]
|
||||
- Remove filtering of outbound ICMP - it's blocking legitimate ICMP
|
||||
redirects. [MN00093544]
|
||||
|
||||
* Tue Aug 2 2005 Shad Lords <slords@email.com>
|
||||
- [1.15.1-07]
|
||||
- Add default $masq{Stealth} db entry
|
||||
|
||||
* Tue Aug 2 2005 Gordon Rowell <gordonr@gormand.com.au>
|
||||
- [1.15.1-06]
|
||||
- Rejct IDENT with a TCP reset [SF: 1240659]
|
||||
- Add support for UDPPort (c.f. TCPPort) property to allow
|
||||
filtered UDP [SF: 1241398]
|
||||
- Add support for DenyHosts property (see 1.15.0-02 for AllowHosts)
|
||||
[SF: 1241398]
|
||||
|
||||
* Mon Jul 18 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-05]
|
||||
- Tidy up path reference to networks db. [SF: 1216546]
|
||||
|
||||
* Tue Jun 7 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-04]
|
||||
- Fix ulogd logging to stdout not being captured by multilog.
|
||||
|
||||
* Mon May 2 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-03]
|
||||
- Add requires headers for ulogd and daemontools.
|
||||
|
||||
* Sun May 1 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-02]
|
||||
- Switch to logging via ulogd and multilog.
|
||||
|
||||
* Sun May 1 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.1-01]
|
||||
- Roll new development stream - 1.15.1
|
||||
|
||||
* Wed Mar 30 2005 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.0-15]
|
||||
- Set $OUTERNET to equal $LocalIP in masq script in serveronly mode,
|
||||
so that masq script (if enabled) does not block allowed public access.
|
||||
- Remove various 45Allow* fragments as TCPPort properties of services
|
||||
will allow access if public access is enabled.
|
||||
|
||||
* Fri Nov 12 2004 Tony Clayton <apc@e-smith.com>
|
||||
- [1.15.0-14]
|
||||
- More cleanup for iptables-trace [tonyc]
|
||||
|
||||
* Fri Nov 12 2004 Tony Clayton <apc@e-smith.com>
|
||||
- [1.15.0-13]
|
||||
- update to latest iptables-trace [tonyc] :
|
||||
- add logging for default chain policy fallback
|
||||
- fix stop() bug causing _any_ rules with --log-prefix to be removed
|
||||
|
||||
* Fri Apr 30 2004 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.15.0-12]
|
||||
- Made TOS settings configurable, with just ssh set by default.
|
||||
[msoulier dpar-28993]
|
||||
|
||||
* Wed Feb 25 2004 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.15.0-11]
|
||||
- Tightened rules for remote vpn subnets. [msoulier dpar-21836]
|
||||
|
||||
* Wed Jan 28 2004 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.15.0-10]
|
||||
- Fixed iptables-trace "stop" removing rules from the denylog chain.
|
||||
[msoulier 10955]
|
||||
|
||||
* Wed Jan 28 2004 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.15.0-09]
|
||||
- Added a toggle of the trace option during adjust, so adjusts work with trace
|
||||
enabled. [msoulier 8117]
|
||||
|
||||
* Mon Dec 1 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.15.0-08]
|
||||
- Changed multicast DROP target to denylog, so it toggles. [msoulier 9450]
|
||||
|
||||
* Mon Dec 1 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.15.0-07]
|
||||
- Changed the toggle property name to DenylogTarget. [msoulier 9450]
|
||||
|
||||
* Mon Dec 1 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.15.0-06]
|
||||
- Added firewall-wide toggle for denylog DROP/REJECT. [msoulier 9450]
|
||||
|
||||
* Sat Nov 29 2003 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.15.0-05]
|
||||
- Ensure that masq script expands without error in serveronly mode.
|
||||
[charlieb 10162]
|
||||
|
||||
* Sat Oct 4 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.15.0-04]
|
||||
- Fixed error in masq fragment with stealth enabled. [msoulier 10165]
|
||||
|
||||
* Thu Sep 25 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.15.0-03]
|
||||
- Add masq to 0.0.0.0/0 for public, unrestricted [gordonr 10050]
|
||||
|
||||
* Tue Sep 23 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.15.0-02]
|
||||
- New fragment 90InboundTCP10filter_tcp, a further step towards
|
||||
auto-generation of rules, removing the 45Allow* fragments:
|
||||
|
||||
For all services which have a TCPPort property defined:
|
||||
If the service is 'enabled' and the service is 'public',
|
||||
generate iptables rules as follows:
|
||||
If an AllowHosts property is defined, allow only those hosts
|
||||
Otherwise allow all hosts
|
||||
|
||||
AllowHosts is comma separated, and can contain IPs, IP/mask and CIDR
|
||||
|
||||
This will generate duplicate rules until the 45Allow* fragments
|
||||
are removed, which can happen once the TCPPort property is defined
|
||||
for a service.
|
||||
|
||||
QUERY: Should this be TCPPort (singular) or TCPPorts (plural)?
|
||||
TODO: Create db defaults fragments to deprecate the 45Allow* fragments
|
||||
TODO: Possibly add DenyHosts processing [gordonr 10050]
|
||||
|
||||
* Tue Sep 23 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.15.0-01]
|
||||
- Changing version to development stream number - 1.15.0
|
||||
- Dev stream [gordonr 10050]
|
||||
|
||||
* Thu Jun 26 2003 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.14.0-01]
|
||||
- Changing version to stable stream number - 1.14.0
|
||||
|
||||
* Tue Jun 17 2003 Tony Clayton <apc@e-smith.com>
|
||||
- [1.13.0-27]
|
||||
- Again [tonyc 8578]
|
||||
|
||||
* Tue Jun 17 2003 Tony Clayton <apc@e-smith.com>
|
||||
- [1.13.0-26]
|
||||
- Add lo->lo ACCEPT rule back to 90local_chk00Start fragment [tonyc 8578]
|
||||
|
||||
* Mon Jun 16 2003 Tony Clayton <apc@e-smith.com>
|
||||
- [1.13.0-25]
|
||||
- Split 90AllowLocal masq fragment into 90local_chk* [tonyc 8578]
|
||||
|
||||
* Mon Jun 2 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-24]
|
||||
- Explicitely blocking multicast not from a local network.
|
||||
[msoulier 6031]
|
||||
|
||||
* Thu May 1 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-23]
|
||||
- Added chain creation during adjust. What a thought. [msoulier 7695]
|
||||
|
||||
* Thu May 1 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-22]
|
||||
- Added support for a PPPconn chain to track rules to permit PPTP connections.
|
||||
[msoulier 7695]
|
||||
|
||||
* Fri Apr 25 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-21]
|
||||
- Refactored the 90adjustUDP template into multiple fragments. [msoulier 8505]
|
||||
|
||||
* Fri Apr 25 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-20]
|
||||
- Refactored the 90adjustTCP template into multiple fragments. [msoulier 8505]
|
||||
|
||||
* Tue Apr 22 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-19]
|
||||
- Accepting all traffic from the loopback interface. [msoulier 8299]
|
||||
|
||||
* Mon Apr 21 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-18]
|
||||
- Removed acceptance of anything not from the external interface. The local
|
||||
networks list should be sufficient. [msoulier 8299]
|
||||
|
||||
* Mon Apr 21 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-17]
|
||||
- Added handling of local_chk chain in adjustment. [msoulier 8299]
|
||||
|
||||
* Mon Apr 14 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.13.0-16]
|
||||
- Flag pptp masq as on by default [gordonr 6694]
|
||||
|
||||
* Tue Apr 8 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-15]
|
||||
- Added iptables-trace in /etc/rc.d/init.d. [msoulier 7613]
|
||||
|
||||
* Tue Apr 1 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.13.0-14]
|
||||
- Added denylog: prefix to denied packet logs [gordonr 6852]
|
||||
|
||||
* Tue Mar 25 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-13]
|
||||
- Portforwarding still had problems, fixed here. [msoulier 7284]
|
||||
|
||||
* Tue Mar 25 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-12]
|
||||
- Added ForwardedTCP and ForwardedUDP, as well as supporting code to
|
||||
permit certain ports to be opened for forwarded traffic inbound. Required
|
||||
for portforwarding. [msoulier 7284]
|
||||
|
||||
* Fri Mar 7 2003 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.13.0-11]
|
||||
- Add "use esmith::util" to 01localNetworks fragment. Needed if
|
||||
esmith::templates form of processTemplate is used. [charlieb 5650]
|
||||
|
||||
* Fri Feb 21 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.13.0-10]
|
||||
- Remove quotes around 'Name' - not required [gordonr 7343]
|
||||
|
||||
* Fri Feb 21 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.13.0-09]
|
||||
- Make use of ExternalInterface definition in 00Definitions [gordonr 7343]
|
||||
- Update dependency on e-smithbase [gordonr 7343]
|
||||
|
||||
* Mon Feb 3 2003 Mark Knox <markk@e-smith.com>
|
||||
- [1.13.0-08]
|
||||
- Open port 443 when either web server is enabled [markk 6428]
|
||||
|
||||
* Fri Jan 24 2003 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.13.0-07]
|
||||
- Fix one last broken here document. [charlieb 6651]
|
||||
|
||||
* Thu Jan 23 2003 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.13.0-06]
|
||||
- Fix a few typos in previous round of masq fragment changes. [charlieb]
|
||||
|
||||
* Thu Jan 23 2003 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.13.0-05]
|
||||
- formatting changes in masq/00Functions template fragment [charlieb]
|
||||
- Use connection tracking on both INPUT and FORWARD tables [charlieb 6651]
|
||||
- Allow any local traffic on INPUT and FORWARD chains. Local traffic
|
||||
is currently defined as all traffic which didn't come in via the
|
||||
external interface. That definition can easily change, as there is
|
||||
a special chain for accepting local traffic. [charlieb 6709]
|
||||
- Remove explicit allow of multicast traffic, as it is a subset of "local"
|
||||
traffic [charlieb 6031, 6709]
|
||||
- Move ICMP type checking into "adjust" part of masq script [charlieb 6709]
|
||||
|
||||
* Sat Jan 18 2003 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.13.0-04]
|
||||
- Permitting multicast traffic to and from the internal interface.
|
||||
[msoulier 6031]
|
||||
|
||||
* Wed Jan 15 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.13.0-03]
|
||||
- Put back non-redundant DROP lines, but add a comment as to why
|
||||
they are there [gordonr 6580]
|
||||
|
||||
* Wed Jan 15 2003 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.13.0-02]
|
||||
- Remove redundant DROP lines from denylog chain [gordonr 6580]
|
||||
|
||||
* Thu Jan 9 2003 Mark Knox <markk@e-smith.com>
|
||||
- [1.13.0-01]
|
||||
- Forced version update by co2rpm to 1.13.0
|
||||
|
||||
* Mon Dec 16 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.12.0-01]
|
||||
- Roll to stable version to 1.12.0
|
||||
|
||||
* Fri Nov 29 2002 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.11.0-07]
|
||||
- Added a get_safe_id function, to factor out firewall rule scanning code, and
|
||||
prevent chain name clashes in the extreme case. [msoulier 5696]
|
||||
|
||||
* Thu Nov 28 2002 Michael Soulier <msoulier@e-smith.com>
|
||||
- [1.11.0-06]
|
||||
- Removed specific tcp_in and udp_in chains in favour of the InboundTCP_$$ and
|
||||
InboundUDP__$$ chains. They are far, far easier to manage, especially for
|
||||
the portforwarding blade. [msoulier 5696]
|
||||
|
||||
* Wed Nov 20 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.11.0-05]
|
||||
- Make sure that --numeric is used with any --list command, to avoid
|
||||
reverse lookup delays. [charlieb 5644]
|
||||
|
||||
* Wed Nov 13 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.11.0-04]
|
||||
- Peel off ICMP for checking after packets for ESTABLISHED and RELATED
|
||||
connections are allowed. This allows outbound ping to work. [charlieb 5423]
|
||||
|
||||
* Mon Nov 11 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.11.0-03]
|
||||
- Apply UDP filtering only on traffic entering via external
|
||||
interface. [charlieb 5644]
|
||||
|
||||
* Mon Nov 11 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.11.0-02]
|
||||
- Add UDP input filter setup and adjust rules.
|
||||
Re-arrange 00Functions a bit so that perl block is
|
||||
shorter and the rest is in-line [charlieb 5644]
|
||||
- Move adjustEnd to 92, to allow 91 hole for any adjustments
|
||||
needing to be done after input filter rules are adjusted
|
||||
(e.g. port forwarding).
|
||||
|
||||
* Mon Nov 11 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.11.0-01]
|
||||
- rolling development stream to 1.11.0
|
||||
|
||||
* Sat Oct 19 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.10.0-08]
|
||||
- Send default packets on the FORWARD filter to denylog, rather than
|
||||
DROP. [charlieb 5246]
|
||||
- Revert 2) from 1.10.0-05 checkin. 5.5 ipchains forwarding rules do not allow
|
||||
IP masqueraded packets. [charlieb 5246]
|
||||
|
||||
* Fri Oct 18 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.10.0-07]
|
||||
- Commit new file 42CheckTCPInput which was missed in last checkin.
|
||||
[charlieb 5246]
|
||||
|
||||
* Fri Oct 18 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.10.0-06]
|
||||
- Create a new intermediate TCP input chain, and create a new temporary
|
||||
TCP input chain whenever we run "masq adjust". This ensures that
|
||||
new TCP input checking rules occur at the same place during input
|
||||
checking as existing rules, and also means that rules previously created
|
||||
by now-removed packages disappear. [charlieb 4501, 5246]
|
||||
|
||||
* Thu Oct 17 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.10.0-05]
|
||||
- Fix to the previous change 1) to restore some commented out rules,
|
||||
and 2) to fix those rules so that they match the 5.5 ipchains
|
||||
version. [charlieb 5246]
|
||||
|
||||
* Thu Oct 17 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.10.0-04]
|
||||
- Changes so that local networks can be added/deleted and "masq adjust"
|
||||
will correctly re-adjust the filters. [charlieb 5246]
|
||||
|
||||
* Tue Oct 15 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.10.0-03]
|
||||
- Change 00Functions so that "tcp_in" function can create chains as required
|
||||
during "masq adjust", so that new modules can add rules and still avoid
|
||||
"masq restart". [charlieb 4501]
|
||||
|
||||
* Tue Oct 15 2002 Mark Knox <markk@e-smith.com>
|
||||
- [1.10.0-02]
|
||||
- Re-add echo-reply support (doesn't work with conntrack) [markk 5213]
|
||||
|
||||
* Sat Oct 12 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.10.0-01]
|
||||
- Roll to maintained version number to 1.10.0
|
||||
- Remove "perl createlinks" from %build section, since we no longer
|
||||
have a createlinks file.
|
||||
|
||||
* Fri Oct 11 2002 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.9.15-07]
|
||||
- Check the correct configDB entry for public POP [gordonr 5181]
|
||||
|
||||
* Tue Oct 8 2002 Mark Knox <markk@e-smith.com>
|
||||
- [1.9.15-06]
|
||||
- Use denylog target for dropped ICMP packets [markk 5095]
|
||||
- Remove explicit echo-reply support (we use conntrack now) [markk 5095]
|
||||
|
||||
* Mon Oct 7 2002 Mark Knox <markk@e-smith.com>
|
||||
- [1.9.15-05]
|
||||
- Drop ICMP echo-requests on ext i/f when in private s/g mode or if Stealth
|
||||
property is set. General cleanup of ICMP rules. [markk 5095]
|
||||
|
||||
* Wed Sep 11 2002 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.9.15-04]
|
||||
- Added extra slosh in tcp_in as one gets gobbled by template evaluation
|
||||
and we need one in the final output. Reformatted the lines and moved
|
||||
proto/port together on first line of pair for readability [gordonr 4792]
|
||||
|
||||
* Thu Sep 5 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.15-03]
|
||||
- Fix tcp_in function - it doesn't work too well without the jump to the
|
||||
newly defined rule. Change DROP to denylog in the placeholder rule,
|
||||
even though it is short-lived. [charlieb 4792]
|
||||
|
||||
* Mon Sep 2 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.15-02]
|
||||
- Remove createlinks script and network-{create,delete} event directories -
|
||||
the required change was made in e-smith-base, and this shouldn't have
|
||||
been checked in. [charlieb 4501]
|
||||
|
||||
* Wed Aug 28 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.15-01]
|
||||
- Rolling minor version number to work around wrinkle in co2rpm [charlieb 3700]
|
||||
|
||||
* Wed Aug 28 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.14-04]
|
||||
- Remove 45AllowAUTH masq fragment - moved to e-smith-oidentd package.
|
||||
[charlieb 4435]
|
||||
|
||||
* Tue Aug 27 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.14-03]
|
||||
- Fix iptables syntax in AdjustTOS fragment [charlieb 1268]
|
||||
|
||||
* Mon Aug 26 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.14-02]
|
||||
- Fix AllowICMPfromLAN template error [charlieb 1268]
|
||||
|
||||
* Thu Aug 22 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.14-01]
|
||||
- Use full iptables path in status fragment - allows "service masq status" to
|
||||
work. [charlieb 1268]
|
||||
- Fix local networks list [charlieb 1268]
|
||||
|
||||
* Tue Aug 20 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.13-01]
|
||||
- Fix syntax in 30adjustTOS fragment. Move definitions to start of masq
|
||||
script where they can be used in functions. [charlieb 4501]
|
||||
|
||||
* Mon Aug 19 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.12-01]
|
||||
- Add 90adjustDenyLog fragment missed in last commit. [charlieb 4501]
|
||||
|
||||
* Mon Aug 19 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.11-01]
|
||||
- Further re-arrangement to facilitate non-disruptive update of filtering
|
||||
rules. [charlieb 4501]
|
||||
|
||||
* Fri Aug 16 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.10-01]
|
||||
- Remove 98adjust, and split it into 49adjustStart, 50adjustTCP and 51adjustEnd
|
||||
fragments. Migrate network stack tuning stuff to sysctl.conf templates.
|
||||
Add TOS adjustment stuff. [charlieb 4501]
|
||||
|
||||
* Thu Aug 15 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.9-01]
|
||||
- Change masq template fragments to allow non-disruptive modification.
|
||||
Add "masq adjust" verb. [charlieb 4501]
|
||||
|
||||
* Thu Aug 8 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.8-01]
|
||||
- Remove deprecated split in masq template fragment, and add FIXME comment
|
||||
to code which looks to be wrong. [charlieb 1268]
|
||||
|
||||
* Wed Jul 31 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.7-01]
|
||||
- Use iptables state tracking to allow return traffic. Remove special
|
||||
rules set up to allow the return traffic. [charlieb 4499]
|
||||
|
||||
* Tue Jul 23 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.6-01]
|
||||
- Allow local and masqueraded traffic on forward chain. Fix syntax for denylog
|
||||
chain. [charlieb 1268]
|
||||
|
||||
* Thu Jul 18 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.5-01]
|
||||
- Avoid a perl warning from use of ${httpd-e-smith}{status} -
|
||||
change to ${'httpd-e-smith'}{status}. [charlieb 1268]
|
||||
|
||||
* Wed Jul 17 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.4-01]
|
||||
- Change syntax from ipchains (2.2 kernel) to iptables (2.4 kernel).
|
||||
[charlieb 1268]
|
||||
- Add "status" option to list tables.
|
||||
- Miscellaneous syntax cleanups.
|
||||
|
||||
* Tue Jul 2 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.3-01]
|
||||
- Add "modprobe ipchains" to allow firewall to work with 2.4 kernel
|
||||
[charlieb 4223]
|
||||
|
||||
* Fri Jun 21 2002 Mark Knox <markk@e-smith.com>
|
||||
- [1.9.2-01]
|
||||
- Allow ICMP from all "local" networks, not just physical LAN [markk 3698]
|
||||
|
||||
* Fri Jun 21 2002 Mark Knox <markk@e-smith.com>
|
||||
- [1.9.1-01]
|
||||
- Allow ICMP on internal interface [markk 3698]
|
||||
|
||||
* Wed Jun 5 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.9.0-01]
|
||||
- Changing version to maintained stream number to 1.9.0
|
||||
|
||||
* Fri May 31 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.8.0-01]
|
||||
- Changing version to maintained stream number to 1.8.0
|
||||
|
||||
* Thu May 23 2002 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.7.3-01]
|
||||
- RPM rebuild forced by cvsroot2rpm
|
||||
|
||||
* Fri May 10 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.7.2-01]
|
||||
- Remove 45AllowSMTP - moved to e-smith-mailfront. [charlieb 3419]
|
||||
|
||||
* Fri May 10 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.7.1-01]
|
||||
- No change. Test build of CVS conversion.
|
||||
|
||||
* Fri May 10 2002 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.7.0-01]
|
||||
- rollRPM: Rolled version number to 1.7.0-01. Includes patches up to 1.6.0-02.
|
||||
|
||||
* Wed Dec 19 2001 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.6.0-02]
|
||||
- Restore run time lookup of ExternalIP by /etc/rc.d/init.d/masq.
|
||||
- Make sure that OUTERNET is set to a valid IP address, even if
|
||||
ExternalIP is not set in config db, to avoid syntax errors in
|
||||
ipchains command in masq script.
|
||||
|
||||
* Tue Dec 11 2001 Jason Miller <jay@e-smith.com>
|
||||
- [1.6.0-01]
|
||||
- rollRPM: Rolled version number to 1.6.0-01. Includes patches up to 1.5.0-05.
|
||||
|
||||
* Thu Dec 06 2001 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.5.0-05]
|
||||
- Add support for ippp0 as the external interface - if sync ISDN is used.
|
||||
|
||||
* Wed Nov 21 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.5.0-04]
|
||||
- Add $OUT = "" to 01localNetworks so that '1' isn't output
|
||||
into template when 01localNetworks generates no output.
|
||||
|
||||
* Wed Nov 21 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.5.0-03]
|
||||
- Splitting @locals and $primaryLocalNet generation out of
|
||||
40AllowLocals into 01localNetworks.
|
||||
- transproxy fragment from e-smith-proxy needs these variables in
|
||||
35transproxy.
|
||||
|
||||
* Tue Nov 06 2001 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.5.0-02]
|
||||
- Fix variable naming error in setting up @locals array.
|
||||
- Remove forwarding rules from stopmasq section - and remove the 'stop'
|
||||
alias for this case - there is a separate stop section of the script.
|
||||
- Add bidirectional forwarding rules for each local network to our network.
|
||||
This both enables the forwarded traffic, and also prevents masquerading
|
||||
of the local traffic.
|
||||
|
||||
* Mon Nov 5 2001 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.5.0-01]
|
||||
- Rolled version number to 1.5.0-01. Includes patches upto 1.4.0-02.
|
||||
|
||||
* Mon Oct 29 2001 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.4.0-02]
|
||||
- Allow packet forwarding from localnet to localnet in serveronly mode -
|
||||
this is necessary for PPTP VPN termination.
|
||||
|
||||
* Thu Aug 23 2001 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.4.0-01]
|
||||
- Rolled version number to 1.4.0-01. Includes patches upto 1.3.0-08.
|
||||
|
||||
* Fri Aug 17 2001 gordonr
|
||||
- [1.3.0-08]
|
||||
- Autorebuild by rebuildRPM
|
||||
|
||||
* Mon Aug 13 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.3.0-07]
|
||||
- Apply the patch. :)
|
||||
|
||||
* Fri Aug 10 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.3.0-06]
|
||||
- Multicast range is 224.0.0.0 to 239.255.255.255 which
|
||||
is 224.0.0.0/4 not 224.0.0.0/3.
|
||||
224.0.0.0/3 covers 255.255.255.255 which denies DHCP traffic
|
||||
|
||||
* Sat Apr 21 2001 Gordon Rowell <gordonr@e-smith.com>
|
||||
Mon Apr 21 2001 --> Mon Apr 16 2001 or Sat Apr 21 2001 or Mon Apr 23 2001 or ....
|
||||
- [1.3.0-05]
|
||||
- Putback Charlie's change to add Stealth property to masq service, defaulting
|
||||
to "no". If set to "yes", external ICMP echo packets are ignored.
|
||||
|
||||
* Sat Apr 07 2001 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.3.0-04]
|
||||
- Forward port patches from 1.2.0-01 to 1.2.0-06
|
||||
|
||||
* Sun Mar 25 2001 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.2.0-06]
|
||||
- Two new properties of masq service - PermitHighUDP and PermitHighTCP.
|
||||
Both default to "yes", but provide an easy way to block unprivileged
|
||||
TCP/UDP or both.
|
||||
|
||||
* Fri Mar 23 2001 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.2.0-05]
|
||||
- Default auth/smtp/http[s] to public for backwards compatability
|
||||
|
||||
* Fri Mar 23 2001 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.2.0-04]
|
||||
- masq service now has an optional property Logging, defaulting to "none"
|
||||
- Only log denied packets if Logging is other than "none" - this stops
|
||||
logging of the SMB chatter on cable and other shared networks
|
||||
- Ignore SMB and RIP packets unless Logging is "all"
|
||||
|
||||
* Thu Mar 22 2001 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.2.0-03]
|
||||
- Check access property for httpd-e-smith/smtpd/identd
|
||||
|
||||
* Wed Mar 7 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.3.0-03]
|
||||
- set rp_filter to 0 for 'all' interface as well.
|
||||
|
||||
* Wed Mar 7 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.3.0-02]
|
||||
- set rp_filter to 0 for 'default' interface, explicitly set
|
||||
it to 1 for eth0, eth1.
|
||||
- ipsec-restart will set eth1 to '0'.
|
||||
|
||||
* Wed Mar 7 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.3.0-01]
|
||||
- branching to development stream.
|
||||
|
||||
* Thu Feb 8 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.2.0-02]
|
||||
- Rolling release number for GPG signing.
|
||||
|
||||
* Thu Jan 25 2001 Peter Samuel <peters@e-smith.com>
|
||||
- [1.2.0-01]
|
||||
- Rolled version number to 1.2.0-01. Includes patches upto 1.1.0-16.
|
||||
|
||||
* Thu Jan 25 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.1.0-16]
|
||||
- removed 35DenyUnrouteable fragment, since it affects
|
||||
us, and anyone else using a provider who masquerades
|
||||
connections.
|
||||
|
||||
* Wed Jan 24 2001 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.1.0-15]
|
||||
- Remove AllowFTP fragment - moved to e-smith-proftpd.
|
||||
|
||||
* Thu Jan 18 2001 Adrian Chung <adrianc@e-smith.com>
|
||||
- [1.1.0-14]
|
||||
- adjusted 45AllowFTP to follow value of FTP accessLimits instead
|
||||
of service status.
|
||||
|
||||
* Mon Dec 18 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-13]
|
||||
- Added use esmith::db
|
||||
|
||||
* Mon Dec 18 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-12]
|
||||
- Backed out -11 patch - not required
|
||||
- Reordered fragments
|
||||
|
||||
* Mon Dec 18 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-11]
|
||||
- Added source/destination to icmp rules
|
||||
|
||||
* Fri Dec 15 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-10]
|
||||
- Added protocol option to icmp fragments
|
||||
- Removed masqstart/masqstop
|
||||
- Allowed icmp echo-request and echo-reply
|
||||
|
||||
* Fri Dec 15 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-9]
|
||||
- Rearranged fragments
|
||||
- Split some rules into new chains
|
||||
- Added extra ICMP rules
|
||||
|
||||
* Fri Dec 15 2000 Charlie Brady <charlieb@e-smith.com>
|
||||
- [1.1.0-8]
|
||||
- Move AllowSSH template fragment to e-smith-openssh.
|
||||
- Fix uninitialised value problem in 15Definitions.
|
||||
|
||||
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-7]
|
||||
- Normalised AUTH template and fixed HTTP[S] templates
|
||||
|
||||
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-6]
|
||||
- Used hard-quote form of HERE documents to avoid $ expansions
|
||||
|
||||
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-5]
|
||||
- Normalised structure of 45Allow* fragments
|
||||
- Moved 45AllowIONonPriv to 46AllowIONonPriv
|
||||
|
||||
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-4]
|
||||
- Fixed service name in templates - imapd -> imap
|
||||
- Changed mode -> access
|
||||
|
||||
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-3]
|
||||
- Rewrote 15definitions and 45* fragments which checked services entries
|
||||
|
||||
* Tue Dec 05 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-2]
|
||||
- Determine ExternalIP at run time
|
||||
- Modified templates to check services entries
|
||||
- Added COPYING file and GPL Copyright
|
||||
|
||||
* Tue Dec 05 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [1.1.0-1]
|
||||
- Rolled version and tarball including patches to 0.1-4
|
||||
- Used e-smith-devtools
|
||||
|
||||
* Thu Nov 30 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- [0.1-4]
|
||||
- Changes to match change to pppoe service
|
||||
|
||||
* Wed Nov 29 2000 Gordon Rowell <gordonr@e-smith.com>
|
||||
- Handle ppp0 as external interface for PPPoE setups
|
||||
|
||||
* Tue Nov 21 2000 Charlie Brady <charlieb@e-smith.com>
|
||||
- Remove extraneous } in 15definitions
|
||||
|
||||
* Sun Nov 19 2000 Charlie Brady <charlieb@e-smith.com>
|
||||
- initial release
|
||||
|
||||
%prep
|
||||
%setup
|
||||
rm -rf root/var/service/ulogd
|
||||
mkdir -p root/run/ulog
|
||||
|
||||
|
||||
%build
|
||||
perl createlinks
|
||||
|
||||
%install
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
for file in masq
|
||||
do
|
||||
mkdir -p root/etc/e-smith/templates/etc/rc.d/init.d/$file
|
||||
ln -s /etc/e-smith/templates-default/template-begin-shell \
|
||||
root/etc/e-smith/templates/etc/rc.d/init.d/$file/template-begin
|
||||
done
|
||||
|
||||
(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
|
||||
mkdir -p $RPM_BUILD_ROOT/var/log/iptables
|
||||
mkdir -p $RPM_BUILD_ROOT/service
|
||||
#ln -s /var/service/ulogd $RPM_BUILD_ROOT/service/ulogd
|
||||
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
|
||||
--dir /var/log/iptables 'attr(0755,ulog,ulog)' \
|
||||
--dir /run/ulog 'attr(2755,ulog,ulog)' \
|
||||
> e-smith-%{version}-filelist
|
||||
echo "%doc COPYING" >> e-smith-%{version}-filelist
|
||||
# --dir /var/service/ulogd 'attr(1755,root,root)' \
|
||||
# --file /var/service/ulogd/run 'attr(0755,root,root)' \
|
||||
# --dir /var/service/ulogd/log 'attr(0755,root,root)' \
|
||||
# --file /var/service/ulogd/log/run 'attr(0755,root,root)' \
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%pre
|
||||
if [ $1 -gt 1 ] ; then
|
||||
if [ -e /var/service/ulogd/run ] ; then
|
||||
/usr/bin/sv d ulogd
|
||||
/usr/bin/sv d ulogd/log
|
||||
fi
|
||||
fi
|
||||
|
||||
/usr/sbin/groupadd \
|
||||
-g 1010 -o ulog 2>/dev/null || :
|
||||
|
||||
/usr/sbin/useradd \
|
||||
-u 1010 -g 1010 -c 'ulogd user' -d /var/log/ulogd \
|
||||
-M -s /bin/false ulog || :
|
||||
|
||||
%files -f e-smith-%{version}-filelist
|
||||
%defattr(-,root,root)
|
@ -0,0 +1 @@
|
||||
drop
|
@ -0,0 +1 @@
|
||||
most
|
@ -0,0 +1 @@
|
||||
no
|
@ -0,0 +1 @@
|
||||
disabled
|
@ -0,0 +1 @@
|
||||
yes
|
@ -0,0 +1 @@
|
||||
enabled
|
@ -0,0 +1 @@
|
||||
service
|
@ -0,0 +1 @@
|
||||
enabled
|
@ -0,0 +1 @@
|
||||
service
|
@ -0,0 +1 @@
|
||||
enabled
|
@ -0,0 +1 @@
|
||||
PERMS=0755
|
@ -0,0 +1 @@
|
||||
PERMS=0600
|
@ -0,0 +1,23 @@
|
||||
/var/log/ulogd/ulogd.log \{
|
||||
missingok
|
||||
notifempty
|
||||
weekly
|
||||
compress
|
||||
sharedscripts
|
||||
postrotate
|
||||
/usr/bin/systemctl restart ulogd > /dev/null 2>&1
|
||||
endscript
|
||||
\}
|
||||
|
||||
/var/log/iptables/*.log \{
|
||||
missingok
|
||||
notifempty
|
||||
daily
|
||||
compress
|
||||
sharedscripts
|
||||
postrotate
|
||||
/usr/bin/systemctl restart ulogd > /dev/null 2>&1
|
||||
endscript
|
||||
\}
|
||||
|
||||
|
@ -0,0 +1,20 @@
|
||||
{
|
||||
my $internalif = $InternalInterface{Name};
|
||||
my $outernet = ($SystemMode eq "serveronly") ?
|
||||
$LocalIP : '$(/sbin/e-smith/config get ExternalIP)';
|
||||
|
||||
$OUT .= <<HERE;
|
||||
|
||||
INTERNALIF=$internalif
|
||||
OUTERNET=$outernet
|
||||
if [ -z "\$OUTERNET" ]
|
||||
then
|
||||
OUTERNET=1.1.1.1 # Put in placeholder address, to ensure correct iptables syntax
|
||||
fi
|
||||
HERE
|
||||
|
||||
if ($SystemMode ne "serveronly")
|
||||
{ $OUT .= " OUTERIF=".$ExternalInterface{Name} }
|
||||
else
|
||||
{ $OUT .= "# OUTERIF='there_isnt_one'"; }
|
||||
}
|
@ -0,0 +1,124 @@
|
||||
{
|
||||
@tcp_acl_rules = ();
|
||||
# Define a function which can be used in subsequent fragments
|
||||
# This function collects a list of TCP ports, and whether
|
||||
# or not inbound TCP connections are permitted to the port
|
||||
# The list is later used in the "adjust" section of the overall
|
||||
# mask script to set up chains and rules which implement the
|
||||
# policy
|
||||
sub allow_tcp_in
|
||||
{
|
||||
my $port = shift;
|
||||
my $allow = shift;
|
||||
my $target = $allow ? "ACCEPT" : "denylog";
|
||||
push @tcp_acl_rules, " adjust_tcp_in $port $target";
|
||||
return "";
|
||||
}
|
||||
@udp_acl_rules = ();
|
||||
# This function collects a list of UDP ports, and whether
|
||||
# or not inbound UDP packets are permitted to the port
|
||||
# The list is later used in the "adjust" section of the overall
|
||||
# mask script to set up chains and rules which implement the
|
||||
# policy
|
||||
sub allow_udp_in
|
||||
{
|
||||
my $port = shift;
|
||||
my $allow = shift;
|
||||
my $target = $allow ? "ACCEPT" : "denylog";
|
||||
push @udp_acl_rules, " adjust_udp_in $port $target";
|
||||
return "";
|
||||
}
|
||||
@tcp_forward_acl_rules = ();
|
||||
# This function performs the same function as allow_tcp_in, except that
|
||||
# it works with the FORWARD chain instead of the INPUT chain.
|
||||
sub allow_tcp_forward
|
||||
{
|
||||
my $port = shift;
|
||||
my $allow = shift;
|
||||
my $target = $allow ? "ACCEPT" : "denylog";
|
||||
push @tcp_forward_acl_rules, " adjust_tcp_in $port $target";
|
||||
return "";
|
||||
}
|
||||
@udp_forward_acl_rules = ();
|
||||
# This function performs the same function as allow_udp_in, except that
|
||||
# it works with the FORWARD chain instead of the INPUT chain.
|
||||
sub allow_udp_forward
|
||||
{
|
||||
my $port = shift;
|
||||
my $allow = shift;
|
||||
my $target = $allow ? "ACCEPT" : "denylog";
|
||||
push @udp_forward_acl_rules, " adjust_udp_in $port $target";
|
||||
return "";
|
||||
}
|
||||
"";
|
||||
}
|
||||
|
||||
adjust_tcp_in() \{
|
||||
local dport=$1
|
||||
local target=$2
|
||||
local chain=$3
|
||||
local dnet=$4
|
||||
# Add the rule requested.
|
||||
rule="/sbin/iptables --append $chain --protocol tcp --dport $dport"
|
||||
if [ -n "$dnet" ]; then
|
||||
rule="$rule --destination $dnet"
|
||||
fi
|
||||
rule="$rule --in-interface $\{OUTERIF:-$INTERNALIF\} --jump $target"
|
||||
$rule
|
||||
\}
|
||||
|
||||
adjust_udp_in() \{
|
||||
local dport=$1
|
||||
local target=$2
|
||||
local chain=$3
|
||||
local dnet=$4
|
||||
# Add the rule requested.
|
||||
rule="/sbin/iptables --append $chain --protocol udp --dport $dport"
|
||||
if [ -n "$dnet" ]; then
|
||||
rule="$rule --destination $dnet"
|
||||
fi
|
||||
rule="$rule --in-interface $\{OUTERIF:-$INTERNALIF\} --jump $target"
|
||||
$rule
|
||||
\}
|
||||
|
||||
get_safe_id() \{
|
||||
# Expect arguments of, chain_name, table, mode, where mode can be either
|
||||
# find or new
|
||||
local chain_name=$1
|
||||
local table=$2
|
||||
local mode=$3
|
||||
|
||||
# Find the existing numbered chain.
|
||||
current=$(/sbin/iptables --table $table --list $chain_name --numeric |\
|
||||
sed -n '3s/ .*//p')
|
||||
if [ "x$current" = "x" ]; then
|
||||
# We didn't find it.
|
||||
echo "ERROR: Cannot find chain $chain_name in table $table" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# If we're in find mode, return this chain.
|
||||
case "$mode" in
|
||||
find)
|
||||
echo $current ;;
|
||||
|
||||
new)
|
||||
# Make sure the number on this chain doesn't conflict with our
|
||||
# process ID.
|
||||
current_id=$(echo $current |\
|
||||
sed -n -e "s/^$chain_name//" -e "s/^_//p")
|
||||
if [ "x$current_id" = "x" ]
|
||||
then
|
||||
echo "ERROR: Cannot find process ID on chain name" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
# If it conflicts with our process ID, add one to ours.
|
||||
if [ $current_id -eq $$ ]
|
||||
then
|
||||
echo $\{chain_name\}_$(expr $$ + 1)
|
||||
else
|
||||
echo $\{chain_name\}_$$
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
\}
|
@ -0,0 +1,5 @@
|
||||
|
||||
case "$1" in
|
||||
|
||||
start)
|
||||
echo -n "Enabling IP masquerading: "
|
@ -0,0 +1,36 @@
|
||||
{
|
||||
#----------------------------------------------------------------------
|
||||
# This template defines both:
|
||||
# - our local network/netmask ($primaryLocalNet)
|
||||
# - a list of all our local networks from the networks database.
|
||||
#----------------------------------------------------------------------
|
||||
$OUT = "";
|
||||
|
||||
# We won't use "my" for @locals, so that we can use it in other fragments
|
||||
@locals = ();
|
||||
|
||||
use esmith::util;
|
||||
|
||||
my ($network, $broadcast) =
|
||||
esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);
|
||||
|
||||
$primaryLocalNet = "$network/$LocalNetmask";
|
||||
push @locals, $primaryLocalNet;
|
||||
|
||||
use esmith::NetworksDB;
|
||||
$nets = esmith::NetworksDB->open;
|
||||
|
||||
foreach my $network ($nets->get_all_by_prop(type => 'network'))
|
||||
{
|
||||
my $key = $network->key;
|
||||
my $mask = $network->prop('Mask');
|
||||
push @locals, "$key/$mask";
|
||||
}
|
||||
# Remove duplicates.
|
||||
my %count = ();
|
||||
foreach my $net (@locals)
|
||||
{
|
||||
$count{$net}++;
|
||||
}
|
||||
@locals = keys %count;
|
||||
}
|
@ -0,0 +1,6 @@
|
||||
/sbin/iptables -F -t filter
|
||||
/sbin/iptables -F -t nat
|
||||
/sbin/iptables -F -t mangle
|
||||
/sbin/iptables -X -t filter
|
||||
/sbin/iptables -X -t nat
|
||||
/sbin/iptables -X -t mangle
|
@ -0,0 +1,3 @@
|
||||
/sbin/iptables --flush FORWARD
|
||||
/sbin/iptables --flush INPUT
|
||||
/sbin/iptables --flush OUTPUT
|
@ -0,0 +1,2 @@
|
||||
/sbin/modprobe ip_nat_ftp
|
||||
/sbin/modprobe ip_conntrack_ftp
|
@ -0,0 +1,22 @@
|
||||
{
|
||||
# We need to be sure that we have enough rules to replace when we adjust the
|
||||
# ruleset. We currently have three settings for packetlogging - "all",
|
||||
# "most" and "some".
|
||||
#
|
||||
# "some" equates to this:
|
||||
#
|
||||
# ...
|
||||
# /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
|
||||
# /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
|
||||
# /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
|
||||
# /sbin/iptables --replace denylog 4 --jump ULOG ...
|
||||
# ...
|
||||
#
|
||||
# After we do the logging with rule 4, we need rule 5 to drop the packet.
|
||||
}
|
||||
/sbin/iptables --new-chain denylog
|
||||
/sbin/iptables --append denylog --jump DROP
|
||||
/sbin/iptables --append denylog --jump DROP
|
||||
/sbin/iptables --append denylog --jump DROP
|
||||
/sbin/iptables --append denylog --jump DROP
|
||||
/sbin/iptables --append denylog --jump DROP
|
@ -0,0 +1,20 @@
|
||||
{
|
||||
my @tcp_minimize_delay = ();
|
||||
if ($masq{TCPMinimizeDelay})
|
||||
{
|
||||
@tcp_minimize_delay = split ',', $masq{TCPMinimizeDelay};
|
||||
}
|
||||
$ports = "@tcp_minimize_delay";
|
||||
$ports = 'pass' unless $ports;
|
||||
$OUT = '';
|
||||
}
|
||||
# Set telnet, www, smtp, pop3 and FTP for minimum delay
|
||||
for port in {$ports}
|
||||
do
|
||||
if [ $port != 'pass' ]
|
||||
then
|
||||
/sbin/iptables --table mangle --append OUTPUT \
|
||||
--protocol tcp --dport $port \
|
||||
-j TOS --set-tos Minimize-Delay
|
||||
fi
|
||||
done
|
@ -0,0 +1,5 @@
|
||||
# TODO - this hasn't yet been converted for iptables - does it
|
||||
# need to be?
|
||||
|
||||
# set timeouts for tcp tcpfin udp
|
||||
#/sbin/iptables --masquerading --set 14400 60 600
|
@ -0,0 +1,8 @@
|
||||
|
||||
/sbin/iptables --new-chain state_chk
|
||||
# Allow any already established or related connection
|
||||
/sbin/iptables --append state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
# We filter all input and forwarded traffic this way
|
||||
/sbin/iptables --append INPUT -j state_chk
|
||||
/sbin/iptables --append FORWARD -j state_chk
|
@ -0,0 +1,16 @@
|
||||
|
||||
# Create a new chain to handle local traffic
|
||||
/sbin/iptables --new-chain local_chk
|
||||
/sbin/iptables --new-chain local_chk_1
|
||||
|
||||
# Accept any traffic initiated on "local" interfaces
|
||||
if [ -n "$OUTERIF" ]; then
|
||||
/sbin/iptables --append local_chk_1 \
|
||||
! --in-interface $OUTERIF -j ACCEPT
|
||||
fi
|
||||
/sbin/iptables --append local_chk -j local_chk_1
|
||||
|
||||
# We filter all input and forwarded traffic this way
|
||||
/sbin/iptables --append INPUT -j local_chk
|
||||
/sbin/iptables --append FORWARD -j local_chk
|
||||
|
@ -0,0 +1,7 @@
|
||||
# Drop all multicast traffic. Note that anything on from a local network
|
||||
# will have already been accepted via the local_chk chain.
|
||||
/sbin/iptables --append INPUT -s 224.0.0.0/4 -j denylog
|
||||
/sbin/iptables --append INPUT -d 224.0.0.0/4 -j denylog
|
||||
|
||||
/sbin/iptables --append OUTPUT -s 224.0.0.0/4 -j denylog
|
||||
/sbin/iptables --append OUTPUT -d 224.0.0.0/4 -j denylog
|
@ -0,0 +1,8 @@
|
||||
/sbin/iptables --table nat --new-chain PostroutingOutbound
|
||||
/sbin/iptables --table nat --append PostroutingOutbound \
|
||||
--source $OUTERNET -j ACCEPT
|
||||
/sbin/iptables --append PostroutingOutbound -t nat -j MASQUERADE
|
||||
if [ -n "$OUTERIF" ]; then
|
||||
/sbin/iptables --append POSTROUTING -t nat \
|
||||
--out-interface $OUTERIF -j PostroutingOutbound
|
||||
fi
|
@ -0,0 +1,10 @@
|
||||
{
|
||||
if ($ExternalDHCP eq "on")
|
||||
#DHCP CLIENT ALLOW - I'm not sure that we need this, since it
|
||||
# could be covered by connection tracking.
|
||||
{
|
||||
$OUT .= <<'HERE';
|
||||
/sbin/iptables --append INPUT -p udp --dport 67:68 -i ${OUTERIF:-$INTERNALIF} -j ACCEPT
|
||||
HERE
|
||||
}
|
||||
}
|
@ -0,0 +1,7 @@
|
||||
/sbin/iptables --new-chain InboundICMP
|
||||
/sbin/iptables --new-chain InboundICMP_1
|
||||
/sbin/iptables --append INPUT --protocol icmp --jump InboundICMP
|
||||
/sbin/iptables --append InboundICMP --protocol icmp --jump InboundICMP_1
|
||||
# Catch any returns, just in case
|
||||
/sbin/iptables --append INPUT --protocol icmp --jump denylog
|
||||
/sbin/iptables --append InboundICMP --protocol icmp --jump denylog
|
@ -0,0 +1,6 @@
|
||||
/sbin/iptables --new-chain ForwardedTCP
|
||||
/sbin/iptables --new-chain ForwardedTCP_1
|
||||
/sbin/iptables --append FORWARD --protocol tcp --syn --jump ForwardedTCP
|
||||
/sbin/iptables --append ForwardedTCP --protocol tcp --syn --jump ForwardedTCP_1
|
||||
# Catch any returns.
|
||||
/sbin/iptables --append ForwardedTCP --protocol tcp --syn --jump denylog
|
@ -0,0 +1,7 @@
|
||||
/sbin/iptables --new-chain InboundTCP
|
||||
/sbin/iptables --new-chain InboundTCP_1
|
||||
/sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
|
||||
/sbin/iptables --append InboundTCP --protocol tcp --syn --jump InboundTCP_1
|
||||
# Catch any returns, just in case
|
||||
/sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
|
||||
/sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog
|
@ -0,0 +1,6 @@
|
||||
/sbin/iptables --new-chain ForwardedUDP
|
||||
/sbin/iptables --new-chain ForwardedUDP_1
|
||||
/sbin/iptables --append FORWARD --protocol udp --jump ForwardedUDP
|
||||
/sbin/iptables --append ForwardedUDP --protocol udp --jump ForwardedUDP_1
|
||||
# Catch any returns.
|
||||
/sbin/iptables --append ForwardedUDP --protocol udp --jump denylog
|
@ -0,0 +1,9 @@
|
||||
/sbin/iptables --new-chain InboundUDP
|
||||
/sbin/iptables --new-chain InboundUDP_1
|
||||
/sbin/iptables --append INPUT --protocol udp --in-interface $\{OUTERIF:-$INTERNALIF\} \
|
||||
--jump InboundUDP
|
||||
/sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
|
||||
# Catch any returns, just in case
|
||||
/sbin/iptables --append INPUT --protocol udp --in-interface $\{OUTERIF:-$INTERNALIF\} \
|
||||
--jump denylog
|
||||
/sbin/iptables --append InboundUDP --protocol udp --jump denylog
|
@ -0,0 +1,9 @@
|
||||
{
|
||||
my $status = $dhcpd{status} || 'disabled';
|
||||
if ($status eq 'enabled')
|
||||
{
|
||||
$OUT .= <<'HERE';
|
||||
/sbin/iptables --append INPUT -p udp --sport 67:68 -i $INTERNALIF -j ACCEPT
|
||||
HERE
|
||||
}
|
||||
}
|
@ -0,0 +1,5 @@
|
||||
{
|
||||
## Set Default rule on FORWARD chain to denylog
|
||||
}
|
||||
/sbin/iptables --policy FORWARD DROP
|
||||
/sbin/iptables --append FORWARD --jump denylog
|
@ -0,0 +1,5 @@
|
||||
{
|
||||
## Set default policy
|
||||
}
|
||||
/sbin/iptables --policy INPUT DROP
|
||||
/sbin/iptables --append INPUT --jump denylog
|
@ -0,0 +1,5 @@
|
||||
{
|
||||
## Set default policy
|
||||
}
|
||||
/sbin/iptables --policy OUTPUT ACCEPT
|
||||
/sbin/iptables --append OUTPUT --jump ACCEPT
|
@ -0,0 +1,4 @@
|
||||
$0 adjust
|
||||
echo "done"
|
||||
;;
|
||||
|
@ -0,0 +1,13 @@
|
||||
|
||||
adjust)
|
||||
status=$(/sbin/e-smith/config getprop masq status)
|
||||
if [ $status = "disabled" ]
|
||||
then
|
||||
exit 0
|
||||
fi
|
||||
test -z "$2" && exec chpst -l /var/lock/masq.adjust $0 adjust with_lock
|
||||
trace=$(/sbin/e-smith/config getprop masq Trace)
|
||||
if [ $trace = "enabled" ]; then
|
||||
# Toggle trace off.
|
||||
$0 trace
|
||||
fi
|
@ -0,0 +1,7 @@
|
||||
{
|
||||
$OUT .=<<'EOF';
|
||||
OLD_ForwardedTCP=$(get_safe_id ForwardedTCP filter find)
|
||||
NEW_ForwardedTCP=$(get_safe_id ForwardedTCP filter new)
|
||||
/sbin/iptables --new-chain $NEW_ForwardedTCP
|
||||
EOF
|
||||
}
|
@ -0,0 +1,7 @@
|
||||
{
|
||||
# Append all our forwarding rules.
|
||||
foreach my $rule (@tcp_forward_acl_rules)
|
||||
{
|
||||
$OUT .= "$rule \$NEW_ForwardedTCP\n";
|
||||
}
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
{
|
||||
# Activate the chain and destroy the old.
|
||||
$OUT .=<<'EOF';
|
||||
/sbin/iptables --replace ForwardedTCP 1 \
|
||||
--jump $NEW_ForwardedTCP
|
||||
/sbin/iptables --flush $OLD_ForwardedTCP
|
||||
/sbin/iptables --delete-chain $OLD_ForwardedTCP
|
||||
EOF
|
||||
}
|
@ -0,0 +1,8 @@
|
||||
{
|
||||
# Repeat this exercise for the ForwardedUDP chain.
|
||||
$OUT .=<<'EOF';
|
||||
OLD_ForwardedUDP=$(get_safe_id ForwardedUDP filter find)
|
||||
NEW_ForwardedUDP=$(get_safe_id ForwardedUDP filter new)
|
||||
/sbin/iptables --new-chain $NEW_ForwardedUDP
|
||||
EOF
|
||||
}
|
@ -0,0 +1,7 @@
|
||||
{
|
||||
# Append our forwarding rules.
|
||||
foreach my $rule (@udp_forward_acl_rules)
|
||||
{
|
||||
$OUT .= "$rule \$NEW_ForwardedUDP\n";
|
||||
}
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
{
|
||||
# Activate the new chain and destroy the old.
|
||||
$OUT .=<<'EOF';
|
||||
/sbin/iptables --replace ForwardedUDP 1 \
|
||||
--jump $NEW_ForwardedUDP
|
||||
/sbin/iptables --flush $OLD_ForwardedUDP
|
||||
/sbin/iptables --delete-chain $OLD_ForwardedUDP
|
||||
EOF
|
||||
}
|
@ -0,0 +1,10 @@
|
||||
{
|
||||
# Find the current InboundTCP_$$ chain, and create a new one.
|
||||
$OUT .=<<'EOF';
|
||||
OLD_InboundTCP=$(get_safe_id InboundTCP filter find)
|
||||
NEW_InboundTCP=$(get_safe_id InboundTCP filter new)
|
||||
/sbin/iptables --new-chain $NEW_InboundTCP
|
||||
EOF
|
||||
$OUT .= " /sbin/iptables --append \$NEW_InboundTCP \\! " .
|
||||
"--destination \$OUTERNET --jump denylog\n";
|
||||
}
|
@ -0,0 +1,14 @@
|
||||
{
|
||||
return "" if $oidentd{status} eq "enabled";
|
||||
|
||||
return <<'END_REJECT_IDENT';
|
||||
|
||||
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 113 \
|
||||
--destination $OUTERNET \
|
||||
--jump REJECT \
|
||||
--reject-with tcp-reset
|
||||
|
||||
END_REJECT_IDENT
|
||||
}
|
||||
|
||||
|
@ -0,0 +1,44 @@
|
||||
{
|
||||
@tcpsvcs = ($DB->get_all_by_prop( TCPPort => '\d+'), $DB->get_all_by_prop( TCPPorts => '\d+(,\d+|:\d+)*'));
|
||||
foreach my $filter ( sort {$a->key cmp $b->key} @tcpsvcs )
|
||||
{
|
||||
my %props = $filter->props();
|
||||
|
||||
my @ports = grep { $_ } split /[;,]/, ($props{TCPPort} || '').",".($props{TCPPorts} || '');
|
||||
|
||||
my $deny_hosts = $props{DenyHosts} || '';
|
||||
|
||||
my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
|
||||
|
||||
unless ( ($props{status} || 'disabled') eq 'enabled')
|
||||
{
|
||||
$allow_hosts = '';
|
||||
}
|
||||
|
||||
unless ( ($props{access} || 'private') eq 'public')
|
||||
{
|
||||
$allow_hosts = '';
|
||||
}
|
||||
|
||||
$OUT .= " # " . $filter->key . ": TCPPorts: " . (join ',', @ports) . ", AllowHosts: $allow_hosts, DenyHosts: $deny_hosts\n";
|
||||
|
||||
foreach my $port (sort { @a = split /[^\d]/, $a; @b = split /[^\d]/, $b; $a[0] <=> $b[0] || $a cmp $b } @ports)
|
||||
{
|
||||
foreach my $host (split(',', $deny_hosts))
|
||||
{
|
||||
$OUT .= <<HERE;
|
||||
/sbin/iptables -A \$NEW_InboundTCP --proto tcp --dport $port \\
|
||||
--destination \$OUTERNET --src $host --jump denylog
|
||||
HERE
|
||||
}
|
||||
|
||||
foreach my $host (split(',', $allow_hosts))
|
||||
{
|
||||
$OUT .= <<HERE;
|
||||
/sbin/iptables -A \$NEW_InboundTCP --proto tcp --dport $port \\
|
||||
--destination \$OUTERNET --src $host --jump ACCEPT
|
||||
HERE
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,7 @@
|
||||
{
|
||||
# Append all our inbound tcp rules to it.
|
||||
foreach my $rule (@tcp_acl_rules)
|
||||
{
|
||||
$OUT .= "$rule \$NEW_InboundTCP\n";
|
||||
}
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
{
|
||||
# Having created a new Inbound TCP chain, activate it and destroy the old.
|
||||
$OUT .=<<'EOF';
|
||||
/sbin/iptables --replace InboundTCP 1 \
|
||||
--jump $NEW_InboundTCP
|
||||
/sbin/iptables --flush $OLD_InboundTCP
|
||||
/sbin/iptables --delete-chain $OLD_InboundTCP
|
||||
EOF
|
||||
}
|
@ -0,0 +1,10 @@
|
||||
{
|
||||
# Find the current InboundUDP_$$ chain and create a new one.
|
||||
$OUT .=<<'EOF';
|
||||
OLD_InboundUDP=$(get_safe_id InboundUDP filter find)
|
||||
NEW_InboundUDP=$(get_safe_id InboundUDP filter new)
|
||||
/sbin/iptables --new-chain $NEW_InboundUDP
|
||||
EOF
|
||||
$OUT .= " /sbin/iptables --append \$NEW_InboundUDP \\! " .
|
||||
"--destination \$OUTERNET --jump denylog\n";
|
||||
}
|
@ -0,0 +1,44 @@
|
||||
{
|
||||
@udpsvcs = ($DB->get_all_by_prop( UDPPort => '\d+'), $DB->get_all_by_prop( UDPPorts => '\d+(,\d+|:\d+)*'));
|
||||
foreach my $filter ( sort {$a->key cmp $b->key} @udpsvcs )
|
||||
{
|
||||
my %props = $filter->props();
|
||||
|
||||
my @ports = grep { $_ } split /[;,]/, ($props{UDPPort} || '').",".($props{UDPPorts} || '');
|
||||
|
||||
my $deny_hosts = $props{DenyHosts} || '';
|
||||
|
||||
my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
|
||||
|
||||
unless ( ($props{status} || 'disabled') eq 'enabled')
|
||||
{
|
||||
$allow_hosts = '';
|
||||
}
|
||||
|
||||
unless ( ($props{access} || 'private') eq 'public')
|
||||
{
|
||||
$allow_hosts = '';
|
||||
}
|
||||
|
||||
$OUT .= " # " . $filter->key . ": UDPPorts: " . (join ',', @ports) . ", AllowHosts: $allow_hosts, DenyHosts: $deny_hosts\n";
|
||||
|
||||
foreach my $port (sort { @a = split /[^\d]/, $a; @b = split /[^\d]/, $b; $a[0] <=> $b[0] || $a cmp $b } @ports)
|
||||
{
|
||||
foreach my $host (split(',', $deny_hosts))
|
||||
{
|
||||
$OUT .= <<HERE;
|
||||
/sbin/iptables -A \$NEW_InboundUDP --proto udp --dport $port \\
|
||||
--destination \$OUTERNET --src $host --jump denylog
|
||||
HERE
|
||||
}
|
||||
|
||||
foreach my $host (split(',', $allow_hosts))
|
||||
{
|
||||
$OUT .= <<HERE;
|
||||
/sbin/iptables -A \$NEW_InboundUDP --proto udp --dport $port \\
|
||||
--destination \$OUTERNET --src $host --jump ACCEPT
|
||||
HERE
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,7 @@
|
||||
{
|
||||
# Append all our inbound udp rules to it.
|
||||
foreach my $rule (@udp_acl_rules)
|
||||
{
|
||||
$OUT .= "$rule \$NEW_InboundUDP\n";
|
||||
}
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
{
|
||||
# Having created a new Inbound UDP chain, activate it and destroy the old.
|
||||
$OUT .=<<'EOF';
|
||||
/sbin/iptables --replace InboundUDP 1 \
|
||||
--jump $NEW_InboundUDP
|
||||
/sbin/iptables --flush $OLD_InboundUDP
|
||||
/sbin/iptables --delete-chain $OLD_InboundUDP
|
||||
EOF
|
||||
}
|
@ -0,0 +1,29 @@
|
||||
{
|
||||
my $logging = $masq{Logging} || "none";
|
||||
my $target = $masq{DenylogTarget} eq "drop" ? 'DROP' : 'REJECT';
|
||||
|
||||
if ( $logging eq "none" )
|
||||
{
|
||||
$OUT .= " /sbin/iptables --replace denylog 1 --jump $target";
|
||||
}
|
||||
elsif ($logging eq "all")
|
||||
{
|
||||
$OUT .= <<"HERE";
|
||||
/sbin/iptables --replace denylog 1 --jump ULOG --ulog-nlgroup 1 --ulog-prefix \"denylog:\"
|
||||
/sbin/iptables --replace denylog 2 --jump $target
|
||||
/sbin/iptables --replace denylog 3 --jump $target
|
||||
/sbin/iptables --replace denylog 4 --jump $target
|
||||
/sbin/iptables --replace denylog 5 --jump $target
|
||||
HERE
|
||||
}
|
||||
else
|
||||
{
|
||||
$OUT .= <<"HERE";
|
||||
/sbin/iptables --replace denylog 1 -p udp --dport 520 --jump $target
|
||||
/sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump $target
|
||||
/sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump $target
|
||||
/sbin/iptables --replace denylog 4 --jump ULOG --ulog-nlgroup 1 --ulog-prefix \"denylog:\"
|
||||
/sbin/iptables --replace denylog 5 --jump $target
|
||||
HERE
|
||||
}
|
||||
}
|
@ -0,0 +1,41 @@
|
||||
# Find the current InboundICMP_$$ chain, and create a new one.
|
||||
IBI=$(get_safe_id InboundICMP filter find)
|
||||
new=$(get_safe_id InboundICMP filter new)
|
||||
/sbin/iptables --new-chain $new
|
||||
{
|
||||
my $stealth = $masq{Stealth} || 'no';
|
||||
if ($stealth eq 'yes')
|
||||
{
|
||||
$OUT .= <<HERE;
|
||||
/sbin/iptables --append \$new --proto icmp \\
|
||||
--icmp-type echo-request --in-interface \${OUTERIF:-\$INTERNALIF} --jump denylog
|
||||
HERE
|
||||
}
|
||||
# We want to be very selective on the ICMPs we accept to stop
|
||||
# route hijacking
|
||||
|
||||
my @OKicmpTypes = (
|
||||
qw(
|
||||
echo-request
|
||||
echo-reply
|
||||
destination-unreachable
|
||||
source-quench
|
||||
time-exceeded
|
||||
parameter-problem
|
||||
) );
|
||||
|
||||
|
||||
foreach my $icmpType (@OKicmpTypes)
|
||||
{
|
||||
$OUT .= <<HERE;
|
||||
/sbin/iptables --append \$new --proto icmp \\
|
||||
--icmp-type $icmpType --jump ACCEPT
|
||||
HERE
|
||||
}
|
||||
# Having created a new Inbound ICMP chain, activate it and
|
||||
# destroy the old.
|
||||
}
|
||||
/sbin/iptables --append $new --jump denylog
|
||||
/sbin/iptables --replace InboundICMP 1 --jump $new
|
||||
/sbin/iptables --flush "$IBI"
|
||||
/sbin/iptables --delete-chain "$IBI"
|
@ -0,0 +1,2 @@
|
||||
/sbin/iptables --table nat --replace PostroutingOutbound 1 \
|
||||
--source $OUTERNET -j ACCEPT
|
@ -0,0 +1,8 @@
|
||||
{
|
||||
$OUT .=<<'EOF';
|
||||
OLD_local_chk=$(get_safe_id local_chk filter find)
|
||||
NEW_local_chk=$(get_safe_id local_chk filter new)
|
||||
/sbin/iptables --new-chain $NEW_local_chk
|
||||
/sbin/iptables -A $NEW_local_chk --in-interface lo -j ACCEPT
|
||||
EOF
|
||||
}
|
@ -0,0 +1,19 @@
|
||||
{
|
||||
$OUT = "";
|
||||
my $locals = "@locals";
|
||||
if (@locals)
|
||||
{
|
||||
# Make a new local_chk chain and add any networks found in networks db
|
||||
foreach my $local (@locals)
|
||||
{
|
||||
# If the network is a remote vpn subnet, restrict it to the VPN
|
||||
# interface.
|
||||
my ($net, $msk) = split /\//, $local;
|
||||
my $netrec = $nets->get($net);
|
||||
die "Can't find network $net in networks db!\n" unless $netrec;
|
||||
$OUT .= "/sbin/iptables -A \$NEW_local_chk -s $local";
|
||||
$OUT .= " --in-interface " . $netrec->prop('VPNif') if ( $netrec->prop('VPNif') );
|
||||
$OUT .= " -j ACCEPT\n";
|
||||
}
|
||||
}
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
{
|
||||
# Activate the chain and destroy the old.
|
||||
$OUT .=<<'EOF';
|
||||
/sbin/iptables --replace local_chk 1 \
|
||||
--jump $NEW_local_chk
|
||||
/sbin/iptables --flush $OLD_local_chk
|
||||
/sbin/iptables --delete-chain $OLD_local_chk
|
||||
EOF
|
||||
}
|
@ -0,0 +1,5 @@
|
||||
if [ $trace = "enabled" ]; then
|
||||
# Toggle trace back on.
|
||||
$0 trace
|
||||
fi
|
||||
;;
|
@ -0,0 +1,14 @@
|
||||
{
|
||||
# #####START MASQ#####
|
||||
# masqstart)
|
||||
# echo ""
|
||||
# echo -n "Starting IP Masquerading:"
|
||||
# ## Read Masq Rules
|
||||
# # . $CONFIG_DIR/pmfirewall.rules.masq
|
||||
# echo " Done!"
|
||||
# echo ""
|
||||
# echo "Internal: $INTERNALIF $INTERNALNET"
|
||||
# echo "External: $OUTERIF $OUTERNET"
|
||||
# echo "" ;;
|
||||
#
|
||||
}
|
@ -0,0 +1,8 @@
|
||||
|
||||
masqstop)
|
||||
echo ""
|
||||
echo -n "Shuting down IP Masquerading:"
|
||||
/sbin/iptables -F FORWARD
|
||||
/sbin/iptables -P FORWARD DROP
|
||||
echo " Done!"
|
||||
echo "" ;;
|
@ -0,0 +1,6 @@
|
||||
restart)
|
||||
$0 stop
|
||||
$0 start
|
||||
;;
|
||||
|
||||
|
@ -0,0 +1,8 @@
|
||||
status)
|
||||
echo $"Table: filter"
|
||||
/sbin/iptables --list -n
|
||||
echo $"Table: nat"
|
||||
/sbin/iptables -t nat --list -n
|
||||
echo $"Table: mangle"
|
||||
/sbin/iptables -t mangle --list -n
|
||||
;;
|
@ -0,0 +1,38 @@
|
||||
{
|
||||
#####STOP FIREWALL####
|
||||
}
|
||||
stop)
|
||||
echo ""
|
||||
echo -n "Shutting down IP masquerade and firewall rules:"
|
||||
/sbin/iptables -P FORWARD DROP
|
||||
/sbin/iptables -P OUTPUT ACCEPT
|
||||
/sbin/iptables -P INPUT {
|
||||
# Set "safe" default mode.
|
||||
($SystemMode eq "serveronly") ? "ACCEPT" : "DROP"
|
||||
}
|
||||
/sbin/iptables -F INPUT
|
||||
/sbin/iptables -F OUTPUT
|
||||
/sbin/iptables -F FORWARD
|
||||
/sbin/iptables -F
|
||||
{
|
||||
$OUT .= '';
|
||||
# Allow forwarding of local addresses, as we might be a VPN endpoint
|
||||
# in serveronly mode
|
||||
# @locals contains a list of local networks, with the real local
|
||||
# network first
|
||||
my @mylocals = @locals;
|
||||
my $local = shift @mylocals;
|
||||
$OUT .= " /sbin/iptables --append FORWARD -s $local" .
|
||||
" -d $local -j ACCEPT\n";
|
||||
foreach my $network (@mylocals)
|
||||
{
|
||||
$OUT .= " /sbin/iptables --append FORWARD -s $network" .
|
||||
" -d $local -j ACCEPT\n";
|
||||
$OUT .= " /sbin/iptables --append FORWARD -s $local" .
|
||||
" -d $network -j ACCEPT\n";
|
||||
}
|
||||
} /sbin/iptables -X
|
||||
echo " Done!"
|
||||
echo "" ;;
|
||||
|
||||
|
@ -0,0 +1,15 @@
|
||||
trace)
|
||||
trace=$(/sbin/e-smith/config getprop masq Trace)
|
||||
if [ $trace = "enabled" ]; then
|
||||
action="stop"
|
||||
echo "Disabling iptables-trace..."
|
||||
/sbin/e-smith/config setprop masq Trace disabled
|
||||
else
|
||||
action="start"
|
||||
echo "Enabling iptables-trace..."
|
||||
/sbin/e-smith/config setprop masq Trace enabled
|
||||
fi
|
||||
|
||||
/etc/init.d/iptables-trace $action
|
||||
;;
|
||||
|
@ -0,0 +1,6 @@
|
||||
*)
|
||||
echo "Usage: masq \{start|stop|restart|...\}"
|
||||
exit 1
|
||||
|
||||
esac
|
||||
exit 0
|
@ -0,0 +1,7 @@
|
||||
[global]
|
||||
nlgroup=1
|
||||
logfile=/var/log/ulogd/ulogd.log
|
||||
loglevel=5
|
||||
rmem=131071
|
||||
bufsize=150000
|
||||
|
@ -0,0 +1,38 @@
|
||||
|
||||
######################################################################
|
||||
# PLUGIN OPTIONS
|
||||
######################################################################
|
||||
# We have to configure and load all the plugins we want to use
|
||||
# general rules:
|
||||
#
|
||||
# 0. don't specify any plugin for ulogd to load them all
|
||||
# 1. load the plugins _first_ from the global section
|
||||
# 2. options for each plugin in seperate section below
|
||||
|
||||
#plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_inppkt_UNIXSOCK.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_filter_IP2HBIN.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_filter_MARK.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_XML.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_SQLITE3.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_GPRINT.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_PGSQL.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_MYSQL.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_DBI.so"
|
||||
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_inpflow_NFACCT.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_GRAPHITE.so"
|
||||
#plugin="/usr/lib64/ulogd/ulogd_output_JSON.so"
|
||||
|
@ -0,0 +1,4 @@
|
||||
|
||||
#our base stack ULOG to LOGEMU
|
||||
stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
|
||||
|
@ -0,0 +1,10 @@
|
||||
[ulog1]
|
||||
# denylog:
|
||||
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
|
||||
nlgroup=1
|
||||
|
||||
|
||||
[emu1]
|
||||
file="/var/log/iptables/denylog.log"
|
||||
sync=1
|
||||
|
@ -0,0 +1,96 @@
|
||||
#!/bin/bash
|
||||
# $Id: iptables-trace,v 1.14 2004/11/13 00:31:15 apc Exp $
|
||||
# Tony Clayton <t ny-netfilter@clayt n.ca>
|
||||
|
||||
# You may use and edit this code freely. If you make changes to
|
||||
# it that are generally useful, please email them to me and/or
|
||||
# post them on the netfilter mailing list <netfilter@lists.netfilter.org>
|
||||
|
||||
LOGPREFIX='${table:0:1}:${chain:0:14}:$rulenumber:${target:0:14}'
|
||||
MAXPREFIXSIZE=27
|
||||
PRINT=0
|
||||
IPTABLES="iptables"
|
||||
|
||||
log_entry() {
|
||||
local action=$1
|
||||
local table=$3 cmd=$4 chain=$5
|
||||
local rulenumber="-"
|
||||
shift 5
|
||||
if [ "$last_chain" != "$chain" ]; then
|
||||
rulenum=1
|
||||
fi
|
||||
case $action in
|
||||
(add|addpolicy)
|
||||
local rulespec
|
||||
if [ "$action" = "add" ]; then
|
||||
cmd="-I"
|
||||
rulespec=$rulenum
|
||||
rulenumber=$rulenum
|
||||
let rulenum=$rulenum+2
|
||||
fi
|
||||
while [ "$1" != "-j" ]; do
|
||||
rulespec="$rulespec $1"
|
||||
shift;
|
||||
done
|
||||
shift;
|
||||
target=$1
|
||||
eval prefix="${LOGPREFIX}"
|
||||
|
||||
$IPTABLES -t $table $cmd $chain $rulespec -j LOG \
|
||||
--log-prefix "*${prefix:0:$MAXPREFIXSIZE}:"
|
||||
;;
|
||||
(skip)
|
||||
let rulenum=$rulenum+1
|
||||
;;
|
||||
(delete)
|
||||
$IPTABLES -t $table -D $chain $rulenum
|
||||
;;
|
||||
esac
|
||||
last_chain=$chain
|
||||
}
|
||||
|
||||
start() {
|
||||
for table in $(cat /proc/net/ip_tables_names); do
|
||||
rulenum=1
|
||||
iptables-save -t $table | grep '^-' | \
|
||||
while read rule; do
|
||||
log_entry add -t $table $rule
|
||||
done
|
||||
# log default policy for each chain
|
||||
iptables-save -t $table | grep '^:' | tr -d : | \
|
||||
while read chain target rest; do
|
||||
if [ "$target" != "-" ]; then
|
||||
log_entry addpolicy -t $table -A $chain -j $target
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
stop() {
|
||||
for table in $(cat /proc/net/ip_tables_names); do
|
||||
iptables-save -t $table | grep '^-' | \
|
||||
while read cmd; do
|
||||
echo $cmd | grep -q -e '--log-prefix "\*'
|
||||
if [ $? -eq 0 ]; then
|
||||
log_entry delete -t $table $cmd
|
||||
else
|
||||
log_entry skip -t $table $cmd
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start) start
|
||||
;;
|
||||
stop) stop
|
||||
;;
|
||||
start_test) IPTABLES="echo iptables"; start
|
||||
;;
|
||||
stop_test) IPTABLES="echo iptables"; stop
|
||||
;;
|
||||
*) echo $"Usage: $0 {start|stop}"
|
||||
exit 1
|
||||
esac
|
||||
|
||||
exit 0
|
@ -0,0 +1 @@
|
||||
ulogd:any:/sbin/e-smith/expand-template /etc/logrotate.d/ulogd
|
@ -0,0 +1,18 @@
|
||||
[Unit]
|
||||
Description=masq, the Koozali SME Server firewall script
|
||||
Before=network-pre.target
|
||||
Wants=network-pre.target
|
||||
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service firewalld.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStartPre=/sbin/e-smith/service-status masq
|
||||
ExecStart=/etc/rc.d/init.d/masq start
|
||||
ExecStop=/etc/rc.d/init.d/masq stop
|
||||
ExecReload=/etc/rc.d/init.d/masq adjust
|
||||
RemainAfterExit=yes
|
||||
|
||||
|
||||
[Install]
|
||||
WantedBy=sme-server.target
|
||||
|
@ -0,0 +1,3 @@
|
||||
[Unit]
|
||||
Wants=ulogd.service
|
||||
|
@ -0,0 +1,17 @@
|
||||
[Unit]
|
||||
Description=Netfilter Userspace Logging Daemon
|
||||
Before=masq.service
|
||||
|
||||
[Service]
|
||||
User=root
|
||||
Group=root
|
||||
Restart=always
|
||||
TimeoutSec=0
|
||||
Type=forking
|
||||
|
||||
PIDFile=/run/ulog/ulogd.pid
|
||||
ExecStart=/usr/sbin/ulogd --daemon --uid ulog --pidfile /run/ulog/ulogd.pid
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
|
||||
[Install]
|
||||
WantedBy=sme-server.target multi-user.target
|
@ -0,0 +1 @@
|
||||
d /run/ulog 2755 ulog ulog
|
Loading…
Reference in New Issue