initial commit of file from CVS for e-smith-packetfilter on Wed 12 Jul 09:02:33 BST 2023

This commit is contained in:
Brian Read 2023-07-12 09:02:33 +01:00
parent b2c0968fc3
commit 4a060af783
87 changed files with 2343 additions and 2 deletions

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
*.rpm
*.log
*spec-20*
*.tar.xz

21
Makefile Normal file
View File

@ -0,0 +1,21 @@
# Makefile for source rpm: e-smith-packetfilter
# $Id: Makefile,v 1.1 2016/02/05 22:13:26 stephdl Exp $
NAME := e-smith-packetfilter
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)

View File

@ -1,3 +1,17 @@
# e-smith-packetfilter
# <img src="https://www.koozali.org/images/koozali/Logo/Png/Koozali_logo_2016.png" width="25%" vertical="auto" style="vertical-align:bottom"> e-smith-packetfilter
SMEServer Koozali developed git repo for e-smith-packetfilter smeserver
SMEServer Koozali developed git repo for e-smith-packetfilter smeserver
## Wiki
<br />https://wiki.koozali.org/
## Bugzilla
Show list of outstanding bugs: [here](https://bugs.koozali.org/buglist.cgi?component=e-smith-packetfilter&product=SME%20Server%2010.X&query_format=advanced&limit=0&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=CONFIRMED)
## Description
<br />*This description has been generated by an LLM AI system and cannot be relied on to be fully correct.*
*Once it has been checked, then this comment will be deleted*
<br />
The e-smith-packetfilter software is an open source Linux-based firewall system that is used to protect networks from malicious attacks and unauthorized access. It has a modular design and can be easily customized to meet the needs of any organization. The software provides robust protection against Denial of Service (DoS) attacks, port scanning, IP spoofing, port scanning, and other security threats. It also offers advanced features such as content filtering, URL filtering, and stateful packet inspection. The software is easy to set up and manage, making it an ideal choice for organizations of all sizes.

340
additional/COPYING Normal file
View File

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

1
contriborbase Normal file
View File

@ -0,0 +1 @@
sme10

46
createlinks Normal file
View File

@ -0,0 +1,46 @@
#!/usr/bin/perl -w
use esmith::Build::CreateLinks qw(:all);
templates2events("/etc/ulogd.conf", qw(post-install post-upgrade e-smith-packetfilter-update));
# conf-masq
templates2events("/etc/rc.d/init.d/masq", qw(
console-save
bootstrap-console-save
network-create
network-delete
remoteaccess-update
email-update
e-smith-packetfilter-update
));
foreach (qw(console-save ip-change network-create network-delete remoteaccess-update e-smith-packetfilter-update))
{
safe_symlink("reload", "root/etc/e-smith/events/$_/services2adjust/masq");
}
my $event ="e-smith-packetfilter-update";
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/ulogd");
event_link("systemd-reload", $event, "89");
event_link("systemd-default", $event, "88");
templates2events("/etc/logrotate.d/ulogd", ($event,qw(post-install post-upgrade bootstrap-console-save)) );
#systemd
foreach my $target (qw(multi-user sme-server))
{
system('mkdir -p root/usr/lib/systemd/system/'.$target.'.target.wants/');
foreach my $unit (qw(
masq.service
ulogd.service
))
{
symlink("../$unit",
"root/usr/lib/systemd/system/$target.target.wants/$unit")
or die "Can't symlink to root/usr/lib/systemd/system/$target.target.wants/$unit: $!";
}
}

908
e-smith-packetfilter.spec Normal file
View File

@ -0,0 +1,908 @@
# $Id: e-smith-packetfilter.spec,v 1.15 2021/11/16 03:18:06 jpp Exp $
Summary: e-smith server and gateway - packetfilter add-on
%define name e-smith-packetfilter
Name: %{name}
%define version 2.6.0
%define release 9
Version: %{version}
Release: %{release}%{?dist}
License: GPL
Group: Networking/Daemons
Source: %{name}-%{version}.tar.xz
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildArchitectures: noarch
Requires: e-smith-base >= 5.8.0-49
Requires: ulogd >= 2
Requires: daemontools
Requires: iptables
BuildRequires: e-smith-devtools
Obsoletes: e-smith-ipmasq
AutoReqProv: no
Requires(pre): /usr/sbin/useradd
%description
e-smith server and gateway software - packetfilter add-on
%changelog
* Wed Jul 12 2023 cvs2git.sh aka Brian Read <brianr@koozali.org> 2.6.0-9.sme
- Roll up patches and move to git repo [SME: 12338]
* Wed Jul 12 2023 BogusDateBot
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
by assuming the date is correct and changing the weekday.
Mon Apr 21 2001 --> Mon Apr 16 2001 or Sat Apr 21 2001 or Mon Apr 23 2001 or ....
Fri Nov 23 2006 --> Fri Nov 17 2006 or Thu Nov 23 2006 or Fri Nov 24 2006 or ....
Fri Apr 09 2007 --> Fri Apr 06 2007 or Mon Apr 09 2007 or Fri Apr 13 2007 or ....
* Mon Nov 15 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-8.sme
- restrict VPN networks to their interface [SME: 11640]
remove remoteVPNSubnet property added VPNif property
* Wed Apr 07 2021 Jean-Philippe Pialasse <tests@pialasse.com> 2.6.0-7.sme
- fix dropin file not expanded on initial installation [SME: 11528]
- fix noise on logrotate, doing a restart instead of reload [SME: 11451]
* Thu Mar 04 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-6.sme
- move ulogd to systemd [SME: 11426]
- require ulogd 2 [SME: 11426]
* Wed Mar 03 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-5.sme
- remove pptpd last references [SME: 11420]
* Fri Feb 12 2021 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-4.sme
- remove /usr/lib/systemd/system-preset/80-koozali-packetfilter.preset [SME: 10958]
* Fri Dec 11 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-3.sme
- drop pptpd support [SME: 11251]
* Tue Nov 10 2020 Jean-Philipe Pialasse <tests@pialasse.com> 2.6.0-2.sme
- launch masq using systemd unit [SME: 11089]
- create event to avoid reboot on update [SME: 11122]
* Fri Feb 05 2016 stephane de Labrusse <stephdl@de-labrusse.fr> 2.6.0-1.sme
- Initial release to sme10
* Thu Feb 28 2013 Ian Wells <esmith@wellsi.com> 2.4.0-3.sme
- Prevent multiple instances of the masq script running,
patch by Charlie Brady [SME: 7415]
* Tue Feb 19 2013 Daniel Berteaud <daniel@firewall-services.com> 2.4.0-2.sme
- Use extrapositioned negation (Credits to John Crisp) [SME: 7262]
* Wed Feb 6 2013 Shad L. Lords <slords@mail.com> 2.4.0-1.sme
- Roll new stream for sme9
* Tue Oct 7 2008 Shad L. Lords <slords@mail.com> 2.2.0-1.sme
- Roll new stream to separate sme7/sme8 trees [SME: 4633]
* Fri May 18 2007 Shad L. Lords <slords@mail.com> 1.18.0-6
- Use correct lib for modules
* Sun Apr 29 2007 Shad L. Lords <slords@mail.com>
- Clean up spec so package can be built by koji/plague
* Fri Apr 09 2007 Stephen Noble <support@dungog.net> 1.18.0-5
- Fix masq error in server only mode (cannot open UDPPort) [SME: 2812]
* Fri Apr 06 2007 Shad L. Lords <slords@mail.com> 1.18.0-4
- Fix perms for ulogd.conf file [SME: 2722]
* Mon Mar 19 2007 Shad L. Lords <slords@mail.com> 1.18.0-3
- Update ulogd.conf to new format [SME: 2744]
* Fri Feb 09 2007 Shad L. Lords <slords@mail.com> 1.18.0-2
- Fix sorting for Ports properties [SME: 56]
* Fri Jan 26 2007 Shad L. Lords <slords@mail.com> 1.18.0-1
- Roll stable stream. [SME: 2328]
* Thu Jan 18 2007 Shad L. Lords <slords@mail.com> 1.17.0-7
- Move last masq fragments from e-smith-base.
* Wed Jan 17 2007 Shad L. Lords <slords@mail.com> 1.17.0-6
- Use both {TCP,UDP}Port and {TCP,UDP}Ports for masq template [SME: 56]
* Thu Dec 07 2006 Shad L. Lords <slords@mail.com>
- Update to new release naming. No functional changes.
- Make Packager generic
* Thu Nov 23 2006 Gordon Rowell <gordonr@gormand.com.au> 1.17.0-04
Fri Nov 23 2006 --> Fri Nov 17 2006 or Thu Nov 23 2006 or Fri Nov 24 2006 or ....
- Remove TCPMinimizeDelay default for ssh [SME: 2083]
* Mon Aug 28 2006 Charlie Brady <charlie_brady@mitel.com> 1.17.0-03
- Ensure that $OUTERNET is an IP address. [SME: 1815]
* Sun Aug 13 2006 Charlie Brady <charlie_brady@mitel.com> 1.17.0-02
- Merge in masq fragments from e-smith-base.
* Sun Aug 13 2006 Charlie Brady <charlie_brady@mitel.com> 1.17.0-01
- Roll new development stream.
* Wed Jul 26 2006 Gordon Rowell <gordonr@gormand.com.au> 1.16.0-05
- Remove redundant auto-generated service-specific denylog rules from
90InboundTCP10filter_{tcp,udp} [SME: 1776]
* Tue Jul 18 2006 Charlie Brady <charlie_brady@mitel.com> 1.16.0-04
- Bundle fragments from e-smith-ipmasq and obsolete that RPM. [SME: 1002]
* Tue Jun 20 2006 Filippo Carletti <carletti@mobilia.it> 1.16.0-03
- No longer drop UDP packets in serveronly mode [SME: 1002]
* Thu Apr 6 2006 Gavin Weight <gweight@gmail.com> 1.2.0-02
- Make ident TCP reject configurable, based on oidentd status.
If oidentd{status} is enabled, allow ident, otherwise REJECT it [SME: 85]
* Wed Mar 15 2006 Charlie Brady <charlie_brady@mitel.com> 1.2.0-01
- Roll stable stream version. [SME: 1016]
* Wed Nov 30 2005 Gordon Rowell <gordonr@gormand.com.au> 1.15.1-12
- Bump release number only
* Wed Sep 21 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-11]
- Remove force/masq/status fragment, and fix "masq adjust" so
that it is harmless if firewall is disabled. This leaves unsolved
the problem of whether to toggle disabled->enabled during upgrades.
[SF: 1261356]
* Wed Sep 7 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-10]
- Fix location of force/status fragment for masq service. [SF: 1261356]
* Tue Aug 30 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-09]
- Add force/status fragment for masq service, to force enabled.
This ensures that firewall is running after a system upgrade,
to avoid various panel failure modes. Solution to be reviewed
for alternatives later. [SF: 1261356]
* Fri Aug 26 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-08]
- Remove filtering of outbound ICMP - it's blocking legitimate ICMP
redirects. [MN00093544]
* Tue Aug 2 2005 Shad Lords <slords@email.com>
- [1.15.1-07]
- Add default $masq{Stealth} db entry
* Tue Aug 2 2005 Gordon Rowell <gordonr@gormand.com.au>
- [1.15.1-06]
- Rejct IDENT with a TCP reset [SF: 1240659]
- Add support for UDPPort (c.f. TCPPort) property to allow
filtered UDP [SF: 1241398]
- Add support for DenyHosts property (see 1.15.0-02 for AllowHosts)
[SF: 1241398]
* Mon Jul 18 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-05]
- Tidy up path reference to networks db. [SF: 1216546]
* Tue Jun 7 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-04]
- Fix ulogd logging to stdout not being captured by multilog.
* Mon May 2 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-03]
- Add requires headers for ulogd and daemontools.
* Sun May 1 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-02]
- Switch to logging via ulogd and multilog.
* Sun May 1 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.1-01]
- Roll new development stream - 1.15.1
* Wed Mar 30 2005 Charlie Brady <charlieb@e-smith.com>
- [1.15.0-15]
- Set $OUTERNET to equal $LocalIP in masq script in serveronly mode,
so that masq script (if enabled) does not block allowed public access.
- Remove various 45Allow* fragments as TCPPort properties of services
will allow access if public access is enabled.
* Fri Nov 12 2004 Tony Clayton <apc@e-smith.com>
- [1.15.0-14]
- More cleanup for iptables-trace [tonyc]
* Fri Nov 12 2004 Tony Clayton <apc@e-smith.com>
- [1.15.0-13]
- update to latest iptables-trace [tonyc] :
- add logging for default chain policy fallback
- fix stop() bug causing _any_ rules with --log-prefix to be removed
* Fri Apr 30 2004 Michael Soulier <msoulier@e-smith.com>
- [1.15.0-12]
- Made TOS settings configurable, with just ssh set by default.
[msoulier dpar-28993]
* Wed Feb 25 2004 Michael Soulier <msoulier@e-smith.com>
- [1.15.0-11]
- Tightened rules for remote vpn subnets. [msoulier dpar-21836]
* Wed Jan 28 2004 Michael Soulier <msoulier@e-smith.com>
- [1.15.0-10]
- Fixed iptables-trace "stop" removing rules from the denylog chain.
[msoulier 10955]
* Wed Jan 28 2004 Michael Soulier <msoulier@e-smith.com>
- [1.15.0-09]
- Added a toggle of the trace option during adjust, so adjusts work with trace
enabled. [msoulier 8117]
* Mon Dec 1 2003 Michael Soulier <msoulier@e-smith.com>
- [1.15.0-08]
- Changed multicast DROP target to denylog, so it toggles. [msoulier 9450]
* Mon Dec 1 2003 Michael Soulier <msoulier@e-smith.com>
- [1.15.0-07]
- Changed the toggle property name to DenylogTarget. [msoulier 9450]
* Mon Dec 1 2003 Michael Soulier <msoulier@e-smith.com>
- [1.15.0-06]
- Added firewall-wide toggle for denylog DROP/REJECT. [msoulier 9450]
* Sat Nov 29 2003 Charlie Brady <charlieb@e-smith.com>
- [1.15.0-05]
- Ensure that masq script expands without error in serveronly mode.
[charlieb 10162]
* Sat Oct 4 2003 Michael Soulier <msoulier@e-smith.com>
- [1.15.0-04]
- Fixed error in masq fragment with stealth enabled. [msoulier 10165]
* Thu Sep 25 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.15.0-03]
- Add masq to 0.0.0.0/0 for public, unrestricted [gordonr 10050]
* Tue Sep 23 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.15.0-02]
- New fragment 90InboundTCP10filter_tcp, a further step towards
auto-generation of rules, removing the 45Allow* fragments:
For all services which have a TCPPort property defined:
If the service is 'enabled' and the service is 'public',
generate iptables rules as follows:
If an AllowHosts property is defined, allow only those hosts
Otherwise allow all hosts
AllowHosts is comma separated, and can contain IPs, IP/mask and CIDR
This will generate duplicate rules until the 45Allow* fragments
are removed, which can happen once the TCPPort property is defined
for a service.
QUERY: Should this be TCPPort (singular) or TCPPorts (plural)?
TODO: Create db defaults fragments to deprecate the 45Allow* fragments
TODO: Possibly add DenyHosts processing [gordonr 10050]
* Tue Sep 23 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.15.0-01]
- Changing version to development stream number - 1.15.0
- Dev stream [gordonr 10050]
* Thu Jun 26 2003 Charlie Brady <charlieb@e-smith.com>
- [1.14.0-01]
- Changing version to stable stream number - 1.14.0
* Tue Jun 17 2003 Tony Clayton <apc@e-smith.com>
- [1.13.0-27]
- Again [tonyc 8578]
* Tue Jun 17 2003 Tony Clayton <apc@e-smith.com>
- [1.13.0-26]
- Add lo->lo ACCEPT rule back to 90local_chk00Start fragment [tonyc 8578]
* Mon Jun 16 2003 Tony Clayton <apc@e-smith.com>
- [1.13.0-25]
- Split 90AllowLocal masq fragment into 90local_chk* [tonyc 8578]
* Mon Jun 2 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-24]
- Explicitely blocking multicast not from a local network.
[msoulier 6031]
* Thu May 1 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-23]
- Added chain creation during adjust. What a thought. [msoulier 7695]
* Thu May 1 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-22]
- Added support for a PPPconn chain to track rules to permit PPTP connections.
[msoulier 7695]
* Fri Apr 25 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-21]
- Refactored the 90adjustUDP template into multiple fragments. [msoulier 8505]
* Fri Apr 25 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-20]
- Refactored the 90adjustTCP template into multiple fragments. [msoulier 8505]
* Tue Apr 22 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-19]
- Accepting all traffic from the loopback interface. [msoulier 8299]
* Mon Apr 21 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-18]
- Removed acceptance of anything not from the external interface. The local
networks list should be sufficient. [msoulier 8299]
* Mon Apr 21 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-17]
- Added handling of local_chk chain in adjustment. [msoulier 8299]
* Mon Apr 14 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.13.0-16]
- Flag pptp masq as on by default [gordonr 6694]
* Tue Apr 8 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-15]
- Added iptables-trace in /etc/rc.d/init.d. [msoulier 7613]
* Tue Apr 1 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.13.0-14]
- Added denylog: prefix to denied packet logs [gordonr 6852]
* Tue Mar 25 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-13]
- Portforwarding still had problems, fixed here. [msoulier 7284]
* Tue Mar 25 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-12]
- Added ForwardedTCP and ForwardedUDP, as well as supporting code to
permit certain ports to be opened for forwarded traffic inbound. Required
for portforwarding. [msoulier 7284]
* Fri Mar 7 2003 Charlie Brady <charlieb@e-smith.com>
- [1.13.0-11]
- Add "use esmith::util" to 01localNetworks fragment. Needed if
esmith::templates form of processTemplate is used. [charlieb 5650]
* Fri Feb 21 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.13.0-10]
- Remove quotes around 'Name' - not required [gordonr 7343]
* Fri Feb 21 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.13.0-09]
- Make use of ExternalInterface definition in 00Definitions [gordonr 7343]
- Update dependency on e-smithbase [gordonr 7343]
* Mon Feb 3 2003 Mark Knox <markk@e-smith.com>
- [1.13.0-08]
- Open port 443 when either web server is enabled [markk 6428]
* Fri Jan 24 2003 Charlie Brady <charlieb@e-smith.com>
- [1.13.0-07]
- Fix one last broken here document. [charlieb 6651]
* Thu Jan 23 2003 Charlie Brady <charlieb@e-smith.com>
- [1.13.0-06]
- Fix a few typos in previous round of masq fragment changes. [charlieb]
* Thu Jan 23 2003 Charlie Brady <charlieb@e-smith.com>
- [1.13.0-05]
- formatting changes in masq/00Functions template fragment [charlieb]
- Use connection tracking on both INPUT and FORWARD tables [charlieb 6651]
- Allow any local traffic on INPUT and FORWARD chains. Local traffic
is currently defined as all traffic which didn't come in via the
external interface. That definition can easily change, as there is
a special chain for accepting local traffic. [charlieb 6709]
- Remove explicit allow of multicast traffic, as it is a subset of "local"
traffic [charlieb 6031, 6709]
- Move ICMP type checking into "adjust" part of masq script [charlieb 6709]
* Sat Jan 18 2003 Michael Soulier <msoulier@e-smith.com>
- [1.13.0-04]
- Permitting multicast traffic to and from the internal interface.
[msoulier 6031]
* Wed Jan 15 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.13.0-03]
- Put back non-redundant DROP lines, but add a comment as to why
they are there [gordonr 6580]
* Wed Jan 15 2003 Gordon Rowell <gordonr@e-smith.com>
- [1.13.0-02]
- Remove redundant DROP lines from denylog chain [gordonr 6580]
* Thu Jan 9 2003 Mark Knox <markk@e-smith.com>
- [1.13.0-01]
- Forced version update by co2rpm to 1.13.0
* Mon Dec 16 2002 Charlie Brady <charlieb@e-smith.com>
- [1.12.0-01]
- Roll to stable version to 1.12.0
* Fri Nov 29 2002 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-07]
- Added a get_safe_id function, to factor out firewall rule scanning code, and
prevent chain name clashes in the extreme case. [msoulier 5696]
* Thu Nov 28 2002 Michael Soulier <msoulier@e-smith.com>
- [1.11.0-06]
- Removed specific tcp_in and udp_in chains in favour of the InboundTCP_$$ and
InboundUDP__$$ chains. They are far, far easier to manage, especially for
the portforwarding blade. [msoulier 5696]
* Wed Nov 20 2002 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-05]
- Make sure that --numeric is used with any --list command, to avoid
reverse lookup delays. [charlieb 5644]
* Wed Nov 13 2002 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-04]
- Peel off ICMP for checking after packets for ESTABLISHED and RELATED
connections are allowed. This allows outbound ping to work. [charlieb 5423]
* Mon Nov 11 2002 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-03]
- Apply UDP filtering only on traffic entering via external
interface. [charlieb 5644]
* Mon Nov 11 2002 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-02]
- Add UDP input filter setup and adjust rules.
Re-arrange 00Functions a bit so that perl block is
shorter and the rest is in-line [charlieb 5644]
- Move adjustEnd to 92, to allow 91 hole for any adjustments
needing to be done after input filter rules are adjusted
(e.g. port forwarding).
* Mon Nov 11 2002 Charlie Brady <charlieb@e-smith.com>
- [1.11.0-01]
- rolling development stream to 1.11.0
* Sat Oct 19 2002 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-08]
- Send default packets on the FORWARD filter to denylog, rather than
DROP. [charlieb 5246]
- Revert 2) from 1.10.0-05 checkin. 5.5 ipchains forwarding rules do not allow
IP masqueraded packets. [charlieb 5246]
* Fri Oct 18 2002 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-07]
- Commit new file 42CheckTCPInput which was missed in last checkin.
[charlieb 5246]
* Fri Oct 18 2002 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-06]
- Create a new intermediate TCP input chain, and create a new temporary
TCP input chain whenever we run "masq adjust". This ensures that
new TCP input checking rules occur at the same place during input
checking as existing rules, and also means that rules previously created
by now-removed packages disappear. [charlieb 4501, 5246]
* Thu Oct 17 2002 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-05]
- Fix to the previous change 1) to restore some commented out rules,
and 2) to fix those rules so that they match the 5.5 ipchains
version. [charlieb 5246]
* Thu Oct 17 2002 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-04]
- Changes so that local networks can be added/deleted and "masq adjust"
will correctly re-adjust the filters. [charlieb 5246]
* Tue Oct 15 2002 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-03]
- Change 00Functions so that "tcp_in" function can create chains as required
during "masq adjust", so that new modules can add rules and still avoid
"masq restart". [charlieb 4501]
* Tue Oct 15 2002 Mark Knox <markk@e-smith.com>
- [1.10.0-02]
- Re-add echo-reply support (doesn't work with conntrack) [markk 5213]
* Sat Oct 12 2002 Charlie Brady <charlieb@e-smith.com>
- [1.10.0-01]
- Roll to maintained version number to 1.10.0
- Remove "perl createlinks" from %build section, since we no longer
have a createlinks file.
* Fri Oct 11 2002 Gordon Rowell <gordonr@e-smith.com>
- [1.9.15-07]
- Check the correct configDB entry for public POP [gordonr 5181]
* Tue Oct 8 2002 Mark Knox <markk@e-smith.com>
- [1.9.15-06]
- Use denylog target for dropped ICMP packets [markk 5095]
- Remove explicit echo-reply support (we use conntrack now) [markk 5095]
* Mon Oct 7 2002 Mark Knox <markk@e-smith.com>
- [1.9.15-05]
- Drop ICMP echo-requests on ext i/f when in private s/g mode or if Stealth
property is set. General cleanup of ICMP rules. [markk 5095]
* Wed Sep 11 2002 Gordon Rowell <gordonr@e-smith.com>
- [1.9.15-04]
- Added extra slosh in tcp_in as one gets gobbled by template evaluation
and we need one in the final output. Reformatted the lines and moved
proto/port together on first line of pair for readability [gordonr 4792]
* Thu Sep 5 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.15-03]
- Fix tcp_in function - it doesn't work too well without the jump to the
newly defined rule. Change DROP to denylog in the placeholder rule,
even though it is short-lived. [charlieb 4792]
* Mon Sep 2 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.15-02]
- Remove createlinks script and network-{create,delete} event directories -
the required change was made in e-smith-base, and this shouldn't have
been checked in. [charlieb 4501]
* Wed Aug 28 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.15-01]
- Rolling minor version number to work around wrinkle in co2rpm [charlieb 3700]
* Wed Aug 28 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.14-04]
- Remove 45AllowAUTH masq fragment - moved to e-smith-oidentd package.
[charlieb 4435]
* Tue Aug 27 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.14-03]
- Fix iptables syntax in AdjustTOS fragment [charlieb 1268]
* Mon Aug 26 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.14-02]
- Fix AllowICMPfromLAN template error [charlieb 1268]
* Thu Aug 22 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.14-01]
- Use full iptables path in status fragment - allows "service masq status" to
work. [charlieb 1268]
- Fix local networks list [charlieb 1268]
* Tue Aug 20 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.13-01]
- Fix syntax in 30adjustTOS fragment. Move definitions to start of masq
script where they can be used in functions. [charlieb 4501]
* Mon Aug 19 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.12-01]
- Add 90adjustDenyLog fragment missed in last commit. [charlieb 4501]
* Mon Aug 19 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.11-01]
- Further re-arrangement to facilitate non-disruptive update of filtering
rules. [charlieb 4501]
* Fri Aug 16 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.10-01]
- Remove 98adjust, and split it into 49adjustStart, 50adjustTCP and 51adjustEnd
fragments. Migrate network stack tuning stuff to sysctl.conf templates.
Add TOS adjustment stuff. [charlieb 4501]
* Thu Aug 15 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.9-01]
- Change masq template fragments to allow non-disruptive modification.
Add "masq adjust" verb. [charlieb 4501]
* Thu Aug 8 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.8-01]
- Remove deprecated split in masq template fragment, and add FIXME comment
to code which looks to be wrong. [charlieb 1268]
* Wed Jul 31 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.7-01]
- Use iptables state tracking to allow return traffic. Remove special
rules set up to allow the return traffic. [charlieb 4499]
* Tue Jul 23 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.6-01]
- Allow local and masqueraded traffic on forward chain. Fix syntax for denylog
chain. [charlieb 1268]
* Thu Jul 18 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.5-01]
- Avoid a perl warning from use of ${httpd-e-smith}{status} -
change to ${'httpd-e-smith'}{status}. [charlieb 1268]
* Wed Jul 17 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.4-01]
- Change syntax from ipchains (2.2 kernel) to iptables (2.4 kernel).
[charlieb 1268]
- Add "status" option to list tables.
- Miscellaneous syntax cleanups.
* Tue Jul 2 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.3-01]
- Add "modprobe ipchains" to allow firewall to work with 2.4 kernel
[charlieb 4223]
* Fri Jun 21 2002 Mark Knox <markk@e-smith.com>
- [1.9.2-01]
- Allow ICMP from all "local" networks, not just physical LAN [markk 3698]
* Fri Jun 21 2002 Mark Knox <markk@e-smith.com>
- [1.9.1-01]
- Allow ICMP on internal interface [markk 3698]
* Wed Jun 5 2002 Charlie Brady <charlieb@e-smith.com>
- [1.9.0-01]
- Changing version to maintained stream number to 1.9.0
* Fri May 31 2002 Charlie Brady <charlieb@e-smith.com>
- [1.8.0-01]
- Changing version to maintained stream number to 1.8.0
* Thu May 23 2002 Gordon Rowell <gordonr@e-smith.com>
- [1.7.3-01]
- RPM rebuild forced by cvsroot2rpm
* Fri May 10 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.2-01]
- Remove 45AllowSMTP - moved to e-smith-mailfront. [charlieb 3419]
* Fri May 10 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.1-01]
- No change. Test build of CVS conversion.
* Fri May 10 2002 Charlie Brady <charlieb@e-smith.com>
- [1.7.0-01]
- rollRPM: Rolled version number to 1.7.0-01. Includes patches up to 1.6.0-02.
* Wed Dec 19 2001 Charlie Brady <charlieb@e-smith.com>
- [1.6.0-02]
- Restore run time lookup of ExternalIP by /etc/rc.d/init.d/masq.
- Make sure that OUTERNET is set to a valid IP address, even if
ExternalIP is not set in config db, to avoid syntax errors in
ipchains command in masq script.
* Tue Dec 11 2001 Jason Miller <jay@e-smith.com>
- [1.6.0-01]
- rollRPM: Rolled version number to 1.6.0-01. Includes patches up to 1.5.0-05.
* Thu Dec 06 2001 Charlie Brady <charlieb@e-smith.com>
- [1.5.0-05]
- Add support for ippp0 as the external interface - if sync ISDN is used.
* Wed Nov 21 2001 Adrian Chung <adrianc@e-smith.com>
- [1.5.0-04]
- Add $OUT = "" to 01localNetworks so that '1' isn't output
into template when 01localNetworks generates no output.
* Wed Nov 21 2001 Adrian Chung <adrianc@e-smith.com>
- [1.5.0-03]
- Splitting @locals and $primaryLocalNet generation out of
40AllowLocals into 01localNetworks.
- transproxy fragment from e-smith-proxy needs these variables in
35transproxy.
* Tue Nov 06 2001 Charlie Brady <charlieb@e-smith.com>
- [1.5.0-02]
- Fix variable naming error in setting up @locals array.
- Remove forwarding rules from stopmasq section - and remove the 'stop'
alias for this case - there is a separate stop section of the script.
- Add bidirectional forwarding rules for each local network to our network.
This both enables the forwarded traffic, and also prevents masquerading
of the local traffic.
* Mon Nov 5 2001 Charlie Brady <charlieb@e-smith.com>
- [1.5.0-01]
- Rolled version number to 1.5.0-01. Includes patches upto 1.4.0-02.
* Mon Oct 29 2001 Charlie Brady <charlieb@e-smith.com>
- [1.4.0-02]
- Allow packet forwarding from localnet to localnet in serveronly mode -
this is necessary for PPTP VPN termination.
* Thu Aug 23 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.4.0-01]
- Rolled version number to 1.4.0-01. Includes patches upto 1.3.0-08.
* Fri Aug 17 2001 gordonr
- [1.3.0-08]
- Autorebuild by rebuildRPM
* Mon Aug 13 2001 Adrian Chung <adrianc@e-smith.com>
- [1.3.0-07]
- Apply the patch. :)
* Fri Aug 10 2001 Adrian Chung <adrianc@e-smith.com>
- [1.3.0-06]
- Multicast range is 224.0.0.0 to 239.255.255.255 which
is 224.0.0.0/4 not 224.0.0.0/3.
224.0.0.0/3 covers 255.255.255.255 which denies DHCP traffic
* Sat Apr 21 2001 Gordon Rowell <gordonr@e-smith.com>
Mon Apr 21 2001 --> Mon Apr 16 2001 or Sat Apr 21 2001 or Mon Apr 23 2001 or ....
- [1.3.0-05]
- Putback Charlie's change to add Stealth property to masq service, defaulting
to "no". If set to "yes", external ICMP echo packets are ignored.
* Sat Apr 07 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.3.0-04]
- Forward port patches from 1.2.0-01 to 1.2.0-06
* Sun Mar 25 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.2.0-06]
- Two new properties of masq service - PermitHighUDP and PermitHighTCP.
Both default to "yes", but provide an easy way to block unprivileged
TCP/UDP or both.
* Fri Mar 23 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.2.0-05]
- Default auth/smtp/http[s] to public for backwards compatability
* Fri Mar 23 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.2.0-04]
- masq service now has an optional property Logging, defaulting to "none"
- Only log denied packets if Logging is other than "none" - this stops
logging of the SMB chatter on cable and other shared networks
- Ignore SMB and RIP packets unless Logging is "all"
* Thu Mar 22 2001 Gordon Rowell <gordonr@e-smith.com>
- [1.2.0-03]
- Check access property for httpd-e-smith/smtpd/identd
* Wed Mar 7 2001 Adrian Chung <adrianc@e-smith.com>
- [1.3.0-03]
- set rp_filter to 0 for 'all' interface as well.
* Wed Mar 7 2001 Adrian Chung <adrianc@e-smith.com>
- [1.3.0-02]
- set rp_filter to 0 for 'default' interface, explicitly set
it to 1 for eth0, eth1.
- ipsec-restart will set eth1 to '0'.
* Wed Mar 7 2001 Adrian Chung <adrianc@e-smith.com>
- [1.3.0-01]
- branching to development stream.
* Thu Feb 8 2001 Adrian Chung <adrianc@e-smith.com>
- [1.2.0-02]
- Rolling release number for GPG signing.
* Thu Jan 25 2001 Peter Samuel <peters@e-smith.com>
- [1.2.0-01]
- Rolled version number to 1.2.0-01. Includes patches upto 1.1.0-16.
* Thu Jan 25 2001 Adrian Chung <adrianc@e-smith.com>
- [1.1.0-16]
- removed 35DenyUnrouteable fragment, since it affects
us, and anyone else using a provider who masquerades
connections.
* Wed Jan 24 2001 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-15]
- Remove AllowFTP fragment - moved to e-smith-proftpd.
* Thu Jan 18 2001 Adrian Chung <adrianc@e-smith.com>
- [1.1.0-14]
- adjusted 45AllowFTP to follow value of FTP accessLimits instead
of service status.
* Mon Dec 18 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-13]
- Added use esmith::db
* Mon Dec 18 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-12]
- Backed out -11 patch - not required
- Reordered fragments
* Mon Dec 18 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-11]
- Added source/destination to icmp rules
* Fri Dec 15 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-10]
- Added protocol option to icmp fragments
- Removed masqstart/masqstop
- Allowed icmp echo-request and echo-reply
* Fri Dec 15 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-9]
- Rearranged fragments
- Split some rules into new chains
- Added extra ICMP rules
* Fri Dec 15 2000 Charlie Brady <charlieb@e-smith.com>
- [1.1.0-8]
- Move AllowSSH template fragment to e-smith-openssh.
- Fix uninitialised value problem in 15Definitions.
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-7]
- Normalised AUTH template and fixed HTTP[S] templates
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-6]
- Used hard-quote form of HERE documents to avoid $ expansions
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-5]
- Normalised structure of 45Allow* fragments
- Moved 45AllowIONonPriv to 46AllowIONonPriv
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-4]
- Fixed service name in templates - imapd -> imap
- Changed mode -> access
* Tue Dec 12 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-3]
- Rewrote 15definitions and 45* fragments which checked services entries
* Tue Dec 05 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-2]
- Determine ExternalIP at run time
- Modified templates to check services entries
- Added COPYING file and GPL Copyright
* Tue Dec 05 2000 Gordon Rowell <gordonr@e-smith.com>
- [1.1.0-1]
- Rolled version and tarball including patches to 0.1-4
- Used e-smith-devtools
* Thu Nov 30 2000 Gordon Rowell <gordonr@e-smith.com>
- [0.1-4]
- Changes to match change to pppoe service
* Wed Nov 29 2000 Gordon Rowell <gordonr@e-smith.com>
- Handle ppp0 as external interface for PPPoE setups
* Tue Nov 21 2000 Charlie Brady <charlieb@e-smith.com>
- Remove extraneous } in 15definitions
* Sun Nov 19 2000 Charlie Brady <charlieb@e-smith.com>
- initial release
%prep
%setup
rm -rf root/var/service/ulogd
mkdir -p root/run/ulog
%build
perl createlinks
%install
rm -rf $RPM_BUILD_ROOT
for file in masq
do
mkdir -p root/etc/e-smith/templates/etc/rc.d/init.d/$file
ln -s /etc/e-smith/templates-default/template-begin-shell \
root/etc/e-smith/templates/etc/rc.d/init.d/$file/template-begin
done
(cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT)
mkdir -p $RPM_BUILD_ROOT/var/log/iptables
mkdir -p $RPM_BUILD_ROOT/service
#ln -s /var/service/ulogd $RPM_BUILD_ROOT/service/ulogd
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
--dir /var/log/iptables 'attr(0755,ulog,ulog)' \
--dir /run/ulog 'attr(2755,ulog,ulog)' \
> e-smith-%{version}-filelist
echo "%doc COPYING" >> e-smith-%{version}-filelist
# --dir /var/service/ulogd 'attr(1755,root,root)' \
# --file /var/service/ulogd/run 'attr(0755,root,root)' \
# --dir /var/service/ulogd/log 'attr(0755,root,root)' \
# --file /var/service/ulogd/log/run 'attr(0755,root,root)' \
%clean
rm -rf $RPM_BUILD_ROOT
%pre
if [ $1 -gt 1 ] ; then
if [ -e /var/service/ulogd/run ] ; then
/usr/bin/sv d ulogd
/usr/bin/sv d ulogd/log
fi
fi
/usr/sbin/groupadd \
-g 1010 -o ulog 2>/dev/null || :
/usr/sbin/useradd \
-u 1010 -g 1010 -c 'ulogd user' -d /var/log/ulogd \
-M -s /bin/false ulog || :
%files -f e-smith-%{version}-filelist
%defattr(-,root,root)

View File

@ -0,0 +1 @@
drop

View File

@ -0,0 +1 @@
most

View File

@ -0,0 +1 @@
no

View File

@ -0,0 +1 @@
disabled

View File

@ -0,0 +1 @@
yes

View File

@ -0,0 +1 @@
enabled

View File

@ -0,0 +1 @@
service

View File

@ -0,0 +1 @@
enabled

View File

@ -0,0 +1 @@
service

View File

@ -0,0 +1 @@
enabled

View File

@ -0,0 +1 @@
PERMS=0755

View File

@ -0,0 +1 @@
PERMS=0600

View File

@ -0,0 +1,23 @@
/var/log/ulogd/ulogd.log \{
missingok
notifempty
weekly
compress
sharedscripts
postrotate
/usr/bin/systemctl restart ulogd > /dev/null 2>&1
endscript
\}
/var/log/iptables/*.log \{
missingok
notifempty
daily
compress
sharedscripts
postrotate
/usr/bin/systemctl restart ulogd > /dev/null 2>&1
endscript
\}

View File

@ -0,0 +1,20 @@
{
my $internalif = $InternalInterface{Name};
my $outernet = ($SystemMode eq "serveronly") ?
$LocalIP : '$(/sbin/e-smith/config get ExternalIP)';
$OUT .= <<HERE;
INTERNALIF=$internalif
OUTERNET=$outernet
if [ -z "\$OUTERNET" ]
then
OUTERNET=1.1.1.1 # Put in placeholder address, to ensure correct iptables syntax
fi
HERE
if ($SystemMode ne "serveronly")
{ $OUT .= " OUTERIF=".$ExternalInterface{Name} }
else
{ $OUT .= "# OUTERIF='there_isnt_one'"; }
}

View File

@ -0,0 +1,124 @@
{
@tcp_acl_rules = ();
# Define a function which can be used in subsequent fragments
# This function collects a list of TCP ports, and whether
# or not inbound TCP connections are permitted to the port
# The list is later used in the "adjust" section of the overall
# mask script to set up chains and rules which implement the
# policy
sub allow_tcp_in
{
my $port = shift;
my $allow = shift;
my $target = $allow ? "ACCEPT" : "denylog";
push @tcp_acl_rules, " adjust_tcp_in $port $target";
return "";
}
@udp_acl_rules = ();
# This function collects a list of UDP ports, and whether
# or not inbound UDP packets are permitted to the port
# The list is later used in the "adjust" section of the overall
# mask script to set up chains and rules which implement the
# policy
sub allow_udp_in
{
my $port = shift;
my $allow = shift;
my $target = $allow ? "ACCEPT" : "denylog";
push @udp_acl_rules, " adjust_udp_in $port $target";
return "";
}
@tcp_forward_acl_rules = ();
# This function performs the same function as allow_tcp_in, except that
# it works with the FORWARD chain instead of the INPUT chain.
sub allow_tcp_forward
{
my $port = shift;
my $allow = shift;
my $target = $allow ? "ACCEPT" : "denylog";
push @tcp_forward_acl_rules, " adjust_tcp_in $port $target";
return "";
}
@udp_forward_acl_rules = ();
# This function performs the same function as allow_udp_in, except that
# it works with the FORWARD chain instead of the INPUT chain.
sub allow_udp_forward
{
my $port = shift;
my $allow = shift;
my $target = $allow ? "ACCEPT" : "denylog";
push @udp_forward_acl_rules, " adjust_udp_in $port $target";
return "";
}
"";
}
adjust_tcp_in() \{
local dport=$1
local target=$2
local chain=$3
local dnet=$4
# Add the rule requested.
rule="/sbin/iptables --append $chain --protocol tcp --dport $dport"
if [ -n "$dnet" ]; then
rule="$rule --destination $dnet"
fi
rule="$rule --in-interface $\{OUTERIF:-$INTERNALIF\} --jump $target"
$rule
\}
adjust_udp_in() \{
local dport=$1
local target=$2
local chain=$3
local dnet=$4
# Add the rule requested.
rule="/sbin/iptables --append $chain --protocol udp --dport $dport"
if [ -n "$dnet" ]; then
rule="$rule --destination $dnet"
fi
rule="$rule --in-interface $\{OUTERIF:-$INTERNALIF\} --jump $target"
$rule
\}
get_safe_id() \{
# Expect arguments of, chain_name, table, mode, where mode can be either
# find or new
local chain_name=$1
local table=$2
local mode=$3
# Find the existing numbered chain.
current=$(/sbin/iptables --table $table --list $chain_name --numeric |\
sed -n '3s/ .*//p')
if [ "x$current" = "x" ]; then
# We didn't find it.
echo "ERROR: Cannot find chain $chain_name in table $table" 1>&2
exit 1
fi
# If we're in find mode, return this chain.
case "$mode" in
find)
echo $current ;;
new)
# Make sure the number on this chain doesn't conflict with our
# process ID.
current_id=$(echo $current |\
sed -n -e "s/^$chain_name//" -e "s/^_//p")
if [ "x$current_id" = "x" ]
then
echo "ERROR: Cannot find process ID on chain name" 1>&2
exit 1
fi
# If it conflicts with our process ID, add one to ours.
if [ $current_id -eq $$ ]
then
echo $\{chain_name\}_$(expr $$ + 1)
else
echo $\{chain_name\}_$$
fi
;;
esac
\}

View File

@ -0,0 +1,5 @@
case "$1" in
start)
echo -n "Enabling IP masquerading: "

View File

@ -0,0 +1,36 @@
{
#----------------------------------------------------------------------
# This template defines both:
# - our local network/netmask ($primaryLocalNet)
# - a list of all our local networks from the networks database.
#----------------------------------------------------------------------
$OUT = "";
# We won't use "my" for @locals, so that we can use it in other fragments
@locals = ();
use esmith::util;
my ($network, $broadcast) =
esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);
$primaryLocalNet = "$network/$LocalNetmask";
push @locals, $primaryLocalNet;
use esmith::NetworksDB;
$nets = esmith::NetworksDB->open;
foreach my $network ($nets->get_all_by_prop(type => 'network'))
{
my $key = $network->key;
my $mask = $network->prop('Mask');
push @locals, "$key/$mask";
}
# Remove duplicates.
my %count = ();
foreach my $net (@locals)
{
$count{$net}++;
}
@locals = keys %count;
}

View File

@ -0,0 +1,6 @@
/sbin/iptables -F -t filter
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -X -t filter
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle

View File

@ -0,0 +1,3 @@
/sbin/iptables --flush FORWARD
/sbin/iptables --flush INPUT
/sbin/iptables --flush OUTPUT

View File

@ -0,0 +1,2 @@
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

View File

@ -0,0 +1,22 @@
{
# We need to be sure that we have enough rules to replace when we adjust the
# ruleset. We currently have three settings for packetlogging - "all",
# "most" and "some".
#
# "some" equates to this:
#
# ...
# /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
# /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
# /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
# /sbin/iptables --replace denylog 4 --jump ULOG ...
# ...
#
# After we do the logging with rule 4, we need rule 5 to drop the packet.
}
/sbin/iptables --new-chain denylog
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP

View File

@ -0,0 +1,20 @@
{
my @tcp_minimize_delay = ();
if ($masq{TCPMinimizeDelay})
{
@tcp_minimize_delay = split ',', $masq{TCPMinimizeDelay};
}
$ports = "@tcp_minimize_delay";
$ports = 'pass' unless $ports;
$OUT = '';
}
# Set telnet, www, smtp, pop3 and FTP for minimum delay
for port in {$ports}
do
if [ $port != 'pass' ]
then
/sbin/iptables --table mangle --append OUTPUT \
--protocol tcp --dport $port \
-j TOS --set-tos Minimize-Delay
fi
done

View File

@ -0,0 +1,5 @@
# TODO - this hasn't yet been converted for iptables - does it
# need to be?
# set timeouts for tcp tcpfin udp
#/sbin/iptables --masquerading --set 14400 60 600

View File

@ -0,0 +1,8 @@
/sbin/iptables --new-chain state_chk
# Allow any already established or related connection
/sbin/iptables --append state_chk -m state --state ESTABLISHED,RELATED -j ACCEPT
# We filter all input and forwarded traffic this way
/sbin/iptables --append INPUT -j state_chk
/sbin/iptables --append FORWARD -j state_chk

View File

@ -0,0 +1,16 @@
# Create a new chain to handle local traffic
/sbin/iptables --new-chain local_chk
/sbin/iptables --new-chain local_chk_1
# Accept any traffic initiated on "local" interfaces
if [ -n "$OUTERIF" ]; then
/sbin/iptables --append local_chk_1 \
! --in-interface $OUTERIF -j ACCEPT
fi
/sbin/iptables --append local_chk -j local_chk_1
# We filter all input and forwarded traffic this way
/sbin/iptables --append INPUT -j local_chk
/sbin/iptables --append FORWARD -j local_chk

View File

@ -0,0 +1,7 @@
# Drop all multicast traffic. Note that anything on from a local network
# will have already been accepted via the local_chk chain.
/sbin/iptables --append INPUT -s 224.0.0.0/4 -j denylog
/sbin/iptables --append INPUT -d 224.0.0.0/4 -j denylog
/sbin/iptables --append OUTPUT -s 224.0.0.0/4 -j denylog
/sbin/iptables --append OUTPUT -d 224.0.0.0/4 -j denylog

View File

@ -0,0 +1,8 @@
/sbin/iptables --table nat --new-chain PostroutingOutbound
/sbin/iptables --table nat --append PostroutingOutbound \
--source $OUTERNET -j ACCEPT
/sbin/iptables --append PostroutingOutbound -t nat -j MASQUERADE
if [ -n "$OUTERIF" ]; then
/sbin/iptables --append POSTROUTING -t nat \
--out-interface $OUTERIF -j PostroutingOutbound
fi

View File

@ -0,0 +1,10 @@
{
if ($ExternalDHCP eq "on")
#DHCP CLIENT ALLOW - I'm not sure that we need this, since it
# could be covered by connection tracking.
{
$OUT .= <<'HERE';
/sbin/iptables --append INPUT -p udp --dport 67:68 -i ${OUTERIF:-$INTERNALIF} -j ACCEPT
HERE
}
}

View File

@ -0,0 +1,7 @@
/sbin/iptables --new-chain InboundICMP
/sbin/iptables --new-chain InboundICMP_1
/sbin/iptables --append INPUT --protocol icmp --jump InboundICMP
/sbin/iptables --append InboundICMP --protocol icmp --jump InboundICMP_1
# Catch any returns, just in case
/sbin/iptables --append INPUT --protocol icmp --jump denylog
/sbin/iptables --append InboundICMP --protocol icmp --jump denylog

View File

@ -0,0 +1,6 @@
/sbin/iptables --new-chain ForwardedTCP
/sbin/iptables --new-chain ForwardedTCP_1
/sbin/iptables --append FORWARD --protocol tcp --syn --jump ForwardedTCP
/sbin/iptables --append ForwardedTCP --protocol tcp --syn --jump ForwardedTCP_1
# Catch any returns.
/sbin/iptables --append ForwardedTCP --protocol tcp --syn --jump denylog

View File

@ -0,0 +1,7 @@
/sbin/iptables --new-chain InboundTCP
/sbin/iptables --new-chain InboundTCP_1
/sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
/sbin/iptables --append InboundTCP --protocol tcp --syn --jump InboundTCP_1
# Catch any returns, just in case
/sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
/sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog

View File

@ -0,0 +1,6 @@
/sbin/iptables --new-chain ForwardedUDP
/sbin/iptables --new-chain ForwardedUDP_1
/sbin/iptables --append FORWARD --protocol udp --jump ForwardedUDP
/sbin/iptables --append ForwardedUDP --protocol udp --jump ForwardedUDP_1
# Catch any returns.
/sbin/iptables --append ForwardedUDP --protocol udp --jump denylog

View File

@ -0,0 +1,9 @@
/sbin/iptables --new-chain InboundUDP
/sbin/iptables --new-chain InboundUDP_1
/sbin/iptables --append INPUT --protocol udp --in-interface $\{OUTERIF:-$INTERNALIF\} \
--jump InboundUDP
/sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
# Catch any returns, just in case
/sbin/iptables --append INPUT --protocol udp --in-interface $\{OUTERIF:-$INTERNALIF\} \
--jump denylog
/sbin/iptables --append InboundUDP --protocol udp --jump denylog

View File

@ -0,0 +1,9 @@
{
my $status = $dhcpd{status} || 'disabled';
if ($status eq 'enabled')
{
$OUT .= <<'HERE';
/sbin/iptables --append INPUT -p udp --sport 67:68 -i $INTERNALIF -j ACCEPT
HERE
}
}

View File

@ -0,0 +1,5 @@
{
## Set Default rule on FORWARD chain to denylog
}
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --append FORWARD --jump denylog

View File

@ -0,0 +1,5 @@
{
## Set default policy
}
/sbin/iptables --policy INPUT DROP
/sbin/iptables --append INPUT --jump denylog

View File

@ -0,0 +1,5 @@
{
## Set default policy
}
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --append OUTPUT --jump ACCEPT

View File

@ -0,0 +1,4 @@
$0 adjust
echo "done"
;;

View File

@ -0,0 +1,13 @@
adjust)
status=$(/sbin/e-smith/config getprop masq status)
if [ $status = "disabled" ]
then
exit 0
fi
test -z "$2" && exec chpst -l /var/lock/masq.adjust $0 adjust with_lock
trace=$(/sbin/e-smith/config getprop masq Trace)
if [ $trace = "enabled" ]; then
# Toggle trace off.
$0 trace
fi

View File

@ -0,0 +1,7 @@
{
$OUT .=<<'EOF';
OLD_ForwardedTCP=$(get_safe_id ForwardedTCP filter find)
NEW_ForwardedTCP=$(get_safe_id ForwardedTCP filter new)
/sbin/iptables --new-chain $NEW_ForwardedTCP
EOF
}

View File

@ -0,0 +1,7 @@
{
# Append all our forwarding rules.
foreach my $rule (@tcp_forward_acl_rules)
{
$OUT .= "$rule \$NEW_ForwardedTCP\n";
}
}

View File

@ -0,0 +1,9 @@
{
# Activate the chain and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace ForwardedTCP 1 \
--jump $NEW_ForwardedTCP
/sbin/iptables --flush $OLD_ForwardedTCP
/sbin/iptables --delete-chain $OLD_ForwardedTCP
EOF
}

View File

@ -0,0 +1,8 @@
{
# Repeat this exercise for the ForwardedUDP chain.
$OUT .=<<'EOF';
OLD_ForwardedUDP=$(get_safe_id ForwardedUDP filter find)
NEW_ForwardedUDP=$(get_safe_id ForwardedUDP filter new)
/sbin/iptables --new-chain $NEW_ForwardedUDP
EOF
}

View File

@ -0,0 +1,7 @@
{
# Append our forwarding rules.
foreach my $rule (@udp_forward_acl_rules)
{
$OUT .= "$rule \$NEW_ForwardedUDP\n";
}
}

View File

@ -0,0 +1,9 @@
{
# Activate the new chain and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace ForwardedUDP 1 \
--jump $NEW_ForwardedUDP
/sbin/iptables --flush $OLD_ForwardedUDP
/sbin/iptables --delete-chain $OLD_ForwardedUDP
EOF
}

View File

@ -0,0 +1,10 @@
{
# Find the current InboundTCP_$$ chain, and create a new one.
$OUT .=<<'EOF';
OLD_InboundTCP=$(get_safe_id InboundTCP filter find)
NEW_InboundTCP=$(get_safe_id InboundTCP filter new)
/sbin/iptables --new-chain $NEW_InboundTCP
EOF
$OUT .= " /sbin/iptables --append \$NEW_InboundTCP \\! " .
"--destination \$OUTERNET --jump denylog\n";
}

View File

@ -0,0 +1,14 @@
{
return "" if $oidentd{status} eq "enabled";
return <<'END_REJECT_IDENT';
/sbin/iptables -A $NEW_InboundTCP --proto tcp --dport 113 \
--destination $OUTERNET \
--jump REJECT \
--reject-with tcp-reset
END_REJECT_IDENT
}

View File

@ -0,0 +1,44 @@
{
@tcpsvcs = ($DB->get_all_by_prop( TCPPort => '\d+'), $DB->get_all_by_prop( TCPPorts => '\d+(,\d+|:\d+)*'));
foreach my $filter ( sort {$a->key cmp $b->key} @tcpsvcs )
{
my %props = $filter->props();
my @ports = grep { $_ } split /[;,]/, ($props{TCPPort} || '').",".($props{TCPPorts} || '');
my $deny_hosts = $props{DenyHosts} || '';
my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
unless ( ($props{status} || 'disabled') eq 'enabled')
{
$allow_hosts = '';
}
unless ( ($props{access} || 'private') eq 'public')
{
$allow_hosts = '';
}
$OUT .= " # " . $filter->key . ": TCPPorts: " . (join ',', @ports) . ", AllowHosts: $allow_hosts, DenyHosts: $deny_hosts\n";
foreach my $port (sort { @a = split /[^\d]/, $a; @b = split /[^\d]/, $b; $a[0] <=> $b[0] || $a cmp $b } @ports)
{
foreach my $host (split(',', $deny_hosts))
{
$OUT .= <<HERE;
/sbin/iptables -A \$NEW_InboundTCP --proto tcp --dport $port \\
--destination \$OUTERNET --src $host --jump denylog
HERE
}
foreach my $host (split(',', $allow_hosts))
{
$OUT .= <<HERE;
/sbin/iptables -A \$NEW_InboundTCP --proto tcp --dport $port \\
--destination \$OUTERNET --src $host --jump ACCEPT
HERE
}
}
}
}

View File

@ -0,0 +1,7 @@
{
# Append all our inbound tcp rules to it.
foreach my $rule (@tcp_acl_rules)
{
$OUT .= "$rule \$NEW_InboundTCP\n";
}
}

View File

@ -0,0 +1,9 @@
{
# Having created a new Inbound TCP chain, activate it and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace InboundTCP 1 \
--jump $NEW_InboundTCP
/sbin/iptables --flush $OLD_InboundTCP
/sbin/iptables --delete-chain $OLD_InboundTCP
EOF
}

View File

@ -0,0 +1,10 @@
{
# Find the current InboundUDP_$$ chain and create a new one.
$OUT .=<<'EOF';
OLD_InboundUDP=$(get_safe_id InboundUDP filter find)
NEW_InboundUDP=$(get_safe_id InboundUDP filter new)
/sbin/iptables --new-chain $NEW_InboundUDP
EOF
$OUT .= " /sbin/iptables --append \$NEW_InboundUDP \\! " .
"--destination \$OUTERNET --jump denylog\n";
}

View File

@ -0,0 +1,44 @@
{
@udpsvcs = ($DB->get_all_by_prop( UDPPort => '\d+'), $DB->get_all_by_prop( UDPPorts => '\d+(,\d+|:\d+)*'));
foreach my $filter ( sort {$a->key cmp $b->key} @udpsvcs )
{
my %props = $filter->props();
my @ports = grep { $_ } split /[;,]/, ($props{UDPPort} || '').",".($props{UDPPorts} || '');
my $deny_hosts = $props{DenyHosts} || '';
my $allow_hosts = $props{AllowHosts} || '0.0.0.0/0';
unless ( ($props{status} || 'disabled') eq 'enabled')
{
$allow_hosts = '';
}
unless ( ($props{access} || 'private') eq 'public')
{
$allow_hosts = '';
}
$OUT .= " # " . $filter->key . ": UDPPorts: " . (join ',', @ports) . ", AllowHosts: $allow_hosts, DenyHosts: $deny_hosts\n";
foreach my $port (sort { @a = split /[^\d]/, $a; @b = split /[^\d]/, $b; $a[0] <=> $b[0] || $a cmp $b } @ports)
{
foreach my $host (split(',', $deny_hosts))
{
$OUT .= <<HERE;
/sbin/iptables -A \$NEW_InboundUDP --proto udp --dport $port \\
--destination \$OUTERNET --src $host --jump denylog
HERE
}
foreach my $host (split(',', $allow_hosts))
{
$OUT .= <<HERE;
/sbin/iptables -A \$NEW_InboundUDP --proto udp --dport $port \\
--destination \$OUTERNET --src $host --jump ACCEPT
HERE
}
}
}
}

View File

@ -0,0 +1,7 @@
{
# Append all our inbound udp rules to it.
foreach my $rule (@udp_acl_rules)
{
$OUT .= "$rule \$NEW_InboundUDP\n";
}
}

View File

@ -0,0 +1,9 @@
{
# Having created a new Inbound UDP chain, activate it and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace InboundUDP 1 \
--jump $NEW_InboundUDP
/sbin/iptables --flush $OLD_InboundUDP
/sbin/iptables --delete-chain $OLD_InboundUDP
EOF
}

View File

@ -0,0 +1,29 @@
{
my $logging = $masq{Logging} || "none";
my $target = $masq{DenylogTarget} eq "drop" ? 'DROP' : 'REJECT';
if ( $logging eq "none" )
{
$OUT .= " /sbin/iptables --replace denylog 1 --jump $target";
}
elsif ($logging eq "all")
{
$OUT .= <<"HERE";
/sbin/iptables --replace denylog 1 --jump ULOG --ulog-nlgroup 1 --ulog-prefix \"denylog:\"
/sbin/iptables --replace denylog 2 --jump $target
/sbin/iptables --replace denylog 3 --jump $target
/sbin/iptables --replace denylog 4 --jump $target
/sbin/iptables --replace denylog 5 --jump $target
HERE
}
else
{
$OUT .= <<"HERE";
/sbin/iptables --replace denylog 1 -p udp --dport 520 --jump $target
/sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump $target
/sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump $target
/sbin/iptables --replace denylog 4 --jump ULOG --ulog-nlgroup 1 --ulog-prefix \"denylog:\"
/sbin/iptables --replace denylog 5 --jump $target
HERE
}
}

View File

@ -0,0 +1,41 @@
# Find the current InboundICMP_$$ chain, and create a new one.
IBI=$(get_safe_id InboundICMP filter find)
new=$(get_safe_id InboundICMP filter new)
/sbin/iptables --new-chain $new
{
my $stealth = $masq{Stealth} || 'no';
if ($stealth eq 'yes')
{
$OUT .= <<HERE;
/sbin/iptables --append \$new --proto icmp \\
--icmp-type echo-request --in-interface \${OUTERIF:-\$INTERNALIF} --jump denylog
HERE
}
# We want to be very selective on the ICMPs we accept to stop
# route hijacking
my @OKicmpTypes = (
qw(
echo-request
echo-reply
destination-unreachable
source-quench
time-exceeded
parameter-problem
) );
foreach my $icmpType (@OKicmpTypes)
{
$OUT .= <<HERE;
/sbin/iptables --append \$new --proto icmp \\
--icmp-type $icmpType --jump ACCEPT
HERE
}
# Having created a new Inbound ICMP chain, activate it and
# destroy the old.
}
/sbin/iptables --append $new --jump denylog
/sbin/iptables --replace InboundICMP 1 --jump $new
/sbin/iptables --flush "$IBI"
/sbin/iptables --delete-chain "$IBI"

View File

@ -0,0 +1,2 @@
/sbin/iptables --table nat --replace PostroutingOutbound 1 \
--source $OUTERNET -j ACCEPT

View File

@ -0,0 +1,8 @@
{
$OUT .=<<'EOF';
OLD_local_chk=$(get_safe_id local_chk filter find)
NEW_local_chk=$(get_safe_id local_chk filter new)
/sbin/iptables --new-chain $NEW_local_chk
/sbin/iptables -A $NEW_local_chk --in-interface lo -j ACCEPT
EOF
}

View File

@ -0,0 +1,19 @@
{
$OUT = "";
my $locals = "@locals";
if (@locals)
{
# Make a new local_chk chain and add any networks found in networks db
foreach my $local (@locals)
{
# If the network is a remote vpn subnet, restrict it to the VPN
# interface.
my ($net, $msk) = split /\//, $local;
my $netrec = $nets->get($net);
die "Can't find network $net in networks db!\n" unless $netrec;
$OUT .= "/sbin/iptables -A \$NEW_local_chk -s $local";
$OUT .= " --in-interface " . $netrec->prop('VPNif') if ( $netrec->prop('VPNif') );
$OUT .= " -j ACCEPT\n";
}
}
}

View File

@ -0,0 +1,9 @@
{
# Activate the chain and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace local_chk 1 \
--jump $NEW_local_chk
/sbin/iptables --flush $OLD_local_chk
/sbin/iptables --delete-chain $OLD_local_chk
EOF
}

View File

@ -0,0 +1,5 @@
if [ $trace = "enabled" ]; then
# Toggle trace back on.
$0 trace
fi
;;

View File

@ -0,0 +1,14 @@
{
# #####START MASQ#####
# masqstart)
# echo ""
# echo -n "Starting IP Masquerading:"
# ## Read Masq Rules
# # . $CONFIG_DIR/pmfirewall.rules.masq
# echo " Done!"
# echo ""
# echo "Internal: $INTERNALIF $INTERNALNET"
# echo "External: $OUTERIF $OUTERNET"
# echo "" ;;
#
}

View File

@ -0,0 +1,8 @@
masqstop)
echo ""
echo -n "Shuting down IP Masquerading:"
/sbin/iptables -F FORWARD
/sbin/iptables -P FORWARD DROP
echo " Done!"
echo "" ;;

View File

@ -0,0 +1,6 @@
restart)
$0 stop
$0 start
;;

View File

@ -0,0 +1,8 @@
status)
echo $"Table: filter"
/sbin/iptables --list -n
echo $"Table: nat"
/sbin/iptables -t nat --list -n
echo $"Table: mangle"
/sbin/iptables -t mangle --list -n
;;

View File

@ -0,0 +1,38 @@
{
#####STOP FIREWALL####
}
stop)
echo ""
echo -n "Shutting down IP masquerade and firewall rules:"
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P INPUT {
# Set "safe" default mode.
($SystemMode eq "serveronly") ? "ACCEPT" : "DROP"
}
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F
{
$OUT .= '';
# Allow forwarding of local addresses, as we might be a VPN endpoint
# in serveronly mode
# @locals contains a list of local networks, with the real local
# network first
my @mylocals = @locals;
my $local = shift @mylocals;
$OUT .= " /sbin/iptables --append FORWARD -s $local" .
" -d $local -j ACCEPT\n";
foreach my $network (@mylocals)
{
$OUT .= " /sbin/iptables --append FORWARD -s $network" .
" -d $local -j ACCEPT\n";
$OUT .= " /sbin/iptables --append FORWARD -s $local" .
" -d $network -j ACCEPT\n";
}
} /sbin/iptables -X
echo " Done!"
echo "" ;;

View File

@ -0,0 +1,15 @@
trace)
trace=$(/sbin/e-smith/config getprop masq Trace)
if [ $trace = "enabled" ]; then
action="stop"
echo "Disabling iptables-trace..."
/sbin/e-smith/config setprop masq Trace disabled
else
action="start"
echo "Enabling iptables-trace..."
/sbin/e-smith/config setprop masq Trace enabled
fi
/etc/init.d/iptables-trace $action
;;

View File

@ -0,0 +1,6 @@
*)
echo "Usage: masq \{start|stop|restart|...\}"
exit 1
esac
exit 0

View File

@ -0,0 +1,7 @@
[global]
nlgroup=1
logfile=/var/log/ulogd/ulogd.log
loglevel=5
rmem=131071
bufsize=150000

View File

@ -0,0 +1,38 @@
######################################################################
# PLUGIN OPTIONS
######################################################################
# We have to configure and load all the plugins we want to use
# general rules:
#
# 0. don't specify any plugin for ulogd to load them all
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in seperate section below
#plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
#plugin="/usr/lib64/ulogd/ulogd_inppkt_UNIXSOCK.so"
#plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_IP2HBIN.so"
plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/lib64/ulogd/ulogd_filter_MARK.so"
plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so"
#plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/lib64/ulogd/ulogd_output_XML.so"
#plugin="/usr/lib64/ulogd/ulogd_output_SQLITE3.so"
#plugin="/usr/lib64/ulogd/ulogd_output_GPRINT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/lib64/ulogd/ulogd_output_PGSQL.so"
#plugin="/usr/lib64/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/lib64/ulogd/ulogd_output_DBI.so"
plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
#plugin="/usr/lib64/ulogd/ulogd_inpflow_NFACCT.so"
#plugin="/usr/lib64/ulogd/ulogd_output_GRAPHITE.so"
#plugin="/usr/lib64/ulogd/ulogd_output_JSON.so"

View File

@ -0,0 +1,4 @@
#our base stack ULOG to LOGEMU
stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU

View File

@ -0,0 +1,10 @@
[ulog1]
# denylog:
# netlink multicast group (the same as the iptables --ulog-nlgroup param)
nlgroup=1
[emu1]
file="/var/log/iptables/denylog.log"
sync=1

View File

@ -0,0 +1,96 @@
#!/bin/bash
# $Id: iptables-trace,v 1.14 2004/11/13 00:31:15 apc Exp $
# Tony Clayton <t ny-netfilter@clayt n.ca>
# You may use and edit this code freely. If you make changes to
# it that are generally useful, please email them to me and/or
# post them on the netfilter mailing list <netfilter@lists.netfilter.org>
LOGPREFIX='${table:0:1}:${chain:0:14}:$rulenumber:${target:0:14}'
MAXPREFIXSIZE=27
PRINT=0
IPTABLES="iptables"
log_entry() {
local action=$1
local table=$3 cmd=$4 chain=$5
local rulenumber="-"
shift 5
if [ "$last_chain" != "$chain" ]; then
rulenum=1
fi
case $action in
(add|addpolicy)
local rulespec
if [ "$action" = "add" ]; then
cmd="-I"
rulespec=$rulenum
rulenumber=$rulenum
let rulenum=$rulenum+2
fi
while [ "$1" != "-j" ]; do
rulespec="$rulespec $1"
shift;
done
shift;
target=$1
eval prefix="${LOGPREFIX}"
$IPTABLES -t $table $cmd $chain $rulespec -j LOG \
--log-prefix "*${prefix:0:$MAXPREFIXSIZE}:"
;;
(skip)
let rulenum=$rulenum+1
;;
(delete)
$IPTABLES -t $table -D $chain $rulenum
;;
esac
last_chain=$chain
}
start() {
for table in $(cat /proc/net/ip_tables_names); do
rulenum=1
iptables-save -t $table | grep '^-' | \
while read rule; do
log_entry add -t $table $rule
done
# log default policy for each chain
iptables-save -t $table | grep '^:' | tr -d : | \
while read chain target rest; do
if [ "$target" != "-" ]; then
log_entry addpolicy -t $table -A $chain -j $target
fi
done
done
}
stop() {
for table in $(cat /proc/net/ip_tables_names); do
iptables-save -t $table | grep '^-' | \
while read cmd; do
echo $cmd | grep -q -e '--log-prefix "\*'
if [ $? -eq 0 ]; then
log_entry delete -t $table $cmd
else
log_entry skip -t $table $cmd
fi
done
done
}
case "$1" in
start) start
;;
stop) stop
;;
start_test) IPTABLES="echo iptables"; start
;;
stop_test) IPTABLES="echo iptables"; stop
;;
*) echo $"Usage: $0 {start|stop}"
exit 1
esac
exit 0

View File

@ -0,0 +1 @@
ulogd:any:/sbin/e-smith/expand-template /etc/logrotate.d/ulogd

0
root/run/ulog/.gitignore vendored Normal file
View File

View File

@ -0,0 +1,18 @@
[Unit]
Description=masq, the Koozali SME Server firewall script
Before=network-pre.target
Wants=network-pre.target
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service firewalld.service
[Service]
Type=oneshot
ExecStartPre=/sbin/e-smith/service-status masq
ExecStart=/etc/rc.d/init.d/masq start
ExecStop=/etc/rc.d/init.d/masq stop
ExecReload=/etc/rc.d/init.d/masq adjust
RemainAfterExit=yes
[Install]
WantedBy=sme-server.target

View File

@ -0,0 +1,3 @@
[Unit]
Wants=ulogd.service

View File

@ -0,0 +1,17 @@
[Unit]
Description=Netfilter Userspace Logging Daemon
Before=masq.service
[Service]
User=root
Group=root
Restart=always
TimeoutSec=0
Type=forking
PIDFile=/run/ulog/ulogd.pid
ExecStart=/usr/sbin/ulogd --daemon --uid ulog --pidfile /run/ulog/ulogd.pid
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=sme-server.target multi-user.target

View File

@ -0,0 +1 @@
d /run/ulog 2755 ulog ulog

0
root/var/service/.gitignore vendored Normal file
View File