diff -Nur firehol-1.226/firehol.sh firehol-1.226.new/firehol.sh --- firehol-1.226/firehol.sh 2006-12-29 23:48:19.000000000 +0100 +++ firehol-1.226.new/firehol.sh 2006-12-29 23:49:40.000000000 +0100 @@ -74,13 +74,16 @@ return 0 } -# Check for a command during runtime. -# Currently the following commands are required only when needed: -# -# wget or curl (either is fine) -# gzcat -# +# command on demand support. require_cmd() { + local block=1 + if [ "a$1" = "a-n" ] + then + local block=0 + shift + fi + + # if one is found, return success for x in $1 do eval var=`echo ${x} | tr 'a-z' 'A-Z'`_CMD @@ -92,21 +95,56 @@ fi done + if [ $block -eq 1 ] + then + echo >&2 + echo >&2 "ERROR: THE REQUESTED FEATURE REQUIRES THESE PROGRAMS:" + echo >&2 + echo >&2 " $*" + echo >&2 + echo >&2 " You have requested the use of an optional FireHOL" + echo >&2 " feature that requires certain external programs" + echo >&2 " to be installed in the running system." + echo >&2 + echo >&2 " Please consult your Linux distribution manual to" + echo >&2 " install the package(s) that provide these external" + echo >&2 " programs and retry." + echo >&2 + echo >&2 " Note that you need an operational 'which' command" + echo >&2 " for FireHOL to find all the external programs it" + echo >&2 " needs. Check it yourself. Run:" + echo >&2 + for x in $1 + do + echo >&2 " which $x" + done + + exit 1 + fi + return 1 } +# Currently the following commands are required only when needed. +# (i.e. Command on Demand) +# +# wget or curl (either is fine) +# gzcat +# ip +# netstat +# egrep +# date +# hostname + +# Commands that are mandatory for FireHOL operation: which_cmd CAT_CMD cat which_cmd CUT_CMD cut which_cmd CHOWN_CMD chown which_cmd CHMOD_CMD chmod -which_cmd DATE_CMD date -which_cmd EGREP_CMD egrep which_cmd EXPR_CMD expr which_cmd GAWK_CMD gawk which_cmd GREP_CMD grep which_cmd HEAD_CMD head -which_cmd HOSTNAME_CMD hostname -which_cmd IP_CMD ip which_cmd IPTABLES_CMD iptables which_cmd IPTABLES_SAVE_CMD iptables-save which_cmd LESS_CMD less @@ -114,7 +152,6 @@ which_cmd MKDIR_CMD mkdir which_cmd MV_CMD mv which_cmd MODPROBE_CMD modprobe -which_cmd NETSTAT_CMD netstat which_cmd RENICE_CMD renice which_cmd RM_CMD rm which_cmd SED_CMD sed @@ -170,6 +207,9 @@ FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh" FIREHOL_TMP="${FIREHOL_DIR}/firehol-tmp.sh" +FIREHOL_LOCK_DIR="/var/lock/subsys" +test ! -d "${FIREHOL_LOCK_DIR}" && FIREHOL_LOCK_DIR="/var/lock" + FIREHOL_SPOOL_DIR="/var/spool/firehol" # The default configuration file @@ -209,6 +249,7 @@ # Run our exit even if we don't call exit. trap firehol_exit EXIT +trap firehol_exit SIGHUP # ------------------------------------------------------------------------------ @@ -267,8 +308,8 @@ if [ ! -d "${FIREHOL_SPOOL_DIR}" ] then "${MKDIR_CMD}" "${FIREHOL_SPOOL_DIR}" || exit 1 - "${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}" || exit 1 - "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}" || exit 1 + "${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}" || exit 1 + "${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}" || exit 1 fi @@ -280,7 +321,7 @@ # Optimized (CIDR) by Marc 'HE' Brockschmidt # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/ # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path. -RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7 76.0.0.0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4" +RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 92.0.0.0/6 100.0.0.0/6 104.0.0.0/5 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4 " # Private IPv4 address space # Suggested by Fco.Felix Belmonte @@ -306,6 +347,11 @@ # policy interface subscommand. DEFAULT_INTERFACE_POLICY="DROP" +# The default policy for the router commands of the firewall. +# This can be controlled on a per interface basis using the +# policy interface subscommand. +DEFAULT_ROUTER_POLICY="RETURN" + # Which is the filter table chains policy during firewall activation? FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT" FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT" @@ -329,6 +375,10 @@ FIREHOL_LOG_MODE="LOG" FIREHOL_LOG_FREQUENCY="1/second" FIREHOL_LOG_BURST="5" +FIREHOL_LOG_PREFIX="" + +# If enabled, FireHOL will silently drop orphan TCP packets with ACK,FIN set. +FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=0 # The client ports to be used for "default" client ports when the # client specified is a foreign host. @@ -427,7 +477,7 @@ work_name= work_inface= work_outface= -work_policy="${DEFAULT_INTERFACE_POLICY}" +work_policy= work_error=0 work_function="Initializing" @@ -618,6 +668,9 @@ server_microsoft_ds_ports="tcp/445" client_microsoft_ds_ports="default" +server_ms_ds_ports="tcp/445" +client_ms_ds_ports="default" + server_mms_ports="tcp/1755 udp/1755" client_mms_ports="default" require_mms_modules="ip_conntrack_mms" @@ -666,6 +719,9 @@ server_oracle_ports="tcp/1521" client_oracle_ports="default" +server_OSPF_ports="89/any" +client_OSPF_ports="any" + server_pop3_ports="tcp/110" client_pop3_ports="default" @@ -708,7 +764,7 @@ client_rtp_ports="any" server_sip_ports="udp/5060" -client_sip_ports="default" +client_sip_ports="5060 default" server_socks_ports="tcp/1080 udp/1080" client_socks_ports="default" @@ -769,7 +825,7 @@ server_vmwareauth_ports="tcp/903" client_vmwareauth_ports="default" -server_vmwareweb_ports="tcp/8222" +server_vmwareweb_ports="tcp/8222 tcp/8333" client_vmwareweb_ports="default" server_vnc_ports="tcp/5900:5903" @@ -1090,10 +1146,12 @@ local server_rquotad_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " rquotad$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" local server_mountd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " mountd$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" local server_lockd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nlockmgr$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + local server_statd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " status$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" local server_nfsd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nfs$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" test -z "${server_mountd_ports}" && error "Cannot find mountd ports for nfs server '${x}'" && return 1 test -z "${server_lockd_ports}" && error "Cannot find lockd ports for nfs server '${x}'" && return 1 + test -z "${server_statd_ports}" && error "Cannot find statd ports for nfs server '${x}'" && return 1 test -z "${server_nfsd_ports}" && error "Cannot find nfsd ports for nfs server '${x}'" && return 1 local dst= @@ -1113,6 +1171,9 @@ set_work_function "Processing lockd rules for server '${x}'" rules_custom "${mychain}" "${type}" nfs-lockd "${server_lockd_ports}" "500:65535" "${action}" $dst "$@" + + set_work_function "Processing statd rules for server '${x}'" + rules_custom "${mychain}" "${type}" nfs-statd "${server_statd_ports}" "500:65535" "${action}" $dst "$@" set_work_function "Processing nfsd rules for server '${x}'" rules_custom "${mychain}" "${type}" nfs-nfsd "${server_nfsd_ports}" "500:65535" "${action}" $dst "$@" @@ -1798,7 +1859,7 @@ firehol_wget() { local url="${1}" - require_cmd wget curl || error "Cannot find 'wget' or 'curl' in the path." + require_cmd wget curl if [ ! -z "${WGET_CMD}" ] then @@ -2407,9 +2468,9 @@ policy() { work_realcmd_secondary ${FUNCNAME} "$@" - require_work set interface || return 1 + require_work set any || return 1 - set_work_function "Setting interface '${work_inface}' (${work_name}) policy to ${1}" + set_work_function "Setting policy of ${work_name} to ${1}" work_policy="$*" return 0 @@ -2482,6 +2543,11 @@ return 0 ;; + bad-packets|BAD-PACKETS) + protection ${reverse} "invalid fragments new-tcp-w/o-syn malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}" + return $? + ;; + strong|STRONG|full|FULL|all|ALL) protection ${reverse} "invalid fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}" return $? @@ -2529,6 +2595,16 @@ rule in chain "${mychain}" loglimit "SYN FLOOD" action drop || return 1 ;; + all-floods|ALL-FLOODS) + local mychain="${pre}_${work_name}_allflood" + create_chain filter "${mychain}" "${in}_${work_name}" in state NEW || return 1 + + set_work_function "Generating rules to be protected from ALL floods on '${prface}' for ${work_cmd} '${work_name}'" + + rule in chain "${mychain}" limit "${rate}" "${burst}" action return || return 1 + rule in chain "${mychain}" loglimit "ALL FLOOD" action drop || return 1 + ;; + malformed-xmas|MALFORMED-XMAS) local mychain="${pre}_${work_name}_malxmas" create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL" || return 1 @@ -2589,7 +2665,7 @@ # kernel modules. # optionaly require command gzcat -require_cmd gzcat +require_cmd -n gzcat KERNEL_CONFIG= if [ -f "/proc/config" ] @@ -2632,6 +2708,7 @@ echo >&2 " all kernel modules for the services used, without" echo >&2 " being able to detect failures." echo >&2 " " + sleep 2 fi # activation-phase command to check for the existance of @@ -2824,11 +2901,12 @@ work_name= work_inface= work_outface= - work_policy="${DEFAULT_INTERFACE_POLICY}" + work_policy= return 0 } + # ------------------------------------------------------------------------------ # close_interface # WHY: @@ -2841,6 +2919,12 @@ set_work_function "Finilizing interface '${work_name}'" + # Accept all related traffic to the established connections + rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 + rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 + + # make sure we have a policy + test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}" case "${work_policy}" in return|RETURN) return 0 @@ -2849,15 +2933,18 @@ accept|ACCEPT) ;; - *) + *) local -a inlog=(loglimit "'IN-${work_name}'") local -a outlog=(loglimit "'OUT-${work_name}'") ;; esac - # Accept all related traffic to the established connections - rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 - rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 + if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] + then + # Silently drop orphan TCP/ACK FIN packets + rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 + rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 + fi rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1 rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1 @@ -2882,6 +2969,32 @@ rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 + # make sure we have a policy + test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}" + case "${work_policy}" in + return|RETURN) + return 0 + ;; + + accept|ACCEPT) + ;; + + *) + local -a inlog=(loglimit "'PASS-${work_name}'") + local -a outlog=(loglimit "'PASS-${work_name}'") + ;; + esac + + if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] + then + # Silently drop orphan TCP/ACK FIN packets + rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 + rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 + fi + + rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1 + rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1 + return 0 } @@ -2900,6 +3013,14 @@ rule chain OUTPUT state RELATED action ACCEPT || return 1 rule chain FORWARD state RELATED action ACCEPT || return 1 + if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] + then + # Silently drop orphan TCP/ACK FIN packets + rule chain INPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 + rule chain OUTPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 + rule chain FORWARD state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 + fi + rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1 rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1 rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1 @@ -3055,7 +3176,7 @@ # to pass. if [ "${do_accept_limit}" = "1" ] then - local accept_limit_chain="`echo "ACCEPT ${freq} ${burst} ${overflow}" | tr " /." "___"`" + local accept_limit_chain="`echo "ACCEPT LIMIT ${freq} ${burst} ${overflow}" | tr " /." "___"`" # does the chain we need already exist? if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}" ] @@ -3075,9 +3196,9 @@ local -a logopts_arg=() if [ "${FIREHOL_LOG_MODE}" = "ULOG" ] then - local -a logopts_arg=("--ulog-prefix='OVERFLOW:'") + local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'") else - local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='OVERFLOW:'") + local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'") fi iptables ${table} -A "${accept_limit_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" @@ -3096,6 +3217,62 @@ fi ;; + "recent") + # limit NEW connections to the specified rate + local name="${action_param[1]}" + local seconds="${action_param[2]}" + local hits="${action_param[3]}" + + # unset the action_param, so that if this rule does not include NEW connections, + # we will not append anything to the generated iptables statements. + local -a action_param=() + + # find is this rule matches NEW connections + local has_new=`echo "${state}" | grep -i NEW` + local do_accept_recent=0 + if [ -z "${statenot}" ] + then + test ! -z "${has_new}" && local do_accept_recent=1 + else + test -z "${has_new}" && local do_accept_recent=1 + fi + + # we have a match for NEW connections. + # redirect the traffic to a new chain, which will control + # the NEW connections while allowing all the other traffic + # to pass. + if [ "${do_accept_recent}" = "1" ] + then + local accept_recent_chain="`echo "ACCEPT RECENT $name $seconds $hits" | tr " /." "___"`" + + # does the chain we need already exist? + if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ] + then + # the chain does not exist. create it. + iptables ${table} -N "${accept_recent_chain}" + touch "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" + + # first, if the traffic is not a NEW connection, allow it. + # doing this first will speed up normal traffic. + iptables ${table} -A "${accept_recent_chain}" -m state ! --state NEW -j ACCEPT + + # accept NEW connections within the given limits. + iptables ${table} -A "${accept_recent_chain}" -m recent --set --name "${name}" + + local t1= + test ! -z $seconds && local t1="--seconds ${seconds}" + local t2= + test ! -z $hits && local t2="--hitcount ${hits}" + + iptables ${table} -A "${accept_recent_chain}" -m recent --update ${t1} ${t2} --name "${name}" -j RETURN + iptables ${table} -A "${accept_recent_chain}" -j ACCEPT + fi + + # send the rule to be generated to this chain + local action=${accept_recent_chain} + fi + ;; + 'knock') # the name of the knock local name="knock_${action_param[1]}" @@ -3175,6 +3352,12 @@ local dst=any local dstnot= + local srctype= + local srctypenot= + + local dsttype= + local dsttypenot= + local sport=any local sportnot= @@ -3397,7 +3580,7 @@ if [ "${1}" = "not" -o "${1}" = "NOT" ] then shift - macnot="!" + test ${nomac} -eq 0 && macnot="!" fi test ${softwarnings} -eq 1 -a ! "${mac}" = "any" && softwarning "Overwritting param: mac '${mac}' becomes '${1}'" test ${nomac} -eq 0 && mac="${1}" @@ -3454,6 +3637,56 @@ shift ;; + srctype|SRCTYPE|sourcetype|SOURCETYPE) + shift + if [ ${reverse} -eq 0 ] + then + srctypenot= + if [ "${1}" = "not" -o "${1}" = "NOT" ] + then + shift + srctypenot="!" + fi + test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'" + srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" + else + dsttypenot= + if [ "${1}" = "not" -o "${1}" = "NOT" ] + then + shift + dsttypenot="!" + fi + test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'" + dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" + fi + shift + ;; + + dsttype|DSTTYPE|destinationtype|DESTINATIONTYPE) + shift + if [ ${reverse} -eq 0 ] + then + dsttypenot= + if [ "${1}" = "not" -o "${1}" = "NOT" ] + then + shift + dsttypenot="!" + fi + test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'" + dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" + else + srctypenot= + if [ "${1}" = "not" -o "${1}" = "NOT" ] + then + shift + srctypenot="!" + fi + test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'" + srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" + fi + shift + ;; + sport|SPORT|sourceport|SOURCEPORT) shift if [ ${reverse} -eq 0 ] @@ -3591,6 +3824,11 @@ fi ;; + recent|RECENT) + local -a action_param=("recent" "${2}" "${3}" "${4}") + shift 4 + ;; + knock|KNOCK) local -a action_param=("knock" "${2}") shift 2 @@ -3750,6 +3988,10 @@ fi ;; + tarpit|TARPIT) + action="TARPIT" + ;; + *) chain_exists "${action}" local action_is_chain=$? @@ -3991,7 +4233,7 @@ # this temporary chain. - # ignore 'statenot' since it is negated in the positive rules + # ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ] then if [ ${action_is_chain} -eq 1 ] @@ -4540,6 +4782,25 @@ ;; esac + # addrtype (srctype, dsttype) + local -a addrtype_arg=() + local -a stp_arg=() + local -a dtp_arg=() + if [ ! -z "${srctype}${dsttype}" ] + then + local -a addrtype_arg=("-m" "addrtype") + + if [ ! -z "${srctype}" ] + then + local -a stp_arg=("${srctypenot}" "--src-type" "${srctype}") + fi + + if [ ! -z "${dsttype}" ] + then + local -a dtp_arg=("${dsttypenot}" "--dst-type" "${dsttype}") + fi + fi + # state local -a state_arg=() if [ ! -z "${state}" ] @@ -4562,15 +4823,15 @@ fi # build the command - declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}") + declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${addrtype_arg[@]}" "${stp_arg[@]}" "${dtp_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}") # log mode selection local -a logopts_arg=() if [ "${FIREHOL_LOG_MODE}" = "ULOG" ] then - local -a logopts_arg=("--ulog-prefix='${logtxt}:'") + local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'") else - local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'") + local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'") fi # log / loglimit @@ -5005,8 +5266,8 @@ stop) test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored." - test -f /var/lock/subsys/firehol && ${RM_CMD} -f /var/lock/subsys/firehol - test -f /var/lock/subsys/iptables && ${RM_CMD} -f /var/lock/subsys/iptables + test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol" + test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables" echo -n $"FireHOL: Clearing Firewall:" load_kernel_module ip_tables @@ -5038,7 +5299,7 @@ condrestart) test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored." FIREHOL_TRY=0 - if [ -f /var/lock/subsys/firehol ] + if [ -f "${FIREHOL_LOCK_DIR}/firehol" ] then exit 0 fi @@ -5459,6 +5720,13 @@ if [ ${FIREHOL_WIZARD} -eq 1 ] then + # require commands for wizard mode + require_cmd ip + require_cmd netstat + require_cmd egrep + require_cmd date + require_cmd hostname + wizard_ask() { local prompt="${1}"; shift local def="${1}"; shift @@ -5603,7 +5871,12 @@ local i4=${4} local i5=${5:-32} - echo ${i1}.${i2}.${i3}.${i4}/${i5} + if [ "${i5}" = "32" ] + then + echo ${i1}.${i2}.${i3}.${i4} + else + echo ${i1}.${i2}.${i3}.${i4}/${i5} + fi } ips2net() { @@ -6354,11 +6627,11 @@ # Remove the saved firewall, so that the trap will not restore it. ${RM_CMD} -f "${FIREHOL_SAVED}" -# RedHat startup service locking. -if [ -d /var/lock/subsys ] +# Startup service locking. +if [ -d "${FIREHOL_LOCK_DIR}" ] then - ${TOUCH_CMD} /var/lock/subsys/iptables - ${TOUCH_CMD} /var/lock/subsys/firehol + ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/iptables" + ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/firehol" fi