summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'net-firewall/firehol')
-rw-r--r--net-firewall/firehol/ChangeLog10
-rw-r--r--net-firewall/firehol/files/digest-firehol-1.2503
-rw-r--r--net-firewall/firehol/files/firehol-1.226-to-250.patch748
-rw-r--r--net-firewall/firehol/files/firehol-1.250-printf.patch47
-rw-r--r--net-firewall/firehol/firehol-1.250.ebuild81
5 files changed, 888 insertions, 1 deletions
diff --git a/net-firewall/firehol/ChangeLog b/net-firewall/firehol/ChangeLog
index b9df3e9417a9..a438eabb0cbb 100644
--- a/net-firewall/firehol/ChangeLog
+++ b/net-firewall/firehol/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for net-firewall/firehol
# Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.21 2006/08/20 03:58:25 weeve Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.22 2006/12/28 20:59:13 centic Exp $
+
+*firehol-1.250 (27 Dec 2006)
+
+ 27 Dec 2006; Dominik Stadler <centic@gentoo.org>
+ +files/firehol-1.226-to-250.patch, +files/firehol-1.250-printf.patch,
+ +firehol-1.250.ebuild:
+ Add version 250 from CVS, fixes bug 151588. Depend on iproute2, fixes Bug
+ 152537. Change printf-statements, fixes Bugs 153858 and 139526
20 Aug 2006; Jason Wever <weeve@gentoo.org> firehol-1.226-r1.ebuild:
Added ~sparc keyword wrt bug #137899.
diff --git a/net-firewall/firehol/files/digest-firehol-1.250 b/net-firewall/firehol/files/digest-firehol-1.250
new file mode 100644
index 000000000000..d2c0f0cf477c
--- /dev/null
+++ b/net-firewall/firehol/files/digest-firehol-1.250
@@ -0,0 +1,3 @@
+MD5 958f6e95bad37013e544da587f55c8b7 firehol-1.226.tar.bz2 118113
+RMD160 bff910e8a3a67ce91f0634177b5ee361edc90e96 firehol-1.226.tar.bz2 118113
+SHA256 b434e8142eb4093516794c6f2213d03efa3c08161758ff836dbd266f0a9438cf firehol-1.226.tar.bz2 118113
diff --git a/net-firewall/firehol/files/firehol-1.226-to-250.patch b/net-firewall/firehol/files/firehol-1.226-to-250.patch
new file mode 100644
index 000000000000..2e042f7f05be
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.226-to-250.patch
@@ -0,0 +1,748 @@
+--- firehol.new 2006-12-27 14:13:39.000000000 +0100
++++ firehol.sh 2006-12-27 14:15:57.000000000 +0100
+@@ -10,7 +10,7 @@
+ #
+ # config: /etc/firehol/firehol.conf
+ #
+-# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ #
+
+ # Make sure only root can run us.
+@@ -74,13 +74,16 @@
+ return 0
+ }
+
+-# Check for a command during runtime.
+-# Currently the following commands are required only when needed:
+-#
+-# wget or curl (either is fine)
+-# gzcat
+-#
++# command on demand support.
+ require_cmd() {
++ local block=1
++ if [ "a$1" = "a-n" ]
++ then
++ local block=0
++ shift
++ fi
++
++ # if one is found, return success
+ for x in $1
+ do
+ eval var=`echo ${x} | tr 'a-z' 'A-Z'`_CMD
+@@ -92,21 +95,56 @@
+ fi
+ done
+
++ if [ $block -eq 1 ]
++ then
++ echo >&2
++ echo >&2 "ERROR: THE REQUESTED FEATURE REQUIRES THESE PROGRAMS:"
++ echo >&2
++ echo >&2 " $*"
++ echo >&2
++ echo >&2 " You have requested the use of an optional FireHOL"
++ echo >&2 " feature that requires certain external programs"
++ echo >&2 " to be installed in the running system."
++ echo >&2
++ echo >&2 " Please consult your Linux distribution manual to"
++ echo >&2 " install the package(s) that provide these external"
++ echo >&2 " programs and retry."
++ echo >&2
++ echo >&2 " Note that you need an operational 'which' command"
++ echo >&2 " for FireHOL to find all the external programs it"
++ echo >&2 " needs. Check it yourself. Run:"
++ echo >&2
++ for x in $1
++ do
++ echo >&2 " which $x"
++ done
++
++ exit 1
++ fi
++
+ return 1
+ }
+
++# Currently the following commands are required only when needed.
++# (i.e. Command on Demand)
++#
++# wget or curl (either is fine)
++# gzcat
++# ip
++# netstat
++# egrep
++# date
++# hostname
++
++# Commands that are mandatory for FireHOL operation:
+ which_cmd CAT_CMD cat
+ which_cmd CUT_CMD cut
+ which_cmd CHOWN_CMD chown
+ which_cmd CHMOD_CMD chmod
+-which_cmd DATE_CMD date
+-which_cmd EGREP_CMD egrep
+ which_cmd EXPR_CMD expr
+ which_cmd GAWK_CMD gawk
+ which_cmd GREP_CMD grep
+ which_cmd HEAD_CMD head
+-which_cmd HOSTNAME_CMD hostname
+-which_cmd IP_CMD ip
+ which_cmd IPTABLES_CMD iptables
+ which_cmd IPTABLES_SAVE_CMD iptables-save
+ which_cmd LESS_CMD less
+@@ -114,7 +152,6 @@
+ which_cmd MKDIR_CMD mkdir
+ which_cmd MV_CMD mv
+ which_cmd MODPROBE_CMD modprobe
+-which_cmd NETSTAT_CMD netstat
+ which_cmd RENICE_CMD renice
+ which_cmd RM_CMD rm
+ which_cmd SED_CMD sed
+@@ -134,7 +171,7 @@
+ # Find our minor version
+ firehol_minor_version() {
+ ${CAT_CMD} <<"EOF" | ${CUT_CMD} -d ' ' -f 3 | ${CUT_CMD} -d '.' -f 2
+-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ EOF
+ }
+
+@@ -170,6 +207,9 @@
+ FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh"
+ FIREHOL_TMP="${FIREHOL_DIR}/firehol-tmp.sh"
+
++FIREHOL_LOCK_DIR="/var/lock/subsys"
++test ! -d "${FIREHOL_LOCK_DIR}" && FIREHOL_LOCK_DIR="/var/lock"
++
+ FIREHOL_SPOOL_DIR="/var/spool/firehol"
+
+ # The default configuration file
+@@ -209,6 +249,7 @@
+
+ # Run our exit even if we don't call exit.
+ trap firehol_exit EXIT
++trap firehol_exit SIGHUP
+
+
+ # ------------------------------------------------------------------------------
+@@ -267,8 +308,8 @@
+ if [ ! -d "${FIREHOL_SPOOL_DIR}" ]
+ then
+ "${MKDIR_CMD}" "${FIREHOL_SPOOL_DIR}" || exit 1
+- "${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}" || exit 1
+- "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}" || exit 1
++ "${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}" || exit 1
++ "${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}" || exit 1
+ fi
+
+
+@@ -280,7 +321,7 @@
+ # Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@marcbrockschmidt.de>
+ # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/
+ # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path.
+-RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7 76.0.0.0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4"
++RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 92.0.0.0/6 100.0.0.0/6 104.0.0.0/5 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4 "
+
+ # Private IPv4 address space
+ # Suggested by Fco.Felix Belmonte <ffelix@gescosoft.com>
+@@ -306,6 +347,11 @@
+ # policy interface subscommand.
+ DEFAULT_INTERFACE_POLICY="DROP"
+
++# The default policy for the router commands of the firewall.
++# This can be controlled on a per interface basis using the
++# policy interface subscommand.
++DEFAULT_ROUTER_POLICY="RETURN"
++
+ # Which is the filter table chains policy during firewall activation?
+ FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT"
+ FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT"
+@@ -329,6 +375,10 @@
+ FIREHOL_LOG_MODE="LOG"
+ FIREHOL_LOG_FREQUENCY="1/second"
+ FIREHOL_LOG_BURST="5"
++FIREHOL_LOG_PREFIX=""
++
++# If enabled, FireHOL will silently drop orphan TCP packets with ACK,FIN set.
++FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=0
+
+ # The client ports to be used for "default" client ports when the
+ # client specified is a foreign host.
+@@ -427,7 +477,7 @@
+ work_name=
+ work_inface=
+ work_outface=
+-work_policy="${DEFAULT_INTERFACE_POLICY}"
++work_policy=
+ work_error=0
+ work_function="Initializing"
+
+@@ -618,6 +668,9 @@
+ server_microsoft_ds_ports="tcp/445"
+ client_microsoft_ds_ports="default"
+
++server_ms_ds_ports="tcp/445"
++client_ms_ds_ports="default"
++
+ server_mms_ports="tcp/1755 udp/1755"
+ client_mms_ports="default"
+ require_mms_modules="ip_conntrack_mms"
+@@ -666,6 +719,9 @@
+ server_oracle_ports="tcp/1521"
+ client_oracle_ports="default"
+
++server_OSPF_ports="89/any"
++client_OSPF_ports="any"
++
+ server_pop3_ports="tcp/110"
+ client_pop3_ports="default"
+
+@@ -708,7 +764,7 @@
+ client_rtp_ports="any"
+
+ server_sip_ports="udp/5060"
+-client_sip_ports="default"
++client_sip_ports="5060 default"
+
+ server_socks_ports="tcp/1080 udp/1080"
+ client_socks_ports="default"
+@@ -769,7 +825,7 @@
+ server_vmwareauth_ports="tcp/903"
+ client_vmwareauth_ports="default"
+
+-server_vmwareweb_ports="tcp/8222"
++server_vmwareweb_ports="tcp/8222 tcp/8333"
+ client_vmwareweb_ports="default"
+
+ server_vnc_ports="tcp/5900:5903"
+@@ -1090,10 +1146,12 @@
+ local server_rquotad_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " rquotad$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+ local server_mountd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " mountd$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+ local server_lockd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nlockmgr$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
++ local server_statd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " status$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+ local server_nfsd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nfs$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`"
+
+ test -z "${server_mountd_ports}" && error "Cannot find mountd ports for nfs server '${x}'" && return 1
+ test -z "${server_lockd_ports}" && error "Cannot find lockd ports for nfs server '${x}'" && return 1
++ test -z "${server_statd_ports}" && error "Cannot find statd ports for nfs server '${x}'" && return 1
+ test -z "${server_nfsd_ports}" && error "Cannot find nfsd ports for nfs server '${x}'" && return 1
+
+ local dst=
+@@ -1113,6 +1171,9 @@
+
+ set_work_function "Processing lockd rules for server '${x}'"
+ rules_custom "${mychain}" "${type}" nfs-lockd "${server_lockd_ports}" "500:65535" "${action}" $dst "$@"
++
++ set_work_function "Processing statd rules for server '${x}'"
++ rules_custom "${mychain}" "${type}" nfs-statd "${server_statd_ports}" "500:65535" "${action}" $dst "$@"
+
+ set_work_function "Processing nfsd rules for server '${x}'"
+ rules_custom "${mychain}" "${type}" nfs-nfsd "${server_nfsd_ports}" "500:65535" "${action}" $dst "$@"
+@@ -1798,7 +1859,7 @@
+ firehol_wget() {
+ local url="${1}"
+
+- require_cmd wget curl || error "Cannot find 'wget' or 'curl' in the path."
++ require_cmd wget curl
+
+ if [ ! -z "${WGET_CMD}" ]
+ then
+@@ -2407,9 +2468,9 @@
+ policy() {
+ work_realcmd_secondary ${FUNCNAME} "$@"
+
+- require_work set interface || return 1
++ require_work set any || return 1
+
+- set_work_function "Setting interface '${work_inface}' (${work_name}) policy to ${1}"
++ set_work_function "Setting policy of ${work_name} to ${1}"
+ work_policy="$*"
+
+ return 0
+@@ -2482,6 +2543,11 @@
+ return 0
+ ;;
+
++ bad-packets|BAD-PACKETS)
++ protection ${reverse} "invalid fragments new-tcp-w/o-syn malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}"
++ return $?
++ ;;
++
+ strong|STRONG|full|FULL|all|ALL)
+ protection ${reverse} "invalid fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}"
+ return $?
+@@ -2529,6 +2595,16 @@
+ rule in chain "${mychain}" loglimit "SYN FLOOD" action drop || return 1
+ ;;
+
++ all-floods|ALL-FLOODS)
++ local mychain="${pre}_${work_name}_allflood"
++ create_chain filter "${mychain}" "${in}_${work_name}" in state NEW || return 1
++
++ set_work_function "Generating rules to be protected from ALL floods on '${prface}' for ${work_cmd} '${work_name}'"
++
++ rule in chain "${mychain}" limit "${rate}" "${burst}" action return || return 1
++ rule in chain "${mychain}" loglimit "ALL FLOOD" action drop || return 1
++ ;;
++
+ malformed-xmas|MALFORMED-XMAS)
+ local mychain="${pre}_${work_name}_malxmas"
+ create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL" || return 1
+@@ -2589,7 +2665,7 @@
+ # kernel modules.
+
+ # optionaly require command gzcat
+-require_cmd gzcat
++require_cmd -n gzcat
+
+ KERNEL_CONFIG=
+ if [ -f "/proc/config" ]
+@@ -2632,6 +2708,7 @@
+ echo >&2 " all kernel modules for the services used, without"
+ echo >&2 " being able to detect failures."
+ echo >&2 " "
++ sleep 2
+ fi
+
+ # activation-phase command to check for the existance of
+@@ -2824,11 +2901,12 @@
+ work_name=
+ work_inface=
+ work_outface=
+- work_policy="${DEFAULT_INTERFACE_POLICY}"
++ work_policy=
+
+ return 0
+ }
+
++
+ # ------------------------------------------------------------------------------
+ # close_interface
+ # WHY:
+@@ -2841,6 +2919,12 @@
+
+ set_work_function "Finilizing interface '${work_name}'"
+
++ # Accept all related traffic to the established connections
++ rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
++ rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
++
++ # make sure we have a policy
++ test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}"
+ case "${work_policy}" in
+ return|RETURN)
+ return 0
+@@ -2849,15 +2933,18 @@
+ accept|ACCEPT)
+ ;;
+
+- *)
++ *)
+ local -a inlog=(loglimit "'IN-${work_name}'")
+ local -a outlog=(loglimit "'OUT-${work_name}'")
+ ;;
+ esac
+
+- # Accept all related traffic to the established connections
+- rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
+- rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
++ then
++ # Silently drop orphan TCP/ACK FIN packets
++ rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++ rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++ fi
+
+ rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
+ rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
+@@ -2882,6 +2969,32 @@
+ rule chain "in_${work_name}" state RELATED action ACCEPT || return 1
+ rule chain "out_${work_name}" state RELATED action ACCEPT || return 1
+
++ # make sure we have a policy
++ test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}"
++ case "${work_policy}" in
++ return|RETURN)
++ return 0
++ ;;
++
++ accept|ACCEPT)
++ ;;
++
++ *)
++ local -a inlog=(loglimit "'PASS-${work_name}'")
++ local -a outlog=(loglimit "'PASS-${work_name}'")
++ ;;
++ esac
++
++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
++ then
++ # Silently drop orphan TCP/ACK FIN packets
++ rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++ rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++ fi
++
++ rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1
++ rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1
++
+ return 0
+ }
+
+@@ -2900,6 +3013,14 @@
+ rule chain OUTPUT state RELATED action ACCEPT || return 1
+ rule chain FORWARD state RELATED action ACCEPT || return 1
+
++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ]
++ then
++ # Silently drop orphan TCP/ACK FIN packets
++ rule chain INPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++ rule chain OUTPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++ rule chain FORWARD state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1
++ fi
++
+ rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1
+ rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1
+ rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1
+@@ -3055,7 +3176,7 @@
+ # to pass.
+ if [ "${do_accept_limit}" = "1" ]
+ then
+- local accept_limit_chain="`echo "ACCEPT ${freq} ${burst} ${overflow}" | tr " /." "___"`"
++ local accept_limit_chain="`echo "ACCEPT LIMIT ${freq} ${burst} ${overflow}" | tr " /." "___"`"
+
+ # does the chain we need already exist?
+ if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}" ]
+@@ -3075,9 +3196,9 @@
+ local -a logopts_arg=()
+ if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
+ then
+- local -a logopts_arg=("--ulog-prefix='OVERFLOW:'")
++ local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'")
+ else
+- local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='OVERFLOW:'")
++ local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'")
+ fi
+ iptables ${table} -A "${accept_limit_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}"
+
+@@ -3096,6 +3217,62 @@
+ fi
+ ;;
+
++ "recent")
++ # limit NEW connections to the specified rate
++ local name="${action_param[1]}"
++ local seconds="${action_param[2]}"
++ local hits="${action_param[3]}"
++
++ # unset the action_param, so that if this rule does not include NEW connections,
++ # we will not append anything to the generated iptables statements.
++ local -a action_param=()
++
++ # find is this rule matches NEW connections
++ local has_new=`echo "${state}" | grep -i NEW`
++ local do_accept_recent=0
++ if [ -z "${statenot}" ]
++ then
++ test ! -z "${has_new}" && local do_accept_recent=1
++ else
++ test -z "${has_new}" && local do_accept_recent=1
++ fi
++
++ # we have a match for NEW connections.
++ # redirect the traffic to a new chain, which will control
++ # the NEW connections while allowing all the other traffic
++ # to pass.
++ if [ "${do_accept_recent}" = "1" ]
++ then
++ local accept_recent_chain="`echo "ACCEPT RECENT $name $seconds $hits" | tr " /." "___"`"
++
++ # does the chain we need already exist?
++ if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ]
++ then
++ # the chain does not exist. create it.
++ iptables ${table} -N "${accept_recent_chain}"
++ touch "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}"
++
++ # first, if the traffic is not a NEW connection, allow it.
++ # doing this first will speed up normal traffic.
++ iptables ${table} -A "${accept_recent_chain}" -m state ! --state NEW -j ACCEPT
++
++ # accept NEW connections within the given limits.
++ iptables ${table} -A "${accept_recent_chain}" -m recent --set --name "${name}"
++
++ local t1=
++ test ! -z $seconds && local t1="--seconds ${seconds}"
++ local t2=
++ test ! -z $hits && local t2="--hitcount ${hits}"
++
++ iptables ${table} -A "${accept_recent_chain}" -m recent --update ${t1} ${t2} --name "${name}" -j RETURN
++ iptables ${table} -A "${accept_recent_chain}" -j ACCEPT
++ fi
++
++ # send the rule to be generated to this chain
++ local action=${accept_recent_chain}
++ fi
++ ;;
++
+ 'knock')
+ # the name of the knock
+ local name="knock_${action_param[1]}"
+@@ -3175,6 +3352,12 @@
+ local dst=any
+ local dstnot=
+
++ local srctype=
++ local srctypenot=
++
++ local dsttype=
++ local dsttypenot=
++
+ local sport=any
+ local sportnot=
+
+@@ -3397,7 +3580,7 @@
+ if [ "${1}" = "not" -o "${1}" = "NOT" ]
+ then
+ shift
+- macnot="!"
++ test ${nomac} -eq 0 && macnot="!"
+ fi
+ test ${softwarnings} -eq 1 -a ! "${mac}" = "any" && softwarning "Overwritting param: mac '${mac}' becomes '${1}'"
+ test ${nomac} -eq 0 && mac="${1}"
+@@ -3454,6 +3637,56 @@
+ shift
+ ;;
+
++ srctype|SRCTYPE|sourcetype|SOURCETYPE)
++ shift
++ if [ ${reverse} -eq 0 ]
++ then
++ srctypenot=
++ if [ "${1}" = "not" -o "${1}" = "NOT" ]
++ then
++ shift
++ srctypenot="!"
++ fi
++ test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'"
++ srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
++ else
++ dsttypenot=
++ if [ "${1}" = "not" -o "${1}" = "NOT" ]
++ then
++ shift
++ dsttypenot="!"
++ fi
++ test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'"
++ dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
++ fi
++ shift
++ ;;
++
++ dsttype|DSTTYPE|destinationtype|DESTINATIONTYPE)
++ shift
++ if [ ${reverse} -eq 0 ]
++ then
++ dsttypenot=
++ if [ "${1}" = "not" -o "${1}" = "NOT" ]
++ then
++ shift
++ dsttypenot="!"
++ fi
++ test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'"
++ dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
++ else
++ srctypenot=
++ if [ "${1}" = "not" -o "${1}" = "NOT" ]
++ then
++ shift
++ srctypenot="!"
++ fi
++ test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'"
++ srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`"
++ fi
++ shift
++ ;;
++
+ sport|SPORT|sourceport|SOURCEPORT)
+ shift
+ if [ ${reverse} -eq 0 ]
+@@ -3591,6 +3824,11 @@
+ fi
+ ;;
+
++ recent|RECENT)
++ local -a action_param=("recent" "${2}" "${3}" "${4}")
++ shift 4
++ ;;
++
+ knock|KNOCK)
+ local -a action_param=("knock" "${2}")
+ shift 2
+@@ -3750,6 +3988,10 @@
+ fi
+ ;;
+
++ tarpit|TARPIT)
++ action="TARPIT"
++ ;;
++
+ *)
+ chain_exists "${action}"
+ local action_is_chain=$?
+@@ -3991,7 +4233,7 @@
+ # this temporary chain.
+
+
+- # ignore 'statenot' since it is negated in the positive rules
++ # ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules
+ if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ]
+ then
+ if [ ${action_is_chain} -eq 1 ]
+@@ -4540,6 +4782,25 @@
+ ;;
+ esac
+
++ # addrtype (srctype, dsttype)
++ local -a addrtype_arg=()
++ local -a stp_arg=()
++ local -a dtp_arg=()
++ if [ ! -z "${srctype}${dsttype}" ]
++ then
++ local -a addrtype_arg=("-m" "addrtype")
++
++ if [ ! -z "${srctype}" ]
++ then
++ local -a stp_arg=("${srctypenot}" "--src-type" "${srctype}")
++ fi
++
++ if [ ! -z "${dsttype}" ]
++ then
++ local -a dtp_arg=("${dsttypenot}" "--dst-type" "${dsttype}")
++ fi
++ fi
++
+ # state
+ local -a state_arg=()
+ if [ ! -z "${state}" ]
+@@ -4562,15 +4823,15 @@
+ fi
+
+ # build the command
+- declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
++ declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${addrtype_arg[@]}" "${stp_arg[@]}" "${dtp_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}")
+
+ # log mode selection
+ local -a logopts_arg=()
+ if [ "${FIREHOL_LOG_MODE}" = "ULOG" ]
+ then
+- local -a logopts_arg=("--ulog-prefix='${logtxt}:'")
++ local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'")
+ else
+- local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'")
++ local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'")
+ fi
+
+ # log / loglimit
+@@ -5005,8 +5266,8 @@
+ stop)
+ test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored."
+
+- test -f /var/lock/subsys/firehol && ${RM_CMD} -f /var/lock/subsys/firehol
+- test -f /var/lock/subsys/iptables && ${RM_CMD} -f /var/lock/subsys/iptables
++ test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol"
++ test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables"
+
+ echo -n $"FireHOL: Clearing Firewall:"
+ load_kernel_module ip_tables
+@@ -5038,7 +5299,7 @@
+ condrestart)
+ test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored."
+ FIREHOL_TRY=0
+- if [ -f /var/lock/subsys/firehol ]
++ if [ -f "${FIREHOL_LOCK_DIR}/firehol" ]
+ then
+ exit 0
+ fi
+@@ -5154,7 +5415,7 @@
+ else
+
+ ${CAT_CMD} <<EOF
+-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
+ FireHOL is distributed under GPL.
+
+@@ -5340,7 +5601,7 @@
+
+ ${CAT_CMD} <<EOF
+
+-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
+ FireHOL is distributed under GPL.
+ Home Page: http://firehol.sourceforge.net
+@@ -5459,6 +5720,13 @@
+
+ if [ ${FIREHOL_WIZARD} -eq 1 ]
+ then
++ # require commands for wizard mode
++ require_cmd ip
++ require_cmd netstat
++ require_cmd egrep
++ require_cmd date
++ require_cmd hostname
++
+ wizard_ask() {
+ local prompt="${1}"; shift
+ local def="${1}"; shift
+@@ -5603,7 +5871,12 @@
+ local i4=${4}
+ local i5=${5:-32}
+
+- echo ${i1}.${i2}.${i3}.${i4}/${i5}
++ if [ "${i5}" = "32" ]
++ then
++ echo ${i1}.${i2}.${i3}.${i4}
++ else
++ echo ${i1}.${i2}.${i3}.${i4}/${i5}
++ fi
+ }
+
+ ips2net() {
+@@ -5634,7 +5907,7 @@
+
+ "${CAT_CMD}" >&2 <<EOF
+
+-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
+ FireHOL is distributed under GPL.
+ Home Page: http://firehol.sourceforge.net
+@@ -5717,7 +5990,7 @@
+ echo "# "
+
+ ${CAT_CMD} <<EOF
+-# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
++# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $
+ # (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
+ # FireHOL is distributed under GPL.
+ # Home Page: http://firehol.sourceforge.net
+@@ -6354,11 +6627,11 @@
+ # Remove the saved firewall, so that the trap will not restore it.
+ ${RM_CMD} -f "${FIREHOL_SAVED}"
+
+-# RedHat startup service locking.
+-if [ -d /var/lock/subsys ]
++# Startup service locking.
++if [ -d "${FIREHOL_LOCK_DIR}" ]
+ then
+- ${TOUCH_CMD} /var/lock/subsys/iptables
+- ${TOUCH_CMD} /var/lock/subsys/firehol
++ ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/iptables"
++ ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/firehol"
+ fi
+
+
diff --git a/net-firewall/firehol/files/firehol-1.250-printf.patch b/net-firewall/firehol/files/firehol-1.250-printf.patch
new file mode 100644
index 000000000000..1222e15de65d
--- /dev/null
+++ b/net-firewall/firehol/files/firehol-1.250-printf.patch
@@ -0,0 +1,47 @@
+--- firehol.sh 2006-12-27 14:34:58.000000000 +0100
++++ firehol.new 2006-12-27 14:53:16.000000000 +0100
+@@ -2412,7 +2412,7 @@
+ printf "runcmd '${check}' '${FIREHOL_LINEID}' " >>${FIREHOL_OUTPUT}
+ fi
+
+- printf "%q " "$@" >>${FIREHOL_OUTPUT}
++ printf "%b " "$@" >>${FIREHOL_OUTPUT}
+ printf "\n" >>${FIREHOL_OUTPUT}
+
+ if [ ${FIREHOL_EXPLAIN} -eq 1 ]
+@@ -4885,7 +4885,7 @@
+ echo >&2 "WARNING"
+ echo >&2 "WHAT : ${work_function}"
+ echo >&2 "WHY :" "$@"
+- printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
++ printf >&2 "COMMAND: "; printf >&2 "%b " "${work_realcmd[@]}"; echo >&2
+ echo >&2 "SOURCE : line ${FIREHOL_LINEID} of ${FIREHOL_CONFIG}"
+ echo >&2
+
+@@ -4906,7 +4906,7 @@
+ echo >&2 "ERROR #: ${work_error}"
+ echo >&2 "WHAT : ${work_function}"
+ echo >&2 "WHY :" "$@"
+- printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2
++ printf >&2 "COMMAND: "; printf >&2 "%b " "${work_realcmd[@]}"; echo >&2
+ echo >&2 "SOURCE : line ${FIREHOL_LINEID} of ${FIREHOL_CONFIG}"
+ echo >&2
+
+@@ -4960,7 +4960,7 @@
+ echo >&2 "WHAT : A runtime command failed to execute (returned error ${ret})."
+ echo >&2 "SOURCE : line ${line} of ${FIREHOL_CONFIG}"
+ printf >&2 "COMMAND : "
+- printf >&2 "%q " "$@"
++ printf >&2 "%b " "$@"
+ printf >&2 "\n"
+ echo >&2 "OUTPUT : "
+ echo >&2
+@@ -5157,7 +5157,7 @@
+ *) ;;
+ esac
+
+- printf "%q " "${work_realcmd[@]}"
++ printf "%b " "${work_realcmd[@]}"
+ printf "\n\n"
+ ) >>${FIREHOL_OUTPUT}
+ }
diff --git a/net-firewall/firehol/firehol-1.250.ebuild b/net-firewall/firehol/firehol-1.250.ebuild
new file mode 100644
index 000000000000..40a31bb072b9
--- /dev/null
+++ b/net-firewall/firehol/firehol-1.250.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/firehol-1.250.ebuild,v 1.1 2006/12/28 20:59:13 centic Exp $
+
+inherit eutils
+
+DESCRIPTION="iptables firewall generator"
+HOMEPAGE="http://firehol.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${PN}-1.226.tar.bz2"
+
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE=""
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+
+DEPEND="sys-apps/iproute2"
+RDEPEND="net-firewall/iptables
+ sys-apps/iproute2
+ virtual/modutils
+ || (
+ net-misc/wget
+ net-misc/curl
+ )"
+
+S="${WORKDIR}/${PN}-1.226"
+
+pkg_setup() {
+ # Bug 81600 fail if iproute2 is built with minimal
+ if built_with_use sys-apps/iproute2 minimal; then
+ eerror "Firehol requires iproute2 to be emerged without"
+ eerror "the USE-Flag \"minimal\"."
+ eerror "Re-emerge iproute2 with"
+ eerror "USE=\"-minimal\" emerge sys-apps/iproute2"
+ die "sys-apps/iproute2 without USE=\"minimal\" needed"
+ fi
+}
+
+# patch for embedded Gentoo - GNAP
+# backport from firehol-CVS.
+src_unpack() {
+ unpack ${A}
+ cd ${S} || die
+ epatch ${FILESDIR}/firehol-1.226-to-228.patch || die
+ epatch ${FILESDIR}/firehol-1.226-to-250.patch || die
+ epatch ${FILESDIR}/${P}-printf.patch || die
+}
+
+src_install() {
+ newsbin firehol.sh firehol
+
+ dodir /etc/firehol /etc/firehol/examples /etc/firehol/services
+ insinto /etc/firehol/examples
+ doins examples/* || die
+
+ insinto /etc/conf.d
+ newins ${FILESDIR}/firehol.conf.d firehol || die
+
+ dodoc ChangeLog README TODO WhatIsNew || die
+ dohtml doc/*.html doc/*.css || die
+
+ docinto scripts
+ dodoc get-iana.sh adblock.sh || die
+
+ doman man/*.1 man/*.5 || die
+
+ exeinto /etc/init.d
+ newexe ${FILESDIR}/firehol.initrd firehol || die
+}
+
+pkg_postinst() {
+ einfo "The default path to firehol's configuration file is /etc/firehol/firehol.conf"
+ einfo "See /etc/firehol/examples for configuration examples."
+ #
+ # Install a default configuration if none is available yet
+ if [[ ! -e "${ROOT}/etc/firehol/firehol.conf" ]]; then
+ einfo "Installing a sample configuration as ${ROOT}/etc/firehol/firehol.conf"
+ cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf"
+ fi
+}
+