Diffstat (limited to 'net-firewall/firehol')
-rw-r--r-- | net-firewall/firehol/ChangeLog | 10 | ||||
-rw-r--r-- | net-firewall/firehol/files/digest-firehol-1.250 | 3 | ||||
-rw-r--r-- | net-firewall/firehol/files/firehol-1.226-to-250.patch | 748 | ||||
-rw-r--r-- | net-firewall/firehol/files/firehol-1.250-printf.patch | 47 | ||||
-rw-r--r-- | net-firewall/firehol/firehol-1.250.ebuild | 81 |
5 files changed, 888 insertions, 1 deletions
diff --git a/net-firewall/firehol/ChangeLog b/net-firewall/firehol/ChangeLog index b9df3e9417a9..a438eabb0cbb 100644 --- a/net-firewall/firehol/ChangeLog +++ b/net-firewall/firehol/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-firewall/firehol # Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.21 2006/08/20 03:58:25 weeve Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.22 2006/12/28 20:59:13 centic Exp $ + +*firehol-1.250 (27 Dec 2006) + + 27 Dec 2006; Dominik Stadler <centic@gentoo.org> + +files/firehol-1.226-to-250.patch, +files/firehol-1.250-printf.patch, + +firehol-1.250.ebuild: + Add version 250 from CVS, fixes bug 151588. Depend on iproute2, fixes Bug + 152537. Change printf-statements, fixes Bugs 153858 and 139526 20 Aug 2006; Jason Wever <weeve@gentoo.org> firehol-1.226-r1.ebuild: Added ~sparc keyword wrt bug #137899. diff --git a/net-firewall/firehol/files/digest-firehol-1.250 b/net-firewall/firehol/files/digest-firehol-1.250 new file mode 100644 index 000000000000..d2c0f0cf477c --- /dev/null +++ b/net-firewall/firehol/files/digest-firehol-1.250 @@ -0,0 +1,3 @@ +MD5 958f6e95bad37013e544da587f55c8b7 firehol-1.226.tar.bz2 118113 +RMD160 bff910e8a3a67ce91f0634177b5ee361edc90e96 firehol-1.226.tar.bz2 118113 +SHA256 b434e8142eb4093516794c6f2213d03efa3c08161758ff836dbd266f0a9438cf firehol-1.226.tar.bz2 118113 diff --git a/net-firewall/firehol/files/firehol-1.226-to-250.patch b/net-firewall/firehol/files/firehol-1.226-to-250.patch new file mode 100644 index 000000000000..2e042f7f05be --- /dev/null +++ b/net-firewall/firehol/files/firehol-1.226-to-250.patch 
@@ -0,0 +1,748 @@ +--- firehol.new 2006-12-27 14:13:39.000000000 +0100 ++++ firehol.sh 2006-12-27 14:15:57.000000000 +0100 +@@ -10,7 +10,7 @@ + # + # config: /etc/firehol/firehol.conf + # +-# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ ++# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ + # + + # Make sure only root can run us. +@@ -74,13 +74,16 @@ + return 0 + } + +-# Check for a command during runtime. +-# Currently the following commands are required only when needed: +-# +-# wget or curl (either is fine) +-# gzcat +-# ++# command on demand support. + require_cmd() { ++ local block=1 ++ if [ "a$1" = "a-n" ] ++ then ++ local block=0 ++ shift ++ fi ++ ++ # if one is found, return success + for x in $1 + do + eval var=`echo ${x} | tr 'a-z' 'A-Z'`_CMD +@@ -92,21 +95,56 @@ + fi + done + ++ if [ $block -eq 1 ] ++ then ++ echo >&2 ++ echo >&2 "ERROR: THE REQUESTED FEATURE REQUIRES THESE PROGRAMS:" ++ echo >&2 ++ echo >&2 " $*" ++ echo >&2 ++ echo >&2 " You have requested the use of an optional FireHOL" ++ echo >&2 " feature that requires certain external programs" ++ echo >&2 " to be installed in the running system." ++ echo >&2 ++ echo >&2 " Please consult your Linux distribution manual to" ++ echo >&2 " install the package(s) that provide these external" ++ echo >&2 " programs and retry." ++ echo >&2 ++ echo >&2 " Note that you need an operational 'which' command" ++ echo >&2 " for FireHOL to find all the external programs it" ++ echo >&2 " needs. Check it yourself. Run:" ++ echo >&2 ++ for x in $1 ++ do ++ echo >&2 " which $x" ++ done ++ ++ exit 1 ++ fi ++ + return 1 + } + ++# Currently the following commands are required only when needed. ++# (i.e. 
Command on Demand) ++# ++# wget or curl (either is fine) ++# gzcat ++# ip ++# netstat ++# egrep ++# date ++# hostname ++ ++# Commands that are mandatory for FireHOL operation: + which_cmd CAT_CMD cat + which_cmd CUT_CMD cut + which_cmd CHOWN_CMD chown + which_cmd CHMOD_CMD chmod +-which_cmd DATE_CMD date +-which_cmd EGREP_CMD egrep + which_cmd EXPR_CMD expr + which_cmd GAWK_CMD gawk + which_cmd GREP_CMD grep + which_cmd HEAD_CMD head +-which_cmd HOSTNAME_CMD hostname +-which_cmd IP_CMD ip + which_cmd IPTABLES_CMD iptables + which_cmd IPTABLES_SAVE_CMD iptables-save + which_cmd LESS_CMD less +@@ -114,7 +152,6 @@ + which_cmd MKDIR_CMD mkdir + which_cmd MV_CMD mv + which_cmd MODPROBE_CMD modprobe +-which_cmd NETSTAT_CMD netstat + which_cmd RENICE_CMD renice + which_cmd RM_CMD rm + which_cmd SED_CMD sed +@@ -134,7 +171,7 @@ + # Find our minor version + firehol_minor_version() { + ${CAT_CMD} <<"EOF" | ${CUT_CMD} -d ' ' -f 3 | ${CUT_CMD} -d '.' -f 2 +-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ ++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ + EOF + } + +@@ -170,6 +207,9 @@ + FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh" + FIREHOL_TMP="${FIREHOL_DIR}/firehol-tmp.sh" + ++FIREHOL_LOCK_DIR="/var/lock/subsys" ++test ! -d "${FIREHOL_LOCK_DIR}" && FIREHOL_LOCK_DIR="/var/lock" ++ + FIREHOL_SPOOL_DIR="/var/spool/firehol" + + # The default configuration file +@@ -209,6 +249,7 @@ + + # Run our exit even if we don't call exit. + trap firehol_exit EXIT ++trap firehol_exit SIGHUP + + + # ------------------------------------------------------------------------------ +@@ -267,8 +308,8 @@ + if [ ! 
-d "${FIREHOL_SPOOL_DIR}" ] + then + "${MKDIR_CMD}" "${FIREHOL_SPOOL_DIR}" || exit 1 +- "${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}" || exit 1 +- "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}" || exit 1 ++ "${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}" || exit 1 ++ "${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}" || exit 1 + fi + + +@@ -280,7 +321,7 @@ + # Optimized (CIDR) by Marc 'HE' Brockschmidt <marc@marcbrockschmidt.de> + # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/ + # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path. +-RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7 76.0.0.0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4" ++RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 92.0.0.0/6 100.0.0.0/6 104.0.0.0/5 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4 " + + # Private IPv4 address space + # Suggested by Fco.Felix Belmonte <ffelix@gescosoft.com> +@@ -306,6 +347,11 @@ + # policy interface subscommand. + DEFAULT_INTERFACE_POLICY="DROP" + ++# The default policy for the router commands of the firewall. ++# This can be controlled on a per interface basis using the ++# policy interface subscommand. ++DEFAULT_ROUTER_POLICY="RETURN" ++ + # Which is the filter table chains policy during firewall activation? + FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT" + FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT" +@@ -329,6 +375,10 @@ + FIREHOL_LOG_MODE="LOG" + FIREHOL_LOG_FREQUENCY="1/second" + FIREHOL_LOG_BURST="5" ++FIREHOL_LOG_PREFIX="" ++ ++# If enabled, FireHOL will silently drop orphan TCP packets with ACK,FIN set. 
++FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=0 + + # The client ports to be used for "default" client ports when the + # client specified is a foreign host. +@@ -427,7 +477,7 @@ + work_name= + work_inface= + work_outface= +-work_policy="${DEFAULT_INTERFACE_POLICY}" ++work_policy= + work_error=0 + work_function="Initializing" + +@@ -618,6 +668,9 @@ + server_microsoft_ds_ports="tcp/445" + client_microsoft_ds_ports="default" + ++server_ms_ds_ports="tcp/445" ++client_ms_ds_ports="default" ++ + server_mms_ports="tcp/1755 udp/1755" + client_mms_ports="default" + require_mms_modules="ip_conntrack_mms" +@@ -666,6 +719,9 @@ + server_oracle_ports="tcp/1521" + client_oracle_ports="default" + ++server_OSPF_ports="89/any" ++client_OSPF_ports="any" ++ + server_pop3_ports="tcp/110" + client_pop3_ports="default" + +@@ -708,7 +764,7 @@ + client_rtp_ports="any" + + server_sip_ports="udp/5060" +-client_sip_ports="default" ++client_sip_ports="5060 default" + + server_socks_ports="tcp/1080 udp/1080" + client_socks_ports="default" +@@ -769,7 +825,7 @@ + server_vmwareauth_ports="tcp/903" + client_vmwareauth_ports="default" + +-server_vmwareweb_ports="tcp/8222" ++server_vmwareweb_ports="tcp/8222 tcp/8333" + client_vmwareweb_ports="default" + + server_vnc_ports="tcp/5900:5903" +@@ -1090,10 +1146,12 @@ + local server_rquotad_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " rquotad$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + local server_mountd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " mountd$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + local server_lockd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nlockmgr$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" ++ local server_statd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " status$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + local 
server_nfsd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nfs$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + + test -z "${server_mountd_ports}" && error "Cannot find mountd ports for nfs server '${x}'" && return 1 + test -z "${server_lockd_ports}" && error "Cannot find lockd ports for nfs server '${x}'" && return 1 ++ test -z "${server_statd_ports}" && error "Cannot find statd ports for nfs server '${x}'" && return 1 + test -z "${server_nfsd_ports}" && error "Cannot find nfsd ports for nfs server '${x}'" && return 1 + + local dst= +@@ -1113,6 +1171,9 @@ + + set_work_function "Processing lockd rules for server '${x}'" + rules_custom "${mychain}" "${type}" nfs-lockd "${server_lockd_ports}" "500:65535" "${action}" $dst "$@" ++ ++ set_work_function "Processing statd rules for server '${x}'" ++ rules_custom "${mychain}" "${type}" nfs-statd "${server_statd_ports}" "500:65535" "${action}" $dst "$@" + + set_work_function "Processing nfsd rules for server '${x}'" + rules_custom "${mychain}" "${type}" nfs-nfsd "${server_nfsd_ports}" "500:65535" "${action}" $dst "$@" +@@ -1798,7 +1859,7 @@ + firehol_wget() { + local url="${1}" + +- require_cmd wget curl || error "Cannot find 'wget' or 'curl' in the path." ++ require_cmd wget curl + + if [ ! -z "${WGET_CMD}" ] + then +@@ -2407,9 +2468,9 @@ + policy() { + work_realcmd_secondary ${FUNCNAME} "$@" + +- require_work set interface || return 1 ++ require_work set any || return 1 + +- set_work_function "Setting interface '${work_inface}' (${work_name}) policy to ${1}" ++ set_work_function "Setting policy of ${work_name} to ${1}" + work_policy="$*" + + return 0 +@@ -2482,6 +2543,11 @@ + return 0 + ;; + ++ bad-packets|BAD-PACKETS) ++ protection ${reverse} "invalid fragments new-tcp-w/o-syn malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}" ++ return $? 
++ ;; ++ + strong|STRONG|full|FULL|all|ALL) + protection ${reverse} "invalid fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}" + return $? +@@ -2529,6 +2595,16 @@ + rule in chain "${mychain}" loglimit "SYN FLOOD" action drop || return 1 + ;; + ++ all-floods|ALL-FLOODS) ++ local mychain="${pre}_${work_name}_allflood" ++ create_chain filter "${mychain}" "${in}_${work_name}" in state NEW || return 1 ++ ++ set_work_function "Generating rules to be protected from ALL floods on '${prface}' for ${work_cmd} '${work_name}'" ++ ++ rule in chain "${mychain}" limit "${rate}" "${burst}" action return || return 1 ++ rule in chain "${mychain}" loglimit "ALL FLOOD" action drop || return 1 ++ ;; ++ + malformed-xmas|MALFORMED-XMAS) + local mychain="${pre}_${work_name}_malxmas" + create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL" || return 1 +@@ -2589,7 +2665,7 @@ + # kernel modules. + + # optionaly require command gzcat +-require_cmd gzcat ++require_cmd -n gzcat + + KERNEL_CONFIG= + if [ -f "/proc/config" ] +@@ -2632,6 +2708,7 @@ + echo >&2 " all kernel modules for the services used, without" + echo >&2 " being able to detect failures." 
+ echo >&2 " " ++ sleep 2 + fi + + # activation-phase command to check for the existance of +@@ -2824,11 +2901,12 @@ + work_name= + work_inface= + work_outface= +- work_policy="${DEFAULT_INTERFACE_POLICY}" ++ work_policy= + + return 0 + } + ++ + # ------------------------------------------------------------------------------ + # close_interface + # WHY: +@@ -2841,6 +2919,12 @@ + + set_work_function "Finilizing interface '${work_name}'" + ++ # Accept all related traffic to the established connections ++ rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 ++ rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 ++ ++ # make sure we have a policy ++ test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}" + case "${work_policy}" in + return|RETURN) + return 0 +@@ -2849,15 +2933,18 @@ + accept|ACCEPT) + ;; + +- *) ++ *) + local -a inlog=(loglimit "'IN-${work_name}'") + local -a outlog=(loglimit "'OUT-${work_name}'") + ;; + esac + +- # Accept all related traffic to the established connections +- rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 +- rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 ++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] ++ then ++ # Silently drop orphan TCP/ACK FIN packets ++ rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ fi + + rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1 + rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1 +@@ -2882,6 +2969,32 @@ + rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 + rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 + ++ # make sure we have a policy ++ test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}" ++ case "${work_policy}" 
in ++ return|RETURN) ++ return 0 ++ ;; ++ ++ accept|ACCEPT) ++ ;; ++ ++ *) ++ local -a inlog=(loglimit "'PASS-${work_name}'") ++ local -a outlog=(loglimit "'PASS-${work_name}'") ++ ;; ++ esac ++ ++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] ++ then ++ # Silently drop orphan TCP/ACK FIN packets ++ rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ fi ++ ++ rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1 ++ rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1 ++ + return 0 + } + +@@ -2900,6 +3013,14 @@ + rule chain OUTPUT state RELATED action ACCEPT || return 1 + rule chain FORWARD state RELATED action ACCEPT || return 1 + ++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] ++ then ++ # Silently drop orphan TCP/ACK FIN packets ++ rule chain INPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ rule chain OUTPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ rule chain FORWARD state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ fi ++ + rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1 + rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1 + rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1 +@@ -3055,7 +3176,7 @@ + # to pass. + if [ "${do_accept_limit}" = "1" ] + then +- local accept_limit_chain="`echo "ACCEPT ${freq} ${burst} ${overflow}" | tr " /." "___"`" ++ local accept_limit_chain="`echo "ACCEPT LIMIT ${freq} ${burst} ${overflow}" | tr " /." "___"`" + + # does the chain we need already exist? + if [ ! 
-f "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}" ] +@@ -3075,9 +3196,9 @@ + local -a logopts_arg=() + if [ "${FIREHOL_LOG_MODE}" = "ULOG" ] + then +- local -a logopts_arg=("--ulog-prefix='OVERFLOW:'") ++ local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'") + else +- local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='OVERFLOW:'") ++ local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'") + fi + iptables ${table} -A "${accept_limit_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" + +@@ -3096,6 +3217,62 @@ + fi + ;; + ++ "recent") ++ # limit NEW connections to the specified rate ++ local name="${action_param[1]}" ++ local seconds="${action_param[2]}" ++ local hits="${action_param[3]}" ++ ++ # unset the action_param, so that if this rule does not include NEW connections, ++ # we will not append anything to the generated iptables statements. ++ local -a action_param=() ++ ++ # find is this rule matches NEW connections ++ local has_new=`echo "${state}" | grep -i NEW` ++ local do_accept_recent=0 ++ if [ -z "${statenot}" ] ++ then ++ test ! -z "${has_new}" && local do_accept_recent=1 ++ else ++ test -z "${has_new}" && local do_accept_recent=1 ++ fi ++ ++ # we have a match for NEW connections. ++ # redirect the traffic to a new chain, which will control ++ # the NEW connections while allowing all the other traffic ++ # to pass. ++ if [ "${do_accept_recent}" = "1" ] ++ then ++ local accept_recent_chain="`echo "ACCEPT RECENT $name $seconds $hits" | tr " /." "___"`" ++ ++ # does the chain we need already exist? ++ if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ] ++ then ++ # the chain does not exist. create it. 
++ iptables ${table} -N "${accept_recent_chain}" ++ touch "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ++ ++ # first, if the traffic is not a NEW connection, allow it. ++ # doing this first will speed up normal traffic. ++ iptables ${table} -A "${accept_recent_chain}" -m state ! --state NEW -j ACCEPT ++ ++ # accept NEW connections within the given limits. ++ iptables ${table} -A "${accept_recent_chain}" -m recent --set --name "${name}" ++ ++ local t1= ++ test ! -z $seconds && local t1="--seconds ${seconds}" ++ local t2= ++ test ! -z $hits && local t2="--hitcount ${hits}" ++ ++ iptables ${table} -A "${accept_recent_chain}" -m recent --update ${t1} ${t2} --name "${name}" -j RETURN ++ iptables ${table} -A "${accept_recent_chain}" -j ACCEPT ++ fi ++ ++ # send the rule to be generated to this chain ++ local action=${accept_recent_chain} ++ fi ++ ;; ++ + 'knock') + # the name of the knock + local name="knock_${action_param[1]}" +@@ -3175,6 +3352,12 @@ + local dst=any + local dstnot= + ++ local srctype= ++ local srctypenot= ++ ++ local dsttype= ++ local dsttypenot= ++ + local sport=any + local sportnot= + +@@ -3397,7 +3580,7 @@ + if [ "${1}" = "not" -o "${1}" = "NOT" ] + then + shift +- macnot="!" ++ test ${nomac} -eq 0 && macnot="!" + fi + test ${softwarnings} -eq 1 -a ! "${mac}" = "any" && softwarning "Overwritting param: mac '${mac}' becomes '${1}'" + test ${nomac} -eq 0 && mac="${1}" +@@ -3454,6 +3637,56 @@ + shift + ;; + ++ srctype|SRCTYPE|sourcetype|SOURCETYPE) ++ shift ++ if [ ${reverse} -eq 0 ] ++ then ++ srctypenot= ++ if [ "${1}" = "not" -o "${1}" = "NOT" ] ++ then ++ shift ++ srctypenot="!" ++ fi ++ test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'" ++ srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" ++ else ++ dsttypenot= ++ if [ "${1}" = "not" -o "${1}" = "NOT" ] ++ then ++ shift ++ dsttypenot="!" ++ fi ++ test ${softwarnings} -eq 1 -a ! 
"${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'" ++ dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" ++ fi ++ shift ++ ;; ++ ++ dsttype|DSTTYPE|destinationtype|DESTINATIONTYPE) ++ shift ++ if [ ${reverse} -eq 0 ] ++ then ++ dsttypenot= ++ if [ "${1}" = "not" -o "${1}" = "NOT" ] ++ then ++ shift ++ dsttypenot="!" ++ fi ++ test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'" ++ dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" ++ else ++ srctypenot= ++ if [ "${1}" = "not" -o "${1}" = "NOT" ] ++ then ++ shift ++ srctypenot="!" ++ fi ++ test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'" ++ srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" ++ fi ++ shift ++ ;; ++ + sport|SPORT|sourceport|SOURCEPORT) + shift + if [ ${reverse} -eq 0 ] +@@ -3591,6 +3824,11 @@ + fi + ;; + ++ recent|RECENT) ++ local -a action_param=("recent" "${2}" "${3}" "${4}") ++ shift 4 ++ ;; ++ + knock|KNOCK) + local -a action_param=("knock" "${2}") + shift 2 +@@ -3750,6 +3988,10 @@ + fi + ;; + ++ tarpit|TARPIT) ++ action="TARPIT" ++ ;; ++ + *) + chain_exists "${action}" + local action_is_chain=$? +@@ -3991,7 +4233,7 @@ + # this temporary chain. + + +- # ignore 'statenot' since it is negated in the positive rules ++ # ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules + if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ] + then + if [ ${action_is_chain} -eq 1 ] +@@ -4540,6 +4782,25 @@ + ;; + esac + ++ # addrtype (srctype, dsttype) ++ local -a addrtype_arg=() ++ local -a stp_arg=() ++ local -a dtp_arg=() ++ if [ ! 
-z "${srctype}${dsttype}" ] ++ then ++ local -a addrtype_arg=("-m" "addrtype") ++ ++ if [ ! -z "${srctype}" ] ++ then ++ local -a stp_arg=("${srctypenot}" "--src-type" "${srctype}") ++ fi ++ ++ if [ ! -z "${dsttype}" ] ++ then ++ local -a dtp_arg=("${dsttypenot}" "--dst-type" "${dsttype}") ++ fi ++ fi ++ + # state + local -a state_arg=() + if [ ! -z "${state}" ] +@@ -4562,15 +4823,15 @@ + fi + + # build the command +- declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}") ++ declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${addrtype_arg[@]}" "${stp_arg[@]}" "${dtp_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}") + + # log mode selection + local -a logopts_arg=() + if [ "${FIREHOL_LOG_MODE}" = "ULOG" ] + then +- local -a logopts_arg=("--ulog-prefix='${logtxt}:'") ++ local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'") + else +- local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'") ++ local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'") + fi + + # log / loglimit +@@ -5005,8 +5266,8 @@ + stop) + test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored." 
+ +- test -f /var/lock/subsys/firehol && ${RM_CMD} -f /var/lock/subsys/firehol +- test -f /var/lock/subsys/iptables && ${RM_CMD} -f /var/lock/subsys/iptables ++ test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol" ++ test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables" + + echo -n $"FireHOL: Clearing Firewall:" + load_kernel_module ip_tables +@@ -5038,7 +5299,7 @@ + condrestart) + test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored." + FIREHOL_TRY=0 +- if [ -f /var/lock/subsys/firehol ] ++ if [ -f "${FIREHOL_LOCK_DIR}/firehol" ] + then + exit 0 + fi +@@ -5154,7 +5415,7 @@ + else + + ${CAT_CMD} <<EOF +-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ ++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ + (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr> + FireHOL is distributed under GPL. + +@@ -5340,7 +5601,7 @@ + + ${CAT_CMD} <<EOF + +-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ ++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ + (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr> + FireHOL is distributed under GPL. 
+ Home Page: http://firehol.sourceforge.net +@@ -5459,6 +5720,13 @@ + + if [ ${FIREHOL_WIZARD} -eq 1 ] + then ++ # require commands for wizard mode ++ require_cmd ip ++ require_cmd netstat ++ require_cmd egrep ++ require_cmd date ++ require_cmd hostname ++ + wizard_ask() { + local prompt="${1}"; shift + local def="${1}"; shift +@@ -5603,7 +5871,12 @@ + local i4=${4} + local i5=${5:-32} + +- echo ${i1}.${i2}.${i3}.${i4}/${i5} ++ if [ "${i5}" = "32" ] ++ then ++ echo ${i1}.${i2}.${i3}.${i4} ++ else ++ echo ${i1}.${i2}.${i3}.${i4}/${i5} ++ fi + } + + ips2net() { +@@ -5634,7 +5907,7 @@ + + "${CAT_CMD}" >&2 <<EOF + +-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ ++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ + (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr> + FireHOL is distributed under GPL. + Home Page: http://firehol.sourceforge.net +@@ -5717,7 +5990,7 @@ + echo "# " + + ${CAT_CMD} <<EOF +-# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ ++# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ + # (C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr> + # FireHOL is distributed under GPL. + # Home Page: http://firehol.sourceforge.net +@@ -6354,11 +6627,11 @@ + # Remove the saved firewall, so that the trap will not restore it. + ${RM_CMD} -f "${FIREHOL_SAVED}" + +-# RedHat startup service locking. +-if [ -d /var/lock/subsys ] ++# Startup service locking. ++if [ -d "${FIREHOL_LOCK_DIR}" ] + then +- ${TOUCH_CMD} /var/lock/subsys/iptables +- ${TOUCH_CMD} /var/lock/subsys/firehol ++ ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/iptables" ++ ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/firehol" + fi + + diff --git a/net-firewall/firehol/files/firehol-1.250-printf.patch b/net-firewall/firehol/files/firehol-1.250-printf.patch new file mode 100644 index 000000000000..1222e15de65d --- /dev/null +++ b/net-firewall/firehol/files/firehol-1.250-printf.patch 
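Review bot: The new `FIREHOL_LOCK_DIR` fallback (`test ! -d "${FIREHOL_LOCK_DIR}" && FIREHOL_LOCK_DIR="/var/lock"`) moves the lock file from a root-only directory into one that on many distributions is a shared, world-writable sticky directory, and the rest of the patch then trusts that path: `condrestart` exits 0 whenever `test -f "${FIREHOL_LOCK_DIR}/firehol"` holds, while `stop` runs `${RM_CMD} -f` and the end of the script runs `${TOUCH_CMD}` as root on the same names. Any local user who can create an entry called `firehol` in that directory can therefore suppress a conditional restart, and root's touch/remove operates on a name that user controls; keeping the lock inside a root-owned subdirectory created with mode 0700 (for example `${FIREHOL_LOCK_DIR}/firehol/`), or at least refusing a lock file that is not a regular root-owned file, would close this. Separately, the `recent` action tests `test ! -z $seconds` and `test ! -z $hits` unquoted, which only behaves when the value is empty because of `test`'s two-argument form; write `test ! -z "${seconds}"` and `test ! -z "${hits}"`. Because this file is itself a nested diff, the functions its inner hunks modify (e.g. `close_interface`, `close_router`, the `rule` option parser) start and end outside the visible hunk text, so the surrounding control flow is inferred.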
@@ -0,0 +1,47 @@ +--- firehol.sh 2006-12-27 14:34:58.000000000 +0100 ++++ firehol.new 2006-12-27 14:53:16.000000000 +0100 +@@ -2412,7 +2412,7 @@ + printf "runcmd '${check}' '${FIREHOL_LINEID}' " >>${FIREHOL_OUTPUT} + fi + +- printf "%q " "$@" >>${FIREHOL_OUTPUT} ++ printf "%b " "$@" >>${FIREHOL_OUTPUT} + printf "\n" >>${FIREHOL_OUTPUT} + + if [ ${FIREHOL_EXPLAIN} -eq 1 ] +@@ -4885,7 +4885,7 @@ + echo >&2 "WARNING" + echo >&2 "WHAT : ${work_function}" + echo >&2 "WHY :" "$@" +- printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2 ++ printf >&2 "COMMAND: "; printf >&2 "%b " "${work_realcmd[@]}"; echo >&2 + echo >&2 "SOURCE : line ${FIREHOL_LINEID} of ${FIREHOL_CONFIG}" + echo >&2 + +@@ -4906,7 +4906,7 @@ + echo >&2 "ERROR #: ${work_error}" + echo >&2 "WHAT : ${work_function}" + echo >&2 "WHY :" "$@" +- printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2 ++ printf >&2 "COMMAND: "; printf >&2 "%b " "${work_realcmd[@]}"; echo >&2 + echo >&2 "SOURCE : line ${FIREHOL_LINEID} of ${FIREHOL_CONFIG}" + echo >&2 + +@@ -4960,7 +4960,7 @@ + echo >&2 "WHAT : A runtime command failed to execute (returned error ${ret})." + echo >&2 "SOURCE : line ${line} of ${FIREHOL_CONFIG}" + printf >&2 "COMMAND : " +- printf >&2 "%q " "$@" ++ printf >&2 "%b " "$@" + printf >&2 "\n" + echo >&2 "OUTPUT : " + echo >&2 +@@ -5157,7 +5157,7 @@ + *) ;; + esac + +- printf "%q " "${work_realcmd[@]}" ++ printf "%b " "${work_realcmd[@]}" + printf "\n\n" + ) >>${FIREHOL_OUTPUT} + } diff --git a/net-firewall/firehol/firehol-1.250.ebuild b/net-firewall/firehol/firehol-1.250.ebuild new file mode 100644 index 000000000000..40a31bb072b9 --- /dev/null +++ b/net-firewall/firehol/firehol-1.250.ebuild 
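Review bot: Replacing `printf "%q "` with `printf "%b "` in the `@@ -2412` hunk removes the shell quoting of the arguments written after the `runcmd '${check}' '${FIREHOL_LINEID}'` prefix into `${FIREHOL_OUTPUT}`, which from the `runcmd` prefix and the `firehol-tmp.sh` naming appears to be a script that is executed afterwards. Any argument containing whitespace or quote characters — for instance the `custom "--tcp-flags ALL ACK,FIN"` arguments the companion 1.226-to-250 patch adds — will be re-split into several words when that script runs, and `%b` additionally expands backslash escapes inside the arguments, so the iptables commands actually executed can differ from what firehol.conf specified without any error. The three `>&2` diagnostics (`COMMAND:` lines in the `@@ -4885`, `@@ -4906` and `@@ -4960` hunks) are only human-readable and can use `%b` or `%s`, but the two hunks that feed `${FIREHOL_OUTPUT}` (`@@ -2412` and `@@ -5157`) should keep `printf "%q " "$@"` / `printf "%q " "${work_realcmd[@]}"`, or emit each argument single-quoted with embedded quotes escaped if `%q` itself was the problem. Bugs 153858 and 139526 that motivated the change are not on this page, so the reason for dropping `%q` is inferred.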
@@ -0,0 +1,81 @@ +# Copyright 1999-2006 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/firehol-1.250.ebuild,v 1.1 2006/12/28 20:59:13 centic Exp $ + +inherit eutils + +DESCRIPTION="iptables firewall generator" +HOMEPAGE="http://firehol.sourceforge.net/" +SRC_URI="mirror://sourceforge/${PN}/${PN}-1.226.tar.bz2" + + +LICENSE="GPL-2" +SLOT="0" +IUSE="" +KEYWORDS="~amd64 ~ppc ~sparc ~x86" + +DEPEND="sys-apps/iproute2" +RDEPEND="net-firewall/iptables + sys-apps/iproute2 + virtual/modutils + || ( + net-misc/wget + net-misc/curl + )" + +S="${WORKDIR}/${PN}-1.226" + +pkg_setup() { + # Bug 81600 fail if iproute2 is built with minimal + if built_with_use sys-apps/iproute2 minimal; then + eerror "Firehol requires iproute2 to be emerged without" + eerror "the USE-Flag \"minimal\"." + eerror "Re-emerge iproute2 with" + eerror "USE=\"-minimal\" emerge sys-apps/iproute2" + die "sys-apps/iproute2 without USE=\"minimal\" needed" + fi +} + +# patch for embedded Gentoo - GNAP +# backport from firehol-CVS. +src_unpack() { + unpack ${A} + cd ${S} || die + epatch ${FILESDIR}/firehol-1.226-to-228.patch || die + epatch ${FILESDIR}/firehol-1.226-to-250.patch || die + epatch ${FILESDIR}/${P}-printf.patch || die +} + +src_install() { + newsbin firehol.sh firehol + + dodir /etc/firehol /etc/firehol/examples /etc/firehol/services + insinto /etc/firehol/examples + doins examples/* || die + + insinto /etc/conf.d + newins ${FILESDIR}/firehol.conf.d firehol || die + + dodoc ChangeLog README TODO WhatIsNew || die + dohtml doc/*.html doc/*.css || die + + docinto scripts + dodoc get-iana.sh adblock.sh || die + + doman man/*.1 man/*.5 || die + + exeinto /etc/init.d + newexe ${FILESDIR}/firehol.initrd firehol || die +} + +pkg_postinst() { + einfo "The default path to firehol's configuration file is /etc/firehol/firehol.conf" + einfo "See /etc/firehol/examples for configuration examples." 
+ # + # Install a default configuration if none is available yet + if [[ ! -e "${ROOT}/etc/firehol/firehol.conf" ]]; then + einfo "Installing a sample configuration as ${ROOT}/etc/firehol/firehol.conf" + cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf" + fi +} + |
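Review bot: `src_unpack` leaves `${A}`, `${S}` and `${FILESDIR}` unquoted (`unpack ${A}`, `cd ${S} || die`, `epatch ${FILESDIR}/firehol-1.226-to-228.patch || die`), which is inconsistent with `pkg_postinst` quoting its `${ROOT}` paths; `cd "${S}" || die` and `epatch "${FILESDIR}/..."` would match, and since `epatch` already dies on a failed patch the trailing `|| die` on those lines is redundant. In `pkg_postinst` the `cp` that seeds `${ROOT}/etc/firehol/firehol.conf` from `examples/client-all.conf` is unchecked, so on failure the preceding einfo still claims the sample was installed; `cp ... || ewarn "could not install the sample configuration"` keeps the message honest. Note that `firehol-1.226-to-228.patch` is applied here but is not part of this commit, so its presence in FILESDIR is assumed from the earlier ebuild.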