extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-22 14:20:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

More AUDIT changes

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-05-19 08:35:40 -07:00
parent d2ab27c071
commit 814494e277
6 changed files with 170 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Shorewall/Perl/Shorewall/Config.pm
View File

@ -315,7 +315,7 @@ our %config_files = ( #accounting => 1,
#
# Options that involve the the AUDIT target
#
my @auditoptions = qw( BLACKLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
my @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
#
# Directories to search for configuration files
#
@ -3362,12 +3362,12 @@ sub get_configuration( $ ) {
if ( $val = $config{MACLIST_DISPOSITION} ) {
unless ( $val =~ /^A?REJECT$/ ) {
unless ( $val =~ /^A?DROP/ ) {
if ( $val eq 'ACCEPT' ) {
$globals{MACLIST_TARGET} = 'RETURN';
} else {
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
}
if ( $val =~ /^A?DROP/ ) {
$globals{MACLIST_TARGET} = $val;
} elsif ( $val eq 'ACCEPT' ) {
$globals{MACLIST_TARGET} = 'RETURN';
} else {
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
}
}
} else {

36
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -168,9 +168,9 @@ sub initialize( $ ) {
%usedactions = ();
if ( $family == F_IPV4 ) {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AUDIT AACCEPT ADROP AREJECT/;
} else {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AUDIT AACCEPT ADROP AREJECT/;
}
}
@ -1291,10 +1291,21 @@ sub Limit( $$$$ ) {
add_rule $chainref, '-j ACCEPT';
}
sub AUDIT( $$$$) {
my ($chainref, $level, $tag, $type ) = @_;
require_capability 'AUDIT_TARGET' , 'AUDIT rules', '';
fatal_error "Logging is not permitted in the AUDIT action" if $level;
fatal_error "AUDIT requires a 'type' parameter";
fatal_error "Invalid AUDIT type ($type)" unless $type =~ /^(accept|drop|reject)$/;
add_rule $chainref , "-j AUDIT --type $type";
}
sub AACCEPT ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'AACCEPT policies and rules', '';
require_capability 'AUDIT_TARGET' , 'AACCEPT rules', '';
log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type accept';
@ -1304,7 +1315,7 @@ sub AACCEPT ( $$$ ) {
sub ADROP ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'ADROP policies and rules', '';
require_capability 'AUDIT_TARGET' , 'ADROP rules', '';
log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type drop';
@ -1314,7 +1325,7 @@ sub ADROP ( $$$ ) {
sub AREJECT ( $$$ ) {
my ($chainref, $level, $tag) = @_;
require_capability 'AUDIT_TARGET' , 'AREJECT policies and rules', '';
require_capability 'AUDIT_TARGET' , 'AREJECT rules', '';
log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
add_rule $chainref , '-j AUDIT --type reject';
@ -1329,7 +1340,12 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
'allowInvalid' => \&allowInvalid,
'allowinUPnP' => \&allowinUPnP,
'forwardUPnP' => \&forwardUPnP,
'Limit' => \&Limit, );
'Limit' => \&Limit,
'AUDIT' => \&AUDIT,
'AACCEPT' => \&AACCEPT,
'ADROP' => \&ADROP,
'AREJECT' => \&AREJECT
);
#
# This function is called prior to processing of the policy file. It:
@ -1463,14 +1479,16 @@ sub process_action( $) {
sub process_actions2 () {
progress_message2 "$doing policy actions...";
for ( map normalized_action_name $_, grep $auditpolicies{$_}, @auditoptions ) {
if ( my $ref = use_action( $_ ) ) {
my $ref;
for ( map normalized_action_name $_, grep $auditpolicies{$config{$_}}, @auditoptions ) {
if ( $ref = use_action( $_ ) ) {
process_action( $ref );
}
}
for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) {
if ( my $ref = use_action( $_ ) ) {
if ( $ref = use_action( $_ ) ) {
process_action( $ref );
}
}

14
Shorewall/action.AAccept Normal file
View File

@ -0,0 +1,14 @@
#
# Shorewall version 4 - Audit Accept Action
#
# /usr/share/shorewall/action.AAccept
#
# Specify this as the ACCEPT_ACTION if you want ACCEPT policies to be
# Audited
#
###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Audit the result
#
AUDIT('accept')

60
Shorewall/action.ADrop Normal file
View File

@ -0,0 +1,60 @@
#
# Shorewall version 4 - Drop Action
#
# /usr/share/shorewall/action.ADrop
#
# Like action.Drop but also Audits
#
# This action is invoked before a DROP policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that 'auth' requests are rejected, even if the policy is
# DROP. Otherwise, you may experience problems establishing
# connections with servers that use auth.
# c) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
#
###############################################################################
#TARGET SOURCE DEST PROTO DPORT SPORT
#
# Count packets that come through here
#
COUNT
#
# Reject 'auth'
#
Auth(REJECT)
#
# Don't log broadcasts
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log.
#
dropInvalid
#
# Drop Microsoft noise so that it doesn't clutter up the log.
#
SMB(DROP)
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#
# Audit the result
#
AUDIT('drop')

59
Shorewall/action.AReject Normal file
View File

@ -0,0 +1,59 @@
#
# Shorewall version 4 - AReject Action
#
# /usr/share/shorewall/action.Reject
#
# This action is like Reject only it also audits
#
# This action is invoked before a REJECT policy is enforced. The purpose
# of the action is:
#
# a) Avoid logging lots of useless cruft.
# b) Ensure that certain ICMP packets that are necessary for successful
# internet operation are always ACCEPTed.
#
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
###############################################################################
#TARGET SOURCE DEST PROTO
#
# Count packets that come through here
#
COUNT
#
# Don't log 'auth' -- REJECT
#
Auth(REJECT)
#
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# ACCEPT critical ICMP types
#
AllowICMPs - - icmp
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be
# rejected).
#
dropInvalid
#
# Reject Microsoft noise so that it doesn't clutter up the log.
#
SMB(REJECT)
DropUPnP
#
# Drop 'newnotsyn' traffic so that it doesn't get logged.
#
dropNotSyn - - tcp
#
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
# the log.
#
DropDNSrep
#
# Audit the result
#
AUDIT('reject')

3
Shorewall/actions.std
View File

@ -8,6 +8,9 @@
#
# Builtin Actions are:
#
# AACCEPT # Audits then accepts a connection request
# ADROP # Audits then drops a connection request
# AREJECT # Audits then drops a connection request
# allowBcast # Silently Allow Broadcast/multicast
# dropBcast # Silently Drop Broadcast/multicast
# dropNotSyn # Silently Drop Non-syn TCP packets