mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 22:30:58 +01:00
More AUDIT changes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
d2ab27c071
commit
814494e277
@ -315,7 +315,7 @@ our %config_files = ( #accounting => 1,
|
||||
#
|
||||
# Options that involve the the AUDIT target
|
||||
#
|
||||
my @auditoptions = qw( BLACKLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
|
||||
my @auditoptions = qw( BLACKLIST_DISPOSITION MACLIST_DISPOSITION TCP_FLAGS_DISPOSITION );
|
||||
#
|
||||
# Directories to search for configuration files
|
||||
#
|
||||
@ -3362,12 +3362,12 @@ sub get_configuration( $ ) {
|
||||
|
||||
if ( $val = $config{MACLIST_DISPOSITION} ) {
|
||||
unless ( $val =~ /^A?REJECT$/ ) {
|
||||
unless ( $val =~ /^A?DROP/ ) {
|
||||
if ( $val eq 'ACCEPT' ) {
|
||||
$globals{MACLIST_TARGET} = 'RETURN';
|
||||
} else {
|
||||
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
|
||||
}
|
||||
if ( $val =~ /^A?DROP/ ) {
|
||||
$globals{MACLIST_TARGET} = $val;
|
||||
} elsif ( $val eq 'ACCEPT' ) {
|
||||
$globals{MACLIST_TARGET} = 'RETURN';
|
||||
} else {
|
||||
fatal_error "Invalid value ($config{MACLIST_DISPOSITION}) for MACLIST_DISPOSITION"
|
||||
}
|
||||
}
|
||||
} else {
|
||||
|
@ -168,9 +168,9 @@ sub initialize( $ ) {
|
||||
%usedactions = ();
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AACCEPT ADROP AREJECT/;
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit AUDIT AACCEPT ADROP AREJECT/;
|
||||
} else {
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AACCEPT ADROP AREJECT/;
|
||||
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid AUDIT AACCEPT ADROP AREJECT/;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1291,10 +1291,21 @@ sub Limit( $$$$ ) {
|
||||
add_rule $chainref, '-j ACCEPT';
|
||||
}
|
||||
|
||||
sub AUDIT( $$$$) {
|
||||
my ($chainref, $level, $tag, $type ) = @_;
|
||||
|
||||
require_capability 'AUDIT_TARGET' , 'AUDIT rules', '';
|
||||
|
||||
fatal_error "Logging is not permitted in the AUDIT action" if $level;
|
||||
fatal_error "AUDIT requires a 'type' parameter";
|
||||
fatal_error "Invalid AUDIT type ($type)" unless $type =~ /^(accept|drop|reject)$/;
|
||||
add_rule $chainref , "-j AUDIT --type $type";
|
||||
}
|
||||
|
||||
sub AACCEPT ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
require_capability 'AUDIT_TARGET' , 'AACCEPT policies and rules', '';
|
||||
require_capability 'AUDIT_TARGET' , 'AACCEPT rules', '';
|
||||
|
||||
log_rule_limit $level, $chainref, 'AACCEPT' , 'ACCEPT', '', $tag, 'add', '' if $level ne '';
|
||||
add_rule $chainref , '-j AUDIT --type accept';
|
||||
@ -1304,7 +1315,7 @@ sub AACCEPT ( $$$ ) {
|
||||
sub ADROP ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
require_capability 'AUDIT_TARGET' , 'ADROP policies and rules', '';
|
||||
require_capability 'AUDIT_TARGET' , 'ADROP rules', '';
|
||||
|
||||
log_rule_limit $level, $chainref, 'ADROP' , 'DROP', '', $tag, 'add', '' if $level ne '';
|
||||
add_rule $chainref , '-j AUDIT --type drop';
|
||||
@ -1314,7 +1325,7 @@ sub ADROP ( $$$ ) {
|
||||
sub AREJECT ( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
require_capability 'AUDIT_TARGET' , 'AREJECT policies and rules', '';
|
||||
require_capability 'AUDIT_TARGET' , 'AREJECT rules', '';
|
||||
|
||||
log_rule_limit $level, $chainref, 'AREJECT' , 'REJECT', '', $tag, 'add', '' if $level ne '';
|
||||
add_rule $chainref , '-j AUDIT --type reject';
|
||||
@ -1329,7 +1340,12 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
|
||||
'allowInvalid' => \&allowInvalid,
|
||||
'allowinUPnP' => \&allowinUPnP,
|
||||
'forwardUPnP' => \&forwardUPnP,
|
||||
'Limit' => \&Limit, );
|
||||
'Limit' => \&Limit,
|
||||
'AUDIT' => \&AUDIT,
|
||||
'AACCEPT' => \&AACCEPT,
|
||||
'ADROP' => \&ADROP,
|
||||
'AREJECT' => \&AREJECT
|
||||
);
|
||||
|
||||
#
|
||||
# This function is called prior to processing of the policy file. It:
|
||||
@ -1463,14 +1479,16 @@ sub process_action( $) {
|
||||
sub process_actions2 () {
|
||||
progress_message2 "$doing policy actions...";
|
||||
|
||||
for ( map normalized_action_name $_, grep $auditpolicies{$_}, @auditoptions ) {
|
||||
if ( my $ref = use_action( $_ ) ) {
|
||||
my $ref;
|
||||
|
||||
for ( map normalized_action_name $_, grep $auditpolicies{$config{$_}}, @auditoptions ) {
|
||||
if ( $ref = use_action( $_ ) ) {
|
||||
process_action( $ref );
|
||||
}
|
||||
}
|
||||
|
||||
for ( map normalize_action_name $_, ( grep ! ( $targets{$_} & BUILTIN ), keys %policy_actions ) ) {
|
||||
if ( my $ref = use_action( $_ ) ) {
|
||||
if ( $ref = use_action( $_ ) ) {
|
||||
process_action( $ref );
|
||||
}
|
||||
}
|
||||
|
14
Shorewall/action.AAccept
Normal file
14
Shorewall/action.AAccept
Normal file
@ -0,0 +1,14 @@
|
||||
#
|
||||
# Shorewall version 4 - Audit Accept Action
|
||||
#
|
||||
# /usr/share/shorewall/action.AAccept
|
||||
#
|
||||
# Specify this as the ACCEPT_ACTION if you want ACCEPT policies to be
|
||||
# Audited
|
||||
#
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Audit the result
|
||||
#
|
||||
AUDIT('accept')
|
60
Shorewall/action.ADrop
Normal file
60
Shorewall/action.ADrop
Normal file
@ -0,0 +1,60 @@
|
||||
#
|
||||
# Shorewall version 4 - Drop Action
|
||||
#
|
||||
# /usr/share/shorewall/action.ADrop
|
||||
#
|
||||
# Like action.Drop but also Audits
|
||||
#
|
||||
# This action is invoked before a DROP policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that 'auth' requests are rejected, even if the policy is
|
||||
# DROP. Otherwise, you may experience problems establishing
|
||||
# connections with servers that use auth.
|
||||
# c) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
#
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO DPORT SPORT
|
||||
#
|
||||
# Count packets that come through here
|
||||
#
|
||||
COUNT
|
||||
#
|
||||
# Reject 'auth'
|
||||
#
|
||||
Auth(REJECT)
|
||||
#
|
||||
# Don't log broadcasts
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log.
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Drop Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB(DROP)
|
||||
DropUPnP
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
#
|
||||
DropDNSrep
|
||||
#
|
||||
# Audit the result
|
||||
#
|
||||
AUDIT('drop')
|
59
Shorewall/action.AReject
Normal file
59
Shorewall/action.AReject
Normal file
@ -0,0 +1,59 @@
|
||||
#
|
||||
# Shorewall version 4 - AReject Action
|
||||
#
|
||||
# /usr/share/shorewall/action.Reject
|
||||
#
|
||||
# This action is like Reject only it also audits
|
||||
#
|
||||
# This action is invoked before a REJECT policy is enforced. The purpose
|
||||
# of the action is:
|
||||
#
|
||||
# a) Avoid logging lots of useless cruft.
|
||||
# b) Ensure that certain ICMP packets that are necessary for successful
|
||||
# internet operation are always ACCEPTed.
|
||||
#
|
||||
# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
|
||||
###############################################################################
|
||||
#TARGET SOURCE DEST PROTO
|
||||
#
|
||||
# Count packets that come through here
|
||||
#
|
||||
COUNT
|
||||
#
|
||||
# Don't log 'auth' -- REJECT
|
||||
#
|
||||
Auth(REJECT)
|
||||
#
|
||||
# Drop Broadcasts so they don't clutter up the log
|
||||
# (broadcasts must *not* be rejected).
|
||||
#
|
||||
dropBcast
|
||||
#
|
||||
# ACCEPT critical ICMP types
|
||||
#
|
||||
AllowICMPs - - icmp
|
||||
#
|
||||
# Drop packets that are in the INVALID state -- these are usually ICMP packets
|
||||
# and just confuse people when they appear in the log (these ICMPs cannot be
|
||||
# rejected).
|
||||
#
|
||||
dropInvalid
|
||||
#
|
||||
# Reject Microsoft noise so that it doesn't clutter up the log.
|
||||
#
|
||||
SMB(REJECT)
|
||||
DropUPnP
|
||||
#
|
||||
# Drop 'newnotsyn' traffic so that it doesn't get logged.
|
||||
#
|
||||
dropNotSyn - - tcp
|
||||
#
|
||||
# Drop late-arriving DNS replies. These are just a nuisance and clutter up
|
||||
# the log.
|
||||
#
|
||||
DropDNSrep
|
||||
#
|
||||
# Audit the result
|
||||
#
|
||||
AUDIT('reject')
|
||||
|
@ -8,6 +8,9 @@
|
||||
#
|
||||
# Builtin Actions are:
|
||||
#
|
||||
# AACCEPT # Audits then accepts a connection request
|
||||
# ADROP # Audits then drops a connection request
|
||||
# AREJECT # Audits then drops a connection request
|
||||
# allowBcast # Silently Allow Broadcast/multicast
|
||||
# dropBcast # Silently Drop Broadcast/multicast
|
||||
# dropNotSyn # Silently Drop Non-syn TCP packets
|
||||
|
Loading…
Reference in New Issue
Block a user