Fix blacklist handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5557 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
51944d1bb8
commit
b8848a1527
@ -154,10 +154,30 @@ sub setup_syn_flood_chains() {
|
|||||||
|
|
||||||
sub setup_blacklist() {
|
sub setup_blacklist() {
|
||||||
|
|
||||||
|
my $hosts = find_hosts_by_option 'blacklist';
|
||||||
|
|
||||||
|
if ( @$hosts ) {
|
||||||
|
|
||||||
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
|
||||||
|
|
||||||
progress_message2 " Setting up Blacklist...";
|
progress_message2 " Setting up Blacklist...";
|
||||||
|
|
||||||
|
new_standard_chain 'blacklst';
|
||||||
|
|
||||||
|
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
|
||||||
|
|
||||||
|
if ( $level ) {
|
||||||
|
my $chainref = new_standard_chain 'blacklog';
|
||||||
|
|
||||||
|
log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' );
|
||||||
|
|
||||||
|
add_rule $chainref, "-j $target" ;
|
||||||
|
|
||||||
|
$target = 'blacklog';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( -s "$ENV{TMP_DIR}/blacklist" ) {
|
||||||
|
|
||||||
open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";
|
open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";
|
||||||
|
|
||||||
progress_message( " Processing " . find_file 'blacklist' . '...' );
|
progress_message( " Processing " . find_file 'blacklist' . '...' );
|
||||||
@ -177,18 +197,17 @@ sub setup_blacklist() {
|
|||||||
$networks ,
|
$networks ,
|
||||||
'' ,
|
'' ,
|
||||||
'' ,
|
'' ,
|
||||||
'-j ' . ($disposition eq 'REJECT' ? 'reject' : $disposition),
|
"-j $target" ,
|
||||||
$level ,
|
'' ,
|
||||||
$disposition ,
|
$disposition ,
|
||||||
'';
|
'';
|
||||||
|
|
||||||
progress_message " \"$line\" added to blacklist";
|
progress_message " \"$line\" added to blacklist";
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
close BL;
|
close BL;
|
||||||
|
|
||||||
my $hosts = find_hosts_by_option 'blacklist';
|
|
||||||
|
|
||||||
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
||||||
|
|
||||||
for my $hostref ( @$hosts ) {
|
for my $hostref ( @$hosts ) {
|
||||||
@ -204,6 +223,7 @@ sub setup_blacklist() {
|
|||||||
|
|
||||||
progress_message " Blacklisting enabled on ${interface}:${network}";
|
progress_message " Blacklisting enabled on ${interface}:${network}";
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub process_criticalhosts() {
|
sub process_criticalhosts() {
|
||||||
@ -363,9 +383,14 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
my $rejectref = new_standard_chain 'reject';
|
my $rejectref = new_standard_chain 'reject';
|
||||||
|
|
||||||
|
$level = $env{BLACKLIST_LOG_LEVEL} || 'info';
|
||||||
|
|
||||||
|
add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ;
|
||||||
|
add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'REJECT' , $level ;
|
||||||
|
|
||||||
new_standard_chain 'dynamic';
|
new_standard_chain 'dynamic';
|
||||||
|
|
||||||
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID' : '';
|
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
|
||||||
|
|
||||||
for $interface ( @interfaces ) {
|
for $interface ( @interfaces ) {
|
||||||
for $chain ( input_chain $interface , forward_chain $interface ) {
|
for $chain ( input_chain $interface , forward_chain $interface ) {
|
||||||
@ -375,11 +400,6 @@ sub add_common_rules() {
|
|||||||
new_standard_chain output_chain( $interface );
|
new_standard_chain output_chain( $interface );
|
||||||
}
|
}
|
||||||
|
|
||||||
$level = $env{BLACKLIST_LOG_LEVEL} || 'info';
|
|
||||||
|
|
||||||
add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ;
|
|
||||||
add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'REJECT' , $level ;
|
|
||||||
|
|
||||||
setup_blacklist;
|
setup_blacklist;
|
||||||
|
|
||||||
$list = find_hosts_by_option 'nosmurfs';
|
$list = find_hosts_by_option 'nosmurfs';
|
||||||
|
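Review bot: The log level used for the new `blacklog` chain comes from `$config{BLACKLIST_LOGLEVEL}` (the `log_rule_limit` call inside the `if ( $level )` branch of setup_blacklist), while the `logdrop`/`logreject` chains that the add_common_rules hunk moves up still read `$env{BLACKLIST_LOG_LEVEL} || 'info'`. If those are meant to be the same setting one should be derived from the other; if they are intentionally different, a comment such as `# blacklog logs at the configured BLACKLIST_LOGLEVEL; logdrop/logreject default to 'info'` would keep a later reader from "fixing" it. The file read that follows the new `$target` setup is still a two-argument `open` on a bareword handle with an interpolated path, `open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error ...`; the three-argument lexical form, `open my $bl, '<', "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";`, prevents a leading or trailing mode character in the path from changing the open mode, though the read loop and the `close BL` in the next hunk would have to follow. setup_blacklist's body continues outside this hunk.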
@ -329,8 +329,8 @@ stop_firewall() {
|
|||||||
emit "
|
emit "
|
||||||
for chain in INPUT OUTPUT; do
|
for chain in INPUT OUTPUT; do
|
||||||
setpolicy \$chain DROP
|
setpolicy \$chain DROP
|
||||||
done";
|
done
|
||||||
emit '';
|
";
|
||||||
} else {
|
} else {
|
||||||
emit "
|
emit "
|
||||||
for chain in INPUT OUTPUT; do
|
for chain in INPUT OUTPUT; do
|
||||||
@ -339,9 +339,8 @@ stop_firewall() {
|
|||||||
|
|
||||||
setpolicy FORWARD DROP
|
setpolicy FORWARD DROP
|
||||||
|
|
||||||
deleteallchains";
|
deleteallchains
|
||||||
|
";
|
||||||
emit '';
|
|
||||||
|
|
||||||
for my $hosts ( @$criticalhosts ) {
|
for my $hosts ( @$criticalhosts ) {
|
||||||
my ( $interface, $host ) = ( split /,/, $hosts );
|
my ( $interface, $host ) = ( split /,/, $hosts );
|
||||||
@ -357,9 +356,9 @@ stop_firewall() {
|
|||||||
|
|
||||||
for chain in INPUT FORWARD; do
|
for chain in INPUT FORWARD; do
|
||||||
setcontinue \$chain
|
setcontinue \$chain
|
||||||
done";
|
done
|
||||||
|
";
|
||||||
|
|
||||||
emit '';
|
|
||||||
}
|
}
|
||||||
} elsif ( ! $config{ADMINISABSENTMINDED} ) {
|
} elsif ( ! $config{ADMINISABSENTMINDED} ) {
|
||||||
emit "
|
emit "
|
||||||
@ -380,9 +379,8 @@ stop_firewall() {
|
|||||||
|
|
||||||
for chain in INPUT FORWARD; do
|
for chain in INPUT FORWARD; do
|
||||||
setcontinue \$chain
|
setcontinue \$chain
|
||||||
done";
|
done
|
||||||
|
";
|
||||||
emit '';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
push_indent;
|
push_indent;
|
||||||
|