Fix blacklist handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5557 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-16 22:19:32 +00:00
parent 51944d1bb8
commit b8848a1527
2 changed files with 80 additions and 62 deletions


@ -154,10 +154,30 @@ sub setup_syn_flood_chains() {
sub setup_blacklist() {
my $hosts = find_hosts_by_option 'blacklist';
if ( @$hosts ) {
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
progress_message2 " Setting up Blacklist...";
new_standard_chain 'blacklst';
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
if ( $level ) {
my $chainref = new_standard_chain 'blacklog';
log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add', '' );
add_rule $chainref, "-j $target" ;
$target = 'blacklog';
}
if ( -s "$ENV{TMP_DIR}/blacklist" ) {
open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";
progress_message( " Processing " . find_file 'blacklist' . '...' );
@ -177,18 +197,17 @@ sub setup_blacklist() {
$networks ,
'' ,
'' ,
'-j ' . ($disposition eq 'REJECT' ? 'reject' : $disposition),
$level ,
"-j $target" ,
'' ,
$disposition ,
'';
progress_message " \"$line\" added to blacklist";
}
}
close BL;
my $hosts = find_hosts_by_option 'blacklist';
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
for my $hostref ( @$hosts ) {
@ -204,6 +223,7 @@ sub setup_blacklist() {
progress_message " Blacklisting enabled on ${interface}:${network}";
}
}
}
sub process_criticalhosts() {
@ -363,9 +383,14 @@ sub add_common_rules() {
my $rejectref = new_standard_chain 'reject';
$level = $env{BLACKLIST_LOG_LEVEL} || 'info';
add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ;
add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'REJECT' , $level ;
new_standard_chain 'dynamic';
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID' : '';
my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
for $interface ( @interfaces ) {
for $chain ( input_chain $interface , forward_chain $interface ) {
@ -375,11 +400,6 @@ sub add_common_rules() {
new_standard_chain output_chain( $interface );
}
$level = $env{BLACKLIST_LOG_LEVEL} || 'info';
add_rule_pair new_standard_chain( 'logdrop' ), ' ' , 'DROP' , $level ;
add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'REJECT' , $level ;
setup_blacklist;
$list = find_hosts_by_option 'nosmurfs';
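Review bot: setup_blacklist reads the stripped blacklist with a two-argument, bareword `open BL, "$ENV{TMP_DIR}/blacklist"`, so the open mode is taken from the interpolated path instead of being stated explicitly; the rendered page does not make it certain whether that line is new or unchanged context, but the commit reworks the code on both sides of it. Prefer the three-argument lexical form, `open my $bl, '<', "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";`, with a matching `close $bl;` where the second hunk has `close BL;`. The level for the new blacklog chain comes from `$config{BLACKLIST_LOGLEVEL}`, while the relocated logdrop/logreject pairs in add_common_rules use `$env{BLACKLIST_LOG_LEVEL} || 'info'`; if these are meant to be the same setting, the differing key names and the `'info'` fallback applying to one but not the other deserve a comment, since an unset level in setup_blacklist means no blacklog chain is created at all. The `'-m state --state NEW,INVALID '` literal (trailing space included) is now duplicated in setup_blacklist and add_common_rules, and a shared constant would keep the two from drifting. The bodies of setup_blacklist and add_common_rules both extend beyond the hunks shown.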


@ -329,8 +329,8 @@ stop_firewall() {
emit "
for chain in INPUT OUTPUT; do
setpolicy \$chain DROP
done";
emit '';
done
";
} else {
emit "
for chain in INPUT OUTPUT; do
@ -339,9 +339,8 @@ stop_firewall() {
setpolicy FORWARD DROP
deleteallchains";
emit '';
deleteallchains
";
for my $hosts ( @$criticalhosts ) {
my ( $interface, $host ) = ( split /,/, $hosts );
@ -357,9 +356,9 @@ stop_firewall() {
for chain in INPUT FORWARD; do
setcontinue \$chain
done";
done
";
emit '';
}
} elsif ( ! $config{ADMINISABSENTMINDED} ) {
emit "
@ -380,9 +379,8 @@ stop_firewall() {
for chain in INPUT FORWARD; do
setcontinue \$chain
done";
emit '';
done
";
}
push_indent;