Add 'logdrop' and 'logreject' commands for dynamic blacklisting with logging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3715 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-03-23 16:37:45 +00:00
parent 5351d30446
commit f0372d9209
5 changed files with 76 additions and 7 deletions


@ -6,6 +6,8 @@ Changes in 3.2.0 Beta 2
3) Add 'refreshed' extension script.
4) Implement 'logdrop' and 'logreject'
Changes in 3.1.x. and 3.2.x
1) Removal of dynamic zones.


@ -7261,15 +7261,23 @@ initialize_netfilter () {
createchain reject no
createchain dynamic no
createchain logdrop no
createchain logreject no
createchain smurfs no
log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP
log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT
run_iptables -A logdrop -j DROP
run_iptables -A logreject -j reject
indent >&3 << __EOF__
if [ -f /var/lib/shorewall/save ]; then
progress_message2 "Setting up dynamic rules..."
while read target ignore1 ignore2 address rest; do
case \$target in
DROP|reject)
DROP|reject|logdrop|logreject)
run_iptables -A dynamic -s \$address -j \$target
;;
esac
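Review bot: The new `logdrop` and `logreject` chains log every packet from a blacklisted source with no rate limit visible in this hunk (`log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP` followed by an unconditional `-j DROP`), so a blacklisted host sending a packet flood can fill the kernel log with exactly the traffic the blacklist is meant to absorb quietly. Unless `log_rule` already applies `-m limit` (not visible here), consider emitting the LOG rule with a limit before the terminating rule, or at least stating in the release notes that these targets are unthrottled so operators can prefer plain `drop` for noisy sources. The restore loop also now re-applies `logdrop`/`logreject` targets read from `/var/lib/shorewall/save`, which is fine only because both chains are created above it in the same function; a comment such as `# chains must exist before the save file is replayed` would protect that ordering. `initialize_netfilter` starts and ends outside this hunk.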


@ -161,7 +161,7 @@ drop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored
Shorewall allow, drop, reject and save implement dynamic blacklisting.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
@ -215,12 +215,30 @@ iprange)
equivalent list of network/host addresses."
;;
logdrop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored and loged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
logwatch)
echo "logwatch: logwatch [<refresh interval>]
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged."
;;
logreject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected and logged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
refresh)
echo "refresh: refresh
The rules involving the broadcast addresses of firewall interfaces,
@ -232,7 +250,7 @@ reject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
@ -283,7 +301,7 @@ save)
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\""
;;
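Review bot: The new `logdrop` help text has a typo in the added line `Causes packets from the specified <address> to be ignored and loged.`; it should read `... to be ignored and logged.`, matching the `logreject` entry. Both new entries could also state where the messages go, since that is the only behavioural difference from `drop`/`reject` and the release notes already spell it out: `Packets are logged at BLACKLIST_LOGLEVEL if one was set at the last [re]start, otherwise at 'info'.` The `logreject)` arm is inserted after `logwatch)`, which appears to break the alphabetical order the surrounding arms follow (`iprange`, `logdrop`, `logwatch`, `refresh`, `reject`, `save`); moving it above `logwatch)` keeps the help output predictable. The enclosing `case` starts and ends outside this section.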


@ -43,6 +43,17 @@ Other changes in 3.2.0 Beta 2
1) A 'refreshed' extension script has been added -- it is executed after
"shorewall refresh" has finished.
2) Two new dynamic blacklisting commands have been added:
logdrop -- like 'drop' but causes the dropped packets to be logged.
logreject -- like 'reject' but causes the rejected packets to be
logged.
Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the
last "shorewall [re]start"; otherwise, they are logged at the 'info'
log level.
Migration Considerations:
1) A number of macros have been split into two. The macros affected are:


@ -1314,6 +1314,8 @@ usage() # $1 = exit status
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
echo " ipdecimal { <address> | <integer> }"
echo " iprange <address>-<address>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]"
echo " refresh"
echo " reject <address> ..."
@ -1777,6 +1779,8 @@ case "$COMMAND" in
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped"
done
@ -1786,7 +1790,7 @@ case "$COMMAND" in
exit 2
fi
;;
reject)
logdrop)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
@ -1795,7 +1799,29 @@ case "$COMMAND" in
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
$IPTABLES -A dynamic -s $1 -j reject || break 1
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j logdrop || break 1
echo "$1 Dropped"
done
mutex_off
else
error_message "ERROR: Shorewall is not started"
exit 2
fi
;;
reject|logreject)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $COMMAND || break 1
echo "$1 Rejected"
done
mutex_off
@ -1811,7 +1837,11 @@ case "$COMMAND" in
mutex_on
while [ $# -gt 1 ]; do
shift
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then
if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
qt $IPTABLES -D dynamic -s $1 -j logreject
then
echo "$1 Allowed"
else
echo "$1 Not Dropped or Rejected"
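Review bot: The new `logdrop)` arm is a verbatim copy of the `drop)` arm with only the `-j` target changed, while `logreject` was folded into `reject)` via `-j $COMMAND`; the result is that the four-target delete list (`-D dynamic -s $1 -j reject|DROP|logreject|logdrop`) now appears three times in the add paths plus once in `allow`, and any future target will have to be added in every copy. Folding all four commands into one arm that maps `$COMMAND` to its chain (only `drop` differs, because its target is the builtin `DROP`) keeps the delete list in one place and makes the success message follow from the same mapping. The address in `$1` is passed unquoted to iptables in every copy; since the command line is operator-controlled this is not an injection concern, but a validation comment such as `# $1 is an operator-supplied address; iptables rejects malformed values` would record that the reliance is deliberate. The enclosing `case "$COMMAND" in` starts and ends outside this section.
```shell
drop|logdrop|reject|logreject)
    [ -n "$debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    # 'drop' uses the builtin DROP target; the other three are chains created
    # by the compiled firewall script (reject, logdrop, logreject)
    case $COMMAND in
        drop)
            target=DROP; verb=Dropped ;;
        logdrop)
            target=logdrop; verb=Dropped ;;
        *)
            target=$COMMAND; verb=Rejected ;;
    esac
    if shorewall_is_started ; then
        mutex_on
        while [ $# -gt 1 ]; do
            shift
            # remove any existing dynamic rule for this address so only one remains
            for old in reject DROP logreject logdrop; do
                qt $IPTABLES -D dynamic -s $1 -j $old
            done
            $IPTABLES -A dynamic -s $1 -j $target || break 1
            echo "$1 $verb"
        done
        mutex_off
    else
        # … unchanged: "Shorewall is not started" error path …
    fi
    ;;
```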