Add 'logdrop' and 'logreject' commands for dynamic blacklisting with logging

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3715 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-03-23 16:37:45 +00:00
parent 5351d30446
commit f0372d9209
5 changed files with 76 additions and 7 deletions


@ -6,6 +6,8 @@ Changes in 3.2.0 Beta 2
3) Add 'refreshed' extension script. 3) Add 'refreshed' extension script.
4) Implement 'logdrop' and 'logreject'
Changes in 3.1.x. and 3.2.x Changes in 3.1.x. and 3.2.x
1) Removal of dynamic zones. 1) Removal of dynamic zones.
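Review bot: the new entry on the 4) line is missing the trailing period that the surrounding entries in this list use ("3) Add 'refreshed' extension script."); suggest `4) Implement 'logdrop' and 'logreject'.` or, to match the wording in the release notes, `4) Add 'logdrop' and 'logreject' dynamic blacklisting commands.`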


@ -7261,15 +7261,23 @@ initialize_netfilter () {
createchain reject no createchain reject no
createchain dynamic no createchain dynamic no
createchain logdrop no
createchain logreject no
createchain smurfs no createchain smurfs no
log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP
log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT
run_iptables -A logdrop -j DROP
run_iptables -A logreject -j reject
indent >&3 << __EOF__ indent >&3 << __EOF__
if [ -f /var/lib/shorewall/save ]; then if [ -f /var/lib/shorewall/save ]; then
progress_message2 "Setting up dynamic rules..." progress_message2 "Setting up dynamic rules..."
while read target ignore1 ignore2 address rest; do while read target ignore1 ignore2 address rest; do
case \$target in case \$target in
DROP|reject) DROP|reject|logdrop|logreject)
run_iptables -A dynamic -s \$address -j \$target run_iptables -A dynamic -s \$address -j \$target
;; ;;
esac esac
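Review bot: the restore loop now accepts `logdrop` and `logreject` targets read from /var/lib/shorewall/save, but the side that writes that file (the `save` command) is not part of this diff; confirm that `save` records the chain name verbatim as `logdrop` / `logreject`, because the `case \$target in` pattern matches it literally and a saved entry with any other spelling is silently skipped at restart. The chain wiring itself looks right: `logdrop` logs at `${BLACKLIST_LOGLEVEL:-info}` and then jumps to the built-in DROP, while `logreject` logs and jumps to the existing `reject` chain created two lines above, which is what the existing `reject` target already does.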


@ -161,7 +161,7 @@ drop)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored Causes packets from the specified <address> to be ignored
Shorewall allow, drop, reject and save implement dynamic blacklisting. Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\"" See also \"help address\""
;; ;;
@ -215,12 +215,30 @@ iprange)
equivalent list of network/host addresses." equivalent list of network/host addresses."
;; ;;
logdrop)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be ignored and loged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
logwatch) logwatch)
echo "logwatch: logwatch [<refresh interval>] echo "logwatch: logwatch [<refresh interval>]
Monitors the LOGFILE, $LOGFILE, Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged." and produces an audible alarm when new Shorewall messages are logged."
;; ;;
logreject)
echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected and logged.
Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\""
;;
refresh) refresh)
echo "refresh: refresh echo "refresh: refresh
The rules involving the broadcast addresses of firewall interfaces, The rules involving the broadcast addresses of firewall interfaces,
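Review bot: typo in the new logdrop help text: "ignored and loged" should be "ignored and logged" (the logreject entry below spells it correctly). The help cases in this block are also kept in alphabetical order (iprange, logwatch, refresh, reject, ...), but `logreject)` is inserted after `logwatch)`; it belongs between `logdrop)` and `logwatch)`, which is the order the usage() listing in this same commit uses (logdrop, logreject, logwatch).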
@ -232,7 +250,7 @@ reject)
echo "$1: $1 <address> ... echo "$1: $1 <address> ...
Causes packets from the specified <address> to be rejected Causes packets from the specified <address> to be rejected
Shorewall allow, drop, rejct and save implement dynamic blacklisting. Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help address\"" See also \"help address\""
;; ;;
@ -283,7 +301,7 @@ save)
and 'shorewall -f start' commands. If <file name> is not given then the state is saved and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf. in the file specified by the RESTOREFILE option in shorewall.conf.
Shorewall allow, drop, rejct and save implement dynamic blacklisting. Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting.
See also \"help restore\" and \"help forget\"" See also \"help restore\" and \"help forget\""
;; ;;


@ -43,6 +43,17 @@ Other changes in 3.2.0 Beta 2
1) A 'refreshed' extension script has been added -- it is executed after 1) A 'refreshed' extension script has been added -- it is executed after
"shorewall refresh" has finished. "shorewall refresh" has finished.
2) Two new dynamic blacklisting commands have been added:
logdrop -- like 'drop' but causes the dropped packets to be logged.
logreject -- like 'reject' but causes the rejected packets to be
logged.
Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the
last "shorewall [re]start"; otherwise, they are logged at the 'info'
log level.
Migration Considerations: Migration Considerations:
1) A number of macros have been split into two. The macros affected are: 1) A number of macros have been split into two. The macros affected are:
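Review bot: the release note should also say what `allow` and `save` do with the new entries, since this commit changes both: `allow` now removes logdrop/logreject entries as well as drop/reject ones, and saved entries of either kind are re-added at the next restart. As written, a reader can only infer that from the help text ("allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting").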


@ -1314,6 +1314,8 @@ usage() # $1 = exit status
echo " ipcalc { <address>/<vlsm> | <address> <netmask> }" echo " ipcalc { <address>/<vlsm> | <address> <netmask> }"
echo " ipdecimal { <address> | <integer> }" echo " ipdecimal { <address> | <integer> }"
echo " iprange <address>-<address>" echo " iprange <address>-<address>"
echo " logdrop <address> ..."
echo " logreject <address> ..."
echo " logwatch [<refresh interval>]" echo " logwatch [<refresh interval>]"
echo " refresh" echo " refresh"
echo " reject <address> ..." echo " reject <address> ..."
@ -1777,6 +1779,8 @@ case "$COMMAND" in
shift shift
qt $IPTABLES -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j DROP || break 1 $IPTABLES -A dynamic -s $1 -j DROP || break 1
echo "$1 Dropped" echo "$1 Dropped"
done done
@ -1786,7 +1790,7 @@ case "$COMMAND" in
exit 2 exit 2
fi fi
;; ;;
reject) logdrop)
[ -n "$debugging" ] && set -x [ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
@ -1795,7 +1799,29 @@ case "$COMMAND" in
shift shift
qt $IPTABLES -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j DROP
$IPTABLES -A dynamic -s $1 -j reject || break 1 qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j logdrop || break 1
echo "$1 Dropped"
done
mutex_off
else
error_message "ERROR: Shorewall is not started"
exit 2
fi
;;
reject|logreject)
[ -n "$debugging" ] && set -x
[ $# -eq 1 ] && usage 1
if shorewall_is_started ; then
mutex_on
while [ $# -gt 1 ]; do
shift
qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic -s $1 -j $COMMAND || break 1
echo "$1 Rejected" echo "$1 Rejected"
done done
mutex_off mutex_off
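Review bot: the four `qt $IPTABLES -D dynamic -s $1 -j ...` lines are now copied verbatim into the drop, logdrop and reject|logreject blocks (and again in allow); a small helper such as `delete_dynamic() { for t in reject DROP logreject logdrop; do qt $IPTABLES -D dynamic -s $1 -j $t; done; }` called as `delete_dynamic $1` would keep the four copies from drifting when another target is added. Also, the logdrop block echoes "$1 Dropped" exactly like drop does, so the command output no longer tells the operator whether logging is in effect; something like "$1 Dropped (logged)" would keep `shorewall logdrop` distinguishable in scripts and in the operator's terminal log.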
@ -1811,7 +1837,11 @@ case "$COMMAND" in
mutex_on mutex_on
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
qt $IPTABLES -D dynamic -s $1 -j logreject
then
echo "$1 Allowed" echo "$1 Allowed"
else else
echo "$1 Not Dropped or Rejected" echo "$1 Not Dropped or Rejected"
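Review bot: the trailing backslashes in the three `||\` continuations are redundant: a line that ends in `||` is already continued by the shell, so the plain `||` at end of line reads better and avoids the unusual `||\` spacing. The logic is fine as is: every add command first deletes the other three rules for the address, so at most one of the four `-D` calls can succeed, and the `||` chain short-circuits on it.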