Commit Graph

27 Commits

Author SHA1 Message Date
Tom Eastep
fa7ad6bd74
Update blacklisting article:
- ipset-based blacklisting
- BLACKLIST policy and action

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-26 13:17:46 -08:00
Matt Darfeuille
0925636995
(Fwd) [Shorewall-users] Shorewall-lite on OpenWRT
On 7 Jun 2016 at 8:21, Tom Eastep wrote:

> On 06/07/2016 06:40 AM, Matt Darfeuille wrote:
> > On 5 Jun 2016 at 12:53, Tom Eastep wrote:
> >
> >> On 06/05/2016 12:33 PM, Matt Darfeuille wrote:
> >>> On 5 Jun 2016 at 7:57, Tom Eastep wrote:
> >>>
> >>>> On 05/29/2016 02:00 AM, Matt Darfeuille wrote:
> >>>>
> >>>> Hi Matt,
> >>>>
> >>>>>
> >>>>> -------------- Enclosure number 1 ----------------
> >>>>> >From 6ff651108df33ab8be4562caef03a8582e9eac5e Mon Sep 17 00:00:00 2001
> >>>>> From: Matt Darfeuille <matdarf@gmail.com>
> >>>>> Date: Tue, 24 May 2016 13:10:28 +0200
> >>>>> Subject: [PATCH 1/8] Emulate 'ps -p' using grep to work on openwrt
> >>>>>
> >>>>> Signed-off-by: Matt Darfeuille <matdarf@gmail.com>
> >>>>> ---
> >>>>>  Shorewall-core/lib.common | 2 +-
> >>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>>>
> >>>>> diff --git a/Shorewall-core/lib.common b/Shorewall-core/lib.common
> >>>>> index 03ecb2a..fcb02ee 100644
> >>>>> --- a/Shorewall-core/lib.common
> >>>>> +++ b/Shorewall-core/lib.common
> >>>>> @@ -776,7 +776,7 @@ mutex_on()
> >>>>>  		error_message "WARNING: Stale lockfile ${lockf} removed"
> >>>>>  	    elif [ $lockpid -eq $$ ]; then
> >>>>>                  return 0
> >>>>> -	    elif ! qt ps p ${lockpid}; then
> >>>>> +	    elif ! qt ps | grep -v grep | grep ${lockpid}; then
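Review bot: the trailing `grep ${lockpid}` on the added `elif` line matches the pid as a substring anywhere in the `ps` output, so a lock file holding 123 is also satisfied by a running process 1234, or by any command line that contains 123, and a stale lock would be treated as live. Match the pid as a whole field instead, for example by comparing it against the pid column of each `ps` line, which also makes the `grep -v grep` stage unnecessary. Wherever `qt` ends up, it should wrap only the final command in the pipeline so that the exit status tested by `!` is that of the match.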
> >>>>
> >>>> I don't see how this can work -- 'qt ps' will produce no output yet the
> >>>> code pipes into tandem greps.
> >>>>
> >>>> Do you really want this instead?
> >>>>
> >>>> elif ! ps | grep -v grep | qt grep ${lockpid}; then
> >>>>
> >>>
> >>> Oops sorry Tom, that's what I meant(do you want the corrected
> >>> patch?)!
> >>
> >> Yes, please.
> >>
> >
> > Tom, along with correcting this faulty commit I realize, after some
> > more testing, that I've also sent unnecessary commits.
> >
> > Should I revert these 3 commits(git revert ...):
> > Set proper permissions for the LOCKFILE on openwrt
> > 2ded346cb557212389212fd5adcd4c6800edbb62
> > Create lockfile before using openwrt's lock utility
> > 08e8796ff1abc3b24b8bbd40bf5e0a2b36464d61
> > Emulate 'ps -p' using grep to work on openwrt
> > 6ff651108df33ab8be4562caef03a8582e9eac5e
> >
> > or should I simply create new commits that will correct these faulty
> > commits?
> >
> > In other words, what's the best way to correct submitted commits?
> >
>
> Matt,
>
> Either way is fine.
>

Hopefully these 3 commits will do it(code-fixes.patch):

Patch 1 will correct the error you have pointed out!
On OpenWRT the lock utility doesn't allow to append the pid of the
currently running script to the LOCKFILE that's why I've simply
deleted that line(patch 2).
I've also reordered the permissions line to be added after the line
that will lock the file specified by the LOCKFILE variable(patch 3).

and two other patches:
While installing shorewall-init using the DESTDIR variable on debian,
'mkdir' would complain if the directory ${DESTDIR}/${etc}/default
already exists; corrected using 'mkdir -p ...' (patch 4).
The last patch will correct a typo in the blacklisting_support
article.

-Matt

-------------- Enclosure number 1 ----------------
>From 1a2ff15c8dc994030e819d2882570d188b99c501 Mon Sep 17 00:00:00 2001
From: Matt Darfeuille <matdarf@gmail.com>
Date: Wed, 8 Jun 2016 09:09:46 +0200
Subject: [PATCH 1/5] Correct pid detection mutex_on()

Signed-off-by: Matt Darfeuille <matdarf@gmail.com>
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-06-08 15:40:48 -07:00
Tom Eastep
a47cfb4f63 Update the blacklisting article for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-17 15:48:10 -08:00
Tom Eastep
35f33b325f Update blacklisting article
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2015-10-05 08:18:52 -07:00
Tom Eastep
9535a7d7df Rename 'Trigger' to 'Event' and document
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-07-11 10:39:21 -07:00
Tom Eastep
d053faadde Allow conversion of a legacy blacklist configuration
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-11-08 12:59:40 -08:00
Tom Eastep
0a605c63f2 Add note about separate blacklist file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-10-31 08:46:11 -07:00
Tom Eastep
835a056eb8 Implement BLACKLIST section in the rules file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-10-03 16:02:01 -07:00
Tom Eastep
e940f5018e Implement whitelisting.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-05-18 08:30:01 -07:00
Tom Eastep
1d650b41cd Remove blacklisting by destination IP address support
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-15 15:24:58 -07:00
Tom Eastep
b937290740 Add version cautions to blacklisting doc
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-12 07:58:13 -07:00
Tom Eastep
50b4bd8dfe More Blacklist and Secmark documentation updates
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-06 17:26:49 -07:00
Tom Eastep
0234564a1b Add destination IP blacklisting
2010-08-10 17:33:50 -07:00
Tom Eastep
e061d15baf Update blacklisting doc with 4.4.10 behavior.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-06-08 11:32:39 -07:00
Tom Eastep
e788b4c0f6 Mention DYNAMIC_BLACKLIST in the blacklisting doc.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-02 11:13:44 -08:00
Tom Eastep
28b0e99492 Explain how to list the dynamic blacklist
2009-10-06 10:20:09 -07:00
teastep
c31f899749 Documentation update for Shorewall 4.3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9561 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2009-02-28 03:45:43 +00:00
teastep
1cd0d84a16 Add note about 3.2.6 and 'find_first_interface_address'
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8608 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2008-07-07 20:22:09 +00:00
teastep
aec1efe323 More hacks to make xsltproc work
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8604 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2008-07-04 15:25:44 +00:00
teastep
9a326105aa Remove DOCTYPE
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8602 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2008-07-04 15:11:51 +00:00
teastep
fe5af63b14 First cut at removing references to Documentation.htm
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6774 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-07-04 00:10:35 +00:00
teastep
f96772989c First batch of mindless ID changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6693 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-06-28 15:09:37 +00:00
bvukich
b24efabfe7 Punctuation Consistency layer-2 vs. layer 2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5252 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-01-18 15:30:55 +00:00
judas_iscariote
109b948d42 I always forget to update the pub date, this is not going
to happen anymore. :)


git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-07-07 01:04:16 +00:00
teastep
467e62de62 More documentation changes for Lite
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4082 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-06-13 00:07:00 +00:00
teastep
fd4db81725 Add 'logdrop' and 'logreject' commands for dynamic blacklisting with logging
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3716 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-03-23 16:47:07 +00:00
judas_iscariote
4033e6051b renamed to a simpler "docs"
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3521 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-02-23 01:22:17 +00:00