# HG changeset patch
# User Michiel Broek
# Date 1445769183 -3600
# Node ID 2e298d35241fe686e520c3b33689672b19c00c38
# Parent c8e957eb1b36b8f57f3d9c50ccd3b1a6534be227
Added options to log to syslog or nflog.

diff -r c8e957eb1b36 -r 2e298d35241f etc/firewall.conf
--- a/etc/firewall.conf Sun Apr 19 11:13:22 2015 +0200
+++ b/etc/firewall.conf Sun Oct 25 11:33:03 2015 +0100
@@ -100,6 +100,11 @@
 # for more details.
 #FW_NO_BRIDGE_NF_CALL="1"
+# Log destination. Default is syslog, but you can select nflog that uses the
+# ulogd facility. Or, write your own.
+FW_LOGDEST=(LOG --log-level info --log-prefix)
+#FW_LOGDEST=(NFLOG --nflog-group 0 --nflog-prefix)
 # Install a ssh backdoor from this IP. The examples show an exact IP address,
 # but you can use networks if you like. Exact is better of course.
 # for IPv4 use: 2.3.4.5/32
diff -r c8e957eb1b36 -r 2e298d35241f sbin/mbse-firewall
--- a/sbin/mbse-firewall Sun Apr 19 11:13:22 2015 +0200
+++ b/sbin/mbse-firewall Sun Oct 25 11:33:03 2015 +0100
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
-MBSEFW_VERSION="0.0.19"
+MBSEFW_VERSION="0.0.20"
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
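Review bot: The new FW_LOGDEST comment in firewall.conf does not warn that the NFLOG variant only produces log lines while a userspace listener such as ulogd is bound to the chosen `--nflog-group`; as far as I know the kernel has nowhere to hand the packet otherwise, so the DENY events are lost silently, whereas the LOG target always reaches the kernel ring buffer. It should also state that the value is a bash array whose last element must be the prefix option, because the rules in sbin/mbse-firewall append the `"DENY=..."` string as the next argument after `"${FW_LOGDEST[@]}"`, and this hunk makes firewall.conf depend on bash array syntax for the first time. I would extend the comment with `# NFLOG only logs while ulogd (or another nflog listener) is attached to --nflog-group; with no listener denied packets are dropped unlogged.` and `# Bash array: target name, its options, and last the prefix option that receives the "DENY=..." string.`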
@@ -362,14 +362,14 @@
 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
 $IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
- $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_INPUT "
+ $IPTABLES -A INPUT -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_INPUT "
 $IPTABLES -A INPUT -p icmp -j DROP
 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/0 -j ACCEPT
 $IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 11/1 -j ACCEPT
- $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_OUTPUT "
+ $IPTABLES -A OUTPUT -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_OUTPUT "
 $IPTABLES -A OUTPUT -p icmp -j DROP
 if [ "$FW_FORWARD" = "1" ]; then
 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
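Review bot: The rewritten log rules in this hunk fail on an existing firewall.conf from 0.0.19 that does not define FW_LOGDEST: `"${FW_LOGDEST[@]}"` then expands to nothing, iptables is handed `-j "DENY=ICMPv4_INPUT "` and rejects the rule, while the following `-j DROP` is still installed, so the firewall keeps blocking but silently stops logging the ICMP denials. The config is sourced outside this hunk, so I would add a default right after that point, `[ "${#FW_LOGDEST[@]}" -eq 0 ] && FW_LOGDEST=(LOG --log-level info --log-prefix)`, which reproduces the pre-0.0.20 rule byte for byte. Whether the script runs under `set -e` or `set -u` is not visible here; if it does, the first failing rule aborts fw_start part-way through the ruleset, which is worse than lost logging. The enclosing function starts and ends outside this hunk.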
@@ -377,7 +377,7 @@
 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 8/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
 $IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
- $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_FORWARD "
+ $IPTABLES -A FORWARD -p icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_FORWARD "
 $IPTABLES -A FORWARD -p icmp -j DROP
 fi
@@ -435,12 +435,12 @@
 $IP6TABLES -A OUTPUT -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT
 # Drop unmatched icmpv6 but log them so we can debug
- $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_INPUT "
+ $IP6TABLES -A INPUT -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_INPUT "
 $IP6TABLES -A INPUT -p ipv6-icmp -j DROP
- $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_OUTPUT "
+ $IP6TABLES -A OUTPUT -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_OUTPUT "
 $IP6TABLES -A OUTPUT -p ipv6-icmp -j DROP
 [ "$FW_FORWARD" = "1" ] && {
- $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_FORWARD "
+ $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_FORWARD "
 $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP
 }
 fi
@@ -651,8 +651,8 @@
 fi
 fi
 # deny and log the rest
- $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
- [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
+ $IPTABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN "
+ [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN "
 $IPTABLES -A $NCHAIN $iodir ${INTF} -j DROP
 [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP
 echo -n "."
@@ -694,14 +694,14 @@
 $IPTABLES -A OUTPUT -j FINAL_RULE
 $IPTABLES -A INPUT -j FINAL_RULE
 [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -j FINAL_RULE
- $IPTABLES -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 "
+ $IPTABLES -A FINAL_RULE -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 "
 $IPTABLES -A FINAL_RULE -j DROP
 if [ "$USE_IPV6" = "1" ]; then
 $IP6TABLES -N FINAL_RULE
 $IP6TABLES -A OUTPUT -j FINAL_RULE
 $IP6TABLES -A INPUT -j FINAL_RULE
 [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -j FINAL_RULE
- $IP6TABLES -A FINAL_RULE -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=999 "
+ $IP6TABLES -A FINAL_RULE -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 "
 $IP6TABLES -A FINAL_RULE -j DROP
 fi
 echo "Firewall installed" | $LOGGER
@@ -910,15 +910,18 @@
 case "$cmd" in
 start)
+ [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd start
 fw_start
 ;;
 stop)
 fw_stop
+ [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd stop
 ;;
 restart)
 fw_stop
+ [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd restart
 fw_start
 ;;
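Review bot: The `"DENY=$NCHAIN "` prefix in the two rewritten rules of the 651 hunk now has a target-dependent length limit: iptables caps LOG's --log-prefix at 29 characters but NFLOG's --nflog-prefix at 64, so a chain name longer than 23 characters makes the rule fail to load with the default FW_LOGDEST while it loads fine with the NFLOG variant, and the `-j DROP` that follows is installed either way, leaving those denials unlogged. Where NCHAIN is built is not visible here, so I cannot tell whether names can reach that length; if they can, either truncate the prefix, `"DENY=${NCHAIN:0:23} "`, or validate the length of NCHAIN where the chain is created and fail loudly. The enclosing function starts and ends outside this hunk.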