Added options to log to syslog or nflog.

Sun, 25 Oct 2015 11:33:03 +0100

author
Michiel Broek <mbroek@mbse.eu>
date
Sun, 25 Oct 2015 11:33:03 +0100
changeset 9
2e298d35241f
parent 8
c8e957eb1b36
child 10
798ac120a09e

Added options to log to syslog or nflog.

--- a/etc/firewall.conf	Sun Apr 19 11:13:22 2015 +0200
+++ b/etc/firewall.conf	Sun Oct 25 11:33:03 2015 +0100
@@ -100,6 +100,11 @@
 # for more details.
 #FW_NO_BRIDGE_NF_CALL="1"
 
+# Log destination. Default is syslog, but you can select nflog that uses the
+# ulogd facility. Or, write your own.
+FW_LOGDEST=(LOG --log-level info --log-prefix)
+#FW_LOGDEST=(NFLOG --nflog-group 0 --nflog-prefix)
+
 # Install a ssh backdoor from this IP. The examples show an exact IP address,
 # but you can use networks if you like. Exact is better of course.
 # for IPv4 use: 2.3.4.5/32
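Review bot: The comment above the new `FW_LOGDEST` array does not state the contract the script relies on: the last word must be the option that takes the prefix text, because every logging rule appends the `"DENY=... "` string as the next argument after `"${FW_LOGDEST[@]}"`. A user who follows "Or, write your own" and ends the array with something other than a prefix option gets rules that iptables rejects. Suggest adding `# The last word must be the option that takes the prefix text (--log-prefix or --nflog-prefix); the script appends the prefix itself.` Since the value is a bash array, it also seems worth noting in the comment that this file must be sourced by bash, not a plain sh, if that is not already stated elsewhere in the file.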
--- a/sbin/mbse-firewall	Sun Apr 19 11:13:22 2015 +0200
+++ b/sbin/mbse-firewall	Sun Oct 25 11:33:03 2015 +0100
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
 
-MBSEFW_VERSION="0.0.19"
+MBSEFW_VERSION="0.0.20"
 
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -362,14 +362,14 @@
   $IPTABLES -A INPUT   -p icmp  -m icmp  --icmp-type 8/0  -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
   $IPTABLES -A INPUT   -p icmp  -m icmp  --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
   $IPTABLES -A INPUT   -p icmp  -m icmp  --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
-  $IPTABLES -A INPUT   -p icmp  -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_INPUT "
+  $IPTABLES -A INPUT   -p icmp  -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_INPUT "
   $IPTABLES -A INPUT   -p icmp  -j DROP
   $IPTABLES -A OUTPUT  -p icmp  -m icmp  --icmp-type 3    -j ACCEPT
   $IPTABLES -A OUTPUT  -p icmp  -m icmp  --icmp-type 0/0  -j ACCEPT
   $IPTABLES -A OUTPUT  -p icmp  -m icmp  --icmp-type 8/0  -j ACCEPT
   $IPTABLES -A OUTPUT  -p icmp  -m icmp  --icmp-type 11/0 -j ACCEPT
   $IPTABLES -A OUTPUT  -p icmp  -m icmp  --icmp-type 11/1 -j ACCEPT
-  $IPTABLES -A OUTPUT  -p icmp  -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_OUTPUT "
+  $IPTABLES -A OUTPUT  -p icmp  -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_OUTPUT "
   $IPTABLES -A OUTPUT  -p icmp  -j DROP
   if [ "$FW_FORWARD" = "1" ]; then
     $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type 3    -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
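Review bot: The three rewritten rules in this hunk pass `-j "${FW_LOGDEST[@]}" "DENY=ICMPv4_INPUT "` (and the OUTPUT variant), so on a host whose etc/firewall.conf predates this change and has no `FW_LOGDEST` the array expands to nothing and iptables receives `-j "DENY=ICMPv4_INPUT "`, rejecting the rule as an unknown target; the following `-j DROP` still loads, so dropped ICMP silently stops being logged. If the script runs under `set -u`, older bash aborts on the expansion itself. A default applied after the config is sourced (outside this hunk) would preserve the previous behaviour: `[ "${#FW_LOGDEST[@]}" -eq 0 ] && FW_LOGDEST=(LOG --log-level info --log-prefix)`. The same applies to the hunks at @@ -377, @@ -435, @@ -651 and @@ -694; the enclosing function starts and ends outside this hunk.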
@@ -377,7 +377,7 @@
     $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type 8/0  -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
     $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type 11/0 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
     $IPTABLES -A FORWARD -p icmp  -m icmp  --icmp-type 11/1 -m hashlimit --hashlimit 15/second --hashlimit-mode srcip --hashlimit-name icmp -j ACCEPT
-    $IPTABLES -A FORWARD -p icmp  -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv4_FORWARD "
+    $IPTABLES -A FORWARD -p icmp  -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv4_FORWARD "
     $IPTABLES -A FORWARD -p icmp  -j DROP
   fi
 
@@ -435,12 +435,12 @@
     $IP6TABLES -A OUTPUT  -p ipv6-icmp -d ff00::/8 -m icmp6 --icmpv6-type 143 -j ACCEPT
 
     # Drop unmatched icmpv6 but log them so we can debug
-    $IP6TABLES -A INPUT   -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_INPUT "
+    $IP6TABLES -A INPUT   -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_INPUT "
     $IP6TABLES -A INPUT   -p ipv6-icmp -j DROP
-    $IP6TABLES -A OUTPUT  -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_OUTPUT "
+    $IP6TABLES -A OUTPUT  -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_OUTPUT "
     $IP6TABLES -A OUTPUT  -p ipv6-icmp -j DROP
     [ "$FW_FORWARD" = "1" ] && {
-      $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=ICMPv6_FORWARD "
+      $IP6TABLES -A FORWARD -p ipv6-icmp -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=ICMPv6_FORWARD "
       $IP6TABLES -A FORWARD -p ipv6-icmp -j DROP
     }
   fi
@@ -651,8 +651,8 @@
       fi
     fi
     # deny and log the rest
-    $IPTABLES  -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
-    [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j LOG --log-level info --log-prefix "DENY=$NCHAIN "
+    $IPTABLES  -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN "
+    [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=$NCHAIN "
     $IPTABLES  -A $NCHAIN $iodir ${INTF} -j DROP
     [ "$USE_IPV6" == "1" ] && $IP6TABLES -A $NCHAIN $iodir ${INTF} -j DROP
     echo -n "."
@@ -694,14 +694,14 @@
   $IPTABLES -A OUTPUT  -j FINAL_RULE
   $IPTABLES -A INPUT   -j FINAL_RULE
   [ "$FW_FORWARD" = "1" ] && $IPTABLES -A FORWARD -j FINAL_RULE
-  $IPTABLES -A FINAL_RULE  -m limit --limit 10/minute -j LOG  --log-level info --log-prefix "DENY=999 "
+  $IPTABLES -A FINAL_RULE  -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 "
   $IPTABLES -A FINAL_RULE  -j DROP
   if [ "$USE_IPV6" = "1" ]; then
     $IP6TABLES -N FINAL_RULE
     $IP6TABLES -A OUTPUT  -j FINAL_RULE
     $IP6TABLES -A INPUT   -j FINAL_RULE
     [ "$FW_FORWARD" = "1" ] && $IP6TABLES -A FORWARD -j FINAL_RULE
-    $IP6TABLES -A FINAL_RULE  -m limit --limit 10/minute -j LOG  --log-level info --log-prefix "DENY=999 "
+    $IP6TABLES -A FINAL_RULE  -m limit --limit 10/minute -j "${FW_LOGDEST[@]}" "DENY=999 "
     $IP6TABLES -A FINAL_RULE  -j DROP
   fi
   echo "Firewall installed" | $LOGGER
@@ -910,15 +910,18 @@
 
 case "$cmd" in
   start)
+	  [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd start
 	  fw_start
 	  ;;
 
   stop)
 	  fw_stop
+	  [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd stop
 	  ;;
 
   restart)
 	  fw_stop
+	  [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd restart
 	  fw_start
 	  ;;
 
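Review bot: The three added `rc.ulogd` calls run whenever /etc/rc.d/rc.ulogd is executable, independent of whether `FW_LOGDEST` actually selects NFLOG, so a host that keeps the default LOG destination now starts a ulogd daemon that receives nothing, and `stop` takes ulogd down even if it was running for another reason. Guarding on the configured target makes the coupling explicit, e.g. `[ "${FW_LOGDEST[0]}" = "NFLOG" ] && [ -x /etc/rc.d/rc.ulogd ] && /etc/rc.d/rc.ulogd start`, and likewise in the `stop)` and `restart)` arms. Note also that the `stop)` arm now ends with the `[ -x ... ] && ...` test, so on a host without rc.ulogd the arm's status is non-zero; if nothing follows the `case` statement this becomes the exit status of `mbse-firewall stop`. The `case` statement continues outside this hunk.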
