From efb25e49141d20fcf80314a102b8e6f8c39059f1 Mon Sep 17 00:00:00 2001 From: Kevin Day Date: Wed, 14 Jan 2015 04:19:01 -0600 Subject: [PATCH] Bugfix: direction option was confusing because it was mixed with chains - Separate direction command into two separate commands: direction, and chain. - The chain command mimics iptables chains and is automatically populated by the custom lists (aka: custom chains). - When direction is set to something other than none, then the active ethernet device is used. - Code cleanup and changes were performed while working on this. - Added basic support for debugging, define _en_firewall_debug_ to enable custom debugging parameter. --- level_3/firewall/c/firewall.c | 9 +- level_3/firewall/c/firewall.h | 133 +++--- level_3/firewall/c/private-firewall.c | 466 +++++++++++---------- .../firewall/data/settings/example-device-firewall | 119 +++--- level_3/firewall/data/settings/firewall-first | 49 +-- level_3/firewall/data/settings/firewall-last | 12 +- level_3/firewall/data/settings/firewall-other | 23 +- 7 files changed, 438 insertions(+), 373 deletions(-) diff --git a/level_3/firewall/c/firewall.c b/level_3/firewall/c/firewall.c index eaca551..af2de59 100644 --- a/level_3/firewall/c/firewall.c +++ b/level_3/firewall/c/firewall.c @@ -59,6 +59,13 @@ extern "C"{ fl_print_color(f_standard_output, data.context.standout, data.context.reset, f_console_standard_long_version); printf(" Print only the version number"); + printf("\n %s", f_console_symbol_short_disable); + fl_print_color(f_standard_output, data.context.standout, data.context.reset, f_console_standard_short_debug); + + printf(", %s", f_console_symbol_long_disable); + fl_print_color(f_standard_output, data.context.standout, data.context.reset, f_console_standard_long_debug); + printf(" Enable debugging"); + printf("\n\n"); fl_print_color(f_standard_output, data.context.important, data.context.reset, " Available Commands: "); @@ -132,7 +139,7 @@ extern "C"{ if (status == f_no_data) { fl_print_color_line(f_standard_error, data->context.error, data->context.reset, "ERROR: One of the parameters you passed requires an additional parameter that you did not pass."); // TODO: there is a way to identify which parameter is incorrect - // to do this, one must look for any "has_additional" and then see if the "additiona" location is set to 0 + // to do this, one must look for any "has_additional" and then see if the "additional" location is set to 0 // nothing can be 0 as that represents the program name, unless argv[] is improperly created } else if (f_macro_test_for_allocation_errors(status)) { fl_print_color_line(f_standard_error, data->context.error, data->context.reset, "CRITICAL ERROR: unable to allocate memory"); diff --git a/level_3/firewall/c/firewall.h b/level_3/firewall/c/firewall.h index 21cc80a..08c1360 100644 --- a/level_3/firewall/c/firewall.h +++ b/level_3/firewall/c/firewall.h @@ -122,47 +122,31 @@ extern "C"{ #define firewall_rule "rule" #define firewall_rule_length 4 - #define firewall_direction "direction" - #define firewall_direction_input "input" - #define firewall_direction_output "output" - #define firewall_direction_forward "forward" - #define firewall_direction_postrouting "postrouting" - #define firewall_direction_prerouting "prerouting" - #define firewall_direction_none "none" - - #define firewall_direction_length 9 - #define firewall_direction_input_length 5 - #define firewall_direction_output_length 6 - #define firewall_direction_forward_length 7 - #define firewall_direction_postrouting_length 12 - #define firewall_direction_prerouting_length 11 - #define firewall_direction_none_length 4 - - #define firewall_direction_forward_input "forward-input" - #define firewall_direction_forward_output "forward-output" - #define firewall_direction_postrouting_input "postrouting-input" - #define firewall_direction_postrouting_output "postrouting-output" - #define firewall_direction_prerouting_input "prerouting-input" - #define firewall_direction_prerouting_output "prerouting-output" - - #define firewall_direction_forward_input_length 13 - #define firewall_direction_forward_output_length 14 - #define firewall_direction_postrouting_input_length 17 - #define firewall_direction_postrouting_output_length 18 - #define firewall_direction_prerouting_input_length 16 - #define firewall_direction_prerouting_output_length 17 - - #define firewall_direction_input_command "INPUT" - #define firewall_direction_output_command "OUTPUT" - #define firewall_direction_forward_command "FORWARD" - #define firewall_direction_postrouting_command "POSTROUTING" - #define firewall_direction_prerouting_command "PREROUTING" - - #define firewall_direction_input_command_length 5 - #define firewall_direction_output_command_length 6 - #define firewall_direction_forward_command_length 7 - #define firewall_direction_postrouting_command_length 11 - #define firewall_direction_prerouting_command_length 10 + #define firewall_chain "chain" + #define firewall_chain_forward "FORWARD" + #define firewall_chain_input "INPUT" + #define firewall_chain_none "none" + #define firewall_chain_output "OUTPUT" + #define firewall_chain_postrouting "POSTROUTING" + #define firewall_chain_prerouting "PREROUTING" + + #define firewall_chain_length 5 + #define firewall_chain_forward_length 7 + #define firewall_chain_input_length 5 + #define firewall_chain_none_length 4 + #define firewall_chain_output_length 6 + #define firewall_chain_postrouting_length 12 + #define firewall_chain_prerouting_length 11 + + #define firewall_direction "direction" + #define firewall_direction_input "input" + #define firewall_direction_output "output" + #define firewall_direction_none "none" + + #define firewall_direction_length 9 + #define firewall_direction_input_length 5 + #define firewall_direction_output_length 6 + #define firewall_direction_none_length 4 #define firewall_action "action" #define firewall_action_append "append" @@ -206,14 +190,13 @@ extern "C"{ #define firewall_protocol_length 8 #define firewall_protocol_none_length 4 - #define firewall_protocol_command "-p" - + #define firewall_protocol_command "-p" #define firewall_protocol_command_length 2 #define firewall_chain_create_command "-N" - #define firewall_chain_unchain_command "-X" + #define firewall_chain_unchain_command "-X" - #define firewall_chain_create_command_length 2 + #define firewall_chain_create_command_length 2 #define firewall_chain_unchain_command_length 2 enum { @@ -229,37 +212,63 @@ extern "C"{ firewall_parameter_light, firewall_parameter_no_color, firewall_parameter_version, + firewall_parameter_debug, firewall_parameter_command_start, firewall_parameter_command_stop, firewall_parameter_command_restart, firewall_parameter_command_lock, firewall_parameter_command_show, - firewall_direction_forward_id, - firewall_direction_postrouting_id, - firewall_direction_prerouting_id, + firewall_direction_input_id, + firewall_direction_output_id, firewall_direction_none_id, + firewall_chain_forward_id, + firewall_chain_custom_id, + firewall_chain_input_id, + firewall_chain_none_id, + firewall_chain_output_id, + firewall_chain_postrouting_id, + firewall_chain_prerouting_id, + firewall_action_append_id, firewall_action_insert_id, firewall_action_policy_id, firewall_action_none_id, }; - #define f_console_parameter_initialize_firewall \ - { \ - f_console_parameter_initialize(f_console_standard_short_help, f_console_standard_long_help, 0, 0, f_false, f_console_type_normal, 0), \ - f_console_parameter_initialize(f_console_standard_short_light, f_console_standard_long_light, 0, 0, f_false, f_console_type_inverse, 0), \ - f_console_parameter_initialize(f_console_standard_short_no_color, f_console_standard_long_no_color, 0, 0, f_false, f_console_type_inverse, 0), \ - f_console_parameter_initialize(f_console_standard_short_version, f_console_standard_long_version, 0, 0, f_false, f_console_type_inverse, 0), \ - f_console_parameter_initialize(0, 0, 0, firewall_command_start, f_false, f_console_type_other, firewall_command_start_length), \ - f_console_parameter_initialize(0, 0, 0, firewall_command_stop, f_false, f_console_type_other, firewall_command_stop_length), \ - f_console_parameter_initialize(0, 0, 0, firewall_command_restart, f_false, f_console_type_other, firewall_command_restart_length), \ - f_console_parameter_initialize(0, 0, 0, firewall_command_lock, f_false, f_console_type_other, firewall_command_lock_length), \ - f_console_parameter_initialize(0, 0, 0, firewall_command_show, f_false, f_console_type_other, firewall_command_show_length), \ - } - - #define firewall_total_parameters 9 + #ifdef _en_firewall_debug_ + #define f_console_parameter_initialize_firewall \ + { \ + f_console_parameter_initialize(f_console_standard_short_help, f_console_standard_long_help, 0, 0, f_false, f_console_type_normal, 0), \ + f_console_parameter_initialize(f_console_standard_short_light, f_console_standard_long_light, 0, 0, f_false, f_console_type_inverse, 0), \ + f_console_parameter_initialize(f_console_standard_short_no_color, f_console_standard_long_no_color, 0, 0, f_false, f_console_type_inverse, 0), \ + f_console_parameter_initialize(f_console_standard_short_version, f_console_standard_long_version, 0, 0, f_false, f_console_type_inverse, 0), \ + f_console_parameter_initialize(f_console_standard_short_debug, f_console_standard_long_debug, 0, 0, f_false, f_console_type_inverse, 0), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_start, f_false, f_console_type_other, firewall_command_start_length), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_stop, f_false, f_console_type_other, firewall_command_stop_length), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_restart, f_false, f_console_type_other, firewall_command_restart_length), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_lock, f_false, f_console_type_other, firewall_command_lock_length), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_show, f_false, f_console_type_other, firewall_command_show_length), \ + } + + #define firewall_total_parameters 10 + #else + #define f_console_parameter_initialize_firewall \ + { \ + f_console_parameter_initialize(f_console_standard_short_help, f_console_standard_long_help, 0, 0, f_false, f_console_type_normal, 0), \ + f_console_parameter_initialize(f_console_standard_short_light, f_console_standard_long_light, 0, 0, f_false, f_console_type_inverse, 0), \ + f_console_parameter_initialize(f_console_standard_short_no_color, f_console_standard_long_no_color, 0, 0, f_false, f_console_type_inverse, 0), \ + f_console_parameter_initialize(f_console_standard_short_version, f_console_standard_long_version, 0, 0, f_false, f_console_type_inverse, 0), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_start, f_false, f_console_type_other, firewall_command_start_length), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_stop, f_false, f_console_type_other, firewall_command_stop_length), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_restart, f_false, f_console_type_other, firewall_command_restart_length), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_lock, f_false, f_console_type_other, firewall_command_lock_length), \ + f_console_parameter_initialize(0, 0, 0, firewall_command_show, f_false, f_console_type_other, firewall_command_show_length), \ + } + + #define firewall_total_parameters 9 + #endif // _en_firewall_debug_ #endif // _di_firewall_defines_ #ifndef _di_firewall_data_ diff --git a/level_3/firewall/c/private-firewall.c b/level_3/firewall/c/private-firewall.c index a4e03c6..e9f381d 100644 --- a/level_3/firewall/c/private-firewall.c +++ b/level_3/firewall/c/private-firewall.c @@ -20,12 +20,11 @@ f_dynamic_string ip_list = f_dynamic_string_initialize; // iptables command arguments - f_bool direction_input = f_true; - f_bool direction_output = f_false; f_bool device_all = f_false; f_bool ip_list_direction = f_false; // false = source, true = destination f_bool use_protocol = f_false; uint8_t tool = firewall_program_ip46tables; + uint8_t chain = firewall_chain_none_id; f_array_length repeat = 2; f_array_length r = 0; @@ -53,6 +52,11 @@ device.used = data.devices.array[local.device].used; } + // for custom chains, the chain command may not be specified. + if (!(local.is_main || local.is_stop || local.is_lock)) { + chain = firewall_chain_custom_id; + } + for (; i < local.rule_objects.used; i++) { length = (local.rule_objects.array[i].stop - local.rule_objects.array[i].start) + 1; invalid = f_false; @@ -62,89 +66,68 @@ f_delete_dynamic_string(status2, ip_list); - if (length >= firewall_direction_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_direction, length, firewall_direction_length) == f_equal_to) { + // process chain rule + if (length >= firewall_chain_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_chain, length, firewall_chain_length) == f_equal_to) { + if (chain == firewall_chain_custom_id) { + // custom chains can only apply to themselves, so silently ignore chain commands specified within a custom chain. + fprintf(f_standard_warning, "WARNING: At line %u, the chain option is meaningless inside of a custom chain.", (unsigned int) i); + continue; + } + length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1; if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) { invalid = f_true; - } else { - if (length < firewall_direction_input_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_input, length, firewall_direction_input_length) == f_not_equal_to) { - if (length < firewall_direction_output_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_output, length, firewall_direction_output_length) == f_not_equal_to) { - if (length < firewall_direction_forward_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_forward, length, firewall_direction_forward_length) == f_not_equal_to) { - if (length < firewall_direction_postrouting_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_postrouting, length, firewall_direction_postrouting_length) == f_not_equal_to) { - if (length < firewall_direction_prerouting_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_prerouting, length, firewall_direction_prerouting_length) == f_not_equal_to) { - if (length < firewall_direction_none_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_none, length, firewall_direction_none_length) == f_not_equal_to) { - if (length < firewall_direction_forward_input_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_forward_input, length, firewall_direction_forward_input_length) == f_not_equal_to) { - if (length < firewall_direction_forward_output_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_forward_output, length, firewall_direction_forward_output_length) == f_not_equal_to) { - if (length < firewall_direction_postrouting_input_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_postrouting_input, length, firewall_direction_postrouting_input_length) == f_not_equal_to) { - if (length < firewall_direction_postrouting_output_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_postrouting_output, length, firewall_direction_postrouting_output_length) == f_not_equal_to) { - if (length < firewall_direction_prerouting_input_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_prerouting_input, length, firewall_direction_prerouting_input_length) == f_not_equal_to) { - if (length < firewall_direction_prerouting_output_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_prerouting_output, length, firewall_direction_prerouting_output_length) == f_not_equal_to) { - invalid = f_true; - } else { - direction_input = f_false; - direction_output = f_true; - direction = firewall_direction_prerouting_id; - } - } else { - direction_input = f_true; - direction_output = f_false; - direction = firewall_direction_prerouting_id; - } - } else { - direction_input = f_false; - direction_output = f_true; - direction = firewall_direction_postrouting_id; - } - } else { - direction_input = f_true; - direction_output = f_false; - direction = firewall_direction_postrouting_id; - } - } else { - direction_input = f_false; - direction_output = f_true; - direction = firewall_direction_forward_id; - } - } else { - direction_input = f_true; - direction_output = f_false; - direction = firewall_direction_forward_id; - } - } else { - direction_input = f_false; - direction_output = f_false; - direction = firewall_direction_none_id; - } - } else { - direction_input = f_false; - direction_output = f_false; - direction = firewall_direction_postrouting_id; - } - } else { - direction_input = f_false; - direction_output = f_false; - direction = firewall_direction_prerouting_id; - } - } else { - direction_input = f_false; - direction_output = f_false; - direction = firewall_direction_forward_id; - } - } else { - direction_input = f_false; - direction_output = f_true; - direction = firewall_direction_none_id; - } - } else { - direction_input = f_true; - direction_output = f_false; - direction = firewall_direction_none_id; - } + } + else if (length >= firewall_chain_input_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_input, length, firewall_chain_input_length) == f_equal_to) { + chain = firewall_chain_input_id; + } + else if (length >= firewall_chain_output_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_output, length, firewall_chain_output_length) == f_equal_to) { + chain = firewall_chain_output_id; + } + else if (length >= firewall_chain_forward_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_forward, length, firewall_chain_forward_length) == f_equal_to) { + chain = firewall_chain_forward_id; + } + else if (length >= firewall_chain_postrouting_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_postrouting, length, firewall_chain_postrouting_length) == f_equal_to) { + chain = firewall_chain_postrouting_id; + } + else if (length >= firewall_chain_prerouting_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_prerouting, length, firewall_chain_prerouting_length) == f_equal_to) { + chain = firewall_chain_prerouting_id; + } + else if (length >= firewall_chain_none_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_none, length, firewall_chain_none_length) == f_equal_to) { + chain = firewall_chain_none_id; + } + else { + invalid = f_true; + } + + if (!invalid) continue; + } + // process direction rule + else if (length >= firewall_direction_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_direction, length, firewall_direction_length) == f_equal_to) { + length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1; + + if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) { + invalid = f_true; + } + else if (length >= firewall_direction_input_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_input, length, firewall_direction_input_length) == f_equal_to) { + direction = firewall_direction_input_id; + } + else if (length >= firewall_direction_output_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_output, length, firewall_direction_output_length) == f_equal_to) { + direction = firewall_direction_output_id; + } + else if (length >= firewall_direction_none_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_none, length, firewall_direction_none_length) == f_equal_to) { + direction = firewall_direction_none_id; + } + else { + // direction must be specified, and no custom directions are allowed. + invalid = f_true; } if (!invalid) continue; - } else if (length >= firewall_device_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_device, length, firewall_device_length) == f_equal_to) { + } + // process device rule. + else if (length >= firewall_device_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_device, length, firewall_device_length) == f_equal_to) { length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1; if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) { @@ -172,35 +155,38 @@ if (f_error_is_error(status)) break; strncat(device.string, local.buffer.string + local.rule_contents.array[i].array[0].start, length); - device.used = length; + device.used = length; device_all = f_false; continue; } - } else if (length >= firewall_action_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_action, length, firewall_action_length) == f_equal_to) { + } + // process action rule. + else if (length >= firewall_action_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_action, length, firewall_action_length) == f_equal_to) { length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1; if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) { invalid = f_true; - } else if (length < firewall_action_append_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_append, length, firewall_action_append_length) == f_not_equal_to) { - if (length < firewall_action_insert_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_insert, length, firewall_action_insert_length) == f_not_equal_to) { - if (length < firewall_action_policy_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_policy, length, firewall_action_policy_length) == f_not_equal_to) { - if (length < firewall_action_none_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_none, length, firewall_action_none_length) == f_not_equal_to) { - invalid = f_true; - } else { - action = firewall_action_none_id; - } - } else { - action = firewall_action_policy_id; - } - } else { - action = firewall_action_insert_id; - } - } else { + } + else if (length >= firewall_action_append_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_append, length, firewall_action_append_length) == f_equal_to) { action = firewall_action_append_id; } + else if (length >= firewall_action_insert_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_insert, length, firewall_action_insert_length) == f_equal_to) { + action = firewall_action_insert_id; + } + else if (length >= firewall_action_policy_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_policy, length, firewall_action_policy_length) == f_equal_to) { + action = firewall_action_policy_id; + } + else if (length >= firewall_action_none_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_none, length, firewall_action_none_length) == f_equal_to) { + action = firewall_action_none_id; + } + else { + invalid = f_true; + } if (!invalid) continue; - } else if (length >= firewall_ip_list_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_ip_list, length, firewall_ip_list_length) == f_equal_to) { + } + // process ip_list rule. + else if (length >= firewall_ip_list_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_ip_list, length, firewall_ip_list_length) == f_equal_to) { length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1; is_ip_list = f_true; @@ -232,7 +218,9 @@ continue; } - } else if (length >= firewall_tool_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_tool, length, firewall_tool_length) == f_equal_to) { + } + // process tool rule. + else if (length >= firewall_tool_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_tool, length, firewall_tool_length) == f_equal_to) { length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1; if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) { @@ -259,7 +247,9 @@ if (!invalid) continue; } - } else if (length < firewall_rule_length || fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_rule, length, firewall_rule_length) == f_not_equal_to) { + } + // process rule rule, if the remaining rule does not match as firewall_rule, then it is an invalid rule. + else if (length < firewall_rule_length || fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_rule, length, firewall_rule_length) == f_not_equal_to) { if (length > 0) { fl_print_color_code(f_standard_warning, data.context.warning); fprintf(f_standard_warning, "WARNING: At line %u, the object '", (unsigned int) i); @@ -329,122 +319,140 @@ // FIXME: (this issue is probably everywhere) Implement an strncat function for dynamic strings or if I already have one implement, make sure it is used in every applicable place // (this way I can automatically handle updating the used buffer) // also look into auto-allocated space if necessary with the said function - if (action == firewall_action_append_id) { - f_resize_dynamic_string(status, argument, firewall_action_append_command_length); - - if (f_error_is_error(status)) break; - - strncat(argument.string, firewall_action_append_command, firewall_action_append_command_length); - argument.used = firewall_action_append_command_length; - } else if (action == firewall_action_insert_id) { - f_resize_dynamic_string(status, argument, firewall_action_insert_command_length); - - if (f_error_is_error(status)) break; - strncat(argument.string, firewall_action_insert_command, firewall_action_insert_command_length); - argument.used = firewall_action_insert_command_length; - } else if (action == firewall_action_policy_id) { - f_resize_dynamic_string(status, argument, firewall_action_policy_command_length); + // process the action when a non-none chain is specified. + if (chain != firewall_chain_none_id && action != firewall_action_none_id) { + if (action == firewall_action_append_id) { + f_resize_dynamic_string(status, argument, firewall_action_append_command_length); - if (f_error_is_error(status)) break; - - strncat(argument.string, firewall_action_policy_command, firewall_action_policy_command_length); - argument.used = firewall_action_policy_command_length; - } - - if (argument.used > 0) { - f_resize_dynamic_strings(status, arguments, arguments.used + 1); - - if (f_error_is_error(status)) break; + if (f_error_is_error(status)) break; - arguments.array[arguments.used].string = argument.string; - arguments.array[arguments.used].size = argument.size; - arguments.array[arguments.used].used = argument.used; - arguments.used++; - argument.string = f_null; - argument.size = 0; - argument.used = 0; - } + strncat(argument.string, firewall_action_append_command, firewall_action_append_command_length); + argument.used = firewall_action_append_command_length; + } else if (action == firewall_action_insert_id) { + f_resize_dynamic_string(status, argument, firewall_action_insert_command_length); + if (f_error_is_error(status)) break; - if (action != firewall_action_none_id) { - if (!(local.is_main || local.is_stop || local.is_lock)) { - f_resize_dynamic_string(status, argument, data.chains.array[local.chain_ids.array[local.chain]].used); + strncat(argument.string, firewall_action_insert_command, firewall_action_insert_command_length); + argument.used = firewall_action_insert_command_length; + } else if (action == firewall_action_policy_id) { + f_resize_dynamic_string(status, argument, firewall_action_policy_command_length); if (f_error_is_error(status)) break; - strncat(argument.string, data.chains.array[local.chain_ids.array[local.chain]].string, data.chains.array[local.chain_ids.array[local.chain]].used); - argument.used = data.chains.array[local.chain].used; + strncat(argument.string, firewall_action_policy_command, firewall_action_policy_command_length); + argument.used = firewall_action_policy_command_length; + } - } else if (direction == firewall_direction_forward_id) { - f_resize_dynamic_string(status, argument, firewall_direction_forward_command_length); + if (argument.used > 0) { + f_resize_dynamic_strings(status, arguments, arguments.used + 1); if (f_error_is_error(status)) break; - strncat(argument.string, firewall_direction_forward_command, firewall_direction_forward_command_length); - argument.used = firewall_direction_forward_command_length; - } else if (direction == firewall_direction_postrouting_id) { - f_resize_dynamic_string(status, argument, firewall_direction_postrouting_command_length); - - if (f_error_is_error(status)) break; + arguments.array[arguments.used].string = argument.string; + arguments.array[arguments.used].size = argument.size; + arguments.array[arguments.used].used = argument.used; + arguments.used++; + argument.string = f_null; + argument.size = 0; + argument.used = 0; - strncat(argument.string, firewall_direction_postrouting_command, firewall_direction_postrouting_command_length); - argument.used += firewall_direction_postrouting_command_length; - } else if (direction == firewall_direction_prerouting_id) { - f_resize_dynamic_string(status, argument, firewall_direction_prerouting_command_length); + // process the chain, which is required by the action. + if (chain == firewall_chain_custom_id) { + f_resize_dynamic_string(status, argument, data.chains.array[local.chain_ids.array[local.chain]].used); + if (f_error_is_error(status)) break; - if (f_error_is_error(status)) break; + strncat(argument.string, data.chains.array[local.chain_ids.array[local.chain]].string, data.chains.array[local.chain_ids.array[local.chain]].used); + argument.used = data.chains.array[local.chain].used; + } else if (chain == firewall_chain_forward_id) { + f_resize_dynamic_string(status, argument, firewall_chain_forward_length); + if (f_error_is_error(status)) break; - strncat(argument.string, firewall_direction_prerouting_command, firewall_direction_prerouting_command_length); - argument.used = firewall_direction_prerouting_command_length; - } else if (direction_input) { - f_resize_dynamic_string(status, argument, firewall_direction_input_command_length); + strncat(argument.string, firewall_chain_forward, firewall_chain_forward_length); + argument.used = firewall_chain_forward_length; + } else if (chain == firewall_chain_postrouting_id) { + f_resize_dynamic_string(status, argument, firewall_chain_postrouting_length); + if (f_error_is_error(status)) break; - if (f_error_is_error(status)) break; + strncat(argument.string, firewall_chain_postrouting, firewall_chain_postrouting_length); + argument.used += firewall_chain_postrouting_length; + } else if (chain == firewall_chain_prerouting_id) { + f_resize_dynamic_string(status, argument, firewall_chain_prerouting_length); + if (f_error_is_error(status)) break; - strncat(argument.string, firewall_direction_input_command, firewall_direction_input_command_length); - argument.used = firewall_direction_input_command_length; - } else if (direction_output) { - f_resize_dynamic_string(status, argument, firewall_direction_output_command_length); + strncat(argument.string, firewall_chain_prerouting, firewall_chain_prerouting_length); + argument.used = firewall_chain_prerouting_length; + } else if (chain == firewall_chain_input_id) { + f_resize_dynamic_string(status, argument, firewall_chain_input_length); + if (f_error_is_error(status)) break; - if (f_error_is_error(status)) break; + strncat(argument.string, firewall_chain_input, firewall_chain_input_length); + argument.used = firewall_chain_input_length; + } else if (chain == firewall_chain_output_id) { + f_resize_dynamic_string(status, argument, firewall_chain_output_length); + if (f_error_is_error(status)) break; - strncat(argument.string, firewall_direction_output_command, firewall_direction_output_command_length); - argument.used = firewall_direction_output_command_length; - } - } + strncat(argument.string, firewall_chain_output, firewall_chain_output_length); + argument.used = firewall_chain_output_length; + } - if (argument.used > 0) { - f_resize_dynamic_strings(status, arguments, arguments.used + 1); + if (argument.used > 0) { + f_resize_dynamic_strings(status, arguments, arguments.used + 1); - if (f_error_is_error(status)) break; + if (f_error_is_error(status)) break; - arguments.array[arguments.used].string = argument.string; - arguments.array[arguments.used].size = argument.size; - arguments.array[arguments.used].used = argument.used; - arguments.used++; - argument.string = f_null; - argument.size = 0; - argument.used = 0; + arguments.array[arguments.used].string = argument.string; + arguments.array[arguments.used].size = argument.size; + arguments.array[arguments.used].used = argument.used; + arguments.used++; + argument.string = f_null; + argument.size = 0; + argument.used = 0; + } + } } - if (device.used > 0) { + // add the device if and only if a non-none direction is specified. + if (device.used > 0 && (direction == firewall_direction_input_id || direction == firewall_direction_output_id)) { if (length < firewall_device_all_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_device_all, length, firewall_device_all_length) == f_not_equal_to) { - if (direction_input) { + if (direction == firewall_direction_input_id) { f_resize_dynamic_string(status, argument, firewall_device_input_command_length); if (f_error_is_error(status)) break; strncat(argument.string, firewall_device_input_command, firewall_device_input_command_length); argument.used = firewall_device_input_command_length; - } else if (direction_output) { + } + else if (direction == firewall_direction_output_id) { f_resize_dynamic_string(status, argument, firewall_device_output_command_length); if (f_error_is_error(status)) break; strncat(argument.string, firewall_device_output_command, firewall_device_output_command_length); argument.used = firewall_device_output_command_length; } + + if (argument.used > 0) { + f_resize_dynamic_strings(status, arguments, arguments.used + 1); + + if (f_error_is_error(status)) break; + + arguments.array[arguments.used].string = argument.string; + arguments.array[arguments.used].size = argument.size; + arguments.array[arguments.used].used = argument.used; + arguments.used++; + argument.string = f_null; + argument.size = 0; + argument.used = 0; + } } + // add the device. + f_resize_dynamic_string(status, argument, device.used); + if (f_error_is_error(status)) break; + + strncat(argument.string, device.string, device.used); + argument.used = device.used; + if (argument.used > 0) { f_resize_dynamic_strings(status, arguments, arguments.used + 1); @@ -458,28 +466,6 @@ argument.size = 0; argument.used = 0; } - - if (direction_input || direction_output) { - f_resize_dynamic_string(status, argument, device.used); - if (f_error_is_error(status)) break; - - strncat(argument.string, device.string, device.used); - argument.used = device.used; - } - } - - if (argument.used > 0) { - f_resize_dynamic_strings(status, arguments, arguments.used + 1); - - if (f_error_is_error(status)) break; - - arguments.array[arguments.used].string = argument.string; - arguments.array[arguments.used].size = argument.size; - arguments.array[arguments.used].used = argument.used; - arguments.used++; - argument.string = f_null; - argument.size = 0; - argument.used = 0; } if (use_protocol) { @@ -491,7 +477,6 @@ if (argument.used > 0) { f_resize_dynamic_strings(status, arguments, arguments.used + 1); - if (f_error_is_error(status)) break; arguments.array[arguments.used].string = argument.string; @@ -508,20 +493,20 @@ strncat(argument.string, protocol.string, protocol.used); argument.used = protocol.used; - } - if (argument.used > 0) { - f_resize_dynamic_strings(status, arguments, arguments.used + 1); + if (argument.used > 0) { + f_resize_dynamic_strings(status, arguments, arguments.used + 1); - if (f_error_is_error(status)) break; + if (f_error_is_error(status)) break; - arguments.array[arguments.used].string = argument.string; - arguments.array[arguments.used].size = argument.size; - arguments.array[arguments.used].used = argument.used; - arguments.used++; - argument.string = f_null; - argument.size = 0; - argument.used = 0; + arguments.array[arguments.used].string = argument.string; + arguments.array[arguments.used].size = argument.size; + arguments.array[arguments.used].used = argument.used; + arguments.used++; + argument.string = f_null; + argument.size = 0; + argument.used = 0; + } } // last up is the "rule" @@ -529,7 +514,7 @@ f_string_length subcounter = 0; if (is_ip_list) { - // skip past the direction + // skip past the chain subcounter++; length = (local.rule_contents.array[i].array[subcounter].stop - local.rule_contents.array[i].array[subcounter].start) + 1; @@ -583,6 +568,7 @@ break; } + // now execute the generated commands. if (arguments.used > 1) { if (is_ip_list) { f_file file = f_file_initialize; @@ -734,6 +720,19 @@ arguments.array[arguments.used].used = ip_argument.used; arguments.used++; + // print command when debugging. + #ifdef _en_firewall_debug_ + if (data.parameters[firewall_parameter_debug].result == f_console_result_found) { + f_string_length i = 0; + + fprintf(f_standard_output, "DEBUG: "); + for (; i < arguments.used; i++) { + fprintf(f_standard_output, "%s ", arguments.array[i].string); + } + fprintf(f_standard_output, "\n"); + } + #endif // _en_firewall_debug_ + status = fll_execute_program((f_string) current_tool, arguments, &results); if (status == f_failure) { @@ -796,6 +795,19 @@ if (status == f_failure || status == f_invalid_parameter) break; } else { + // print command when debugging. + #ifdef _en_firewall_debug_ + if (data.parameters[firewall_parameter_debug].result == f_console_result_found) { + f_string_length i = 0; + + fprintf(f_standard_output, "DEBUG: "); + for (; i < arguments.used; i++) { + fprintf(f_standard_output, "%s ", arguments.array[i].string); + } + fprintf(f_standard_output, "\n"); + } + #endif // _en_firewall_debug_ + status = fll_execute_program(current_tool, arguments, &results); if (status == f_failure) { @@ -819,9 +831,9 @@ break; } } - } // for - } - } + } + } // for + } // for f_delete_dynamic_string(status2, ip_list); f_delete_dynamic_string(status2, argument); @@ -1005,6 +1017,19 @@ return status; } + // print command when debugging. + #ifdef _en_firewall_debug_ + if (data->parameters[firewall_parameter_debug].result == f_console_result_found) { + f_string_length i = 0; + + fprintf(f_standard_output, "DEBUG: "); + for (; i < arguments.used; i++) { + fprintf(f_standard_output, "%s ", arguments.array[i].string); + } + fprintf(f_standard_output, "\n"); + } + #endif // _en_firewall_debug_ + tool = firewall_program_iptables; status = fll_execute_program((f_string) firewall_tool_iptables, arguments, &results); @@ -1014,6 +1039,19 @@ arguments.array[0].used = firewall_tool_ip6tables_length; arguments.used = 3; + // print command when debugging. + #ifdef _en_firewall_debug_ + if (data->parameters[firewall_parameter_debug].result == f_console_result_found) { + f_string_length i = 0; + + fprintf(f_standard_output, "DEBUG: "); + for (; i < arguments.used; i++) { + fprintf(f_standard_output, "%s ", arguments.array[i].string); + } + fprintf(f_standard_output, "\n"); + } + #endif // _en_firewall_debug_ + tool = firewall_program_ip6tables; status = fll_execute_program((f_string) firewall_tool_ip6tables, arguments, &results); } diff --git a/level_3/firewall/data/settings/example-device-firewall b/level_3/firewall/data/settings/example-device-firewall index f58e5eb..1ecff18 100644 --- a/level_3/firewall/data/settings/example-device-firewall +++ b/level_3/firewall/data/settings/example-device-firewall @@ -1,17 +1,19 @@ # fss-0002 # valid tool: iptables, ip6tables, ip46tables (ip46tables = both ip4 and ip6 tables, which is the default). -# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none. +# valid direction: input, output, none. # valid device: all, this, (any device name goes here without parenthesis). # valid action: append, insert, policy, none. # valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp). +# reserved chains: INPUT, OUTPUT, FORWARD, POSTROUTING, PREROUTING, none (this only applies from within a 'main' list). # some options for -j: ACCEPT, REJECT, DROP, RETURN, LOG, AUDIT, CHECKSUM, CLASSIFY, CLUSTERIP, CONNMARK, CONNSECMARK, CT, DNAT, DNPT, DSCP, ECN, HL, HMARK, IDLETIMER, LED, MARK, MASQUERADE, MIRROR, NETMAP, NFLOG, NFQUEUE, NOTRACK, RATETEST, REDIRECT, SAME, SECMARK, SET, SNAT, SNPT, TCPMSS,TCPOPTSTRIP, TEE, TOS, TPROXY, TRACE, TTL, ULOG. # some options for -t: nat, mangle, filter, raw, security (filter is the default). # some options for --state: NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED, SNAT, DNAT. # some options for --ctstatus: NONE, EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED. main: + chain INPUT device this - direction input + direction none # Define a blacklist and a whitelist, put ip addresses in the file named 'example-device-whitelist' separated by whitespace to whitelist an ip address # (ip_list might be removed in the future once I figure out how ipset works and confirm if ipset can replace my ip_list.) @@ -21,36 +23,39 @@ main: #ip_list destination example-device-blacklist -j REJECT # Connection marking for vlans or QoS (via: tc). - #direction prerouting + #chain PREROUTING #rule -t mangle -j CONNMARK --restore-mark - #direction input + #chain INPUT # save markings that have been restored (prerouting). - #direction prerouting + #chain PREROUTING #rule -t mangle -m mark --mark 2 -j CONNMARK --save-mark #rule -t mangle -m mark --mark 3 -j CONNMARK --save-mark - #direction input + #chain INPUT # example rate limit using marking for port 22 #protocol tcp + #chain OUTPUT #direction output #rule -t mangle --sport 22 -j MARK --set-mark 2 + #chain INPUT #direction input #rule -t mangle --dport 22 -j MARK --set-mark 2 + #direction none # rate limit when there are 8 or more connections from a single host. #protocol tcp - #direction output + #chain OUTPUT #rule -t mangle -m connlimit --connlimit-above 7 -j MARK --set-mark 3 - #direction input + #chain INPUT #rule -t mangle -m connlimit --connlimit-above 7 -j MARK --set-mark 3 # save markings that have been assigned (postrouting). #protocol none - #direction postrouting + #chain POSTROUTING #rule -t mangle -m mark --mark 2 -j CONNMARK --save-mark #rule -t mangle -m mark --mark 3 -j CONNMARK --save-mark - #direction input + #chain INPUT # randomly trigger the rule (51% of the time) and then the reset of the time go to the second rule. @@ -65,19 +70,18 @@ input-tcp: protocol tcp ## Http / Web - #rule --dport 80 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB " - #rule --dport 80 -m state --state NEW -j ACCEPT + #rule --dport 80 -j LOG --log-prefix "TRAFFIC:WEB " + #rule --dport 80 -j ACCEPT ## Http / Web redirect to Https / Secure Web #tool iptables - #direction prerouting-input - #rule -t nat --dport 80 -m state --state NEW -j REDIRECT --to-port 443 + #rule -t nat --dport 80 -j REDIRECT --to-port 443 #tool ip46tables #direction input ## Https / Secure Web - #rule --dport 443 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB " - #rule --dport 443 -m state --state NEW -j ACCEPT + #rule --dport 443 -j LOG --log-prefix "TRAFFIC:WEB " + #rule --dport 443 -j ACCEPT ## Http / Https / Web throttle connections that occur too often. #rule --dport 80 --sync -m recent --name http_throttle --set @@ -86,41 +90,41 @@ input-tcp: #rule --dport 443 --sync -m recent --name http_throttle --update --seconds 3 --hitcount 10 -j DROP ## MySQL - #rule --dport 3306 -m state --state NEW -j ACCEPT + #rule --dport 3306 -j ACCEPT ## Music Player Daemon - #rule --dport 6600 -m state --state NEW -j ACCEPT + #rule --dport 6600 -j ACCEPT ## Camsource - #rule --dport 9192 -m state --state NEW -j ACCEPT + #rule --dport 9192 -j ACCEPT ## Cups Printer Administration - #rule --dport 631 -m state --state NEW -j ACCEPT + #rule --dport 631 -j ACCEPT ## Ssh (OpenSSH) - #rule --dport 22 -m state --state NEW -j LOG --log-prefix "TRAFFIC:SSH " - #rule --dport 22 -m state --state NEW -j ACCEPT + #rule --dport 22 -j LOG --log-prefix "TRAFFIC:SSH " + #rule --dport 22 -j ACCEPT ## clamd (Clam Antivirus) - remote access, not needed for normal - #rule --dport 3310 -m state --state NEW -j ACCEPT + #rule --dport 3310 -j ACCEPT ## Virtual Network Client Server (add 1 for each seperat vnc server) - #rule --dport 5900 -m state --state NEW -j ACCEPT + #rule --dport 5900 -j ACCEPT ## Printer Port, is probably open...safer to close unless you are SERVING a printer - #rule --dport 515 -m state --state NEW -j REJECT + #rule --dport 515 -j REJECT ## Subversion server - #rule --dport 3690 -m state --state NEW -j ACCEPT + #rule --dport 3690 -j ACCEPT ## Silc server - #rule --dport 706 -m state --state NEW -j ACCEPT + #rule --dport 706 -j ACCEPT ## Worms of Prey - #rule --dport 47288 -m state --state NEW -j ACCEPT + #rule --dport 47288 -j ACCEPT ## Git Daemon - #rule --dport 9418 -m state --state NEW -j ACCEPT + #rule --dport 9418 -j ACCEPT ## Ldap Server #rule --dport 389 -j ACCEPT @@ -137,18 +141,19 @@ input-udp: protocol udp ## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion) - #rule --dport 53 -m state --state NEW -j ACCEPT + #rule --dport 53 -j ACCEPT - ## DHCP Server - #rule -m state --state NEW --dport 67 --sport 68 -j ACCEPT - #rule -m state --state NEW --dport 68 --sport 67 -j ACCEPT + ## DHCP Server (providing dhcp address to clients) + #tool iptables + #rule --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT + #tool ip46tables ## Subversion server - #rule --dport 3690 -m state --state NEW -j ACCEPT + #rule --dport 3690 -j ACCEPT ## Worms of Prey - #rule --sport 47288:47544 -m state --state NEW -j ACCEPT - #rule --dport 47288:47544 -m state --state NEW -j ACCEPT + #rule --sport 47288:47544 -j ACCEPT + #rule --dport 47288:47544 -j ACCEPT input-icmp: @@ -157,55 +162,55 @@ input-icmp: protocol icmp # allow all icmp input, such as pings - #rule -m state --state NEW -j ACCEPT + #rule -j ACCEPT # allow icmp: echo reply (outbound ping) - ##rule --icmp-type 0 -m state --state NEW -j ACCEPT + ##rule --icmp-type 0 -j ACCEPT # allow icmp: destination unreachable - #rule --icmp-type 3 -m state --state NEW -j ACCEPT + #rule --icmp-type 3 -j ACCEPT # allow icmp: source quench - #rule --icmp-type 4 -m state --state NEW -j ACCEPT + #rule --icmp-type 4 -j ACCEPT # allow icmp: redirect - #rule --icmp-type 5 -m state --state NEW -j ACCEPT + #rule --icmp-type 5 -j ACCEPT # allow icmp: echo request (inbound ping) - #rule --icmp-type 8 -m state --state NEW -j ACCEPT + #rule --icmp-type 8 -j ACCEPT # allow icmp: router advertisement - #rule --icmp-type 9 -m state --state NEW -j ACCEPT + #rule --icmp-type 9 -j ACCEPT # allow icmp: router Solicitation - #rule --icmp-type 10 -m state --state NEW -j ACCEPT + #rule --icmp-type 10 -j ACCEPT # allow icmp: time exceeded - #rule --icmp-type 11 -m state --state NEW -j ACCEPT + #rule --icmp-type 11 -j ACCEPT # allow icmp: bad ip header - #rule --icmp-type 12 -m state --state NEW -j ACCEPT + #rule --icmp-type 12 -j ACCEPT # allow icmp: timestamp - #rule --icmp-type 13 -m state --state NEW -j ACCEPT + #rule --icmp-type 13 -j ACCEPT # allow icmp: timestamp reply - #rule --icmp-type 14 -m state --state NEW -j ACCEPT + #rule --icmp-type 14 -j ACCEPT # allow icmp: information request - #rule --icmp-type 15 -m state --state NEW -j ACCEPT + #rule --icmp-type 15 -j ACCEPT # allow icmp: information reply - #rule --icmp-type 16 -m state --state NEW -j ACCEPT + #rule --icmp-type 16 -j ACCEPT # allow icmp: address request - #rule --icmp-type 17 -m state --state NEW -j ACCEPT + #rule --icmp-type 17 -j ACCEPT # allow icmp: address reply - #rule --icmp-type 18 -m state --state NEW -j ACCEPT + #rule --icmp-type 18 -j ACCEPT # allow icmp: traceroute - #rule --icmp-type 30 -m state --state NEW -j ACCEPT + #rule --icmp-type 30 -j ACCEPT output-tcp: @@ -220,10 +225,12 @@ output-udp: protocol udp ## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion) - #rule --dport 53 -m state --state NEW -j ACCEPT + #rule --dport 53 -j ACCEPT - ## DHCP Server - #rule -m state --state NEW --dport 67 --sport 68 -j ACCEPT + ## DHCP Server (providing dhcp address to clients) + #tool iptables + #rule --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT + #tool ip46tables output-icmp: diff --git a/level_3/firewall/data/settings/firewall-first b/level_3/firewall/data/settings/firewall-first index 788de35..f655c3b 100644 --- a/level_3/firewall/data/settings/firewall-first +++ b/level_3/firewall/data/settings/firewall-first @@ -14,91 +14,86 @@ main: tool ip46tables # setup initial operations + chain INPUT direction input action append # Enable ALL local connections (loopback) device lo + chain OUTPUT direction output rule -j ACCEPT + chain INPUT direction input rule -j ACCEPT device all - # the above loopback rules should catch all true loopback connections - # the following loopback rules will only catch anything if a loopback spoofing is happending - # therefore, do not allow spoof by DROPing - #tool iptables - #rule -s 127.0.0.1 -j DROP - #rule -d 127.0.0.1 -j DROP - #tool ip46tables - # Drop all INVALID packets so they aren't even processed - direction output + chain OUTPUT rule -m state --state INVALID -j DROP - direction input + chain INPUT rule -m state --state INVALID -j DROP # Drop multicasts and broadcasts, they should not exist for a router and in most cases should be avoided. # unicasts are the normal behavior and blocking them would be very unusual. - direction output + chain OUTPUT rule -m pkttype --pkt-type broadcast -j output-casting rule -m pkttype --pkt-type multicast -j output-casting #rule -m pkttype --pkt-type unicast -j output-casting - direction input + chain INPUT rule -m pkttype --pkt-type broadcast -j input-casting rule -m pkttype --pkt-type multicast -j input-casting #rule -m pkttype --pkt-type unicast -j input-casting # Allow ALL input&output connections that have already been established by this host (using conntrack might be more efficient) - direction output + chain OUTPUT rule -m state --state ESTABLISHED,RELATED -j ACCEPT #rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - direction input + chain INPUT rule -m state --state ESTABLISHED,RELATED -j ACCEPT #rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # send all tcp packets to the tcp queue - direction output + chain OUTPUT protocol tcp rule -m state --state NEW -j output-tcp - direction input + chain INPUT rule -m state --state NEW -j input-tcp # send all udp packets to the udp queue - direction output + chain OUTPUT protocol udp rule -m state --state NEW -j output-udp - direction input + chain INPUT rule -m state --state NEW -j input-udp # send all ipv4 icmp packets to the icmp queue tool iptables - direction output + chain OUTPUT protocol icmp rule -m state --state NEW -j output-icmp - direction input + chain INPUT rule -m state --state NEW -j input-icmp - # send all ipv6 icmp packets to the icmp queue + # send all ipv6 icmp packets to the icmp queue (alternatively put this in its own chain, such as input-icmpv6 and output-icmpv6) tool ip6tables - direction output + chain OUTPUT protocol icmpv6 rule -m state --state NEW -j output-icmp - direction input + chain INPUT rule -m state --state NEW -j input-icmp @@ -149,11 +144,11 @@ input-casting: protocol none tool ip46tables - # do not auto-drop dhcp messages sent from a dhcp server. + # do not auto-drop dhcp messages sent from a dhcp server to a local dhcp client. # dhcp offer/acknowledge (the source address must be the routers address, so do not allow 0.0.0.0/0) protocol udp tool iptables - rule ! -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j RETURN + rule --sport 67 -d 255.255.255.255 --dport 68 -j RETURN protocol none tool ip46tables @@ -167,11 +162,11 @@ output-casting: protocol none tool ip46tables - # do not auto-drop dhcp messages sent to a dhcp server. + # do not auto-drop dhcp client messages sent to a dhcp server. # dhcp discover/request (for the request, the dhcp server ip address is known but for some reason the dhcp standard states tat the src is 0.0.0.0. protocol udp tool iptables - rule -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j RETURN + rule --sport 68 -d 255.255.255.255 --dport 67 -j RETURN protocol none tool ip46tables diff --git a/level_3/firewall/data/settings/firewall-last b/level_3/firewall/data/settings/firewall-last index b2132fa..02157ec 100644 --- a/level_3/firewall/data/settings/firewall-last +++ b/level_3/firewall/data/settings/firewall-last @@ -1,26 +1,28 @@ # fss-0002 main: - direction input + chain INPUT + device all + direction none # Log everything else (input) # everything that reaches this point without being accepted, reject, or otherwise handled will be logged rule -m state --state NEW -j LOG --log-prefix "FIREWALL:INPUT " - direction output + chain OUTPUT ## Log everything else (output) #rule -j LOG --log-prefix "FIREWALL:OUTPUT " # the catch-all policies action policy - direction input + chain INPUT rule DROP - direction output + chain OUTPUT rule DROP - direction forward + chain FORWARD rule DROP diff --git a/level_3/firewall/data/settings/firewall-other b/level_3/firewall/data/settings/firewall-other index 5009f2a..5112a34 100644 --- a/level_3/firewall/data/settings/firewall-other +++ b/level_3/firewall/data/settings/firewall-other @@ -3,18 +3,19 @@ stop: action policy - direction input + chain INPUT rule ACCEPT - direction output + chain OUTPUT rule ACCEPT - direction forward + chain FORWARD rule ACCEPT + chain none direction none action none - rule --flush + rule -t filter --flush tool iptables rule -t nat --flush @@ -28,18 +29,20 @@ stop: rule -t mangle --delete-chain tool ip46tables + lock: action policy - direction input + chain INPUT rule DROP - direction output + chain OUTPUT rule DROP - direction forward + chain FORWARD rule DROP + chain none direction none action none rule --flush @@ -56,7 +59,11 @@ lock: rule -t mangle --delete-chain tool ip46tables + device lo action insert + direction output + chain OUTPUT + rule -j ACCEPT direction input - device lo + chain INPUT rule -j ACCEPT -- 1.8.3.1