
2009-12-14 vadim <vadim@vk.crocodile.org>

* src/res/configlets/linux24/automatic_rules: Generation of the
automatic rules (matching ESTABLISHED and INVALID states,
backup ssh access and others) now uses configlet. Fixes #883

* src/res/configlets/linux24/automatic_rules: generated script can
now include automatic rules to match IPv6 neighbor discovery ICMP6
packets. This is controlled by a checkbox in the iptables
"advanced" settings dialog and is off by default. Fixes #878
Vadim Kurland 2009-12-15 00:15:58 +00:00
parent dbd9ab11f0
commit 493d22fd1c
8 changed files with 186 additions and 158 deletions


@ -1 +1 @@
#define BUILD_NUM 2134
#define BUILD_NUM 2135


@ -1,5 +1,14 @@
2009-12-14 vadim <vadim@vk.crocodile.org>
* src/res/configlets/linux24/automatic_rules: Generation of the
automatic rules (matching ESTABLISHED and INVALID states,
backup ssh access and others) now uses configlet. Fixes #883
* src/res/configlets/linux24/automatic_rules: generated script can
now include automatic rules to match IPv6 neighbor discovery ICMP6
packets. This is controlled by a checkbox in the iptables
"advanced" settings dialog and is off by default. Fixes #878
* PrefsDialog.cpp (PrefsDialog::accept): Added a place in the
global Preferences dialog for options specific for different
object types. First parameters include options for DNSName and


@ -135,7 +135,10 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
data.registerOption(m_dialog->clampMSStoMTU, fwoptions, "clamp_mss_to_mtu");
data.registerOption(m_dialog->makeTagClassifyTerminating,
fwoptions, "classify_mark_terminating");
slm=getActionsOnReject( obj->getStr("platform").c_str());
data.registerOption(m_dialog->ipv6NeighborDiscovery,
fwoptions, "add_rules_for_ipv6_neighbor_discovery");
slm = getActionsOnReject( obj->getStr("platform").c_str());
m_dialog->actionOnReject->clear();
m_dialog->actionOnReject->addItems(getScreenNames(slm));
data.registerOption(m_dialog-> actionOnReject,


@ -8,8 +8,8 @@
<rect>
<x>0</x>
<y>0</y>
<width>671</width>
<height>758</height>
<width>700</width>
<height>814</height>
</rect>
</property>
<property name="sizePolicy" >
@ -208,7 +208,7 @@
</property>
</widget>
</item>
<item row="6" column="0" colspan="6" >
<item rowspan="2" row="6" column="0" colspan="6" >
<widget class="Line" name="line4_2" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
@ -234,7 +234,7 @@
</property>
</widget>
</item>
<item rowspan="5" row="8" column="0" >
<item rowspan="6" row="8" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
@ -386,7 +386,19 @@ in host settings dialog.
</property>
</widget>
</item>
<item row="17" column="1" >
<item row="17" column="1" colspan="5" >
<widget class="QCheckBox" name="ipv6NeighborDiscovery" >
<property name="toolTip" >
<string>Compiler will automatically generate rules to permit ICMP6 packets used in IPv6
Neighbor Discovery after the rules that accept ESTABLISHED,RELATE and before
the rule that drops packets in state INVALID.</string>
</property>
<property name="text" >
<string>Add rules to accept IPv6 Neighbor Discovery packets to IPv6 policies</string>
</property>
</widget>
</item>
<item row="18" column="1" >
<widget class="QLabel" name="textLabel9" >
<property name="text" >
<string>Default action on 'Reject':</string>
@ -396,10 +408,10 @@ in host settings dialog.
</property>
</widget>
</item>
<item row="17" column="2" colspan="3" >
<item row="18" column="2" colspan="3" >
<widget class="QComboBox" name="actionOnReject" />
</item>
<item row="17" column="5" >
<item row="18" column="5" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
@ -415,7 +427,7 @@ in host settings dialog.
</property>
</spacer>
</item>
<item row="18" column="0" colspan="6" >
<item rowspan="2" row="19" column="0" colspan="6" >
<widget class="Line" name="line4" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
@ -428,7 +440,7 @@ in host settings dialog.
</property>
</widget>
</item>
<item row="19" column="0" >
<item row="21" column="0" >
<spacer>
<property name="orientation" >
<enum>Qt::Horizontal</enum>
@ -444,7 +456,7 @@ in host settings dialog.
</property>
</spacer>
</item>
<item row="19" column="1" colspan="2" >
<item rowspan="2" row="20" column="1" colspan="2" >
<widget class="QCheckBox" name="mgmt_ssh" >
<property name="text" >
<string>Always permit ssh access from
@ -453,7 +465,7 @@ with this address:</string>
</property>
</widget>
</item>
<item row="19" column="4" colspan="2" >
<item row="21" column="4" colspan="2" >
<widget class="QLineEdit" name="mgmt_addr" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
@ -469,7 +481,7 @@ with this address:</string>
</property>
</widget>
</item>
<item row="20" column="1" >
<item row="22" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
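Review bot: The new tooltip on the `ipv6NeighborDiscovery` checkbox reads `ESTABLISHED,RELATE`; the iptables state name is `ESTABLISHED,RELATED`, so the line should be `Neighbor Discovery after the rules that accept ESTABLISHED,RELATED and before`. The rest of the wording agrees with where the configlet emits these rules (after the established-state rules and before the INVALID drop), so only the typo needs fixing.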


@ -53,6 +53,8 @@
#include "combinedAddress.h"
#include "Configlet.h"
#include <QStringList>
#include <iostream>
@ -1583,11 +1585,6 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
ostringstream res;
bool isIPv6 = ipt_comp->ipv6;
/*
* bug #1092141: "irritating FORWARD rule for established connections"
* Need rules in FORWARD chain only if ip forwarding is on or set to
* "no change"
*/
string s = compiler->getCachedFwOpt()->getStr("linux24_ip_forward");
bool ipforward= (s.empty() || s=="1" || s=="On" || s=="on");
s = compiler->getCachedFwOpt()->getStr("linux24_ipv6_forward");
@ -1595,35 +1592,19 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
bool ipforw = ((!ipt_comp->ipv6 && ipforward) ||
(ipt_comp->ipv6 && ip6forward));
if ( compiler->getCachedFwOpt()->getBool("accept_established") &&
ipt_comp->my_table=="filter")
{
res << _startRuleLine()
<< "INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
Configlet configlet(compiler->fw, "linux24", "automatic_rules");
configlet.removeComments();
configlet.collapseEmptyStrings(true);
res << _startRuleLine()
<< "OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
configlet.setVariable("begin_rule", _startRuleLine().c_str());
configlet.setVariable("end_rule", _endRuleLine().c_str());
if (ipforw)
res << _startRuleLine()
<< "FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
configlet.setVariable("ipforw", ipforw);
configlet.setVariable("accept_established",
compiler->getCachedFwOpt()->getBool("accept_established") &&
ipt_comp->my_table=="filter");
res << endl;
}
/*
* it helps to add backup ssh access rule as early as possible so that
* ssh session opened from the management station won't break after
* all chains are flushed. The installation process may stall if
* stdout buffer gets filled with diagnostic or progress output from
* this script printed after chains are flushed but before a rule
* permitting ssh is installed. This may happen if script debugging is
* on or there are many NAT rules (so it prints a lot of "Rule NN
* (NAT)" lines).
*/
if ( compiler->getCachedFwOpt()->getBool("mgmt_ssh") &&
! compiler->getCachedFwOpt()->getStr("mgmt_addr").empty() )
{
@ -1653,132 +1634,69 @@ string PolicyCompiler_ipt::PrintRule::_printOptionalGlobalRules()
}
if (addr_is_good)
{
res << "# backup ssh access" << endl;
res << "#" << endl;
/* bug #1106701: 'backup ssh access' and statefulness interation
* Need to add rules with ESTABLISHED and RELATED to make sure backup ssh access
* works even when global rule that accepts ESTABLISHED and RELATED is disabled
*/
res << _startRuleLine() << "INPUT -p tcp -m tcp -s "
<< inet_addr->toString()
<< " --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT"
<< _endRuleLine();
res << _startRuleLine() << "OUTPUT -p tcp -m tcp -d "
<< inet_addr->toString()
<< " --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT"
<< _endRuleLine();
res << endl;
configlet.setVariable("mgmt_access", 1);
configlet.setVariable("management_address", inet_addr->toString().c_str());
} else
{
QString err("Backup ssh access rule could not be added "
"because specified address '%1' is invalid");
compiler->warning(err.arg(addr_str.c_str()).toStdString());
}
}
if ( ! compiler->getCachedFwOpt()->getBool("accept_new_tcp_with_no_syn") )
{
res << "# drop TCP sessions opened prior firewall restart"
<< endl;
res << "#" << endl;
res << _startRuleLine()
<< "INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP"
<< _endRuleLine();
res << _startRuleLine()
<< "OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP"
<< _endRuleLine();
if (ipforw)
res << _startRuleLine()
<< "FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP"
<< _endRuleLine();
res << endl;
}
if ( compiler->getCachedFwOpt()->getBool("drop_invalid") )
{
res << "# drop packets that do not match any valid state "
<< endl;
res << "#" << endl;
if ( !compiler->getCachedFwOpt()->getBool("log_invalid"))
{
res << _startRuleLine()
<< "OUTPUT -m state --state INVALID -j DROP"
<< _endRuleLine();
res << _startRuleLine()
<< "INPUT -m state --state INVALID -j DROP"
<< _endRuleLine();
if (ipforw)
res << _startRuleLine()
<< "FORWARD -m state --state INVALID -j DROP"
<< _endRuleLine();
} else
{
res << _createChain("drop_invalid");
res << _startRuleLine()
<< "OUTPUT -m state --state INVALID -j drop_invalid"
<< _endRuleLine();
res << _startRuleLine()
<< "INPUT -m state --state INVALID -j drop_invalid"
<< _endRuleLine();
if (ipforw)
res << _startRuleLine()
<< "FORWARD -m state --state INVALID -j drop_invalid"
<< _endRuleLine();
configlet.setVariable(
"drop_new_tcp_with_no_syn",
! compiler->getCachedFwOpt()->getBool("accept_new_tcp_with_no_syn"));
res << _startRuleLine();
configlet.setVariable(
"add_rules_for_ipv6_neighbor_discovery",
isIPv6 &&
compiler->getCachedFwOpt()->getBool("add_rules_for_ipv6_neighbor_discovery"));
// Note: there is no ULOG for ip6tables yet
if (!isIPv6 && compiler->getCachedFwOpt()->getBool("use_ULOG"))
{
string s = compiler->getCachedFwOpt()->getStr("ulog_nlgroup");
configlet.setVariable("drop_invalid",
compiler->getCachedFwOpt()->getBool("drop_invalid") &&
!compiler->getCachedFwOpt()->getBool("log_invalid"));
res << "drop_invalid -j ULOG ";
configlet.setVariable("drop_invalid_and_log",
compiler->getCachedFwOpt()->getBool("drop_invalid") &&
compiler->getCachedFwOpt()->getBool("log_invalid"));
if (!s.empty())
res << "--ulog-nlgroup " << s << " ";
configlet.setVariable("create_drop_invalid_chain",
_createChain("drop_invalid").c_str());
int r;
if ((r = compiler->getCachedFwOpt()->getInt("ulog_cprange"))!=0)
res << "--ulog-cprange " << r << " ";
if ((r = compiler->getCachedFwOpt()->getInt("ulog_qthreshold"))!=0)
res << " --ulog-qthreshold " << r << " ";
res << "--ulog-prefix ";
if (compiler->getCachedFwOpt()->getBool("log_invalid") &&
!isIPv6 &&
compiler->getCachedFwOpt()->getBool("use_ULOG"))
{
configlet.setVariable("use_ulog", 1);
} else {
res << "drop_invalid -j LOG "
<< "--log-level debug --log-prefix ";
}
string s = compiler->getCachedFwOpt()->getStr("ulog_nlgroup");
configlet.setVariable("use_nlgroup", !s.empty());
configlet.setVariable("nlgroup", s.c_str());
s = "INVALID state -- DENY ";
int r = compiler->getCachedFwOpt()->getInt("ulog_cprange");
configlet.setVariable("use_cprange", r!=0);
configlet.setVariable("cprange", r);
res << _printLogPrefix("-1",
"DENY",
"global",
"drop_invalid",
"Policy",
"BLOCK INVALID",
s)
<< _endRuleLine()
<< _startRuleLine() << "drop_invalid -j DROP"
<< _endRuleLine();
}
res << endl;
}
r = compiler->getCachedFwOpt()->getInt("ulog_qthreshold");
configlet.setVariable("use_qthreshold", r!=0);
configlet.setVariable("qthreshold", r);
} else
configlet.setVariable("not_use_ulog", 1);
return res.str();
configlet.setVariable("invalid_match_log_prefix",
_printLogPrefix("-1",
"DENY",
"global",
"drop_invalid",
"Policy",
"BLOCK INVALID",
"INVALID state -- DENY ").c_str());
return configlet.expand().toStdString();
}
string PolicyCompiler_ipt::PrintRule::_quote(const string &s)
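Review bot: `ostringstream res` at the top of the first `_printOptionalGlobalRules` hunk is now dead: every `res <<` write has been removed and the function returns `configlet.expand().toStdString()`, so the declaration (and the `<<` plumbing it implied) should be dropped as well. `_createChain("drop_invalid")` is now evaluated unconditionally to fill `create_drop_invalid_chain`, whereas before it ran only under `drop_invalid && log_invalid`; if `_createChain` does anything beyond returning text (for instance recording the chain name for later flushing), that is a behavior change and the call should be guarded by the same condition used for `drop_invalid_and_log`. The `string s` introduced in the ULOG branch shadows the `s` declared earlier in the same function; a distinct name such as `nlgroup` would avoid confusion. The function begins above the second hunk and the hunks are separated by lines not shown here.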


@ -0,0 +1,85 @@
## -*- mode: shell-script; -*-
##
## Each rule must start with {{$begin_rule}} and end with
## {{$end_rule}}. Variable $begin_rule has value "$IPTABLES -A" if
## generated script is in the shell script format, or just empty
## string if it is in iptables-restore format
## bug #1092141: "irritating FORWARD rule for established connections"
## Need rules in FORWARD chain only if ip forwarding is on or set to
## "no change"
{{if accept_established}}
# accept established sessions
{{$begin_rule}} INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{$begin_rule}} FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{endif}}
## it helps to add backup ssh access rule as early as possible so that
## ssh session opened from the management station won't break after
## all chains are flushed. The installation process may stall if
## stdout buffer gets filled with diagnostic or progress output from
## this script printed after chains are flushed but before a rule
## permitting ssh is installed. This may happen if script debugging is
## on or there are many NAT rules (so it prints a lot of "Rule NN
## (NAT)" lines).
{{if mgmt_access}}
# backup ssh access
{{$begin_rule}} INPUT -p tcp -m tcp -s {{$management_address}} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p tcp -m tcp -d {{$management_address}} --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}
{{endif}}
{{if drop_new_tcp_with_no_syn}}
# drop TCP sessions opened prior firewall restart
{{$begin_rule}} INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}}
{{$begin_rule}} OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}}
{{if ipforw}}
{{$begin_rule}} FORWARD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP {{$end_rule}}
{{endif}}
{{endif}}
{{if add_rules_for_ipv6_neighbor_discovery}}
# rules to permit IPv6 Neighbor discovery
{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-solicitation -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT {{$end_rule}}
{{$begin_rule}} INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT {{$end_rule}}
{{$begin_rule}} OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT {{$end_rule}}
{{endif}}
{{if drop_invalid}}
# drop packets that do not match any valid state
{{$begin_rule}} OUTPUT -m state --state INVALID -j DROP {{$end_rule}}
{{$begin_rule}} INPUT -m state --state INVALID -j DROP {{$end_rule}}
{{if ipforw}}
{{$begin_rule}} FORWARD -m state --state INVALID -j DROP {{$end_rule}}
{{endif}}
{{endif}}
{{if drop_invalid_and_log}}
# drop packets that do not match any valid state and log them
{{$create_drop_invalid_chain}}
{{$begin_rule}} OUTPUT -m state --state INVALID -j drop_invalid {{$end_rule}}
{{$begin_rule}} INPUT -m state --state INVALID -j drop_invalid {{$end_rule}}
{{if ipforw}}
{{$begin_rule}} FORWARD -m state --state INVALID -j drop_invalid {{$end_rule}}
{{endif}}
{{if use_ulog}}
{{$begin_rule}} drop_invalid -j ULOG {{if use_nlgroup}}--ulog-nlgroup {{$nlgroup}}{{endif}} {{if use_cprange}}--ulog-cprange {{$cprange}}{{endif}} {{if use_qthreshold}}--ulog-qthreshold {{$qthreshold}}{{endif}} --ulog-prefix {{$invalid_match_log_prefix}}{{$end_rule}}
{{endif}}
{{if not_use_ulog}}
{{$begin_rule}} drop_invalid -j LOG --log-level debug --log-prefix {{$invalid_match_log_prefix}}{{$end_rule}}
{{endif}}
{{$begin_rule}} drop_invalid -j DROP {{$end_rule}}
{{endif}}
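Review bot: The FORWARD rule in the `accept_established` block is emitted unconditionally, while the `drop_new_tcp_with_no_syn` and `drop_invalid` blocks wrap their FORWARD rules in `{{if ipforw}} … {{endif}}`; the C++ code this configlet replaces guarded the same rule with `if (ipforw)`, and the configlet's own header comment (bug #1092141) says FORWARD rules are only needed when forwarding is on, so this reintroduces that bug. Wrap it the same way: `{{if ipforw}}` / `{{$begin_rule}} FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT {{$end_rule}}` / `{{endif}}`. Separately, the Neighbor Discovery rules accept the four ICMPv6 types from any source; valid ND messages carry hop limit 255 (RFC 4861), so adding `-m hl --hl-eq 255` to those rules would reject off-link forgeries and is worth considering as an optional hardening.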


@ -29180,7 +29180,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4833F62B6131" host_OS="linux24" inactive="False" lastCompiled="1260217773" lastInstalled="0" lastModified="1247356067" platform="iptables" version="" name="firewall-ipv6-1" comment="Using ULOG globally, but ipv6 rules&#10;should fall back to LOG because&#10;there is no ULOG for ip6tables yet&#10;Bug 2141911&#10;" ro="False">
<Firewall id="id4833F62B6131" host_OS="linux24" inactive="False" lastCompiled="1260831611" lastInstalled="0" lastModified="1260831598" platform="iptables" version="" name="firewall-ipv6-1" comment="Using ULOG globally, but ipv6 rules&#10;should fall back to LOG because&#10;there is no ULOG for ip6tables yet&#10;Bug 2141911&#10;" ro="False">
<NAT id="id4833F62F6131" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -29892,6 +29892,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="add_rules_for_ipv6_neighbor_discovery">True</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>


@ -7,7 +7,7 @@ for f in $(ls *.fw.orig)
do
V="$f <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
echo "echo \"$V\" | cut -c1-72"
new_f=$(echo $f | sed 's/.org//')
new_f=$(echo $f | sed 's/.orig//')
echo "$DIFFCMD $f $new_f"
done
exit 0
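Review bot: `sed 's/.orig//'` fixes the pattern but leaves the dot unescaped and the match unanchored, so it strips the first occurrence of any character followed by `orig` anywhere in the name rather than the trailing `.orig` suffix; a parameter expansion does this exactly and without a subprocess: `new_f=${f%.orig}`. `$f` is also unquoted in the `echo` pipeline, which matters if a file name contains whitespace. The `for` loop this hunk belongs to starts above the hunk.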