Author | SHA1 | Date |
---|---|---|
Brie Bruns | 423f6caff4 | |
Brie Bruns | f82d1fa2cd | |
Brie Bruns | 182651e108 | |
Brie Bruns | 3e54d20c78 | |
Brie Bruns | dab267b561 | |
Brie Bruns | 582335b190 | |
Brie Bruns | a0d5687567 | |
Brie Bruns | 33261c140e | |
Brie Bruns | 3e7c254037 | |
Brie Bruns | 6a2589b8f2 | |
Brie Bruns | 1ea92aa558 |
|
@ -1,3 +1,11 @@
|
|||
2.2.1 - 04/17/2021
|
||||
- Add support for iptables options via IPTABLESOPT and IP6TABLESOPT. These options are
|
||||
applied at the beginning of the command line options to EVERY instance of $IPTABLES.
|
||||
Useful for '-w' to deal with xtables lock issues.
|
||||
|
||||
2.2 - 04/09/2020
|
||||
- Add multiport support to acl/forward
|
||||
|
||||
2.1p2 - 02/27/2020
|
||||
- Fix issue with NAT variable not being reset after being changed
|
||||
|
||||
|
|
12
INSTALL
12
INSTALL
|
@ -1,4 +1,4 @@
|
|||
SRFirewall v2.0 http://www.sosdg.org/freestuff/firewall
|
||||
SRFirewall v2.2.1 http://www.sosdg.org/freestuff/firewall
|
||||
Written by: Brielle Bruns <bruns@2mbit.com>
|
||||
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
||||
|
||||
|
@ -21,14 +21,14 @@ it:
|
|||
|
||||
=== Begin commands ===
|
||||
cd /usr/src
|
||||
svn checkout http://firewall-sosdg.googlecode.com/svn/srfirewall srfirewall-trunk
|
||||
ln -s /usr/src/srfirewall-trunk/lib /usr/local/lib/srfirewall
|
||||
ln -s /usr/src/srfirewall-trunk/bin/srfirewall /usr/local/bin/srfirewall
|
||||
cp -R /usr/src/srfirewall-trunk/etc /usr/local/etc/srfirewall
|
||||
git clone https://git.sosdg.org/brielle/SRFirewall.git
|
||||
ln -s /usr/src/srfirewall/lib /usr/local/lib/srfirewall
|
||||
ln -s /usr/src/srfirewall/bin/srfirewall /usr/local/bin/srfirewall
|
||||
cp -R /usr/src/srfirewall/etc /usr/local/etc/srfirewall
|
||||
=== End commands ===
|
||||
|
||||
Then when you want to update to bleeding edge, all you have to run is
|
||||
'svn update'.
|
||||
'git pull'.
|
||||
|
||||
You _will_ need to look for newly changed/added files and update
|
||||
appropriately.
|
||||
|
|
2
README
2
README
|
@ -1,4 +1,4 @@
|
|||
SRFirewall v2.1
|
||||
SRFirewall v2.2.1
|
||||
http://www.sosdg.org/freestuff/firewall
|
||||
Written by: Brielle Bruns <bruns@2mbit.com>
|
||||
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
# Static config options, normally do not need to change
|
||||
FW_VERSION="2.1p2"
|
||||
FW_VERSION="2.2.1"
|
||||
|
||||
# Important directory locations
|
||||
FWPREFIX="/usr/local"
|
||||
|
@ -155,6 +155,16 @@ if [ ! -e "/proc/net/ip6_tables_names" ] && [ "${EnableIPv6}" == "yes" ] && [ "$
|
|||
fi
|
||||
fi
|
||||
|
||||
# Splice in iptables options via IPTABLESOPT and IP6TABLESOPT
|
||||
if [ -x "${IPTABLES}" ] && [ -x "${IPTABLESOPT}" ]; then
|
||||
IPTABLES="${IPTABLES} ${IPTABLESOPT}"
|
||||
fi
|
||||
|
||||
if [ -x "${IP6TABLES}" ] && [ -x "${IP6TABLESOPT}" ]; then
|
||||
IPTABLES="${IP6TABLES} ${IP6TABLESOPT}"
|
||||
fi
|
||||
|
||||
|
||||
# Set up proper state matching variables, since there is old and new style.
|
||||
if [ "$StateMatching" ]; then
|
||||
case $StateMatching in
|
||||
|
|
|
@ -338,8 +338,8 @@ function enable_filtering {
|
|||
[[ -z ${state} ]] && state="-"
|
||||
([[ ${IP_VERSION} == "ipv4" ]] && [[ ${Enablev4ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
|
||||
([[ ${IP_VERSION} == "ipv6" ]] && [[ ${Enablev6ConnectionTracking} == "yes" ]] && [[ ! ${state} == "-" ]]) && conntrack_state="${M_STATE} ${C_STATE} ${state}"
|
||||
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
|
||||
#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
|
||||
[[ ${srcaddress} != "-" ]] && srcaddress="-s ${srcaddress}"
|
||||
[[ ${dstaddress} != "-" ]] && dstaddress="-d ${dstaddress}"
|
||||
([[ ${interface} != "-" ]] && [[ ${direction} == "IN" ]]) && interface="-i ${interface}"
|
||||
|
@ -353,6 +353,15 @@ function enable_filtering {
|
|||
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${direction} ${action} ${interface} ${srcaddress} ${srcport} ${dstaddress} ${dstport} ${protocol} ${syn} ${custom}"
|
||||
|
||||
dstmultiport="no"
|
||||
srcmultiport="no"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--dport ${srcport}"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
|
||||
|
||||
# Blank variables that we're not going to use.
|
||||
[[ ${interface} == "-" ]] && interface=""
|
||||
[[ ${dstport} == "-" ]] && dstport=""
|
||||
|
@ -416,10 +425,20 @@ function enable_forwarding {
|
|||
([[ ${syn} == "syn" ]] && [[ ${protocol} == "udp" ]]) && syn="-"
|
||||
[[ ${syn} == "syn" ]] && syn="--syn"
|
||||
[[ ${syn} == "notsyn" ]] && syn="! --syn"
|
||||
[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
|
||||
([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
|
||||
([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
|
||||
dstmultiport="no"
|
||||
srcmultiport="no"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstport} =~ (-|:|,) ]]) && dstmultiport="yes"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcport} =~ (-|:|,) ]]) && srcmultiport="yes"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} != "yes" ]]) && dstport="--dport ${dstport}"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} != "yes" ]]) && srcport="--sport ${srcport}"
|
||||
([[ ${dstport} != "-" ]] && [[ ${dstmultiport} == "yes" ]]) && dstport="-m multiport --dports ${dstport}"
|
||||
([[ ${srcport} != "-" ]] && [[ ${srcmultiport} == "yes" ]]) && srcport="-m multiport --sports ${srcport}"
|
||||
([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport=${srcport/sport/dport}
|
||||
([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport=${dstport/dport/sport}
|
||||
#[[ ${dstport} != "-" ]] && dstport="--dport ${dstport}"
|
||||
#[[ ${srcport} != "-" ]] && srcport="--sport ${srcport}"
|
||||
#([[ ${bidirectional} == "yes" ]] && [[ ${srcport} != "-" ]]) && revsrcport="--dport ${srcport}"
|
||||
#([[ ${bidirectional} == "yes" ]] && [[ ${dstport} != "-" ]]) && revdstport="--sport ${dstport}"
|
||||
[[ ${protocol} != "-" ]] && protocol="-p ${protocol}"
|
||||
|
||||
${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR}${action} ${srcinterface} ${srcaddress} ${dstinterface} ${dstaddress} ${bidirectional} ${srcport} ${dstport} ${protocol} ${syn} ${state}"
|
||||
|
@ -541,7 +560,7 @@ function enable_services {
|
|||
&& ${display} RED "service.conf: Error - must begin with service name or port number: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
|
||||
[[ ${protocol} == "-" ]] \
|
||||
&& ${display} RED "service.conf: Error - protocol can not be empty: ${DEFAULT_COLOR}${service} ${protocol} ${interface} ${address} ${srcaddress}" && continue
|
||||
[[ ${service} =~ "," ]] && multiport="yes"
|
||||
[[ ${service} =~ (-|:|,) ]] && multiport="yes"
|
||||
# Do some creative work with variables to make building the iptables rules fairly painless
|
||||
([[ ${service} != "-" ]] && [[ ${multiport} != "yes" ]]) && service="--dport ${service}"
|
||||
([[ ${service} != "-" ]] && [[ ${multiport} == "yes" ]]) && service="-m multiport --dports ${service}"
|
||||
|
|
|
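Review bot: The `[ -x "${IPTABLESOPT}" ]` test in the new splice block checks whether the option string names an executable file, so with a value such as `-w` the branch is never taken and the options are never applied; the intent reads as a non-empty test, `if [ -x "${IPTABLES}" ] && [ -n "${IPTABLESOPT}" ]; then`. The IPv6 branch also assigns to the wrong variable: `IPTABLES="${IP6TABLES} ${IP6TABLESOPT}"` replaces the IPv4 command with the IPv6 one whenever that (equally mis-tested) branch fires, and should read `IP6TABLES="${IP6TABLES} ${IP6TABLESOPT}"` guarded by `[ -n "${IP6TABLESOPT}" ]`. Because the options are string-spliced into the command variable and presumably expanded unquoted at each call site, a comment above the block saying that these values come from the firewall config and are passed through without validation would help the next maintainer. Separately, in the second enable_filtering hunk the non-multiport source-port line sets `srcport="--dport ${srcport}"`, which looks like a copy of the dstport line and disagrees with the `--sport` used at the same position in enable_forwarding.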
@ -1,7 +1,7 @@
|
|||
{
|
||||
"version": "2.1p2",
|
||||
"version": "2.2.1",
|
||||
"state": "stable",
|
||||
"scope": "minor fixes",
|
||||
"changes": "See CHANGELOG",
|
||||
"download": "https://source.sosdg.org/brielle/srfirewall/repository/archive.tar.bz2?ref=v2.1p2"
|
||||
"download": "https://git.sosdg.org/brielle/SRFirewall/releases"
|
||||
}
|
||||
|
|