From a7a587dfe43442ecf25f52273149b0b9316db95f Mon Sep 17 00:00:00 2001 From: Dominik Stadler Date: Thu, 28 Dec 2006 20:59:13 +0000 Subject: [PATCH] Upgrade to Version 250 from CVS, fixes some Bugs, also adjust for newer bash by using %b instead of %q in printf-statements. Package-Manager: portage-2.1.2_rc2-r2 --- net-firewall/firehol/ChangeLog | 10 +- net-firewall/firehol/Manifest | 33 +- .../firehol/files/digest-firehol-1.250 | 3 + .../firehol/files/firehol-1.226-to-250.patch | 748 ++++++++++++++++++ .../firehol/files/firehol-1.250-printf.patch | 47 ++ net-firewall/firehol/firehol-1.250.ebuild | 81 ++ 6 files changed, 917 insertions(+), 5 deletions(-) create mode 100644 net-firewall/firehol/files/digest-firehol-1.250 create mode 100644 net-firewall/firehol/files/firehol-1.226-to-250.patch create mode 100644 net-firewall/firehol/files/firehol-1.250-printf.patch create mode 100644 net-firewall/firehol/firehol-1.250.ebuild diff --git a/net-firewall/firehol/ChangeLog b/net-firewall/firehol/ChangeLog index b9df3e9417a9..a438eabb0cbb 100644 --- a/net-firewall/firehol/ChangeLog +++ b/net-firewall/firehol/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-firewall/firehol # Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.21 2006/08/20 03:58:25 weeve Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/ChangeLog,v 1.22 2006/12/28 20:59:13 centic Exp $ + +*firehol-1.250 (27 Dec 2006) + + 27 Dec 2006; Dominik Stadler + +files/firehol-1.226-to-250.patch, +files/firehol-1.250-printf.patch, + +firehol-1.250.ebuild: + Add version 250 from CVS, fixes bug 151588. Depend on iproute2, fixes Bug + 152537. Change printf-statements, fixes Bugs 153858 and 139526 20 Aug 2006; Jason Wever firehol-1.226-r1.ebuild: Added ~sparc keyword wrt bug #137899. diff --git a/net-firewall/firehol/Manifest b/net-firewall/firehol/Manifest index 3bf50df66f63..5a8b4be87e09 100644 --- a/net-firewall/firehol/Manifest +++ b/net-firewall/firehol/Manifest @@ -1,7 +1,18 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + AUX firehol-1.226-to-228.patch 2311 RMD160 9adefc751d465dd193134b3243e6d34300216f7c SHA1 5f900b6e2a6f475596aa1bff4eafad37109fb5c9 SHA256 8a682147e82665124b256d9fadf16d989bf310f2480168e888d4b048e60b910c MD5 0d4eceaa49f1a12171145a685e42c015 files/firehol-1.226-to-228.patch 2311 RMD160 9adefc751d465dd193134b3243e6d34300216f7c files/firehol-1.226-to-228.patch 2311 SHA256 8a682147e82665124b256d9fadf16d989bf310f2480168e888d4b048e60b910c files/firehol-1.226-to-228.patch 2311 +AUX firehol-1.226-to-250.patch 25526 RMD160 25a554e64f65e0dad93f87e70f9b158fd3eca047 SHA1 7de892b3e83e26de7f5697eba0583bf025a182a0 SHA256 e55a0e6c4ff8baf61681c252cb870e77375adbab9e8ee6cc67f9a33b56900278 +MD5 4b1c93cb0f0fe8454d1b085188ea1893 files/firehol-1.226-to-250.patch 25526 +RMD160 25a554e64f65e0dad93f87e70f9b158fd3eca047 files/firehol-1.226-to-250.patch 25526 +SHA256 e55a0e6c4ff8baf61681c252cb870e77375adbab9e8ee6cc67f9a33b56900278 files/firehol-1.226-to-250.patch 25526 +AUX firehol-1.250-printf.patch 1496 RMD160 df025b1bf110ba50b2d8060a145aa79af39a8b26 SHA1 a3450b2b3c94c94be4f64aebdbdbf6a0fc5e3b19 SHA256 35ab81db53612f938ca37f592d85e68260573084c34b598a7c4254b3d3fab071 +MD5 bfaa62f4b3eb2956611c1085e61ca673 files/firehol-1.250-printf.patch 1496 +RMD160 df025b1bf110ba50b2d8060a145aa79af39a8b26 files/firehol-1.250-printf.patch 1496 +SHA256 35ab81db53612f938ca37f592d85e68260573084c34b598a7c4254b3d3fab071 files/firehol-1.250-printf.patch 1496 AUX firehol.conf.d 70 RMD160 a87dc5fb7ba67d3f87d9672de62ba5081925ddcb SHA1 5a31d6751f0ea13550218132ff210e3286694152 SHA256 0e6bae0a5329d6b527cf0ae7183acf04f0f08f5a931bf5e82a789053faed4e3c MD5 76b78f59bdc0f07399dd54e1b756c3cb files/firehol.conf.d 70 RMD160 a87dc5fb7ba67d3f87d9672de62ba5081925ddcb files/firehol.conf.d 70 @@ -15,10 +26,14 @@ EBUILD firehol-1.226-r1.ebuild 2021 RMD160 6e262180bb89259b8dac202408af50a06139b MD5 8a6ec261a65f2da2be33888ca5825c29 firehol-1.226-r1.ebuild 2021 RMD160 6e262180bb89259b8dac202408af50a06139be13 firehol-1.226-r1.ebuild 2021 SHA256 0894a8bd7642bc8b6dfe270d9be4552f44015020febf71f6b2966e5c33b576a2 firehol-1.226-r1.ebuild 2021 -MISC ChangeLog 4057 RMD160 112ed970db4f7ba712f7afcc83abf1420a366ab9 SHA1 e0a59497e94da6cefad15c5e12b03a58610a83f3 SHA256 d5b5396d583fa83b44a959b5bf040fa3e13e49dae78518c677da0136d80ba9a8 -MD5 30ccd2d84bb2690b031a72fb60a25173 ChangeLog 4057 -RMD160 112ed970db4f7ba712f7afcc83abf1420a366ab9 ChangeLog 4057 -SHA256 d5b5396d583fa83b44a959b5bf040fa3e13e49dae78518c677da0136d80ba9a8 ChangeLog 4057 +EBUILD firehol-1.250.ebuild 2190 RMD160 578b124cd98abbbac437c7fe2dc98c75313e1715 SHA1 d6e0f8c7150f71371e8713b8dd777221ec3fe768 SHA256 19e7224cd23c49b8a6e338c08f00935b70edb8e2ca9467481ea74b85d1ffb3ac +MD5 06efe9ef2731658fe21789bcb14e3d45 firehol-1.250.ebuild 2190 +RMD160 578b124cd98abbbac437c7fe2dc98c75313e1715 firehol-1.250.ebuild 2190 +SHA256 19e7224cd23c49b8a6e338c08f00935b70edb8e2ca9467481ea74b85d1ffb3ac firehol-1.250.ebuild 2190 +MISC ChangeLog 4378 RMD160 d7c2d7544dd7da72f1171c131ce76a37719b778c SHA1 b29762eac1371738d58c66dbe574424783a39abb SHA256 090f1bf91da85d8076e429d6aa44a676206fe264f39f0615062415517d8d690f +MD5 bad63709f67d3f428fc1924f96c9c317 ChangeLog 4378 +RMD160 d7c2d7544dd7da72f1171c131ce76a37719b778c ChangeLog 4378 +SHA256 090f1bf91da85d8076e429d6aa44a676206fe264f39f0615062415517d8d690f ChangeLog 4378 MISC metadata.xml 232 RMD160 d8974ec04155ee7c05c49808735fe6d6cca0a541 SHA1 b417ff2a1791163c7ef78c244c84f4ac0dd28396 SHA256 1ee782bb36d2551c41eb7f4dafc946ea2699771f4ea724cca4363b69eb4e84d4 MD5 4086491e8b7c76b8138dc140f7742978 metadata.xml 232 RMD160 d8974ec04155ee7c05c49808735fe6d6cca0a541 metadata.xml 232 @@ -26,3 +41,13 @@ SHA256 1ee782bb36d2551c41eb7f4dafc946ea2699771f4ea724cca4363b69eb4e84d4 metadata MD5 307ce774f075b24a9f1c58d191f0aa17 files/digest-firehol-1.226-r1 244 RMD160 46fa3ffb007c7979d8261ed9eb2ba932fd6046bf files/digest-firehol-1.226-r1 244 SHA256 33e71811998e454a012d49facc452e1abb8b05c90cf563ce8faf583426f04410 files/digest-firehol-1.226-r1 244 +MD5 307ce774f075b24a9f1c58d191f0aa17 files/digest-firehol-1.250 244 +RMD160 46fa3ffb007c7979d8261ed9eb2ba932fd6046bf files/digest-firehol-1.250 244 +SHA256 33e71811998e454a012d49facc452e1abb8b05c90cf563ce8faf583426f04410 files/digest-firehol-1.250 244 +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.5 (GNU/Linux) + +iD8DBQFFlFKw7IRIh26aCTkRAg9KAJ0fp5Z+QUAD9s0/Fkixe03oTVE7AwCfXR+Q +9bOzrjLXxZyQ8yYQcLB5hbk= +=zLV1 +-----END PGP SIGNATURE----- diff --git a/net-firewall/firehol/files/digest-firehol-1.250 b/net-firewall/firehol/files/digest-firehol-1.250 new file mode 100644 index 000000000000..d2c0f0cf477c --- /dev/null +++ b/net-firewall/firehol/files/digest-firehol-1.250 @@ -0,0 +1,3 @@ +MD5 958f6e95bad37013e544da587f55c8b7 firehol-1.226.tar.bz2 118113 +RMD160 bff910e8a3a67ce91f0634177b5ee361edc90e96 firehol-1.226.tar.bz2 118113 +SHA256 b434e8142eb4093516794c6f2213d03efa3c08161758ff836dbd266f0a9438cf firehol-1.226.tar.bz2 118113 diff --git a/net-firewall/firehol/files/firehol-1.226-to-250.patch b/net-firewall/firehol/files/firehol-1.226-to-250.patch new file mode 100644 index 000000000000..2e042f7f05be --- /dev/null +++ b/net-firewall/firehol/files/firehol-1.226-to-250.patch @@ -0,0 +1,748 @@ +--- firehol.new 2006-12-27 14:13:39.000000000 +0100 ++++ firehol.sh 2006-12-27 14:15:57.000000000 +0100 +@@ -10,7 +10,7 @@ + # + # config: /etc/firehol/firehol.conf + # +-# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ ++# $Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ + # + + # Make sure only root can run us. +@@ -74,13 +74,16 @@ + return 0 + } + +-# Check for a command during runtime. +-# Currently the following commands are required only when needed: +-# +-# wget or curl (either is fine) +-# gzcat +-# ++# command on demand support. + require_cmd() { ++ local block=1 ++ if [ "a$1" = "a-n" ] ++ then ++ local block=0 ++ shift ++ fi ++ ++ # if one is found, return success + for x in $1 + do + eval var=`echo ${x} | tr 'a-z' 'A-Z'`_CMD +@@ -92,21 +95,56 @@ + fi + done + ++ if [ $block -eq 1 ] ++ then ++ echo >&2 ++ echo >&2 "ERROR: THE REQUESTED FEATURE REQUIRES THESE PROGRAMS:" ++ echo >&2 ++ echo >&2 " $*" ++ echo >&2 ++ echo >&2 " You have requested the use of an optional FireHOL" ++ echo >&2 " feature that requires certain external programs" ++ echo >&2 " to be installed in the running system." ++ echo >&2 ++ echo >&2 " Please consult your Linux distribution manual to" ++ echo >&2 " install the package(s) that provide these external" ++ echo >&2 " programs and retry." ++ echo >&2 ++ echo >&2 " Note that you need an operational 'which' command" ++ echo >&2 " for FireHOL to find all the external programs it" ++ echo >&2 " needs. Check it yourself. Run:" ++ echo >&2 ++ for x in $1 ++ do ++ echo >&2 " which $x" ++ done ++ ++ exit 1 ++ fi ++ + return 1 + } + ++# Currently the following commands are required only when needed. ++# (i.e. Command on Demand) ++# ++# wget or curl (either is fine) ++# gzcat ++# ip ++# netstat ++# egrep ++# date ++# hostname ++ ++# Commands that are mandatory for FireHOL operation: + which_cmd CAT_CMD cat + which_cmd CUT_CMD cut + which_cmd CHOWN_CMD chown + which_cmd CHMOD_CMD chmod +-which_cmd DATE_CMD date +-which_cmd EGREP_CMD egrep + which_cmd EXPR_CMD expr + which_cmd GAWK_CMD gawk + which_cmd GREP_CMD grep + which_cmd HEAD_CMD head +-which_cmd HOSTNAME_CMD hostname +-which_cmd IP_CMD ip + which_cmd IPTABLES_CMD iptables + which_cmd IPTABLES_SAVE_CMD iptables-save + which_cmd LESS_CMD less +@@ -114,7 +152,6 @@ + which_cmd MKDIR_CMD mkdir + which_cmd MV_CMD mv + which_cmd MODPROBE_CMD modprobe +-which_cmd NETSTAT_CMD netstat + which_cmd RENICE_CMD renice + which_cmd RM_CMD rm + which_cmd SED_CMD sed +@@ -134,7 +171,7 @@ + # Find our minor version + firehol_minor_version() { + ${CAT_CMD} <<"EOF" | ${CUT_CMD} -d ' ' -f 3 | ${CUT_CMD} -d '.' -f 2 +-$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ ++$Id: firehol-1.226-to-250.patch,v 1.1 2006/12/28 20:59:13 centic Exp $ + EOF + } + +@@ -170,6 +207,9 @@ + FIREHOL_SAVED="${FIREHOL_DIR}/firehol-save.sh" + FIREHOL_TMP="${FIREHOL_DIR}/firehol-tmp.sh" + ++FIREHOL_LOCK_DIR="/var/lock/subsys" ++test ! -d "${FIREHOL_LOCK_DIR}" && FIREHOL_LOCK_DIR="/var/lock" ++ + FIREHOL_SPOOL_DIR="/var/spool/firehol" + + # The default configuration file +@@ -209,6 +249,7 @@ + + # Run our exit even if we don't call exit. + trap firehol_exit EXIT ++trap firehol_exit SIGHUP + + + # ------------------------------------------------------------------------------ +@@ -267,8 +308,8 @@ + if [ ! -d "${FIREHOL_SPOOL_DIR}" ] + then + "${MKDIR_CMD}" "${FIREHOL_SPOOL_DIR}" || exit 1 +- "${CHOWN_CMD}" root:root "${FIREHOL_CONFIG_DIR}" || exit 1 +- "${CHMOD_CMD}" 700 "${FIREHOL_CONFIG_DIR}" || exit 1 ++ "${CHOWN_CMD}" root:root "${FIREHOL_SPOOL_DIR}" || exit 1 ++ "${CHMOD_CMD}" 700 "${FIREHOL_SPOOL_DIR}" || exit 1 + fi + + +@@ -280,7 +321,7 @@ + # Optimized (CIDR) by Marc 'HE' Brockschmidt + # Further optimized and reduced by http://www.vergenet.net/linux/aggregate/ + # The supplied get-iana.sh uses 'aggregate-flim' if it finds it in the path. +-RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/7 76.0.0.0/6 89.0.0.0/8 90.0.0.0/7 92.0.0.0/6 96.0.0.0/3 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4" ++RESERVED_IPS="0.0.0.0/7 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/7 39.0.0.0/8 42.0.0.0/8 92.0.0.0/6 100.0.0.0/6 104.0.0.0/5 112.0.0.0/5 120.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/7 176.0.0.0/5 184.0.0.0/6 197.0.0.0/8 223.0.0.0/8 240.0.0.0/4 " + + # Private IPv4 address space + # Suggested by Fco.Felix Belmonte +@@ -306,6 +347,11 @@ + # policy interface subscommand. + DEFAULT_INTERFACE_POLICY="DROP" + ++# The default policy for the router commands of the firewall. ++# This can be controlled on a per interface basis using the ++# policy interface subscommand. ++DEFAULT_ROUTER_POLICY="RETURN" ++ + # Which is the filter table chains policy during firewall activation? + FIREHOL_INPUT_ACTIVATION_POLICY="ACCEPT" + FIREHOL_OUTPUT_ACTIVATION_POLICY="ACCEPT" +@@ -329,6 +375,10 @@ + FIREHOL_LOG_MODE="LOG" + FIREHOL_LOG_FREQUENCY="1/second" + FIREHOL_LOG_BURST="5" ++FIREHOL_LOG_PREFIX="" ++ ++# If enabled, FireHOL will silently drop orphan TCP packets with ACK,FIN set. ++FIREHOL_DROP_ORPHAN_TCP_ACK_FIN=0 + + # The client ports to be used for "default" client ports when the + # client specified is a foreign host. +@@ -427,7 +477,7 @@ + work_name= + work_inface= + work_outface= +-work_policy="${DEFAULT_INTERFACE_POLICY}" ++work_policy= + work_error=0 + work_function="Initializing" + +@@ -618,6 +668,9 @@ + server_microsoft_ds_ports="tcp/445" + client_microsoft_ds_ports="default" + ++server_ms_ds_ports="tcp/445" ++client_ms_ds_ports="default" ++ + server_mms_ports="tcp/1755 udp/1755" + client_mms_ports="default" + require_mms_modules="ip_conntrack_mms" +@@ -666,6 +719,9 @@ + server_oracle_ports="tcp/1521" + client_oracle_ports="default" + ++server_OSPF_ports="89/any" ++client_OSPF_ports="any" ++ + server_pop3_ports="tcp/110" + client_pop3_ports="default" + +@@ -708,7 +764,7 @@ + client_rtp_ports="any" + + server_sip_ports="udp/5060" +-client_sip_ports="default" ++client_sip_ports="5060 default" + + server_socks_ports="tcp/1080 udp/1080" + client_socks_ports="default" +@@ -769,7 +825,7 @@ + server_vmwareauth_ports="tcp/903" + client_vmwareauth_ports="default" + +-server_vmwareweb_ports="tcp/8222" ++server_vmwareweb_ports="tcp/8222 tcp/8333" + client_vmwareweb_ports="default" + + server_vnc_ports="tcp/5900:5903" +@@ -1090,10 +1146,12 @@ + local server_rquotad_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " rquotad$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + local server_mountd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " mountd$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + local server_lockd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nlockmgr$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" ++ local server_statd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " status$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + local server_nfsd_ports="`${CAT_CMD} "${tmp}" | ${GREP_CMD} " nfs$" | ( while read a b proto port s; do echo "$proto/$port"; done ) | ${SORT_CMD} | ${UNIQ_CMD}`" + + test -z "${server_mountd_ports}" && error "Cannot find mountd ports for nfs server '${x}'" && return 1 + test -z "${server_lockd_ports}" && error "Cannot find lockd ports for nfs server '${x}'" && return 1 ++ test -z "${server_statd_ports}" && error "Cannot find statd ports for nfs server '${x}'" && return 1 + test -z "${server_nfsd_ports}" && error "Cannot find nfsd ports for nfs server '${x}'" && return 1 + + local dst= +@@ -1113,6 +1171,9 @@ + + set_work_function "Processing lockd rules for server '${x}'" + rules_custom "${mychain}" "${type}" nfs-lockd "${server_lockd_ports}" "500:65535" "${action}" $dst "$@" ++ ++ set_work_function "Processing statd rules for server '${x}'" ++ rules_custom "${mychain}" "${type}" nfs-statd "${server_statd_ports}" "500:65535" "${action}" $dst "$@" + + set_work_function "Processing nfsd rules for server '${x}'" + rules_custom "${mychain}" "${type}" nfs-nfsd "${server_nfsd_ports}" "500:65535" "${action}" $dst "$@" +@@ -1798,7 +1859,7 @@ + firehol_wget() { + local url="${1}" + +- require_cmd wget curl || error "Cannot find 'wget' or 'curl' in the path." ++ require_cmd wget curl + + if [ ! -z "${WGET_CMD}" ] + then +@@ -2407,9 +2468,9 @@ + policy() { + work_realcmd_secondary ${FUNCNAME} "$@" + +- require_work set interface || return 1 ++ require_work set any || return 1 + +- set_work_function "Setting interface '${work_inface}' (${work_name}) policy to ${1}" ++ set_work_function "Setting policy of ${work_name} to ${1}" + work_policy="$*" + + return 0 +@@ -2482,6 +2543,11 @@ + return 0 + ;; + ++ bad-packets|BAD-PACKETS) ++ protection ${reverse} "invalid fragments new-tcp-w/o-syn malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}" ++ return $? ++ ;; ++ + strong|STRONG|full|FULL|all|ALL) + protection ${reverse} "invalid fragments new-tcp-w/o-syn icmp-floods syn-floods malformed-xmas malformed-null malformed-bad" "${rate}" "${burst}" + return $? +@@ -2529,6 +2595,16 @@ + rule in chain "${mychain}" loglimit "SYN FLOOD" action drop || return 1 + ;; + ++ all-floods|ALL-FLOODS) ++ local mychain="${pre}_${work_name}_allflood" ++ create_chain filter "${mychain}" "${in}_${work_name}" in state NEW || return 1 ++ ++ set_work_function "Generating rules to be protected from ALL floods on '${prface}' for ${work_cmd} '${work_name}'" ++ ++ rule in chain "${mychain}" limit "${rate}" "${burst}" action return || return 1 ++ rule in chain "${mychain}" loglimit "ALL FLOOD" action drop || return 1 ++ ;; ++ + malformed-xmas|MALFORMED-XMAS) + local mychain="${pre}_${work_name}_malxmas" + create_chain filter "${mychain}" "${in}_${work_name}" in proto tcp custom "--tcp-flags ALL ALL" || return 1 +@@ -2589,7 +2665,7 @@ + # kernel modules. + + # optionaly require command gzcat +-require_cmd gzcat ++require_cmd -n gzcat + + KERNEL_CONFIG= + if [ -f "/proc/config" ] +@@ -2632,6 +2708,7 @@ + echo >&2 " all kernel modules for the services used, without" + echo >&2 " being able to detect failures." + echo >&2 " " ++ sleep 2 + fi + + # activation-phase command to check for the existance of +@@ -2824,11 +2901,12 @@ + work_name= + work_inface= + work_outface= +- work_policy="${DEFAULT_INTERFACE_POLICY}" ++ work_policy= + + return 0 + } + ++ + # ------------------------------------------------------------------------------ + # close_interface + # WHY: +@@ -2841,6 +2919,12 @@ + + set_work_function "Finilizing interface '${work_name}'" + ++ # Accept all related traffic to the established connections ++ rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 ++ rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 ++ ++ # make sure we have a policy ++ test -z "${work_policy}" && work_policy="${DEFAULT_INTERFACE_POLICY}" + case "${work_policy}" in + return|RETURN) + return 0 +@@ -2849,15 +2933,18 @@ + accept|ACCEPT) + ;; + +- *) ++ *) + local -a inlog=(loglimit "'IN-${work_name}'") + local -a outlog=(loglimit "'OUT-${work_name}'") + ;; + esac + +- # Accept all related traffic to the established connections +- rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 +- rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 ++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] ++ then ++ # Silently drop orphan TCP/ACK FIN packets ++ rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ fi + + rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1 + rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1 +@@ -2882,6 +2969,32 @@ + rule chain "in_${work_name}" state RELATED action ACCEPT || return 1 + rule chain "out_${work_name}" state RELATED action ACCEPT || return 1 + ++ # make sure we have a policy ++ test -z "${work_policy}" && work_policy="${DEFAULT_ROUTER_POLICY}" ++ case "${work_policy}" in ++ return|RETURN) ++ return 0 ++ ;; ++ ++ accept|ACCEPT) ++ ;; ++ ++ *) ++ local -a inlog=(loglimit "'PASS-${work_name}'") ++ local -a outlog=(loglimit "'PASS-${work_name}'") ++ ;; ++ esac ++ ++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] ++ then ++ # Silently drop orphan TCP/ACK FIN packets ++ rule chain "in_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ rule reverse chain "out_${work_name}" state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ fi ++ ++ rule chain "in_${work_name}" "${inlog[@]}" action ${work_policy} || return 1 ++ rule reverse chain "out_${work_name}" "${outlog[@]}" action ${work_policy} || return 1 ++ + return 0 + } + +@@ -2900,6 +3013,14 @@ + rule chain OUTPUT state RELATED action ACCEPT || return 1 + rule chain FORWARD state RELATED action ACCEPT || return 1 + ++ if [ "${FIREHOL_DROP_ORPHAN_TCP_ACK_FIN}" = "1" ] ++ then ++ # Silently drop orphan TCP/ACK FIN packets ++ rule chain INPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ rule chain OUTPUT state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ rule chain FORWARD state NEW proto tcp custom "--tcp-flags ALL ACK,FIN" action DROP || return 1 ++ fi ++ + rule chain INPUT loglimit "IN-unknown" action ${UNMATCHED_INPUT_POLICY} || return 1 + rule chain OUTPUT loglimit "OUT-unknown" action ${UNMATCHED_OUTPUT_POLICY} || return 1 + rule chain FORWARD loglimit "PASS-unknown" action ${UNMATCHED_ROUTER_POLICY} || return 1 +@@ -3055,7 +3176,7 @@ + # to pass. + if [ "${do_accept_limit}" = "1" ] + then +- local accept_limit_chain="`echo "ACCEPT ${freq} ${burst} ${overflow}" | tr " /." "___"`" ++ local accept_limit_chain="`echo "ACCEPT LIMIT ${freq} ${burst} ${overflow}" | tr " /." "___"`" + + # does the chain we need already exist? + if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_limit_chain}" ] +@@ -3075,9 +3196,9 @@ + local -a logopts_arg=() + if [ "${FIREHOL_LOG_MODE}" = "ULOG" ] + then +- local -a logopts_arg=("--ulog-prefix='OVERFLOW:'") ++ local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'") + else +- local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='OVERFLOW:'") ++ local -a logopts_arg=("--log-level" "${FIREHOL_LOG_LEVEL}" "--log-prefix='${FIREHOL_LOG_PREFIX}LIMIT_OVERFLOW:'") + fi + iptables ${table} -A "${accept_limit_chain}" -m limit --limit "${FIREHOL_LOG_FREQUENCY}" --limit-burst "${FIREHOL_LOG_BURST}" -j ${FIREHOL_LOG_MODE} ${FIREHOL_LOG_OPTIONS} "${logopts_arg[@]}" + +@@ -3096,6 +3217,62 @@ + fi + ;; + ++ "recent") ++ # limit NEW connections to the specified rate ++ local name="${action_param[1]}" ++ local seconds="${action_param[2]}" ++ local hits="${action_param[3]}" ++ ++ # unset the action_param, so that if this rule does not include NEW connections, ++ # we will not append anything to the generated iptables statements. ++ local -a action_param=() ++ ++ # find is this rule matches NEW connections ++ local has_new=`echo "${state}" | grep -i NEW` ++ local do_accept_recent=0 ++ if [ -z "${statenot}" ] ++ then ++ test ! -z "${has_new}" && local do_accept_recent=1 ++ else ++ test -z "${has_new}" && local do_accept_recent=1 ++ fi ++ ++ # we have a match for NEW connections. ++ # redirect the traffic to a new chain, which will control ++ # the NEW connections while allowing all the other traffic ++ # to pass. ++ if [ "${do_accept_recent}" = "1" ] ++ then ++ local accept_recent_chain="`echo "ACCEPT RECENT $name $seconds $hits" | tr " /." "___"`" ++ ++ # does the chain we need already exist? ++ if [ ! -f "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ] ++ then ++ # the chain does not exist. create it. ++ iptables ${table} -N "${accept_recent_chain}" ++ touch "${FIREHOL_CHAINS_DIR}/${accept_recent_chain}" ++ ++ # first, if the traffic is not a NEW connection, allow it. ++ # doing this first will speed up normal traffic. ++ iptables ${table} -A "${accept_recent_chain}" -m state ! --state NEW -j ACCEPT ++ ++ # accept NEW connections within the given limits. ++ iptables ${table} -A "${accept_recent_chain}" -m recent --set --name "${name}" ++ ++ local t1= ++ test ! -z $seconds && local t1="--seconds ${seconds}" ++ local t2= ++ test ! -z $hits && local t2="--hitcount ${hits}" ++ ++ iptables ${table} -A "${accept_recent_chain}" -m recent --update ${t1} ${t2} --name "${name}" -j RETURN ++ iptables ${table} -A "${accept_recent_chain}" -j ACCEPT ++ fi ++ ++ # send the rule to be generated to this chain ++ local action=${accept_recent_chain} ++ fi ++ ;; ++ + 'knock') + # the name of the knock + local name="knock_${action_param[1]}" +@@ -3175,6 +3352,12 @@ + local dst=any + local dstnot= + ++ local srctype= ++ local srctypenot= ++ ++ local dsttype= ++ local dsttypenot= ++ + local sport=any + local sportnot= + +@@ -3397,7 +3580,7 @@ + if [ "${1}" = "not" -o "${1}" = "NOT" ] + then + shift +- macnot="!" ++ test ${nomac} -eq 0 && macnot="!" + fi + test ${softwarnings} -eq 1 -a ! "${mac}" = "any" && softwarning "Overwritting param: mac '${mac}' becomes '${1}'" + test ${nomac} -eq 0 && mac="${1}" +@@ -3454,6 +3637,56 @@ + shift + ;; + ++ srctype|SRCTYPE|sourcetype|SOURCETYPE) ++ shift ++ if [ ${reverse} -eq 0 ] ++ then ++ srctypenot= ++ if [ "${1}" = "not" -o "${1}" = "NOT" ] ++ then ++ shift ++ srctypenot="!" ++ fi ++ test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'" ++ srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" ++ else ++ dsttypenot= ++ if [ "${1}" = "not" -o "${1}" = "NOT" ] ++ then ++ shift ++ dsttypenot="!" ++ fi ++ test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'" ++ dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" ++ fi ++ shift ++ ;; ++ ++ dsttype|DSTTYPE|destinationtype|DESTINATIONTYPE) ++ shift ++ if [ ${reverse} -eq 0 ] ++ then ++ dsttypenot= ++ if [ "${1}" = "not" -o "${1}" = "NOT" ] ++ then ++ shift ++ dsttypenot="!" ++ fi ++ test ${softwarnings} -eq 1 -a ! "${dsttype}" = "" && softwarning "Overwritting param: dsttype '${dsttype}' becomes '${1}'" ++ dsttype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" ++ else ++ srctypenot= ++ if [ "${1}" = "not" -o "${1}" = "NOT" ] ++ then ++ shift ++ srctypenot="!" ++ fi ++ test ${softwarnings} -eq 1 -a ! "${srctype}" = "" && softwarning "Overwritting param: srctype '${srctype}' becomes '${1}'" ++ srctype="`echo ${1} | sed "s|^ \+||" | sed "s| \+\$||" | sed "s| \+|,|g" | tr a-z A-Z`" ++ fi ++ shift ++ ;; ++ + sport|SPORT|sourceport|SOURCEPORT) + shift + if [ ${reverse} -eq 0 ] +@@ -3591,6 +3824,11 @@ + fi + ;; + ++ recent|RECENT) ++ local -a action_param=("recent" "${2}" "${3}" "${4}") ++ shift 4 ++ ;; ++ + knock|KNOCK) + local -a action_param=("knock" "${2}") + shift 2 +@@ -3750,6 +3988,10 @@ + fi + ;; + ++ tarpit|TARPIT) ++ action="TARPIT" ++ ;; ++ + *) + chain_exists "${action}" + local action_is_chain=$? +@@ -3991,7 +4233,7 @@ + # this temporary chain. + + +- # ignore 'statenot' since it is negated in the positive rules ++ # ignore 'statenot', 'srctypenot', 'dsttypenot' since it is negated in the positive rules + if [ ! -z "${infacenot}${outfacenot}${physinnot}${physoutnot}${macnot}${srcnot}${dstnot}${sportnot}${dportnot}${protonot}${uidnot}${gidnot}${pidnot}${sidnot}${cmdnot}${marknot}${tosnot}${dscpnot}" ] + then + if [ ${action_is_chain} -eq 1 ] +@@ -4540,6 +4782,25 @@ + ;; + esac + ++ # addrtype (srctype, dsttype) ++ local -a addrtype_arg=() ++ local -a stp_arg=() ++ local -a dtp_arg=() ++ if [ ! -z "${srctype}${dsttype}" ] ++ then ++ local -a addrtype_arg=("-m" "addrtype") ++ ++ if [ ! -z "${srctype}" ] ++ then ++ local -a stp_arg=("${srctypenot}" "--src-type" "${srctype}") ++ fi ++ ++ if [ ! -z "${dsttype}" ] ++ then ++ local -a dtp_arg=("${dsttypenot}" "--dst-type" "${dsttype}") ++ fi ++ fi ++ + # state + local -a state_arg=() + if [ ! -z "${state}" ] +@@ -4562,15 +4823,15 @@ + fi + + # build the command +- declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}") ++ declare -a basecmd=("${inf_arg[@]}" "${outf_arg[@]}" "${physdev_arg[@]}" "${inph_arg[@]}" "${outph_arg[@]}" "${limit_arg[@]}" "${iplimit_arg[@]}" "${proto_arg[@]}" "${s_arg[@]}" "${sp_arg[@]}" "${d_arg[@]}" "${dp_arg[@]}" "${owner_arg[@]}" "${uid_arg[@]}" "${gid_arg[@]}" "${pid_arg[@]}" "${sid_arg[@]}" "${cmd_arg[@]}" "${addrtype_arg[@]}" "${stp_arg[@]}" "${dtp_arg[@]}" "${state_arg[@]}" "${mc_arg[@]}" "${mark_arg[@]}" "${tos_arg[@]}" "${dscp_arg[@]}") + + # log mode selection + local -a logopts_arg=() + if [ "${FIREHOL_LOG_MODE}" = "ULOG" ] + then +- local -a logopts_arg=("--ulog-prefix='${logtxt}:'") ++ local -a logopts_arg=("--ulog-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'") + else +- local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${logtxt}:'") ++ local -a logopts_arg=("--log-level" "${loglevel}" "--log-prefix='${FIREHOL_LOG_PREFIX}${logtxt}:'") + fi + + # log / loglimit +@@ -5005,8 +5266,8 @@ + stop) + test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored." + +- test -f /var/lock/subsys/firehol && ${RM_CMD} -f /var/lock/subsys/firehol +- test -f /var/lock/subsys/iptables && ${RM_CMD} -f /var/lock/subsys/iptables ++ test -f "${FIREHOL_LOCK_DIR}/firehol" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/firehol" ++ test -f "${FIREHOL_LOCK_DIR}/iptables" && ${RM_CMD} -f "${FIREHOL_LOCK_DIR}/iptables" + + echo -n $"FireHOL: Clearing Firewall:" + load_kernel_module ip_tables +@@ -5038,7 +5299,7 @@ + condrestart) + test ! -z "${1}" && softwarning "Arguments after parameter '${arg}' are ignored." + FIREHOL_TRY=0 +- if [ -f /var/lock/subsys/firehol ] ++ if [ -f "${FIREHOL_LOCK_DIR}/firehol" ] + then + exit 0 + fi +@@ -5154,7 +5415,7 @@ + else + + ${CAT_CMD} < + FireHOL is distributed under GPL. + +@@ -5340,7 +5601,7 @@ + + ${CAT_CMD} < + FireHOL is distributed under GPL. + Home Page: http://firehol.sourceforge.net +@@ -5459,6 +5720,13 @@ + + if [ ${FIREHOL_WIZARD} -eq 1 ] + then ++ # require commands for wizard mode ++ require_cmd ip ++ require_cmd netstat ++ require_cmd egrep ++ require_cmd date ++ require_cmd hostname ++ + wizard_ask() { + local prompt="${1}"; shift + local def="${1}"; shift +@@ -5603,7 +5871,12 @@ + local i4=${4} + local i5=${5:-32} + +- echo ${i1}.${i2}.${i3}.${i4}/${i5} ++ if [ "${i5}" = "32" ] ++ then ++ echo ${i1}.${i2}.${i3}.${i4} ++ else ++ echo ${i1}.${i2}.${i3}.${i4}/${i5} ++ fi + } + + ips2net() { +@@ -5634,7 +5907,7 @@ + + "${CAT_CMD}" >&2 < + FireHOL is distributed under GPL. + Home Page: http://firehol.sourceforge.net +@@ -5717,7 +5990,7 @@ + echo "# " + + ${CAT_CMD} < + # FireHOL is distributed under GPL. + # Home Page: http://firehol.sourceforge.net +@@ -6354,11 +6627,11 @@ + # Remove the saved firewall, so that the trap will not restore it. + ${RM_CMD} -f "${FIREHOL_SAVED}" + +-# RedHat startup service locking. +-if [ -d /var/lock/subsys ] ++# Startup service locking. ++if [ -d "${FIREHOL_LOCK_DIR}" ] + then +- ${TOUCH_CMD} /var/lock/subsys/iptables +- ${TOUCH_CMD} /var/lock/subsys/firehol ++ ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/iptables" ++ ${TOUCH_CMD} "${FIREHOL_LOCK_DIR}/firehol" + fi + + diff --git a/net-firewall/firehol/files/firehol-1.250-printf.patch b/net-firewall/firehol/files/firehol-1.250-printf.patch new file mode 100644 index 000000000000..1222e15de65d --- /dev/null +++ b/net-firewall/firehol/files/firehol-1.250-printf.patch @@ -0,0 +1,47 @@ +--- firehol.sh 2006-12-27 14:34:58.000000000 +0100 ++++ firehol.new 2006-12-27 14:53:16.000000000 +0100 +@@ -2412,7 +2412,7 @@ + printf "runcmd '${check}' '${FIREHOL_LINEID}' " >>${FIREHOL_OUTPUT} + fi + +- printf "%q " "$@" >>${FIREHOL_OUTPUT} ++ printf "%b " "$@" >>${FIREHOL_OUTPUT} + printf "\n" >>${FIREHOL_OUTPUT} + + if [ ${FIREHOL_EXPLAIN} -eq 1 ] +@@ -4885,7 +4885,7 @@ + echo >&2 "WARNING" + echo >&2 "WHAT : ${work_function}" + echo >&2 "WHY :" "$@" +- printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2 ++ printf >&2 "COMMAND: "; printf >&2 "%b " "${work_realcmd[@]}"; echo >&2 + echo >&2 "SOURCE : line ${FIREHOL_LINEID} of ${FIREHOL_CONFIG}" + echo >&2 + +@@ -4906,7 +4906,7 @@ + echo >&2 "ERROR #: ${work_error}" + echo >&2 "WHAT : ${work_function}" + echo >&2 "WHY :" "$@" +- printf >&2 "COMMAND: "; printf >&2 "%q " "${work_realcmd[@]}"; echo >&2 ++ printf >&2 "COMMAND: "; printf >&2 "%b " "${work_realcmd[@]}"; echo >&2 + echo >&2 "SOURCE : line ${FIREHOL_LINEID} of ${FIREHOL_CONFIG}" + echo >&2 + +@@ -4960,7 +4960,7 @@ + echo >&2 "WHAT : A runtime command failed to execute (returned error ${ret})." + echo >&2 "SOURCE : line ${line} of ${FIREHOL_CONFIG}" + printf >&2 "COMMAND : " +- printf >&2 "%q " "$@" ++ printf >&2 "%b " "$@" + printf >&2 "\n" + echo >&2 "OUTPUT : " + echo >&2 +@@ -5157,7 +5157,7 @@ + *) ;; + esac + +- printf "%q " "${work_realcmd[@]}" ++ printf "%b " "${work_realcmd[@]}" + printf "\n\n" + ) >>${FIREHOL_OUTPUT} + } diff --git a/net-firewall/firehol/firehol-1.250.ebuild b/net-firewall/firehol/firehol-1.250.ebuild new file mode 100644 index 000000000000..40a31bb072b9 --- /dev/null +++ b/net-firewall/firehol/firehol-1.250.ebuild @@ -0,0 +1,81 @@ +# Copyright 1999-2006 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-firewall/firehol/firehol-1.250.ebuild,v 1.1 2006/12/28 20:59:13 centic Exp $ + +inherit eutils + +DESCRIPTION="iptables firewall generator" +HOMEPAGE="http://firehol.sourceforge.net/" +SRC_URI="mirror://sourceforge/${PN}/${PN}-1.226.tar.bz2" + + +LICENSE="GPL-2" +SLOT="0" +IUSE="" +KEYWORDS="~amd64 ~ppc ~sparc ~x86" + +DEPEND="sys-apps/iproute2" +RDEPEND="net-firewall/iptables + sys-apps/iproute2 + virtual/modutils + || ( + net-misc/wget + net-misc/curl + )" + +S="${WORKDIR}/${PN}-1.226" + +pkg_setup() { + # Bug 81600 fail if iproute2 is built with minimal + if built_with_use sys-apps/iproute2 minimal; then + eerror "Firehol requires iproute2 to be emerged without" + eerror "the USE-Flag \"minimal\"." + eerror "Re-emerge iproute2 with" + eerror "USE=\"-minimal\" emerge sys-apps/iproute2" + die "sys-apps/iproute2 without USE=\"minimal\" needed" + fi +} + +# patch for embedded Gentoo - GNAP +# backport from firehol-CVS. +src_unpack() { + unpack ${A} + cd ${S} || die + epatch ${FILESDIR}/firehol-1.226-to-228.patch || die + epatch ${FILESDIR}/firehol-1.226-to-250.patch || die + epatch ${FILESDIR}/${P}-printf.patch || die +} + +src_install() { + newsbin firehol.sh firehol + + dodir /etc/firehol /etc/firehol/examples /etc/firehol/services + insinto /etc/firehol/examples + doins examples/* || die + + insinto /etc/conf.d + newins ${FILESDIR}/firehol.conf.d firehol || die + + dodoc ChangeLog README TODO WhatIsNew || die + dohtml doc/*.html doc/*.css || die + + docinto scripts + dodoc get-iana.sh adblock.sh || die + + doman man/*.1 man/*.5 || die + + exeinto /etc/init.d + newexe ${FILESDIR}/firehol.initrd firehol || die +} + +pkg_postinst() { + einfo "The default path to firehol's configuration file is /etc/firehol/firehol.conf" + einfo "See /etc/firehol/examples for configuration examples." + # + # Install a default configuration if none is available yet + if [[ ! -e "${ROOT}/etc/firehol/firehol.conf" ]]; then + einfo "Installing a sample configuration as ${ROOT}/etc/firehol/firehol.conf" + cp "${ROOT}/etc/firehol/examples/client-all.conf" "${ROOT}/etc/firehol/firehol.conf" + fi +} + -- 2.26.2