diff --git a/debian/changelog b/debian/changelog
index 5939aed..638ac87 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+eofirewall (0.1+git20110704-squeeze0) stable; urgency=low
+
+ * Use lsb init messages
+ * New version name
+
+ -- Jérôme Schneider Mon, 04 Jul 2011 15:51:25 +0200
+
 eofirewall (0.1-20110623.1) unstable; urgency=low
 * Fix multiple port knocking
diff --git a/firewall b/firewall
index 677c4aa..f575662 100755
--- a/firewall
+++ b/firewall
@@ -17,9 +17,7 @@ NAME="firewall"
 abort()
 {
 message=$@
- echo >&2
- echo -e "$message" >&2
- echo >&2
+ log_failure_msg "$message"
 exit 1
 }
@@ -57,14 +55,14 @@ test_config()
 {
 # FIXME: test if the interface and the ip exist
 if [ ! "$WAN_INT" -o ! "$IP" ]; then
- abort "Bad configuration please check your /etc/firewall/firewall.conf"
+ abort "Bad configuration please check /etc/firewall/firewall.conf"
 fi
 }
 critical_return()
 {
 if [ `echo $?` != 0 ]; then
- echo "!!! CRITICAL error on the last command firewall will be stop"
+ log_failure_msg "Error on the last command firewall will be stop"
 stop
 exit 1
 fi
@@ -73,7 +71,7 @@ critical_return()
 forward_port()
 {
 if [ $# != 4 ]; then
- echo "! Bad syntax for port forward : $*"
+ log_warning_msg "Bad syntax for port forward : $*"
 return
 fi
@@ -86,9 +84,9 @@ forward_port()
 dest_ip=$(echo $destination | cut -d ":" -f1)
 dest_port=$(echo $destination | cut -d ":" -f2)
 if [ ! "$LAN_INT" ]; then
- echo "!! WARNING you must add a LAN interface (LAN_INT) for a port forward"
+ log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
 else
- echo "+ Forward $port to $destination for protocol $proto"
+ log_action_msg "Forward $port to $destination for protocol $proto"
 $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p $proto -s $source -d $dest_ip --dport $dest_port -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
 $IPTABLES -t nat -A PREROUTING -i $WAN_INT -p $proto -s $source -d $IP --dport $port -j DNAT --to $destination
 fi
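Review bot: The test feeding the new `log_failure_msg` line in critical_return reads the caller's status as `if [ \`echo $?\` != 0 ]`, which only works because bash lets the command-substitution subshell inherit `$?`; the plain form `if [ "$?" -ne 0 ]; then` says the same thing without relying on that. Even then the check only sees the single command that immediately precedes the `critical_return` call, so a caller that runs two iptables commands before calling it has the first command's failure masked — worth a comment above the function such as `# only inspects the status of the command run immediately before the call`. The failure message itself reads better as `"Error on the last command, the firewall will be stopped"`. test_config opens before this hunk and critical_return closes after it.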
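Review bot: In the else branch of forward_port neither `$IPTABLES` call is followed by `critical_return`, so a rejected FORWARD or DNAT rule (for example a malformed `$destination` that the two `cut` lines split into an empty `$dest_port`) leaves the forward silently absent while the new `log_action_msg` line has already announced it as set up. open_port checks every rule it adds with `critical_return`; the same call belongs after each of these two `$IPTABLES` lines so a failed forward stops the firewall the way a failed open_port does. forward_port begins before this hunk, so the argument handling that produces `$destination` is not visible here.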
@@ -107,11 +105,10 @@ open_port()
 local proto=$2
 local ports=$3
 else
- echo "!!! CRITICAL Open port bad syntax : $*"
- stop && exit 1
+ log_warning_msg "Open port bad syntax : $*"
 fi
 source=$1
- echo "+ Open port(s) $ports from $source to $destination for protocol $proto"
+ log_action_msg "Open port(s) $ports from $source to $destination for protocol $proto"
 for port in $(echo $ports | sed 's/,/ /g'); do
 $IPTABLES -A INPUT -i $WAN_INT -p $proto -s $source -d $destination --dport $port -m state --state NEW -j ACCEPT
 critical_return
@@ -121,7 +118,7 @@ open_port()
 port_redirection()
 {
 if [ $# != 4 ]; then
- echo "! Bad syntax for port redirection : $*"
+ log_warning_msg "Bad syntax for port redirection : $*"
 return
 fi
@@ -130,14 +127,14 @@ port_redirection()
 local srcport=$3
 local destport=$4
- echo "+ Redirect $if port $srcport to $destport for portocol $proto"
+ log_action_msg "Redirect $if port $srcport to $destport for portocol $proto"
 iptables -t nat -A PREROUTING -i $if -p $proto --dport $srcport -j REDIRECT --to-port $destport
 }
 port_knocking()
 {
 if [ $# != 3 ]; then
- echo "! Bad syntax for port knocking : $*"
+ log_warning_msg "Bad syntax for port knocking : $*"
 return
 fi
@@ -158,7 +155,7 @@ port_knocking()
 iptables -A INPUT -i $WAN_INT -p tcp --dport $kport -m recent --set --name toc${tock_number}
 fi
 done
- echo "+ Port knocking for $port with combinaison $knock_ports on $WAN_INT"
+ log_action_msg "Port knocking for $port with combinaison $knock_ports on $WAN_INT"
 iptables -A INPUT -i $WAN_INT -p tcp --dport $port -m recent --rcheck --seconds 15 --name toc${tock_number} -m state --state NEW -j ACCEPT
 }
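Review bot: After the new `log_warning_msg "Open port bad syntax : $*"` in open_port the function neither exits nor returns, so it falls through to `source=$1` and the `$IPTABLES` loop with whatever `$proto`, `$ports` and `$destination` happen to hold, and either adds a rule the caller never asked for or silently adds nothing. The sibling functions forward_port, port_redirection and port_knocking all `return` after their bad-syntax warning; adding `return` on the line after the warning gives open_port the same contract. Dropping the old `stop && exit 1` is defensible (one bad config line should not tear down every rule), provided the bad entry is skipped rather than half-applied. open_port begins before this hunk, so the branches that set the locals are not visible.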
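Review bot: The `iptables -t nat -A PREROUTING ...` line that follows the new `log_action_msg` in port_redirection, and the two `iptables -A INPUT ... -m recent` lines in port_knocking, invoke the binary directly while the rest of the file goes through `$IPTABLES`, and none of them is followed by `critical_return`, so a rejected REDIRECT or recent-match rule is reported as applied. Using `$IPTABLES` and adding `critical_return` after the REDIRECT line would match forward_port and open_port. The string `"... for portocol $proto"` also carries a typo for "protocol" that this commit rewrites but does not fix. port_knocking continues past the end of this hunk.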
@@ -177,33 +174,33 @@ start()
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
- log_progress_msg "Allow WAN outgoing traffic"
+ log_action_msg "Allow WAN outgoing traffic"
 $IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
 $IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
 critical_return
 if [ $LAN == 1 ]; then
- log_progress_msg "Allow WAN outgoing traffic from lan"
+ log_action_msg "Allow WAN outgoing traffic from lan"
 $IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
 $IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
- log_progress_msg "Allow local network"
+ log_action_msg "Allow local network"
 $IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT
 $IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
 for ALLOW_INT in $ALLOW_INTS; do
- log_progress_msg "Allow WAN outgoing traffic for interface $ALLOW_INT"
+ log_action_msg "Allow WAN outgoing traffic for interface $ALLOW_INT"
 $IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
 $IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
- log_progress_msg "+ Allow local network"
+ log_action_msg "Allow local network"
 $IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT
 $IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT
 done
 fi
 ## block spoofing
- log_progress_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
+ log_action_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 ## NMAP FIN/URG/PSH
 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
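Review bot: The port-scan `LOG` rule on the last line of the hunk has no `-m limit`, so any remote host can emit one kernel log line per FIN/URG/PSH packet it sends and fill the log at will — the classic LOG-without-limit flood; inserting `-m limit --limit 5/min --limit-burst 10` before `-j LOG` bounds it, and the matching DROP rule presumably follows outside the hunk. Separately, the single `critical_return` after the two WAN rules only inspects the status of the INPUT rule directly above it, so a failure of the OUTPUT rule is masked, and the LAN and ALLOW_INT blocks add their rules with no check at all; a `critical_return` after each `$IPTABLES` line would make the checks match what the log messages claim. start() continues on both sides of this hunk.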
@@ -224,19 +221,19 @@ start()
 $IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 ## stop sync flood
- log_progress_msg "Block Syn flood"
+ log_action_msg "Block Syn flood"
 echo "1" >/proc/sys/net/ipv4/tcp_syncookies
 echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
 if [ $PING == 1 ]; then
- log_progress_msg "PING allowed"
+ log_action_msg "PING allowed"
 iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
 iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
 iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
 fi
 if [ $FTP == 1 ]; then
- log_progress_msg "FTP allowed"
+ log_action_msg "FTP allowed"
 modprobe ip_conntrack_ftp
 $IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
@@ -277,7 +274,7 @@ start()
 ## NAT
 if [ $NAT == 1 ]; then
- log_progress_msg "Activate nat"
+ log_action_msg "Activate nat"
 for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
 $IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP
 fi
@@ -310,7 +307,7 @@ case "$1" in
 if [ -f /etc/network/iptables-save ]; then
 iptables-restore < /etc/network/iptables-save
 else
- log_warning_msg "!! No iptables rules saved please use test and save script options"
+ log_warning_msg "No iptables rules saved please use test and save script options"
 fi
 log_end_msg 0
 ;;
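Review bot: The NAT block under the new `log_action_msg "Activate nat"` loads `nf_nat_ftp`, `nf_nat_irc`, `nf_nat_sip` and `nf_nat_h323` unconditionally; each is a conntrack/NAT helper that parses untrusted WAN payloads in the kernel and, on kernels of this era, attaches itself automatically to every connection on its default port, so any helper the site does not actually use is pure attack surface. Consider loading only the helpers that are needed (the existing `$FTP` switch already says whether `nf_nat_ftp` is wanted) and recording the reason above the `for` line: `# conntrack helpers parse untrusted payloads in-kernel; load only those in use`. The `modprobe` status is also unchecked, so a missing module is not noticed until NATed sessions for that protocol break; the FTP block a few hunks up loads the helper under its legacy name `ip_conntrack_ftp`, which may or may not still resolve as an alias on the target kernel — worth verifying.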
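Review bot: `iptables-restore < /etc/network/iptables-save` is not checked, yet the arm unconditionally ends with `log_end_msg 0`, so a saved file that fails to load (syntax error, a rule needing a module that is not present) reports success while the host is left with whatever rules were already in place. Tying the end message to the restore status closes that gap: `iptables-restore < /etc/network/iptables-save || { log_failure_msg "Could not restore /etc/network/iptables-save"; log_end_msg 1; exit 1; }`. This case arm begins before the hunk.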
@@ -320,24 +317,24 @@ case "$1" in
 log_end_msg 0
 ;;
 test)
- echo "You have 30 seconds to test your new rules"
- log_daemon_msg "Starting new rules"
+ log_action_msg "Testing new rules"
+ log_action_msg "You have 30 seconds to test your new rules"
 start || exit 1
 log_end_msg 0
- echo "... Please test your rules"
+ log_action_msg "... Please test your rules"
 sleep 30
- echo "---- The test is finished ----"
+ log_action_msg "---- The test is finished ----"
 if [ -f /etc/network/iptables-save ]; then
 iptables-restore < /etc/network/iptables-save
- echo "Old rules restored"
+ log_action_msg "Old rules restored"
 else
 stop
- echo "Rules flushed"
+ log_action_msg "Rules flushed"
 fi
- echo "If you are happy with this new rules please use save option"
+ log_action_msg "If you are happy with this new rules please use save option"
 ;;
 save)
- log_daemon_msg "Starting and saving new rules"
+ log_action_msg "Starting and saving new rules"
 start || exit 1
 iptables-save > /etc/network/iptables-save
 log_end_msg 0
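Review bot: The `test` arm's rollback relies on the script staying alive through `sleep 30`, but if the freshly applied rules cut the administrator's SSH session the shell receives SIGHUP and dies during the sleep, before `iptables-restore` or `stop` runs — precisely the lock-out this mode exists to prevent. Ignoring the hangup before `start || exit 1` keeps the rollback reachable, `trap '' HUP`, and an interactive Ctrl-C during the sleep has the same effect and could be routed to the rollback as well. In the `save` arm, `iptables-save > /etc/network/iptables-save` truncates the file before iptables-save has produced anything and its status is not reflected in the following `log_end_msg 0`, so a failed save leaves an empty file that the next `start` loads silently instead of printing the "No iptables rules saved" warning; writing to a temporary file and `mv`-ing it into place only on success avoids that. The enclosing `case` starts before this hunk.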