From: <abe...@us...> - 2011-12-18 23:07:09
Revision: 5316 http://astlinux.svn.sourceforge.net/astlinux/?rev=5316&view=rev Author: abelbeck Date: 2011-12-18 23:07:03 +0000 (Sun, 18 Dec 2011) Log Message: ----------- AIF, version bump to 2.0.1, also implement new AIF 'parse_rule' function in the dyndns-host-open plugin Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial branches/1.0/package/arnofw/dyndns-host-open/50dyndns-host-open.plugin.sh Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2011-12-17 19:33:12 UTC (rev 5315) +++ branches/1.0/package/arnofw/arnofw.mk 2011-12-18 23:07:03 UTC (rev 5316) @@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER:=2.0.0c +ARNOFW_VER:=2.0.1 ARNOFW_ROOT:=arno-iptables-firewall ARNOFW_SOURCE:=$(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz ARNOFW_SITE:=http://rocky.eld.leidenuniv.nl/arno-iptables-firewall Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2011-12-17 19:33:12 UTC (rev 5315) +++ branches/1.0/package/arnofw/arnofw.serial 2011-12-18 23:07:03 UTC (rev 5316) @@ -1 +1 @@ -0002~0012~0000~0000~0000~ +0002~0013~0000~0000~0000~ Modified: branches/1.0/package/arnofw/dyndns-host-open/50dyndns-host-open.plugin.sh =================================================================== --- branches/1.0/package/arnofw/dyndns-host-open/50dyndns-host-open.plugin.sh 2011-12-17 19:33:12 UTC (rev 5315) +++ branches/1.0/package/arnofw/dyndns-host-open/50dyndns-host-open.plugin.sh 2011-12-18 23:07:03 UTC (rev 5316) 
@@ -2,14 +2,14 @@ # -= Arno's iptables firewall - DynDNS Host Open plugin =- # PLUGIN_NAME="DynDNS Host Open plugin" -PLUGIN_VERSION="1.00-astlinux BETA" +PLUGIN_VERSION="1.01-astlinux BETA" PLUGIN_CONF_FILE="dyndns-host-open.conf" # -# Last changed : April 4, 2011 -# Requirements : kernel 2.6 + AIF 2.0.0 or better +# Last changed : December 18, 2011 +# Requirements : kernel 2.6 + AIF 2.0.1 or better # Comments : This implements support to open ports for DynDNS IPv4 hosts # -# Author : (C) Copyright 2008-2011 by Arno van Amersfoort & Lonnie Abelbeck +# Author : (C) Copyright 2008-2012 by Arno van Amersfoort & Lonnie Abelbeck # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l @@ -42,23 +42,21 @@ ########################################## unset IFS for rule in $DYNDNS_HOST_OPEN_TCP; do - interfaces=$(get_ifs "$rule") - destips=$(get_ips "$rule") - hosts=$(get_hosts_ihp "$rule") - ports=$(get_ports_ihp "$rule") + if parse_rule "$rule" DYNDNS_HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then - echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports" - - IFS=',' - for host in $hosts; do - for port in $ports; do - for destip in $destips; do - for interface in $interfaces; do - echo "-A DYNDNS_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port -j ACCEPT" >> "$rules_file" + echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports" + + IFS=',' + for host in $hosts; do + for port in $ports; do + for destip in $destips; do + for interface in $interfaces; do + echo "-A DYNDNS_CHAIN -i $interface -s $host -d $destip -p tcp --dport $port -j ACCEPT" >> "$rules_file" + done done done done - done + fi done 
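Review bot: When `parse_rule` returns non-zero, the rule is dropped without any message at the new `if parse_rule "$rule" DYNDNS_HOST_OPEN_TCP ... then` — there is no `else` branch — and the UDP, IP and ICMP hunks that follow have exactly the same shape. If `parse_rule` does not itself report the malformed entry (its definition is not on this page), a typo in DYNDNS_HOST_OPEN_TCP silently leaves that host closed, which is the safe direction but hard to diagnose from the firewall output. Adding `else echo "${INDENT}WARNING: Skipping invalid rule \"$rule\" in DYNDNS_HOST_OPEN_TCP" >&2` before the `fi` (and the matching variable name in the other three loops) makes the skip visible. `$interface`, `$host`, `$destip` and `$port` are still written unquoted into `$rules_file`; they come from the administrator's config via `parse_rule`, so this only matters if that file is ever generated from another source.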
@@ -66,23 +64,21 @@ ########################################## unset IFS for rule in $DYNDNS_HOST_OPEN_UDP; do - interfaces=$(get_ifs "$rule") - destips=$(get_ips "$rule") - hosts=$(get_hosts_ihp "$rule") - ports=$(get_ports_ihp "$rule") + if parse_rule "$rule" DYNDNS_HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then - echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports" - - IFS=',' - for host in $hosts; do - for port in $ports; do - for destip in $destips; do - for interface in $interfaces; do - echo "-A DYNDNS_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j ACCEPT" >> "$rules_file" + echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports" + + IFS=',' + for host in $hosts; do + for port in $ports; do + for destip in $destips; do + for interface in $interfaces; do + echo "-A DYNDNS_CHAIN -i $interface -s $host -d $destip -p udp --dport $port -j ACCEPT" >> "$rules_file" + done done done done - done + fi done 
@@ -90,23 +86,21 @@ ############################################# unset IFS for rule in $DYNDNS_HOST_OPEN_IP; do - interfaces=$(get_ifs "$rule") - destips=$(get_ips "$rule") - hosts=$(get_hosts_ihp "$rule") - protos=$(get_ports_ihp "$rule") + if parse_rule "$rule" DYNDNS_HOST_OPEN_IP "interfaces-destips-hosts-protos"; then - echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos" - - IFS=',' - for host in $hosts; do - for proto in $protos; do - for destip in $destips; do - for interface in $interfaces; do - echo "-A DYNDNS_CHAIN -i $interface -s $host -d $destip -p $proto -j ACCEPT" >> "$rules_file" + echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos" + + IFS=',' + for host in $hosts; do + for proto in $protos; do + for destip in $destips; do + for interface in $interfaces; do + echo "-A DYNDNS_CHAIN -i $interface -s $host -d $destip -p $proto -j ACCEPT" >> "$rules_file" + done done done done - done + fi done 
@@ -114,20 +108,19 @@ ##################################### unset IFS for rule in $DYNDNS_HOST_OPEN_ICMP; do - interfaces=$(get_ifs "$rule") - destips=$(get_ips "$rule") - hosts=$(get_hosts_ih "$rule") + if parse_rule "$rule" DYNDNS_HOST_OPEN_ICMP "interfaces-destips-hosts"; then - echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)" - - IFS=',' - for host in $hosts; do - for destip in $destips; do - for interface in $interfaces; do - echo "-A DYNDNS_CHAIN -i $interface -s $host -d $destip -p icmp --icmp-type echo-request -j ACCEPT" >> "$rules_file" + echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)" + + IFS=',' + for host in $hosts; do + for destip in $destips; do + for interface in $interfaces; do + echo "-A DYNDNS_CHAIN -i $interface -s $host -d $destip -p icmp --icmp-type echo-request -j ACCEPT" >> "$rules_file" + done done done - done + fi done unset IFS This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2012-03-18 00:27:14
Revision: 5487 http://astlinux.svn.sourceforge.net/astlinux/?rev=5487&view=rev Author: abelbeck Date: 2012-03-18 00:27:07 +0000 (Sun, 18 Mar 2012) Log Message: ----------- AIF, version bump to 2.0.1b Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2012-03-17 19:01:37 UTC (rev 5486) +++ branches/1.0/package/arnofw/arnofw.mk 2012-03-18 00:27:07 UTC (rev 5487) @@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER:=2.0.1 +ARNOFW_VER:=2.0.1b ARNOFW_ROOT:=arno-iptables-firewall ARNOFW_SOURCE:=$(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz ARNOFW_SITE:=http://rocky.eld.leidenuniv.nl/arno-iptables-firewall @@ -75,6 +75,8 @@ rm -f $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/??traffic-accounting.plugin \ $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/traffic-accounting-* \ $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/traffic-accounting.conf + rm -f $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/??rpc.plugin \ + $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/rpc.conf @echo @echo "Clobber the config files from the tarball with our shim-friendly versions." @echo Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2012-03-17 19:01:37 UTC (rev 5486) +++ branches/1.0/package/arnofw/arnofw.serial 2012-03-18 00:27:07 UTC (rev 5487) @@ -1 +1 @@ -0002~0013~0000~0000~0000~ +0002~0014~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
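Review bot: The two new `rm -f` lines that strip `??rpc.plugin` and `rpc.conf` from the target tree carry no comment saying why the upstream rpc plugin is excluded, while the rest of this recipe explains itself only through its `@echo` lines. A one-line comment above the new `rm -f`, such as `# Drop the upstream rpc plugin: <reason>` with the actual motivation filled in, would spare the next maintainer a trip through history. The recipe's rule header is outside the hunk.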
From: <abe...@us...> - 2012-06-29 20:15:58
Revision: 5582 http://astlinux.svn.sourceforge.net/astlinux/?rev=5582&view=rev Author: abelbeck Date: 2012-06-29 20:15:51 +0000 (Fri, 29 Jun 2012) Log Message: ----------- AIF, version bump to 2.0.1c Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-revision-639.patch Deleted: branches/1.0/package/arnofw/arnofw-revision-639.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-revision-639.patch 2012-06-29 16:36:35 UTC (rev 5581) +++ branches/1.0/package/arnofw/arnofw-revision-639.patch 2012-06-29 20:15:51 UTC (rev 5582) @@ -1,16 +0,0 @@ ---- arno-iptables-firewall_2.0.1b/bin/arno-iptables-firewall.orig (revision 638) -+++ arno-iptables-firewall_2.0.1b/bin/arno-iptables-firewall (revision 639) -@@ -1307,12 +1307,13 @@ - # Allow to send ICMP packets? - ############################# - if [ "$DMZ_OPEN_ICMP" != "0" ]; then - echo " Allowing ICMP-requests(ping)" - iptables -A DMZ_INPUT_CHAIN -p icmp --icmp-type echo-request -m limit --limit 20/second --limit-burst 100 -j ACCEPT - if [ "$IPV6_SUPPORT" = "1" ]; then -+ unset IFS - for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do - ip6tables -A DMZ_INPUT_CHAIN -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT - done - fi - fi - Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2012-06-29 16:36:35 UTC (rev 5581) +++ branches/1.0/package/arnofw/arnofw.mk 2012-06-29 20:15:51 UTC (rev 5582) 
@@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER:=2.0.1b +ARNOFW_VER:=2.0.1c ARNOFW_ROOT:=arno-iptables-firewall ARNOFW_SOURCE:=$(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz ARNOFW_SITE:=http://rocky.eld.leidenuniv.nl/arno-iptables-firewall This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2012-07-06 13:39:43
Revision: 5593 http://astlinux.svn.sourceforge.net/astlinux/?rev=5593&view=rev Author: abelbeck Date: 2012-07-06 13:39:37 +0000 (Fri, 06 Jul 2012) Log Message: ----------- AIF, add upstream patch r647 and adjust miniupnpd.plugin to not flush MINIUPNPD iptables nat table rules when AIF is restarted Revision Links: -------------- http://astlinux.svn.sourceforge.net/astlinux/?rev=647&view=rev Modified Paths: -------------- branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh Added Paths: ----------- branches/1.0/package/arnofw/arnofw-revision-647.patch Added: branches/1.0/package/arnofw/arnofw-revision-647.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-revision-647.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-revision-647.patch 2012-07-06 13:39:37 UTC (rev 5593) @@ -0,0 +1,18 @@ +--- arno-iptables-firewall_2.0.1c/bin/arno-iptables-firewall.orig ++++ arno-iptables-firewall_2.0.1c/bin/arno-iptables-firewall +@@ -5128,9 +5128,13 @@ + ip4tables -F OUTPUT + ip4tables -F FORWARD + +- # Flush rules in the nat/mangle tables ++ # Flush builtin IPv4 nat chains ++ ip4tables -t nat -F PREROUTING ++ ip4tables -t nat -F OUTPUT ++ ip4tables -t nat -F POSTROUTING ++ ++ # Flush rules in the mangle table + ip4tables -t mangle -F +- ip4tables -t nat -F + + if [ "$IPV6_DETECTED" = "1" ]; then + # Flush builtin IPv6 chains Modified: branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh =================================================================== --- branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh 2012-07-05 21:53:14 UTC (rev 5592) +++ branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh 2012-07-06 13:39:37 UTC (rev 5593) 
@@ -5,7 +5,7 @@ PLUGIN_VERSION="1.0" PLUGIN_CONF_FILE="miniupnpd.conf" # -# Last changed : July 4, 2012 +# Last changed : July 6, 2012 # Requirements : AIF 2.0.0+ with miniupnpd daemon # Comments : Setup of the iptables chains that the miniupnpd daemon manages # @@ -33,21 +33,15 @@ # Plugin start function plugin_start() { - local IFS - ip4tables -t nat -N MINIUPNPD 2>/dev/null ip4tables -t nat -F MINIUPNPD ip4tables -N MINIUPNPD 2>/dev/null ip4tables -F MINIUPNPD - IFS=' ,' - for eif in $EXT_IF; do - ip4tables -t nat -A POST_NAT_PREROUTING_CHAIN -i $eif -j MINIUPNPD + # Connect both MINIUPNPD chains + plugin_restart - ip4tables -A POST_FORWARD_CHAIN -i $eif ! -o $eif -j MINIUPNPD - done - return 0 } @@ -55,10 +49,18 @@ # Plugin restart function plugin_restart() { + local eif IFS # Skip plugin_stop on a restart - plugin_start + # Reconnect both MINIUPNPD chains, flushed on a restart + IFS=' ,' + for eif in $EXT_IF; do + ip4tables -t nat -A POST_NAT_PREROUTING_CHAIN -i $eif -j MINIUPNPD + + ip4tables -A POST_FORWARD_CHAIN -i $eif ! -o $eif -j MINIUPNPD + done + return 0 } @@ -66,7 +68,7 @@ # Plugin stop function plugin_stop() { - local IFS + local eif IFS IFS=' ,' for eif in $EXT_IF; do This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
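Review bot: `plugin_restart` now appends the `-j MINIUPNPD` jump rules itself, but chain creation (`ip4tables -t nat -N MINIUPNPD 2>/dev/null` and `ip4tables -N MINIUPNPD 2>/dev/null`) remains only in `plugin_start`, so on a restart the function assumes both chains already exist. If they do not — for example after an earlier stop deleted them; `plugin_stop`'s body is outside the hunk, so I cannot confirm what it removes — each `-A ... -j MINIUPNPD` fails, and since their status is not checked the function still returns 0 and the firewall reports success. Either repeat the two idempotent `-N ... 2>/dev/null` lines at the top of `plugin_restart`, or record the precondition in its header comment, e.g. `# Assumes both MINIUPNPD chains exist (created by plugin_start); only the jump rules are re-added here`.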
From: <abe...@us...> - 2012-07-18 16:23:54
Revision: 5617 http://astlinux.svn.sourceforge.net/astlinux/?rev=5617&view=rev Author: abelbeck Date: 2012-07-18 16:23:48 +0000 (Wed, 18 Jul 2012) Log Message: ----------- AIF, include upstream rev. 650 patch, adding non-automatic default policy support https://rocky.eld.leidenuniv.nl/trac/aif/changeset/650/ Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.serial Added Paths: ----------- branches/1.0/package/arnofw/arnofw-revision-650.patch Added: branches/1.0/package/arnofw/arnofw-revision-650.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-revision-650.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-revision-650.patch 2012-07-18 16:23:48 UTC (rev 5617) 
@@ -0,0 +1,110 @@ +--- arno-iptables-firewall_2.0.1c/bin/arno-iptables-firewall.orig ++++ arno-iptables-firewall_2.0.1c/bin/arno-iptables-firewall +@@ -2005,13 +2005,14 @@ + iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP + + # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used) + ########################################################################################### + if [ -z "$DMZ_INET_OPEN_TCP" -a -z "$DMZ_INET_HOST_OPEN_TCP" -a \ + -z "$DMZ_INET_OPEN_UDP" -a -z "$DMZ_INET_HOST_OPEN_UDP" -a \ +- -z "$DMZ_INET_OPEN_IP" -a -z "$DMZ_INET_HOST_OPEN_IP" ]; then ++ -z "$DMZ_INET_OPEN_IP" -a -z "$DMZ_INET_HOST_OPEN_IP" -a -z "$DMZ_INET_DEFAULT_POLICY_DROP" ] \ ++ || [ "$DMZ_INET_DEFAULT_POLICY_DROP" = "0" ]; then + echo " Allowing all (other) ports/protocols" + iptables -A DMZ_INET_FORWARD_CHAIN -j ACCEPT + else + if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then + iptables -A DMZ_INET_FORWARD_CHAIN -p tcp -m limit \ + --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: " +@@ -2231,13 +2232,14 @@ + iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP + + # Set the default policy + ######################## + if [ -z "$LAN_OPEN_TCP" -a -z "$LAN_HOST_OPEN_TCP" -a \ + -z "$LAN_OPEN_UDP" -a -z "$LAN_HOST_OPEN_UDP" -a \ +- -z "$LAN_OPEN_IP" -a -z "$LAN_HOST_OPEN_IP" ]; then ++ -z "$LAN_OPEN_IP" -a -z "$LAN_HOST_OPEN_IP" -a -z "$LAN_DEFAULT_POLICY_DROP" ] \ ++ || [ "$LAN_DEFAULT_POLICY_DROP" = "0" ]; then + echo " Allowing all (other) ports/protocols" + iptables -A INT_INPUT_CHAIN -j ACCEPT + else + echo " Denying all (other) ports/protocols" + if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then + iptables -A INT_INPUT_CHAIN -m limit \ +@@ -2526,13 +2528,14 @@ + iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP + + # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used) + 
########################################################################################### + if [ -z "$LAN_INET_OPEN_TCP" -a -z "$LAN_INET_HOST_OPEN_TCP" -a \ + -z "$LAN_INET_OPEN_UDP" -a -z "$LAN_INET_HOST_OPEN_UDP" -a \ +- -z "$LAN_INET_OPEN_IP" -a -z "$LAN_INET_HOST_OPEN_IP" ]; then ++ -z "$LAN_INET_OPEN_IP" -a -z "$LAN_INET_HOST_OPEN_IP" -a -z "$LAN_INET_DEFAULT_POLICY_DROP" ] \ ++ || [ "$LAN_INET_DEFAULT_POLICY_DROP" = "0" ]; then + echo " Allowing all (other) ports/protocols" + iptables -A LAN_INET_FORWARD_CHAIN -j ACCEPT + else + if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then + iptables -A LAN_INET_FORWARD_CHAIN -p tcp -m limit \ + --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: " +--- arno-iptables-firewall_2.0.1c/etc/arno-iptables-firewall/firewall.conf.orig ++++ arno-iptables-firewall_2.0.1c/etc/arno-iptables-firewall/firewall.conf +@@ -638,12 +638,18 @@ + # # + # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the # + # default policy for this chain is accept (unless denied through # + # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! # + ############################################################################### + ++# Disable this (set to "") to automatically set default policy as above. ++# When set to "1" the LAN->localhost default policy will always be DROP ++# When set to "0" the LAN->localhost default policy will always be ACCEPT ++# ----------------------------------------------------------------------------- ++LAN_DEFAULT_POLICY_DROP="" ++ + # Enable this to allow for ICMP-requests(ping) from your LAN + # ----------------------------------------------------------------------------- + LAN_OPEN_ICMP=1 + + # Put in the following variables the TCP/UDP ports or IP protocols TO + # (remote end-point) which the LAN hosts are permitted to connect to. 
+@@ -691,12 +697,18 @@ + # LAN_INET_xxx = LAN->internet access rules (forward) # + # # + # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are # + # NOT used, the default policy will be accept for LAN->INET (unless denied # + # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! # + ############################################################################### ++ ++# Disable this (set to "") to automatically set default policy as above. ++# When set to "1" the LAN->INET default policy will always be DROP ++# When set to "0" the LAN->INET default policy will always be ACCEPT ++# ----------------------------------------------------------------------------- ++LAN_INET_DEFAULT_POLICY_DROP="" + + # Enable this to allow for ICMP-requests(ping) for LAN->INET + # ----------------------------------------------------------------------------- + LAN_INET_OPEN_ICMP=1 + + # Put in the following variables the TCP/UDP ports or IP +@@ -899,12 +911,18 @@ + # # + # Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are # + # NOT used, the default policy will be accept for DMZ->INET (unless denied # + # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! # + ############################################################################### + ++# Disable this (set to "") to automatically set default policy as above. 
++# When set to "1" the DMZ->INET default policy will always be DROP ++# When set to "0" the DMZ->INET default policy will always be ACCEPT ++# ----------------------------------------------------------------------------- ++DMZ_INET_DEFAULT_POLICY_DROP="" ++ + # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET + # ----------------------------------------------------------------------------- + DMZ_INET_OPEN_ICMP=1 + + # Put in the following variables the TCP/UDP ports or IP + # protocols TO (remote end-point) which the DMZ hosts are + Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2012-07-17 23:04:18 UTC (rev 5616) +++ branches/1.0/package/arnofw/arnofw.serial 2012-07-18 16:23:48 UTC (rev 5617) @@ -1 +1 @@ -0002~0015~0000~0000~0000~ +0002~0016~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
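Review bot: In the added patch the new `*_DEFAULT_POLICY_DROP` tests are a three-way switch only by the shape of the expression: the chain is ACCEPT when the variable is empty and no OPEN rule is set, or when it is exactly `"0"`; any other non-empty value — `"1"`, but equally `"yes"` or a typo — lands in the DROP branch. That is fail-closed, which is the right default, but the firewall.conf comments describe only `""`, `"1"` and `"0"`. Since this file mirrors upstream changeset 650 verbatim, a short addition to the local config comment, e.g. `# Any value other than "" or "0" is treated as "1" (DROP)`, keeps the documented contract accurate without diverging from upstream code.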
From: <abe...@us...> - 2012-10-28 21:00:35
Revision: 5725 http://astlinux.svn.sourceforge.net/astlinux/?rev=5725&view=rev Author: abelbeck Date: 2012-10-28 21:00:24 +0000 (Sun, 28 Oct 2012) Log Message: ----------- arnofw, add openvpn-server plugin Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial Added Paths: ----------- branches/1.0/package/arnofw/openvpn-server/ branches/1.0/package/arnofw/openvpn-server/50openvpn-server.plugin.sh branches/1.0/package/arnofw/openvpn-server/openvpn-server-astlinux.conf Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2012-10-28 19:49:31 UTC (rev 5724) +++ branches/1.0/package/arnofw/arnofw.mk 2012-10-28 21:00:24 UTC (rev 5725) @@ -112,6 +112,13 @@ $(INSTALL) -m 0644 package/arnofw/traffic-shaper/traffic-shaper-astlinux.conf \ $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/traffic-shaper.conf @echo + @echo "Install local version of OpenVPN Server plugin." + @echo + $(INSTALL) -m 0644 package/arnofw/openvpn-server/50openvpn-server.plugin.sh \ + $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/50openvpn-server.plugin + $(INSTALL) -m 0644 package/arnofw/openvpn-server/openvpn-server-astlinux.conf \ + $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/openvpn-server.conf + @echo @echo "Install local version of PPTP VPN plugin." @echo $(INSTALL) -m 0644 package/arnofw/pptp-vpn/50pptp-vpn.plugin.sh \ Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2012-10-28 19:49:31 UTC (rev 5724) +++ branches/1.0/package/arnofw/arnofw.serial 2012-10-28 21:00:24 UTC (rev 5725) 
@@ -1 +1 @@ -0002~0016~0000~0000~0000~ +0002~0017~0000~0000~0000~ Added: branches/1.0/package/arnofw/openvpn-server/50openvpn-server.plugin.sh =================================================================== --- branches/1.0/package/arnofw/openvpn-server/50openvpn-server.plugin.sh (rev 0) +++ branches/1.0/package/arnofw/openvpn-server/50openvpn-server.plugin.sh 2012-10-28 21:00:24 UTC (rev 5725) 
@@ -0,0 +1,137 @@ +# ------------------------------------------------------------------------------ +# -= Arno's iptables firewall - OpenVPN Server plugin =- +# +PLUGIN_NAME="OpenVPN Server plugin" +PLUGIN_VERSION="1.00 BETA" +PLUGIN_CONF_FILE="openvpn-server.conf" +# +# Last changed : October 28, 2012 +# Requirements : AIF 2.0.0+ +# Comments : This plugin allows access to an OpenVPN Server. +# +# Author : (C) Copyright 2012 by Lonnie Abelbeck & Arno van Amersfoort +# Homepage : http://rocky.eld.leidenuniv.nl/ +# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 +# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l +# (note: you must remove all spaces and substitute the @ and the . +# at the proper locations!) +# ------------------------------------------------------------------------------ +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
+# ------------------------------------------------------------------------------ + +# Plugin start function +plugin_start() +{ + local host proto port IFS + + if [ -z "$OPENVPN_SERVER_TUNNEL_HOSTS" ]; then + OPENVPN_SERVER_TUNNEL_HOSTS="0/0" + fi + + echo "${INDENT}Allowing internet hosts $OPENVPN_SERVER_TUNNEL_HOSTS to access the OpenVPN Server service" + port="$OPENVPN_SERVER_PORT" + case $OPENVPN_SERVER_PROTOCOL in + udp|UDP) proto="udp" ;; + tcp*|TCP*) proto="tcp" ;; + esac + IFS=' ,' + for host in $(ip_range "$OPENVPN_SERVER_TUNNEL_HOSTS"); do + iptables -A EXT_INPUT_CHAIN -p $proto --dport $port -s $host -j ACCEPT + done + + return 0 +} + + +# Plugin restart function +plugin_restart() +{ + + # Skip plugin_stop on a restart + plugin_start + + return 0 +} + + +# Plugin stop function +plugin_stop() +{ + + return 0 +} + + +# Plugin status function +plugin_status() +{ + return 0 +} + + +# Check sanity of eg. environment +plugin_sanity_check() +{ + # Sanity check + if [ -z "$OPENVPN_SERVER_PORT" -o -z "$OPENVPN_SERVER_PROTOCOL" ]; then + printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2 + return 1 + fi + + return 0 +} + + +############ +# Mainline # +############ + +# Check where to find the config file +CONF_FILE="" +if [ -n "$PLUGIN_CONF_PATH" ]; then + CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" +fi + +# Check if the config file exists +if [ ! -e "$CONF_FILE" ]; then + printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 + PLUGIN_RET_VAL=0 +else + # Source the plugin config file + . 
"$CONF_FILE" + + if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || + [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || + [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || + [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then + # Show who we are: + echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" + + # Increment indention + INDENT="$INDENT " + + # Only proceed if environment ok + if plugin_sanity_check; then + case $PLUGIN_CMD in + start|'') plugin_start; PLUGIN_RET_VAL=$?;; + restart ) plugin_restart; PLUGIN_RET_VAL=$?;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;; + status ) plugin_status; PLUGIN_RET_VAL=$?;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + esac + fi + else + PLUGIN_RET_VAL=0 + fi +fi Added: branches/1.0/package/arnofw/openvpn-server/openvpn-server-astlinux.conf =================================================================== --- branches/1.0/package/arnofw/openvpn-server/openvpn-server-astlinux.conf (rev 0) +++ branches/1.0/package/arnofw/openvpn-server/openvpn-server-astlinux.conf 2012-10-28 21:00:24 UTC (rev 5725) 
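Review bot: The `case $OPENVPN_SERVER_PROTOCOL in` in `plugin_start` has no default arm, so a value matching neither `udp|UDP` nor `tcp*|TCP*` leaves `$proto` empty and every `iptables -A EXT_INPUT_CHAIN -p $proto --dport $port -s $host -j ACCEPT` in the loop is malformed; the failure surfaces only on iptables' own stderr and the function still returns 0. `plugin_sanity_check` only tests that the variable is non-empty, so the check belongs there or as a `*)` arm: `*) echo "${INDENT}ERROR: Unsupported OPENVPN_SERVER_PROTOCOL \"$OPENVPN_SERVER_PROTOCOL\"" >&2; return 1 ;;`. It is also worth stating in the header comment that an empty OPENVPN_SERVER_TUNNEL_HOSTS is widened to `0/0`, i.e. the port is opened to every internet host, since that default is currently discoverable only from the code.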
@@ -0,0 +1,34 @@ +# ------------------------------------------------------------------------------ +# -= Arno's iptables firewall - OpenVPN Server plugin =- +# ------------------------------------------------------------------------------ + +# To actually enable this plugin make ENABLED=1: +# ------------------------------------------------------------------------------ +# Automatically enabled when AstLinux OpenVPN Server is enabled. +ENABLED=0 + +# ------------------------------------------------------------------------------ +# *** Do Not Edit Below Here *** +# AstLinux specific mappings, either edit your /mnt/kd/rc.conf file +# or, use Network tab -> OpenVPN Server - [OpenVPN Configuration] +# from the web interface. +# ------------------------------------------------------------------------------ +# Indent script section so script variables won't be merged + + ENABLED=0 + OPENVPN_SERVER_PORT="$OVPN_PORT" + OPENVPN_SERVER_PROTOCOL="$OVPN_PROTOCOL" + OPENVPN_SERVER_TUNNEL_HOSTS="$OVPN_TUNNEL_HOSTS" + vpntype_openvpn=0 + + unset IFS + for vpntype in $VPN; do + case $vpntype in + openvpn) vpntype_openvpn=1 ;; + esac + done + + if [ $vpntype_openvpn -eq 1 ]; then + ENABLED=1 + fi + This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
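Review bot: The top of the file tells the user `To actually enable this plugin make ENABLED=1`, but the indented section below `*** Do Not Edit Below Here ***` unconditionally resets `ENABLED=0` and then derives it from `$VPN`, so the first `ENABLED=0` has no effect and editing it does nothing. The comment above it should say so, e.g. `# Do not edit: ENABLED is derived from the AstLinux VPN setting below`. The helper variables `vpntype` and `vpntype_openvpn` remain in the sourcing shell's namespace after the file is read; harmless as far as this page shows, but an `unset vpntype vpntype_openvpn` at the end would keep the plugin's environment clean.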
From: <abe...@us...> - 2012-11-18 23:57:20
Revision: 5767 http://astlinux.svn.sourceforge.net/astlinux/?rev=5767&view=rev Author: abelbeck Date: 2012-11-18 23:57:13 +0000 (Sun, 18 Nov 2012) Log Message: ----------- arnofw, version bump to 2.0.1d. Note: 2.0.1d has been officially tagged, but Arno has not yet built the official image, so files.astlinux.org hosts it for now Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-revision-647.patch branches/1.0/package/arnofw/arnofw-revision-650.patch branches/1.0/package/arnofw/arnofw-revision-676.patch Deleted: branches/1.0/package/arnofw/arnofw-revision-647.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-revision-647.patch 2012-11-15 00:13:50 UTC (rev 5766) +++ branches/1.0/package/arnofw/arnofw-revision-647.patch 2012-11-18 23:57:13 UTC (rev 5767) @@ -1,18 +0,0 @@ ---- arno-iptables-firewall_2.0.1c/bin/arno-iptables-firewall.orig -+++ arno-iptables-firewall_2.0.1c/bin/arno-iptables-firewall -@@ -5128,9 +5128,13 @@ - ip4tables -F OUTPUT - ip4tables -F FORWARD - -- # Flush rules in the nat/mangle tables -+ # Flush builtin IPv4 nat chains -+ ip4tables -t nat -F PREROUTING -+ ip4tables -t nat -F OUTPUT -+ ip4tables -t nat -F POSTROUTING -+ -+ # Flush rules in the mangle table - ip4tables -t mangle -F -- ip4tables -t nat -F - - if [ "$IPV6_DETECTED" = "1" ]; then - # Flush builtin IPv6 chains Deleted: branches/1.0/package/arnofw/arnofw-revision-650.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-revision-650.patch 2012-11-15 00:13:50 UTC (rev 5766) +++ branches/1.0/package/arnofw/arnofw-revision-650.patch 2012-11-18 23:57:13 UTC (rev 5767) 
@@ -1,110 +0,0 @@ ---- arno-iptables-firewall_2.0.1c/bin/arno-iptables-firewall.orig -+++ arno-iptables-firewall_2.0.1c/bin/arno-iptables-firewall -@@ -2005,13 +2005,14 @@ - iptables -A DMZ_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP - - # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used) - ########################################################################################### - if [ -z "$DMZ_INET_OPEN_TCP" -a -z "$DMZ_INET_HOST_OPEN_TCP" -a \ - -z "$DMZ_INET_OPEN_UDP" -a -z "$DMZ_INET_HOST_OPEN_UDP" -a \ -- -z "$DMZ_INET_OPEN_IP" -a -z "$DMZ_INET_HOST_OPEN_IP" ]; then -+ -z "$DMZ_INET_OPEN_IP" -a -z "$DMZ_INET_HOST_OPEN_IP" -a -z "$DMZ_INET_DEFAULT_POLICY_DROP" ] \ -+ || [ "$DMZ_INET_DEFAULT_POLICY_DROP" = "0" ]; then - echo " Allowing all (other) ports/protocols" - iptables -A DMZ_INET_FORWARD_CHAIN -j ACCEPT - else - if [ "$DMZ_OUTPUT_DENY_LOG" != "0" ]; then - iptables -A DMZ_INET_FORWARD_CHAIN -p tcp -m limit \ - --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:DMZ->INET denied: " -@@ -2231,13 +2232,14 @@ - iptables -A INT_INPUT_CHAIN -p icmp --icmp-type echo-request -j DROP - - # Set the default policy - ######################## - if [ -z "$LAN_OPEN_TCP" -a -z "$LAN_HOST_OPEN_TCP" -a \ - -z "$LAN_OPEN_UDP" -a -z "$LAN_HOST_OPEN_UDP" -a \ -- -z "$LAN_OPEN_IP" -a -z "$LAN_HOST_OPEN_IP" ]; then -+ -z "$LAN_OPEN_IP" -a -z "$LAN_HOST_OPEN_IP" -a -z "$LAN_DEFAULT_POLICY_DROP" ] \ -+ || [ "$LAN_DEFAULT_POLICY_DROP" = "0" ]; then - echo " Allowing all (other) ports/protocols" - iptables -A INT_INPUT_CHAIN -j ACCEPT - else - echo " Denying all (other) ports/protocols" - if [ "$LAN_INPUT_DENY_LOG" != "0" ]; then - iptables -A INT_INPUT_CHAIN -m limit \ -@@ -2526,13 +2528,14 @@ - iptables -A LAN_INET_FORWARD_CHAIN -p icmp --icmp-type echo-request -j DROP - - # Set the default policy (switch to DROP for a protocol when xxx_OPEN_xxx variable is used) - 
########################################################################################### - if [ -z "$LAN_INET_OPEN_TCP" -a -z "$LAN_INET_HOST_OPEN_TCP" -a \ - -z "$LAN_INET_OPEN_UDP" -a -z "$LAN_INET_HOST_OPEN_UDP" -a \ -- -z "$LAN_INET_OPEN_IP" -a -z "$LAN_INET_HOST_OPEN_IP" ]; then -+ -z "$LAN_INET_OPEN_IP" -a -z "$LAN_INET_HOST_OPEN_IP" -a -z "$LAN_INET_DEFAULT_POLICY_DROP" ] \ -+ || [ "$LAN_INET_DEFAULT_POLICY_DROP" = "0" ]; then - echo " Allowing all (other) ports/protocols" - iptables -A LAN_INET_FORWARD_CHAIN -j ACCEPT - else - if [ "$LAN_OUTPUT_DENY_LOG" != "0" ]; then - iptables -A LAN_INET_FORWARD_CHAIN -p tcp -m limit \ - --limit 1/s --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "AIF:LAN->INET denied: " ---- arno-iptables-firewall_2.0.1c/etc/arno-iptables-firewall/firewall.conf.orig -+++ arno-iptables-firewall_2.0.1c/etc/arno-iptables-firewall/firewall.conf -@@ -638,12 +638,18 @@ - # # - # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the # - # default policy for this chain is accept (unless denied through # - # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! # - ############################################################################### - -+# Disable this (set to "") to automatically set default policy as above. -+# When set to "1" the LAN->localhost default policy will always be DROP -+# When set to "0" the LAN->localhost default policy will always be ACCEPT -+# ----------------------------------------------------------------------------- -+LAN_DEFAULT_POLICY_DROP="" -+ - # Enable this to allow for ICMP-requests(ping) from your LAN - # ----------------------------------------------------------------------------- - LAN_OPEN_ICMP=1 - - # Put in the following variables the TCP/UDP ports or IP protocols TO - # (remote end-point) which the LAN hosts are permitted to connect to. 
-@@ -691,12 +697,18 @@ - # LAN_INET_xxx = LAN->internet access rules (forward) # - # # - # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are # - # NOT used, the default policy will be accept for LAN->INET (unless denied # - # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! # - ############################################################################### -+ -+# Disable this (set to "") to automatically set default policy as above. -+# When set to "1" the LAN->INET default policy will always be DROP -+# When set to "0" the LAN->INET default policy will always be ACCEPT -+# ----------------------------------------------------------------------------- -+LAN_INET_DEFAULT_POLICY_DROP="" - - # Enable this to allow for ICMP-requests(ping) for LAN->INET - # ----------------------------------------------------------------------------- - LAN_INET_OPEN_ICMP=1 - - # Put in the following variables the TCP/UDP ports or IP -@@ -899,12 +911,18 @@ - # # - # Note that when the DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx variables are # - # NOT used, the default policy will be accept for DMZ->INET (unless denied # - # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! # - ############################################################################### - -+# Disable this (set to "") to automatically set default policy as above. 
-+# When set to "1" the DMZ->INET default policy will always be DROP -+# When set to "0" the DMZ->INET default policy will always be ACCEPT -+# ----------------------------------------------------------------------------- -+DMZ_INET_DEFAULT_POLICY_DROP="" -+ - # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET - # ----------------------------------------------------------------------------- - DMZ_INET_OPEN_ICMP=1 - - # Put in the following variables the TCP/UDP ports or IP - # protocols TO (remote end-point) which the DMZ hosts are - Deleted: branches/1.0/package/arnofw/arnofw-revision-676.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-revision-676.patch 2012-11-15 00:13:50 UTC (rev 5766) +++ branches/1.0/package/arnofw/arnofw-revision-676.patch 2012-11-18 23:57:13 UTC (rev 5767) 
@@ -1,43 +0,0 @@ ---- arno-iptables-firewall_2.0.1c/share/arno-iptables-firewall/environment.orig -+++ arno-iptables-firewall_2.0.1c/share/arno-iptables-firewall/environment -@@ -307,13 +307,19 @@ - # Show any (error) messages in red - printf "\033[40m\033[1;31m${IP4TABLES} $*\nERROR ($retval): ${result}\033[0m\n" >&2 - if note_iptables_error "$@"; then - RULE_WARNING=1 - fi - elif [ -n "$result" ]; then -- echo "${INDENT}$result" -+ # Filter successful, informational results -+ case "$result" in -+ 'WARNING: '*' match is obsolete'*) -+ ;; -+ *) echo "${INDENT}$result" -+ ;; -+ esac - fi - - return $retval - } - - -@@ -328,13 +334,19 @@ - # Show any (error) messages in red - printf "\033[40m\033[1;31m${IP6TABLES} $*\nERROR ($retval): ${result}\033[0m\n" >&2 - if note_iptables_error "$@"; then - RULE_WARNING=1 - fi - elif [ -n "$result" ]; then -- echo "${INDENT}$result" -+ # Filter successful, informational results -+ case "$result" in -+ 'WARNING: '*' match is obsolete'*) -+ ;; -+ *) echo "${INDENT}$result" -+ ;; -+ esac - fi - - return $retval - } - Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2012-11-15 00:13:50 UTC (rev 5766) +++ branches/1.0/package/arnofw/arnofw.mk 2012-11-18 23:57:13 UTC (rev 5767) 
@@ -3,11 +3,11 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER:=2.0.1c +ARNOFW_VER:=2.0.1d ARNOFW_ROOT:=arno-iptables-firewall ARNOFW_SOURCE:=$(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz -ARNOFW_SITE:=http://rocky.eld.leidenuniv.nl/arno-iptables-firewall -#ARNOFW_SITE:=http://lonnie.abelbeck.com/astlinux/aif +#ARNOFW_SITE:=http://rocky.eld.leidenuniv.nl/arno-iptables-firewall +ARNOFW_SITE:=http://files.astlinux.org ARNOFW_DIR:=$(BUILD_DIR)/$(ARNOFW_ROOT)_$(ARNOFW_VER) ARNOFW_CAT:=zcat ARNOFW_TARGET_BINARY:=/usr/sbin/arno-iptables-firewall Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2012-11-15 00:13:50 UTC (rev 5766) +++ branches/1.0/package/arnofw/arnofw.serial 2012-11-18 23:57:13 UTC (rev 5767) @@ -1 +1 @@ -0002~0017~0000~0000~0000~ +0002~0018~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2013-05-07 23:30:41
Revision: 6076 http://sourceforge.net/p/astlinux/code/6076 Author: abelbeck Date: 2013-05-07 23:30:35 +0000 (Tue, 07 May 2013) Log Message: ----------- arnofw, time-schedule-host-block plugin, add TIME_SCHEDULE_HOST_BLOCK_LOG logging option Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.serial branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh branches/1.0/package/arnofw/time-schedule-host-block/time-schedule-host-block.conf Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2013-05-07 17:32:25 UTC (rev 6075) +++ branches/1.0/package/arnofw/arnofw.serial 2013-05-07 23:30:35 UTC (rev 6076) @@ -1 +1 @@ -0002~0019~0000~0000~0000~ +0002~0020~0000~0000~0000~ Modified: branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh =================================================================== --- branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh 2013-05-07 17:32:25 UTC (rev 6075) +++ branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh 2013-05-07 23:30:35 UTC (rev 6076) @@ -32,8 +32,11 @@ # Plugin start function plugin_start() { - local rule type data addr timestart timestop weekdays i DAYS SHOWRULE IFS + local rule type data addr timestart timestop weekdays i DAYS SHOWRULE LOG LOG_PREFIX IFS + LOG="-m limit --limit 3/m --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix" + LOG_PREFIX="AIF:Time Schedule Host Block:" + IFS=$EOL for rule in $TIME_SCHEDULE_HOST_BLOCK_MAC; do unset IFS 
@@ -83,16 +86,28 @@ case $type in LAN-EXT|lan-ext) echo "$SHOWRULE" + if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]; then + iptables -A LAN_INET_FORWARD_CHAIN -m mac --mac-source $addr \ + -m time --timestart $timestart --timestop $timestop $DAYS $LOG "$LOG_PREFIX" + fi iptables -A LAN_INET_FORWARD_CHAIN -m mac --mac-source $addr \ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT ;; DMZ-EXT|dmz-ext) echo "$SHOWRULE" + if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]; then + iptables -A DMZ_INET_FORWARD_CHAIN -m mac --mac-source $addr \ + -m time --timestart $timestart --timestop $timestop $DAYS $LOG "$LOG_PREFIX" + fi iptables -A DMZ_INET_FORWARD_CHAIN -m mac --mac-source $addr \ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT ;; ANY|any) echo "$SHOWRULE" + if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]; then + iptables -A FORWARD_CHAIN -m mac --mac-source $addr \ + -m time --timestart $timestart --timestop $timestop $DAYS $LOG "$LOG_PREFIX" + fi iptables -A FORWARD_CHAIN -m mac --mac-source $addr \ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT ;; 
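Review bot: Each of the six case arms here and in the `@@ -131,16 +146,28 @@` hunk now repeats the same `if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]` guard together with a LOG rule that differs from the REJECT rule below it only in its target, so a future edit to one match specification can silently diverge from its twin. A small helper taking the chain name and the match specification would reduce every arm to a single call and keep the LOG and REJECT rules built from one argument list, as sketched below; the helper would live above plugin_start, outside this hunk, and `chain` is a helper-local. plugin_start begins outside this hunk.
```shell
# Append the optional LOG rule and the REJECT rule for one block entry.
# $1 = chain name; remaining arguments = the iptables match specification
block_rule() {
  local chain="$1"
  shift
  if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]; then
    iptables -A $chain "$@" $LOG "$LOG_PREFIX"
  fi
  iptables -A $chain "$@" -j REJECT
}

# … unchanged: plugin_start up to the case on $type …
      LAN-EXT|lan-ext)
        echo "$SHOWRULE"
        block_rule LAN_INET_FORWARD_CHAIN -m mac --mac-source $addr \
          -m time --timestart $timestart --timestop $timestop $DAYS
        ;;
# … unchanged: the DMZ-EXT and ANY arms follow the same pattern …
```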
@@ -131,16 +146,28 @@ case $type in LAN-EXT|lan-ext) echo "$SHOWRULE" + if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]; then + iptables -A LAN_INET_FORWARD_CHAIN -s $addr \ + -m time --timestart $timestart --timestop $timestop $DAYS $LOG "$LOG_PREFIX" + fi iptables -A LAN_INET_FORWARD_CHAIN -s $addr \ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT ;; DMZ-EXT|dmz-ext) echo "$SHOWRULE" + if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]; then + iptables -A DMZ_INET_FORWARD_CHAIN -s $addr \ + -m time --timestart $timestart --timestop $timestop $DAYS $LOG "$LOG_PREFIX" + fi iptables -A DMZ_INET_FORWARD_CHAIN -s $addr \ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT ;; ANY|any) echo "$SHOWRULE" + if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]; then + iptables -A FORWARD_CHAIN -s $addr \ + -m time --timestart $timestart --timestop $timestop $DAYS $LOG "$LOG_PREFIX" + fi iptables -A FORWARD_CHAIN -s $addr \ -m time --timestart $timestart --timestop $timestop $DAYS -j REJECT ;; @@ -152,6 +179,12 @@ esac done + if [ "$TIME_SCHEDULE_HOST_BLOCK_LOG" = "1" ]; then + echo "${INDENT}Logging of Time Schedule Host Block packets: Enabled" + else + echo "${INDENT}Logging of Time Schedule Host Block packets: Disabled" + fi + return 0 } Modified: branches/1.0/package/arnofw/time-schedule-host-block/time-schedule-host-block.conf =================================================================== --- branches/1.0/package/arnofw/time-schedule-host-block/time-schedule-host-block.conf 2013-05-07 17:32:25 UTC (rev 6075) +++ branches/1.0/package/arnofw/time-schedule-host-block/time-schedule-host-block.conf 2013-05-07 23:30:35 UTC (rev 6076) 
@@ -47,3 +47,8 @@ #DMZ-EXT|192.168.1.1/24~21:00~7:00 " +# Enable logging for both TIME_SCHEDULE_HOST_BLOCK_MAC and +# TIME_SCHEDULE_HOST_BLOCK variables when set to "1" +# ------------------------------------------------------------------------------ +TIME_SCHEDULE_HOST_BLOCK_LOG=0 + This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2013-08-22 19:46:39
Revision: 6176 http://sourceforge.net/p/astlinux/code/6176 Author: abelbeck Date: 2013-08-22 19:46:33 +0000 (Thu, 22 Aug 2013) Log Message: ----------- arnofw, Adaptive Ban plugin, add support for 'prosody' and remove old 'mini_httpd' support Modified Paths: -------------- branches/1.0/package/arnofw/adaptive-ban/95adaptive-ban.plugin.sh branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh branches/1.0/package/arnofw/adaptive-ban/adaptive-ban.conf branches/1.0/package/arnofw/arnofw.serial Modified: branches/1.0/package/arnofw/adaptive-ban/95adaptive-ban.plugin.sh =================================================================== --- branches/1.0/package/arnofw/adaptive-ban/95adaptive-ban.plugin.sh 2013-08-22 19:00:25 UTC (rev 6175) +++ branches/1.0/package/arnofw/adaptive-ban/95adaptive-ban.plugin.sh 2013-08-22 19:46:33 UTC (rev 6176) @@ -2,10 +2,10 @@ # -= Arno's iptables firewall - Adaptive Ban plugin =- # PLUGIN_NAME="Adaptive Ban plugin" -PLUGIN_VERSION="1.06" +PLUGIN_VERSION="1.07" PLUGIN_CONF_FILE="adaptive-ban.conf" # -# Last changed : July 19, 2013 +# Last changed : August 22, 2013 # Requirements : AIF 2.0.0+ # Comments : Parse a log file for failed access with offending IP addresses # Ban the IP address after multiple failed attempts Modified: branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh =================================================================== --- branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh 2013-08-22 19:00:25 UTC (rev 6175) +++ branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh 2013-08-22 19:46:33 UTC (rev 6176) @@ -134,7 +134,7 @@ ;; lighttpd) filter_lighttpd "$file" "$PREFIX" "$HOST" ;; - mini_httpd) filter_mini_httpd "$file" "$PREFIX" "$HOST" + prosody) filter_prosody "$file" "$PREFIX" "$HOST" ;; pptpd) filter_pptpd "$file" "$PREFIX" "$HOST" ;; 
@@ -185,11 +185,11 @@ "$file" >"$TEMPFILE" } -filter_mini_httpd() +filter_prosody() { local file="$1" PREFIX="$2" HOST="$3" - sed -n -r -e "s/^${PREFIX}${HOST} authentication failure - access denied$/\1/p" \ + sed -n -r -e "s/^${PREFIX}.* Failed authentication attempt \(.*\) from IP: ${HOST}[[:space:]]*$/\1/p" \ "$file" >"$TEMPFILE" } Modified: branches/1.0/package/arnofw/adaptive-ban/adaptive-ban.conf =================================================================== --- branches/1.0/package/arnofw/adaptive-ban/adaptive-ban.conf 2013-08-22 19:00:25 UTC (rev 6175) +++ branches/1.0/package/arnofw/adaptive-ban/adaptive-ban.conf 2013-08-22 19:46:33 UTC (rev 6176) @@ -19,7 +19,7 @@ ADAPTIVE_BAN_COUNT=6 # A list of analysis types that are applied -# Choose from: sshd asterisk lighttpd mini_httpd pptpd +# Choose from: sshd asterisk lighttpd prosody pptpd # ------------------------------------------------------------------------------ ADAPTIVE_BAN_TYPES="sshd asterisk" Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2013-08-22 19:00:25 UTC (rev 6175) +++ branches/1.0/package/arnofw/arnofw.serial 2013-08-22 19:46:33 UTC (rev 6176) @@ -1 +1 @@ -0002~0020~0000~0000~0000~ +0002~0021~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
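Review bot: filter_prosody depends on an undocumented contract: `$HOST` must be an ERE fragment containing exactly one capture group, because the `\1` in the replacement is what extracts the address, and `$PREFIX` is likewise interpolated as a regex while the `\(.*\)` in the pattern is an escaped literal parenthesis pair rather than a group. A one-line comment above the sed call, `# $PREFIX and $HOST are regex fragments; $HOST supplies the single capture group that \1 extracts`, would keep the next filter author from adding a second group and shifting `\1` (filter_kamailio added in revision 6686 has the same shape and would benefit from the same comment). Anchoring the tail with `${HOST}[[:space:]]*$` is a good choice, since it ties the extracted value to the trailing IP field rather than to any earlier text in the line.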
From: <abe...@us...> - 2014-02-02 14:07:26
Revision: 6395 http://sourceforge.net/p/astlinux/code/6395 Author: abelbeck Date: 2014-02-02 14:07:23 +0000 (Sun, 02 Feb 2014) Log Message: ----------- arnofw, version bump to 2.0.1e Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-remove-trace-2-0-1e.patch Deleted: branches/1.0/package/arnofw/arnofw-remove-trace-2-0-1e.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-remove-trace-2-0-1e.patch 2014-01-31 19:09:51 UTC (rev 6394) +++ branches/1.0/package/arnofw/arnofw-remove-trace-2-0-1e.patch 2014-02-02 14:07:23 UTC (rev 6395) 
@@ -1,150 +0,0 @@ ---- arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/environment.orig -+++ arno-iptables-firewall_2.0.1d/share/arno-iptables-firewall/environment -@@ -4,10 +4,8 @@ - # - # ~ In memory of my dear father ~ - # --# (C) Copyright 2001-2012 by Arno van Amersfoort --# Co-authors : Lonnie Abelbeck & Philip Prindeville -+# (C) Copyright 2001-2014 by Arno van Amersfoort & Lonnie Abelbeck - # Homepage : http://rocky.eld.leidenuniv.nl/ --# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 - # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l - # (note: you must remove all spaces and substitute the @ and the . - # at the proper locations!) -@@ -46,16 +44,6 @@ - - ################################# Functions #################################### - --trace() --{ -- if [ -n "$TRACEFILE" ]; then -- ((PS4='' ; set -x ; : "$@" >/dev/null) 2>&1 ) | sed 's/^: //' >> $TRACEFILE -- else -- "$@" -- fi --} -- -- - # Find command path with '/hint/path/command' as the argument - find_command() - { -@@ -303,7 +291,7 @@ - { - local result retval IFS=' ' - -- result=`trace $IP4TABLES "$@" 2>&1` -+ result=`$IP4TABLES "$@" 2>&1` - retval=$? - - if [ $retval -ne 0 ]; then -@@ -330,7 +318,7 @@ - { - local result retval IFS=' ' - -- result=`trace $IP6TABLES "$@" 2>&1` -+ result=`$IP6TABLES "$@" 2>&1` - retval=$? - - if [ $retval -ne 0 ]; then -@@ -429,7 +417,7 @@ - { - local IFS=' ' - -- trace $IP4TABLES "$@" >/dev/null 2>&1 -+ $IP4TABLES "$@" >/dev/null 2>&1 - } - - -@@ -437,7 +425,7 @@ - { - local IFS=' ' - -- trace $IP6TABLES "$@" >/dev/null 2>&1 -+ $IP6TABLES "$@" >/dev/null 2>&1 - } - - -@@ -452,7 +440,7 @@ - # Make sure environment variable is not set - MODPROBE_OPTIONS="" - -- result=`trace $MODPROBE $@ 2>&1` -+ result=`$MODPROBE $@ 2>&1` - retval=$? 
- - if [ $retval -ne 0 ]; then -@@ -514,7 +502,7 @@ - modprobe_commandline="$modprobe_commandline $module" - - IFS=' ' -- result=`trace $modprobe_commandline 2>&1` -+ result=`$modprobe_commandline 2>&1` - retval=$? - - if [ $retval -ne 0 ]; then -@@ -554,7 +542,7 @@ - { - local result retval IFS=' ' - -- result=`trace $SYSCTL "$@" 2>&1` -+ result=`$SYSCTL "$@" 2>&1` - retval=$? - - if [ $retval -ne 0 ]; then -@@ -594,7 +582,7 @@ - fi - sysctl_commandline="$sysctl_commandline $variable" - -- result=`trace $sysctl_commandline 2>&1` -+ result=`$sysctl_commandline 2>&1` - retval=$? - - if [ $retval -eq 0 ]; then -@@ -645,7 +633,7 @@ - ################### - tc() - { -- trace $TC "$@" -+ $TC "$@" - } - - -@@ -653,7 +641,7 @@ - ################### - ip() - { -- trace $IP "$@" -+ $IP "$@" - } - - -@@ -767,7 +755,7 @@ - case $if1 in - *+) - if1="${if1%+}" -- if1="$($IP link | awk "\$2 ~ /${if1}[0-9]+:/ { print substr(\$2, 1, length(\$2)-1); }" | tr '\n' ' ')" -+ if1="$(ip link | awk "\$2 ~ /${if1}[0-9]+:/ { print substr(\$2, 1, length(\$2)-1); }" | tr '\n' ' ')" - if [ -z "$if1" ]; then - echo "wildcard: $if0 unmatched!" >&2 - continue -@@ -1654,14 +1642,6 @@ - IPV6_SUPPORT=0 - fi - --# check for tracing --################### --if [ "$TRACE" = "1" ]; then -- TRACEFILE="/tmp/aif-trace.`date '+%Y%m%d-%H:%M:%S'`" -- cp /dev/null $TRACEFILE -- DISABLE_IPTABLES_BATCH=1 --fi -- - # Default NAT_INTERNAL_NET to INTERNAL_NET, if not specified - ############################################################ - if [ -z "$NAT_INTERNAL_NET" ]; then -@@ -1689,3 +1669,4 @@ - PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins" - fi - fi -+ Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2014-01-31 19:09:51 UTC (rev 6394) +++ branches/1.0/package/arnofw/arnofw.mk 2014-02-02 14:07:23 UTC (rev 6395) 
@@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER:=2.0.1d +ARNOFW_VER:=2.0.1e ARNOFW_ROOT:=arno-iptables-firewall ARNOFW_SOURCE:=$(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz ARNOFW_SITE:=http://rocky.eld.leidenuniv.nl/arno-iptables-firewall This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2014-09-02 12:59:06
Revision: 6686 http://sourceforge.net/p/astlinux/code/6686 Author: abelbeck Date: 2014-09-02 12:58:58 +0000 (Tue, 02 Sep 2014) Log Message: ----------- arnofw, adaptive-ban plugin, add 'kamailio' analysis type. Note: requires 'WITH_ANTIFLOOD' enabled in kamailio for the logs to be generated Modified Paths: -------------- branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh branches/1.0/package/arnofw/adaptive-ban/adaptive-ban.conf branches/1.0/package/arnofw/arnofw.serial Modified: branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh =================================================================== --- branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh 2014-09-01 19:16:29 UTC (rev 6685) +++ branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh 2014-09-02 12:58:58 UTC (rev 6686) @@ -132,6 +132,8 @@ ;; asterisk) filter_asterisk "$file" "$PREFIX" "$HOST" ;; + kamailio) filter_kamailio "$file" "$PREFIX" "$HOST" + ;; lighttpd) filter_lighttpd "$file" "$PREFIX" "$HOST" ;; prosody) filter_prosody "$file" "$PREFIX" "$HOST" @@ -176,6 +178,14 @@ "$file" >"$TEMPFILE" } +filter_kamailio() +{ + local file="$1" PREFIX="$2" HOST="$3" + + sed -n -r -e "s/^${PREFIX}.* pike blocking .* from .* \(IP:${HOST}:[0-9]+\)$/\1/p" \ + "$file" >"$TEMPFILE" +} + filter_lighttpd() { local file="$1" PREFIX="$2" HOST="$3" Modified: branches/1.0/package/arnofw/adaptive-ban/adaptive-ban.conf =================================================================== --- branches/1.0/package/arnofw/adaptive-ban/adaptive-ban.conf 2014-09-01 19:16:29 UTC (rev 6685) +++ branches/1.0/package/arnofw/adaptive-ban/adaptive-ban.conf 2014-09-02 12:58:58 UTC (rev 6686) 
@@ -19,7 +19,7 @@ ADAPTIVE_BAN_COUNT=6 # A list of analysis types that are applied -# Choose from: sshd asterisk lighttpd prosody pptpd +# Choose from: sshd asterisk kamailio lighttpd prosody pptpd # ------------------------------------------------------------------------------ ADAPTIVE_BAN_TYPES="sshd asterisk" Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2014-09-01 19:16:29 UTC (rev 6685) +++ branches/1.0/package/arnofw/arnofw.serial 2014-09-02 12:58:58 UTC (rev 6686) @@ -1 +1 @@ -0002~0021~0000~0000~0000~ +0002~0022~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2014-09-15 00:49:27
Revision: 6706 http://sourceforge.net/p/astlinux/code/6706 Author: abelbeck Date: 2014-09-15 00:49:22 +0000 (Mon, 15 Sep 2014) Log Message: ----------- arnofw, add new SIP User-Agent plugin Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial Added Paths: ----------- branches/1.0/package/arnofw/sip-user-agent/ branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2014-09-13 17:24:18 UTC (rev 6705) +++ branches/1.0/package/arnofw/arnofw.mk 2014-09-15 00:49:22 UTC (rev 6706) @@ -126,6 +126,13 @@ $(INSTALL) -m 0644 package/arnofw/time-schedule-host-block/time-schedule-host-block.conf \ $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/time-schedule-host-block.conf @echo + @echo "Install local version of SIP User-Agent plugin." + @echo + $(INSTALL) -m 0644 package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh \ + $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/30sip-user-agent.plugin + $(INSTALL) -m 0644 package/arnofw/sip-user-agent/sip-user-agent.conf \ + $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/sip-user-agent.conf + @echo @echo "Install local version of PPTP VPN plugin." @echo $(INSTALL) -m 0644 package/arnofw/pptp-vpn/50pptp-vpn.plugin.sh \ Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2014-09-13 17:24:18 UTC (rev 6705) +++ branches/1.0/package/arnofw/arnofw.serial 2014-09-15 00:49:22 UTC (rev 6706) 
@@ -1 +1 @@
-0002~0022~0000~0000~0000~
+0002~0023~0000~0000~0000~
Added: branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh
===================================================================
--- branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh (rev 0)
+++ branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh 2014-09-15 00:49:22 UTC (rev 6706)
@@ -0,0 +1,183 @@ +# ------------------------------------------------------------------------------ +# -= Arno's iptables firewall - SIP User-Agent plugin =- +# +PLUGIN_NAME="SIP User-Agent plugin" +PLUGIN_VERSION="1.00" +PLUGIN_CONF_FILE="sip-user-agent.conf" +# +# Last changed : September 14, 2014 +# Requirements : kernel 2.6 + AIF 2.0.1 or better +# Comments : This filters SIP packets via inspection of the User-Agent field. +# +# Author : (C) Copyright 2008-2014 by Arno van Amersfoort & Lonnie Abelbeck +# Homepage : http://rocky.eld.leidenuniv.nl/ +# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 +# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l +# (note: you must remove all spaces and substitute the @ and the . +# at the proper locations!) +# ------------------------------------------------------------------------------ +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
+# ------------------------------------------------------------------------------ + +# Plugin start function +plugin_start() +{ + local user_agent user_agents mode ACTION port ports_udp ports_tcp IFS + + # Create new chains: + iptables -N SIP_USER_AGENT 2>/dev/null + iptables -F SIP_USER_AGENT + + iptables -N SIP_USER_AGENT_DROP 2>/dev/null + iptables -F SIP_USER_AGENT_DROP + + if [ -n "$SIP_USER_AGENT_PASS_TYPES" ]; then + user_agents="$SIP_USER_AGENT_PASS_TYPES" + mode="pass" + ACTION="RETURN" + else + user_agents="${SIP_USER_AGENT_DROP_TYPES:-friendly-scanner sipcli}" + mode="drop" + ACTION="SIP_USER_AGENT_DROP" + fi + + ports_udp="$SIP_USER_AGENT_PORTS_UDP" + ports_tcp="$SIP_USER_AGENT_PORTS_TCP" + + if [ -z "$ports_udp" -a -z "$ports_tcp" ]; then + ports_udp="5060" + fi + + echo "${INDENT}SIP User-Agent(s): $user_agents ($mode mode)" + if [ -n "$ports_udp" ]; then + echo "${INDENT}SIP User-Agent for EXT->Local UDP Port(s): $ports_udp" + fi + if [ -n "$ports_tcp" ]; then + echo "${INDENT}SIP User-Agent for EXT->Local TCP Port(s): $ports_tcp" + fi + + if [ "$SIP_USER_AGENT_LOG" = "1" ]; then + echo "${INDENT}Logging of SIP User-Agent Dropped packets: Enabled" + iptables -A SIP_USER_AGENT_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \ + --log-level $LOGLEVEL --log-prefix "AIF:SIP User-Agent Dropped: " + else + echo "${INDENT}Logging of SIP User-Agent Dropped packets: Disabled" + fi + iptables -A SIP_USER_AGENT_DROP -j DROP + + unset IFS + for user_agent in $user_agents; do + iptables -A SIP_USER_AGENT -m string --string "User-Agent: $user_agent" --algo bm --icase -j $ACTION + done + + if [ "$mode" = "pass" ]; then + iptables -A SIP_USER_AGENT -j SIP_USER_AGENT_DROP + fi + + # Insert rules into the main chain: + IFS=' ,' + for port in $ports_udp; do + iptables -A EXT_INPUT_CHAIN -p udp --dport $port -j SIP_USER_AGENT + done + for port in $ports_tcp; do + iptables -A EXT_INPUT_CHAIN -p tcp --dport $port -j SIP_USER_AGENT + done + + return 0 +} + + +# Plugin 
restart function +plugin_restart() +{ + + # Skip plugin_stop on a restart + plugin_start + + return 0 +} + + +# Plugin stop function +plugin_stop() +{ + + iptables -F SIP_USER_AGENT_DROP + iptables -X SIP_USER_AGENT_DROP 2>/dev/null + + iptables -F SIP_USER_AGENT + iptables -X SIP_USER_AGENT 2>/dev/null + + return 0 +} + + +# Plugin status function +plugin_status() +{ + + #iptables -xnvL SIP_USER_AGENT + return 0 +} + + +# Check sanity of eg. environment +plugin_sanity_check() +{ + return 0 +} + + +############ +# Mainline # +############ + +# Check where to find the config file +CONF_FILE="" +if [ -n "$PLUGIN_CONF_PATH" ]; then + CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" +fi + +# Check if the config file exists +if [ ! -e "$CONF_FILE" ]; then + printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 + PLUGIN_RET_VAL=0 +else + # Source the plugin config file + . "$CONF_FILE" + + if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || + [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || + [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || + [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then + # Show who we are: + echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" + + # Increment indention + INDENT="$INDENT " + + # Only proceed if environment ok + if plugin_sanity_check; then + case $PLUGIN_CMD in + start|'') plugin_start; PLUGIN_RET_VAL=$?;; + restart ) plugin_restart; PLUGIN_RET_VAL=$?;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;; + status ) plugin_status; PLUGIN_RET_VAL=$?;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + esac + fi + else + PLUGIN_RET_VAL=0 + fi +fi Added: branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf =================================================================== --- branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf (rev 0) +++ 
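Review bot: plugin_stop flushes and deletes SIP_USER_AGENT and SIP_USER_AGENT_DROP but never removes the `-j SIP_USER_AGENT` jump rules that plugin_start appended to EXT_INPUT_CHAIN, so unless the core has already flushed that chain when plugins are stopped, `iptables -X SIP_USER_AGENT 2>/dev/null` fails silently and the chain lingers; a loop mirroring the insert loop, `iptables -D EXT_INPUT_CHAIN -p udp --dport $port -j SIP_USER_AGENT` (and its tcp twin), placed before the `-X` would make stop self-contained. The `-m string --string "User-Agent: $user_agent"` rule is a plain payload substring search rather than a header-anchored match, so a comment above the user_agent loop such as `# -m string matches these bytes anywhere in the packet; a request without a User-Agent header never matches` would make the pass-mode fail-closed behaviour visible in the code. In pass mode with SIP_USER_AGENT_PORTS_TCP set, a TCP SYN carries no payload and cannot match, which suggests the handshake itself falls through to SIP_USER_AGENT_DROP unless an earlier EXT_INPUT_CHAIN rule accepts it; worth confirming before documenting TCP as usable in pass mode.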
branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf 2014-09-15 00:49:22 UTC (rev 6706) 
@@ -0,0 +1,42 @@ +# ------------------------------------------------------------------------------ +# -= Arno's iptables firewall - SIP User-Agent plugin =- +# ------------------------------------------------------------------------------ + +# To actually enable this plugin make ENABLED=1: +# ------------------------------------------------------------------------------ +ENABLED=0 + +# This plugin monitors inbound (EXT->Local) SIP sessions on specified ports +# by inspecting the User-Agent field. +# No packets are allowed by this plugin, only denied. + +# Specify the left-most match of the SIP User-Agent: field, case insensitive. +# Multiple User-Agent matches are space separated. +# If matched, the packet continues the evaluation of firewall rules. +# If not matched, the packet is dropped. +# +# Note: If defined, SIP_USER_AGENT_DROP_TYPES is ignored. +# ------------------------------------------------------------------------------ +SIP_USER_AGENT_PASS_TYPES="" + +# Specify the left-most match of the SIP User-Agent: field, case insensitive. +# Multiple User-Agent matches are space separated. +# If matched, the packet is dropped. +# If not matched, the packet continues the evaluation of firewall rules. +# +# Note: Ignored if SIP_USER_AGENT_PASS_TYPES is defined. 
+# ------------------------------------------------------------------------------ +SIP_USER_AGENT_DROP_TYPES="friendly-scanner sipcli" + +# Specify the monitored UDP ports (5060 default) +# ------------------------------------------------------------------------------ +SIP_USER_AGENT_PORTS_UDP="5060" + +# Specify the monitored TCP ports (no default) +# ------------------------------------------------------------------------------ +SIP_USER_AGENT_PORTS_TCP="" + +# Enable logging for dropped packets when set to "1" +# ------------------------------------------------------------------------------ +SIP_USER_AGENT_LOG=0 + This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
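Review bot: The header comment explains how SIP_USER_AGENT_PASS_TYPES and SIP_USER_AGENT_DROP_TYPES are matched, but not that the User-Agent: header is filled in by the remote peer and carries no authentication, so an administrator may read the drop list as access control rather than noise reduction. A sentence under the plugin banner would set expectations: `# Note: the User-Agent value is chosen by the remote peer and is not verified; use this plugin to cut scanner noise and rely on the adaptive-ban plugin or source restrictions for actual access control.` The UDP comment documents a default of 5060 while the TCP comment says "no default"; stating what an empty SIP_USER_AGENT_PORTS_TCP means (presumably TCP is not monitored at all) would remove the ambiguity.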
From: <abe...@us...> - 2014-09-24 14:15:39
Revision: 6721 http://sourceforge.net/p/astlinux/code/6721 Author: abelbeck Date: 2014-09-24 14:15:36 +0000 (Wed, 24 Sep 2014) Log Message: ----------- arnofw, sip-user-agent plugin, add VaxSIPUserAgent blacklist user-agent Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.serial branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2014-09-23 17:15:40 UTC (rev 6720) +++ branches/1.0/package/arnofw/arnofw.serial 2014-09-24 14:15:36 UTC (rev 6721) @@ -1 +1 @@ -0002~0023~0000~0000~0000~ +0002~0024~0000~0000~0000~ Modified: branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh =================================================================== --- branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh 2014-09-23 17:15:40 UTC (rev 6720) +++ branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh 2014-09-24 14:15:36 UTC (rev 6721) @@ -47,7 +47,7 @@ mode="whitelist" ACTION="RETURN" else - user_agents="${SIP_USER_AGENT_DROP_TYPES:-friendly-scanner sipcli}" + user_agents="${SIP_USER_AGENT_DROP_TYPES:-friendly-scanner sipcli VaxSIPUserAgent}" mode="blacklist" ACTION="SIP_USER_AGENT_DROP" fi Modified: branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf =================================================================== --- branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf 2014-09-23 17:15:40 UTC (rev 6720) +++ branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf 2014-09-24 14:15:36 UTC (rev 6721) 
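Review bot: The fallback in `user_agents="${SIP_USER_AGENT_DROP_TYPES:-friendly-scanner sipcli VaxSIPUserAgent}"` is a second copy of the default that sip-user-agent.conf ships, and this commit had to edit both files to add one entry, which is exactly how the two lists will drift. Keep the default in one place: either make the conf value authoritative and let the plugin fall back to an empty list, or define the list once near the top of the plugin (a constructed `SIP_USER_AGENT_DEFAULT_DROP_TYPES` variable, for example) and reference it from both the conf comment and this expansion. Until then a comment on this line naming sip-user-agent.conf as the place to change the list would help. The if/else that selects mode and ACTION starts before the hunk.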
@@ -26,7 +26,7 @@ # # Note: Ignored if SIP_USER_AGENT_PASS_TYPES is defined. # ------------------------------------------------------------------------------ -SIP_USER_AGENT_DROP_TYPES="friendly-scanner sipcli" +SIP_USER_AGENT_DROP_TYPES="friendly-scanner sipcli VaxSIPUserAgent" # Specify the monitored UDP ports (5060 default) # ------------------------------------------------------------------------------ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2015-08-02 14:21:22
Revision: 7172 http://sourceforge.net/p/astlinux/code/7172 Author: abelbeck Date: 2015-08-02 14:21:20 +0000 (Sun, 02 Aug 2015) Log Message: ----------- arnofw, add -w (enable iptables lock wait) option, added to iptables 1.4.20 Modified Paths: -------------- branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh branches/1.0/package/arnofw/dyndns-host-open/dyndns-host-open-helper.sh Added Paths: ----------- branches/1.0/package/arnofw/arnofw-enable-iptables-lock-wait.patch Modified: branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh =================================================================== --- branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh 2015-07-31 16:41:13 UTC (rev 7171) +++ branches/1.0/package/arnofw/adaptive-ban/adaptive-ban-helper.sh 2015-08-02 14:21:20 UTC (rev 7172) @@ -286,7 +286,7 @@ { local result retval - result="$($IP4TABLES "$@" 2>&1)" + result="$($IP4TABLES -w "$@" 2>&1)" retval=$? if [ $retval -ne 0 ]; then @@ -302,7 +302,7 @@ { local result retval - result="$($IP6TABLES "$@" 2>&1)" + result="$($IP6TABLES -w "$@" 2>&1)" retval=$? if [ $retval -ne 0 ]; then Added: branches/1.0/package/arnofw/arnofw-enable-iptables-lock-wait.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-enable-iptables-lock-wait.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-enable-iptables-lock-wait.patch 2015-08-02 14:21:20 UTC (rev 7172) 
@@ -0,0 +1,38 @@ +--- arno-iptables-firewall_2.0.1e/share/arno-iptables-firewall/environment.orig 2015-08-02 08:31:33.000000000 -0500 ++++ arno-iptables-firewall_2.0.1e/share/arno-iptables-firewall/environment 2015-08-02 08:33:37.000000000 -0500 +@@ -291,7 +291,7 @@ + { + local result retval IFS=' ' + +- result=`$IP4TABLES "$@" 2>&1` ++ result=`$IP4TABLES -w "$@" 2>&1` + retval=$? + + if [ $retval -ne 0 ]; then +@@ -318,7 +318,7 @@ + { + local result retval IFS=' ' + +- result=`$IP6TABLES "$@" 2>&1` ++ result=`$IP6TABLES -w "$@" 2>&1` + retval=$? + + if [ $retval -ne 0 ]; then +@@ -417,7 +417,7 @@ + { + local IFS=' ' + +- $IP4TABLES "$@" >/dev/null 2>&1 ++ $IP4TABLES -w "$@" >/dev/null 2>&1 + } + + +@@ -425,7 +425,7 @@ + { + local IFS=' ' + +- $IP6TABLES "$@" >/dev/null 2>&1 ++ $IP6TABLES -w "$@" >/dev/null 2>&1 + } + + Modified: branches/1.0/package/arnofw/dyndns-host-open/dyndns-host-open-helper.sh =================================================================== --- branches/1.0/package/arnofw/dyndns-host-open/dyndns-host-open-helper.sh 2015-07-31 16:41:13 UTC (rev 7171) +++ branches/1.0/package/arnofw/dyndns-host-open/dyndns-host-open-helper.sh 2015-08-02 14:21:20 UTC (rev 7172) @@ -142,7 +142,7 @@ { local result retval - result="$($IP4TABLES "$@" 2>&1)" + result="$($IP4TABLES -w "$@" 2>&1)" retval=$? if [ $retval -ne 0 ]; then This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
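Review bot: `result="$($IP4TABLES -w "$@" 2>&1)"` passes -w unconditionally, yet the log message itself says the option only exists from iptables 1.4.20; on an older binary every call through this wrapper fails with an unknown-option error, and the same applies to the ip6tables wrapper in the second adaptive-ban-helper.sh hunk, to dyndns-host-open-helper.sh and to the four replacements in the added environment patch. Probe once at startup and pass the result, e.g. `if $IP4TABLES -w --version >/dev/null 2>&1; then IPTABLES_OPTIONS="-w"; else IPTABLES_OPTIONS=""; fi` followed by `result="$($IP4TABLES $IPTABLES_OPTIONS "$@" 2>&1)"`. A bare -w also waits for the xtables lock with no upper bound, so a stuck lock holder stalls the helper indefinitely; newer iptables accept an optional timeout after -w, which is worth considering where the caller must not block. The wrapper functions begin before each hunk.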
From: <abe...@us...> - 2015-08-13 22:43:37
Revision: 7190 http://sourceforge.net/p/astlinux/code/7190 Author: abelbeck Date: 2015-08-13 22:43:35 +0000 (Thu, 13 Aug 2015) Log Message: ----------- arnofw, version bump to pre-release 2.0.1f Modified Paths: -------------- branches/1.0/package/arnofw/adaptive-ban/95adaptive-ban.plugin.sh branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial branches/1.0/package/arnofw/dyndns-host-open/50dyndns-host-open.plugin.sh branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh branches/1.0/package/arnofw/openvpn-server/50openvpn-server.plugin.sh branches/1.0/package/arnofw/pptp-vpn/50pptp-vpn.plugin.sh branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh branches/1.0/package/arnofw/traffic-shaper/60traffic-shaper.plugin.sh Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-NAT_LOCAL_REDIRECT.patch branches/1.0/package/arnofw/arnofw-enable-iptables-lock-wait.patch Modified: branches/1.0/package/arnofw/adaptive-ban/95adaptive-ban.plugin.sh =================================================================== --- branches/1.0/package/arnofw/adaptive-ban/95adaptive-ban.plugin.sh 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/adaptive-ban/95adaptive-ban.plugin.sh 2015-08-13 22:43:35 UTC (rev 7190) @@ -164,10 +164,12 @@ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi +# Preinit to success: +PLUGIN_RET_VAL=0 + # Check if the config file exists if [ ! -e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 - PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" 
@@ -182,16 +184,15 @@ INDENT="$INDENT " # Only proceed if environment ok - if plugin_sanity_check; then + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else case $PLUGIN_CMD in - start|'') plugin_start; PLUGIN_RET_VAL=$?;; - stop ) plugin_stop; PLUGIN_RET_VAL=$?;; - status ) plugin_status; PLUGIN_RET_VAL=$?;; - * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi - else - PLUGIN_RET_VAL=0 fi fi - Deleted: branches/1.0/package/arnofw/arnofw-NAT_LOCAL_REDIRECT.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-NAT_LOCAL_REDIRECT.patch 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/arnofw-NAT_LOCAL_REDIRECT.patch 2015-08-13 22:43:35 UTC (rev 7190) 
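Review bot: The rewritten default arm `* ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;` expands $INDENT and $PLUGIN_CMD inside the printf format string, so a value containing % is read as a directive and the message is mangled or printf fails. Since the line is being touched anyway, pass the data as arguments: `printf "\033[40m\033[1;31m%sERROR: Invalid plugin option \"%s\"!\033[0m\n" "$INDENT" "$PLUGIN_CMD" >&2`. The same line is rewritten in the dyndns-host-open, miniupnpd, openvpn-server, pptp-vpn, sip-user-agent and time-schedule-host-block hunks of this commit, and the context line `printf "NOTE: Config file \"$CONF_FILE\" not found!..."` in each plugin has the same shape. The mainline block these hunks edit starts before the hunk.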
@@ -1,44 +0,0 @@ -From efc3c82552ec009a20252ed3e412aff3ef983fa2 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Mon, 28 Jul 2014 08:19:47 -0500 -Subject: [PATCH] fixed: Move NAT_LOCAL_REDIRECT to be applied before the drop - logs, Issue #13 - ---- - bin/arno-iptables-firewall | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index 0f74051..1e52ec8 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -3373,6 +3373,13 @@ setup_ext_input_chain() - ip6tables -A EXT_INPUT_CHAIN -d ff00::/8 -j EXT_MULTICAST_CHAIN - fi - -+ # Allow all packets that have been locally redirected -+ ##################################################### -+ if [ "$NAT_LOCAL_REDIRECT" = "1" ]; then -+ echo " Enabling support for NAT local redirect" -+ ip4tables -A EXT_INPUT_CHAIN -m conntrack --ctstate DNAT -j ACCEPT -+ fi -+ - # Log packets to privileged TCP ports? - ################################################## - if [ "$PRIV_TCP_LOG" != "0" ]; then -@@ -3439,13 +3446,6 @@ setup_ext_input_chain() - echo " Logging of IPv4 IGMP packets disabled" - fi - -- # Allow all packets that have been locally redirected -- ##################################################### -- if [ "$NAT_LOCAL_REDIRECT" = "1" ]; then -- echo " Enabling support for NAT local redirect" -- ip4tables -A EXT_INPUT_CHAIN -m conntrack --ctstate DNAT -j ACCEPT -- fi -- - # Finally drop all in the broadcast chain - iptables -A EXT_BROADCAST_CHAIN -j DROP - --- -2.0.3 Deleted: branches/1.0/package/arnofw/arnofw-enable-iptables-lock-wait.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-enable-iptables-lock-wait.patch 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/arnofw-enable-iptables-lock-wait.patch 2015-08-13 22:43:35 UTC (rev 7190) 
@@ -1,64 +0,0 @@ -From 8a5f13173cbc21b4c21b0fc97370f9882ef4cd94 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Mon, 3 Aug 2015 17:11:00 -0500 -Subject: [PATCH] fixed: Issue #17, Enable xtables lock "wait" option found in - iptables 1.4.20+ - ---- - share/arno-iptables-firewall/environment | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment -index 0fe708f..bc2d24e 100644 ---- a/share/arno-iptables-firewall/environment -+++ b/share/arno-iptables-firewall/environment -@@ -296,7 +296,7 @@ ip4tables() - { - local result retval IFS=' ' - -- result=`$IP4TABLES "$@" 2>&1` -+ result=`$IP4TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" 2>&1` - retval=$? - - if [ $retval -ne 0 ]; then -@@ -323,7 +323,7 @@ ip6tables() - { - local result retval IFS=' ' - -- result=`$IP6TABLES "$@" 2>&1` -+ result=`$IP6TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" 2>&1` - retval=$? 
- - if [ $retval -ne 0 ]; then -@@ -422,7 +422,7 @@ try_ip4tables() - { - local IFS=' ' - -- $IP4TABLES "$@" >/dev/null 2>&1 -+ $IP4TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" >/dev/null 2>&1 - } - - -@@ -430,7 +430,7 @@ try_ip6tables() - { - local IFS=' ' - -- $IP6TABLES "$@" >/dev/null 2>&1 -+ $IP6TABLES${IPTABLES_OPTIONS:+ $IPTABLES_OPTIONS} "$@" >/dev/null 2>&1 - } - - -@@ -1672,6 +1672,13 @@ if [ -z "$DIG" ]; then - NSLOOKUP="$(find_command /usr/bin/nslookup)" - fi - -+# Enable xtables lock "wait" option found in iptables 1.4.20+ -+if $IP4TABLES -w --version >/dev/null 2>&1; then -+ IPTABLES_OPTIONS="-w" -+else -+ IPTABLES_OPTIONS="" -+fi -+ - # Setup IPv6 detected environment variable - if sysctl_key net.ipv6.conf; then - IPV6_DETECTED=1 Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/arnofw.mk 2015-08-13 22:43:35 UTC (rev 7190) 
@@ -3,20 +3,20 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER:=2.0.1e -ARNOFW_ROOT:=arno-iptables-firewall -ARNOFW_SOURCE:=$(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz -ARNOFW_SITE:=http://rocky.eld.leidenuniv.nl/arno-iptables-firewall -#ARNOFW_SITE:=http://files.astlinux.org -ARNOFW_DIR:=$(BUILD_DIR)/$(ARNOFW_ROOT)_$(ARNOFW_VER) -ARNOFW_CAT:=zcat -ARNOFW_TARGET_BINARY:=/usr/sbin/arno-iptables-firewall -ARNOFW_CONFIG_DIR:=/etc/arno-iptables-firewall -ARNOFW_SCRIPT_DIR:=/usr/share/arno-iptables-firewall -ARNOFW_PLUGIN_CONFIG_DIR:=$(ARNOFW_CONFIG_DIR)/plugins -ARNOFW_PLUGIN_SCRIPT_DIR:=$(ARNOFW_SCRIPT_DIR)/plugins -ARNOFW_CONFIG_SHIM:=$(ARNOFW_SCRIPT_DIR)/astlinux.shim -ARNOFW_CONFIG_SERIAL:=$(ARNOFW_CONFIG_DIR)/serial +ARNOFW_VER := 2.0.1f-DEVEL +ARNOFW_ROOT := arno-iptables-firewall +ARNOFW_SOURCE := $(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz +#ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall +ARNOFW_SITE := http://files.astlinux.org +ARNOFW_DIR := $(BUILD_DIR)/$(ARNOFW_ROOT)_$(ARNOFW_VER) +ARNOFW_CAT := zcat +ARNOFW_TARGET_BINARY := /usr/sbin/arno-iptables-firewall +ARNOFW_CONFIG_DIR := /etc/arno-iptables-firewall +ARNOFW_SCRIPT_DIR := /usr/share/arno-iptables-firewall +ARNOFW_PLUGIN_CONFIG_DIR := $(ARNOFW_CONFIG_DIR)/plugins +ARNOFW_PLUGIN_SCRIPT_DIR := $(ARNOFW_SCRIPT_DIR)/plugins +ARNOFW_CONFIG_SHIM := $(ARNOFW_SCRIPT_DIR)/astlinux.shim +ARNOFW_CONFIG_SERIAL := $(ARNOFW_CONFIG_DIR)/serial $(DL_DIR)/$(ARNOFW_SOURCE): $(WGET) -P $(DL_DIR) $(ARNOFW_SITE)/$(ARNOFW_SOURCE) 
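Review bot: `ARNOFW_SITE := http://files.astlinux.org` together with `ARNOFW_VER := 2.0.1f-DEVEL` points the build at a pre-release tarball fetched by the plain-http `$(WGET)` rule that follows, and nothing in the hunk verifies what was downloaded; a DEVEL name can be re-published with different contents, so two builds of the same revision can embed different firewall code and a tampered download would be installed unnoticed. Record a digest of the exact tarball next to the version, e.g. a new `ARNOFW_SHA256 := <sha256 of the pinned 2.0.1f-DEVEL tarball>`, and check it in the download rule before unpacking, preferring an https URL if the host offers one. The `$(DL_DIR)/$(ARNOFW_SOURCE):` rule continues outside the hunk.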
@@ -50,8 +50,6 @@ -e 's:^ENV_FILE="[^"]*":ENV_FILE="$(ARNOFW_SCRIPT_DIR)/environment":' \ -e 's:^ENV_FILE=[^"]*$$:ENV_FILE="$(ARNOFW_SCRIPT_DIR)/environment":' \ -e 's:^LOCAL_CONFIG_FILE="":LOCAL_CONFIG_FILE="$(ARNOFW_CONFIG_SHIM)":' \ - -e 's:^IP4TABLES="[^"]*":IP4TABLES="$(IPTABLES_BIN)":' \ - -e 's:^IP6TABLES="[^"]*":IP6TABLES="$(IP6TABLES_BIN)":' \ -e 's:^(INT_IF|EXT_IF|MODEM_IF|INTERNAL_NET|NAT|NAT_INTERNAL_NET|EXT_IF_DHCP_IP)=:#&:' \ -e 's:^NAT_LOCAL_REDIRECT=0$$:NAT_LOCAL_REDIRECT=1:' \ -e 's:^IGMP_LOG=1$$:IGMP_LOG=0:' \ Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/arnofw.serial 2015-08-13 22:43:35 UTC (rev 7190) @@ -1 +1 @@ -0002~0024~0000~0000~0000~ +0002~0025~0000~0000~0000~ Modified: branches/1.0/package/arnofw/dyndns-host-open/50dyndns-host-open.plugin.sh =================================================================== --- branches/1.0/package/arnofw/dyndns-host-open/50dyndns-host-open.plugin.sh 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/dyndns-host-open/50dyndns-host-open.plugin.sh 2015-08-13 22:43:35 UTC (rev 7190) @@ -243,10 +243,12 @@ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi +# Preinit to success: +PLUGIN_RET_VAL=0 + # Check if the config file exists if [ ! -e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 - PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" 
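Review bot: This hunk drops the two sed expressions that rewrote `IP4TABLES=` and `IP6TABLES=` in the installed config to `$(IPTABLES_BIN)` and `$(IP6TABLES_BIN)`, but the log message only mentions a version bump, so the reason is recorded nowhere. Presumably the 2.0.1f environment now resolves the binaries itself; if so, say so in a comment above the sed block (`# IP4TABLES/IP6TABLES are resolved by the firewall environment since 2.0.1f, no override needed`) so the substitution is not reinstated later, and if not, the target may end up invoking a different iptables than the one the build installs. The sed command these expressions belong to starts before the hunk.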
@@ -262,16 +264,16 @@ INDENT="$INDENT " # Only proceed if environment ok - if plugin_sanity_check; then + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else case $PLUGIN_CMD in - start|'') plugin_start; PLUGIN_RET_VAL=$?;; - restart ) plugin_restart; PLUGIN_RET_VAL=$?;; - stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;; - status ) plugin_status; PLUGIN_RET_VAL=$?;; - * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi - else - PLUGIN_RET_VAL=0 fi fi Modified: branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh =================================================================== --- branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh 2015-08-13 22:43:35 UTC (rev 7190) @@ -129,10 +129,12 @@ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi +# Preinit to success: +PLUGIN_RET_VAL=0 + # Check if the config file exists if [ ! -e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 - PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" 
@@ -148,17 +150,16 @@ INDENT="$INDENT " # Only proceed if environment ok - if plugin_sanity_check; then + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else case $PLUGIN_CMD in - start|'') plugin_start; PLUGIN_RET_VAL=$?;; - restart ) plugin_restart; PLUGIN_RET_VAL=$?;; - stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;; - status ) plugin_status; PLUGIN_RET_VAL=$?;; - * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi - else - PLUGIN_RET_VAL=0 fi fi - Modified: branches/1.0/package/arnofw/openvpn-server/50openvpn-server.plugin.sh =================================================================== --- branches/1.0/package/arnofw/openvpn-server/50openvpn-server.plugin.sh 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/openvpn-server/50openvpn-server.plugin.sh 2015-08-13 22:43:35 UTC (rev 7190) @@ -102,10 +102,12 @@ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi +# Preinit to success: +PLUGIN_RET_VAL=0 + # Check if the config file exists if [ ! -e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 - PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" 
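Review bot: The rewritten default arm in this miniupnpd hunk prints `ERROR: Invalid plugin option` behind a hard-coded leading space, while the adaptive-ban, dyndns-host-open, sip-user-agent and traffic-shaper plugins in the same commit prefix the message with `${INDENT}`, so the error lines up differently depending on which plugin emits it. Since the commit rewrites this line anyway, align it and keep the variables out of the format string: `* ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m%sERROR: Invalid plugin option \"%s\"!\033[0m\n" "$INDENT" "$PLUGIN_CMD" >&2 ;;`. The openvpn-server, pptp-vpn and time-schedule-host-block hunks below carry the same hard-coded space.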
@@ -121,16 +123,16 @@ INDENT="$INDENT " # Only proceed if environment ok - if plugin_sanity_check; then + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else case $PLUGIN_CMD in - start|'') plugin_start; PLUGIN_RET_VAL=$?;; - restart ) plugin_restart; PLUGIN_RET_VAL=$?;; - stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;; - status ) plugin_status; PLUGIN_RET_VAL=$?;; - * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi - else - PLUGIN_RET_VAL=0 fi fi Modified: branches/1.0/package/arnofw/pptp-vpn/50pptp-vpn.plugin.sh =================================================================== --- branches/1.0/package/arnofw/pptp-vpn/50pptp-vpn.plugin.sh 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/pptp-vpn/50pptp-vpn.plugin.sh 2015-08-13 22:43:35 UTC (rev 7190) @@ -185,10 +185,12 @@ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi +# Preinit to success: +PLUGIN_RET_VAL=0 + # Check if the config file exists if [ ! -e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 - PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" 
@@ -204,16 +206,16 @@ INDENT="$INDENT " # Only proceed if environment ok - if plugin_sanity_check; then + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else case $PLUGIN_CMD in - start|'') plugin_start; PLUGIN_RET_VAL=$?;; - restart ) plugin_restart; PLUGIN_RET_VAL=$?;; - stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;; - status ) plugin_status; PLUGIN_RET_VAL=$?;; - * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi - else - PLUGIN_RET_VAL=0 fi fi Modified: branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh =================================================================== --- branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh 2015-08-13 22:43:35 UTC (rev 7190) @@ -150,10 +150,12 @@ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi +# Preinit to success: +PLUGIN_RET_VAL=0 + # Check if the config file exists if [ ! -e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 - PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" 
@@ -169,16 +171,16 @@ INDENT="$INDENT " # Only proceed if environment ok - if plugin_sanity_check; then + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else case $PLUGIN_CMD in - start|'') plugin_start; PLUGIN_RET_VAL=$?;; - restart ) plugin_restart; PLUGIN_RET_VAL=$?;; - stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;; - status ) plugin_status; PLUGIN_RET_VAL=$?;; - * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi - else - PLUGIN_RET_VAL=0 fi fi Modified: branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh =================================================================== --- branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/time-schedule-host-block/30time-schedule-host-block.plugin.sh 2015-08-13 22:43:35 UTC (rev 7190) @@ -234,10 +234,12 @@ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi +# Preinit to success: +PLUGIN_RET_VAL=0 + # Check if the config file exists if [ ! -e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 - PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" 
@@ -253,16 +255,16 @@ INDENT="$INDENT " # Only proceed if environment ok - if plugin_sanity_check; then + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else case $PLUGIN_CMD in - start|'') plugin_start; PLUGIN_RET_VAL=$?;; - restart ) plugin_restart; PLUGIN_RET_VAL=$?;; - stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;; - status ) plugin_status; PLUGIN_RET_VAL=$?;; - * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;; + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi - else - PLUGIN_RET_VAL=0 fi fi Modified: branches/1.0/package/arnofw/traffic-shaper/60traffic-shaper.plugin.sh =================================================================== --- branches/1.0/package/arnofw/traffic-shaper/60traffic-shaper.plugin.sh 2015-08-08 14:07:11 UTC (rev 7189) +++ branches/1.0/package/arnofw/traffic-shaper/60traffic-shaper.plugin.sh 2015-08-13 22:43:35 UTC (rev 7190) @@ -438,10 +438,12 @@ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" fi +# Preinit to success: +PLUGIN_RET_VAL=0 + # Check if the config file exists if [ ! -e "$CONF_FILE" ]; then printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 - PLUGIN_RET_VAL=0 else # Source the plugin config file . "$CONF_FILE" 
@@ -456,15 +458,15 @@ INDENT="$INDENT " # Only proceed if environment ok - if plugin_sanity_check; then + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else case $PLUGIN_CMD in - start|'') plugin_start; PLUGIN_RET_VAL=$?;; - stop ) plugin_stop; PLUGIN_RET_VAL=$?;; - status ) plugin_status; PLUGIN_RET_VAL=$?;; + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + stop ) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; esac fi - else - PLUGIN_RET_VAL=0 fi fi This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2016-01-09 17:51:25
Revision: 7451 http://sourceforge.net/p/astlinux/code/7451 Author: abelbeck Date: 2016-01-09 17:51:22 +0000 (Sat, 09 Jan 2016) Log Message: ----------- arnofw, add new PPTP VPN Passthrough plugin from upstream Ref: https://github.com/arno-iptables-firewall/aif/commit/ade2e3fd17771b861f97dd3adb5307e4da16dc4e Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.serial Added Paths: ----------- branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch Added: branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch 2016-01-09 17:51:22 UTC (rev 7451) 
@@ -0,0 +1,186 @@ +From ade2e3fd17771b861f97dd3adb5307e4da16dc4e Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck <lo...@ab...> +Date: Sat, 9 Jan 2016 10:04:46 -0600 +Subject: [PATCH] added: PPTP VPN Passthrough plugin, Issue #27 + +--- + .../plugins/pptp-vpn-passthrough.conf | 14 +++ + .../plugins/50pptp-vpn-passthrough.plugin | 135 +++++++++++++++++++++ + .../plugins/pptp-vpn-passthrough.CHANGELOG | 4 + + 3 files changed, 153 insertions(+) + create mode 100644 etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf + create mode 100644 share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin + create mode 100644 share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG + +diff --git a/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf +new file mode 100644 +index 0000000..250bc0d +--- /dev/null ++++ b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf +@@ -0,0 +1,14 @@ ++# ------------------------------------------------------------------------------ ++# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- ++# ------------------------------------------------------------------------------ ++ ++# To actually enable this plugin make ENABLED=1: ++# ------------------------------------------------------------------------------ ++ENABLED=0 ++ ++# PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients ++# have NAT between them and the PPTP VPN server special packet handling must be performed. ++# This plugin loads the required Linux Kernel modules to handle that situation. 
++# ++# No configuration options ++# ------------------------------------------------------------------------------ +diff --git a/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin +new file mode 100644 +index 0000000..379a1dd +--- /dev/null ++++ b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin +@@ -0,0 +1,135 @@ ++# ------------------------------------------------------------------------------ ++# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- ++# ++PLUGIN_NAME="PPTP VPN Passthrough plugin" ++PLUGIN_VERSION="1.00" ++PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" ++# ++# Last changed : January 9, 2016 ++# Requirements : AIF 2.0.0+ and ip_nat_pptp ++# Comments : This plugin loads the required kernel modules for PPTP VPN Clients ++# to access remote PPTP VPN Server(s) when NAT is enabled. ++# ++# Author : (C) Copyright 2016 by Lonnie Abelbeck & Arno van Amersfoort ++# Homepage : http://rocky.eld.leidenuniv.nl/ ++# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l ++# (note: you must remove all spaces and substitute the @ and the . ++# at the proper locations!) ++# ------------------------------------------------------------------------------ ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# version 2 as published by the Free Software Foundation. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
++# ------------------------------------------------------------------------------ ++ ++# Plugin start function ++plugin_start() ++{ ++ ++ if [ "$NAT" = "1" ]; then ++ echo "${INDENT}Enable PPTP NAT helper module" ++ modprobe_multi nf_nat_pptp ip_nat_pptp ++ else ++ echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." ++ fi ++ ++ return 0 ++} ++ ++ ++# Plugin restart function ++plugin_restart() ++{ ++ ++ # Skip plugin_stop on a restart ++ plugin_start ++ ++ return 0 ++} ++ ++ ++# Plugin stop function ++plugin_stop() ++{ ++ ++ if [ "$NAT" = "1" ]; then ++ if [ -e /proc/modules -a -x "$MODPROBE" ]; then ++ if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then ++ $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 ++ fi ++ if [ $? -eq 0 ]; then ++ echo "${INDENT}Disabled PPTP NAT helper module" ++ fi ++ fi ++ fi ++ ++ return 0 ++} ++ ++ ++# Plugin status function ++plugin_status() ++{ ++ return 0 ++} ++ ++ ++# Check sanity of eg. environment ++plugin_sanity_check() ++{ ++ return 0 ++} ++ ++ ++############ ++# Mainline # ++############ ++ ++# Check where to find the config file ++CONF_FILE="" ++if [ -n "$PLUGIN_CONF_PATH" ]; then ++ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" ++fi ++ ++# Preinit to success: ++PLUGIN_RET_VAL=0 ++ ++# Check if the config file exists ++if [ ! -e "$CONF_FILE" ]; then ++ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 ++else ++ # Source the plugin config file ++ . "$CONF_FILE" ++ ++ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || ++ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || ++ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || ++ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then ++ # Show who we are: ++ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" ++ ++ # Increment indention ++ INDENT="$INDENT " ++ ++ # Only proceed if environment ok ++ if ! 
plugin_sanity_check; then ++ PLUGIN_RET_VAL=1 ++ else ++ case $PLUGIN_CMD in ++ start|'') plugin_start; PLUGIN_RET_VAL=$? ;; ++ restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; ++ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; ++ status ) plugin_status; PLUGIN_RET_VAL=$? ;; ++ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; ++ esac ++ fi ++ fi ++fi +diff --git a/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG +new file mode 100644 +index 0000000..042b789 +--- /dev/null ++++ b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG +@@ -0,0 +1,4 @@ ++Version 1.00 (January 9, 2016) ++----------------------------------- +++ Initial version ++ + Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2016-01-09 15:16:38 UTC (rev 7450) +++ branches/1.0/package/arnofw/arnofw.serial 2016-01-09 17:51:22 UTC (rev 7451) @@ -1 +1 @@ -0002~0025~0000~0000~0000~ +0002~0026~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
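Review bot: In `plugin_stop` of the added 50pptp-vpn-passthrough.plugin, the `if [ $? -eq 0 ]` test reads the exit status of the preceding `if` compound, which is 0 whenever the first `$MODPROBE -r nf_nat_pptp` succeeded (no body ran) and otherwise the status of the fallback `ip_nat_pptp` removal, so the "Disabled" message is correct only by that subtlety of shell exit-status rules; `if $MODPROBE -r nf_nat_pptp >/dev/null 2>&1 || $MODPROBE -r ip_nat_pptp >/dev/null 2>&1; then` states the intent directly and drops the separate `$?` check. In `plugin_start` the NAT-disabled branch echoes an `ERROR:` line to stdout yet still `return 0`, so the mainline's `PLUGIN_RET_VAL` reports success while the output reports an error; either return 1 there or reword it as a NOTE sent to `>&2` so message and status agree. The header's `Requirements` line names only `ip_nat_pptp` while the code tries `nf_nat_pptp` first, which the comment could reflect. The identical patch is copied unchanged as arnofw-0003-pptp-vpn-passthrough.patch in revision 7716 below, so the same remarks apply there.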
From: <abe...@us...> - 2016-06-11 20:31:28
Revision: 7716 http://sourceforge.net/p/astlinux/code/7716 Author: abelbeck Date: 2016-06-11 20:31:25 +0000 (Sat, 11 Jun 2016) Log Message: ----------- arnofw, Add LAN to LAN filtering rules (AIF issue #28), bump serial number for updated default firewall.conf Ref: https://github.com/arno-iptables-firewall/aif/issues/28 Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.serial Added Paths: ----------- branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch Copied: branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch (from rev 7715, branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch) =================================================================== --- branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -0,0 +1,11 @@ +--- arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall.orig 2015-10-30 15:52:23.000000000 -0500 ++++ arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall 2015-10-30 16:00:37.000000000 -0500 +@@ -495,7 +495,7 @@ + sysctl_set_all "net.ipv6.conf" "forwarding" 1 + echo " Disabling Local IPv6 Auto-Configuration" + sysctl_set_all "net.ipv6.conf" "autoconf" 0 +- sysctl_set_all "net.ipv6.conf" "accept_ra" 0 ++ ## Setting accept_ra=0 is not needed with forwarding=1, don't overwrite any existing accept_ra=2 values + fi + elif [ "$IP_FORWARDING" = "0" ]; then + echo " DISABLING packet forwarding" Copied: branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch (from rev 7715, branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch) =================================================================== --- branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -0,0 +1,75 @@ +From 7bd64927a401050769b7da18fd2ae52370cc2390 Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck <lo...@ab...> +Date: Sat, 13 Feb 2016 16:16:16 -0600 +Subject: [PATCH] changed: added support for ICMPv6 Multicast Listener + Discovery, disabled by default with OPEN_ICMPV6_MLD=0. Additionally make sure + all un-needed ICMPv6 packets are dropped so they don't appear as annoying + logs, more common with native IPv6 support by ISP's. Thanks to David Kerr for + pointing out the issue and testing a solution. + +--- + bin/arno-iptables-firewall | 10 ++++++++++ + etc/arno-iptables-firewall/firewall.conf | 6 ++++++ + share/arno-iptables-firewall/environment | 4 ++++ + 3 files changed, 20 insertions(+) + +diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall +index f5095a5..b02a85f 100755 +--- a/bin/arno-iptables-firewall ++++ b/bin/arno-iptables-firewall +@@ -4574,6 +4574,11 @@ setup_firewall_rules() + for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do + ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT + done ++ if [ "$OPEN_ICMPV6_MLD" = "1" ]; then ++ for icmpv6_type in $ICMPV6_MLD_TYPES; do ++ ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT ++ done ++ fi + fi + + # Apply external (internet) interface policy for the input chain: +@@ -4592,6 +4597,11 @@ setup_firewall_rules() + + # ICMP traffic (flood) + iptables -A INPUT -i $interface -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN ++ ++ # Drop any remaining ICMPv6 traffic ++ if [ "$IPV6_SUPPORT" = "1" ]; then ++ ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN ++ fi + done + + +diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf +index 9e80e20..2291916 100644 +--- a/etc/arno-iptables-firewall/firewall.conf ++++ b/etc/arno-iptables-firewall/firewall.conf +@@ -1158,6 +1158,12 @@ OPEN_ICMP=0 + # 
----------------------------------------------------------------------------- + OPEN_ICMPV6=1 + ++# Enable (1) to make the default policy allow IPv6 ICMPv6 ++# Multicast Listener Discovery (RFC 2710, 3810) for INET access ++# Note: Requires setting OPEN_ICMPV6=1 to apply. ++# ----------------------------------------------------------------------------- ++OPEN_ICMPV6_MLD=0 ++ + # Put in the following variables which ports or IP protocols you want to leave + # open to the whole world. + # ----------------------------------------------------------------------------- +diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment +index 5728e4c..616c29c 100644 +--- a/share/arno-iptables-firewall/environment ++++ b/share/arno-iptables-firewall/environment +@@ -1698,6 +1698,10 @@ fi + ###################################################################### + ICMPV6_SPECIAL_TYPES="133 134 135 136" + ++# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810) ++###################################################################### ++ICMPV6_MLD_TYPES="130 131 132 143" ++ + # Check plugin bin path and fallback in case it's empty + ####################################################### + if [ -z "$PLUGIN_BIN_PATH" ]; then Copied: branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch (from rev 7715, branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch) =================================================================== --- branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -0,0 +1,186 @@ +From ade2e3fd17771b861f97dd3adb5307e4da16dc4e Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck <lo...@ab...> +Date: Sat, 9 Jan 2016 10:04:46 -0600 +Subject: [PATCH] added: PPTP VPN Passthrough plugin, Issue #27 + +--- + .../plugins/pptp-vpn-passthrough.conf | 14 +++ + .../plugins/50pptp-vpn-passthrough.plugin | 135 +++++++++++++++++++++ + .../plugins/pptp-vpn-passthrough.CHANGELOG | 4 + + 3 files changed, 153 insertions(+) + create mode 100644 etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf + create mode 100644 share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin + create mode 100644 share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG + +diff --git a/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf +new file mode 100644 +index 0000000..250bc0d +--- /dev/null ++++ b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf +@@ -0,0 +1,14 @@ ++# ------------------------------------------------------------------------------ ++# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- ++# ------------------------------------------------------------------------------ ++ ++# To actually enable this plugin make ENABLED=1: ++# ------------------------------------------------------------------------------ ++ENABLED=0 ++ ++# PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients ++# have NAT between them and the PPTP VPN server special packet handling must be performed. ++# This plugin loads the required Linux Kernel modules to handle that situation. 
++# ++# No configuration options ++# ------------------------------------------------------------------------------ +diff --git a/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin +new file mode 100644 +index 0000000..379a1dd +--- /dev/null ++++ b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin +@@ -0,0 +1,135 @@ ++# ------------------------------------------------------------------------------ ++# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- ++# ++PLUGIN_NAME="PPTP VPN Passthrough plugin" ++PLUGIN_VERSION="1.00" ++PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" ++# ++# Last changed : January 9, 2016 ++# Requirements : AIF 2.0.0+ and ip_nat_pptp ++# Comments : This plugin loads the required kernel modules for PPTP VPN Clients ++# to access remote PPTP VPN Server(s) when NAT is enabled. ++# ++# Author : (C) Copyright 2016 by Lonnie Abelbeck & Arno van Amersfoort ++# Homepage : http://rocky.eld.leidenuniv.nl/ ++# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l ++# (note: you must remove all spaces and substitute the @ and the . ++# at the proper locations!) ++# ------------------------------------------------------------------------------ ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# version 2 as published by the Free Software Foundation. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
++# ------------------------------------------------------------------------------ ++ ++# Plugin start function ++plugin_start() ++{ ++ ++ if [ "$NAT" = "1" ]; then ++ echo "${INDENT}Enable PPTP NAT helper module" ++ modprobe_multi nf_nat_pptp ip_nat_pptp ++ else ++ echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." ++ fi ++ ++ return 0 ++} ++ ++ ++# Plugin restart function ++plugin_restart() ++{ ++ ++ # Skip plugin_stop on a restart ++ plugin_start ++ ++ return 0 ++} ++ ++ ++# Plugin stop function ++plugin_stop() ++{ ++ ++ if [ "$NAT" = "1" ]; then ++ if [ -e /proc/modules -a -x "$MODPROBE" ]; then ++ if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then ++ $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 ++ fi ++ if [ $? -eq 0 ]; then ++ echo "${INDENT}Disabled PPTP NAT helper module" ++ fi ++ fi ++ fi ++ ++ return 0 ++} ++ ++ ++# Plugin status function ++plugin_status() ++{ ++ return 0 ++} ++ ++ ++# Check sanity of eg. environment ++plugin_sanity_check() ++{ ++ return 0 ++} ++ ++ ++############ ++# Mainline # ++############ ++ ++# Check where to find the config file ++CONF_FILE="" ++if [ -n "$PLUGIN_CONF_PATH" ]; then ++ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" ++fi ++ ++# Preinit to success: ++PLUGIN_RET_VAL=0 ++ ++# Check if the config file exists ++if [ ! -e "$CONF_FILE" ]; then ++ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 ++else ++ # Source the plugin config file ++ . "$CONF_FILE" ++ ++ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || ++ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || ++ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || ++ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then ++ # Show who we are: ++ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" ++ ++ # Increment indention ++ INDENT="$INDENT " ++ ++ # Only proceed if environment ok ++ if ! 
plugin_sanity_check; then ++ PLUGIN_RET_VAL=1 ++ else ++ case $PLUGIN_CMD in ++ start|'') plugin_start; PLUGIN_RET_VAL=$? ;; ++ restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; ++ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; ++ status ) plugin_status; PLUGIN_RET_VAL=$? ;; ++ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; ++ esac ++ fi ++ fi ++fi +diff --git a/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG +new file mode 100644 +index 0000000..042b789 +--- /dev/null ++++ b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG +@@ -0,0 +1,4 @@ ++Version 1.00 (January 9, 2016) ++----------------------------------- +++ Initial version ++ + Added: branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -0,0 +1,173 @@ +diff --git a/README b/README +index 093151a..93641a4 100644 +--- a/README ++++ b/README +@@ -480,6 +480,7 @@ INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic + INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming traffic + INT_INPUT_CHAIN - Internal-net INPUT chain + INT_OUTPUT_CHAIN - Internal-net OUTPUT chain ++LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain + LAN_INET_FORWARD_CHAIN - LAN to internet (external net) forward chain + POST_INPUT_CHAIN - This chain is always processed last(post) in the + INPUT chain +diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall +index b02a85f..67d79ec 100755 +--- a/bin/arno-iptables-firewall ++++ b/bin/arno-iptables-firewall +@@ -2263,6 +2263,72 @@ setup_int_input_chain() + } + + ++################################################## ++# Setup chain for the LAN-to-LAN forward traffic # ++################################################## ++setup_lan_lan_forward_chain() ++{ ++ echo " Setting up LAN->LAN policy" ++ ++ # TCP ports to ALLOW for certain Inter-LAN hosts ++ ################################################ ++ unset IFS ++ for rule in $LAN_LAN_HOST_OPEN_TCP; do ++ if parse_rule "$rule" LAN_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then ++ ++ echo " Allowing $shosts(LAN) to $dhosts(LAN) for TCP port(s): $ports" ++ ++ IFS=',' ++ for shost in `ip_range "$shosts"`; do ++ for dhost in `ip_range "$dhosts"`; do ++ for port in $ports; do ++ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT ++ done ++ done ++ done ++ fi ++ done ++ ++ # UDP ports to ALLOW for certain Inter-LAN hosts ++ ################################################ ++ unset IFS ++ for rule in $LAN_LAN_HOST_OPEN_UDP; do ++ if parse_rule "$rule" LAN_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then ++ ++ echo " Allowing $shosts(LAN) to $dhosts(LAN) for UDP port(s): $ports" ++ ++ IFS=',' ++ for shost in `ip_range 
"$shosts"`; do ++ for dhost in `ip_range "$dhosts"`; do ++ for port in $ports; do ++ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT ++ done ++ done ++ done ++ fi ++ done ++ ++ # IP protocol(s) to ALLOW for certain Inter-LAN hosts ++ ##################################################### ++ unset IFS ++ for rule in $LAN_LAN_HOST_OPEN_IP; do ++ if parse_rule "$rule" LAN_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then ++ ++ echo " Allowing $shosts(LAN) to $dhosts(LAN) for IP protocol(s): $protos" ++ ++ IFS=',' ++ for shost in `ip_range "$shosts"`; do ++ for dhost in `ip_range "$dhosts"`; do ++ for proto in $protos; do ++ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT ++ done ++ done ++ done ++ fi ++ done ++} ++ ++ + ################################################### + # Setup chain for the LAN-to-INET forward traffic # + ################################################### +@@ -4803,7 +4869,8 @@ setup_firewall_rules() + echo " Logging of denied LAN->INET FORWARD connections disabled" + fi + +- # Setup helper chain for the LAN: ++ # Setup helper chains for the LAN: ++ setup_lan_lan_forward_chain; + setup_lan_inet_forward_chain; + + IFS=' ,' +@@ -4813,6 +4880,12 @@ setup_firewall_rules() + # Always make subnets on the SAME interface trust each other + iptables -A FORWARD -i $iif -o $iif -j ACCEPT + ++ for output_if in $INT_IF; do ++ if [ "$iif" != "$output_if" ]; then ++ iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN ++ fi ++ done ++ + for eif in $EXT_IF; do + iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN + done +@@ -5035,6 +5108,7 @@ create_user_chains() + iptables -N DMZ_LAN_FORWARD_CHAIN + iptables -N INET_DMZ_FORWARD_CHAIN + iptables -N DMZ_INET_FORWARD_CHAIN ++ iptables -N LAN_LAN_FORWARD_CHAIN + iptables -N LAN_INET_FORWARD_CHAIN + + # Chains for the external interface +@@ -5091,6 +5165,7 @@ flush_user_chains() + iptables -F DMZ_LAN_FORWARD_CHAIN + iptables -F 
INET_DMZ_FORWARD_CHAIN + iptables -F DMZ_INET_FORWARD_CHAIN ++ iptables -F LAN_LAN_FORWARD_CHAIN + iptables -F LAN_INET_FORWARD_CHAIN + + # Chains for the external interface +diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf +index 2291916..73554d2 100644 +--- a/etc/arno-iptables-firewall/firewall.conf ++++ b/etc/arno-iptables-firewall/firewall.conf +@@ -696,6 +696,40 @@ LAN_HOST_DENY_IP="" + + + ############################################################################### ++# LAN_LAN_xxx = LAN->LAN access rules (forward) # ++############################################################################### ++ ++# Put in the following variables which LAN hosts you want to allow to certain ++# hosts/services on a different LAN (net). ++# ++# TCP/UDP form: ++# "SRCIP1,SRCIP2,...>DESTIP1~port \ ++# SRCIP3,...>DESTIP2~port" ++# ++# IP form: ++# "SRCIP1,SRCIP2,...>DESTIP1~protocol \ ++# SRCIP3,...>DESTIP2~protocol" ++# ++# TCP/UDP examples: ++# Simple (Allow port 80 to LAN host 1.2.3.4 from all other LAN hosts(0/0)): ++# LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80" ++# Advanced (Allow port 20 & 21 to LAN host 1.2.3.4 from all other LAN hosts (0/0) and ++# allow port 80 from LAN host 5.6.7.8 (only) to LAN host 1.2.3.4): ++# LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80" ++# ++# IP protocol example: ++# (Allow protocols 47 & 48 to LAN host 1.2.3.4 from all other LAN hosts(0/0)): ++# LAN_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48" ++# ++# NOTE 1: If no SRCIPx is specified, any source host is used ++# NOTE 2: If no port is specified, any port is used ++# ----------------------------------------------------------------------------- ++LAN_LAN_HOST_OPEN_TCP="" ++LAN_LAN_HOST_OPEN_UDP="" ++LAN_LAN_HOST_OPEN_IP="" ++ ++ ++############################################################################### + # LAN_INET_xxx = LAN->internet access rules (forward) # + # # + # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx 
variables are # Deleted: branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch 2016-06-10 13:54:37 UTC (rev 7715) +++ branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch 2016-06-11 20:31:25 UTC (rev 7716) @@ -1,11 +0,0 @@ ---- arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall.orig 2015-10-30 15:52:23.000000000 -0500 -+++ arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall 2015-10-30 16:00:37.000000000 -0500 -@@ -495,7 +495,7 @@ - sysctl_set_all "net.ipv6.conf" "forwarding" 1 - echo " Disabling Local IPv6 Auto-Configuration" - sysctl_set_all "net.ipv6.conf" "autoconf" 0 -- sysctl_set_all "net.ipv6.conf" "accept_ra" 0 -+ ## Setting accept_ra=0 is not needed with forwarding=1, don't overwrite any existing accept_ra=2 values - fi - elif [ "$IP_FORWARDING" = "0" ]; then - echo " DISABLING packet forwarding" Deleted: branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch 2016-06-10 13:54:37 UTC (rev 7715) +++ branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch 2016-06-11 20:31:25 UTC (rev 7716) 
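Review bot: The new `LAN_LAN_FORWARD_CHAIN` jump in `setup_firewall_rules` is emitted only under `if [ "$iif" != "$output_if" ]`, while the context line just above keeps `iptables -A FORWARD -i $iif -o $iif -j ACCEPT`, so the `LAN_LAN_HOST_OPEN_xxx` rules cannot restrict or affect traffic between subnets that share one internal interface; the new firewall.conf text says "a different LAN (net)", which a reader may take to include such subnets. A third note in that config comment would make the boundary explicit, e.g. `# NOTE 3: Only applies between different INT_IF interfaces; subnets on the same interface always trust each other`. As a point of style, the three `ip_range` loops in `setup_lan_lan_forward_chain` use backticks where `$(ip_range "$shosts")` nests and reads more cleanly, though the surrounding file may keep the older form. `setup_firewall_rules`, `create_user_chains` and `flush_user_chains` all begin outside this hunk.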
@@ -1,75 +0,0 @@ -From 7bd64927a401050769b7da18fd2ae52370cc2390 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sat, 13 Feb 2016 16:16:16 -0600 -Subject: [PATCH] changed: added support for ICMPv6 Multicast Listener - Discovery, disabled by default with OPEN_ICMPV6_MLD=0. Additionally make sure - all un-needed ICMPv6 packets are dropped so they don't appear as annoying - logs, more common with native IPv6 support by ISP's. Thanks to David Kerr for - pointing out the issue and testing a solution. - ---- - bin/arno-iptables-firewall | 10 ++++++++++ - etc/arno-iptables-firewall/firewall.conf | 6 ++++++ - share/arno-iptables-firewall/environment | 4 ++++ - 3 files changed, 20 insertions(+) - -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index f5095a5..b02a85f 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4574,6 +4574,11 @@ setup_firewall_rules() - for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do - ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT - done -+ if [ "$OPEN_ICMPV6_MLD" = "1" ]; then -+ for icmpv6_type in $ICMPV6_MLD_TYPES; do -+ ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT -+ done -+ fi - fi - - # Apply external (internet) interface policy for the input chain: -@@ -4592,6 +4597,11 @@ setup_firewall_rules() - - # ICMP traffic (flood) - iptables -A INPUT -i $interface -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN -+ -+ # Drop any remaining ICMPv6 traffic -+ if [ "$IPV6_SUPPORT" = "1" ]; then -+ ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN -+ fi - done - - -diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf -index 9e80e20..2291916 100644 ---- a/etc/arno-iptables-firewall/firewall.conf -+++ b/etc/arno-iptables-firewall/firewall.conf -@@ -1158,6 +1158,12 @@ OPEN_ICMP=0 - # 
----------------------------------------------------------------------------- - OPEN_ICMPV6=1 - -+# Enable (1) to make the default policy allow IPv6 ICMPv6 -+# Multicast Listener Discovery (RFC 2710, 3810) for INET access -+# Note: Requires setting OPEN_ICMPV6=1 to apply. -+# ----------------------------------------------------------------------------- -+OPEN_ICMPV6_MLD=0 -+ - # Put in the following variables which ports or IP protocols you want to leave - # open to the whole world. - # ----------------------------------------------------------------------------- -diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment -index 5728e4c..616c29c 100644 ---- a/share/arno-iptables-firewall/environment -+++ b/share/arno-iptables-firewall/environment -@@ -1698,6 +1698,10 @@ fi - ###################################################################### - ICMPV6_SPECIAL_TYPES="133 134 135 136" - -+# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810) -+###################################################################### -+ICMPV6_MLD_TYPES="130 131 132 143" -+ - # Check plugin bin path and fallback in case it's empty - ####################################################### - if [ -z "$PLUGIN_BIN_PATH" ]; then Deleted: branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch 2016-06-10 13:54:37 UTC (rev 7715) +++ branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -1,186 +0,0 @@ -From ade2e3fd17771b861f97dd3adb5307e4da16dc4e Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sat, 9 Jan 2016 10:04:46 -0600 -Subject: [PATCH] added: PPTP VPN Passthrough plugin, Issue #27 - ---- - .../plugins/pptp-vpn-passthrough.conf | 14 +++ - .../plugins/50pptp-vpn-passthrough.plugin | 135 +++++++++++++++++++++ - .../plugins/pptp-vpn-passthrough.CHANGELOG | 4 + - 3 files changed, 153 insertions(+) - create mode 100644 etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf - create mode 100644 share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin - create mode 100644 share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG - -diff --git a/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf -new file mode 100644 -index 0000000..250bc0d ---- /dev/null -+++ b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf -@@ -0,0 +1,14 @@ -+# ------------------------------------------------------------------------------ -+# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- -+# ------------------------------------------------------------------------------ -+ -+# To actually enable this plugin make ENABLED=1: -+# ------------------------------------------------------------------------------ -+ENABLED=0 -+ -+# PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients -+# have NAT between them and the PPTP VPN server special packet handling must be performed. -+# This plugin loads the required Linux Kernel modules to handle that situation. 
-+# -+# No configuration options -+# ------------------------------------------------------------------------------ -diff --git a/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin -new file mode 100644 -index 0000000..379a1dd ---- /dev/null -+++ b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin -@@ -0,0 +1,135 @@ -+# ------------------------------------------------------------------------------ -+# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- -+# -+PLUGIN_NAME="PPTP VPN Passthrough plugin" -+PLUGIN_VERSION="1.00" -+PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" -+# -+# Last changed : January 9, 2016 -+# Requirements : AIF 2.0.0+ and ip_nat_pptp -+# Comments : This plugin loads the required kernel modules for PPTP VPN Clients -+# to access remote PPTP VPN Server(s) when NAT is enabled. -+# -+# Author : (C) Copyright 2016 by Lonnie Abelbeck & Arno van Amersfoort -+# Homepage : http://rocky.eld.leidenuniv.nl/ -+# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l -+# (note: you must remove all spaces and substitute the @ and the . -+# at the proper locations!) -+# ------------------------------------------------------------------------------ -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of the GNU General Public License -+# version 2 as published by the Free Software Foundation. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
-+# ------------------------------------------------------------------------------ -+ -+# Plugin start function -+plugin_start() -+{ -+ -+ if [ "$NAT" = "1" ]; then -+ echo "${INDENT}Enable PPTP NAT helper module" -+ modprobe_multi nf_nat_pptp ip_nat_pptp -+ else -+ echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." -+ fi -+ -+ return 0 -+} -+ -+ -+# Plugin restart function -+plugin_restart() -+{ -+ -+ # Skip plugin_stop on a restart -+ plugin_start -+ -+ return 0 -+} -+ -+ -+# Plugin stop function -+plugin_stop() -+{ -+ -+ if [ "$NAT" = "1" ]; then -+ if [ -e /proc/modules -a -x "$MODPROBE" ]; then -+ if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then -+ $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 -+ fi -+ if [ $? -eq 0 ]; then -+ echo "${INDENT}Disabled PPTP NAT helper module" -+ fi -+ fi -+ fi -+ -+ return 0 -+} -+ -+ -+# Plugin status function -+plugin_status() -+{ -+ return 0 -+} -+ -+ -+# Check sanity of eg. environment -+plugin_sanity_check() -+{ -+ return 0 -+} -+ -+ -+############ -+# Mainline # -+############ -+ -+# Check where to find the config file -+CONF_FILE="" -+if [ -n "$PLUGIN_CONF_PATH" ]; then -+ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" -+fi -+ -+# Preinit to success: -+PLUGIN_RET_VAL=0 -+ -+# Check if the config file exists -+if [ ! -e "$CONF_FILE" ]; then -+ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 -+else -+ # Source the plugin config file -+ . "$CONF_FILE" -+ -+ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || -+ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || -+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || -+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then -+ # Show who we are: -+ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" -+ -+ # Increment indention -+ INDENT="$INDENT " -+ -+ # Only proceed if environment ok -+ if ! 
plugin_sanity_check; then -+ PLUGIN_RET_VAL=1 -+ else -+ case $PLUGIN_CMD in -+ start|'') plugin_start; PLUGIN_RET_VAL=$? ;; -+ restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; -+ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; -+ status ) plugin_status; PLUGIN_RET_VAL=$? ;; -+ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; -+ esac -+ fi -+ fi -+fi -diff --git a/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG -new file mode 100644 -index 0000000..042b789 ---- /dev/null -+++ b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG -@@ -0,0 +1,4 @@ -+Version 1.00 (January 9, 2016) -+----------------------------------- -++ Initial version -+ - Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2016-06-10 13:54:37 UTC (rev 7715) +++ branches/1.0/package/arnofw/arnofw.serial 2016-06-11 20:31:25 UTC (rev 7716) @@ -1 +1 @@ -0002~0026~0000~0000~0000~ +0002~0027~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2016-07-12 15:57:53
Revision: 7751 http://sourceforge.net/p/astlinux/code/7751 Author: abelbeck Date: 2016-07-12 15:57:50 +0000 (Tue, 12 Jul 2016) Log Message: ----------- arnofw, add support for new NAT_IF variable in AIF, tracks EXT_IF interfaces that are NAT'ed Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.wrapper branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh Modified: branches/1.0/package/arnofw/arnofw.wrapper =================================================================== --- branches/1.0/package/arnofw/arnofw.wrapper 2016-07-11 13:55:09 UTC (rev 7750) +++ branches/1.0/package/arnofw/arnofw.wrapper 2016-07-12 15:57:50 UTC (rev 7751) @@ -160,17 +160,22 @@ if [ -z "$PPPOEIF" ]; then EXT_IF="" + NAT_IF="" unset IFS for intf in $EXTIF $EXT2IF; do EXT_IF="$EXT_IF${EXT_IF:+ }$intf" + NAT_IF="$NAT_IF${NAT_IF:+ }$intf" done else EXT_IF="${PPPOE_EXTIF:-ppp+}" + NAT_IF="${PPPOE_EXTIF:-ppp+}" unset IFS for intf in $EXTIF $EXT2IF; do case "$intf" in ppp[0-9]*) ;; - *) EXT_IF="$EXT_IF $intf" ;; + *) EXT_IF="$EXT_IF $intf" + NAT_IF="$NAT_IF $intf" + ;; esac done fi Modified: branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh =================================================================== --- branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh 2016-07-11 13:55:09 UTC (rev 7750) +++ branches/1.0/package/arnofw/miniupnpd/50miniupnpd.plugin.sh 2016-07-12 15:57:50 UTC (rev 7751) 
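Review bot: NAT_IF is appended in lock-step with EXT_IF in both branches of the `if [ -z "$PPPOEIF" ]` block, so as this hunk stands the two variables always end up holding the same list and a reader cannot tell where they are meant to diverge. Unless a later line outside the hunk narrows NAT_IF (the enclosing code continues past it), the duplicated appends could collapse to a single assignment after the `fi`, `NAT_IF="$EXT_IF"  # EXT_IF interfaces that are NAT'ed; identical to EXT_IF unless narrowed`. The "tracks EXT_IF interfaces that are NAT'ed" intent from the log message belongs in a comment above the block either way, since the consumer of this variable silently falls back to EXT_IF when it is missing and nothing in the wrapper says which interfaces are expected to be excluded.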
@@ -2,14 +2,14 @@ # -= Arno's iptables firewall - MiniUPnPd plugin =- # PLUGIN_NAME="MiniUPnPd plugin" -PLUGIN_VERSION="1.0" +PLUGIN_VERSION="1.01" PLUGIN_CONF_FILE="miniupnpd.conf" # -# Last changed : July 6, 2012 +# Last changed : July 12, 2016 # Requirements : AIF 2.0.0+ with miniupnpd daemon # Comments : Setup of the iptables chains that the miniupnpd daemon manages # -# Author : (C) Copyright 2012 by Lonnie Abelbeck & Arno van Amersfoort +# Author : (C) Copyright 2012-2016 by Lonnie Abelbeck & Arno van Amersfoort # Homepage : http://rocky.eld.leidenuniv.nl/ # Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151 # Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l @@ -67,7 +67,7 @@ # Reconnect both MINIUPNPD chains, flushed on a restart IFS=' ,' - for eif in $EXT_IF; do + for eif in ${NAT_IF:-$EXT_IF}; do ip4tables -t nat -A POST_NAT_PREROUTING_CHAIN -i $eif -j MINIUPNPD ip4tables -A POST_FORWARD_CHAIN -i $eif ! -o $eif -j MINIUPNPD @@ -89,7 +89,7 @@ fi IFS=' ,' - for eif in $EXT_IF; do + for eif in ${NAT_IF:-$EXT_IF}; do ip4tables -t nat -D POST_NAT_PREROUTING_CHAIN -i $eif -j MINIUPNPD ip4tables -D POST_FORWARD_CHAIN -i $eif ! -o $eif -j MINIUPNPD This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
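Review bot: `${NAT_IF:-$EXT_IF}` in the two loops (hunks at lines 67 and 89) substitutes EXT_IF when NAT_IF is set but empty, not only when it is unset, so an explicitly empty NAT_IF meaning "no NAT'ed external interfaces" would still attach the MINIUPNPD chains, and therefore UPnP-opened inbound ports, to every external interface. If the fallback only exists for an AIF that never defines NAT_IF, `${NAT_IF-$EXT_IF}` expresses exactly that and keeps an empty list meaning none; if the firewall environment is known to initialise NAT_IF to an empty string when nothing is configured, keep `:-` but state it, e.g. `# NAT_IF lists the NAT'ed EXT_IF interfaces; fall back to EXT_IF when AIF does not provide it`. The header hunk still advertises `Requirements : AIF 2.0.0+`, which is only true because of that fallback, so the same sentence is worth adding there. Both loops sit in functions that begin and end outside the hunks.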
From: <abe...@us...> - 2016-07-13 19:31:58
Revision: 7753 http://sourceforge.net/p/astlinux/code/7753 Author: abelbeck Date: 2016-07-13 19:31:55 +0000 (Wed, 13 Jul 2016) Log Message: ----------- arnofw, version bump to 2.0.1g-RC1, remove all our patches Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch Deleted: branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,11 +0,0 @@ ---- arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall.orig 2015-10-30 15:52:23.000000000 -0500 -+++ arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall 2015-10-30 16:00:37.000000000 -0500 -@@ -495,7 +495,7 @@ - sysctl_set_all "net.ipv6.conf" "forwarding" 1 - echo " Disabling Local IPv6 Auto-Configuration" - sysctl_set_all "net.ipv6.conf" "autoconf" 0 -- sysctl_set_all "net.ipv6.conf" "accept_ra" 0 -+ ## Setting accept_ra=0 is not needed with forwarding=1, don't overwrite any existing accept_ra=2 values - fi - elif [ "$IP_FORWARDING" = "0" ]; then - echo " DISABLING packet forwarding" Deleted: branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,75 +0,0 @@ -From 7bd64927a401050769b7da18fd2ae52370cc2390 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sat, 13 Feb 2016 16:16:16 -0600 -Subject: [PATCH] changed: added support for ICMPv6 Multicast Listener - Discovery, disabled by default with OPEN_ICMPV6_MLD=0. Additionally make sure - all un-needed ICMPv6 packets are dropped so they don't appear as annoying - logs, more common with native IPv6 support by ISP's. Thanks to David Kerr for - pointing out the issue and testing a solution. - ---- - bin/arno-iptables-firewall | 10 ++++++++++ - etc/arno-iptables-firewall/firewall.conf | 6 ++++++ - share/arno-iptables-firewall/environment | 4 ++++ - 3 files changed, 20 insertions(+) - -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index f5095a5..b02a85f 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4574,6 +4574,11 @@ setup_firewall_rules() - for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do - ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT - done -+ if [ "$OPEN_ICMPV6_MLD" = "1" ]; then -+ for icmpv6_type in $ICMPV6_MLD_TYPES; do -+ ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT -+ done -+ fi - fi - - # Apply external (internet) interface policy for the input chain: -@@ -4592,6 +4597,11 @@ setup_firewall_rules() - - # ICMP traffic (flood) - iptables -A INPUT -i $interface -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN -+ -+ # Drop any remaining ICMPv6 traffic -+ if [ "$IPV6_SUPPORT" = "1" ]; then -+ ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN -+ fi - done - - -diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf -index 9e80e20..2291916 100644 ---- a/etc/arno-iptables-firewall/firewall.conf -+++ b/etc/arno-iptables-firewall/firewall.conf -@@ -1158,6 +1158,12 @@ OPEN_ICMP=0 - # 
----------------------------------------------------------------------------- - OPEN_ICMPV6=1 - -+# Enable (1) to make the default policy allow IPv6 ICMPv6 -+# Multicast Listener Discovery (RFC 2710, 3810) for INET access -+# Note: Requires setting OPEN_ICMPV6=1 to apply. -+# ----------------------------------------------------------------------------- -+OPEN_ICMPV6_MLD=0 -+ - # Put in the following variables which ports or IP protocols you want to leave - # open to the whole world. - # ----------------------------------------------------------------------------- -diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment -index 5728e4c..616c29c 100644 ---- a/share/arno-iptables-firewall/environment -+++ b/share/arno-iptables-firewall/environment -@@ -1698,6 +1698,10 @@ fi - ###################################################################### - ICMPV6_SPECIAL_TYPES="133 134 135 136" - -+# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810) -+###################################################################### -+ICMPV6_MLD_TYPES="130 131 132 143" -+ - # Check plugin bin path and fallback in case it's empty - ####################################################### - if [ -z "$PLUGIN_BIN_PATH" ]; then Deleted: branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,186 +0,0 @@ -From ade2e3fd17771b861f97dd3adb5307e4da16dc4e Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sat, 9 Jan 2016 10:04:46 -0600 -Subject: [PATCH] added: PPTP VPN Passthrough plugin, Issue #27 - ---- - .../plugins/pptp-vpn-passthrough.conf | 14 +++ - .../plugins/50pptp-vpn-passthrough.plugin | 135 +++++++++++++++++++++ - .../plugins/pptp-vpn-passthrough.CHANGELOG | 4 + - 3 files changed, 153 insertions(+) - create mode 100644 etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf - create mode 100644 share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin - create mode 100644 share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG - -diff --git a/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf -new file mode 100644 -index 0000000..250bc0d ---- /dev/null -+++ b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf -@@ -0,0 +1,14 @@ -+# ------------------------------------------------------------------------------ -+# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- -+# ------------------------------------------------------------------------------ -+ -+# To actually enable this plugin make ENABLED=1: -+# ------------------------------------------------------------------------------ -+ENABLED=0 -+ -+# PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients -+# have NAT between them and the PPTP VPN server special packet handling must be performed. -+# This plugin loads the required Linux Kernel modules to handle that situation. 
-+# -+# No configuration options -+# ------------------------------------------------------------------------------ -diff --git a/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin -new file mode 100644 -index 0000000..379a1dd ---- /dev/null -+++ b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin -@@ -0,0 +1,135 @@ -+# ------------------------------------------------------------------------------ -+# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- -+# -+PLUGIN_NAME="PPTP VPN Passthrough plugin" -+PLUGIN_VERSION="1.00" -+PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" -+# -+# Last changed : January 9, 2016 -+# Requirements : AIF 2.0.0+ and ip_nat_pptp -+# Comments : This plugin loads the required kernel modules for PPTP VPN Clients -+# to access remote PPTP VPN Server(s) when NAT is enabled. -+# -+# Author : (C) Copyright 2016 by Lonnie Abelbeck & Arno van Amersfoort -+# Homepage : http://rocky.eld.leidenuniv.nl/ -+# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l -+# (note: you must remove all spaces and substitute the @ and the . -+# at the proper locations!) -+# ------------------------------------------------------------------------------ -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of the GNU General Public License -+# version 2 as published by the Free Software Foundation. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
-+# ------------------------------------------------------------------------------ -+ -+# Plugin start function -+plugin_start() -+{ -+ -+ if [ "$NAT" = "1" ]; then -+ echo "${INDENT}Enable PPTP NAT helper module" -+ modprobe_multi nf_nat_pptp ip_nat_pptp -+ else -+ echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." -+ fi -+ -+ return 0 -+} -+ -+ -+# Plugin restart function -+plugin_restart() -+{ -+ -+ # Skip plugin_stop on a restart -+ plugin_start -+ -+ return 0 -+} -+ -+ -+# Plugin stop function -+plugin_stop() -+{ -+ -+ if [ "$NAT" = "1" ]; then -+ if [ -e /proc/modules -a -x "$MODPROBE" ]; then -+ if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then -+ $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 -+ fi -+ if [ $? -eq 0 ]; then -+ echo "${INDENT}Disabled PPTP NAT helper module" -+ fi -+ fi -+ fi -+ -+ return 0 -+} -+ -+ -+# Plugin status function -+plugin_status() -+{ -+ return 0 -+} -+ -+ -+# Check sanity of eg. environment -+plugin_sanity_check() -+{ -+ return 0 -+} -+ -+ -+############ -+# Mainline # -+############ -+ -+# Check where to find the config file -+CONF_FILE="" -+if [ -n "$PLUGIN_CONF_PATH" ]; then -+ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" -+fi -+ -+# Preinit to success: -+PLUGIN_RET_VAL=0 -+ -+# Check if the config file exists -+if [ ! -e "$CONF_FILE" ]; then -+ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 -+else -+ # Source the plugin config file -+ . "$CONF_FILE" -+ -+ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || -+ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || -+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || -+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then -+ # Show who we are: -+ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" -+ -+ # Increment indention -+ INDENT="$INDENT " -+ -+ # Only proceed if environment ok -+ if ! 
plugin_sanity_check; then -+ PLUGIN_RET_VAL=1 -+ else -+ case $PLUGIN_CMD in -+ start|'') plugin_start; PLUGIN_RET_VAL=$? ;; -+ restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; -+ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; -+ status ) plugin_status; PLUGIN_RET_VAL=$? ;; -+ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; -+ esac -+ fi -+ fi -+fi -diff --git a/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG -new file mode 100644 -index 0000000..042b789 ---- /dev/null -+++ b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG -@@ -0,0 +1,4 @@ -+Version 1.00 (January 9, 2016) -+----------------------------------- -++ Initial version -+ - Deleted: branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,253 +0,0 @@ -diff --git a/README b/README -index 093151a..802ce61 100644 ---- a/README -+++ b/README -@@ -480,6 +480,7 @@ INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic - INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming traffic - INT_INPUT_CHAIN - Internal-net INPUT chain - INT_OUTPUT_CHAIN - Internal-net OUTPUT chain -+LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain (AIF private use only) - LAN_INET_FORWARD_CHAIN - LAN to internet (external net) forward chain - POST_INPUT_CHAIN - This chain is always processed last(post) in the - INPUT chain -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index b02a85f..beee62d 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -2263,6 +2263,79 @@ setup_int_input_chain() - } - - -+################################################## -+# Setup chain for the LAN-to-LAN forward traffic # -+################################################## -+setup_lan_lan_forward_chain() -+{ -+ local rtn_val=1 -+ -+ echo " Setting up LAN->LAN policy" -+ -+ # TCP ports to ALLOW for certain Inter-LAN hosts -+ ################################################ -+ unset IFS -+ for rule in $LAN_LAN_HOST_OPEN_TCP; do -+ if parse_rule "$rule" LAN_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then -+ -+ echo " Allowing $shosts(LAN) to $dhosts(LAN) for TCP port(s): $ports" -+ -+ IFS=',' -+ for shost in `ip_range "$shosts"`; do -+ for dhost in `ip_range "$dhosts"`; do -+ for port in $ports; do -+ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT -+ rtn_val=0 -+ done -+ done -+ done -+ fi -+ done -+ -+ # UDP ports to ALLOW for certain Inter-LAN hosts -+ ################################################ -+ unset IFS -+ for rule in $LAN_LAN_HOST_OPEN_UDP; do -+ if parse_rule "$rule" LAN_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then -+ -+ echo " Allowing $shosts(LAN) to $dhosts(LAN) for UDP port(s): 
$ports" -+ -+ IFS=',' -+ for shost in `ip_range "$shosts"`; do -+ for dhost in `ip_range "$dhosts"`; do -+ for port in $ports; do -+ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT -+ rtn_val=0 -+ done -+ done -+ done -+ fi -+ done -+ -+ # IP protocol(s) to ALLOW for certain Inter-LAN hosts -+ ##################################################### -+ unset IFS -+ for rule in $LAN_LAN_HOST_OPEN_IP; do -+ if parse_rule "$rule" LAN_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then -+ -+ echo " Allowing $shosts(LAN) to $dhosts(LAN) for IP protocol(s): $protos" -+ -+ IFS=',' -+ for shost in `ip_range "$shosts"`; do -+ for dhost in `ip_range "$dhosts"`; do -+ for proto in $protos; do -+ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT -+ rtn_val=0 -+ done -+ done -+ done -+ fi -+ done -+ -+ return $rtn_val -+} -+ -+ - ################################################### - # Setup chain for the LAN-to-INET forward traffic # - ################################################### -@@ -4803,7 +4876,10 @@ setup_firewall_rules() - echo " Logging of denied LAN->INET FORWARD connections disabled" - fi - -- # Setup helper chain for the LAN: -+ # Setup helper chains for the LAN: -+ setup_lan_lan_forward_chain; -+ lan_lan_forward_result=$? 
-+ - setup_lan_inet_forward_chain; - - IFS=' ,' -@@ -4813,10 +4889,20 @@ setup_firewall_rules() - # Always make subnets on the SAME interface trust each other - iptables -A FORWARD -i $iif -o $iif -j ACCEPT - -+ # Optimize by only adding to FORWARD if LAN_LAN_FORWARD_CHAIN contains rules -+ if [ $lan_lan_forward_result -eq 0 ]; then -+ for output_if in $INT_IF; do -+ if [ "$iif" != "$output_if" ]; then -+ iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN -+ fi -+ done -+ fi -+ - for eif in $EXT_IF; do - iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN - done - done -+ unset lan_lan_forward_result - fi - - -@@ -5035,6 +5121,7 @@ create_user_chains() - iptables -N DMZ_LAN_FORWARD_CHAIN - iptables -N INET_DMZ_FORWARD_CHAIN - iptables -N DMZ_INET_FORWARD_CHAIN -+ iptables -N LAN_LAN_FORWARD_CHAIN - iptables -N LAN_INET_FORWARD_CHAIN - - # Chains for the external interface -@@ -5091,6 +5178,7 @@ flush_user_chains() - iptables -F DMZ_LAN_FORWARD_CHAIN - iptables -F INET_DMZ_FORWARD_CHAIN - iptables -F DMZ_INET_FORWARD_CHAIN -+ iptables -F LAN_LAN_FORWARD_CHAIN - iptables -F LAN_INET_FORWARD_CHAIN - - # Chains for the external interface -diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf -index 2291916..73554d2 100644 ---- a/etc/arno-iptables-firewall/firewall.conf -+++ b/etc/arno-iptables-firewall/firewall.conf -@@ -696,6 +696,40 @@ LAN_HOST_DENY_IP="" - - - ############################################################################### -+# LAN_LAN_xxx = LAN->LAN access rules (forward) # -+############################################################################### -+ -+# Put in the following variables which LAN hosts you want to allow to certain -+# hosts/services on a different LAN (net). 
-+# -+# TCP/UDP form: -+# "SRCIP1,SRCIP2,...>DESTIP1~port \ -+# SRCIP3,...>DESTIP2~port" -+# -+# IP form: -+# "SRCIP1,SRCIP2,...>DESTIP1~protocol \ -+# SRCIP3,...>DESTIP2~protocol" -+# -+# TCP/UDP examples: -+# Simple (Allow port 80 to LAN host 1.2.3.4 from all other LAN hosts(0/0)): -+# LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80" -+# Advanced (Allow port 20 & 21 to LAN host 1.2.3.4 from all other LAN hosts (0/0) and -+# allow port 80 from LAN host 5.6.7.8 (only) to LAN host 1.2.3.4): -+# LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80" -+# -+# IP protocol example: -+# (Allow protocols 47 & 48 to LAN host 1.2.3.4 from all other LAN hosts(0/0)): -+# LAN_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48" -+# -+# NOTE 1: If no SRCIPx is specified, any source host is used -+# NOTE 2: If no port is specified, any port is used -+# ----------------------------------------------------------------------------- -+LAN_LAN_HOST_OPEN_TCP="" -+LAN_LAN_HOST_OPEN_UDP="" -+LAN_LAN_HOST_OPEN_IP="" -+ -+ -+############################################################################### - # LAN_INET_xxx = LAN->internet access rules (forward) # - # # - # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are # - - -From dd4ac2ea35da58eb625a3e1bb87dc707044f13a6 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Wed, 22 Jun 2016 14:55:37 -0500 -Subject: [PATCH] removed: unused INT_FORWARD_IN_CHAIN and - INT_FORWARD_OUT_CHAIN user chains, related #28 - ---- - README | 2 -- - bin/arno-iptables-firewall | 12 ------------ - 2 files changed, 14 deletions(-) - -diff --git a/README b/README -index 802ce61..3f88069 100644 ---- a/README -+++ b/README -@@ -476,8 +476,6 @@ HOST_BLOCK_DST - Chain containing the list of destination based - blocked hosts - HOST_BLOCK_SRC - Chain containing the list of source based blocked - hosts --INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic --INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming 
traffic - INT_INPUT_CHAIN - Internal-net INPUT chain - INT_OUTPUT_CHAIN - Internal-net OUTPUT chain - LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain (AIF private use only) -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index beee62d..99735ee 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4769,14 +4769,6 @@ setup_firewall_rules() - iptables -A FORWARD -o $eif -j EXT_FORWARD_OUT_CHAIN - done - -- # Source the IN/OUT chains for the internal interface(s) -- ######################################################## -- IFS=' ,' -- for iif in $INT_IF; do -- iptables -A FORWARD -i $iif -j INT_FORWARD_IN_CHAIN -- iptables -A FORWARD -o $iif -j INT_FORWARD_OUT_CHAIN -- done -- - # Source the IN/OUT chains for the dmz interface(s) - ######################################################## - IFS=' ,' -@@ -5135,8 +5127,6 @@ create_user_chains() - - # INT(LAN) chains - iptables -N INT_INPUT_CHAIN -- iptables -N INT_FORWARD_IN_CHAIN -- iptables -N INT_FORWARD_OUT_CHAIN - iptables -N INT_OUTPUT_CHAIN - - # DMZ chains -@@ -5192,8 +5182,6 @@ flush_user_chains() - - # INT(LAN) chains - iptables -F INT_INPUT_CHAIN -- iptables -F INT_FORWARD_IN_CHAIN -- iptables -F INT_FORWARD_OUT_CHAIN - iptables -F INT_OUTPUT_CHAIN - - # DMZ chains Deleted: branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw-0005-add-LAN_DMZ_ALLOW_IF.patch 2016-07-13 19:31:55 UTC (rev 7753) 
@@ -1,46 +0,0 @@ -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index 0cb5cba..d825c0b 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4814,6 +4814,8 @@ setup_firewall_rules() - setup_dmz_inet_forward_chain; - setup_dmz_lan_forward_chain; - -+ echo " Allowing LAN->DMZ for LAN interface(s): ${LAN_DMZ_ALLOW_IF:-$INT_IF}" -+ - IFS=' ,' - for dif in $DMZ_IF; do - echo "Applying DMZ FORWARD policy to interface: $dif" -@@ -4834,8 +4836,13 @@ setup_firewall_rules() - # Apply policy for DMZ->LAN - iptables -A FORWARD -i $dif -o $iif -j DMZ_LAN_FORWARD_CHAIN - -- # Apply policy for LAN->DMZ (allow all) -- iptables -A FORWARD -i $iif -o $dif -j ACCEPT -+ # Apply policy for LAN->DMZ (allow all INT_IF when LAN_DMZ_ALLOW_IF is not defined) -+ for interface in ${LAN_DMZ_ALLOW_IF:-$INT_IF}; do -+ if [ "$iif" = "$interface" ]; then -+ iptables -A FORWARD -i $iif -o $dif -j ACCEPT -+ break -+ fi -+ done - done - done - fi -diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf -index 83ef1dc..6d3bd19 100644 ---- a/etc/arno-iptables-firewall/firewall.conf -+++ b/etc/arno-iptables-firewall/firewall.conf -@@ -125,6 +125,12 @@ DMZ_IF="" - # ----------------------------------------------------------------------------- - DMZ_NET="" - -+# Specify the LAN (INT_IF) interfaces that are allowed full access to the -+# DMZ interface(s). (LAN to DMZ forwarding policy) -+# If LAN_DMZ_ALLOW_IF is not defined, all the INT_IF interfaces will be allowed. -+# ----------------------------------------------------------------------------- -+LAN_DMZ_ALLOW_IF="" -+ - # Set this variable to 0 to disable antispoof checking for the dmz nets - # (EXPERT SETTING!) 
- # ----------------------------------------------------------------------------- Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2016-07-12 17:02:11 UTC (rev 7752) +++ branches/1.0/package/arnofw/arnofw.mk 2016-07-13 19:31:55 UTC (rev 7753) @@ -3,11 +3,11 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER := 2.0.1f +ARNOFW_VER := 2.0.1g-RC1 ARNOFW_ROOT := arno-iptables-firewall ARNOFW_SOURCE := $(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz -ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall -#ARNOFW_SITE := http://files.astlinux-project.org +#ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall +ARNOFW_SITE := http://files.astlinux-project.org ARNOFW_DIR := $(BUILD_DIR)/$(ARNOFW_ROOT)_$(ARNOFW_VER) ARNOFW_CAT := zcat ARNOFW_TARGET_BINARY := /usr/sbin/arno-iptables-firewall This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2016-09-10 16:31:30
Revision: 7828 http://sourceforge.net/p/astlinux/code/7828 Author: abelbeck Date: 2016-09-10 16:31:27 +0000 (Sat, 10 Sep 2016) Log Message: ----------- arnofw, version bump to 2.0.1g-RC2, added support for 'ipset' Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.wrapper Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2016-09-09 17:09:18 UTC (rev 7827) +++ branches/1.0/package/arnofw/arnofw.mk 2016-09-10 16:31:27 UTC (rev 7828) @@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER := 2.0.1g-RC1 +ARNOFW_VER := 2.0.1g-RC2 ARNOFW_ROOT := arno-iptables-firewall ARNOFW_SOURCE := $(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz #ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall Modified: branches/1.0/package/arnofw/arnofw.wrapper =================================================================== --- branches/1.0/package/arnofw/arnofw.wrapper 2016-09-09 17:09:18 UTC (rev 7827) +++ branches/1.0/package/arnofw/arnofw.wrapper 2016-09-10 16:31:27 UTC (rev 7828) @@ -155,6 +155,8 @@ { local intf lan lans extCIDR ovpnIF ovpnIP ovpnNM allowif allowifs denyif count IFS + IPTABLES_IPSET=1 + MANGLE_TOS=0 if [ "$IPV6" = "yes" ]; then This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2016-09-14 18:15:58
Revision: 7832 http://sourceforge.net/p/astlinux/code/7832 Author: abelbeck Date: 2016-09-14 18:15:56 +0000 (Wed, 14 Sep 2016) Log Message: ----------- arnofw, version bump to 2.0.1g-RC3, added BLOCK_NETSET_DIR which efficiently creates ipset's for blocklists using .netset files. Additionally added reload-blocklist-netset script to generate the .netset files Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk Added Paths: ----------- branches/1.0/package/arnofw/reload-blocklist-netset Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-0001-handle-ipset-errors.patch Deleted: branches/1.0/package/arnofw/arnofw-0001-handle-ipset-errors.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0001-handle-ipset-errors.patch 2016-09-11 19:08:52 UTC (rev 7831) +++ branches/1.0/package/arnofw/arnofw-0001-handle-ipset-errors.patch 2016-09-14 18:15:56 UTC (rev 7832) 
@@ -1,81 +0,0 @@ -From d06e18113b683ff6b19810eae25db5e4dd11ce2e Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sun, 11 Sep 2016 13:26:55 -0500 -Subject: [PATCH] added: handle errors for ipset BLOCK_HOSTS and - BLOCK_HOSTS_FILE - ---- - bin/arno-iptables-firewall | 30 +++++++++++++++++++++++++++--- - 1 file changed, 27 insertions(+), 3 deletions(-) - -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index aacf489..0e8739b 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4158,7 +4158,7 @@ setup_output_log() - ###################################### - setup_hostblock_chain() - { -- local hashsize maxelem -+ local hashsize maxelem swap4_err=0 swap6_err=0 - - if iptables -F HOST_BLOCK_SRC 2>&1 |grep -q "No chain" || \ - iptables -F HOST_BLOCK_DST 2>&1 |grep -q "No chain"; then -@@ -4216,10 +4216,18 @@ if ipset_check; then - case $? in - 4) - ipset add -exist aif_blocklist_tmp $host -+ if [ $? -ne 0 ]; then -+ swap4_err=1 -+ RULE_WARNING=$((RULE_WARNING + 1)) -+ fi - ;; - 6) - if [ "$IPV6_SUPPORT" = "1" ]; then - ipset add -exist aif_blocklist6_tmp $host -+ if [ $? -ne 0 ]; then -+ swap6_err=1 -+ RULE_WARNING=$((RULE_WARNING + 1)) -+ fi - fi - ;; - esac -@@ -4273,9 +4281,17 @@ if ipset_check; then - echo "$total_cnt host line(s) read" - - ipset restore < "$IP4TABLES_BATCH_FILE" -+ if [ $? -ne 0 ]; then -+ swap4_err=1 -+ RULE_WARNING=$((RULE_WARNING + 1)) -+ fi - rm -f "$IP4TABLES_BATCH_FILE" - if [ "$IPV6_SUPPORT" = "1" ]; then - ipset restore < "$IP6TABLES_BATCH_FILE" -+ if [ $? 
-ne 0 ]; then -+ swap6_err=1 -+ RULE_WARNING=$((RULE_WARNING + 1)) -+ fi - rm -f "$IP6TABLES_BATCH_FILE" - fi - else -@@ -4283,10 +4299,18 @@ if ipset_check; then - fi - fi - -- ipset swap aif_blocklist aif_blocklist_tmp -+ if [ $swap4_err -eq 0 ]; then -+ ipset swap aif_blocklist aif_blocklist_tmp -+ else -+ printf "\033[40m\033[1;31mERROR: IPv4 \"ipset swap ...\" not applied.\033[0m\n" >&2 -+ fi - ipset destroy aif_blocklist_tmp - if [ "$IPV6_SUPPORT" = "1" ]; then -- ipset swap aif_blocklist6 aif_blocklist6_tmp -+ if [ $swap6_err -eq 0 ]; then -+ ipset swap aif_blocklist6 aif_blocklist6_tmp -+ else -+ printf "\033[40m\033[1;31mERROR: IPv6 \"ipset swap ...\" not applied.\033[0m\n" >&2 -+ fi - ipset destroy aif_blocklist6_tmp - fi - else Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2016-09-11 19:08:52 UTC (rev 7831) +++ branches/1.0/package/arnofw/arnofw.mk 2016-09-14 18:15:56 UTC (rev 7832) @@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER := 2.0.1g-RC2 +ARNOFW_VER := 2.0.1g-RC3 ARNOFW_ROOT := arno-iptables-firewall ARNOFW_SOURCE := $(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz #ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall 
@@ -64,6 +64,8 @@ $(TARGET_DIR)$(ARNOFW_CONFIG_SHIM) $(INSTALL) -D -m 0755 package/arnofw/reload-spamhaus-drop \ $(TARGET_DIR)/usr/sbin/reload-spamhaus-drop + $(INSTALL) -D -m 0755 package/arnofw/reload-blocklist-netset \ + $(TARGET_DIR)/usr/sbin/reload-blocklist-netset @rm -f $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/*.CHANGELOG @echo @echo "Remove plugins that don't apply." Added: branches/1.0/package/arnofw/reload-blocklist-netset =================================================================== --- branches/1.0/package/arnofw/reload-blocklist-netset (rev 0) +++ branches/1.0/package/arnofw/reload-blocklist-netset 2016-09-14 18:15:56 UTC (rev 7832) 
@@ -0,0 +1,173 @@ +#!/bin/sh +## +## reload-blocklist-netset +## +## Cron may be used to run this script once or twice every day. Example: +## 05 05,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 spamhaus_dropv6 >/dev/null 2>&1 +## +## Multiple netset entries may be space or comma separated. +## +## In this example, a /mnt/kd/blocklists/firehol_level1.netset +## and a /mnt/kd/blocklists/spamhaus_dropv6.netset file will be created. +## Note: The specified directory must pre-exist, it will not be created. +## +## This script prevents any netset from being updated more often than +## the defined 'AGE' value. +## + +DIR="$1" + +UPDATES=0 + +list_netsets() +{ + cat <<EOF + +Available IPv4 Blocklist Netsets: + firehol_level1: Blacklist composed from IP lists, providing maximum protection with minimum false positives. + firehol_level2: Blacklist that track attacks, during about the last 48 hours. + firehol_level3: Blacklist that track attacks, spyware, viruses, reported or detected in the last 30 days. + spamhaus_drop: Spamhaus DROP (Don't Route Or Peer), consisting of netblocks that are "hijacked" by cyber-crime operations. + spamhaus_edrop: Spamhaus EDROP is an extension of the DROP list that includes suballocated netblocks. + +Available IPv6 Blocklist Netsets: +spamhaus_dropv6: Spamhaus DROPv6 list includes IPv6 ranges allocated to spammers or cyber criminals. 
+ +EOF +} + +netset_url() +{ + local netset="$1" + + case $netset in + ## IPv4 + firehol_level1) + URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" + ALT_URL="" + AGE=3600 + ;; + firehol_level2) + URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset" + ALT_URL="" + AGE=3600 + ;; + firehol_level3) + URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset" + ALT_URL="" + AGE=3600 + ;; + spamhaus_drop) + URL="https://www.spamhaus.org/drop/drop.txt" + ALT_URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset" + AGE=43200 + ;; + spamhaus_edrop) + URL="https://www.spamhaus.org/drop/edrop.txt" + ALT_URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_edrop.netset" + AGE=43200 + ;; + + ## IPv6 + spamhaus_dropv6) + URL="https://www.spamhaus.org/drop/dropv6.txt" + ALT_URL="" + AGE=43200 + ;; + + *) + URL="" + ALT_URL="" + AGE=0 + ;; + esac +} + +download_file() +{ + local file="$1" url="$2" + + curl -sSfL --globoff --retry 1 --connect-timeout 15 --max-time 1800 -o "$file" "$url" >/dev/null +} + +valid_update_age() +{ + local netset="$1" age="$2" file + + file="$DIR/$netset.netset" + + if [ -f "$file" ]; then + if [ $(( $(date +%s) - $(date -r "$file" +%s) )) -lt $age ]; then + return 1 + fi + fi + return 0 +} + +blocklist_netset() +{ + local netset tmp_file count mesg IFS + + IFS=' ,' + for netset in $*; do + unset IFS + netset_url $netset + if [ -z "$URL" ]; then + echo "reload-blocklist-netset: Unknown Netset: $netset" >&2 + continue + fi + if ! valid_update_age $netset $AGE; then + echo "reload-blocklist-netset: The file '$netset.netset' has been updated within $AGE seconds, skipping." >&2 + continue + fi + tmp_file="$(mktemp "/tmp/reload_blocklist.XXXXXX")" + if ! download_file "$tmp_file" "$URL"; then + if [ -z "$ALT_URL" ] || ! 
download_file "$tmp_file" "$ALT_URL"; then + rm -f "$tmp_file" + mesg="Retrieving '$netset' netset failed for '$URL', skipping." + logger -s -t reload-blocklist-netset -p kern.info "$mesg" + continue + fi + fi + if grep -q -i -e '^<!DOCTYPE HTML' -e '^<HTML' "$tmp_file"; then + rm -f "$tmp_file" + mesg="Netset '$netset' text format is invalid for '$URL', skipping." + logger -s -t reload-blocklist-netset -p kern.info "$mesg" + continue + fi + + cp "$tmp_file" "$DIR/$netset.netset" + rm -f "$tmp_file" + UPDATES=$((UPDATES + 1)) + + count=$(grep -c '^[1-9a-fA-F]' "$DIR/$netset.netset") + mesg="Netset '$netset' has been updated. Contains $count addresses/nets." + logger -t reload-blocklist-netset -p kern.info "$mesg" + echo "$mesg" + done +} + +if [ -z "$DIR" ]; then + echo "Usage: reload-blocklist-netset netset_dir netset_1 [ netset_2 ... ]" + list_netsets + exit 1 +fi + +if [ ! -d "$DIR" ]; then + echo "reload-blocklist-netset: Directory not found: $DIR" + exit 1 +fi + +shift 1 + +if [ -z "$1" ]; then + list_netsets + exit 1 +fi + +blocklist_netset "$@" + +if [ $UPDATES -gt 0 ]; then + arno-iptables-firewall force-reload +fi + Property changes on: branches/1.0/package/arnofw/reload-blocklist-netset ___________________________________________________________________ Added: svn:executable ## -0,0 +1 ## +* \ No newline at end of property This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
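Review bot: The downloaded list is accepted after nothing more than the HTML-doctype check (`grep -q -i -e '^<!DOCTYPE HTML' -e '^<HTML'`), so an empty, truncated or otherwise malformed body overwrites the working `.netset` and is then pushed into the firewall by the `force-reload` at the end; the `grep -c '^[1-9a-fA-F]'` count runs only after the `cp` and is merely logged. Validate before the copy as below: skip the update when the file has no entries or when any line is neither a comment/blank line nor an address or CIDR. The `[1-9a-fA-F]` class also misses entries that start with `0` (e.g. `0.0.0.0/8`), if the lists carry such bogon ranges. Because `download_file` follows redirects with `-L`, adding `--proto =https --proto-redir =https` to the curl line keeps a redirect from downgrading the fetch to plain HTTP. The `addr ; SBLnnn` trailer I allow for is the published Spamhaus format and not visible in this hunk — adjust the pattern (and line endings) to whatever the firewall's netset reader actually accepts.
```shell
    # … unchanged: download with URL, ALT_URL fallback and the HTML check …

    # Refuse a list that is empty or contains lines that are not a comment, a blank
    # line, or an IPv4/IPv6 address or CIDR (optionally followed by "; comment").
    count=$(grep -c -E '^[0-9a-fA-F:.]+(/[0-9]+)?[[:space:]]*(;.*)?$' "$tmp_file")
    if [ "$count" -eq 0 ] || grep -v -E -e '^[[:space:]]*(#|;|$)' -e '^[0-9a-fA-F:.]+(/[0-9]+)?[[:space:]]*(;.*)?$' "$tmp_file" | grep -q .; then
      rm -f "$tmp_file"
      mesg="Netset '$netset' is empty or malformed for '$URL', skipping."
      logger -s -t reload-blocklist-netset -p kern.info "$mesg"
      continue
    fi

    cp "$tmp_file" "$DIR/$netset.netset"
    # … unchanged: rm tmp_file, UPDATES bump, log message (reuse $count) …
```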
From: <abe...@us...> - 2016-09-23 15:23:55
Revision: 7860 http://sourceforge.net/p/astlinux/code/7860 Author: abelbeck Date: 2016-09-23 15:23:53 +0000 (Fri, 23 Sep 2016) Log Message: ----------- arnofw, version bump to 2.0.1g-RC7, minor tweaks Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2016-09-22 18:17:07 UTC (rev 7859) +++ branches/1.0/package/arnofw/arnofw.mk 2016-09-23 15:23:53 UTC (rev 7860) @@ -3,7 +3,7 @@ # Arno's IPtables Firewall Script # ############################################################# -ARNOFW_VER := 2.0.1g-RC6 +ARNOFW_VER := 2.0.1g-RC7 ARNOFW_ROOT := arno-iptables-firewall ARNOFW_SOURCE := $(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz #ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2016-09-22 18:17:07 UTC (rev 7859) +++ branches/1.0/package/arnofw/arnofw.serial 2016-09-23 15:23:53 UTC (rev 7860) @@ -1 +1 @@ -0002~0027~0000~0000~0000~ +0002~0028~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2016-11-19 15:20:07
Revision: 7967 http://sourceforge.net/p/astlinux/code/7967 Author: abelbeck Date: 2016-11-19 15:20:05 +0000 (Sat, 19 Nov 2016) Log Message: ----------- arnofw, for strongswan IPsec (VPN contains ipsec) add new rc.conf variables: IPSEC_ALLOWED_ENDPOINTS and IPSEC_ALLOWED_VPN_NETS Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.serial branches/1.0/package/arnofw/ipsec-vpn-astlinux.conf Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2016-11-19 13:15:07 UTC (rev 7966) +++ branches/1.0/package/arnofw/arnofw.serial 2016-11-19 15:20:05 UTC (rev 7967) @@ -1 +1 @@ -0002~0029~0000~0000~0000~ +0002~0030~0000~0000~0000~ Modified: branches/1.0/package/arnofw/ipsec-vpn-astlinux.conf =================================================================== --- branches/1.0/package/arnofw/ipsec-vpn-astlinux.conf 2016-11-19 13:15:07 UTC (rev 7966) +++ branches/1.0/package/arnofw/ipsec-vpn-astlinux.conf 2016-11-19 15:20:05 UTC (rev 7967) @@ -67,8 +67,8 @@ if [ $vpntype_ipsec -eq 1 ]; then ENABLED=1 - IPSEC_ALLOWED_HOSTS="0/0" - IPSEC_VPN_NETS="" + IPSEC_ALLOWED_HOSTS="${IPSEC_ALLOWED_ENDPOINTS:-0/0}" + IPSEC_VPN_NETS="$IPSEC_ALLOWED_VPN_NETS" IPSEC_NAT_TRAVERSAL=1 fi This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
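Review bot: The two new rc.conf variables are consumed here without any comment stating what they accept or that the endpoint filter stays fully open when unset, which matters because `IPSEC_ALLOWED_HOSTS` is presumably what the IPsec plugin uses to decide which peers may reach IKE/ESP on this host. Add above the assignments: `# rc.conf IPSEC_ALLOWED_ENDPOINTS: remote peers allowed to negotiate IPsec (unset => 0/0, any peer)` and `# rc.conf IPSEC_ALLOWED_VPN_NETS: remote networks reachable through the tunnels (unset => none)`. Whether rc.conf itself documents the two variables is not visible here; if it does, a one-line pointer to it is enough. The enclosing `if [ $vpntype_ipsec -eq 1 ]` block lies entirely within the hunk.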
From: <abe...@us...> - 2017-05-09 14:07:45
Revision: 8291 http://sourceforge.net/p/astlinux/code/8291 Author: abelbeck Date: 2017-05-09 14:07:42 +0000 (Tue, 09 May 2017) Log Message: ----------- arnofw, add support for EXT_IF_DHCPV6_IPV6 config variable, AIF Issue #34 Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.wrapper Added Paths: ----------- branches/1.0/package/arnofw/arnofw-0002-EXT_IF_DHCPV6_IPV6.patch Added: branches/1.0/package/arnofw/arnofw-0002-EXT_IF_DHCPV6_IPV6.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0002-EXT_IF_DHCPV6_IPV6.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-0002-EXT_IF_DHCPV6_IPV6.patch 2017-05-09 14:07:42 UTC (rev 8291) 
@@ -0,0 +1,39 @@ +diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall +index 50b024c..1ee713f 100755 +--- a/bin/arno-iptables-firewall ++++ b/bin/arno-iptables-firewall +@@ -2698,9 +2698,11 @@ setup_ext_input_chain() + echo " Enabling support for DHCP-assigned-IP (DHCP client)" + # Allow this host to be an DHCP client: + ip4tables -A EXT_INPUT_CHAIN -p udp --sport 67 --dport 68 -j ACCEPT ++ fi ++ if [ "$EXT_IF_DHCP_IP" = "1" -o "$EXT_IF_DHCPV6_IPV6" = "1" ]; then + if [ "$IPV6_SUPPORT" = "1" ]; then + # Allow this host to be an DHCPv6 client: +- ip6tables -A EXT_INPUT_CHAIN -p udp --sport 547 --dport 546 -j ACCEPT ++ ip6tables -A EXT_INPUT_CHAIN -s fe80::/10 -p udp --sport 547 --dport 546 -j ACCEPT + fi + fi + +diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf +index e3c8894..766cbdd 100644 +--- a/etc/arno-iptables-firewall/firewall.conf ++++ b/etc/arno-iptables-firewall/firewall.conf +@@ -39,10 +39,16 @@ + EXT_IF="" + + # Enable if THIS machines (dynamically) obtains its IP through (IPv4) DHCP +-# and/or (IPv6) DHCPv6 (from your ISP) ++# and possibly (IPv6) DHCPv6 (from your ISP) + # ------------------------------------------------------------------------------ + EXT_IF_DHCP_IP=0 + ++# Enable if THIS machines (dynamically) obtains its IP through (IPv6) DHCPv6 ++# and not (IPv4) DHCP. Applies only when EXT_IF_DHCP_IP is set to "0". ++# (IPv6 Only) ++# ------------------------------------------------------------------------------ ++EXT_IF_DHCPV6_IPV6=0 ++ + # (EXPERT SETTING!) Here you can override your external(!) IPv4 subnet(s). + # Normally these are (attempted to be) autodetected, so leaving this empty + # should work for most scenarios. This setting is used when eg. 
running a DHCP Modified: branches/1.0/package/arnofw/arnofw.wrapper =================================================================== --- branches/1.0/package/arnofw/arnofw.wrapper 2017-05-09 00:57:44 UTC (rev 8290) +++ branches/1.0/package/arnofw/arnofw.wrapper 2017-05-09 14:07:42 UTC (rev 8291) @@ -222,11 +222,20 @@ fi EXT_IF_DHCP_IP=0 - if [ -n "$EXTIF" -a -z "$EXTIP" ] && [ "$EXTIF" != "ppp0" -o -z "$PPPOEIF" ]; then - EXT_IF_DHCP_IP=1 + EXT_IF_DHCPV6_IPV6=0 + if [ -n "$EXTIF" ] && [ "$EXTIF" != "ppp0" -o -z "$PPPOEIF" ]; then + if [ -z "$EXTIP" ]; then + EXT_IF_DHCP_IP=1 + elif [ "$IPV6" = "yes" -a "$DHCPV6_CLIENT_ENABLE" = "yes" ]; then + EXT_IF_DHCPV6_IPV6=1 + fi fi - if [ -n "$EXT2IF" -a -z "$EXT2IP" ] && [ "$EXT2IF" != "ppp0" -o -z "$PPPOEIF" ]; then - EXT_IF_DHCP_IP=1 + if [ -n "$EXT2IF" ] && [ "$EXT2IF" != "ppp0" -o -z "$PPPOEIF" ]; then + if [ -z "$EXT2IP" ]; then + EXT_IF_DHCP_IP=1 + elif [ "$IPV6" = "yes" -a "$EXT2DHCPV6_CLIENT_ENABLE" = "yes" ]; then + EXT_IF_DHCPV6_IPV6=1 + fi fi if [ "$EXTDHCP" = "yes" -a -n "$EXTIP" -a -n "$EXTGW" -a -z "$EXT2IF" -a -z "$PPPOEIF" ]; then This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2017-05-29 16:04:50
Revision: 8353 http://sourceforge.net/p/astlinux/code/8353 Author: abelbeck Date: 2017-05-29 16:04:48 +0000 (Mon, 29 May 2017) Log Message: ----------- arnofw, add 'Network Prefix Translation' plugin (NPTv6) Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.mk branches/1.0/package/arnofw/arnofw.serial Added Paths: ----------- branches/1.0/package/arnofw/net-prefix-translation/ branches/1.0/package/arnofw/net-prefix-translation/20net-prefix-translation.plugin.sh branches/1.0/package/arnofw/net-prefix-translation/net-prefix-translation.conf Modified: branches/1.0/package/arnofw/arnofw.mk =================================================================== --- branches/1.0/package/arnofw/arnofw.mk 2017-05-28 18:37:02 UTC (rev 8352) +++ branches/1.0/package/arnofw/arnofw.mk 2017-05-29 16:04:48 UTC (rev 8353) @@ -163,6 +163,13 @@ $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/50miniupnpd.plugin $(INSTALL) -m 0644 package/arnofw/miniupnpd/miniupnpd-astlinux.conf \ $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/miniupnpd.conf + @echo + @echo "Install local version of net-prefix-translation plugin." + @echo + $(INSTALL) -m 0644 package/arnofw/net-prefix-translation/20net-prefix-translation.plugin.sh \ + $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/20net-prefix-translation.plugin + $(INSTALL) -m 0644 package/arnofw/net-prefix-translation/net-prefix-translation.conf \ + $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/net-prefix-translation.conf arnofw: $(TARGET_DIR)$(ARNOFW_TARGET_BINARY) Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2017-05-28 18:37:02 UTC (rev 8352) +++ branches/1.0/package/arnofw/arnofw.serial 2017-05-29 16:04:48 UTC (rev 8353) 
@@ -1 +1 @@ -0002~0032~0000~0000~0000~ +0002~0033~0000~0000~0000~ Added: branches/1.0/package/arnofw/net-prefix-translation/20net-prefix-translation.plugin.sh =================================================================== --- branches/1.0/package/arnofw/net-prefix-translation/20net-prefix-translation.plugin.sh (rev 0) +++ branches/1.0/package/arnofw/net-prefix-translation/20net-prefix-translation.plugin.sh 2017-05-29 16:04:48 UTC (rev 8353) 
@@ -0,0 +1,286 @@ +# ------------------------------------------------------------------------------ +# -= Arno's iptables firewall - Network Prefix Translation plugin =- +# +PLUGIN_NAME="Network Prefix Translation plugin" +PLUGIN_VERSION="1.00" +PLUGIN_CONF_FILE="net-prefix-translation.conf" +# +# Last changed : May 28, 2017 +# Requirements : AIF 2.0.1g+, ip6tables NETMAP support +# Comments : NPTv6 (Network Prefix Translation) for IPv6 +# Perform a 1:1 mapping of ULA <-> GUA prefixes +# via the external interface. +# +# Author : (C) Copyright 2017 by Lonnie Abelbeck & Arno van Amersfoort +# Homepage : http://rocky.eld.leidenuniv.nl/ +# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l +# (note: you must remove all spaces and substitute the @ and the . +# at the proper locations!) +# ------------------------------------------------------------------------------ +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# version 2 as published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
+# ------------------------------------------------------------------------------ + +NET_PREFIX_TRANSLATION_GLOBAL_IPV6="/var/tmp/aif-net-prefix-translation-global-ipv6" + +net_prefix_translation_global_ipv6() +{ + local lan IFS + + IFS=' ,' + for lan in $NET_PREFIX_TRANSLATION_IF; do + ip -6 -o addr show dev $lan scope global 2>/dev/null \ + | awk '$3 == "inet6" { print $4; }' + done +} + +net_prefix_translation_global_prefix() +{ + local global_prefix prefix len cut_chars prefix_label prefix_len ipv6 ipv6_ex IFS + + global_prefix="" + if [ -n "$NET_PREFIX_TRANSLATION_IF" ]; then + prefix_len="$(echo "$NET_PREFIX_TRANSLATION_GLOBAL_PREFIX" | cut -s -d'/' -f2)" + case $prefix_len in + 64) cut_chars="1-19" + prefix_label="::/64" + ;; + 60) cut_chars="1-18" + prefix_label="0::/60" + ;; + 56) cut_chars="1-17" + prefix_label="00::/56" + ;; + 52) cut_chars="1-16" + prefix_label="000::/52" + ;; + 48) cut_chars="1-15" + prefix_label="0000::/48" + ;; + *) cut_chars="" + prefix_label="" + ;; + esac + + if [ -n "$cut_chars" -a -n "$prefix_label" ]; then + unset IFS + for prefix in $(net_prefix_translation_global_ipv6); do + len="$(echo "$prefix" | sed -n -r -e 's/^[0-9a-fA-F:]+\/([0-9]+)$/\1/p')" + if [ -n "$len" ]; then + if [ $len -ge 32 -a $len -le 64 ]; then + ipv6="$(echo "$prefix" | cut -d'/' -f1)" + ipv6_ex="$(netcalc "$ipv6" | sed -n -r -e 's/^Expanded IPv6 *: *([0-9a-fA-F:]+).*$/\1/p')" + global_prefix="$(echo "$ipv6_ex" | cut -c $cut_chars)" + if [ -n "$global_prefix" ]; then + global_prefix="$global_prefix$prefix_label" + break + fi + fi + fi + done + fi + else + global_prefix="$NET_PREFIX_TRANSLATION_GLOBAL_PREFIX" + fi + + echo "$global_prefix" +} + +# Plugin start function +plugin_start() +{ + local global_prefix local_prefix eif IFS + + #### remove when in main script #### + ip6tables -t nat -F + ip6tables -t nat -X + #### + + ip6tables -t nat -N NET_PREFIX_TRANSLATION_IN 2>/dev/null + ip6tables -t nat -F NET_PREFIX_TRANSLATION_IN + + ip6tables -t nat -N 
NET_PREFIX_TRANSLATION_OUT 2>/dev/null + ip6tables -t nat -F NET_PREFIX_TRANSLATION_OUT + + global_prefix="$(net_prefix_translation_global_prefix)" + + if [ -z "$global_prefix" ]; then + echo "${INDENT}Network Prefix Translation Global Prefix: Not Found" + return 1 + fi + + local_prefix="$NET_PREFIX_TRANSLATION_LOCAL_PREFIX" + + echo "${INDENT}Network Prefix Translation Global Prefix: $global_prefix" + echo "${INDENT}Network Prefix Translation Local Prefix: $local_prefix" + + IFS=' ,' + for eif in $EXT_IF; do + ip6tables -t nat -A NET_PREFIX_TRANSLATION_IN -i $eif -d $global_prefix -j NETMAP --to $local_prefix + ip6tables -t nat -A NET_PREFIX_TRANSLATION_OUT -o $eif -s $local_prefix -j NETMAP --to $global_prefix + done + + echo "$global_prefix" > "$NET_PREFIX_TRANSLATION_GLOBAL_IPV6" + + ip6tables -t nat -A PREROUTING -j NET_PREFIX_TRANSLATION_IN + ip6tables -t nat -A POSTROUTING -j NET_PREFIX_TRANSLATION_OUT + + return 0 +} + + +# Plugin restart function +plugin_restart() +{ + + # Skip plugin_stop on a restart + plugin_start + + return 0 +} + + +# Plugin stop function +plugin_stop() +{ + + ip6tables -t nat -D PREROUTING -j NET_PREFIX_TRANSLATION_IN + ip6tables -t nat -D POSTROUTING -j NET_PREFIX_TRANSLATION_OUT + + ip6tables -t nat -F NET_PREFIX_TRANSLATION_IN + ip6tables -t nat -X NET_PREFIX_TRANSLATION_IN 2>/dev/null + + ip6tables -t nat -F NET_PREFIX_TRANSLATION_OUT + ip6tables -t nat -X NET_PREFIX_TRANSLATION_OUT 2>/dev/null + + rm -f "$NET_PREFIX_TRANSLATION_GLOBAL_IPV6" + + return 0 +} + + +# Plugin status function +plugin_status() +{ + local old_prefix global_prefix local_prefix eif IFS + + if [ -f "$NET_PREFIX_TRANSLATION_GLOBAL_IPV6" ]; then + old_prefix="$(cat "$NET_PREFIX_TRANSLATION_GLOBAL_IPV6")" + else + old_prefix="" + fi + + global_prefix="$(net_prefix_translation_global_prefix)" + + if [ -z "$global_prefix" ]; then + echo " Network Prefix Translation Global Prefix: Not Found" + return 0 + fi + + if [ "$old_prefix" = "$global_prefix" ]; then + echo 
" Network Prefix Translation Global Prefix did not change: $global_prefix" + return 0 + fi + + local_prefix="$NET_PREFIX_TRANSLATION_LOCAL_PREFIX" + + if [ "$NET_PREFIX_TRANSLATION_UPDATE_ON_STATUS" != "0" ]; then + # update rules + + ip6tables -t nat -F NET_PREFIX_TRANSLATION_IN + ip6tables -t nat -F NET_PREFIX_TRANSLATION_OUT + + IFS=' ,' + for eif in $EXT_IF; do + ip6tables -t nat -A NET_PREFIX_TRANSLATION_IN -i $eif -d $global_prefix -j NETMAP --to $local_prefix + ip6tables -t nat -A NET_PREFIX_TRANSLATION_OUT -o $eif -s $local_prefix -j NETMAP --to $global_prefix + done + + echo "$global_prefix" > "$NET_PREFIX_TRANSLATION_GLOBAL_IPV6" + echo " Network Prefix Translation Global Prefix (updated): $global_prefix" + else + echo " Network Prefix Translation Global Prefix needs updating to: $global_prefix" + fi + + return 0 +} + + +# Check sanity of eg. environment +plugin_sanity_check() +{ + # Sanity check + + if [ -z "$(echo "$NET_PREFIX_TRANSLATION_GLOBAL_PREFIX" | cut -s -d'/' -f2)" ]; then + printf "\033[40m\033[1;31m${INDENT}ERROR: NET_PREFIX_TRANSLATION_GLOBAL_PREFIX is missing a /nn prefix!\033[0m\n" >&2 + return 1 + fi + + if [ -z "$(echo "$NET_PREFIX_TRANSLATION_LOCAL_PREFIX" | cut -s -d'/' -f2)" ]; then + printf "\033[40m\033[1;31m${INDENT}ERROR: NET_PREFIX_TRANSLATION_LOCAL_PREFIX is missing a /nn prefix!\033[0m\n" >&2 + return 1 + fi + + if [ -n "$NET_PREFIX_TRANSLATION_IF" ] && ! check_command netcalc; then + printf "\033[40m\033[1;31m${INDENT}ERROR: Required binary \"netcalc\" is not available!\033[0m\n" >&2 + return 1 + fi + + return 0 +} + + +############ +# Mainline # +############ + +# Check where to find the config file +CONF_FILE="" +if [ -n "$PLUGIN_CONF_PATH" ]; then + CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" +fi + +# Preinit to success: +PLUGIN_RET_VAL=0 + +# Check if the config file exists +if [ ! 
-e "$CONF_FILE" ]; then + printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 +else + # Source the plugin config file + . "$CONF_FILE" + + if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || + [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || + [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || + [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then + # Show who we are: + echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" + + # Increment indention + INDENT="$INDENT " + + # Only proceed if environment ok + if ! plugin_sanity_check; then + PLUGIN_RET_VAL=1 + else + case $PLUGIN_CMD in + start|'') plugin_start; PLUGIN_RET_VAL=$? ;; + restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; + stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; + status ) plugin_status; PLUGIN_RET_VAL=$? ;; + * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; + esac + fi + fi +fi Added: branches/1.0/package/arnofw/net-prefix-translation/net-prefix-translation.conf =================================================================== --- branches/1.0/package/arnofw/net-prefix-translation/net-prefix-translation.conf (rev 0) +++ branches/1.0/package/arnofw/net-prefix-translation/net-prefix-translation.conf 2017-05-29 16:04:48 UTC (rev 8353) 
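Review bot: `plugin_sanity_check` only verifies that each prefix carries a `/nn`, yet the plugin is shipped with a `/60` global prefix paired with a `/48` local prefix; ip6tables NETMAP fills the bits covered by the `--to` mask from the new prefix and keeps the remaining bits from the original address, so with unequal lengths the PREROUTING and POSTROUTING rules are not inverses of each other and return traffic for local subnets that differ in the extra bits is mapped to the wrong destination. Reject mismatched lengths in the sanity check as below. Separately, `plugin_start` flushes and deletes the whole `ip6tables -t nat` table (marked `#### remove when in main script ####`), which also discards any other plugin's IPv6 NAT rules, and `plugin_restart` silently depends on that flush: once it is removed, the `-A PREROUTING -j NET_PREFIX_TRANSLATION_IN` / `-A POSTROUTING -j NET_PREFIX_TRANSLATION_OUT` jumps are appended again on every restart, so delete them with `-D` (or call `plugin_stop`) before re-adding rather than flushing the table.
```shell
plugin_sanity_check()
{
  local global_len local_len

  # … unchanged: existing "/nn is present" checks for both prefixes …

  global_len="$(echo "$NET_PREFIX_TRANSLATION_GLOBAL_PREFIX" | cut -s -d'/' -f2)"
  local_len="$(echo "$NET_PREFIX_TRANSLATION_LOCAL_PREFIX" | cut -s -d'/' -f2)"
  # NETMAP keeps the address bits beyond the --to mask, so a 1:1 mapping is only
  # reversible when both prefixes have the same length.
  if [ "$global_len" != "$local_len" ]; then
    printf "\033[40m\033[1;31m${INDENT}ERROR: NET_PREFIX_TRANSLATION_GLOBAL_PREFIX (/$global_len) and NET_PREFIX_TRANSLATION_LOCAL_PREFIX (/$local_len) must have the same prefix length!\033[0m\n" >&2
    return 1
  fi

  # … unchanged: netcalc availability check …
  return 0
}
```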
@@ -0,0 +1,56 @@
+# ------------------------------------------------------------------------------
+# -= Arno's iptables firewall - Network Prefix Translation plugin =-
+# ------------------------------------------------------------------------------
+
+# To actually enable this plugin make ENABLED=1:
+# ------------------------------------------------------------------------------
+ENABLED=0
+
+# NPTv6 (Network Prefix Translation) for IPv6
+#
+# Commonly used to assign fixed ULA (Unique Local IPv6 Unicast Addresses)
+# (RFC4193) prefixes to local networks and perform a 1:1 mapping to a
+# GUA (IPv6 Global Unicast Address) (RFC3587) prefix provided by your ISP.
+# Should the GUA prefix change, the local ULA prefix can remain the same.
+#
+# The simplest case is where the GUA prefix is static, or seldom changes,
+# specify the global prefix with NET_PREFIX_TRANSLATION_GLOBAL_PREFIX.
+#
+# Example:
+# NET_PREFIX_TRANSLATION_GLOBAL_PREFIX="2001:db8:abcd:1230::/60"
+# (IPv6 Only)
+# ------------------------------------------------------------------------------
+NET_PREFIX_TRANSLATION_GLOBAL_PREFIX="::/60"
+
+# The more common case is where the GUA prefix is dynamic, using DHCPv6-PD.
+# In this case monitor an interface that is automatically assgined a prefix.
+# The value of NET_PREFIX_TRANSLATION_GLOBAL_PREFIX is used only to determine
+# the prefix length. When NET_PREFIX_TRANSLATION_IF is not defined,
+# NET_PREFIX_TRANSLATION_GLOBAL_PREFIX is used, and must be fully specified.
+#
+# Example: (first INT_IF interface will be used)
+# NET_PREFIX_TRANSLATION_IF="$INT_IF"
+# ------------------------------------------------------------------------------
+NET_PREFIX_TRANSLATION_IF="$INT_IF"
+
+# You must define NET_PREFIX_TRANSLATION_LOCAL_PREFIX by generating a ULA,
+# using a script or web site, whatever you are most comfortable with.
+#
+# Example: (generate your own, random, ULA)
+# NET_PREFIX_TRANSLATION_LOCAL_PREFIX="fd04:928b:f87e::/48"
+# (IPv6 Only)
+# ------------------------------------------------------------------------------
+NET_PREFIX_TRANSLATION_LOCAL_PREFIX="fd04:928b:f87e::/48"
+
+# When this plugin's status is called, if the global IPv6 prefix has changed,
+# noted by the IPv6 prefix associated with NET_PREFIX_TRANSLATION_IF, the
+# rules will be updated. Set NET_PREFIX_TRANSLATION_UPDATE_ON_STATUS to "0"
+# to disable this automatic update on status.
+#
+# Example:
+# $ arno-iptables-firewall status-plugins net-prefix-translation
+#
+# Defaults to update on status if not set to "0"
+# ------------------------------------------------------------------------------
+NET_PREFIX_TRANSLATION_UPDATE_ON_STATUS=1
+
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
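Review bot: The shipped default `NET_PREFIX_TRANSLATION_LOCAL_PREFIX="fd04:928b:f87e::/48"` is a plausible ULA rather than an obviously-invalid placeholder, and the plugin's `plugin_sanity_check` shown earlier in this commit only verifies that a `/nn` length is present, so every install that leaves this value untouched ends up NETMAPping the same supposedly unique RFC4193 prefix, which undermines the uniqueness the comment asks the user to generate. Consider shipping a placeholder in the same style as the global prefix default (`::/60`) so an unedited file fails the existing sanity check, or at least add `# NOTE: the value below is only an example; replace it with your own randomly generated /48 ULA` above the assignment. Since the file is consumed via `. "$CONF_FILE"`, every value is shell-expanded, which is worth stating next to `NET_PREFIX_TRANSLATION_IF="$INT_IF"` so users understand that quoting and `$INT_IF` expansion follow shell rules. Minor: `assgined` should read `assigned` in the NET_PREFIX_TRANSLATION_IF comment.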
