From: Willem J. W. <wj...@di...> - 2015-06-30 09:12:08
On 28-6-2015 12:46, Kevin Zheng wrote:
> The current 'command' backend uses the shell to construct and
> execute firewall commands. Those are hard-coded in the binary and
> run in the context of the SSHGuard process via the system() call.
>
> As the aix, ipf, and iptables backends show, those commands can get
> quite complex. In the interest of making life easier, I've created a
> new branch that delegates executing firewall commands to a separate
> 'sshg-fw' binary, currently implemented as a shell script. The
> script reads commands from standard input and issues the appropriate
> commands to the system firewall. This is a step towards privilege
> separation.
>
> Lots of work remains, in particular, doing this in a portable way,
> and actually re-implementing the aix, ipf, iptables, and hosts
> backends. Currently only null, pf, and ipfw are supported, and
> external commands simply aren't executed for the time being.

I'm doing more or less the same but using the NULL firewall... and then use the option -s to tell it what to really do....

/usr/local/sbin/sshguard -e /usr/local/sbin/sshguard-ipfwtable

Does the above mean that you are going to "kill" this facility for the time being?

--WjW
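The stdin-driven helper Kevin describes, as an added illustration that is not SSHGuard's own sshg-fw script: it reads one command per line, validates the address before building the firewall command, and rejects anything else, which is the check that matters once the helper runs with more privilege than the process feeding it. The `block`/`release` line format, the pf table name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not SSHGuard's sshg-fw. Assumed line format on stdin:
#   block <ipv4-address>
#   release <ipv4-address>
# Only validated input reaches the firewall command, so a compromised or
# buggy writer cannot pass shell metacharacters into the privileged helper.

FW_TABLE="${FW_TABLE:-sshguard}"   # assumed pf table name

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0-255.
is_ipv4() {
    addr=$1
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# fw_command ACTION ADDR: print the pfctl command for a validated request,
# or print nothing and return 1 when the action or address is not acceptable.
fw_command() {
    action=$1
    addr=$2
    is_ipv4 "$addr" || return 1
    case $action in
        block)   printf 'pfctl -t %s -T add %s\n' "$FW_TABLE" "$addr" ;;
        release) printf 'pfctl -t %s -T delete %s\n' "$FW_TABLE" "$addr" ;;
        *)       return 1 ;;
    esac
}

# fw_loop: read "ACTION ADDR" lines from stdin and print each translated
# command; a real helper would execute it here instead of printing it.
# Lines with trailing fields, bad actions or bad addresses are logged to
# stderr and dropped.
fw_loop() {
    while read -r action addr extra; do
        if [ -n "$extra" ] || ! fw_command "$action" "$addr"; then
            printf 'rejected: %s %s %s\n' "$action" "$addr" "$extra" >&2
        fi
    done
}
```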