summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOlivier Blin <oblin@mandriva.org>2005-09-01 19:50:59 +0000
committerOlivier Blin <oblin@mandriva.org>2005-09-01 19:50:59 +0000
commit97edb2dd92bb48ec85cdd082da1af1ef7235d644 (patch)
treeab04061755790fc25d80c04fe09490ad0d55a3a8
parentcd6afee0de52086ee24b1c83d3d67cfec03e12f5 (diff)
downloaddrakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.tar
drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.tar.gz
drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.tar.bz2
drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.tar.xz
drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.zip
install and configure Interface Firewall in drakfirewall
-rw-r--r--perl-install/network/drakfirewall.pm69
-rw-r--r--perl-install/network/shorewall.pm23
-rw-r--r--perl-install/share/rpmsrate2
3 files changed, 78 insertions, 16 deletions
diff --git a/perl-install/network/drakfirewall.pm b/perl-install/network/drakfirewall.pm
index 9e9367369..eef489801 100644
--- a/perl-install/network/drakfirewall.pm
+++ b/perl-install/network/drakfirewall.pm
@@ -69,6 +69,13 @@ my @all_servers =
},
);
+my @ifw_rules = (
+ {
+ name => N_("Port scan detection"),
+ ifw_rule => 'psd',
+ },
+);
+
sub port2server {
my ($port) = @_;
find {
@@ -170,7 +177,7 @@ drakconnect before going any further."), 1) or return;
}
}
-sub choose {
+sub choose_allowed_services {
my ($in, $disabled, $servers, $unlisted) = @_;
$_->{on} = 0 foreach @all_servers;
@@ -202,7 +209,60 @@ You can also give a range of ports (eg: 24300:24350/udp)", $invalid_port));
{ label => N("Other ports"), val => \$unlisted, advanced => 1, disabled => sub { $disabled } }
]) or return;
- $disabled, to_ports([ grep { $_->{on} } @l ], $unlisted);
+ $disabled, [ grep { $_->{on} } @l ], $unlisted;
+}
+
+sub set_ifw {
+ my ($do_pkgs, $enabled, $rules, $ports) = @_;
+ $do_pkgs->ensure_is_installed('mandi-ifw', '/etc/ifw/start', $::isInstall) or return;
+
+ my $ports_by_proto = network::shorewall::ports_by_proto($ports);
+ output_with_perm("$::prefix/etc/ifw/rules", 0644, map { "$_\n" } (
+ (map { "source /etc/ifw/rules.d/$_" } @$rules),
+ map {
+ my $proto = $_;
+ map {
+ my $multiport = /:/ && " -m multiport";
+ "iptables -A Ifw -m state --state NEW -p $proto$multiport --dport $_ -j IFWLOG --log-prefix NEW\n";
+ } @{$ports_by_proto->{$proto}};
+ } keys %$ports_by_proto,
+ ));
+
+ my $set_in_file = sub {
+ my ($file, @list) = @_;
+ substInFile {
+ foreach my $l (@list) { s|^$l\n|| }
+ $_ .= join("\n", @list) . "\n" if eof && $enabled;
+ } "$::prefix/etc/shorewall/$file";
+ };
+ $set_in_file->('start', "INCLUDE /etc/ifw/start", "INCLUDE /etc/ifw/rules", "iptables -I INPUT 2 -j Ifw");
+ $set_in_file->('stop', "iptables -D INPUT -j Ifw", "INCLUDE /etc/ifw/stop");
+}
+
+sub choose_watched_services {
+ my ($in, $servers, $unlisted) = @_;
+
+ my @l = (@ifw_rules, @$servers, map { { ports => $_ } } split(' ', $unlisted));
+ my $enabled = 1;
+ $_->{ifw} = 1 foreach @l;
+
+ $in->ask_from_({
+ messages =>
+ N("Interactive Firewall") . "\n\n" .
+ N("You can be warned when someone access to a service or tries to intrude into your computer.
+Please select which network activity should be watched."),
+ title => N("Interactive Firewall"),
+ },
+ [
+ { text => N("Use Interactive Firewall"), val => \$enabled, type => 'bool' },
+ map { my $e = $_; {
+ text => (exists $_->{name} ? translate($_->{name}) : $_->{ports}),
+ val => \$_->{ifw},
+ type => 'bool', disabled => sub { !member($e, @ifw_rules) || !$enabled },
+ } } @l,
+ ]) or return;
+ my ($rules, $ports) = partition { exists $_->{ifw_rule} } grep { $_->{ifw} } @l;
+ set_ifw($in->do_pkgs, $enabled, [ map { $_->{ifw_rule} } @$rules ], to_ports($ports));
}
sub main {
@@ -210,8 +270,11 @@ sub main {
($disabled, my $servers, my $unlisted) = get_conf($in, $disabled) or return;
- ($disabled, my $ports) = choose($in, $disabled, $servers, $unlisted) or return;
+ ($disabled, $servers, $unlisted) = choose_allowed_services($in, $disabled, $servers, $unlisted) or return;
+
+ choose_watched_services($in, $servers, $unlisted) unless $disabled;
+ my $ports = to_ports($servers, $unlisted);
set_ports($in->do_pkgs, $disabled, $ports, $in) or return;
($disabled, $ports);
diff --git a/perl-install/network/shorewall.pm b/perl-install/network/shorewall.pm
index 7e5d97363..463d64a62 100644
--- a/perl-install/network/shorewall.pm
+++ b/perl-install/network/shorewall.pm
@@ -1,8 +1,5 @@
package network::shorewall; # $Id$
-
-
-
use detect_devices;
use network::ethernet;
use network::network;
@@ -10,7 +7,6 @@ use run_program;
use common;
use log;
-
sub check_iptables() {
-f "$::prefix/etc/sysconfig/iptables" ||
$::isStandalone && do {
@@ -101,16 +97,21 @@ sub read {
$conf{net_interface} && \%conf;
}
+sub ports_by_proto {
+ my ($ports) = @_;
+ my %ports_by_proto;
+ foreach (split ' ', $ports) {
+ m!^(\d+(?:\d+)?)/(udp|tcp|icmp)$! or die "bad port $_\n";
+ push @{$ports_by_proto{$2}}, $1;
+ }
+ \%ports_by_proto;
+}
+
sub write {
my ($conf) = @_;
my $default_intf = get_ifcfg_interface();
my $use_pptp = $default_intf =~ /^ppp/ && cat_("$::prefix/etc/ppp/peers/$default_intf") =~ /pptp/;
-
- my %ports_by_proto;
- foreach (split ' ', $conf->{ports}) {
- m!^(\d+(:\d+)?)/(udp|tcp|icmp)$! or die "bad port $_\n";
- push @{$ports_by_proto{$3}}, $1;
- }
+ my $ports_by_proto = ports_by_proto($conf->{ports});
my $interface_settings = sub {
my ($zone, $interface) = @_;
@@ -134,7 +135,7 @@ sub write {
set_config_file('rules',
if_($use_pptp, [ 'ACCEPT', 'fw', 'loc:10.0.0.138', 'tcp', '1723' ]),
if_($use_pptp, [ 'ACCEPT', 'fw', 'loc:10.0.0.138', 'gre' ]),
- (map_each { [ 'ACCEPT', 'net', 'fw', $::a, join(',', @$::b), '-' ] } %ports_by_proto),
+ (map_each { [ 'ACCEPT', 'net', 'fw', $::a, join(',', @$::b), '-' ] } %$ports_by_proto),
(map {
map_each { [ 'REDIRECT', 'loc', $::a, $_, $::b, '-' ] } %{$conf->{redirects}{$_}};
} keys %{$conf->{redirects}}),
diff --git a/perl-install/share/rpmsrate b/perl-install/share/rpmsrate
index a9c254eb2..28e47236a 100644
--- a/perl-install/share/rpmsrate
+++ b/perl-install/share/rpmsrate
@@ -650,8 +650,6 @@ CAT_SYSTEM
5 dmidecode setarch
- 5 mandi-ifw
-
5 HIGH_SECURITY libsafe kernel-secure lads
5 BIGMEM kernel
5 SMP kernel-smp