diff options
author | Olivier Blin <oblin@mandriva.org> | 2005-09-01 19:50:59 +0000 |
---|---|---|
committer | Olivier Blin <oblin@mandriva.org> | 2005-09-01 19:50:59 +0000 |
commit | 97edb2dd92bb48ec85cdd082da1af1ef7235d644 (patch) | |
tree | ab04061755790fc25d80c04fe09490ad0d55a3a8 | |
parent | cd6afee0de52086ee24b1c83d3d67cfec03e12f5 (diff) | |
download | drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.tar drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.tar.gz drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.tar.bz2 drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.tar.xz drakx-97edb2dd92bb48ec85cdd082da1af1ef7235d644.zip |
install and configure Interface Firewall in drakfirewall
-rw-r--r-- | perl-install/network/drakfirewall.pm | 69 | ||||
-rw-r--r-- | perl-install/network/shorewall.pm | 23 | ||||
-rw-r--r-- | perl-install/share/rpmsrate | 2 |
3 files changed, 78 insertions, 16 deletions
diff --git a/perl-install/network/drakfirewall.pm b/perl-install/network/drakfirewall.pm index 9e9367369..eef489801 100644 --- a/perl-install/network/drakfirewall.pm +++ b/perl-install/network/drakfirewall.pm @@ -69,6 +69,13 @@ my @all_servers = }, ); +my @ifw_rules = ( + { + name => N_("Port scan detection"), + ifw_rule => 'psd', + }, +); + sub port2server { my ($port) = @_; find { @@ -170,7 +177,7 @@ drakconnect before going any further."), 1) or return; } } -sub choose { +sub choose_allowed_services { my ($in, $disabled, $servers, $unlisted) = @_; $_->{on} = 0 foreach @all_servers; @@ -202,7 +209,60 @@ You can also give a range of ports (eg: 24300:24350/udp)", $invalid_port)); { label => N("Other ports"), val => \$unlisted, advanced => 1, disabled => sub { $disabled } } ]) or return; - $disabled, to_ports([ grep { $_->{on} } @l ], $unlisted); + $disabled, [ grep { $_->{on} } @l ], $unlisted; +} + +sub set_ifw { + my ($do_pkgs, $enabled, $rules, $ports) = @_; + $do_pkgs->ensure_is_installed('mandi-ifw', '/etc/ifw/start', $::isInstall) or return; + + my $ports_by_proto = network::shorewall::ports_by_proto($ports); + output_with_perm("$::prefix/etc/ifw/rules", 0644, map { "$_\n" } ( + (map { "source /etc/ifw/rules.d/$_" } @$rules), + map { + my $proto = $_; + map { + my $multiport = /:/ && " -m multiport"; + "iptables -A Ifw -m state --state NEW -p $proto$multiport --dport $_ -j IFWLOG --log-prefix NEW\n"; + } @{$ports_by_proto->{$proto}}; + } keys %$ports_by_proto, + )); + + my $set_in_file = sub { + my ($file, @list) = @_; + substInFile { + foreach my $l (@list) { s|^$l\n|| } + $_ .= join("\n", @list) . "\n" if eof && $enabled; + } "$::prefix/etc/shorewall/$file"; + }; + $set_in_file->('start', "INCLUDE /etc/ifw/start", "INCLUDE /etc/ifw/rules", "iptables -I INPUT 2 -j Ifw"); + $set_in_file->('stop', "iptables -D INPUT -j Ifw", "INCLUDE /etc/ifw/stop"); +} + +sub choose_watched_services { + my ($in, $servers, $unlisted) = @_; + + my @l = (@ifw_rules, @$servers, map { { ports => $_ } } split(' ', $unlisted)); + my $enabled = 1; + $_->{ifw} = 1 foreach @l; + + $in->ask_from_({ + messages => + N("Interactive Firewall") . "\n\n" . + N("You can be warned when someone access to a service or tries to intrude into your computer. +Please select which network activity should be watched."), + title => N("Interactive Firewall"), + }, + [ + { text => N("Use Interactive Firewall"), val => \$enabled, type => 'bool' }, + map { my $e = $_; { + text => (exists $_->{name} ? translate($_->{name}) : $_->{ports}), + val => \$_->{ifw}, + type => 'bool', disabled => sub { !member($e, @ifw_rules) || !$enabled }, + } } @l, + ]) or return; + my ($rules, $ports) = partition { exists $_->{ifw_rule} } grep { $_->{ifw} } @l; + set_ifw($in->do_pkgs, $enabled, [ map { $_->{ifw_rule} } @$rules ], to_ports($ports)); } sub main { @@ -210,8 +270,11 @@ sub main { ($disabled, my $servers, my $unlisted) = get_conf($in, $disabled) or return; - ($disabled, my $ports) = choose($in, $disabled, $servers, $unlisted) or return; + ($disabled, $servers, $unlisted) = choose_allowed_services($in, $disabled, $servers, $unlisted) or return; + + choose_watched_services($in, $servers, $unlisted) unless $disabled; + my $ports = to_ports($servers, $unlisted); set_ports($in->do_pkgs, $disabled, $ports, $in) or return; ($disabled, $ports); diff --git a/perl-install/network/shorewall.pm b/perl-install/network/shorewall.pm index 7e5d97363..463d64a62 100644 --- a/perl-install/network/shorewall.pm +++ b/perl-install/network/shorewall.pm @@ -1,8 +1,5 @@ package network::shorewall; # $Id$ - - - use detect_devices; use network::ethernet; use network::network; @@ -10,7 +7,6 @@ use run_program; use common; use log; - sub check_iptables() { -f "$::prefix/etc/sysconfig/iptables" || $::isStandalone && do { @@ -101,16 +97,21 @@ sub read { $conf{net_interface} && \%conf; } +sub ports_by_proto { + my ($ports) = @_; + my %ports_by_proto; + foreach (split ' ', $ports) { + m!^(\d+(?:\d+)?)/(udp|tcp|icmp)$! or die "bad port $_\n"; + push @{$ports_by_proto{$2}}, $1; + } + \%ports_by_proto; +} + sub write { my ($conf) = @_; my $default_intf = get_ifcfg_interface(); my $use_pptp = $default_intf =~ /^ppp/ && cat_("$::prefix/etc/ppp/peers/$default_intf") =~ /pptp/; - - my %ports_by_proto; - foreach (split ' ', $conf->{ports}) { - m!^(\d+(:\d+)?)/(udp|tcp|icmp)$! or die "bad port $_\n"; - push @{$ports_by_proto{$3}}, $1; - } + my $ports_by_proto = ports_by_proto($conf->{ports}); my $interface_settings = sub { my ($zone, $interface) = @_; @@ -134,7 +135,7 @@ sub write { set_config_file('rules', if_($use_pptp, [ 'ACCEPT', 'fw', 'loc:10.0.0.138', 'tcp', '1723' ]), if_($use_pptp, [ 'ACCEPT', 'fw', 'loc:10.0.0.138', 'gre' ]), - (map_each { [ 'ACCEPT', 'net', 'fw', $::a, join(',', @$::b), '-' ] } %ports_by_proto), + (map_each { [ 'ACCEPT', 'net', 'fw', $::a, join(',', @$::b), '-' ] } %$ports_by_proto), (map { map_each { [ 'REDIRECT', 'loc', $::a, $_, $::b, '-' ] } %{$conf->{redirects}{$_}}; } keys %{$conf->{redirects}}), diff --git a/perl-install/share/rpmsrate b/perl-install/share/rpmsrate index a9c254eb2..28e47236a 100644 --- a/perl-install/share/rpmsrate +++ b/perl-install/share/rpmsrate @@ -650,8 +650,6 @@ CAT_SYSTEM 5 dmidecode setarch - 5 mandi-ifw - 5 HIGH_SECURITY libsafe kernel-secure lads 5 BIGMEM kernel 5 SMP kernel-smp |