9.7-3 commit

IronChroni · Oct 5, 2013 · b604403 · b604403
1 parent 75c1e9c
commit b604403
Show file tree

Hide file tree

Showing 13 changed files with 156 additions and 201 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,9 +1,31 @@
 - 9.7
-(rev:2)
+(rev:3)
 [Change] dshield, spamhaus and projecthoneypot drop lists now only filter traffic sourced
          from addresses in the respective lists to reduce rule counts instead of to/from
          (src & dst)
 [New] added SET_EXPIRE configuration option for controlling deny_hosts ban expiration time
+[Change] internalize a list of local ip addresses and ignore generic to/from allow trust rules
+         on said local ip list to prevent firewall loopholes due to misconfiguration
+[Change] modified tospre/post route function into consolidated tosroute function
+[Change] modified preroute/postroute.rules files to remove callouts to tos functions which
+         are now called prior to the pre/post route file inclusions
+[Change] modified cli allow/deny trust functions for improved sanity checks through consolidated
+         validation callouts
+[Change] preroute rules now load before implicit trust on loopback interface traffic so rules can be
+         applied against loopback traffic if so desired
+[Fix] SYSCTL_CONNTRACK better handles varied kernel and iptables versions to apply value on correct sysctl
+      hook file; nf_conntrack_max or ip_conntrack_max
+[Fix] trust rules refresh cronjob modified to remove MAILTO & SHELL variables which were causing crond
+      'bad minute' errors on some systems
+[Fix] reordered chain flushes on refresh() to avoid any possible packet loss or loss of connectivity
+      from hosts in the allow tables
+[Change] consolidated TMP_DROP and TMP_ALLOW chains into REFRESH_TEMP
+[Fix] restarts in some situations can cause 'iptables: Resource temporarily unavailable' errors, added 2sec
+      sleep delay on restarts between flush() and start() to prevent resource errors
+[Fix] block rules for BLK_PRVNET and BLK_RESNET were being added with no interface modifier and as such had
+      the potential to block traffic over private and loopback interfaces when it was otherwise not intended
+
+(rev:2)
 [Fix] xt/ipt_recent module path changed under RHEL/CentOS 6
 [Fix] kernel version tests for 2.4/2.6 kernel modules failed under kernel 3.x
 [Change] RAB should default to a minimal level of sensitivity; lowered RAB_PSCAN_LEVEL to 1

diff --git a/files/VERSION b/files/VERSION
@@ -1 +1 @@
-version: 9.7-2
+version: 9.7-3
diff --git a/files/allow_hosts.rules b/files/allow_hosts.rules
@@ -4,32 +4,35 @@
 # Trust based rule file to define addresses that are granted all or specific
 # access through the firewall.
 #
-# Format of this file is line-seperated addresses, IP masking is supported.
-# Example:
+# Format of this file is line-seperated FQDN/CIDR addresses.
+# Examples:
 # 192.168.2.1
 # 192.168.5.0/24
-# 
-# advanced usage
+# domain.com
 #
-# The trust rules can be made in advanced format with 4 options
-# (proto:flow:port:ip);
-# 1) protocol: [packet protocol tcp/udp]
-# 2) flow in/out: [packet direction, inbound or outbound]
-# 3) s/d=port: [packet source or destination port]
-# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
-#
-# Syntax:
-# proto:flow:[s/d]=port:[s/d]=ip(/mask)
-# s - source , d - destination , flow - packet flow in/out
+# The trust system supports an advanced rule syntax to allow for more specific
+# trust rules to be created based on protocol, flow, port and address.
 #
+# The advanced syntax format is as follows:
+# protocol	flow	port	        address
+# tcp|udp|any	in|out  src|dst:1-65535 src|dst:FQDN/CIDR address
+# 
+# Protocol:	ip protocl tcp, udp or any
+# Flow: 	traffic flow representing inbound (in) or outbound (out) communication
+# Port:		network port (1-65535); defaults as destination port
+# Address:	network address; defaults as source address
+# Modifier:	src: and dst: can be prefixed on port and address values
+# 
 # Examples:
 # inbound to destination port 22 from 192.168.2.1
-# tcp:in:d=22:s=192.168.2.1
+# tcp in dst:22 src:192.168.2.1
 #
 # outbound to destination port 23 to destination host 192.168.2.1
-# out:d=23:d=192.168.2.1
+# tcp out dst:23 dst:192.168.2.1
 #
 # inbound to destination port 3306 from 192.168.5.0/24
-# d=3306:s=192.168.5.0/24
-#
+# tcp in dst:3306 src:192.168.5.0/24
 ##
+#
+# protocol	flow	port	        address
+# tcp|udp|any	in|out  src|dst:1-65535 src|dst:FQDN/CIDR address
diff --git a/files/apf b/files/apf
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# APF 9.7 [[email protected]]
+# APF 9.7-3 [[email protected]]
 ###
 # Copyright (C) 2002-2011, R-fx Networks <[email protected]>
 # Copyright (C) 2011, Ryan MacDonald <[email protected]>
@@ -20,13 +20,13 @@
 #    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 ###
 #
-VER="9.7"
+VER="9.7-3"
 CNF="/etc/apf/conf.apf"
 
 head() {
-echo "APF version $VER <apf@r-fx.org>"
-echo "Copyright (C) 2002-2011, R-fx Networks <proj@r-fx.org>"
-echo "Copyright (C) 2011, Ryan MacDonald <ryan@r-fx.org>"
+echo "Advanced Policy Firewall (APF) v$VER <apf@rfxn.org>"
+echo "      Copyright (C) 2002-2012, R-fx Networks <proj@rfxn.org>"
+echo "      Copyright (C) 2012, Ryan MacDonald <ryan@rfxn.org>"
 echo "This program may be freely redistributed under the terms of the GNU GPL"
 echo ""
 }
@@ -148,7 +148,7 @@ if [ ! -f "$ALLOW_HOSTS" ]; then
         touch $ALLOW_HOSTS
         chmod 600 $ALLOW_HOSTS
 fi
-# check devel mode
+# check dev mode
 devm
 # generate vnet rules
 $INSTALL_PATH/vnet/vnetgen
@@ -190,6 +190,7 @@ case "$1" in
 
 -r|--restart)
 	$0 --flush
+	sleep 2
 	$0 --start
 	;;
 -a|--allow)

diff --git a/files/conf.apf b/files/conf.apf
@@ -70,12 +70,6 @@ SET_ADDIFACE="0"
 # scale APF to unique situations.
 SET_MONOKERN="0"
 
-# The expiry interval, in seconds, that bans will be expired out of the trust
-# system. This only applies to local bans from deny_hosts.rules and not global
-# import rules. The value must not be less than equiv. seconds of SET_REFRESH.
-# [value in seconds, 0 to disable, recommended 600]
-SET_EXPIRE="0"
-
 # This controls how often, if at all, we want the trust system to refresh rules.
 # The firewall will flush & reload all static rules, redownload global rules and
 # re-resolve any dns names in the rules. This is ideal when using dynamic dns

diff --git a/files/deny_hosts.rules b/files/deny_hosts.rules
@@ -1,34 +1,35 @@
 ##
 # deny_hosts
 #
-# Trust based rule file to define addresses that are implicitly denied.
+# Trust based rule file to define addresses that are denied traffic through the firewall.
 #
-# Format of this file is line-seperated addresses, IP masking is supported.
-# Example:
+# Format of this file is line-seperated FQDN/CIDR addresses.
+# Examples:
 # 192.168.2.1
 # 192.168.5.0/24
-# 
-# advanced usage
+# domain.com
 #
-# The trust rules can be made in advanced format with 4 options
-# (proto:flow:port:ip);
-# 1) protocol: [packet protocol tcp/udp]
-# 2) flow in/out: [packet direction, inbound or outbound]
-# 3) s/d=port: [packet source or destination port]
-# 4) s/d=ip(/xx) [packet source or destination address, masking supported]
+# The trust system supports an advanced rule syntax to allow for more specific
+# trust rules to be created based on protocol, flow, port and address.
 #
-# Syntax:
-# proto:flow:[s/d]=port:[s/d]=ip(/mask)
-# s - source , d - destination , flow - packet flow in/out
+# The advanced syntax format is as follows:
+# protocol	flow	port	address
+# tcp|udp|any	in|out  1-65535 FQDN/CIDR address
+# 
+# Protocol:	ip protocl tcp, udp or any
+# Flow: 	traffic flow representing inbound (in) or outbound (out) communication
+# Port:		network port (1-65535) that the communication will take place on
+# Address:	network address that communication will take place to/from
 #
 # Examples:
 # inbound to destination port 22 from 192.168.2.1
-# tcp:in:d=22:s=192.168.2.1
+# tcp in 22 192.168.2.1
 #
 # outbound to destination port 23 to destination host 192.168.2.1
-# out:d=23:d=192.168.2.1
+# tcp out 23 192.168.2.1
 #
 # inbound to destination port 3306 from 192.168.5.0/24
-# d=3306:s=192.168.5.0/24
-#
+# tcp in 3306 192.168.5.0/24
 ##
+#
+# protocol      flow    port    address
diff --git a/files/firewall b/files/firewall
@@ -80,6 +80,10 @@ fi
 eout "{glob} determined (IFACE_IN) $IFACE_IN has address $NET"
 eout "{glob} determined (IFACE_OUT) $IFACE_OUT has address $NET"
 
+# Load our PREROUTE rules
+tosroute PREROUTING
+. $PRERT
+
 # Allow all traffic on the loopback interface
 $IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
 $IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
@@ -110,9 +114,6 @@ $IPT -A PROHIBIT -j REJECT --reject-with icmp-host-prohibited
 # Fix MTU/MSS Problems
 $IPT -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
-# Load our PREROUTE rules
-. $PRERT
-
 # Block common nonroutable IP networks
 if [ "$BLK_MCATNET" = "1" ]; then
 	dnet $MCATNET
@@ -137,10 +138,10 @@ $IPT -A INPUT -j REFRESH_TEMP
 $IPT -A OUTPUT -j REFRESH_TEMP
 $IPT -A INPUT -j TALLOW
 $IPT -A OUTPUT -j TALLOW
-$IPT -A INPUT -j TDENY
-$IPT -A OUTPUT -j TDENY
 $IPT -A INPUT -j TGALLOW
 $IPT -A OUTPUT -j TGALLOW
+$IPT -A INPUT -j TDENY
+$IPT -A OUTPUT -j TDENY
 $IPT -A INPUT -j TGDENY
 $IPT -A OUTPUT -j TGDENY
 
@@ -298,6 +299,7 @@ if [ "$SYSCTL_ECN" == "1" ]; then
 fi
 
 # Load our POSTROUTE rules
+tosroute POSTROUTING
 . $POSTRT
 
 # Default Output Policies