# Installer Makefile for Alpine Wall
# Copyright (C) 2012-2017 Kaarle Ritvanen
# Copyright (C) 2012-2018 Kaarle Ritvanen
# See LICENSE file for license details
ROOT_DIR := /
......@@ -34,7 +34,8 @@ files += $(2)
endef
$(eval $(call copy,awall,usr/share/lua/$(LUA_VERSION)/awall,lua))
$(eval $(call copy,json,$(resdir)/mandatory,json))
$(eval $(call copy,mandatory,$(resdir)/mandatory,json))
$(eval $(call copy,optional,$(resdir)/optional,json))
$(eval $(call rename,awall-cli,usr/sbin/awall,755))
$(eval $(call rename,sample-policy.json,$(resdir)/sample/sample-policy.json,644))
......
......@@ -455,13 +455,14 @@ whether to consider the source (**src**, default) or destination
defaults to **pass** and cannot be set to any other value.
Filter objects may have an attribute named **dnat**, the value of
which is an IPv4 address. If defined, this enables destination NAT for
all IPv4 packets matching the rule, such that the specified address
replaces the original destination address. If also port translation is
desired, the attribute may be defined as an object consisting of
attributes **addr** and **port**. The format of the **port** attribute
is similar to that of the **to-port** attribute of [NAT
rules](#nat). This option has no effect on IPv6 packets.
which is an IPv4 address or a DNS name resolving to a single IPv4
address. If defined, this enables destination NAT for all IPv4 packets
matching the rule, such that the specified address replaces the
original destination address. If also port translation is desired, the
attribute may be defined as an object consisting of attributes
**addr** and **port**. The format of the **port** attribute is similar
to that of the **to-port** attribute of [NAT rules](#nat). This option
has no effect on IPv6 packets.
Filter objects may have a boolean attribute named **no-track**. If set
to **true**, connection tracking is bypassed for the matching
......
......@@ -2,7 +2,7 @@
--[[
Alpine Wall
Copyright (C) 2012-2018 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -11,6 +11,7 @@ lpc = require('lpc')
posix = require('posix')
signal = posix.signal
stat = posix.stat
stringy = require('stringy')
......@@ -20,7 +21,7 @@ if not table.unpack then table.unpack = unpack end
function help()
io.stderr:write([[
Alpine Wall
Copyright (C) 2012-2018 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
This is free software with ABSOLUTELY NO WARRANTY,
available under the terms of the GNU General Public License, version 2
......@@ -147,11 +148,12 @@ end
if dev_mode then
util.setdefault(pol_paths, 'mandatory', {'/etc/awall'})
table.insert(pol_paths.mandatory, basedir..'/json')
table.insert(pol_paths.mandatory, basedir..'/mandatory')
end
uerror = require('awall.uerror')
call = uerror.call
raise = uerror.raise
if not call(
function()
......@@ -194,7 +196,7 @@ if not call(
repeat
local name = arg[opind]
local policy = policyset.policies[name]
if not policy then uerror.raise('No such policy: '..name) end
if not policy then raise('No such policy: '..name) end
policy[mode](policy)
opind = opind + 1
until opind > #arg
......@@ -202,6 +204,22 @@ if not call(
end
local iptables = require('awall.iptables')
if mode == 'fallback' then
for _, sig in ipairs{'HUP', 'INT', 'PIPE'} do
signal(posix['SIG'..sig], 'SIG_IGN')
end
posix.sleep(10)
printmsg('\nTimeout, reverting to the old configuration')
iptables.revert()
os.exit()
end
local input = policyset:load()
if mode == 'dump' then level = 0 + (arg[opind] or 0) end
......@@ -284,13 +302,10 @@ if not call(
local dumpfile = outputdir and outputdir..'/dump' or sysdumpfile
local iptables = require('awall.iptables')
if mode == 'dump' then dump(level)
elseif mode == 'diff' then
if not posix.stat(dumpfile) then
if not stat(dumpfile) then
printmsg('Please translate or activate first')
os.exit(2)
end
......@@ -320,18 +335,15 @@ if not call(
elseif mode == 'activate' then
iptables.backup()
local function translate()
config:dump()
filedump(sysdumpfile)
end
local pid, interrupted
local interrupted
if not force then
signal(
posix.SIGCHLD,
function()
if pid and lpc.wait(pid, 1) then os.exit(1) end
end
)
for i, sig in ipairs({'INT', 'TERM'}) do
for _, sig in ipairs{'INT', 'TERM'} do
signal(
posix['SIG'..sig],
function()
......@@ -340,11 +352,44 @@ if not call(
end
)
end
end
if not iptables.isenabled() then
local INIT = '/usr/libexec/awall-init'
if not force and stat(INIT) then
printmsg('Firewall is not active')
io.stderr:write(
'Press RETURN to perform initial configuration and activation: '
)
if io.read() then
translate()
for _, family in ipairs(require('awall.family').ACTIVE) do
os.execute(
INIT..' '..
({inet='iptables', inet6='ip6tables'})[family]
)
end
os.exit(0)
end
printmsg('\nCanceled')
os.exit(2)
end
raise('Firewall not enabled in kernel')
end
local stdio, stdout
pid, stdio, stdout = lpc.run(arg[0], 'fallback')
stdio:close()
stdout:close()
iptables.backup()
local pid
if not force then
signal(
posix.SIGCHLD,
function()
if pid and lpc.wait(pid, 1) then os.exit(1) end
end
)
pid = util.run(arg[0], 'fallback')
end
local function kill()
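Review bot: The result of `os.execute(INIT..' '..({inet='iptables', inet6='ip6tables'})[family])` in the initial-configuration branch is discarded, so a failing init script still reaches `os.exit(0)` and the user is told nothing. Because this file also runs on Lua 5.1 (it patches `table.unpack`), where `os.execute` returns a status number rather than `true`/`nil`, check it portably: `local ok = os.execute(...)` and then `if ok ~= true and ok ~= 0 then raise('Initial activation failed for '..family) end`. Note that `translate()` has already written `sysdumpfile` before the script runs, so a failure leaves the dump on disk while the kernel rules may be partial; a short comment on that ordering would help. The enclosing `call(function() ... )` body starts and ends outside this hunk.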
......@@ -375,8 +420,7 @@ if not call(
end
end
config:dump()
filedump(sysdumpfile)
translate()
else
if not force then kill() end
......@@ -384,17 +428,6 @@ if not call(
end
elseif mode == 'fallback' then
for i, sig in ipairs({'HUP', 'PIPE'}) do
signal(posix['SIG'..sig], 'SIG_IGN')
end
posix.sleep(10)
printmsg('\nTimeout, reverting to the old configuration')
iptables.revert()
elseif mode == 'flush' then iptables.flush()
else assert(false) end
......
--[[
Dependency order resolver for Alpine Wall
Copyright (C) 2012-2014 Kaarle Ritvanen
Copyright (C) 2012-2018 Kaarle Ritvanen
See LICENSE file for license details
]]--
local util = require('awall.util')
local contains = util.contains
local sortedkeys = util.sortedkeys
return function(items)
local visited = {}
......@@ -17,8 +18,8 @@ return function(items)
visited[key] = true
local after = util.list(items[key].after)
for k, v in pairs(items) do
if contains(v.before, key) then table.insert(after, k) end
for _, k in sortedkeys(items) do
if contains(items[k].before, key) then table.insert(after, k) end
end
for i, k in ipairs(after) do
if items[k] then
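Review bot: Switching from `pairs(items)` to `sortedkeys(items)` when collecting the `after` list changes the order in which dependents are visited and therefore the resolved order, and nothing records that this is deliberate. A one-line comment such as `-- sorted so the resolution order is deterministic across runs` above the loop would do; the same applies to the outer loop in the second hunk of this file. The enclosing `visit` function and the returned resolver both begin outside this hunk.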
......@@ -30,7 +31,7 @@ return function(items)
table.insert(res, key)
end
for i, k in util.sortedkeys(items) do
for _, k in sortedkeys(items) do
local ek = visit(k)
if ek ~= nil then return ek end
end
......
--[[
Address family module for Alpine Wall
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
local M = {ACTIVE={}, ALL={}}
local stat = require('posix').stat
for family, procfile in pairs{inet='raw', inet6='raw6'} do
table.insert(M.ALL, family)
if stat('/proc/net/'..procfile) then table.insert(M.ACTIVE, family) end
end
return M
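Review bot: `pairs{inet='raw', inet6='raw6'}` gives `M.ALL` and `M.ACTIVE` an unspecified element order, which undercuts the determinism this commit adds elsewhere with `sortedkeys`; consumers such as `actfamilies()` in iptables.lua and `ffrags` in optfrag.lua take their order from these lists. Iterate a fixed sequence instead: `local PROCFILES = {inet='raw', inet6='raw6'}`, `for _, family in ipairs{'inet', 'inet6'} do`, and `if stat('/proc/net/'..PROCFILES[family]) then table.insert(M.ACTIVE, family) end`. The `stat` calls also run once at require time, so `ACTIVE` reflects the kernel state when the module was first loaded; a comment saying so would save a later reader from assuming it is re-evaluated.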
--[[
Host address resolver for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -29,21 +29,20 @@ function M.resolve(host, context)
if not dnscache[host] then
dnscache[host] = {}
for rec in io.popen('dig -t ANY '..host):lines() do
local name, rtype, addr =
rec:match(
'^('..familypatterns.domain..')%s+%d+%s+IN%s+(A+)%s+(.+)'
)
if name and name:sub(1, host:len() + 1) == host..'.' then
if rtype == 'A' then family = 'inet'
elseif rtype == 'AAAA' then family = 'inet6'
else family = nil end
if family then
assert(getfamily(addr, context) == family)
table.insert(dnscache[host], {family, addr})
end
for family, rtype in pairs{inet='A', inet6='AAAA'} do
local answer
for rec in io.popen('drill '..host..' '..rtype):lines() do
if answer then
if rec == '' then break end
local addr = rec:match(
'^'..familypatterns.domain..'%s+%d+%s+IN%s+'..rtype..
'%s+(.+)'
)
if addr then
assert(getfamily(addr, context) == family)
table.insert(dnscache[host], {family, addr})
end
elseif rec == ';; ANSWER SECTION:' then answer = true end
end
end
if not dnscache[host][1] then
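Review bot: `host` is still spliced unquoted into the `io.popen('drill '..host..' '..rtype)` command line, so a policy value containing shell metacharacters reaches the shell; validate it against the same domain pattern the reply parser already uses before it is used, e.g. `if not host:match('^'..familypatterns.domain..'$') then error('Invalid host name: '..host) end` (using whichever error path this module prefers), or quote it if a helper such as `util.quote` is in scope here. The handle returned by `io.popen` is never closed either, so a missing or failing `drill` is indistinguishable from "no records" and the child is only reaped on garbage collection; keep the handle in a local and close it after the loop, checking its status where the Lua version reports one. `M.resolve` begins outside the hunk.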
......
--[[
Ipset file dumper for Alpine Wall
Copyright (C) 2012-2016 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -20,10 +20,11 @@ end
function IPSet:create()
for name, ipset in pairs(self.config) do
local pid = lpc.run(
'ipset', '-!', 'create', name, table.unpack(ipset.options)
)
if lpc.wait(pid) ~= 0 then
if not lpc.wait(
util.run(
'ipset', '-!', 'create', name, table.unpack(ipset.options)
)
) ~= 0 then
util.printmsg('ipset creation failed: '..name)
end
end
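Review bot: The new condition `if not lpc.wait(util.run(...)) ~= 0 then` is always true: in Lua `not` binds tighter than `~=`, so it parses as `(not status) ~= 0`, a boolean compared with a number. As written every ipset creation prints "ipset creation failed", and a genuine non-zero exit is no longer distinguished from success. Drop the `not` so the test matches the original logic: `if lpc.wait(util.run('ipset', '-!', 'create', name, table.unpack(ipset.options))) ~= 0 then`.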
......
--[[
Iptables file dumper for Alpine Wall
Copyright (C) 2012-2016 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
local class = require('awall.class')
local ACTIVE = require('awall.family').ACTIVE
local raise = require('awall.uerror').raise
local util = require('awall.util')
......@@ -13,8 +14,8 @@ local printmsg = util.printmsg
local sortedkeys = util.sortedkeys
local mkdir = require('posix').mkdir
local lpc = require('lpc')
local posix = require('posix')
local M = {}
......@@ -37,6 +38,21 @@ M.builtin = {
local backupdir = '/var/run/awall'
local _actfamilies
local function actfamilies()
if _actfamilies then return _actfamilies end
_actfamilies = {}
for _, family in ipairs(ACTIVE) do
if posix.stat(families[family].procfile) then
table.insert(_actfamilies, family)
else printmsg('Warning: firewall not enabled for '..family) end
end
return _actfamilies
end
function M.isenabled() return #actfamilies() > 0 end
local BaseIPTables = class()
function BaseIPTables:print()
......@@ -55,27 +71,15 @@ function BaseIPTables:dump(dir)
end
function BaseIPTables:restore(test)
local disabled = true
for family, params in pairs(families) do
local file = io.open(params.procfile)
if file then
io.close(file)
local pid, stdin, stdout = lpc.run(
params.cmd..'-restore', table.unpack{test and '-t' or nil}
)
stdout:close()
self:dumpfile(family, stdin)
stdin:close()
assert(lpc.wait(pid) == 0)
disabled = false
elseif test then printmsg('Warning: '..family..' rules not tested') end
for _, family in ipairs(actfamilies()) do
local pid, stdin, stdout = lpc.run(
families[family].cmd..'-restore', table.unpack{test and '-t' or nil}
)
stdout:close()
self:dumpfile(family, stdin)
stdin:close()
assert(lpc.wait(pid) == 0)
end
if disabled then raise('Firewall not enabled in kernel') end
end
function BaseIPTables:activate()
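Review bot: `BaseIPTables:restore` no longer raises when no family is active — the `disabled` flag and `raise('Firewall not enabled in kernel')` are gone, so with an empty `actfamilies()` the loop body never runs and restore returns as if it succeeded. The only replacement check visible is `iptables.isenabled()` in the awall-cli activate branch; other callers, including `M.flush` in this file which ends with `empty:restore(false)`, would now silently do nothing unless guarded elsewhere — please confirm. If that is unintended, keep the check at the top of restore: `if not M.isenabled() then raise('Firewall not enabled in kernel') end`. Separately, `M.flush` iterates `actfamilies()` with `pairs` where restore uses `ipairs`; use `ipairs` there too, since it is a sequence.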
......@@ -142,7 +146,7 @@ end
function M.backup()
mkdir(backupdir)
posix.mkdir(backupdir)
Current():dump(backupdir)
end
......@@ -150,16 +154,13 @@ function M.revert() Backup():activate() end
function M.flush()
local empty = M.IPTables()
for family, params in pairs(families) do
local success, lines = pcall(io.lines, params.procfile)
if success then
for tbl in lines do
if M.builtin[tbl] then
for i, chain in ipairs(M.builtin[tbl]) do
empty.config[family][tbl][chain] = {}
end
else printmsg('Warning: not flushing unknown table: '..tbl) end
end
for _, family in pairs(actfamilies()) do
for tbl in io.lines(families[family].procfile) do
if M.builtin[tbl] then
for _, chain in ipairs(M.builtin[tbl]) do
empty.config[family][tbl][chain] = {}
end
else printmsg('Warning: not flushing unknown table: '..tbl) end
end
end
empty:restore(false)
......
--[[
Base data model for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -10,11 +10,11 @@ local M = {}
local loadclass = require('awall').loadclass
M.class = require('awall.class')
local FAMILIES = require('awall.family').ALL
local resolvelist = require('awall.host').resolvelist
local builtin = require('awall.iptables').builtin
local optfrag = require('awall.optfrag')
local FAMILIES = optfrag.FAMILIES
local combinations = optfrag.combinations
local prune = optfrag.prune
......@@ -125,7 +125,7 @@ function M.Zone:optfrags(dir)
local aopts = nil
if self.addr then
aopts = {}
for _, addr in resolvelist(self.addr) do
for _, addr in resolvelist(self.addr, self) do
table.insert(
aopts,
{family=addr[1], [aprop]=addr[2], match='-'..aopt..' '..addr[2]}
......@@ -591,7 +591,7 @@ function M.Rule:trules()
end
ofrags = filter(
combinations(ofrags, optfrag.FAMILYFRAGS),
combinations(ofrags, optfrag.FAMILIES),
function(r) return self:trulefilter(r) end
)
......
--[[
Filter module for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
local loadclass = require('awall').loadclass
local FAMILIES = require('awall.family').ALL
local resolve = require('awall.host').resolve
local model = require('awall.model')
local class = model.class
local Rule = model.Rule
local optfrag = require('awall.optfrag')
local combinations = optfrag.combinations
local combinations = require('awall.optfrag').combinations
local util = require('awall.util')
local contains = util.contains
......@@ -100,7 +100,34 @@ local TranslatingRule = class(Rule)
function TranslatingRule:init(...)
TranslatingRule.super(self):init(...)
if type(self.dnat) == 'string' then self.dnat = {addr=self.dnat} end
if self.dnat then
if self.ipset then
self:error('dnat and ipset options cannot be used simultaneously')
end
if type(self.dnat) == 'string' then self.dnat = {addr=self.dnat} end
if self.dnat.addr:find('/') then
self:error('DNAT target cannot be a network address')
end
local dnataddr
for _, addr in ipairs(resolve(self.dnat.addr, self)) do
if addr[1] == 'inet' then
if dnataddr then
self:error(
self.dnat.addr..' resolves to multiple IPv4 addresses'
)
end
dnataddr = addr[2]
end
end
if not dnataddr then
self:error(self.dnat.addr..' does not resolve to any IPv4 address')
end
self.dnat.addr = dnataddr
end
end
function TranslatingRule:destoptfrags()
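Review bot: `self.dnat.addr:find('/')` in the new `TranslatingRule:init` dereferences `addr` without checking it exists, so a policy using the object form without it (`"dnat": { "port": 8080 }`) fails with a raw "attempt to index a nil value" instead of a policy error. Guard it before the `find`: `if type(self.dnat.addr) ~= 'string' then self:error('dnat address missing or invalid') end`. The ipset exclusion moved into init while the no-track exclusion stays in `Filter:extratrules`; a comment on why the two are split (or moving the second one here if `self['no-track']` is already set at init time) would make the intent clear.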
......@@ -274,34 +301,12 @@ function Filter:extratrules()
if self['no-track'] then
self:error('dnat option not allowed with no-track')
end
if self.ipset then
self:error('dnat and ipset options cannot be used simultaneously')
end
if self.dnat.addr:find('/') then
self:error('DNAT target cannot be a network address')
end
local dnataddr
for i, addr in ipairs(resolve(self.dnat.addr, self)) do
if addr[1] == 'inet' then
if dnataddr then
self:error(
self.dnat.addr..' resolves to multiple IPv4 addresses'
)
end
dnataddr = addr[2]
end
end
if not dnataddr then
self:error(self.dnat.addr..' does not resolve to any IPv4 address')
end
extrarules(
'dnat',
'dnat',
{
update={['to-addr']=dnataddr, ['to-port']=self.dnat.port},
update={['to-addr']=self.dnat.addr, ['to-port']=self.dnat.port},
discard='out'
}
)
......@@ -444,7 +449,7 @@ local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}
local function stateful(config)
local res = {}
for _, family in ipairs(optfrag.FAMILIES) do
for _, family in ipairs(FAMILIES) do
local er = combinations(
fchains,
......
......@@ -54,29 +54,31 @@ function Log:optfrags()
local targets = {}
if mode then
local optmap = {
log={level='level', prefix='prefix'},
nflog={
group='group',
prefix='prefix',
range='size',
threshold='threshold'
},
ulog={
group='nlgroup',
prefix='prefix',
range='cprange',
threshold='qthreshold'
local optmap = (
{
log={level='level', prefix='prefix'},
nflog={
group='group',
prefix='prefix',
range='size',
threshold='threshold'
},
ulog={
group='nlgroup',
prefix='prefix',
range='cprange',
threshold='qthreshold'
}
}
}
if not optmap[mode] then self:error('Invalid logging mode: '..mode) end
)[mode]
if not optmap then self:error('Invalid logging mode: '..mode) end
local target = mode:upper()
for s, t in pairs(optmap[mode]) do
for _, s in util.sortedkeys(optmap) do
local value = self[s]
if value then
if s == 'prefix' then value = util.quote(value) end
target = target..' --'..mode..'-'..t..' '..value
target = target..' --'..mode..'-'..optmap[s]..' '..value
end
end
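Review bot: The logging option table at the top of `Log:optfrags` is rebuilt on every call and then indexed through a parenthesised literal, which reads oddly; hoisting it to a module-level `local OPTMAPS = { log = {...}, nflog = {...}, ulog = {...} }` and writing `local optmap = OPTMAPS[mode]` preserves behaviour and makes the table a visible constant. The move to `util.sortedkeys(optmap)` deserves a one-line comment, since the iteration order now fixes the order of the generated `--<mode>-<opt>` arguments. `Log:optfrags` begins before the hunk.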
......@@ -85,7 +87,7 @@ function Log:optfrags()
)
end
for _, addr in resolvelist(self.mirror) do
for _, addr in resolvelist(self.mirror, self) do
table.insert(targets, {family=addr[1], target='TEE --gateway '..addr[2]})
end
......
--[[
Packet marking module for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -40,7 +40,7 @@ end
local function restoremark(config)
if list(config['route-track'])[1] then
return combinations(
optfrag.FAMILYFRAGS,
optfrag.FAMILIES,
{{chain='OUTPUT'}, {chain='PREROUTING'}},
{
{
......
--[[
Transparent proxy module for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -59,7 +59,7 @@ local function divert(config)
ofrags,
{chain='PREROUTING', match='-m socket', target='divert'}
)
return combinations(optfrag.FAMILYFRAGS, {{table='mangle'}}, ofrags)
return combinations(optfrag.FAMILIES, {{table='mangle'}}, ofrags)
end
end
......
--[[
Option fragment module for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
local M = {}
local FAMILIES = require('awall.family').ALL
local util = require('awall.util')
local map = util.map
......@@ -14,8 +16,7 @@ local function ffrags(families)
return map(families, function(f) return {family=f} end)
end
M.FAMILIES = {'inet', 'inet6'}
M.FAMILYFRAGS = ffrags(M.FAMILIES)
M.FAMILIES = ffrags(FAMILIES)
function M.combinations(of1, ...)
local arg = {...}
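Review bot: `M.FAMILIES` keeps its name but changes type — it used to be the list of family names and is now the list of `{family=...}` fragments formerly exported as `FAMILYFRAGS`, so any out-of-tree caller reading it for names now gets tables. A short comment above the assignment, such as `-- option fragments ({family=...}) for every known family; plain names live in awall.family.ALL`, would record the repurposing. The body of `M.combinations` continues past the hunk.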
......
--[[
Utility module for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen
Copyright (C) 2012-2019 Kaarle Ritvanen
See LICENSE file for license details
]]--
local M = {}
local lpc = require('lpc')
function M.split(s, sep)
if s == '' then return {} end
local res = {}
......@@ -150,4 +153,12 @@ function M.printtabular(tbl) M.printtabulars({tbl}) end
function M.printmsg(msg) io.stderr:write(msg..'\n') end
function M.run(...)
local pid, stdin, stdout = lpc.run(...)
stdin:close()
stdout:close()
return pid
end
return M
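Review bot: `M.run` is undocumented, and it differs from `lpc.run` in a way callers must know: both pipes are closed immediately, so the child sees EOF on stdin and its output is discarded, and the caller still has to reap the pid with `lpc.wait` (as ipset.lua and awall-cli do). Add an LDoc block: `--- Spawn a process via lpc.run, closing both pipes at once.`, `-- @param ... command and arguments, as for lpc.run`, `-- @return pid to pass to lpc.wait`. If `lpc.run` can return nil on failure, `stdin:close()` would raise here — confirm its contract.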
......@@ -84,6 +84,7 @@
{ "proto": "udp", "port": 139 }
],
"ntp": { "proto": "udp", "port": 123 },
"openvpn": { "proto": "udp", "port": 1194 },
"ospf": { "proto": "ospf" },
"pgsql": { "proto": "tcp", "port": 5432 },
"ping": [
......
{
"description": "Allow DHCP",
"filter": [
{ "in": "$adp_dhcp_zones", "out": "_fw", "service": "dhcp" },
{ "in": "_fw", "out": "$adp_dhcp_zones", "service": "dhcp" }
]
}
{
"description": "HTTP server",
"filter": [ { "out": "_fw", "service": "http" } ]
}
{
"description": "NTP client",
"filter": [
{ "in": "_fw", "out": "adp-wan", "service": [ "dns", "ntp" ] }
]
}
{
"description": "Allow ICMP echo request",
"after": "adp-router",
"filter": [
{ "in": "adp-wan", "service": "ping", "flow-limit": 3 },
{ "service": "ping" }
]
}
{
"description": "Router",
"before": "adp-config",
"variable": { "adp_router_policy": "accept" },
"zone": {
"adp-lan": {
"iface": "$adp_lan_ifaces", "addr": "$adp_lan_addrs"
}
},
"filter": [
{
"in": "adp-wan",
"dest": "$adp_lan_private_addrs",
"action": "drop"
}
],
"policy": [
{
"in": "adp-lan",
"out": "adp-wan",
"action": "$adp_router_policy"
}
],
"snat": [ { "out": "adp-wan", "src": "$adp_lan_private_addrs" } ]
}
{
"description": "SSH server",
"filter": [
{
"in": "adp-wan",
"out": "_fw",
"service": "ssh",
"conn-limit": { "count": 1, "interval": 10 }
},
{ "out": "_fw", "service": "ssh" }
]
}
{
"description": "Web client",
"before": "adp-config",
"variable": { "adp_web_client_zones": "_fw" },
"filter": [
{
"in": "$adp_web_client_zones",
"out": "adp-wan",
"service": [ "dns", "http", "https" ]
}
]
}
......@@ -2,12 +2,14 @@
"log": {
"dual": { "mode": "log", "mirror": "fc00::1" },
"mirror": { "mirror": [ "10.0.0.1", "10.0.0.2", "fc00::2" ] },
"nflog": { "mode": "nflog", "group": 1, "range": 128 },
"none": { "mode": "none" },
"ulog": { "mode": "ulog", "limit": { "interval": 5 } }
},
"packet-log": [
{ "out": "_fw" },
{ "out": "_fw", "log": "mirror" },
{ "out": "_fw", "log": "nflog" },
{ "out": "_fw", "log": "ulog" }
],
"filter": [
......
{
"filter": [
{
"in": "A",
"dest": "192.168.0.1",
"service": "smtp",
"dnat": "10.0.0.1"
},
{
"in": "A",
"dest": "192.168.0.2",
"service": "http",
"dnat": { "addr": "10.0.0.2", "port": 8080 }
}
]
}
......@@ -8085,6 +8085,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -8141,7 +8144,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -8251,6 +8259,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -10306,6 +10317,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -13186,6 +13198,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
......@@ -1950,6 +1950,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......
......@@ -571,6 +571,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......
# ipset awall-masquerade
hash:net family inet
# rules-save generated by awall
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
:logpass-3 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
-A FORWARD
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-0
-A FORWARD -j logdrop-1
-A FORWARD -j logpass-0
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-1
-A FORWARD -j logaccept-2
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-2
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -j logpass-3
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth0 -o eth4 -j ACCEPT
-A FORWARD -i eth0 -o eth5 -j ACCEPT
-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth4 -o eth0 -j ACCEPT
-A FORWARD -i eth5 -o eth0 -j ACCEPT
-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -i eth4 -o eth4 -j ACCEPT
-A FORWARD -i eth4 -o eth5 -j ACCEPT
-A FORWARD -i eth5 -o eth4 -j ACCEPT
-A FORWARD -i eth5 -o eth5 -j ACCEPT
-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 25 -d 10.0.0.1 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -d 10.0.0.2 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logdrop-0
-A INPUT
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-0
-A INPUT -j logdrop-1
-A INPUT -j logpass-0
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -j logpass-1
-A INPUT -j logaccept-2
-A INPUT -j logdrop-3
-A INPUT -j logpass-2
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -j logpass-3
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-0
-A OUTPUT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-0
-A OUTPUT -j logdrop-1
-A OUTPUT -j logpass-0
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-1
-A OUTPUT -j logaccept-2
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-2
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j logpass-3
-A OUTPUT -m limit --limit 12/minute -j ULOG
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A OUTPUT -p icmp -j icmp-routing
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 12 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j LOG
-A logaccept-1 -j ACCEPT
-A logaccept-2 -j TEE --gateway 10.0.0.1
-A logaccept-2 -j TEE --gateway 10.0.0.2
-A logaccept-2 -j ACCEPT
-A logaccept-3 -m limit --limit 12/minute -j ULOG
-A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -j LOG
-A logdrop-2 -j DROP
-A logdrop-3 -j TEE --gateway 10.0.0.1
-A logdrop-3 -j TEE --gateway 10.0.0.2
-A logdrop-3 -j DROP
-A logdrop-4 -m limit --limit 12/minute -j ULOG
-A logdrop-4 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-2 -j TEE --gateway 10.0.0.1
-A logpass-2 -j TEE --gateway 10.0.0.2
-A logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2
-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2
-A INPUT -j MARK --set-mark 3
-A OUTPUT -j MARK --set-mark 1
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3
-A PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:awall-masquerade - [0:0]
-A INPUT -j MASQUERADE
-A OUTPUT -j REDIRECT
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
-A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade
-A PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.0.1 -j DNAT --to-destination 10.0.0.1
-A PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.0.2 -j DNAT --to-destination 10.0.0.2:8080
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
-A PREROUTING -i eth0 -j CT --notrack
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
# rules6-save generated by awall
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:icmp-routing - [0:0]
:logaccept-0 - [0:0]
:logaccept-1 - [0:0]
:logaccept-2 - [0:0]
:logaccept-3 - [0:0]
:logdrop-0 - [0:0]
:logdrop-1 - [0:0]
:logdrop-2 - [0:0]
:logdrop-3 - [0:0]
:logdrop-4 - [0:0]
:logpass-0 - [0:0]
:logpass-1 - [0:0]
:logpass-2 - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j logdrop-0
-A FORWARD
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-0
-A FORWARD -j logdrop-1
-A FORWARD -j logpass-0
-A FORWARD -j logaccept-1
-A FORWARD -j logdrop-2
-A FORWARD -j logpass-1
-A FORWARD -j logaccept-2
-A FORWARD -j logdrop-3
-A FORWARD -j logpass-2
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
-A FORWARD -j logaccept-3
-A FORWARD -j logdrop-4
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth0 -o eth4 -j ACCEPT
-A FORWARD -i eth0 -o eth5 -j ACCEPT
-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth4 -o eth0 -j ACCEPT
-A FORWARD -i eth5 -o eth0 -j ACCEPT
-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -i eth4 -o eth4 -j ACCEPT
-A FORWARD -i eth4 -o eth5 -j ACCEPT
-A FORWARD -i eth5 -o eth4 -j ACCEPT
-A FORWARD -i eth5 -o eth5 -j ACCEPT
-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j logdrop-0
-A INPUT
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-0
-A INPUT -j logdrop-1
-A INPUT -j logpass-0
-A INPUT -j logaccept-1
-A INPUT -j logdrop-2
-A INPUT -j logpass-1
-A INPUT -j logaccept-2
-A INPUT -j logdrop-3
-A INPUT -j logpass-2
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
-A INPUT -j logaccept-3
-A INPUT -j logdrop-4
-A INPUT -i eth0 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j logdrop-0
-A OUTPUT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-0
-A OUTPUT -j logdrop-1
-A OUTPUT -j logpass-0
-A OUTPUT -j logaccept-1
-A OUTPUT -j logdrop-2
-A OUTPUT -j logpass-1
-A OUTPUT -j logaccept-2
-A OUTPUT -j logdrop-3
-A OUTPUT -j logpass-2
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
-A OUTPUT -j logaccept-3
-A OUTPUT -j logdrop-4
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A logaccept-0 -m limit --limit 1/second -j LOG
-A logaccept-0 -j ACCEPT
-A logaccept-1 -j LOG
-A logaccept-1 -j TEE --gateway fc00::1
-A logaccept-1 -j ACCEPT
-A logaccept-2 -j TEE --gateway fc00::2
-A logaccept-2 -j ACCEPT
-A logaccept-3 -j ACCEPT
-A logdrop-0 -m limit --limit 1/second -j LOG
-A logdrop-0 -j DROP
-A logdrop-1 -m limit --limit 1/second -j LOG
-A logdrop-1 -j DROP
-A logdrop-2 -j LOG
-A logdrop-2 -j TEE --gateway fc00::1
-A logdrop-2 -j DROP
-A logdrop-3 -j TEE --gateway fc00::2
-A logdrop-3 -j DROP
-A logdrop-4 -j DROP
-A logpass-0 -m limit --limit 1/second -j LOG
-A logpass-1 -j LOG
-A logpass-1 -j TEE --gateway fc00::1
-A logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A INPUT -j MARK --set-mark 3
-A OUTPUT -j MARK --set-mark 1
-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3
-A PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
-A PREROUTING -i eth0 -j CT --notrack
-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
......@@ -59513,6 +59513,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -59569,7 +59572,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
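Review bot: The two expected NFLOG lines (`inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128` and its inet6 twin) carry no `-m limit`, while the ulog case kept just below still emits `-m limit --limit 12/minute`, so nothing in this hunk pins that a `limit` attribute on a `"mode":"nflog"` log object is honoured; an unlimited NFLOG rule on INPUT lets any remote sender saturate the userspace logger. A further case along the lines of `Packet-log N {"log":"nflog-limited","out":"_fw"}` expecting `-m limit --limit … -j NFLOG …` would cover that, assuming the generator accepts `limit` for this mode as it evidently does for ulog. `--nflog-size` is also the newer iptables spelling (older releases only know `--nflog-range`), so the documentation of the `range` attribute should state the minimum iptables version these expectations imply — inferred from the option name, not visible here. The `"mode":"none"` object added a few lines up is likewise not exercised by any Packet-log case visible in this chunk.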
......@@ -59679,6 +59687,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -68693,6 +68704,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -100475,6 +100487,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
......@@ -8909,6 +8909,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -8882,6 +8882,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
......@@ -433,6 +433,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -489,7 +492,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -599,6 +607,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -804,6 +815,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -1022,6 +1034,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......@@ -100,6 +100,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -73,6 +73,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......@@ -429,6 +429,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"}
(log)
......@@ -485,7 +488,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"}
Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG
......@@ -595,6 +603,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"}
(services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"}
(services)
......@@ -796,6 +807,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG
......@@ -1018,6 +1030,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
......@@ -96,6 +96,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2