...@@ -202,6 +202,22 @@ if not call( ...@@ -202,6 +202,22 @@ if not call(
end end
local iptables = require('awall.iptables')
if mode == 'fallback' then
for _, sig in ipairs{'HUP', 'INT', 'PIPE'} do
signal(posix['SIG'..sig], 'SIG_IGN')
end
posix.sleep(10)
printmsg('\nTimeout, reverting to the old configuration')
iptables.revert()
os.exit()
end
local input = policyset:load() local input = policyset:load()
if mode == 'dump' then level = 0 + (arg[opind] or 0) end if mode == 'dump' then level = 0 + (arg[opind] or 0) end
...@@ -284,9 +300,6 @@ if not call( ...@@ -284,9 +300,6 @@ if not call(
local dumpfile = outputdir and outputdir..'/dump' or sysdumpfile local dumpfile = outputdir and outputdir..'/dump' or sysdumpfile
local iptables = require('awall.iptables')
if mode == 'dump' then dump(level) if mode == 'dump' then dump(level)
elseif mode == 'diff' then elseif mode == 'diff' then
...@@ -384,17 +397,6 @@ if not call( ...@@ -384,17 +397,6 @@ if not call(
end end
elseif mode == 'fallback' then
for i, sig in ipairs({'HUP', 'PIPE'}) do
signal(posix['SIG'..sig], 'SIG_IGN')
end
posix.sleep(10)
printmsg('\nTimeout, reverting to the old configuration')
iptables.revert()
elseif mode == 'flush' then iptables.flush() elseif mode == 'flush' then iptables.flush()
else assert(false) end else assert(false) end
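Review bot: `os.exit()` closing the relocated fallback branch in the first hunk (`@@ -202,6 +202,22`) exits with the default success status even though that path is reached only after the 10-second timeout expired and `iptables.revert()` ran, so anything that inspects the fallback process's status cannot tell a reverted activation from a confirmed one; if the status matters, `os.exit(1)` would be clearer, and the result of `iptables.revert()` is discarded as well. The new branch also ignores `INT` in addition to the `HUP` and `PIPE` the deleted branch (`@@ -384,17 +397,6`) handled, which deserves a line of explanation such as `-- ignore terminal-driven signals so the timer survives an interrupt in the parent session and still reverts`, presumably the intent. The rendered view shows only 10 of the 16 added lines, so blank lines were probably dropped, and the enclosing `if not call(` block starts before the hunk.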
--[[ --[[
Dependency order resolver for Alpine Wall Dependency order resolver for Alpine Wall
Copyright (C) 2012-2014 Kaarle Ritvanen Copyright (C) 2012-2018 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
local util = require('awall.util') local util = require('awall.util')
local contains = util.contains local contains = util.contains
local sortedkeys = util.sortedkeys
return function(items) return function(items)
local visited = {} local visited = {}
...@@ -17,8 +18,8 @@ return function(items) ...@@ -17,8 +18,8 @@ return function(items)
visited[key] = true visited[key] = true
local after = util.list(items[key].after) local after = util.list(items[key].after)
for k, v in pairs(items) do for _, k in sortedkeys(items) do
if contains(v.before, key) then table.insert(after, k) end if contains(items[k].before, key) then table.insert(after, k) end
end end
for i, k in ipairs(after) do for i, k in ipairs(after) do
if items[k] then if items[k] then
...@@ -30,7 +31,7 @@ return function(items) ...@@ -30,7 +31,7 @@ return function(items)
table.insert(res, key) table.insert(res, key)
end end
for i, k in util.sortedkeys(items) do for _, k in sortedkeys(items) do
local ek = visit(k) local ek = visit(k)
if ek ~= nil then return ek end if ek ~= nil then return ek end
end end
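Review bot: The switch from `pairs` to `sortedkeys` in both hunks carries no comment saying why, and the reason — that the resolved dependency order, and therefore the order of the generated firewall rules, becomes reproducible across runs instead of depending on table hash order — is exactly the invariant a later maintainer could undo by "simplifying" back to `pairs`; a line such as `-- sorted iteration keeps the resolution order, and so the generated rule order, deterministic` above the first loop would pin it. `util.list(items[key].after)` is then appended to with `table.insert`, which is only safe if `util.list` returns a fresh table rather than the caller's own list; worth confirming since it is defined outside this file. The enclosing `visit` function and the module's returned function both extend beyond the hunks.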
--[[ --[[
Host address resolver for Alpine Wall Host address resolver for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen Copyright (C) 2012-2018 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
...@@ -29,7 +29,7 @@ function M.resolve(host, context) ...@@ -29,7 +29,7 @@ function M.resolve(host, context)
if not dnscache[host] then if not dnscache[host] then
dnscache[host] = {} dnscache[host] = {}
for rec in io.popen('dig -t ANY '..host):lines() do for rec in io.popen('dig '..host..' A '..host..' AAAA'):lines() do
local name, rtype, addr = local name, rtype, addr =
rec:match( rec:match(
'^('..familypatterns.domain..')%s+%d+%s+IN%s+(A+)%s+(.+)' '^('..familypatterns.domain..')%s+%d+%s+IN%s+(A+)%s+(.+)'
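Review bot: `host` is spliced into the `io.popen` command line unquoted on the new side of the hunk, so the safety of this call rests entirely on the host value having been validated as a plain domain name before `M.resolve` is reached; unless that check is known to exist upstream, a guard such as `if not host:match('^'..familypatterns.domain..'$') then error('Invalid host name: '..host) end` immediately before the `io.popen` call keeps the shell out of reach of anything that is not a hostname (the same concern applied to the removed `dig -t ANY` form). The handle returned by `io.popen` is also never closed or checked, so an absent `dig` binary or a failing lookup leaves `dnscache[host]` as an empty list and the affected rules silently match nothing; assigning the handle to a local and checking the result of `f:close()` after the loop, reporting failure through the module's usual error path, would make that visible. Replacing the `ANY` query with explicit `A`/`AAAA` queries is a sound change given how many resolvers now refuse `ANY`. `M.resolve` starts before the hunk.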
--[[ --[[
Base data model for Alpine Wall Base data model for Alpine Wall
Copyright (C) 2012-2017 Kaarle Ritvanen Copyright (C) 2012-2018 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
...@@ -125,7 +125,7 @@ function M.Zone:optfrags(dir) ...@@ -125,7 +125,7 @@ function M.Zone:optfrags(dir)
local aopts = nil local aopts = nil
if self.addr then if self.addr then
aopts = {} aopts = {}
for _, addr in resolvelist(self.addr) do for _, addr in resolvelist(self.addr, self) do
table.insert( table.insert(
aopts, aopts,
{family=addr[1], [aprop]=addr[2], match='-'..aopt..' '..addr[2]} {family=addr[1], [aprop]=addr[2], match='-'..aopt..' '..addr[2]}
...@@ -54,29 +54,31 @@ function Log:optfrags() ...@@ -54,29 +54,31 @@ function Log:optfrags()
local targets = {} local targets = {}
if mode then if mode then
local optmap = { local optmap = (
log={level='level', prefix='prefix'}, {
nflog={ log={level='level', prefix='prefix'},
group='group', nflog={
prefix='prefix', group='group',
range='size', prefix='prefix',
threshold='threshold' range='size',
}, threshold='threshold'
ulog={ },
group='nlgroup', ulog={
prefix='prefix', group='nlgroup',
range='cprange', prefix='prefix',
threshold='qthreshold' range='cprange',
threshold='qthreshold'
}
} }
} )[mode]
if not optmap[mode] then self:error('Invalid logging mode: '..mode) end if not optmap then self:error('Invalid logging mode: '..mode) end
local target = mode:upper() local target = mode:upper()
for s, t in pairs(optmap[mode]) do for _, s in util.sortedkeys(optmap) do
local value = self[s] local value = self[s]
if value then if value then
if s == 'prefix' then value = util.quote(value) end if s == 'prefix' then value = util.quote(value) end
target = target..' --'..mode..'-'..t..' '..value target = target..' --'..mode..'-'..optmap[s]..' '..value
end end
end end
...@@ -85,7 +87,7 @@ function Log:optfrags() ...@@ -85,7 +87,7 @@ function Log:optfrags()
) )
end end
for _, addr in resolvelist(self.mirror) do for _, addr in resolvelist(self.mirror, self) do
table.insert(targets, {family=addr[1], target='TEE --gateway '..addr[2]}) table.insert(targets, {family=addr[1], target='TEE --gateway '..addr[2]})
end end
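Review bot: On the new side of the first hunk (`@@ -54,29 +54,31`), only the `prefix` value is passed through `util.quote` before being concatenated into the target string at `target = target..' --'..mode..'-'..optmap[s]..' '..value`; `group`, `range` and `threshold` are appended as-is, so a string value containing whitespace would end up as additional iptables arguments. If the model does not already constrain those fields to integers, a check such as `if s ~= 'prefix' and type(value) ~= 'number' then self:error('Invalid value for '..s..': '..tostring(value)) end` inside the loop would keep the emitted rule to exactly one option per field (this is pre-existing behaviour that the restructuring keeps). Building the whole option table inside `(...)[mode]` on every call is also slightly harder to read than a module-level constant indexed by `mode`, although it behaves the same. `Log:optfrags` starts before the first hunk and continues past the second.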
...@@ -84,6 +84,7 @@ ...@@ -84,6 +84,7 @@
{ "proto": "udp", "port": 139 } { "proto": "udp", "port": 139 }
], ],
"ntp": { "proto": "udp", "port": 123 }, "ntp": { "proto": "udp", "port": 123 },
"openvpn": { "proto": "udp", "port": 1194 },
"ospf": { "proto": "ospf" }, "ospf": { "proto": "ospf" },
"pgsql": { "proto": "tcp", "port": 5432 }, "pgsql": { "proto": "tcp", "port": 5432 },
"ping": [ "ping": [
...@@ -2,12 +2,14 @@ ...@@ -2,12 +2,14 @@
"log": { "log": {
"dual": { "mode": "log", "mirror": "fc00::1" }, "dual": { "mode": "log", "mirror": "fc00::1" },
"mirror": { "mirror": [ "10.0.0.1", "10.0.0.2", "fc00::2" ] }, "mirror": { "mirror": [ "10.0.0.1", "10.0.0.2", "fc00::2" ] },
"nflog": { "mode": "nflog", "group": 1, "range": 128 },
"none": { "mode": "none" }, "none": { "mode": "none" },
"ulog": { "mode": "ulog", "limit": { "interval": 5 } } "ulog": { "mode": "ulog", "limit": { "interval": 5 } }
}, },
"packet-log": [ "packet-log": [
{ "out": "_fw" }, { "out": "_fw" },
{ "out": "_fw", "log": "mirror" }, { "out": "_fw", "log": "mirror" },
{ "out": "_fw", "log": "nflog" },
{ "out": "_fw", "log": "ulog" } { "out": "_fw", "log": "ulog" }
], ],
"filter": [ "filter": [
...@@ -8085,6 +8085,9 @@ Log dual {"mirror":"fc00::1","mode":"log"} ...@@ -8085,6 +8085,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]} Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log) (log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"} Log none {"mode":"none"}
(log) (log)
...@@ -8141,7 +8144,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"} ...@@ -8141,7 +8144,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2 inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2 inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"} Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log) (log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG inet/filter/INPUT -m limit --limit 12/minute -j ULOG
...@@ -8251,6 +8259,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}] ...@@ -8251,6 +8259,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"} Service ntp {"port":123,"proto":"udp"}
(services) (services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"} Service ospf {"proto":"ospf"}
(services) (services)
...@@ -10306,6 +10317,7 @@ hash:net family inet ...@@ -10306,6 +10317,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -13186,6 +13198,7 @@ COMMIT ...@@ -13186,6 +13198,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -1950,6 +1950,7 @@ ...@@ -1950,6 +1950,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -571,6 +571,7 @@ ...@@ -571,6 +571,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -59513,6 +59513,9 @@ Log dual {"mirror":"fc00::1","mode":"log"} ...@@ -59513,6 +59513,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]} Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log) (log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"} Log none {"mode":"none"}
(log) (log)
...@@ -59569,7 +59572,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"} ...@@ -59569,7 +59572,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2 inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2 inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"} Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log) (log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG inet/filter/INPUT -m limit --limit 12/minute -j ULOG
...@@ -59679,6 +59687,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}] ...@@ -59679,6 +59687,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"} Service ntp {"port":123,"proto":"udp"}
(services) (services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"} Service ospf {"proto":"ospf"}
(services) (services)
...@@ -68693,6 +68704,7 @@ hash:net family inet ...@@ -68693,6 +68704,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -100475,6 +100487,7 @@ COMMIT ...@@ -100475,6 +100487,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
...@@ -8909,6 +8909,7 @@ ...@@ -8909,6 +8909,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -8882,6 +8882,7 @@ ...@@ -8882,6 +8882,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set -A INPUT -m recent --name user:B --rdest --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --set
...@@ -433,6 +433,9 @@ Log dual {"mirror":"fc00::1","mode":"log"} ...@@ -433,6 +433,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]} Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log) (log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"} Log none {"mode":"none"}
(log) (log)
...@@ -489,7 +492,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"} ...@@ -489,7 +492,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2 inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2 inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"} Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log) (log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG inet/filter/INPUT -m limit --limit 12/minute -j ULOG
...@@ -599,6 +607,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}] ...@@ -599,6 +607,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"} Service ntp {"port":123,"proto":"udp"}
(services) (services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"} Service ospf {"proto":"ospf"}
(services) (services)
...@@ -804,6 +815,7 @@ hash:net family inet ...@@ -804,6 +815,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -1022,6 +1034,7 @@ COMMIT ...@@ -1022,6 +1034,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -100,6 +100,7 @@ ...@@ -100,6 +100,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -73,6 +73,7 @@ ...@@ -73,6 +73,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -429,6 +429,9 @@ Log dual {"mirror":"fc00::1","mode":"log"} ...@@ -429,6 +429,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]} Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log) (log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"} Log none {"mode":"none"}
(log) (log)
...@@ -485,7 +488,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"} ...@@ -485,7 +488,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2 inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2 inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"} Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log) (log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG inet/filter/INPUT -m limit --limit 12/minute -j ULOG
...@@ -595,6 +603,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}] ...@@ -595,6 +603,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"} Service ntp {"port":123,"proto":"udp"}
(services) (services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"} Service ospf {"proto":"ospf"}
(services) (services)
...@@ -796,6 +807,7 @@ hash:net family inet ...@@ -796,6 +807,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -1018,6 +1030,7 @@ COMMIT ...@@ -1018,6 +1030,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -96,6 +96,7 @@ ...@@ -96,6 +96,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -63,6 +63,7 @@ ...@@ -63,6 +63,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -363,6 +363,9 @@ Log dual {"mirror":"fc00::1","mode":"log"} ...@@ -363,6 +363,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]} Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log) (log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"} Log none {"mode":"none"}
(log) (log)
...@@ -419,7 +422,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"} ...@@ -419,7 +422,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2 inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2 inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"} Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log) (log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG inet/filter/INPUT -m limit --limit 12/minute -j ULOG
...@@ -541,6 +549,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}] ...@@ -541,6 +549,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"} Service ntp {"port":123,"proto":"udp"}
(services) (services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"} Service ospf {"proto":"ospf"}
(services) (services)
...@@ -736,6 +747,7 @@ hash:net family inet ...@@ -736,6 +747,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -928,6 +940,7 @@ COMMIT ...@@ -928,6 +940,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -90,6 +90,7 @@ ...@@ -90,6 +90,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -63,6 +63,7 @@ ...@@ -63,6 +63,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -363,6 +363,9 @@ Log dual {"mirror":"fc00::1","mode":"log"} ...@@ -363,6 +363,9 @@ Log dual {"mirror":"fc00::1","mode":"log"}
Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]} Log mirror {"mirror":["10.0.0.1","10.0.0.2","fc00::2"]}
(log) (log)
Log nflog {"group":1,"mode":"nflog","range":128}
(log)
Log none {"mode":"none"} Log none {"mode":"none"}
(log) (log)
...@@ -419,7 +422,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"} ...@@ -419,7 +422,12 @@ Packet-log 2 {"log":"mirror","out":"_fw"}
inet/filter/INPUT -j TEE --gateway 10.0.0.2 inet/filter/INPUT -j TEE --gateway 10.0.0.2
inet6/filter/INPUT -j TEE --gateway fc00::2 inet6/filter/INPUT -j TEE --gateway fc00::2
Packet-log 3 {"log":"ulog","out":"_fw"} Packet-log 3 {"log":"nflog","out":"_fw"}
(log)
inet/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
inet6/filter/INPUT -j NFLOG --nflog-group 1 --nflog-size 128
Packet-log 4 {"log":"ulog","out":"_fw"}
(log) (log)
inet/filter/INPUT -m limit --limit 12/minute -j ULOG inet/filter/INPUT -m limit --limit 12/minute -j ULOG
...@@ -529,6 +537,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}] ...@@ -529,6 +537,9 @@ Service netbios-ssn [{"port":139,"proto":"tcp"},{"port":139,"proto":"udp"}]
Service ntp {"port":123,"proto":"udp"} Service ntp {"port":123,"proto":"udp"}
(services) (services)
Service openvpn {"port":1194,"proto":"udp"}
(services)
Service ospf {"proto":"ospf"} Service ospf {"proto":"ospf"}
(services) (services)
...@@ -730,6 +741,7 @@ hash:net family inet ...@@ -730,6 +741,7 @@ hash:net family inet
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -921,6 +933,7 @@ COMMIT ...@@ -921,6 +933,7 @@ COMMIT
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
...@@ -90,6 +90,7 @@ ...@@ -90,6 +90,7 @@
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing -A FORWARD -p icmp -j icmp-routing
-A INPUT -m limit --limit 12/minute -j ULOG -A INPUT -m limit --limit 12/minute -j ULOG
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway 10.0.0.2 -A INPUT -j TEE --gateway 10.0.0.2
-A INPUT -j TEE --gateway 10.0.0.1 -A INPUT -j TEE --gateway 10.0.0.1
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
...@@ -63,6 +63,7 @@ ...@@ -63,6 +63,7 @@
-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT -A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing -A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A INPUT -j TEE --gateway fc00::2 -A INPUT -j TEE --gateway fc00::2
-A INPUT -m limit --limit 1/second -j LOG -A INPUT -m limit --limit 1/second -j LOG
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT