1 diff -aur apf-9.7-2/files/firewall apf-9.7-2-arch/files/firewall
2 --- apf-9.7-2/files/firewall 2011-11-10 19:53:16.000000000 -0500
3 +++ apf-9.7-2-arch/files/firewall 2012-01-09 05:53:31.617196010 -0500
4 @@ -87,7 +87,7 @@
5 # Allow all traffic on trusted interfaces
6 if [ ! "$IFACE_TRUSTED" == "" ]; then
7 for i in `echo $IFACE_TRUSTED | tr ',' ' '`; do
8 -VAL_IF=`/sbin/ip addr list | grep -w $i`
9 +VAL_IF=`$ip addr list | grep -w $i`
10 if [ "$VAL_IF" == "" ]; then
11 eout "{glob} unable to verify status of interface $i; assuming untrusted"
12 else
13 @@ -105,7 +105,7 @@
14 $IPT -A PROHIBIT -j REJECT --reject-with icmp-host-prohibited
16 # Load our SYSCTL rules
17 -. $INSTALL_PATH/sysctl.rules >> /dev/null 2>&1
18 +. $INSTALL_PATH/sysctl.rules >> /dev/null # 2>&1
20 # Fix MTU/MSS Problems
21 $IPT -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
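Review bot: The `# 2>&1` on the new `. $INSTALL_PATH/sysctl.rules >> /dev/null # 2>&1` line comments out only the stderr redirect, so stdout is still discarded while every failed write inside sysctl.rules now prints to the console; a commented-out redirect reads as debugging residue rather than a decision. If surfacing those errors is the intent, make it explicit with a comment such as `# stderr kept on purpose: a failed sysctl write must be visible`; otherwise restore `>/dev/null 2>&1`. Because the file is sourced with `.` rather than executed, any failure in it also runs in the firewall script's own shell, so this is the only place those errors can be seen.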
22 diff -aur apf-9.7-2/files/internals/functions.apf apf-9.7-2-arch/files/internals/functions.apf
23 --- apf-9.7-2/files/internals/functions.apf 2011-12-15 21:30:14.000000000 -0500
24 +++ apf-9.7-2-arch/files/internals/functions.apf 2012-01-10 01:01:48.040861894 -0500
25 @@ -62,104 +62,35 @@
29 -ml() {
30 -MOD=$1
31 -VALMOD=$2
32 -if [ "$KREL" == "2.4" ]; then
33 - MEXT="o"
34 -elif [ "$KREL" == "2.6" ]; then
35 - MEXT="ko"
36 -elif [[ "$KREL" =~ "3." ]]; then
37 - MEXT="ko"
38 -elif [ ! "$KREL" == "2.4" ] && [ ! "$KREL" == "2.6" ] && [[ ! "$KREL" =~ "3." ]]; then
39 - if [ ! "$SET_VERBOSE" == "1" ]; then
40 - echo "kernel version not compatible or netfilter support missing, aborting."
41 - fi
42 - eout "{glob} kernel version not compatible or netfilter support missing, aborting."
43 - exit 1
44 -else
45 - if [ ! "$SET_VERBOSE" == "1" ]; then
46 - echo "kernel version not compatible or netfilter support missing, aborting."
47 - fi
48 - eout "{glob} kernel version not compatible or netfilter support missing, aborting."
49 - exit 1
50 -fi
51 +modinit() {
52 + [ "$SET_MONOKERN" == "1" ] && return 0
54 -if [ "$VALMOD" == "1" ] && [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/$1.$MEXT" ]; then
55 - if [ ! "$SET_VERBOSE" == "1" ]; then
56 - echo "Unable to load iptables module ($1), aborting."
57 - fi
58 - eout "{glob} unable to load iptables module ($1), aborting."
59 - exit 1
60 -fi
61 -if [ -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/$1.$MEXT" ] || [ -f "/lib/modules/$(uname -r)/kernel/net/netfilter/$1.$MEXT" ]; then
62 - $MPB $1 >> /dev/null 2>&1 &
63 -fi
65 + local modules m
67 -modinit() {
68 -# Remove ipchains module if loaded
69 -IPC_VAL=`$LSM | grep ipchains`
70 -if [ ! "$IPC_VAL" == "" ]; then
71 - $RMM ipchains
72 -fi
74 -if [ ! "$SET_MONOKERN" == "1" ]; then
75 -# Loading Kernel Modules
76 -ml ip_tables 1
77 -ml iptable_filter
78 -ml iptable_mangle
79 -ml ip_conntrack
80 -ml ip_conntrack_irc
81 -ml ip_conntrack_ftp
82 -ml ipt_state
83 -ml ipt_multiport
84 -ml ipt_limit
85 -ml ipt_recent
86 -ml ipt_LOG
87 -ml ipt_REJECT
88 -ml ipt_ecn
89 -ml ipt_length
90 -ml ipt_mac
91 -ml ipt_multiport
92 -ml ipt_owner
93 -ml ipt_state
94 -ml ipt_ttl
95 -ml ipt_TOS
96 -ml ipt_TCPMSS
97 -ml ipt_ULOG
98 -ml xt_conntrack
99 -ml xt_conntrack_irc
100 -ml xt_conntrack_ftp
101 -ml xt_state
102 -ml xt_multiport
103 -ml xt_limit
104 -ml xt_recent
105 -ml xt_LOG
106 -ml xt_REJECT
107 -ml xt_ecn
108 -ml xt_length
109 -ml xt_mac
110 -ml xt_multiport
111 -ml xt_owner
112 -ml xt_state
113 -ml xt_ttl
114 -ml xt_TOS
115 -ml xt_TCPMSS
116 -ml xt_ULOG
117 -ml nf_conntrack
118 -ml nf_conntrack_irc
119 -ml nf_conntrack_ftp
121 + case "$KREL" in
122 + 2.[46]) ;;
123 + 3.[0-9]) ;;
124 + *) eout "{glob} kernel version not equal to 2.4.x or 2.6.x, aborting."; exit 1;;
125 + esac
127 + modules="ip_tables iptable_filter iptable_mangle ip_conntrack ip_conntrack_ftp ipt_state ipt_multiport ipt_limit ipt_recent
128 + ipt_LOG ipt_REJECT ipt_ecn ipt_length ipt_mac ipt_multiport ipt_owner ipt_state ipt_ttl ipt_TOS ipt_TCPMSS ipt_ULOG
129 + xt_TCPMSS xt_conntrack xt_state xt_multiport xt_limit xt_recent xt_length xt_mac xt_multiport xt_owner xt_state nf_conntrack
130 + nf_conntrack_irc nf_conntrack_ftp "
132 + # failed to load: xt_ULOG xt_TOS xt_conntrack_irc xt_conntrack_ftp xt_LOG xt_REJECT xt_ecn xt_ttl ip_conntrack_irc
134 + for m in $modules; do
135 + $MPB $m >/dev/null 2>&1 || { eout "{glob} unable to load iptables module ($m), aborting."; return 1; }
136 + done
137 + return 0
140 check_rab() {
141 -if [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_recent.$MEXT" ] && [ ! -f "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/xt_recent.$MEXT" ]; then
142 - if [ "$RAB" == "1" ]; then
143 - RAB="0"
144 - eout "{rab} force set RAB disabled, kernel module xt/ipt_recent not found."
145 - fi
147 + if [ "$RAB" = "1" ] && [ -z "$(cat /proc/net/ip_tables_matches | grep '^recent')" ]; then
148 + RAB="0"
149 + eout "{rab} force set RAB disabled, kernel module ipt_recent not found."
150 + fi
153 get_state() {
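Review bot: In the new modinit, `$MPB $m >/dev/null 2>&1 || { …; return 1; }` makes every entry in `modules` mandatory, whereas the removed `ml` aborted only for ip_tables (the `VALMOD=1` call) and silently skipped modules absent from the running kernel; the list mixes legacy names (ip_conntrack, ipt_state, ipt_ULOG) with their xt_/nf_ replacements, so a kernel shipping only one family makes modinit fail at the first missing module, and the `# failed to load:` comment suggests this was already hit once. The `3.[0-9])` arm also rejects two-digit minors such as 3.10 (how KREL is derived is outside the hunk), and the `*)` message still says "not equal to 2.4.x or 2.6.x" although 3.x is accepted. In check_rab, `[ -z "$(cat /proc/net/ip_tables_matches | grep '^recent')" ]` would be simpler and error-free as `! grep -q '^recent' /proc/net/ip_tables_matches 2>/dev/null`. The closing brace of modinit is not visible in this hunk.
```shell
  case "$KREL" in
    2.[46]|3.*) ;;
    *) eout "{glob} kernel version not 2.4.x, 2.6.x or 3.x, aborting."; exit 1;;
  esac
  # … unchanged: modules list …
  # ip_tables is the only hard requirement; the rest depend on the kernel's netfilter layout
  $MPB ip_tables >/dev/null 2>&1 || { eout "{glob} unable to load iptables module (ip_tables), aborting."; return 1; }
  for m in $modules; do
    $MPB "$m" >/dev/null 2>&1 || eout "{glob} iptables module $m not available on this kernel, skipping."
  done
  return 0
```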
154 @@ -287,7 +218,7 @@
155 val_rev=`cat $ALLOW_HOSTS | grep -w $HOST`
156 val_rev2=`cat $GALLOW_HOSTS | grep -w $HOST`
157 val_rev3=`cat $GDENY_HOSTS | grep -w $HOST`
158 - val_rev4=`/sbin/ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $HOST`
159 + val_rev4=`$ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $HOST`
160 if [ ! "$val" == "" ]; then
161 echo "$HOST already exists in $DENY_HOSTS"
162 elif [ ! "$val_rev" == "" ]; then
163 @@ -328,7 +259,7 @@
164 val_rev=`cat $ALLOW_HOSTS | grep -w $HOST`
165 val_rev2=`cat $GALLOW_HOSTS | grep -w $HOST`
166 val_rev3=`cat $GDENY_HOSTS | grep -w $HOST`
167 - val_rev4=`/sbin/ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $HOST`
168 + val_rev4=`$ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $HOST`
169 if [ ! "$val" == "" ]; then
170 echo "$HOST already exists in $DENY_HOSTS"
171 elif [ ! "$val_rev" == "" ]; then
172 @@ -396,8 +327,8 @@
173 /usr/bin/pico -w $iptc
174 elif [ -f "/usr/bin/nano" ]; then
175 /usr/bin/nano -w $iptc
176 -elif [ -f "/bin/vi" ]; then
177 - /bin/vi $iptc
178 +elif [ -f "/usr/bin/vi" ]; then
179 + /usr/bin/vi $iptc
181 clear
182 rm -f $iptc
183 @@ -550,7 +481,7 @@
186 for i in `cat $ALLOW_HOSTS | grep -v "#" | grep -v ":" | grep -v "="`; do
187 - val=`/sbin/ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $i`
188 + val=`$ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $i`
189 if [ ! "$val" ]; then
190 if [ ! "$i" == "" ] && [ -f "$ALLOW_HOSTS" ]; then
191 eout "{trust} allow all to/from $i"
192 @@ -842,7 +773,7 @@
195 for i in `cat $DENY_HOSTS | grep -v "#" | grep -v ":" | grep -v "="`; do
196 - val=`/sbin/ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $i`
197 + val=`$ip addr list $IFACE_IN | grep -w inet | grep -v inet6 | tr '/' ' ' | awk '{print$2}' | grep -w $i`
198 if [ ! "$val" ]; then
199 if [ ! "$i" == "" ] && [ -f "$DENY_HOSTS" ]; then
200 eout "{trust} deny all to/from $i"
201 @@ -1501,7 +1432,7 @@
203 refresh() {
204 eout "{glob} refreshing trust system rules."
205 - /sbin/iptables-save | grep -E "TDENY|TGDENY" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{print$4}' | sort -n | uniq | sort > /etc/apf/internals/refresh.drop.temp
206 + $IPTS | grep -E "TDENY|TGDENY" | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | awk '{print$4}' | sort -n | uniq | sort > /etc/apf/internals/refresh.drop.temp
207 $IPT -F TMP_DROP
208 for i in `cat /etc/apf/internals/refresh.drop.temp | grep -v "#"`; do
209 if [ ! "$i" == "" ]; then
210 diff -aur apf-9.7-2/files/internals/internals.conf apf-9.7-2-arch/files/internals/internals.conf
211 --- apf-9.7-2/files/internals/internals.conf 2009-03-17 08:37:05.000000000 -0400
212 +++ apf-9.7-2-arch/files/internals/internals.conf 2012-01-09 03:55:05.000000000 -0500
213 @@ -7,13 +7,13 @@
214 APPN="apf"
216 ifconfig=/sbin/ifconfig
217 -ip=/sbin/ip
218 -IPT="/sbin/iptables"
219 +ip=/usr/sbin/ip
220 +IPT="/usr/sbin/iptables"
221 MPB="/sbin/modprobe"
222 -LSM="/sbin/lsmod"
223 +LSM="/bin/lsmod"
224 RMM="/sbin/rmmod"
225 -IPTS="/sbin/iptables-save"
226 -IPTR="/sbin/iptables-restore"
227 +IPTS="/usr/sbin/iptables-save"
228 +IPTR="/usr/sbin/iptables-restore"
229 DIFF="/usr/bin/diff"
230 WGET="/usr/bin/wget"
231 MD5="/usr/bin/md5sum"
232 diff -aur apf-9.7-2/files/sysctl.rules apf-9.7-2-arch/files/sysctl.rules
233 --- apf-9.7-2/files/sysctl.rules 2011-10-19 01:45:35.000000000 -0400
234 +++ apf-9.7-2-arch/files/sysctl.rules 2012-01-09 05:53:13.844571069 -0500
235 @@ -6,7 +6,9 @@
236 SYSCTL_CONNTRACK = 28000
239 -echo $SYSCTL_CONNTRACK > /proc/sys/net/ipv4/ip_conntrack_max
240 +#echo $SYSCTL_CONNTRACK > /proc/sys/net/ipv4/ip_conntrack_max
241 +echo $SYSCTL_CONNTRACK > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
243 echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
244 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
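Review bot: The added `echo $SYSCTL_CONNTRACK > /proc/sys/net/ipv4/netfilter/ip_conntrack_max` has no existence check, so on a kernel where connection tracking is provided by nf_conntrack (where the knob is `/proc/sys/net/netfilter/nf_conntrack_max`) the redirect fails and the conntrack limit is silently never raised; the companion firewall change that drops the stderr redirect would at least make that failure visible. A guard such as `[ -w /proc/sys/net/ipv4/netfilter/ip_conntrack_max ] && echo $SYSCTL_CONNTRACK > /proc/sys/net/ipv4/netfilter/ip_conntrack_max` keeps the script quiet where the path is absent. The commented-out old `#echo …` line is dead code and should be removed rather than kept alongside its replacement.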
246 diff -aur apf-9.7-2/files/vnet/vnetgen apf-9.7-2-arch/files/vnet/vnetgen
247 --- apf-9.7-2/files/vnet/vnetgen 2011-11-10 19:53:16.000000000 -0500
248 +++ apf-9.7-2-arch/files/vnet/vnetgen 2012-01-09 04:11:34.000000000 -0500
249 @@ -41,7 +41,7 @@
250 echo "$ip and $ifconfig not found; aborting"
251 exit 1
252 elif [ -f "$ip" ]; then
253 - for addr in `/sbin/ip addr list | tr '/' ' ' | grep -w inet | grep -w $IF | grep -v 127.0.0.1 | grep -vw $NET | awk '{print$2}'`; do
254 + for addr in `$ip addr list | tr '/' ' ' | grep -w inet | grep -w $IF | grep -v 127.0.0.1 | grep -vw $NET | awk '{print$2}'`; do
255 if [ ! -f "$INSTALL_PATH/vnet/$addr.rules" ]; then
256 touch $INSTALL_PATH/vnet/$addr.rules
257 chmod 600 $INSTALL_PATH/vnet/$addr.rules
258 @@ -67,7 +67,7 @@
259 if [ -f "$ip" ]; then
260 valtif=`echo $TIF | grep $anet`
261 if [ "$valtif" == "" ]; then
262 - for addr in `/sbin/ip addr list | tr '/' ' ' | grep -w inet | grep -w $anet | grep -v 127.0.0.1 | grep -vw $NET | awk '{print$2}'`; do
263 + for addr in `$ip addr list | tr '/' ' ' | grep -w inet | grep -w $anet | grep -v 127.0.0.1 | grep -vw $NET | awk '{print$2}'`; do
264 if [ ! -f "$INSTALL_PATH/vnet/$addr.rules" ]; then
265 touch $INSTALL_PATH/vnet/$addr.rules
266 chmod 600 $INSTALL_PATH/vnet/$addr.rules