pve-firewall.git

Dietmar Maurer [Fri, 14 Mar 2014 13:05:55 +0000 (14:05 +0100)]
really stop daemon on write error

And a bunch of white-space cleanups.

Dietmar Maurer [Fri, 14 Mar 2014 12:59:22 +0000 (13:59 +0100)]
additionally log status messages to syslog

Dietmar Maurer [Fri, 14 Mar 2014 12:33:01 +0000 (13:33 +0100)]
use phydev numbers if name lookup fails

Dietmar Maurer [Fri, 14 Mar 2014 12:15:03 +0000 (13:15 +0100)]
improve log format

Dietmar Maurer [Thu, 13 Mar 2014 12:08:47 +0000 (13:08 +0100)]
add simple nflog daemon

Alexandre Derumier [Tue, 11 Mar 2014 08:58:46 +0000 (09:58 +0100)]
fix 110.fw example

we can't parse [OPTIONS] if a comment is on the same line

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

Dietmar Maurer [Mon, 10 Mar 2014 11:49:02 +0000 (12:49 +0100)]
add ifupdown helper to setup MASQUERADE on veth device

Dietmar Maurer [Mon, 10 Mar 2014 09:29:25 +0000 (10:29 +0100)]
avoid use of --physdev-is-bridged whenever possible

Option physdev-is-bridged only matches when both ports are bridged.
But we also want to check IN/OUT rules if only one port is bridged.

Dietmar Maurer [Mon, 10 Mar 2014 09:15:09 +0000 (10:15 +0100)]
use correct mac for veth containers

Dietmar Maurer [Mon, 10 Mar 2014 09:13:10 +0000 (10:13 +0100)]
add reminder that we should use ULOG

Dietmar Maurer [Mon, 10 Mar 2014 09:12:03 +0000 (10:12 +0100)]
add documentation for masqueraded setup

Dietmar Maurer [Fri, 7 Mar 2014 06:38:44 +0000 (07:38 +0100)]
do not use multiport for single port range

Dietmar Maurer [Thu, 6 Mar 2014 17:00:53 +0000 (18:00 +0100)]
ifupdown.sh: correctly use ifup instead of ifconfig

Dietmar Maurer [Thu, 6 Mar 2014 15:54:27 +0000 (16:54 +0100)]
ifupdown.sh: improve error handling

Dietmar Maurer [Thu, 6 Mar 2014 12:15:07 +0000 (13:15 +0100)]
add ifupdown helper to create veth devices plugged into bridges

Dietmar Maurer [Thu, 6 Mar 2014 10:31:12 +0000 (11:31 +0100)]
update documentation

Dietmar Maurer [Thu, 6 Mar 2014 08:46:12 +0000 (09:46 +0100)]
implement allow_bridge_route feature

Dietmar Maurer [Thu, 6 Mar 2014 07:22:00 +0000 (08:22 +0100)]
use perl taint mode

Dietmar Maurer [Thu, 6 Mar 2014 07:21:05 +0000 (08:21 +0100)]
do not use perl -w

Dietmar Maurer [Thu, 6 Mar 2014 07:18:59 +0000 (08:18 +0100)]
use RETURN instead of ACCEPT to allow further processing

Dietmar Maurer [Thu, 6 Mar 2014 07:02:45 +0000 (08:02 +0100)]
only update nf_conntrack_max if firewall is started

Dietmar Maurer [Wed, 5 Mar 2014 12:28:34 +0000 (13:28 +0100)]
plug venet0 chains into PVEFW-INPUT and PVEFW-OUTPUT

Container firewall should be fully functional now.

Dietmar Maurer [Wed, 5 Mar 2014 11:49:57 +0000 (12:49 +0100)]
plug venet0 chains into PVEFW-FORWARD

We can now partly filter container traffic. Still need to add checks
in PVEFW-INPUT and PVEFW-OUTPUT chains.

Dietmar Maurer [Wed, 5 Mar 2014 10:49:52 +0000 (11:49 +0100)]
add optimization as last step

Dietmar Maurer [Wed, 5 Mar 2014 10:43:35 +0000 (11:43 +0100)]
use parse_address_list to validate IP list

Dietmar Maurer [Wed, 5 Mar 2014 10:33:23 +0000 (11:33 +0100)]
generate chains for openvz venet

This is not fully functional, because we need to connect with upper level chains.

Dietmar Maurer [Wed, 5 Mar 2014 09:49:16 +0000 (10:49 +0100)]
add veth chain to is_pvefw_chain()

Dietmar Maurer [Wed, 5 Mar 2014 09:43:32 +0000 (10:43 +0100)]
start openvz support

Seems we can reuse generate_tap_rules_direction for bridged devices.

Dietmar Maurer [Wed, 5 Mar 2014 08:01:44 +0000 (09:01 +0100)]
use underscore instead of hyphen for fw options

Dietmar Maurer [Wed, 5 Mar 2014 07:50:04 +0000 (08:50 +0100)]
add nf_conntrack_max to example config

Dietmar Maurer [Wed, 5 Mar 2014 07:08:51 +0000 (08:08 +0100)]
implement nf_conntrack_max option

Dietmar Maurer [Wed, 5 Mar 2014 06:36:25 +0000 (07:36 +0100)]
cleanup - avoid warning about undefined value

Dietmar Maurer [Wed, 5 Mar 2014 06:30:11 +0000 (07:30 +0100)]
cleanups - use better names

Dietmar Maurer [Tue, 4 Mar 2014 11:54:52 +0000 (12:54 +0100)]
improve logging

Also log dropped inter-bridge traffic.

Dietmar Maurer [Tue, 4 Mar 2014 11:23:19 +0000 (12:23 +0100)]
correctly init PVEFW-FORWARD chain

We generate that chain by default, so the old code never triggered.

Dietmar Maurer [Tue, 4 Mar 2014 10:48:22 +0000 (11:48 +0100)]
add $bridge-OUT chain to PVEFW-INPUT

Dietmar Maurer [Tue, 4 Mar 2014 10:46:24 +0000 (11:46 +0100)]
clear mark when entering tapXZY-OUT chain

Dietmar Maurer [Tue, 4 Mar 2014 10:00:35 +0000 (11:00 +0100)]
correctly implement policy for host firewall

Dietmar Maurer [Tue, 4 Mar 2014 09:45:27 +0000 (10:45 +0100)]
factor out code to produce policy rules

Dietmar Maurer [Tue, 4 Mar 2014 09:23:07 +0000 (10:23 +0100)]
fix comment

Dietmar Maurer [Tue, 4 Mar 2014 09:19:02 +0000 (10:19 +0100)]
remove unnecessary rule

Dietmar Maurer [Tue, 4 Mar 2014 09:09:59 +0000 (10:09 +0100)]
s/enablehostfw/enable_host_firewall/

Dietmar Maurer [Tue, 4 Mar 2014 08:56:34 +0000 (09:56 +0100)]
make sure syncookies are enabled

Dietmar Maurer [Tue, 4 Mar 2014 08:27:26 +0000 (09:27 +0100)]
use PVE::ProcFSTools::write_proc_entry instead of system("echo ...")

Dietmar Maurer [Tue, 4 Mar 2014 08:19:08 +0000 (09:19 +0100)]
cleanup ruleset_generate_rule()

Dietmar Maurer [Tue, 4 Mar 2014 08:07:23 +0000 (09:07 +0100)]
improve clean target

delete emacs tmp files in all subdirs

Dietmar Maurer [Tue, 4 Mar 2014 08:04:37 +0000 (09:04 +0100)]
remove stale file

Dietmar Maurer [Mon, 3 Mar 2014 14:19:38 +0000 (15:19 +0100)]
merge IN/OUT section into RULES section

Dietmar Maurer [Mon, 3 Mar 2014 08:40:04 +0000 (09:40 +0100)]
assemble debian package

Dietmar Maurer [Fri, 28 Feb 2014 11:47:34 +0000 (12:47 +0100)]
implement log_level_in and log_level_out options

Dietmar Maurer [Fri, 28 Feb 2014 11:25:18 +0000 (12:25 +0100)]
implement log level options

Dietmar Maurer [Fri, 28 Feb 2014 09:50:44 +0000 (10:50 +0100)]
use a file to store firewall status persistently.

Start/stop saves state into a file. So the firewall remembers that status
even if the host is rebooted.

Also added helpers to update firewall rules and get current status.

Dietmar Maurer [Fri, 28 Feb 2014 09:36:28 +0000 (10:36 +0100)]
ignore source/destination port if no protocol specified

Dietmar Maurer [Thu, 27 Feb 2014 11:54:11 +0000 (12:54 +0100)]
use defined() to check for undefined value

Dietmar Maurer [Thu, 27 Feb 2014 11:52:05 +0000 (12:52 +0100)]
improve multiport rule generator

It is not allowed to use --sports and --dports together!

Dietmar Maurer [Thu, 27 Feb 2014 11:40:37 +0000 (12:40 +0100)]
fix Ping macro

Dietmar Maurer [Thu, 27 Feb 2014 11:12:45 +0000 (12:12 +0100)]
improve example

Dietmar Maurer [Thu, 27 Feb 2014 10:15:09 +0000 (11:15 +0100)]
allow to disable single rules, and add ability to add comments

Dietmar Maurer [Thu, 27 Feb 2014 08:40:23 +0000 (09:40 +0100)]
add 'dhcp' option (enabled by default)

Dietmar Maurer [Thu, 27 Feb 2014 08:37:17 +0000 (09:37 +0100)]
use PVEFW-reject instead of REJECT

Dietmar Maurer [Thu, 27 Feb 2014 07:54:11 +0000 (08:54 +0100)]
accept traffic to unmanaged bridge ports

Dietmar Maurer [Thu, 27 Feb 2014 06:23:42 +0000 (07:23 +0100)]
correctly apply macros

Allow to set additional parameters if they do not conflict with macro settings.

Dietmar Maurer [Wed, 26 Feb 2014 13:29:53 +0000 (14:29 +0100)]
implement nosmurfs options (enabled by default)

Dietmar Maurer [Wed, 26 Feb 2014 12:59:25 +0000 (13:59 +0100)]
implement option 'tcpflags' to log illegal combinations of TCP flags

Dietmar Maurer [Wed, 26 Feb 2014 12:42:48 +0000 (13:42 +0100)]
make mac address filtering optional (default enabled)

Dietmar Maurer [Wed, 26 Feb 2014 12:00:43 +0000 (13:00 +0100)]
use chains from previous commit to reduce logging

Dietmar Maurer [Wed, 26 Feb 2014 11:43:04 +0000 (12:43 +0100)]
add some useful chains

Those chains implement basically the same rules as the related shorewall actions.
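
An added example, not code from pve-firewall: the commit "implement option 'tcpflags'" above and the shorewall-derived default chains this commit introduces both rest on the iptables `--tcp-flags MASK COMP` test, which examines only the bits named in MASK and requires them to equal COMP. The block below implements that test, runs it over a few constructed packets (an ordinary SYN, a SYN/ACK, nmap's -sX and -sN probes, SYN+FIN, and a SYN from source port 0) and emits the rules such a chain would carry. The list of combinations is assumed to be the one Shorewall's tcpflags action checks, and the chain and target names PVEFW-tcpflags and PVEFW-logflags are assumptions, not names taken from this page.

```python
# Added example (not pve-firewall code): how `-p tcp --tcp-flags MASK COMP`
# decides that a packet carries an illegal flag combination, and the rules a
# 'tcpflags' chain would emit. The rule list is assumed to mirror Shorewall's
# tcpflags action; the chain/target names are assumptions as well.

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())          # 0x3f, what iptables calls ALL


def flag_bits(spec):
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))


def tcp_flags_match(flags, mask_spec, comp_spec):
    """iptables semantics: look only at the MASK bits; they must equal COMP."""
    return (flags & flag_bits(mask_spec)) == flag_bits(comp_spec)


# (MASK, COMP, description), each one `--tcp-flags MASK COMP` in the chain.
# `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`, so the
# source-port-0 check below is written out that way.
TCPFLAGS_RULES = [
    ("ALL", "FIN,URG,PSH", "xmas scan"),
    ("ALL", "NONE", "null scan"),
    ("SYN,RST", "SYN,RST", "SYN+RST"),
    ("SYN,FIN", "SYN,FIN", "SYN+FIN"),
]


def classify_tcp_flags(flags, sport):
    """Describe the illegal combination, or return None if the flags are sane."""
    for mask_spec, comp_spec, desc in TCPFLAGS_RULES:
        if tcp_flags_match(flags, mask_spec, comp_spec):
            return desc
    if sport == 0 and tcp_flags_match(flags, "SYN,RST,ACK,FIN", "SYN"):
        return "SYN from source port 0"
    return None


def tcpflags_chain_rules(chain="PVEFW-tcpflags", target="PVEFW-logflags"):
    """iptables-restore lines for a chain that hands bad-flag packets to a log/drop chain."""
    rules = [f"-A {chain} -p tcp -m tcp --tcp-flags {m} {c} -g {target}"
             for m, c, _ in TCPFLAGS_RULES]
    rules.append(f"-A {chain} -p tcp -m tcp --tcp-flags SYN,RST,ACK,FIN SYN "
                 f"--sport 0 -g {target}")
    return rules


# Constructed sample packets: (flag bits, source port, label)
SAMPLE_PACKETS = [
    (TCP_FLAGS["SYN"], 40123, "normal SYN"),
    (TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"], 443, "SYN/ACK"),
    (TCP_FLAGS["FIN"] | TCP_FLAGS["PSH"] | TCP_FLAGS["URG"], 40123, "nmap -sX"),
    (0, 40123, "nmap -sN"),
    (TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"], 40123, "SYN/FIN"),
    (TCP_FLAGS["SYN"], 0, "SYN from port 0"),
]


def scan_samples():
    """Return [(label, verdict)] for the constructed packets."""
    return [(label, classify_tcp_flags(flags, sport))
            for flags, sport, label in SAMPLE_PACKETS]


if __name__ == "__main__":
    for label, verdict in scan_samples():
        print(f"{label:18s} -> {verdict or 'ok'}")
    print("\n".join(tcpflags_chain_rules()))
```

Note that the ALL mask makes the xmas test strict: a segment carrying FIN, PSH, URG and ACK is not matched, because ACK is inside the mask and must be clear, which is exactly what the iptables rule does.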

Dietmar Maurer [Wed, 26 Feb 2014 11:40:53 +0000 (12:40 +0100)]
add a way to define some default chains

Dietmar Maurer [Wed, 26 Feb 2014 11:35:05 +0000 (12:35 +0100)]
fix multiport rules and add icmp type names

The multiport module needs --dports/--sports (instead of --dport/--sport).
Also, a single port range does not require --multiport.

Also added the ability to use icmp type name as 'dport' when proto is icmp.

Dietmar Maurer [Wed, 26 Feb 2014 09:02:39 +0000 (10:02 +0100)]
cleanups

Dietmar Maurer [Wed, 26 Feb 2014 06:22:02 +0000 (07:22 +0100)]
always use PVEFW-SET-ACCEPT-MARK for OUT chain

That way we can re-use chains for the host firewall.

Alexandre Derumier [Tue, 25 Feb 2014 12:47:52 +0000 (13:47 +0100)]
bridge rules : -j ACCEPT for physical interfaces

We need to accept traffic at the end of bridge rules for outgoing packets from tap->ethX,
as we don't do ACCEPT in tap-out rules.

IN=vmbr0 OUT=vmbr0 PHYSIN=tap110i0 PHYSOUT=eth0

-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW

-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -j ACCEPT

-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

Alexandre Derumier [Tue, 25 Feb 2014 12:24:06 +0000 (13:24 +0100)]
use RETURN instead of ACCEPT for tap-out rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

Dietmar Maurer [Tue, 25 Feb 2014 11:16:33 +0000 (12:16 +0100)]
implement VM policy option

Dietmar Maurer [Tue, 25 Feb 2014 10:54:38 +0000 (11:54 +0100)]
implement 'enable' option

And pass the whole VM firewall config to generate_tap_rules_direction. That way we
have access to the {options} section.

Dietmar Maurer [Tue, 25 Feb 2014 10:42:32 +0000 (11:42 +0100)]
compile: use verbose output when started from CLI

Dietmar Maurer [Tue, 25 Feb 2014 10:29:22 +0000 (11:29 +0100)]
rename chain $bridge to $bridge-FW

and fix the activation bug.

Alexandre Derumier [Tue, 25 Feb 2014 08:44:54 +0000 (09:44 +0100)]
optimize bridge chains

fixme: I have this error "unable to update chain vmbrX".

But if I remove this check, the rules apply fine.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

Alexandre Derumier [Tue, 25 Feb 2014 08:44:53 +0000 (09:44 +0100)]
parse_port_name_number_or_range fix range check

for port range a:b, we need to check that b > a.

This kind of range is invalid:

80:22
80:ssh
http:ssh

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
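
An added example, not code from pve-firewall, covering this range check together with the earlier multiport commits ("fix multiport rules and add icmp type names", "improve multiport rule generator", "do not use multiport for single port range") and "ignore source/destination port if no protocol specified". It resolves service names before comparing the ends of a range, so 80:22, 80:ssh and http:ssh are all rejected, and then builds the match fragment for a rule: a single port or single range uses --sport/--dport, a list needs `-m multiport` with the plural --sports/--dports, source and destination lists get two separate multiport matches because one instance accepts only one of the two options, and for proto icmp the dport field carries an ICMP type name. The service table and the ICMP type list are small constructed stand-ins for /etc/services and iptables' own name table; the function names are mine, not the project's.

```python
# Added example (not pve-firewall code): port/range validation and the
# iptables match fragments that follow from it. SERVICES and ICMP_TYPES are
# constructed subsets, not a real /etc/services or the full iptables list.
import re

SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}
ICMP_TYPES = {"echo-request", "echo-reply", "destination-unreachable", "time-exceeded"}
MULTIPORT_MAX = 15          # xt_multiport limit; a range consumes two slots


def resolve_port(name):
    """Numeric port from a number or a service name, else ValueError."""
    if re.fullmatch(r"\d+", name):
        port = int(name)
        if port > 65535:
            raise ValueError(f"port out of range: {name}")
        return port
    if name in SERVICES:
        return SERVICES[name]
    raise ValueError(f"unknown service name: {name}")


def parse_port_name_number_or_range(spec):
    """(lo, hi) for 'a:b', (p, p) for a single port.

    Names are resolved first, then the range must be ascending (b > a), so
    80:22, 80:ssh and http:ssh are all rejected.
    """
    if ":" in spec:
        a, b = spec.split(":", 1)
        lo, hi = resolve_port(a), resolve_port(b)
        if hi <= lo:
            raise ValueError(f"invalid port range (need b > a): {spec}")
        return lo, hi
    port = resolve_port(spec)
    return port, port


def port_match(kind, spec):
    """Fragment for one field; kind is 'sport' or 'dport', spec a port, a range
    or a comma separated list. Only a list needs multiport, whose options are plural."""
    items = [parse_port_name_number_or_range(s) for s in spec.split(",")]
    text = [str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in items]
    if len(text) == 1:
        return f"--{kind} {text[0]}"
    slots = sum(1 if lo == hi else 2 for lo, hi in items)
    if slots > MULTIPORT_MAX:
        raise ValueError(f"too many ports for one multiport match ({slots} > {MULTIPORT_MAX})")
    return f"-m multiport --{kind}s {','.join(text)}"


def is_valid_port_spec(spec):
    """True if spec parses and fits in one match; used to validate config without building rules."""
    try:
        port_match("dport", spec)
        return True
    except ValueError:
        return False


def rule_match(proto, sport=None, dport=None):
    """Protocol/port part of a rule. Ports are ignored without a protocol; for icmp
    the 'dport' field is an ICMP type name; source and destination lists each get
    their own multiport match since one instance takes only --sports or --dports."""
    if proto is None:
        return ""
    parts = [f"-p {proto}"]
    if proto == "icmp":
        if dport is not None:
            if dport not in ICMP_TYPES:
                raise ValueError(f"unknown icmp type: {dport}")
            parts.append(f"-m icmp --icmp-type {dport}")
        return " ".join(parts)
    if sport is not None:
        parts.append(port_match("sport", sport))
    if dport is not None:
        parts.append(port_match("dport", dport))
    return " ".join(parts)


if __name__ == "__main__":
    for spec in ("http:https", "80:22", "80:ssh", "http:ssh"):
        print(f"{spec:12s} valid={is_valid_port_spec(spec)}")
    print(rule_match("tcp", dport="22"))
    print(rule_match("tcp", sport="80,443", dport="ssh,domain"))
    print(rule_match("icmp", dport="echo-request"))
```

The strict b > a follows the commit message; iptables itself accepts a:a, so a generator that wants to allow a degenerate range would relax the comparison to hi < lo.
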
Dietmar Maurer [Fri, 21 Feb 2014 10:01:17 +0000 (11:01 +0100)]
do not delete PVEFW-INPUT, PVEFW-OUTPUT and PVEFW-FORWARD chain.

Dietmar Maurer [Fri, 21 Feb 2014 09:39:13 +0000 (10:39 +0100)]
implement simple option parser

Dietmar Maurer [Thu, 20 Feb 2014 12:14:58 +0000 (13:14 +0100)]
use conntrack instead of state

-m state --state is deprecated

Dietmar Maurer [Thu, 20 Feb 2014 11:39:38 +0000 (12:39 +0100)]
allow traffic from lo (PVEFW-INPUT)

Dietmar Maurer [Thu, 20 Feb 2014 10:35:51 +0000 (11:35 +0100)]
define more macros (converted most shorewall macros)

Dietmar Maurer [Thu, 20 Feb 2014 10:06:55 +0000 (11:06 +0100)]
use $rule->{dest} instead of $rule->{destination}

Dietmar Maurer [Thu, 20 Feb 2014 08:02:17 +0000 (09:02 +0100)]
implement macros

Dietmar Maurer [Wed, 19 Feb 2014 16:01:11 +0000 (17:01 +0100)]
only use --mark for OUT chain

Dietmar Maurer [Wed, 19 Feb 2014 10:24:49 +0000 (11:24 +0100)]
jump to ACCEPT for IN rules

Dietmar Maurer [Wed, 19 Feb 2014 09:59:37 +0000 (10:59 +0100)]
improve parser

Also avoid that we read the group file multiple times.
The group file does not need to specify interfaces.

Dietmar Maurer [Wed, 19 Feb 2014 07:30:15 +0000 (08:30 +0100)]
use accept mark for security groups

Dietmar Maurer [Wed, 19 Feb 2014 07:26:22 +0000 (08:26 +0100)]
correctly remove stale chains

Dietmar Maurer [Tue, 18 Feb 2014 15:01:29 +0000 (16:01 +0100)]
pass $ruleset instead of $rule

Dietmar Maurer [Tue, 18 Feb 2014 11:40:02 +0000 (12:40 +0100)]
check chain name length (max 28 chars)

Dietmar Maurer [Tue, 18 Feb 2014 11:27:03 +0000 (12:27 +0100)]
use --comment to store SHA1 signature

Dietmar Maurer [Tue, 18 Feb 2014 11:15:26 +0000 (12:15 +0100)]
split compile from apply

And renamed compile_and_start into apply_ruleset.
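
An added example, not code from pve-firewall, of the compile/apply split this commit and its neighbours describe ("use --comment to store SHA1 signature", "check chain name length (max 28 chars)", and, further up, "do not delete PVEFW-INPUT, PVEFW-OUTPUT and PVEFW-FORWARD chain"). The compiler produces the ruleset in iptables-save form and appends to every chain a rule whose only purpose is to carry a SHA1 of that chain's rules in a `-m comment`; apply then reads the signatures of the chains already loaded and rebuilds only those whose signature is missing or differs, deletes managed chains that are no longer compiled, and never deletes the three top-level chains, which other rules jump into. The "PVESIG:" tag, the pattern used to recognise managed chain names, the iptables-save parsing and both sample rulesets are assumptions constructed for this example.

```python
# Added example (not pve-firewall code): compile a ruleset with per-chain SHA1
# signatures stored in -m comment, then plan an apply step that only touches
# chains whose signature changed. Tag name, chain-name pattern and sample data
# are assumptions.
import hashlib
import re

SIG_PREFIX = "PVESIG:"                      # assumed tag name
TOP_CHAINS = {"PVEFW-INPUT", "PVEFW-OUTPUT", "PVEFW-FORWARD"}
MAX_CHAIN_NAME = 28                         # iptables limit on chain names
ZERO_SIG = "0" * 40


def is_valid_chain_name(name):
    return 0 < len(name) <= MAX_CHAIN_NAME and " " not in name


def is_pvefw_chain(name):
    """Chains this tool owns: PVEFW-* plus per-device chains such as tap110i0-IN or vmbr0-FW."""
    return (name.startswith("PVEFW-")
            or re.fullmatch(r"(tap|veth)\d+i\d+-(IN|OUT)", name) is not None
            or re.fullmatch(r"vmbr\d+-(IN|OUT|FW)", name) is not None)


def chain_signature(rules):
    """SHA1 over the chain's rules, one per line: any edit to any rule changes the tag."""
    return hashlib.sha1("\n".join(rules).encode()).hexdigest()


def compile_ruleset(chains):
    """Compile: {chain: [rules]} -> same dict with a signature rule appended to every chain."""
    compiled = {}
    for name, rules in chains.items():
        if not is_valid_chain_name(name):
            raise ValueError(f"bad chain name (max {MAX_CHAIN_NAME} chars): {name}")
        sig = chain_signature(rules)
        compiled[name] = list(rules) + [f'-A {name} -m comment --comment "{SIG_PREFIX}{sig}"']
    return compiled


def to_iptables_save(compiled):
    """Render a compiled ruleset as an iptables-restore fragment for the filter table."""
    lines = ["*filter"] + [f":{name} - [0:0]" for name in compiled]
    for rules in compiled.values():
        lines += rules
    return "\n".join(lines + ["COMMIT"]) + "\n"


def loaded_signatures(save_text):
    """Parse iptables-save output into {chain: signature-or-None} for managed chains."""
    sigs = {}
    for line in save_text.splitlines():
        head = re.match(r"^:(\S+) ", line)
        if head and is_pvefw_chain(head.group(1)):
            sigs.setdefault(head.group(1), None)
        tag = re.match(r'^-A (\S+) .*--comment "' + re.escape(SIG_PREFIX) + r'([0-9a-f]{40})"', line)
        if tag and is_pvefw_chain(tag.group(1)):
            sigs[tag.group(1)] = tag.group(2)
    return sigs


def plan_apply(compiled, loaded):
    """Apply step: (chains to rebuild, chains to delete).

    Rebuild when the chain is missing or its loaded signature differs from the
    compiled one; delete managed chains that are loaded but no longer compiled,
    except the top-level chains, which other rules jump to and must survive.
    """
    wanted = {name: chain_signature(rules[:-1]) for name, rules in compiled.items()}
    rebuild = sorted(n for n, sig in wanted.items() if loaded.get(n) != sig)
    delete = sorted(n for n in loaded if n not in wanted and n not in TOP_CHAINS)
    return rebuild, delete


# Constructed sample data ----------------------------------------------------
TAP110_RULES = ["-A tap110i0-IN -p tcp --dport 22 -j ACCEPT", "-A tap110i0-IN -j DROP"]


def wanted_rules():
    """What the compiler wants on the host right now."""
    return {
        "PVEFW-INPUT": ["-A PVEFW-INPUT -i lo -j ACCEPT",
                        "-A PVEFW-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"],
        "PVEFW-FORWARD": ["-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"],
        "tap110i0-IN": TAP110_RULES,
    }


def sample_loaded():
    """iptables-save of a host where PVEFW-INPUT is outdated, PVEFW-FORWARD is untagged,
    tap110i0-IN is current and tap200i0-IN belongs to a VM that no longer exists."""
    return "\n".join([
        "*filter", ":INPUT ACCEPT [0:0]", ":PVEFW-INPUT - [0:0]", ":PVEFW-FORWARD - [0:0]",
        ":tap110i0-IN - [0:0]", ":tap200i0-IN - [0:0]",
        "-A PVEFW-INPUT -i lo -j ACCEPT",
        f'-A PVEFW-INPUT -m comment --comment "{SIG_PREFIX}{ZERO_SIG}"',
        *TAP110_RULES,
        f'-A tap110i0-IN -m comment --comment "{SIG_PREFIX}{chain_signature(TAP110_RULES)}"',
        "-A tap200i0-IN -j DROP", "COMMIT", ""])


if __name__ == "__main__":
    rebuild, delete = plan_apply(compile_ruleset(wanted_rules()), loaded_signatures(sample_loaded()))
    print("rebuild:", rebuild)   # ['PVEFW-FORWARD', 'PVEFW-INPUT']
    print("delete: ", delete)    # ['tap200i0-IN']
```

Because the signature rule is itself the last rule of the chain, the apply side never has to diff rule text; it compares one 40-character tag per chain and rebuilds the chain wholesale when it differs, which is cheap and leaves unchanged chains (and their counters) alone.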

Dietmar Maurer [Tue, 18 Feb 2014 11:08:19 +0000 (12:08 +0100)]
avoid perl warning

Dietmar Maurer [Tue, 18 Feb 2014 11:07:40 +0000 (12:07 +0100)]
enable proc/sys/net/bridge/bridge-nf-call-iptables

Dietmar Maurer [Tue, 18 Feb 2014 10:59:01 +0000 (11:59 +0100)]
add MAC filter

Dietmar Maurer [Tue, 18 Feb 2014 09:59:21 +0000 (10:59 +0100)]
cleanup chain names

Try to use PVEFW prefix. I do not add that prefix to chains containing device names,
because chain name length is limited.

Alexandre Derumier [Mon, 17 Feb 2014 12:50:26 +0000 (13:50 +0100)]
test if BRIDGEFW-OUT and BRIDGEFW-IN exist

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>