Diffstat (limited to 'security/doorman/files/ipf_add.before_block')
-rw-r--r-- | security/doorman/files/ipf_add.before_block | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/security/doorman/files/ipf_add.before_block b/security/doorman/files/ipf_add.before_block
new file mode 100644
index 000000000000..12e89c0f45cc
--- /dev/null
+++ b/security/doorman/files/ipf_add.before_block
@@ -0,0 +1,67 @@
+#!/bin/sh
+#
+# *********************************************************************
+# This script is used with IPFilter if the ruleset (/etc/ipf.rules)
+# contains an explicit drop rule that masks a rule added at the end.
+# It expects block rules for both input and output filters. This
+# works e.g. with rule sets generated by fwbuilder.
+#
+# The script will insert it's rule before the drop rule. The drop rules
+# are expected to look like the $inblock and $outblock variables
+# defined below.
+#
+# Note that it does not use locking, so concurrent accesses may
+# interfere with each other.
+# *********************************************************************
+#
+# file "ipf_add.before_block"
+# IPFilter add script, called by "doormand".
+# This add two "pass in quick" rules to the firewall.
+#
+# Called with five arguments:
+#
+# $1 : name of the interface (e.g. ne0)
+# $2 : source IP; i.e. dotted-decimal address of the 'knock' client
+# $3 : source port; when this script is called for the first time
+# for a connection (man 8 doormand), this argument will be set
+# to a single "0" (0x30) character. This means that the source
+# port is not yet known, and a broad rule allowing any source
+# port is required.
+# $4 : destination IP; that is, the IP address of the interface
+# in argument 1.
+# $5 : The port number of the requested service (e.g. 22 for ssh, etc.)
+#
+
+# This script expects the IPFilter ruleset to have two rules like this:
+inblock="block in log quick on $1 from any to any"
+outblock="block out log quick on $1 from any to any"
+# The new rules will be inserted just before these blocking rules.
+
+if [ $3 = 0 ]; then
+ inrule="pass in quick on $1 proto TCP from $2 to $4 port = $5"
+ outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2"
+else
+ inrule="pass in quick on $1 proto TCP from $2 port = $3 to $4 port = $5"
+ outrule="pass out quick on $1 proto TCP from $4 port = $5 to $2 port = $3"
+fi
+
+#
+# acquire lock (not implemented)
+#
+
+# Find the rule numbers of the block rules.
+inruleno=`ipfstat -in | sed -n -e "s/@\([0-9]*\) $inblock/\1/p"`
+outruleno=`ipfstat -on | sed -n -e "s/@\([0-9]*\) $outblock/\1/p"`
+
+# Insert new rules.
+ret=`(echo @$inruleno $inrule; echo @$outruleno $outrule) | /sbin/ipf -f - 2>&1`
+
+#
+# release lock (not implemented)
+#
+
+if [ -z "$ret" ]; then
+ echo 0
+else
+ echo -1 3 $ret
+fi
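Review bot: The rule numbers captured at `inruleno=` and `outruleno=` are handed to `/sbin/ipf -f -` unchecked: when the block rule is absent the unquoted `@$inruleno` expands to a bare `@`, and when the unanchored sed pattern matches more than one rule (any rule whose text merely starts with `$inblock` also matches) the multi-line result is word-split into a malformed rule, after which success is judged only by whether ipf printed anything on stderr, since no exit status is examined. The interface, address and port arguments are likewise spliced into the rule text and into the sed pattern with no validation, and the test `[ $3 = 0 ]` is unquoted, so an empty or non-numeric argument from the caller either breaks the test or becomes extra rule text. I would reject anything that is not a plain interface name, dotted-decimal address or port number before building the rules, anchor the sed match at the start of the line, and refuse to call ipf unless exactly one numeric rule number was found per direction, reporting failure on the same `-1 3 <reason>` line the script already uses (confirm against doormand(8) how the caller consumes that output and the exit status).

```shell
# … unchanged: header comments, inblock/outblock …
# Refuse anything that is not a plain interface name, dotted-decimal address
# or port number before it is spliced into rule text or a sed pattern.
case "$1" in ""|*[!A-Za-z0-9._]*) echo -1 3 bad interface argument; exit 1;; esac
for a in "$2" "$4"; do
  case "$a" in ""|*[!0-9.]*) echo -1 3 bad address argument; exit 1;; esac
done
for p in "$3" "$5"; do
  case "$p" in ""|*[!0-9]*) echo -1 3 bad port argument; exit 1;; esac
done
# … unchanged: inrule/outrule selection …
inruleno=`ipfstat -in | sed -n -e "s/^@\([0-9]*\) $inblock/\1/p"`
outruleno=`ipfstat -on | sed -n -e "s/^@\([0-9]*\) $outblock/\1/p"`
# Exactly one numeric rule number per direction, or leave the firewall alone
# (a multi-line match contains a newline and so fails the digit-only test).
case "$inruleno" in ""|*[!0-9]*) echo -1 3 input block rule not found; exit 1;; esac
case "$outruleno" in ""|*[!0-9]*) echo -1 3 output block rule not found; exit 1;; esac
# … unchanged: ipf -f - insertion and result reporting …
```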