fukawi2 / husk Goto Github PK

tank ~ # fir -d
/usr/local/sbin/fire: illegal option -- d
/usr/local/sbin/fire: line 191: OPTARG: unbound variable

If husk is run without any settings in the config file (either empty, or everything commented) then it dies with the error:

'_SYNTAX' is not defined at blib/lib/Config/Simple.pm (autosplit into blib/lib/auto/Config/Simple/vars.al) line 1324, <FH> line 10.

Add support for hooks in fire script to execute preset commands before/after compiling/applying rulesets.

Use case example: restart fail2ban after reloading rules to ensure fail2ban rules are in place.

There are often erroneous logs generated by the LATE DROP feature.

These occur for TCP packets where they are no valid NEW packets, I presume from script kiddies.

Note the mix of ACK FIN, ACK SYN and ACK RST flags in the packets which makes them invalid "NEW" connections so are not processed by a cross-zone block (eg, x_NET_ME):

Mar 13 12:57:03 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=8.28.16.254 DST=50.116.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=41572 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0 
Mar 13 12:58:07 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=8.28.16.254 DST=50.116.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=65011 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0 
Mar 13 13:19:40 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=198.1.68.147 DST=50.116.xx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=64735 PROTO=TCP SPT=80 DPT=29193 WINDOW=16384 RES=0x00 ACK SYN URGP=0 

Example:

drop protocol tcp port ssh not source address jumpbox.example.com

nftables is being merged in the 3.13 kernel, and while it may be a quite a while before iptables/ip6tables is fully depreciated, we should look to add support for nftables.

http://kernelnewbies.org/nftables_examples

The following is accepting by husk as valid, however rejected by netfilter due to "protocol" missing (port is only valid with protocol TCP or UDP)

accept destination address foobar.example.com port 123

Should be one of:

accept destination address foobar.example.com protocol tcp port 123
accept destination address foobar.example.com protocol udp port 123

There is an upstream bug in ip6tables that causes segmentation faults. Refer http://bugzilla.netfilter.org/show_bug.cgi?id=766

There are certain protective rules commented in the helper at the moment.

They need to be uncommented when upstream fixes the issue.

In addr_groups.conf, [bogons] section

1. In "192.0.0.0/24" probably netmask is incorrect - in http://tools.ietf.org/html/rfc6333 it is /29 not /24
2. in RFC 6598 is added "provider's net" - 100.64.0.0/10

Support for ipset; Need I say more?

Certain ICMP packets are critical for various aspects of IPv6 such as Neighbour/Router Discovery/Advertisements.

husk should have a built-in to automatically put accept rules in (with the right/sane criteria) if IPv6 rules are being built.

Add command line options to switch out between targets (eg, accept, reject, drop or custom)

Hi,
Since last upgrade in archlinux, the filename /usr/bin/fire is part of mesa-demos package. It's then conflicting with /usr/bin/fire provided by husk.

As a workaround, I've added this line in the PKGBUILD in the package function:
mv $pkgdir/usr/bin/fire $pkgdir/usr/bin/husk-fire

Is there any option to rename the fire command into something different ?
Thanks

The latest iptables-restore on CentOS 5.9 rejects the LOG syntax generated by husk:

/tmp # fire
ERROR: The following line was not accepted by the kernel
-A x_NET_ME -m limit --limit 4/minute --limit-burst 3 -j LOG --log-prefix="[x_NET_ME] "

Feeding iptables-restore manually shows the problem is with the LOG target

/tmp # husk -4 | iptables-restore 
iptables-restore v1.3.5: Unknown arg `LOG'
Error occurred at line: 26

It appears RHEL 5.9 has completely removed connection tracking from the distribution:

~ # ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory

Connection Tracking has always been troublesome; this is probably the final straw for husk support of IPv6 on RHEL 5

Adding support for the TRACE target would be useful to debugging rulesets.

Since TRACE is only valid in the raw table, and we don't usually touch it that, TRACE syntax should probably exist outside a define rules block (similar to 'common' rules).

Core husk system needs to be rewritten to use IPTables::Rule once it is complete.

https://github.com/fukawi2/IPTables-Rule