fukawi2 / husk
Natural-language DSL for iptables/netfilter firewall rules.
Home Page: http://huskfw.info
tank ~ # fir -d
/usr/local/sbin/fire: illegal option -- d
/usr/local/sbin/fire: line 191: OPTARG: unbound variable
If husk is run without any settings in the config file (either empty, or everything commented) then it dies with the error:
'_SYNTAX' is not defined at blib/lib/Config/Simple.pm (autosplit into blib/lib/auto/Config/Simple/vars.al) line 1324, <FH> line 10.
Add support for hooks in fire script to execute preset commands before/after compiling/applying rulesets.
Use case example: restart fail2ban after reloading rules to ensure fail2ban rules are in place.
There are often erroneous logs generated by the LATE DROP feature.
These occur for TCP packets which are not valid NEW packets, I presume from script kiddies.
Note the mix of ACK FIN, ACK SYN and ACK RST flags in the packets, which makes them invalid "NEW" connections, so they are not processed by a cross-zone block (eg, x_NET_ME):
Mar 13 12:57:03 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=8.28.16.254 DST=50.116.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=41572 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
Mar 13 12:58:07 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=8.28.16.254 DST=50.116.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=65011 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
Mar 13 13:19:40 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=198.1.68.147 DST=50.116.xx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=64735 PROTO=TCP SPT=80 DPT=29193 WINDOW=16384 RES=0x00 ACK SYN URGP=0
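The triage the issue describes, as an added example that is not part of husk: parse netfilter LOG lines with the [LATE DROP] prefix, pull out the bare TCP flag words, and separate packets that could never have been a NEW connection from genuine blocked SYNs. The sample lines are constructed from the entries above with RFC 5737 addresses.

```python
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
LOG_RE = re.compile(r"kernel: \[(?P<prefix>[^\]]*)\] (?P<body>.*)$")

# Constructed sample lines, modelled on the entries quoted above (RFC 5737 addresses).
SAMPLE_LOG = """\
Mar 13 12:57:03 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=53 ID=41572 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK FIN URGP=0
Mar 13 12:58:07 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=65011 PROTO=TCP SPT=45295 DPT=80 WINDOW=1032 RES=0x00 ACK RST URGP=0
Mar 13 13:19:40 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=198.51.100.77 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=64735 PROTO=TCP SPT=80 DPT=29193 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Mar 13 13:20:01 www1 kernel: [LATE DROP] IN=eth0 OUT= MAC=f2:3c:91:70:43:9b:c8:4c:75:f5:d6:3f:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

def parse_netfilter_line(line):
    """Parse one netfilter LOG-target kernel line; None if it is not one.
    KEY=VALUE tokens become fields (OUT= keeps its empty value) and bare
    TCP flag words (ACK, FIN, ...) are collected into rec["flags"]."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec

def classify(rec):
    """conntrack only treats a bare SYN as NEW, so only that case is a blocked
    connection attempt. Everything else is a segment with no tracked flow:
    a late FIN/RST after the entry timed out, or a SYN/ACK answering a SYN we
    never sent (backscatter from a scan or flood that spoofed our address)."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    return "new" if rec["flags"] == {"SYN"} else "stale"

def summarize(log_text):
    """Count LATE DROP hits per (SRC, class) so stale noise is separated from real blocks."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec and rec["prefix"] == "LATE DROP":
            counts[(rec["SRC"], classify(rec))] += 1
    return counts
```

On the constructed sample only the last line (a bare SYN to port 22) is a real blocked attempt; the three flag mixes from the issue all classify as stale.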
Example:
drop protocol tcp port ssh not source address jumpbox.example.com
nftables is being merged in the 3.13 kernel, and while it may be quite a while before iptables/ip6tables is fully deprecated, we should look to add support for nftables.
The following is accepted by husk as valid, but is rejected by netfilter because "protocol" is missing (port is only valid with protocol TCP or UDP):
accept destination address foobar.example.com port 123
Should be one of:
accept destination address foobar.example.com protocol tcp port 123
accept destination address foobar.example.com protocol udp port 123
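A pre-flight check for this defect, as an added example rather than husk's own parser: it tokenizes a rule into (criterion, value, negated) triples using a simplified subset of the husk grammar (an assumption for this example; the real parser accepts more keywords) and rejects any port criterion that is not backed by a non-negated protocol tcp or udp, which is what iptables requires for --dport/--sport.

```python
ACTIONS = {"accept", "drop", "reject"}
QUALIFIERS = {"source", "destination"}
# Criteria that take exactly one value. This is a simplified subset of the husk
# grammar assumed for the example; the real parser accepts more keywords.
UNARY = {"protocol", "port", "address", "interface", "state"}
PORT_PROTOCOLS = {"tcp", "udp"}

def tokenize_rule(line):
    """Split a husk rule into its action and a list of (criterion, value, negated)
    triples, e.g. 'not source address x' -> ('source address', 'x', True)."""
    words = line.split()
    if not words or words[0] not in ACTIONS:
        raise ValueError("rule must start with one of %s" % sorted(ACTIONS))
    crits, i, negated, qual = [], 1, False, ""
    while i < len(words):
        w = words[i]
        if w == "not":
            negated = True
        elif w in QUALIFIERS:
            qual = w
        elif w in UNARY:
            if i + 1 >= len(words):
                raise ValueError("missing value after %r" % w)
            crits.append(((qual + " " + w).strip(), words[i + 1], negated))
            negated, qual = False, ""
            i += 1  # skip the value we just consumed
        else:
            raise ValueError("unknown keyword %r" % w)
        i += 1
    return words[0], crits

def validate_rule(line):
    """Return the problems netfilter would reject in a rule husk accepts.
    iptables' --dport/--sport are only valid with -p tcp or -p udp, and a
    negated protocol ('not protocol tcp') does not establish one."""
    _, crits = tokenize_rule(line)
    protocols = {v for name, v, neg in crits if name == "protocol" and not neg}
    port_crits = [name for name, _, _ in crits if name.endswith("port")]
    errors = []
    if port_crits and not protocols & PORT_PROTOCOLS:
        errors.append("'%s' requires 'protocol tcp' or 'protocol udp'" % port_crits[0])
    return errors
```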
There is an upstream bug in ip6tables that causes segmentation faults. Refer to http://bugzilla.netfilter.org/show_bug.cgi?id=766
There are certain protective rules commented in the helper at the moment.
They need to be uncommented when upstream fixes the issue.
In addr_groups.conf, [bogons] section
Support for ipset; Need I say more?
Certain ICMP packets are critical for various aspects of IPv6 such as Neighbour/Router Discovery/Advertisements.
husk should have a built-in to automatically put accept rules in (with the right/sane criteria) if IPv6 rules are being built.
Add command line options to switch out between targets (eg, accept, reject, drop or custom)
Hi,
Since the last upgrade in Arch Linux, the filename /usr/bin/fire is part of the mesa-demos package. It then conflicts with the /usr/bin/fire provided by husk.
As a workaround, I've added this line in the PKGBUILD in the package function:
mv $pkgdir/usr/bin/fire $pkgdir/usr/bin/husk-fire
Is there any option to rename the fire command to something different?
Thanks
The latest iptables-restore on CentOS 5.9 rejects the LOG syntax generated by husk:
/tmp # fire
ERROR: The following line was not accepted by the kernel
-A x_NET_ME -m limit --limit 4/minute --limit-burst 3 -j LOG --log-prefix="[x_NET_ME] "
Feeding iptables-restore manually shows the problem is with the LOG target
/tmp # husk -4 | iptables-restore
iptables-restore v1.3.5: Unknown arg `LOG'
Error occurred at line: 26
It appears RHEL 5.9 has completely removed connection tracking from the distribution:
~ # ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory
Connection Tracking has always been troublesome; this is probably the final straw for husk support of IPv6 on RHEL 5
Adding support for the TRACE target would be useful for debugging rulesets.
Since TRACE is only valid in the raw table, and we don't usually touch that, TRACE syntax should probably exist outside a define rules block (similar to 'common' rules).
Core husk system needs to be rewritten to use IPTables::Rule once it is complete.