* [PATCH] IDS: Allow to inspect traffic from or to OpenVPN
@ 2019-12-17 12:06 Stefan Schantl
From: Stefan Schantl @ 2019-12-17 12:06 UTC (permalink / raw)
To: development
This commit allows configuring suricata to monitor traffic from or to
OpenVPN tunnels. This includes the RW server and all established N2N
connections.
Because the RW server and/or each N2N connection uses its own tun?
device, it is only possible to enable monitoring for all of them or to disable
monitoring entirely.
Fixes #12111.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
html/cgi-bin/ids.cgi | 10 ++++++++--
src/initscripts/system/suricata | 18 +++++++++++++++++-
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index da009f891..2a8a7cb26 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -49,6 +49,11 @@ my %ignored=();
# the list of zones in an array.
my @network_zones = &IDS::get_available_network_zones();
+# Check if openvpn is started and add it to the array of network zones.
+if ( -e "/var/run/openvpn.pid") {
+ push(@network_zones, "ovpn");
+}
+
my $errormessage;
# Create files if they does not exist yet.
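Review bot: the `-e "/var/run/openvpn.pid"` test only proves that a pid file exists, not that the RW server is running, so a stale file left behind by a crash still offers the `ovpn` zone, while a box that runs only N2N connections (which, per the commit message, create their own tun devices) never gets the zone even though the initscript hunk would pick up their tun devices. Consider checking that the recorded pid belongs to a live process (`kill -0` on the pid read from the file) or deriving the zone from the presence of tun devices, as the initscript does.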
@@ -59,7 +64,8 @@ my %colourhash = (
'red' => $Header::colourred,
'green' => $Header::colourgreen,
'blue' => $Header::colourblue,
- 'orange' => $Header::colourorange
+ 'orange' => $Header::colourorange,
+ 'ovpn' => $Header::colourovpn
);
&Header::showhttpheaders();
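Review bot: `$Header::colourovpn` is referenced here but nothing in this patch defines it; if header.pl does not already provide that variable, `$colourhash{'ovpn'}` is undef and the `<font color='...'>` printed for the zone row ends up with an empty colour. Please confirm the variable exists or add its definition to this series.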
@@ -839,7 +845,7 @@ END
$checked_input = "checked = 'checked'";
}
- print "<td class='base' width='25%'>\n";
+ print "<td class='base' width='20%'>\n";
print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n";
print " $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n";
print "</td>\n";
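Review bot: hard-coding `20%` assumes exactly five zones, but the first hunk pushes `ovpn` onto `@network_zones` only when OpenVPN's pid file exists, so with four zones the cells now fill only 80% of the row. Derive the width from the actual zone count instead, e.g. `my $width = int(100 / scalar(@network_zones));` before the loop and `print "<td class='base' width='$width%'>\n";` here.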
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 27ab2e4e8..29e58a7e2 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -29,7 +29,7 @@ IPS_OUTPUT_CHAIN="IPS_OUTPUT"
NFQ_OPTS="--queue-bypass "
# Array containing the 4 possible network zones.
-network_zones=( red green blue orange )
+network_zones=( red green blue orange ovpn )
# Array to store the network zones weather the IPS is enabled for.
enabled_ips_zones=()
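Review bot: the comment right above the changed line still reads `# Array containing the 4 possible network zones.` while the array now holds five entries; update it, and fix `weather` to `whether` in the following comment while touching this block. Note also that `ovpn` is added unconditionally here whereas ids.cgi offers it only when OpenVPN is running; a short comment explaining that the zone is harmless when no `ENABLE_IDS_OVPN` setting is present would help the next reader.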
@@ -86,6 +86,22 @@ function generate_fw_rules {
if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
# Set device name to ppp0.
network_device="ppp0"
+ elif [ "$zone" == "ovpn" ]; then
+ # Get all virtual net devices because the RW server and each
+ # N2N connection creates it's own tun device.
+ for virt_dev in /sys/devices/virtual/net/*; do
+ # Cut-off the directory.
+ dev="${virt_dev##*/}"
+
+ # Only process tun devices.
+ if [[ $dev =~ "tun" ]]; then
+ # Add the network device to the array of enabled zones.
+ enabled_ips_zones+=( "$dev" )
+ fi
+ done
+
+ # Process next zone.
+ continue
else
# Generate variable name which contains the device name.
zone_name="$zone_upper"
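Review bot: `[[ $dev =~ "tun" ]]` is a regex match against an unanchored literal, so any interface whose name merely contains `tun` is added to `enabled_ips_zones`, and the loop cannot distinguish an OpenVPN `tun?` device from one created by some other program. An anchored glob, `[[ $dev == tun* ]]`, matches the stated intent more precisely; better still would be to take the device names from OpenVPN's own configuration rather than from `/sys/devices/virtual/net`. Separately, the device list is captured once when the rules are generated, so an N2N tunnel that comes up after suricata has started (the commit message notes each connection creates its own tun device) receives no IPS rules until the service is restarted; either document that limitation or regenerate the rules from the OpenVPN up/down scripts. Minor: `it's own` in the comment should be `its own`.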
--
2.24.0