From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH] IDS: Allow to inspect traffic from or to OpenVPN
Date: Tue, 17 Dec 2019 13:06:29 +0100
Message-ID: <20191217120629.2679-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1256413100966999108=="
List-Id:
--===============1256413100966999108==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
This commit allows to configure suricata to monitor traffic from or to OpenVPN tunnels. This includes the RW server and all established N2N connections. Because the RW server and/or each N2N connection uses it's own tun? device, it is only possible to enable monitoring all of them or to disable monitoring entirely.
Fixes #12111.
Signed-off-by: Stefan Schantl
---
 html/cgi-bin/ids.cgi | 10 ++++++++--
 src/initscripts/system/suricata | 18 +++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index da009f891..2a8a7cb26 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -49,6 +49,11 @@ my %ignored=3D();
 # the list of zones in an array.
 my @network_zones =3D &IDS::get_available_network_zones();
=20
+# Check if openvpn is started and add it to the array of network zones.
+if ( -e "/var/run/openvpn.pid") {
+ push(@network_zones, "ovpn");
+}
+
 my $errormessage;
=20
 # Create files if they does not exist yet.
@@ -59,7 +64,8 @@ my %colourhash =3D (
 'red' =3D> $Header::colourred,
 'green' =3D> $Header::colourgreen,
 'blue' =3D> $Header::colourblue,
- 'orange' =3D> $Header::colourorange
+ 'orange' =3D> $Header::colourorange,
+ 'ovpn' =3D> $Header::colourovpn
 );
=20
 &Header::showhttpheaders();
@@ -839,7 +845,7 @@ END
 $checked_input =3D "checked =3D 'checked'";
 }
=20
- print "\n";
+ print "\n";
 print "\n";
 print " $Lang::tr{'enabled on'} $L= ang::tr{$zone_name}\n";
 print "\n";
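Review bot: The `-e "/var/run/openvpn.pid"` test in the first hunk proves only that a pid file exists, not that OpenVPN is running, so a stale file left by an unclean stop keeps offering the ovpn zone, and the opposite case is untested: the commit message says each N2N connection has its own tun device, but if N2N connections can be up without this particular pid file the checkbox is never shown for them. Worth confirming which process writes that path and saying so in the comment, e.g. `# Offer the ovpn zone while /var/run/openvpn.pid exists (written by the OpenVPN server; confirm N2N-only setups also create it).` The colourhash hunk also assumes `$Header::colourovpn` is defined in Header, which is not visible in this patch.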
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 27ab2e4e8..29e58a7e2 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -29,7 +29,7 @@ IPS_OUTPUT_CHAIN=3D"IPS_OUTPUT"
 NFQ_OPTS=3D"--queue-bypass "
=20
 # Array containing the 4 possible network zones.
-network_zones=3D( red green blue orange )
+network_zones=3D( red green blue orange ovpn )
=20
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=3D()
@@ -86,6 +86,22 @@ function generate_fw_rules {
 if [ "$zone" =3D=3D "red" ] && [ "$RED_TYPE" =3D=3D "PPPOE" ]; then
 # Set device name to ppp0.
 network_device=3D"ppp0"
+ elif [ "$zone" =3D=3D "ovpn" ]; then
+ # Get all virtual net devices because the RW server and each
+ # N2N connection creates it's own tun device.
+ for virt_dev in /sys/devices/virtual/net/*; do
+ # Cut-off the directory.
+ dev=3D"${virt_dev##*/}"
+ # Only process tun devices.
+ if [[ $dev =3D~ "tun" ]]; then
+ # Add the network device to the array of enabled zones.
+ enabled_ips_zones+=3D( "$dev" )
+ fi
+ done
+
+ # Process next zone.
+ continue
 else
 # Generate variable name which contains the device name.
 zone_name=3D"$zone_upper"
--=20
2.24.0
--===============1256413100966999108==--
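Review bot: The comment `# Array containing the 4 possible network zones.` is now wrong, because the array directly below it gains a fifth entry (ovpn) in this hunk; change it to `# Array containing the possible network zones.` so the count does not drift again the next time a zone is added.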
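Review bot: `if [[ $dev =~ "tun" ]]` uses a quoted, unanchored pattern, so it is a plain substring match that enrols any virtual interface whose name merely contains "tun" anywhere, and even an anchored form still enrols tun devices created by something other than OpenVPN, although the commit message promises only the RW server and N2N tunnels; tighten it to `if [[ $dev =~ ^tun[0-9]+$ ]]; then` and state in the comment that every tun device found is inspected, not only OpenVPN's. The comment `# N2N connection creates it's own tun device.` should read `its own`. generate_fw_rules starts before this hunk and the code that consumes enabled_ips_zones runs after it, so the effect of the added `continue` on the rest of the loop body cannot be checked from here.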