This commit allows suricata to be configured to monitor traffic from or to OpenVPN tunnels. This includes the RW server and all established N2N connections.
Because the RW server and/or each N2N connection uses its own tun? device, it is only possible to enable monitoring for all of them or to disable monitoring entirely.
Fixes #12111.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- html/cgi-bin/ids.cgi | 10 ++++++++-- src/initscripts/system/suricata | 18 +++++++++++++++++- 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index da009f891..2a8a7cb26 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -49,6 +49,11 @@ my %ignored=();
 # the list of zones in an array.
 my @network_zones = &IDS::get_available_network_zones();
+# Check if openvpn is started and add it to the array of network zones.
+if ( -e "/var/run/openvpn.pid") {
+ push(@network_zones, "ovpn");
+}
+
 my $errormessage;
 # Create files if they does not exist yet.
@@ -59,7 +64,8 @@ my %colourhash = (
 'red' => $Header::colourred,
 'green' => $Header::colourgreen,
 'blue' => $Header::colourblue,
- 'orange' => $Header::colourorange
+ 'orange' => $Header::colourorange,
+ 'ovpn' => $Header::colourovpn
 );
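Review bot: The `-e "/var/run/openvpn.pid"` test on the new lines decides whether the 'ovpn' zone is offered, but a pid file is only a hint: a stale file left by a crash keeps offering a zone with no device, and if the N2N connections the description mentions run as separate processes, a system with N2N tunnels but no RW server never sees the checkbox at all; whether N2N connections write their own pid file is not visible here. The initscript half of this commit enumerates the tun devices under /sys/devices/virtual/net directly, so the CGI could use the same signal and stay consistent with it: `my @tun_devices = glob("/sys/devices/virtual/net/tun*");` followed by `push(@network_zones, "ovpn") if @tun_devices;`. Hiding the checkbox while a saved setting for the zone remains in the settings file is presumably harmless, since the initscript handles the zone on its own.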
 &Header::showhttpheaders();
@@ -839,7 +845,7 @@ END
 $checked_input = "checked = 'checked'";
 }
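Review bot: `$Header::colourovpn` on the new 'ovpn' entry is not introduced anywhere in this commit, and because it is a fully qualified package variable `use strict` will not catch a missing definition: the label would then be printed as `<font color=''>` with a use-of-uninitialized warning in the error log. If the variable is new it belongs in the same commit as the other colour definitions in Header.pm; if it already exists there, this is fine as is, and I could not confirm either from the diff.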
- print "<td class='base' width='25%'>\n";
+ print "<td class='base' width='20%'>\n";
 print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n";
 print " $Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n";
 print "</td>\n";
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 27ab2e4e8..29e58a7e2 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -29,7 +29,7 @@ IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 NFQ_OPTS="--queue-bypass "
 # Array containing the 4 possible network zones.
-network_zones=( red green blue orange )
+network_zones=( red green blue orange ovpn )
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
@@ -86,6 +86,22 @@ function generate_fw_rules {
 if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
 # Set device name to ppp0.
 network_device="ppp0"
+ elif [ "$zone" == "ovpn" ]; then
+ # Get all virtual net devices because the RW server and each
+ # N2N connection creates it's own tun device.
+ for virt_dev in /sys/devices/virtual/net/*; do
+ # Cut-off the directory.
+ dev="${virt_dev##*/}"
+
+ # Only process tun devices.
+ if [[ $dev =~ "tun" ]]; then
+ # Add the network device to the array of enabled zones.
+ enabled_ips_zones+=( "$dev" )
+ fi
+ done
+
+ # Process next zone.
+ continue
 else
 # Generate variable name which contains the device name.
 zone_name="$zone_upper"
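Review bot: The context comment directly above the changed `network_zones=( ... )` line, `# Array containing the 4 possible network zones.`, is now wrong: the array has five entries, and 'ovpn' is not a network zone in the sense of the other four but a placeholder that the rule generator expands to all OpenVPN tun devices. Update it in the same commit, e.g. `# Array containing the possible network zones; "ovpn" stands for all OpenVPN tun devices.`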
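Review bot: `if [[ $dev =~ "tun" ]]; then` in the new ovpn branch does not express the intended "tun device" check: quoting the right-hand side of `=~` turns it into a literal, unanchored substring match, so any interface whose name merely contains "tun" anywhere is added to `enabled_ips_zones`; `if [[ $dev == tun* ]]; then` states the intent directly and also copes with an unmatched glob, where bash leaves `dev` as the literal `*`. Note also that the loop is a snapshot at rule-generation time: tun devices created after suricata starts (an N2N connection established later, or OpenVPN started afterwards) are not covered until the IPS is restarted, unless something outside this diff restarts it on OpenVPN state changes, which I cannot see here; that assumption is worth recording in the comment, e.g. `# Only tun devices present now are covered; a restart is needed for tunnels created later.` The branch also collects every tun device regardless of which service created it, whereas the comment claims only RW/N2N devices; that is probably acceptable (extra coverage rather than less) but the comment should say so. generate_fw_rules starts before this hunk.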