This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, fifteen has been updated via 303c90a4c16cbc4f1453b4b1a8fa4c47449830a7 (commit) via 27ba58fb46cc5c91618d6c5e70d521b0a381afe8 (commit) via d69bf6191aaae1a92ff7dd6012135b15509bc7b4 (commit) via 409cd018c51fc4b866b2c8ae78597bc88c3b5c17 (commit) from 270c0c0ef03de6b912aeee63d117df6fb64a37e4 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 303c90a4c16cbc4f1453b4b1a8fa4c47449830a7 Merge: 27ba58f 270c0c0 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 7 16:11:10 2013 +0200
Merge branch 'fifteen' of ssh://git.ipfire.org/pub/git/ipfire-2.x into fifteen
commit 27ba58fb46cc5c91618d6c5e70d521b0a381afe8 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 7 16:10:02 2013 +0200
wirelessctrl: Silence error messages when no BLUE device is configured.
commit d69bf6191aaae1a92ff7dd6012135b15509bc7b4 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 7 15:21:40 2013 +0200
wirelessctrl: Re-indent the code.
commit 409cd018c51fc4b866b2c8ae78597bc88c3b5c17 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Sep 7 15:04:41 2013 +0200
optionsfw: Use saner defaults for DROPPROXY and DROPSAMBA.
-----------------------------------------------------------------------
Summary of changes: lfs/configroot | 4 +- src/misc-progs/wirelessctrl.c | 301 ++++++++++++++++++++---------------------- 2 files changed, 143 insertions(+), 162 deletions(-)
Difference in files:
diff --git a/lfs/configroot b/lfs/configroot
index d91dbeb..ba6770b 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -122,8 +122,8 @@ $(TARGET) :
 echo "FWPOLICY2=DROP" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "DROPOUTGOING=on" >> $(CONFIG_ROOT)/optionsfw/settings
- echo "DROPSAMBA=on" >> $(CONFIG_ROOT)/optionsfw/settings
- echo "DROPPROXY=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPSAMBA=off" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "DROPPROXY=off" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "SHOWREMARK=on" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "SHOWCOLORS=on" >> $(CONFIG_ROOT)/optionsfw/settings
 echo "SHOWTABLES=off" >> $(CONFIG_ROOT)/optionsfw/settings
diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
index 450aa36..1016613 100644
--- a/src/misc-progs/wirelessctrl.c
+++ b/src/misc-progs/wirelessctrl.c
@@ -5,8 +5,6 @@
 *
 * (c) Alan Hourihane, 2003
 *
- * $Id: wirelessctrl.c,v 1.2.2.5 2005/07/11 10:56:47 franck78 Exp $
- *
 */
 #include "libsmooth.h"
@@ -25,167 +23,150 @@ FILE *fd = NULL;
 char blue_dev[STRING_SIZE] = "";
 char command[STRING_SIZE];
-void exithandler(void)
-{
- /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
- if(strlen(blue_dev))
- {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
- safe_system(command);
- }
-
- if (fd)
- fclose(fd);
+void exithandler(void) {
+ /* added comment mark to the drop rules to be able to collect the bytes by the collectd */
+ if (strlen(blue_dev) > 0) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ safe_system(command);
+ }
+
+ if (fd)
+ fclose(fd);
 }
-int main(void)
-{
- char green_dev[STRING_SIZE] = "";
- char buffer[STRING_SIZE];
- char *index, *ipaddress, *macaddress, *enabled;
- struct keyvalue *kv = NULL;
-
- if (!(initsetuid()))
- exit(1);
-
- /* flush wireless iptables */
- safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
- safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
-
- memset(buffer, 0, STRING_SIZE);
-
- /* Init the keyvalue structure */
- kv=initkeyvalues();
-
- /* Read in the current values */
- if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
- {
- fprintf(stderr, "Cannot read ethernet settings\n");
- exit(1);
- }
-
- /* Read in the firewall values */
- if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings"))
- {
- fprintf(stderr, "Cannot read optionsfw settings\n");
- exit(1);
- }
-
- /* Get the GREEN interface details */
- if(!findkey(kv, "GREEN_DEV", green_dev))
- {
- fprintf(stderr, "Cannot read GREEN_DEV\n");
- exit(1);
- }
- if (!VALID_DEVICE(green_dev))
- {
- fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
- exit(1);
- }
- /* Get the BLUE interface details */
- if(!findkey(kv, "BLUE_DEV", blue_dev))
- {
- fprintf(stderr, "Cannot read BLUE_DEV\n");
- exit(1);
- }
- if (strlen(blue_dev) && !VALID_DEVICE(blue_dev))
- {
- fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
- exit(1);
- }
- if(! strlen(blue_dev) > 0)
- {
- fprintf(stderr, "No BLUE interface\n");
- exit(0);
- }
-
- if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r")))
- return 0;
-
- /* register exit handler to ensure the block rule is always present */
- atexit(exithandler);
-
- if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r")))
- {
- exit(0);
- }
-
- /* restrict blue access tp the proxy port */
- if(findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"off")){
- /* Read the proxy values */
- if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer)))
- {
- fprintf(stderr, "Cannot read proxy settings\n");
- exit(1);
- }
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
- safe_system(command);
- }
-
- /* not allow blue to acces a samba server running on local fire*/
- if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"off")){
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
- safe_system(command);
- }
-
- while (fgets(buffer, STRING_SIZE, fd))
- {
- buffer[strlen(buffer) - 1] = 0;
-
- index = strtok(buffer, ",");
- ipaddress = strtok(NULL, ",");
- macaddress = strtok(NULL, ",");
- enabled = strtok(NULL, ",");
-
- if (!strncmp(enabled, "on", 2)) {
-
- /* both specified, added security */
- if ((strlen(macaddress) == 17) &&
- (VALID_IP_AND_MASK(ipaddress))) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
- safe_system(command);
- } else {
-
- /* correctly formed mac address is 17 chars */
- if (strlen(macaddress) == 17) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
- safe_system(command);
- }
-
- if (VALID_IP_AND_MASK(ipaddress)) {
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
- safe_system(command);
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
- safe_system(command);
- }
- }
- }
+int main(void) {
+ char green_dev[STRING_SIZE] = "";
+ char buffer[STRING_SIZE];
+ char *index, *ipaddress, *macaddress, *enabled;
+ struct keyvalue *kv = NULL;
+
+ if (!(initsetuid()))
+ exit(1);
+
+ /* flush wireless iptables */
+ safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null");
+ safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null");
+
+ memset(buffer, 0, STRING_SIZE);
+
+ /* Init the keyvalue structure */
+ kv=initkeyvalues();
+
+ /* Read in the current values */
+ if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) {
+ fprintf(stderr, "Cannot read ethernet settings\n");
+ exit(1);
+ }
+
+ /* Read in the firewall values */
+ if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) {
+ fprintf(stderr, "Cannot read optionsfw settings\n");
+ exit(1);
+ }
+
+ /* Get the GREEN interface details */
+ if (findkey(kv, "GREEN_DEV", green_dev) > 0) {
+ if (!VALID_DEVICE(green_dev)) {
+ fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev);
+ exit(1);
+ }
+ }
+
+ /* Get the BLUE interface details */
+ if (findkey(kv, "BLUE_DEV", blue_dev) > 0) {
+ if ((strlen(blue_dev) > 0) && !VALID_DEVICE(blue_dev)) {
+ fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev);
+ exit(1);
+ }
+ }
+
+ if (strlen(blue_dev) == 0) {
+ exit(0);
+ }
+
+ if ((fd = fopen(CONFIG_ROOT "/wireless/nodrop", "r")))
+ return 0;
+
+ /* register exit handler to ensure the block rule is always present */
+ atexit(exithandler);
+
+ if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r"))) {
+ exit(0);
+ }
+
+ /* restrict blue access tp the proxy port */
+ if (findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"off") == 0) {
+ /* Read the proxy values */
+ if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer))) {
+ fprintf(stderr, "Cannot read proxy settings\n");
+ exit(1);
+ }
+
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev, buffer);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev, buffer);
+ safe_system(command);
+ }
+
+ /* not allow blue to acces a samba server running on local fire*/
+ if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"off")){
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --ports 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev);
+ safe_system(command);
+ }
+
+ while (fgets(buffer, STRING_SIZE, fd)) {
+ buffer[strlen(buffer) - 1] = 0;
+
+ index = strtok(buffer, ",");
+ ipaddress = strtok(NULL, ",");
+ macaddress = strtok(NULL, ",");
+ enabled = strtok(NULL, ",");
+
+ if (strncmp(enabled, "on", 2) != 0) {
+ /* both specified, added security */
+ if ((strlen(macaddress) == 17) && (VALID_IP_AND_MASK(ipaddress))) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j RETURN", macaddress, ipaddress, blue_dev);
+ safe_system(command);
+ } else {
+ /* correctly formed mac address is 17 chars */
+ if (strlen(macaddress) == 17) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j RETURN", macaddress, blue_dev);
+ safe_system(command);
 }
- /* with this rule you can disable the logging of the dropped wireless input packets*/
- if(!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off")){
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
- safe_system(command);
+ if (VALID_IP_AND_MASK(ipaddress)) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev);
+ safe_system(command);
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j RETURN", ipaddress, blue_dev);
+ safe_system(command);
 }
- /* with this rule you can disable the logging of the dropped wireless forward packets*/
- if(!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off")){
- snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
- safe_system(command);
- }
-
- return 0;
+ }
+ }
+ }
+
+ /* with this rule you can disable the logging of the dropped wireless input packets*/
+ if (!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off") == 0) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev);
+ safe_system(command);
+ }
+
+ /* with this rule you can disable the logging of the dropped wireless forward packets*/
+ if (!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off") == 0) {
+ snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev);
+ safe_system(command);
+ }
+
+ return 0;
 }
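Review bot: The per-client test in the rewritten `while (fgets(...))` loop of main() is inverted: `if (strncmp(enabled, "on", 2) != 0) {` now installs the ACCEPT/RETURN rules for entries whose fourth field is not `on` and gives enabled entries nothing, so once exithandler() appends the trailing DROP rules, enabled wireless clients are blocked and disabled ones are let through; the old `if (!strncmp(enabled, "on", 2)) {` should survive the re-indent as `if (strncmp(enabled, "on", 2) == 0) {`. The same inversion appears in `strcmp(buffer,"off") == 0` for DROPPROXY and for DROPWIRELESSINPUT/DROPWIRELESSFORWARD: the proxy-only restriction now applies when DROPPROXY is off (which the configroot hunk makes the default) and the LOG rules are added only when logging is switched off, while the DROPSAMBA check a few lines later still uses the original `strcmp(buffer,"off")`; all three should read `strcmp(buffer,"off") != 0`. The commit messages describe a re-indent and quieter error handling, so these look like unintended policy changes rather than deliberate ones. Separately, and pre-existing, `ipaddress`, `macaddress` and `enabled` come from strtok() and are NULL on a line with fewer than four fields, which strlen()/strncmp() then dereference; a `if (!ipaddress || !macaddress || !enabled) continue;` after the four strtok() calls would avoid that.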