1) I uploaded rpms for SuSEfirewall 3.2 to ftp.suse.com.
2) Following the recent discussion about hooks for custom rules, I have
sat down and implemented something. I disagree with Marc (sorry :-) )
and think having some hooks is better than having none. I have so far
only implemented hooks I use myself.
The method used is to set a variable in firewall.rc.config (empty by
default) naming a file to source. This file, when sourced, overrides the
(by default empty) function definitions in SuSEfirewall. These functions are
called at "strategic" locations.
It would be nice if this could make it into the official version as that
would save me a lot of time tracking changes...
Documentation could be better, but I am reluctant to provide more unless
I knew it was going to be incorporated (I don't want to waste my time...).
Following are the diffs.
Volker
------------------- firewall.rc.config -------------
--- /var/adm/fillup-templates/firewall.rc.config Fri Sep 8 11:11:15 2000
+++ firewall.rc.config Sun Sep 10 18:57:56 2000
@@ -517,3 +543,9 @@
# (omit the path or "ip_masq_" prefix as well as the ".o" suffix!)
#
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"
+
+#
+# 23.)
+# Load custom rules
+FW_CUSTOMRULES="" # no rules loaded by default
+#FW_CUSTOMRULES="/etc/rc.config.d/firewall-custom.rc.config"
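Review bot: The comment above the new FW_CUSTOMRULES setting does not say what kind of file is expected: according to the SuSEfirewall diff it is sourced as shell code (`. "$FW_CUSTOMRULES"`) while the rule set is being built, so it is not a list of rules, and whoever can write it can run arbitrary shell with the script's privileges. A fuller comment would be `# Path of a shell file that SuSEfirewall sources at start-up. It may redefine fw_custom_ipspoof_begin, fw_custom_tcp_high, fw_custom_input_end and fw_custom_output_end; keep it owned by root and not writable by anyone else.` The entry is numbered 23.) but the neighbouring entries' numbers are not visible here, so please check it does not collide with an existing section.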
----------------------------------------------------
-------------- SuSEfirewall -----------------
--- SuSEfirewall-3.2.orig Fri Sep 8 11:11:15 2000
+++ SuSEfirewall Sun Sep 10 19:00:30 2000
@@ -2,8 +2,9 @@
#
#####################################################
# Firewall Script v3.2 by Marc Heuse #
+# additions by Volker Kuhlmann #
#####################################################
-VER="v3.2"
+VER="v3.2-VK"
#
# For all those fellow experts out there: yes I know that this is NOT a
# firewall setup but a simple (no, not simple, it tries actually to be
@@ -51,6 +52,7 @@
FWCONFIG="/etc/rc.config.d/firewall.rc.config"
LOCKFILE="/var/lock/SuSEfirewall.pid"
+FW_CUSTOMRULES=""
test "$1" = -h -o "$1" = help && help
test -z "$2" -a "$1" = file && help
@@ -135,6 +137,22 @@
done
echo " done"
}
+# provide empty functions which can be redefined by custom rules - VK
+function fw_custom_ipspoof_begin() { true; }
+function fw_custom_tcp_high() { true; }
+function fw_custom_input_end() { true; }
+function fw_custom_output_end() { true; }
+#
+# While testing, unload rules quickly without screen output and without
+# lock testing. -VK
+test "$1" = emergencystop && {
+ reset_rules >/dev/null
+ echo "Firewall stopped in emergency."
+ # Log entry
+ test -x "$LOGGER" && \
+ $LOGGER -p kern.info -t SuSEfirewall "Firewall stopped in emergency."
+ exit 0
+}
#####################
# #
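Review bot: The new `emergencystop` argument is not documented anywhere this diff shows — the help text reached via `test "$1" = -h -o "$1" = help && help` is unchanged — so an operator who needs it in a hurry cannot discover it; please add a one-line entry there, e.g. `emergencystop   flush all rules at once, without lock check or screen output`. The four stubs use the bash-only `function name() { true; }` form while the template in this mail defines the same functions as plain `name() {`; `fw_custom_ipspoof_begin() { true; }` keeps both sides consistent. Because the lock is deliberately skipped, another SuSEfirewall instance that is still running may add rules right after the flush; a comment saying that the operator should check for a running instance afterwards would make that trade-off explicit.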
@@ -345,10 +363,8 @@
test "$FW_ALLOW_INCOMING_HIGHPORTS_UDP" = yes && UDP_SOURCE=""
test "$FW_LOG_DENY_CRIT" = no || LDC="-l"
test "$FW_LOG_ACCEPT_CRIT" = no || LAC="-l"
-test "$FW_LOG_DENY_ALL" = yes && LDA="-l"
-test "$FW_LOG_ACCEPT_ALL" = yes && LAA="-l"
-test "$FW_LOG_DENY_ALL" = yes && LDC="-l"
-test "$FW_LOG_ACCEPT_ALL" = yes && LAC="-l"
+test "$FW_LOG_DENY_ALL" = yes && LDA="-l" LDC="-l"
+test "$FW_LOG_ACCEPT_ALL" = yes && LAA="-l" LAC="-l"
test "$DENY" = ACCEPT && {
LDA="-l"
LDC="-l"
@@ -356,6 +372,18 @@
LAC=""
}
+#########################
+# Load custom functions #
+#########################
+test -n "$FW_CUSTOMRULES" && {
+ if [ -r "$FW_CUSTOMRULES" ]; then
+ echo "Loading custom rules from '$FW_CUSTOMRULES'"
+ . "$FW_CUSTOMRULES"
+ else
+ echo "Can't read custom rules from '$FW_CUSTOMRULES'"
+ fi
+}
+
#########
# DEBUG #
#########
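Review bot: When the configured file is not readable, the `else` branch only prints a message and the script carries on building the rule set without the custom functions, so the firewall comes up with fewer rules than configured (in the template in this mail those are DENY rules), and the message goes to stdout rather than stderr. The file already aborts in the comparable 'No interfaces active' case with `reset_rules ; exit 1`; the same here would be `echo "Can't read custom rules from '$FW_CUSTOMRULES'" >&2`, `reset_rules`, `exit 1`. Since the file is executed with the script's privileges, the check could also require that it belongs to the user running the script, e.g. `if [ -r "$FW_CUSTOMRULES" ] && [ -O "$FW_CUSTOMRULES" ]; then` (bash's `test -O`), so that a file someone else managed to place at that path is refused rather than sourced.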
@@ -380,7 +408,7 @@
INTERFACE_OK=`echo "$DEV_WORLD $DEV_INT $DEV_DMZ" | $SED 's/ //g'`
test -z "$INTERFACE_OK" && { echo 'No interfaces active! exiting ...'
reset_rules ; exit 1 ; }
-# prevent errors due missing interfaces
+# prevent errors due to missing interfaces
INTERFACE_OK=`echo "$DEV_WORLD" | $SED 's/ //g'`
test -z "$INTERFACE_OK" && { DEV_WORLD=""; DEV_WORLD_NET=""; }
INTERFACE_OK=`echo "$DEV_DMZ" | $SED 's/ //g'`
@@ -475,9 +503,10 @@
$IPCHAINS -A input -j "$ACCEPT" -p udp -d 0/0 137:138 $LAA
}
-###########################################
-# IP Spoofing & Circumventrion protection #
-###########################################
+##########################################
+# IP Spoofing & Circumvention protection #
+##########################################
+fw_custom_ipspoof_begin
for i in $FW_DEV_INT; do
for j in $DEV_WORLD_NET $DEV_DMZ_NET; do
$IPCHAINS -A input -j "$DENY" -i $i -s $j $LDC
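Review bot: The `fw_custom_ipspoof_begin` call is the only hook call in this diff without a comment at the call site, and it is the one where placement matters most: whatever it appends with `-A input` is evaluated before the anti-spoofing denies that follow, so an ACCEPT placed in it lets matching packets past the spoofing check. Mark it like the other hooks, e.g. `fw_custom_ipspoof_begin # custom rules, input chain, evaluated BEFORE the anti-spoofing denies below`, and say the same in the template's stub comment so that users of the hook know which rules they are preceding.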
@@ -640,6 +669,7 @@
$IPCHAINS -A input -j "$DENY" -p tcp -d $j $i $LDA
done
done
+fw_custom_tcp_high # custom rules, tcp, input chain, before blanket accept
for i in $DEV_WORLD; do
test -z "$TCP_SOURCE" && {
test -z "$LAC" || \
@@ -652,8 +682,8 @@
test -z "$SOURCE" && echo 'Warning: No nameservers in /etc/resolv.conf!'
for k in $SOURCE; do
test -z "$LAC" || \
- $IPCHAINS -A input -j "$ACCEPT" -p tcp -s $k $j -d $i 1024:65535 -y $LAC
-$IPCHAINS -A input -j "$ACCEPT" -p tcp -s $k $j -d $i 1024:65535 $LAA
+ $IPCHAINS -A input -j "$ACCEPT" -p tcp -s $k $j -d $i 1024:65535 -y $LAC
+ $IPCHAINS -A input -j "$ACCEPT" -p tcp -s $k $j -d $i 1024:65535 $LAA
done
done
done
@@ -930,6 +960,11 @@
$IPCHAINS -A input -j "$DENY" -p udp -l
( $IPCHAINS -A forward -j "$DENY" -p tcp -y -l ) > /dev/null 2>&1
}
+
+# custom rules, end of input chain
+fw_custom_input_end
+
+# Default: deny
$IPCHAINS -A input -j "$DENY" $LDA
( $IPCHAINS -A forward -j "$DENY" $LDA ) > /dev/null 2>&1
@@ -942,6 +977,9 @@
$IPCHAINS -A output -j "$ACCEPT" -p udp --dport 162 -t 0x01 0x14 # SNMP Trap
$IPCHAINS -A output -j "$ACCEPT" -p tcp --sport 20 -t 0x01 0x08 # FTP Data
$IPCHAINS -A output -j "$ACCEPT" -p tcp --sport 80 -t 0x01 0x08 # HTTP
+
+# custom rules, end of output chain
+fw_custom_output_end
# Log entry
test -x "$LOGGER" && \
---------------------------------------------
---------- suggestion for a template ------------
#
# /etc/rc.config.d/firewall-custom.rc.config
#
# Deal with some rules we need to enter manually.
# (This requires changes to SuSEfirewall.)
# VK 10 Sep 00
#
isifup() {
  # True when interface $1 shows an "UP ..." flags line in ifconfig output.
  local ifc_report
  ifc_report=$($IFCONFIG "$1" 2>/dev/null)
  printf '%s\n' "$ifc_report" | $GREP '^ *UP ' >/dev/null
}
# Fully qualified host name; keep any value SuSEfirewall already provided.
: "${FQHOSTNAME:=$(hostname -f)}"
# My IP on the internal net (a host name here could cause lockups).
MYIP_INT="$IPADDR_0"
fw_custom_ipspoof_begin() {
  # Called by SuSEfirewall before its anti-spoofing rules;
  # e.g. keep certain broadcasts out of the log.
  return 0
}
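fw_custom_tcp_high() {
  # Called by SuSEfirewall on the input chain before its blanket accept for
  # high ports: deny a few specific high ports on the internal address that
  # would otherwise be open.
  #   12345:12346  netbus, (script kiddie) trojan
  #   31337        back orifice
  # Loop variables are local so sourcing this file leaves no stray globals.
  local ports proto
  for ports in 12345:12346 31337; do
    for proto in udp tcp; do
      # $LDC is "-l" or empty; it stays unquoted so an empty value adds no argument.
      $IPCHAINS -A input -j "$DENY" -p $proto -d "$MYIP_INT" "$ports" $LDC
    done
  done
}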
fw_custom_input_end() {
  # Any further input-chain rules go here; SuSEfirewall calls this
  # right before its final "deny + log all" rule.
  return 0
}
fw_custom_output_end() {
  # Any further output-chain rules go here; SuSEfirewall calls this
  # after its own output rules.
  return 0
}
-------------------------------------------------