author | David Sommerseth <dazo@users.sourceforge.net> | 2008-10-21 17:03:09 +0200 |
---|---|---|
committer | David Sommerseth <dazo@users.sourceforge.net> | 2008-10-21 17:03:09 +0200 |
commit | 1a9355f84232b835654de0a1088ea88de027d0a9 (patch) | |
tree | f8755083983da5651f68e6e345fc9cd39c2ffa5e | |
parent | 0ea1a3e2e6a10300388e01ac89504abe3624ae56 (diff) | |
Added (untested) firewall block when IP addresses are blacklisted
If the configuration variable 'firewall_blacklist_destination' is
set, a DROP rule for the source address is appended to that iptables
chain whenever a connection attempt from a blacklisted IP address is seen.
Feature not tested yet.
-rw-r--r-- | plugin/eurephia.c | 10 | ||||
-rw-r--r-- | plugin/eurephia_struct.h | 4 | ||||
-rw-r--r-- | plugin/firewall/eurephiafw.c | 25 | ||||
-rw-r--r-- | plugin/firewall/eurephiafw.h | 1 | ||||
-rw-r--r-- | plugin/firewall/iptables/efw_iptables.c | 37 |
5 files changed, 66 insertions, 11 deletions
diff --git a/plugin/eurephia.c b/plugin/eurephia.c
index 7454b1f..0e8e39c 100644
--- a/plugin/eurephia.c
+++ b/plugin/eurephia.c
@@ -257,6 +257,11 @@ int eurephia_tlsverify(eurephiaCTX *ctx, const char **env, const char *depth) ipaddr = (char *) get_env(ctx, 0, env, "untrusted_ip"); if( eDBblacklist_check(ctx, attempt_IPADDR, ipaddr) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); + + // If fw blacklisting is configured, also blacklist there too + if( (ctx->fwcfg != NULL) && (ctx->fwcfg->fwblacklist != NULL ) ) { + eFW_UpdateFirewall(ctx, FWRULE_BLACKLIST, ipaddr, ctx->fwcfg->fwblacklist, NULL); + } return 0; }
@@ -311,6 +316,11 @@ int eurephia_userauth(eurephiaCTX *ctx, const char **env) ipaddr = (char *) get_env(ctx, 0, env, "untrusted_ip"); if( eDBblacklist_check(ctx, attempt_IPADDR, ipaddr) == 1 ) { eDBregister_attempt(ctx, attempt_IPADDR, ATTEMPT_REGISTER, ipaddr); + + // If fw blacklisting is configured, also blacklist there too + if( (ctx->fwcfg != NULL) && (ctx->fwcfg->fwblacklist != NULL ) ) { + eFW_UpdateFirewall(ctx, FWRULE_BLACKLIST, ipaddr, ctx->fwcfg->fwblacklist, NULL); + } return 0; }
diff --git a/plugin/eurephia_struct.h b/plugin/eurephia_struct.h
index cdb8403..7211e96 100644
--- a/plugin/eurephia_struct.h
+++ b/plugin/eurephia_struct.h
@@ -76,6 +76,10 @@ typedef struct { typedef struct { efw_threaddata thrdata; pid_t fwproc_pid; + + // Where to update firewall if we block blackisted + // IP addr in firewall too + char *fwblacklist; } eurephiaFWINTF;
diff --git a/plugin/firewall/eurephiafw.c b/plugin/firewall/eurephiafw.c
index 9fed02e..4df4459 100644
--- a/plugin/firewall/eurephiafw.c
+++ b/plugin/firewall/eurephiafw.c
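Review bot: Both new blocks (this one and the identical one added to `eurephia_userauth()`) discard the return value of `eFW_UpdateFirewall()`, so a block request that could not be queued leaves the address blacklisted only in the database and nothing is logged. Check it, for example `if( eFW_UpdateFirewall(ctx, FWRULE_BLACKLIST, ipaddr, ctx->fwcfg->fwblacklist, NULL) != 1 ) { eurephia_log(ctx, LOG_INFO, 1, "Could not queue firewall block for blacklisted IP %s", ipaddr); }`, and move the five duplicated lines into one static helper so the fwcfg checks live in a single place. The `ctx->fwcfg != NULL` test only protects this code if `fwblacklist` is zero-initialised wherever `fwcfg` is allocated (not visible here); otherwise it reads an indeterminate pointer until eFW_StartFirewall() assigns it. Note too that this runs on every attempt from an already blacklisted address, so one DROP request is queued per attempt. eurephia_tlsverify and eurephia_userauth both start before and continue after their hunks.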
@@ -132,6 +132,12 @@ void eFW_StartFirewall(eurephiaCTX *ctx) { eurephia_log(ctx, LOG_INFO, 1, "Using '%s' as firewall rule for VPN accesses", fwdest); } + ctx->fwcfg->fwblacklist = eGet_value(ctx->dbc->config, "firewall_blacklist_destination"); + if( ctx->fwcfg->fwblacklist != NULL ) { + eurephia_log(ctx, LOG_INFO, 1, + "Blacklisted IP addresses will also be blocked in '%s'", + ctx->fwcfg->fwblacklist); + } eurephia_log(ctx, LOG_INFO, 3, "Starting eurephia firewall interface"); // Setup semaphores we need
@@ -254,7 +260,7 @@ void eFW_StopFirewall(eurephiaCTX *ctx) { int eFW_UpdateFirewall(eurephiaCTX *ctx, int mode, - const char *macaddr, const char *fwdest, const char *fwprofile) { + const char *addr, const char *fwdest, const char *fwprofile) { char buf[1026]; if( (*ctx->fwcfg).thrdata.fw_command == NULL ) {
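Review bot: `firewall_blacklist_destination` is stored as an iptables chain name without any validation, yet it is later embedded in a space-delimited queue message (`"B %s %s"`) that efw_iptables.c splits on the first space, so a value containing whitespace shifts the chain argument and `iptables -A` is run against the wrong chain. Reject such values where the option is read: `if( (ctx->fwcfg->fwblacklist != NULL) && (strchr(ctx->fwcfg->fwblacklist, ' ') != NULL) ) { eurephia_log(ctx, LOG_CRITICAL, 0, "firewall_blacklist_destination may not contain spaces"); ctx->fwcfg->fwblacklist = NULL; }`. The pointer returned by `eGet_value()` is also kept for the lifetime of the firewall interface; if the config store can be freed or reloaded while the plugin runs (not visible here) this needs to be a copy, and whether the `fwdest` handling just above does so is outside this hunk. eFW_StartFirewall starts and ends outside the hunk.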
@@ -267,22 +273,29 @@ int eFW_UpdateFirewall(eurephiaCTX *ctx, int mode, switch( mode ) { case FWRULE_ADD: eurephia_log(ctx, LOG_INFO, 3, "Function call: eFW_UpdateFirewall(ctx, %s, '%s', '%s', '%s')", - "ADD", macaddr, fwdest, fwprofile); - snprintf(buf, 1024, "A %s %s %s", macaddr, fwdest, fwprofile); + "ADD", addr, fwdest, fwprofile); + snprintf(buf, 1024, "A %s %s %s", addr, fwdest, fwprofile); mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1); return 1; case FWRULE_DELETE: eurephia_log(ctx, LOG_INFO, 3, "Function call: eFW_UpdateFirewall(ctx, %s, '%s', '%s', '%s')", - "DELETE", macaddr, fwdest, fwprofile); - snprintf(buf, 1024, "D %s %s %s", macaddr, fwdest, fwprofile); + "DELETE", addr, fwdest, fwprofile); + snprintf(buf, 1024, "D %s %s %s", addr, fwdest, fwprofile); + mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1); + return 1; + + case FWRULE_BLACKLIST: + eurephia_log(ctx, LOG_INFO, 3, "Function call: eFW_UpdateFirewall(ctx, %s, '%s','%s', NULL)", + "BLACKLIST", addr, fwdest); + snprintf(buf, 1024, "B %s %s", addr, fwdest); mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1); return 1; default: eurephia_log(ctx, LOG_CRITICAL, 0, "Function call: eFW_UpdateFirewall(ctx, %s, '%s') - UNKNOWN MODE", "(unknown)", - macaddr); + addr); return 0; } }
diff --git a/plugin/firewall/eurephiafw.h b/plugin/firewall/eurephiafw.h
index 0c82b30..9beee4d 100644
--- a/plugin/firewall/eurephiafw.h
+++ b/plugin/firewall/eurephiafw.h
@@ -23,6 +23,7 @@ #define FWRULE_ADD 0x101 #define FWRULE_DELETE 0x102 +#define FWRULE_BLACKLIST 0x103 int eFW_load(eurephiaCTX *ctx, const char *intf); int eFW_unload(eurephiaCTX *ctx);
diff --git a/plugin/firewall/iptables/efw_iptables.c b/plugin/firewall/iptables/efw_iptables.c
index 9e0aaa4..f62f059 100644
--- a/plugin/firewall/iptables/efw_iptables.c
+++ b/plugin/firewall/iptables/efw_iptables.c
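Review bot: The new `FWRULE_BLACKLIST` case returns 1 whatever `mq_send()` returned, and it also ignores truncation by `snprintf()`, so a full queue or an over-long `fwdest` silently drops or mangles the block request while the caller is told it succeeded. The ADD and DELETE cases have the same gap, but a lost DROP request has a direct security effect, so at least this case should check both results and return 0 on failure, as below. The function's opening, including the `buf[1026]` declaration that the 1024 cap refers to, is in the previous hunk.
```c
        case FWRULE_BLACKLIST:
                eurephia_log(ctx, LOG_INFO, 3, "Function call: eFW_UpdateFirewall(ctx, %s, '%s','%s', NULL)",
                             "BLACKLIST", addr, fwdest);
                int len = snprintf(buf, 1024, "B %s %s", addr, fwdest);
                if( (len < 0) || (len >= 1024) ) {
                        eurephia_log(ctx, LOG_CRITICAL, 0, "BLACKLIST request for '%s' does not fit in the queue message", addr);
                        return 0;
                }
                if( mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1) < 0 ) {
                        eurephia_log(ctx, LOG_CRITICAL, 0, "Could not queue BLACKLIST request for '%s'", addr);
                        return 0;
                }
                return 1;
        /* … unchanged: FWRULE_ADD, FWRULE_DELETE and default cases … */
```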
@@ -98,7 +98,7 @@ void eFW_RunFirewall(void *fwargs) { int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) { - char mode[3], *macaddr = NULL, *destchain = NULL, *jump = NULL; + char mode[3], *addr = NULL, *destchain = NULL, *jump = NULL; char *msg = NULL, *orig_msg = NULL; char *iptables_args[] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL}; int ret = 0;
@@ -121,10 +121,10 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) { case 'A': case 'D': iptables_args[1] = mode; - macaddr = msg; // start of string for macaddr + addr = msg; // start of string for macaddr // Search for end of macaddr and NULL terminate it - destchain = macaddr+1; + destchain = addr+1; while( (*destchain != 0x20) || (*destchain == 0) ) { destchain++; }
@@ -146,7 +146,7 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) { iptables_args[3] = "-m\0"; iptables_args[4] = "mac\0"; iptables_args[5] = "--mac-source\0"; - iptables_args[6] = macaddr; + iptables_args[6] = addr; iptables_args[7] = "-m\0"; iptables_args[8] = "state\0"; iptables_args[9] = "--state\0";
@@ -157,7 +157,34 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) { eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules " "==> mode: %s macaddr: '%s' destchain: '%s' jump: '%s'", - (mode[1] == 'A' ? "ADD":"DELETE"), macaddr, destchain, jump); + (mode[1] == 'A' ? "ADD":"DELETE"), addr, destchain, jump); + ret = call_iptables(ctx, fwcmd, iptables_args); + break; + + case 'B': + addr = msg; // start of string for IP address to block + + // Search for end of IP address and NULL terminate it + destchain = addr+1; + while( (*destchain != 0x20) || (*destchain == 0) ) { + destchain++; + } + if( *destchain == 0 ) { + return 0; + } + *destchain = 0; // end of string for IP address + destchain++; // start of string for destchain + + iptables_args[1] = "-A\0"; + iptables_args[2] = destchain; + iptables_args[3] = "-s\0"; + iptables_args[4] = addr; + iptables_args[5] = "-j\0"; + iptables_args[6] = "DROP\0"; + iptables_args[7] = NULL; + + eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules " + "==> mode: BLACKLIST destchain: '%s' IP address: %s", destchain, addr); ret = call_iptables(ctx, fwcmd, iptables_args); break; |
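Review bot: The scanner copied into the new `'B'` case, `while( (*destchain != 0x20) || (*destchain == 0) )`, never stops at the terminating NUL: when `*destchain` is 0 the first operand is already true, so the loop only exits on a space, the `if( *destchain == 0 ) return 0;` guard after it is unreachable, and a queue message without a second space (a truncated one, for instance, since the sender formats it with `snprintf`) is walked past its terminating NUL. The condition should be `while( (*destchain != 0x20) && (*destchain != 0) )`, and the same loop in the A/D case above has the identical flaw. Separately, `-A` appends a fresh DROP rule on every request and nothing in this commit ever removes one, so a blacklisted address that keeps retrying accumulates duplicate rules and the firewall block outlives whatever lifetime the database blacklist has; consider refusing to append when an equivalent rule already exists and adding a matching removal command. process_input starts and ends outside this hunk.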