├── cfg-version └── firewall@6 ├── debian ├── compat ├── docs ├── vyatta-cfg-firewall.lintian-overrides ├── vyatta-cfg-firewall-serial.lintian-overrides ├── vyatta-cfg-firewall-serial.install ├── README ├── autogen.sh ├── vyatta-cfg-firewall.postinst.in ├── control ├── vyatta-cfg-firewall.install ├── copyright └── rules ├── AUTHORS ├── ChangeLog ├── NEWS ├── templates ├── firewall │ ├── group │ │ ├── node.def │ │ ├── port-group │ │ │ ├── node.tag │ │ │ │ ├── description │ │ │ │ │ └── node.def │ │ │ │ └── port │ │ │ │ │ └── node.def │ │ │ └── node.def │ │ ├── address-group │ │ │ ├── node.tag │ │ │ │ ├── description │ │ │ │ │ └── node.def │ │ │ │ └── address │ │ │ │ │ └── node.def │ │ │ └── node.def │ │ ├── network-group │ │ │ ├── node.tag │ │ │ │ ├── description │ │ │ │ │ └── node.def │ │ │ │ └── network │ │ │ │ │ └── node.def │ │ │ └── node.def │ │ ├── ipv6-address-group │ │ │ ├── node.tag │ │ │ │ ├── description │ │ │ │ │ └── node.def │ │ │ │ └── address │ │ │ │ │ └── node.def │ │ │ └── node.def │ │ └── ipv6-network-group │ │ │ ├── node.tag │ │ │ ├── description │ │ │ │ └── node.def │ │ │ └── network │ │ │ │ └── node.def │ │ │ └── node.def │ ├── name │ │ ├── node.tag │ │ │ ├── rule │ │ │ │ ├── node.tag │ │ │ │ │ ├── state │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── new │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── invalid │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── related │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── established │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── tcp │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ └── flags │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── fragment │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── match-non-frag │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── match-frag │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── ipsec │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── match-ipsec │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── match-none │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── source │ │ │ │ │ │ ├── group │ │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ │ ├── port-group │ │ │ │ │ │ │ │ └── 
node.def │ │ │ │ │ │ │ ├── address-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ │ └── network-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── mac-address │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── address │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── port │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── time │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── utc │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── starttime │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── stoptime │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── monthdays │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── weekdays │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── stopdate │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── startdate │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── .p2p │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── kazaa │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── gnutella │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── applejuice │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── bittorrent │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── edonkey │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── directconnect │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── all │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── destination │ │ │ │ │ │ ├── group │ │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ │ ├── port-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ │ ├── network-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ │ └── address-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── address │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── port │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── icmp │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── code │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── type │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── type-name │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── disable │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── description │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── limit │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── burst │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── rate │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── recent │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── 
time │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── count │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── log │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── action │ │ │ │ │ │ └── node.def │ │ │ │ │ └── protocol │ │ │ │ │ │ └── node.def │ │ │ │ └── node.def │ │ │ ├── description │ │ │ │ └── node.def │ │ │ ├── enable-default-log │ │ │ │ └── node.def │ │ │ └── default-action │ │ │ │ └── node.def │ │ └── node.def │ ├── ipv6-name │ │ ├── node.tag │ │ │ ├── rule │ │ │ │ ├── node.tag │ │ │ │ │ ├── hop-limit │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── eq │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── lt │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── gt │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── state │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── new │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── invalid │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── related │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── established │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── tcp │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ └── flags │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── ipsec │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── match-ipsec │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── match-none │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── p2p │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── kazaa │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── gnutella │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── applejuice │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── bittorrent │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── edonkey │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── directconnect │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── all │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── source │ │ │ │ │ │ ├── group │ │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ │ ├── port-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ │ ├── address-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ │ └── network-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── mac-address │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── port │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── address │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── 
time │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── utc │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── starttime │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── stoptime │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── monthdays │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── weekdays │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── stopdate │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── startdate │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── disable │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── destination │ │ │ │ │ │ ├── group │ │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ │ ├── port-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ │ ├── network-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ │ └── address-group │ │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── port │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── address │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── icmpv6 │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ └── type │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── description │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── limit │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── burst │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── rate │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── recent │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── time │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── count │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── log │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── action │ │ │ │ │ │ └── node.def │ │ │ │ │ └── protocol │ │ │ │ │ │ └── node.def │ │ │ │ └── node.def │ │ │ ├── description │ │ │ │ └── node.def │ │ │ ├── enable-default-log │ │ │ │ └── node.def │ │ │ └── default-action │ │ │ │ └── node.def │ │ └── node.def │ ├── node.def │ ├── state-policy │ │ ├── invalid │ │ │ ├── log │ │ │ │ ├── enable │ │ │ │ │ └── node.def │ │ │ │ └── node.def │ │ │ ├── node.def │ │ │ └── action │ │ │ │ └── node.def │ │ ├── related │ │ │ ├── log │ │ │ │ ├── enable │ │ │ │ │ └── node.def │ │ │ │ └── node.def │ │ │ ├── node.def │ │ │ └── action │ │ │ │ └── node.def │ │ ├── established │ │ │ ├── log │ │ │ │ ├── enable │ │ │ │ │ └── node.def │ │ │ │ └── node.def │ │ │ 
├── node.def │ │ │ └── action │ │ │ │ └── node.def │ │ └── node.def │ ├── config-trap │ │ └── node.def │ ├── twa-hazards-protection │ │ └── node.def │ ├── syn-cookies │ │ └── node.def │ ├── all-ping │ │ └── node.def │ ├── broadcast-ping │ │ └── node.def │ ├── ip-src-route │ │ └── node.def │ ├── send-redirects │ │ └── node.def │ ├── log-martians │ │ └── node.def │ ├── ipv6-receive-redirects │ │ └── node.def │ ├── source-validation │ │ └── node.def │ ├── ipv6-src-route │ │ └── node.def │ └── receive-redirects │ │ └── node.def └── policy │ ├── route │ ├── node.tag │ │ ├── rule │ │ │ ├── node.tag │ │ │ │ ├── state │ │ │ │ │ ├── node.def │ │ │ │ │ ├── new │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── invalid │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── related │ │ │ │ │ │ └── node.def │ │ │ │ │ └── established │ │ │ │ │ │ └── node.def │ │ │ │ ├── tcp │ │ │ │ │ ├── node.def │ │ │ │ │ └── flags │ │ │ │ │ │ └── node.def │ │ │ │ ├── time │ │ │ │ │ ├── node.def │ │ │ │ │ ├── utc │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── starttime │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── stoptime │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── monthdays │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── weekdays │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── stopdate │ │ │ │ │ │ └── node.def │ │ │ │ │ └── startdate │ │ │ │ │ │ └── node.def │ │ │ │ ├── fragment │ │ │ │ │ ├── node.def │ │ │ │ │ ├── match-non-frag │ │ │ │ │ │ └── node.def │ │ │ │ │ └── match-frag │ │ │ │ │ │ └── node.def │ │ │ │ ├── ipsec │ │ │ │ │ ├── node.def │ │ │ │ │ ├── match-ipsec │ │ │ │ │ │ └── node.def │ │ │ │ │ └── match-none │ │ │ │ │ │ └── node.def │ │ │ │ ├── set │ │ │ │ │ ├── node.def │ │ │ │ │ ├── mark │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── dscp │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── tcp-mss │ │ │ │ │ │ └── node.def │ │ │ │ │ └── table │ │ │ │ │ │ └── node.def │ │ │ │ ├── source │ │ │ │ │ ├── group │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── port-group │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── network-group │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── 
address-group │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── node.def │ │ │ │ │ ├── mac-address │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── address │ │ │ │ │ │ └── node.def │ │ │ │ │ └── port │ │ │ │ │ │ └── node.def │ │ │ │ ├── disable │ │ │ │ │ └── node.def │ │ │ │ ├── destination │ │ │ │ │ ├── group │ │ │ │ │ │ ├── node.def │ │ │ │ │ │ ├── port-group │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ ├── network-group │ │ │ │ │ │ │ └── node.def │ │ │ │ │ │ └── address-group │ │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── node.def │ │ │ │ │ ├── address │ │ │ │ │ │ └── node.def │ │ │ │ │ └── port │ │ │ │ │ │ └── node.def │ │ │ │ ├── icmp │ │ │ │ │ ├── node.def │ │ │ │ │ ├── code │ │ │ │ │ │ └── node.def │ │ │ │ │ ├── type │ │ │ │ │ │ └── node.def │ │ │ │ │ └── type-name │ │ │ │ │ │ └── node.def │ │ │ │ ├── description │ │ │ │ │ └── node.def │ │ │ │ ├── limit │ │ │ │ │ ├── node.def │ │ │ │ │ ├── burst │ │ │ │ │ │ └── node.def │ │ │ │ │ └── rate │ │ │ │ │ │ └── node.def │ │ │ │ ├── recent │ │ │ │ │ ├── node.def │ │ │ │ │ ├── time │ │ │ │ │ │ └── node.def │ │ │ │ │ └── count │ │ │ │ │ │ └── node.def │ │ │ │ ├── log │ │ │ │ │ └── node.def │ │ │ │ ├── action │ │ │ │ │ └── node.def │ │ │ │ └── protocol │ │ │ │ │ └── node.def │ │ │ └── node.def │ │ ├── description │ │ │ └── node.def │ │ └── enable-default-log │ │ │ └── node.def │ └── node.def │ └── ipv6-route │ ├── node.tag │ ├── rule │ │ ├── node.tag │ │ │ ├── state │ │ │ │ ├── node.def │ │ │ │ ├── new │ │ │ │ │ └── node.def │ │ │ │ ├── invalid │ │ │ │ │ └── node.def │ │ │ │ ├── related │ │ │ │ │ └── node.def │ │ │ │ └── established │ │ │ │ │ └── node.def │ │ │ ├── tcp │ │ │ │ ├── node.def │ │ │ │ └── flags │ │ │ │ │ └── node.def │ │ │ ├── time │ │ │ │ ├── node.def │ │ │ │ ├── utc │ │ │ │ │ └── node.def │ │ │ │ ├── starttime │ │ │ │ │ └── node.def │ │ │ │ ├── stoptime │ │ │ │ │ └── node.def │ │ │ │ ├── monthdays │ │ │ │ │ └── node.def │ │ │ │ ├── weekdays │ │ │ │ │ └── node.def │ │ │ │ ├── stopdate │ │ │ │ │ └── node.def │ │ │ │ └── startdate │ │ │ 
│ │ └── node.def │ │ │ ├── ipsec │ │ │ │ ├── node.def │ │ │ │ ├── match-ipsec │ │ │ │ │ └── node.def │ │ │ │ └── match-none │ │ │ │ │ └── node.def │ │ │ ├── set │ │ │ │ ├── node.def │ │ │ │ ├── mark │ │ │ │ │ └── node.def │ │ │ │ ├── dscp │ │ │ │ │ └── node.def │ │ │ │ ├── table │ │ │ │ │ └── node.def │ │ │ │ └── tcp-mss │ │ │ │ │ └── node.def │ │ │ ├── source │ │ │ │ ├── node.def │ │ │ │ ├── mac-address │ │ │ │ │ └── node.def │ │ │ │ ├── port │ │ │ │ │ └── node.def │ │ │ │ └── address │ │ │ │ │ └── node.def │ │ │ ├── disable │ │ │ │ └── node.def │ │ │ ├── destination │ │ │ │ ├── node.def │ │ │ │ ├── port │ │ │ │ │ └── node.def │ │ │ │ └── address │ │ │ │ │ └── node.def │ │ │ ├── icmpv6 │ │ │ │ ├── node.def │ │ │ │ └── type │ │ │ │ │ └── node.def │ │ │ ├── description │ │ │ │ └── node.def │ │ │ ├── limit │ │ │ │ ├── node.def │ │ │ │ ├── burst │ │ │ │ │ └── node.def │ │ │ │ └── rate │ │ │ │ │ └── node.def │ │ │ ├── recent │ │ │ │ ├── node.def │ │ │ │ ├── time │ │ │ │ │ └── node.def │ │ │ │ └── count │ │ │ │ │ └── node.def │ │ │ ├── log │ │ │ │ └── node.def │ │ │ ├── action │ │ │ │ └── node.def │ │ │ └── protocol │ │ │ │ └── node.def │ │ └── node.def │ ├── enable-default-log │ │ └── node.def │ └── description │ │ └── node.def │ └── node.def ├── README ├── scripts └── firewall │ ├── valid_port_range.pl │ ├── firewall.init.in │ ├── vyatta-firewall-trap.pl │ └── vyatta-fw-global-state-policy.pl ├── .gitignore ├── .frlog ├── etc └── modprobe.d │ ├── vyatta_ipset.conf │ └── vyatta_xt_recent.conf ├── configure.ac ├── Makefile.am ├── gen-interface-policy-templates.pl └── lib └── Vyatta └── IpTables └── AddressFilter.pm /cfg-version/firewall@6: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 9 2 | 
-------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | eng@vyatta.com 2 | -------------------------------------------------------------------------------- /ChangeLog: -------------------------------------------------------------------------------- 1 | debian/changelog -------------------------------------------------------------------------------- /debian/docs: -------------------------------------------------------------------------------- 1 | NEWS 2 | README 3 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- 1 | see http://www.vyatta.com/news/ 2 | -------------------------------------------------------------------------------- /templates/firewall/group/node.def: -------------------------------------------------------------------------------- 1 | help: Firewall group 2 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | This package has Vyatta Firewall configuration templates and scripts. 
2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/state/node.def: -------------------------------------------------------------------------------- 1 | help: Session state 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/tcp/node.def: -------------------------------------------------------------------------------- 1 | help: TCP flags to match 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/state/node.def: -------------------------------------------------------------------------------- 1 | help: Session state 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/tcp/node.def: -------------------------------------------------------------------------------- 1 | help: TCP flags to match 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/time/node.def: -------------------------------------------------------------------------------- 1 | help: Time to match rule 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/node.def: -------------------------------------------------------------------------------- 1 | help: Hop Limit 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/state/node.def: -------------------------------------------------------------------------------- 1 | help: Session state 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/tcp/node.def: 
-------------------------------------------------------------------------------- 1 | help: TCP flags to match 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/fragment/node.def: -------------------------------------------------------------------------------- 1 | help: IP fragment match 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/ipsec/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound IPsec packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/source/group/node.def: -------------------------------------------------------------------------------- 1 | help: Source group 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/source/node.def: -------------------------------------------------------------------------------- 1 | help: Source parameters 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/time/node.def: -------------------------------------------------------------------------------- 1 | help: Time to match rule 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/state/node.def: -------------------------------------------------------------------------------- 1 | help: Session state 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/node.def: -------------------------------------------------------------------------------- 1 | help: TCP flags to match 2 | 
-------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/time/node.def: -------------------------------------------------------------------------------- 1 | help: Time to match rule 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/fragment/node.def: -------------------------------------------------------------------------------- 1 | help: IP fragment match 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/ipsec/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound IPsec packets 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/set/node.def: -------------------------------------------------------------------------------- 1 | help: Packet modifications 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/source/group/node.def: -------------------------------------------------------------------------------- 1 | help: Source group 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/source/node.def: -------------------------------------------------------------------------------- 1 | help: Source parameters 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound IPsec packets 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/node.def: 
-------------------------------------------------------------------------------- 1 | help: P2P application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/node.def: -------------------------------------------------------------------------------- 1 | help: Source group 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/source/node.def: -------------------------------------------------------------------------------- 1 | help: Source parameters 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/time/node.def: -------------------------------------------------------------------------------- 1 | help: Time to match rule 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/.p2p/node.def: -------------------------------------------------------------------------------- 1 | help: P2P application packets 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound IPsec packets 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/set/node.def: -------------------------------------------------------------------------------- 1 | help: Packet modifications 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/source/node.def: -------------------------------------------------------------------------------- 1 | help: Source parameters 2 | 
-------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/disable/node.def: -------------------------------------------------------------------------------- 1 | help: Option to disable rule 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/disable/node.def: -------------------------------------------------------------------------------- 1 | help: Option to disable rule 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Rule-set description 4 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/.p2p/kazaa/node.def: -------------------------------------------------------------------------------- 1 | help: KaZaA application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/destination/group/node.def: -------------------------------------------------------------------------------- 1 | help: Destination group 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/destination/node.def: -------------------------------------------------------------------------------- 1 | help: Destination parameters 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/icmp/node.def: -------------------------------------------------------------------------------- 1 | help: ICMP type and code information 2 | -------------------------------------------------------------------------------- 
/templates/policy/ipv6-route/node.tag/rule/node.tag/disable/node.def: -------------------------------------------------------------------------------- 1 | help: Option to disable rule 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/destination/group/node.def: -------------------------------------------------------------------------------- 1 | help: Destination group 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/destination/node.def: -------------------------------------------------------------------------------- 1 | help: Destination parameters 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/icmp/node.def: -------------------------------------------------------------------------------- 1 | help: ICMP type and code information 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Rule-set description 4 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/node.def: -------------------------------------------------------------------------------- 1 | help: Destination group 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/node.def: -------------------------------------------------------------------------------- 1 | help: Destination parameters 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/kazaa/node.def: 
-------------------------------------------------------------------------------- 1 | help: KaZaA application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/.p2p/gnutella/node.def: -------------------------------------------------------------------------------- 1 | help: Gnutella application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/disable/node.def: -------------------------------------------------------------------------------- 1 | help: Option to disable firewall rule 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/ipsec/match-ipsec/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound IPsec packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/ipsec/match-none/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound non-IPsec packets 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/destination/node.def: -------------------------------------------------------------------------------- 1 | help: Destination parameters 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Rule description 3 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def: 
-------------------------------------------------------------------------------- 1 | help: Inbound IPsec packets 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/ipsec/match-none/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound non-IPsec packets 2 | -------------------------------------------------------------------------------- /templates/firewall/group/port-group/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Port-group description 3 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/icmpv6/node.def: -------------------------------------------------------------------------------- 1 | help: ICMPv6 type and code information 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/match-ipsec/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound IPsec packets 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/ipsec/match-none/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound non-IPsec packets 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/gnutella/node.def: -------------------------------------------------------------------------------- 1 | help: Gnutella application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/.p2p/applejuice/node.def: 
-------------------------------------------------------------------------------- 1 | help: AppleJuice application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/.p2p/bittorrent/node.def: -------------------------------------------------------------------------------- 1 | help: BitTorrent application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/.p2p/edonkey/node.def: -------------------------------------------------------------------------------- 1 | help: eDonkey/eMule application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Rule description 4 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/limit/node.def: -------------------------------------------------------------------------------- 1 | help: Rate limit using a token bucket filter 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/node.def: -------------------------------------------------------------------------------- 1 | help: ICMPv6 type and code information 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-ipsec/node.def: -------------------------------------------------------------------------------- 1 | help: Inbound IPsec packets 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/ipsec/match-none/node.def: 
-------------------------------------------------------------------------------- 1 | help: Inbound non-IPsec packets 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/limit/node.def: -------------------------------------------------------------------------------- 1 | help: Rate limit using a token bucket filter 2 | -------------------------------------------------------------------------------- /templates/firewall/group/address-group/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Address-group description 3 | -------------------------------------------------------------------------------- /templates/firewall/group/network-group/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Network-group description 3 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Rule description 4 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/node.def: -------------------------------------------------------------------------------- 1 | help: Rate limit using a token bucket filter 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/applejuice/node.def: -------------------------------------------------------------------------------- 1 | help: AppleJuice application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/bittorrent/node.def: 
-------------------------------------------------------------------------------- 1 | help: BitTorrent application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/edonkey/node.def: -------------------------------------------------------------------------------- 1 | help: eDonkey/eMule application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/enable-default-log/node.def: -------------------------------------------------------------------------------- 1 | help: Option to log packets hitting default-action 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/recent/node.def: -------------------------------------------------------------------------------- 1 | help: Parameters for matching recently seen sources 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Rule description 4 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/limit/node.def: -------------------------------------------------------------------------------- 1 | help: Rate limit using a token bucket filter 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Policy route rule set description 4 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/enable-default-log/node.def: 
-------------------------------------------------------------------------------- 1 | help: Option to log packets hitting default-action 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/recent/node.def: -------------------------------------------------------------------------------- 1 | help: Parameters for matching recently seen sources 2 | -------------------------------------------------------------------------------- /templates/firewall/group/ipv6-address-group/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: IPv6 Address-group description -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/enable-default-log/node.def: -------------------------------------------------------------------------------- 1 | help: Option to log packets hitting default-action 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/directconnect/node.def: -------------------------------------------------------------------------------- 1 | help: Direct Connect application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/node.def: -------------------------------------------------------------------------------- 1 | help: Parameters for matching recently seen sources 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/.p2p/directconnect/node.def: -------------------------------------------------------------------------------- 1 | help: Direct Connect application packets 2 | -------------------------------------------------------------------------------- 
/templates/policy/ipv6-route/node.tag/enable-default-log/node.def: -------------------------------------------------------------------------------- 1 | help: Option to log packets hitting default-action 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/recent/node.def: -------------------------------------------------------------------------------- 1 | help: Parameters for matching recently seen sources 2 | -------------------------------------------------------------------------------- /templates/firewall/group/ipv6-network-group/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: IPv6-network-group description 3 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/fragment/match-non-frag/node.def: -------------------------------------------------------------------------------- 1 | help: Head fragments or unfragmented packets 2 | -------------------------------------------------------------------------------- /templates/firewall/node.def: -------------------------------------------------------------------------------- 1 | priority: 199 2 | help: Firewall 3 | end: ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="$VAR(@)" -------------------------------------------------------------------------------- /templates/firewall/state-policy/invalid/log/enable/node.def: -------------------------------------------------------------------------------- 1 | help: Enable logging of packets part of an invalid connection 2 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/related/log/enable/node.def: -------------------------------------------------------------------------------- 1 | help: Enable logging of packets part of a related connection 2 | 
-------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/description/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Policy ipv6-route rule set description 4 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/fragment/match-non-frag/node.def: -------------------------------------------------------------------------------- 1 | help: Head fragments or unfragmented packets 2 | -------------------------------------------------------------------------------- /debian/vyatta-cfg-firewall.lintian-overrides: -------------------------------------------------------------------------------- 1 | vyatta-cfg-firewall: file-in-unusual-dir 2 | vyatta-cfg-firewall: dir-or-file-in-opt 3 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/established/log/enable/node.def: -------------------------------------------------------------------------------- 1 | help: Enable logging of packets part of an established connection 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/fragment/match-frag/node.def: -------------------------------------------------------------------------------- 1 | help: Second and further fragments of fragmented packets 2 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/recent/time/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Source addresses seen in the last N seconds 3 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/fragment/match-frag/node.def: 
-------------------------------------------------------------------------------- 1 | help: Second and further fragments of fragmented packets 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/recent/time/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Source addresses seen in the last N seconds 3 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/time/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Source addresses seen in the last N seconds 3 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/recent/time/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Source addresses seen in the last N seconds 3 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/time/utc/node.def: -------------------------------------------------------------------------------- 1 | help: Interpret times for startdate, stopdate, starttime and stoptime to be UTC 2 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/time/utc/node.def: -------------------------------------------------------------------------------- 1 | help: Interpret times for startdate, stopdate, starttime and stoptime to be UTC 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/time/utc/node.def: -------------------------------------------------------------------------------- 1 | help: Interpret times for startdate, stopdate, starttime and 
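stoptime to be UTC 2 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/time/utc/node.def: -------------------------------------------------------------------------------- 1 | help: Interpret times for startdate, stopdate, starttime and stoptime to be UTC 2 | -------------------------------------------------------------------------------- /debian/vyatta-cfg-firewall-serial.lintian-overrides: -------------------------------------------------------------------------------- 1 | vyatta-cfg-firewall-serial: file-in-unusual-dir 2 | vyatta-cfg-firewall-serial: dir-or-file-in-opt 3 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/.p2p/all/node.def: -------------------------------------------------------------------------------- 1 | help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets 2 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/p2p/all/node.def: -------------------------------------------------------------------------------- 1 | help: AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets 2 | -------------------------------------------------------------------------------- /scripts/firewall/valid_port_range.pl: --------------------------------------------------------------------------------
#!/usr/bin/env perl
#
# valid_port_range.pl -- syntax check for a firewall port-list value.
#
# Usage: valid_port_range.pl PORTSPEC
#
# PORTSPEC is an optional leading '!' (negate the whole list) followed by a
# comma-separated list of tokens; each token is a numeric port, a numeric
# range LOW-HIGH, or a service name made of letters, digits and '-'.
# Exit status 0 means the value is acceptable, 1 means it is not; the
# template syntax:expression that runs this only looks at the status.
#
# Compared with the earlier single regex this also rejects ports outside
# 1-65535, ranges with LOW > HIGH, and all-digit "names" such as "80-"
# that are neither a port nor a range, and it anchors with \A/\z so a
# trailing newline cannot slip through a `$` anchor.

use strict;
use warnings;

use constant MAX_PORT => 65535;

# Return true when $spec is a well-formed port list, false otherwise.
sub valid_port_range {
    my ($spec) = @_;

    return 0 unless defined $spec;

    # Optional leading '!' negates the whole list.
    $spec =~ s/\A!//;

    return 0 if $spec eq '';

    # split() with a -1 limit keeps a trailing empty token, so "80," is
    # rejected below instead of being silently accepted.
    for my $token (split /,/, $spec, -1) {
        if ($token =~ /\A(?<low>\d+)(?:-(?<high>\d+))?\z/) {
            my $low  = $+{low};
            my $high = defined $+{high} ? $+{high} : $low;
            return 0 if $low < 1 || $high > MAX_PORT || $low > $high;
        }
        elsif ($token =~ /\A[a-zA-Z0-9-]+\z/ && $token =~ /[a-zA-Z]/) {
            # Service name: only the shape is checked here.  Existence in
            # /etc/services is left to the consumer, as before, so a config
            # naming a service absent on this host is not rejected here.
        }
        else {
            return 0;
        }
    }
    return 1;
}

# Modulino: exit with the validation result when run as a script, but stay
# loadable (no exit) when required by a test harness.
exit(valid_port_range($ARGV[0]) ? 0 : 1) unless caller;
-------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/state/new/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: New state 3 | syntax:expression: $VAR(@) in "enable",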
"disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/state/new/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: New state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/state/new/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: New state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/state/new/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: New state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/state/invalid/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Invalid state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/state/related/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Related state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- 
/templates/policy/ipv6-route/node.tag/rule/node.tag/state/invalid/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Invalid state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/state/related/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Related state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/state/established/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Established state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/state/established/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Established state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | -------------------------------------------------------------------------------- /debian/vyatta-cfg-firewall-serial.install: -------------------------------------------------------------------------------- 1 | opt/vyatta/share/vyatta-cfg/templates/interfaces/adsl 2 | opt/vyatta/share/vyatta-cfg/templates/interfaces/multilink 3 | opt/vyatta/share/vyatta-cfg/templates/interfaces/serial 4 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/invalid/node.def: 
-------------------------------------------------------------------------------- 1 | help: Global firewall policy for packets part of an invalid connection 2 | 3 | commit:expression: $VAR(./action/) != ""; 4 | "No action set for state 'invalid'" 5 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/related/node.def: -------------------------------------------------------------------------------- 1 | help: Global firewall policy for packets part of a related connection 2 | 3 | commit:expression: $VAR(./action/) != ""; 4 | "No action set for state 'related'" 5 | -------------------------------------------------------------------------------- /debian/README: -------------------------------------------------------------------------------- 1 | The Debian Package vyatta-cfg-firewall 2 | ---------------------------- 3 | 4 | This package has the Vyatta firewall configuration templates and scripts. 5 | 6 | -- Bob Gilligan , Dec. 10, 2007 7 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/established/node.def: -------------------------------------------------------------------------------- 1 | help: Global firewall policy for packets part of an established connection 2 | 3 | commit:expression: $VAR(./action/) != ""; 4 | "No action set for state 'established'" 5 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/icmp/code/node.def: -------------------------------------------------------------------------------- 1 | type: u32; "ICMP code must be between 0 and 255" 2 | help: ICMP code (0-255) 3 | syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255" 4 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/icmp/type/node.def: 
-------------------------------------------------------------------------------- 1 | type: u32; "ICMP type must be between 0 and 255" 2 | help: ICMP type (0-255) 3 | syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255" 4 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/limit/burst/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | default: 1 3 | help: Maximum number of packets to allow in excess of rate 4 | syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater than zero" 5 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/related/log/node.def: -------------------------------------------------------------------------------- 1 | help: Option to log packets part of a related connection 2 | 3 | commit:expression: $VAR(./enable) != ""; 4 | "Need to set 'enable' to log packets part of a related connection" 5 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/limit/burst/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | default: 1 3 | help: Maximum number of packets to allow in excess of rate 4 | syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater than zero" 5 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/burst/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | default: 1 3 | help: Maximum number of packets to allow in excess of rate 4 | syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater than zero" 5 | --------------------------------------------------------------------------------
/templates/firewall/state-policy/invalid/log/node.def: -------------------------------------------------------------------------------- 1 | help: Option to log packets part of an invalid connection 2 | 3 | commit:expression: $VAR(./enable) != ""; 4 | "Need to set 'enable' to log packets part of an invalid connection" 5 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/limit/burst/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | default: 1 3 | help: Maximum number of packets to allow in excess of rate 4 | syntax:expression: ($VAR(@) >0) ; "Burst should be a value greater than zero" 5 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/established/log/node.def: -------------------------------------------------------------------------------- 1 | help: Option to log packets part of an established connection 2 | 3 | commit:expression: $VAR(./enable) != ""; 4 | "Need to set 'enable' to log packets part of an established connection" 5 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/set/mark/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Packet marking 3 | val_help: u32:1-2147483647; Packet marking 4 | syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 1 and 2,147,483,647" 5 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/log/node.def: -------------------------------------------------------------------------------- 1 | type: txt; "firewall logging must be enable or disable" 2 | help: Option to log packets matching rule 3 | syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable
or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/set/mark/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Packet marking 3 | val_help: u32:1-2147483647; Packet marking 4 | syntax:expression: $VAR(@) > 0 && $VAR(@) <= 2147483647; "packet mark must be between 1 and 2,147,483,647" 5 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/log/node.def: -------------------------------------------------------------------------------- 1 | type: txt; "firewall logging must be enable or disable" 2 | help: Option to log packets matching rule 3 | syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/log/node.def: -------------------------------------------------------------------------------- 1 | type: txt; "firewall logging must be enable or disable" 2 | help: Option to log packets matching rule 3 | syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/log/node.def: -------------------------------------------------------------------------------- 1 | type: txt; "firewall logging must be enable or disable" 2 | help: Option to log packets matching rule 3 | syntax:expression: $VAR(@) in "enable", "disable"; "firewall logging must be enable or disable" 4 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | 3 | type: u32 4
| 5 | help: Rule number (1-9999) 6 | 7 | syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy route rule number must be between 1 and 9999" 8 | 9 | val_help: u32:1-9999; Rule number 10 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | 3 | type: u32 4 | 5 | help: Rule number (1-999999) 6 | 7 | syntax:expression: $VAR(@) > 0 && $VAR(@) <= 999999; "firewall rule number must be between 1 and 999999" 8 | 9 | val_help: u32:1-999999; Rule number 10 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/set/dscp/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | val_help: u32:0-63 ; DSCP number 3 | help: Packet Differentiated Services Codepoint (DSCP) 4 | syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64; 5 | "DSCP must be between 0 and 63" 6 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | 3 | type: u32 4 | 5 | help: Rule number (1-999999) 6 | 7 | syntax:expression: $VAR(@) > 0 && $VAR(@) <= 999999; "firewall rule number must be between 1 and 999999" 8 | 9 | val_help: u32:1-999999; Rule number 10 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/icmp/code/node.def: -------------------------------------------------------------------------------- 1 | type: u32; "ICMP code must be between 0 and 255" 2 | 3 | help: ICMP code (0-255) 4 | 5 | syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP code must be between 0 and 255" 6 | 7 | val_help: u32:0-255; ICMP code 8 | 
-------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/icmp/type/node.def: -------------------------------------------------------------------------------- 1 | type: u32; "ICMP type must be between 0 and 255" 2 | 3 | help: ICMP type (0-255) 4 | 5 | syntax:expression: $VAR(@) >=0 && $VAR(@) <= 255; "ICMP type must be between 0 and 255" 6 | 7 | val_help: u32:0-255; ICMP type 8 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | 3 | type: u32 4 | 5 | help: Rule number (1-9999) 6 | 7 | syntax:expression: $VAR(@) > 0 && $VAR(@) <= 9999; "policy ipv6-route rule number must be between 1 and 9999" 8 | 9 | val_help: u32:1-9999; Rule number 10 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/set/dscp/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | val_help: u32:0-63 ; DSCP number 3 | help: Packet Differentiated Services Codepoint (DSCP) 4 | syntax:expression: $VAR(@) >= 0 && $VAR(@) < 64; 5 | "DSCP must be between 0 and 63" 6 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/action/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Rule action 4 | 5 | syntax:expression: $VAR(@) in "drop"; 6 | "action must be drop" 7 | 8 | allowed: echo "drop" 9 | 10 | val_help: drop ; Rule action to drop 11 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/action/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 
| help: Rule action 4 | 5 | syntax:expression: $VAR(@) in "drop"; 6 | "action must be drop" 7 | 8 | allowed: echo "drop" 9 | 10 | val_help: drop; Rule action to drop 11 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/recent/count/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Source addresses seen more than N times 3 | syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255" 4 | val_help: u32:1-255; Source addresses seen more than N times 5 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/recent/count/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Source addresses seen more than N times 3 | syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255" 4 | val_help: u32:1-255; Source addresses seen more than N times 5 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/recent/count/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Source addresses seen more than N times 3 | syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255" 4 | val_help: u32:1-255; Source addresses seen more than N times 5 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/recent/count/node.def: -------------------------------------------------------------------------------- 1 | type: u32 2 | help: Source addresses seen more than N times 3 | syntax:expression: $VAR(@) >=1 && $VAR(@) <= 255; "recent count value must be between 1 and 255" 4 | val_help: 
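u32:1-255; Source addresses seen more than N times 5 | 6 | -------------------------------------------------------------------------------- /debian/autogen.sh: --------------------------------------------------------------------------------
#!/bin/sh
#
# Regenerate the autotools build system for this package.
#
# Abort on the first failing command so that a half-regenerated tree is
# never left behind looking usable.
set -e

rm -rf config
# Was "config.statusconfig.sub" (missing space): neither config.status nor
# config.sub was removed, so stale copies could survive the regeneration.
rm -f aclocal.m4 config.guess config.status config.sub configure INSTALL

autoreconf --force --install

# Replace the generated config.sub/config.guess with the system-maintained
# copies so newer target triplets are recognised.
rm -f config.sub config.guess
ln -s /usr/share/misc/config.sub .
ln -s /usr/share/misc/config.guess .
-------------------------------------------------------------------------------- /templates/firewall/group/address-group/node.tag/address/node.def: -------------------------------------------------------------------------------- 1 | multi: 2 | type: txt 3 | help: Address-group member 4 | val_help: ipv4; IPv4 address to match 5 | val_help: ipv4range; IPv4 range to match (e.g. 10.0.0.1-10.0.0.200) 6 | 7 | syntax:expression: exec "/opt/vyatta/sbin/ipset-check-member address $VAR(@)" 8 | 9 | -------------------------------------------------------------------------------- /templates/firewall/group/network-group/node.tag/network/node.def: -------------------------------------------------------------------------------- 1 | multi: 2 | type: ipv4net 3 | help: Network-group member 4 | val_help: ipv4net; IPv4 Subnet to match 5 | 6 | syntax:expression: exec "/opt/vyatta/sbin/ipset-check-member network $VAR(@)" 7 | 8 | syntax:expression: exec "ipaddrcheck --verbose --is-ipv4-net $VAR(@)" 9 | -------------------------------------------------------------------------------- /templates/firewall/group/ipv6-network-group/node.tag/network/node.def: -------------------------------------------------------------------------------- 1 | multi: 2 | type: ipv6net 3 | help: Network-group member 4 | val_help: ipv6net; IPv6 Subnet to match 5 | 6 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" 7 | 8 | syntax:expression: exec "ipaddrcheck 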
--verbose --is-ipv6-net $VAR(@)" 9 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/source/mac-address/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Source MAC address 3 | val_help: ; MAC address to match 4 | val_help: ; Match everything except the specified MAC address 5 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" 6 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/source/mac-address/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Source MAC address 3 | val_help: ; MAC address to match 4 | val_help: ; Match everything except the specified MAC address 5 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" 6 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/source/mac-address/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Source MAC address 3 | val_help: ; MAC address to match 4 | val_help: ; Match everything except the specified MAC address 5 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\"" 6 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/source/mac-address/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Source MAC address 3 | val_help: ; MAC address to match 4 | val_help: ; Match everything except the specified MAC address 5 | 
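syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type macaddr_negate '$VAR(@)'" ; "invalid MAC address \"$VAR(@)\""

--------------------------------------------------------------------------------
/templates/firewall/group/port-group/node.tag/port/node.def:
--------------------------------------------------------------------------------
multi:
type: txt
help: Port-group member

val_help: ; Named port (any name in /etc/services, e.g., http)
val_help: u32:1-65535; Numbered port
val_help: -; Numbered port range (e.g. 1001-1050)

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; \
                   "Error [$VAR(@)] isn't valid port-group member"

syntax:expression: exec "/opt/vyatta/sbin/ipset-check-member port $VAR(@)"

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/eq/node.def:
--------------------------------------------------------------------------------
type: u32
help: Value to match a hop limit equal to it
val_help: u32:0-255; Hop limit equal to value
syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "eq must be between 0 and 255"
commit:expression: ($VAR(../lt/) == "") && ($VAR(../gt/) == ""); "you may only define one comparison (eq|lt|gt)"

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/lt/node.def:
--------------------------------------------------------------------------------
type: u32
help: Value to match a hop limit less than or equal to it
val_help: u32:0-255; Hop limit less than value
syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "lt must be between 0 and 255"
commit:expression: ($VAR(../eq/) == "") && ($VAR(../gt/) == ""); "you may only define one comparison (eq|lt|gt)"

--------------------------------------------------------------------------------
/templates/firewall/group/ipv6-address-group/node.tag/address/node.def: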
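--------------------------------------------------------------------------------
multi:
type: txt
help: Address-group member
val_help: ipv6; IPv6 address to match

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; \
                   "Error [$VAR(@)] isn't valid IPv6 host address"

syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)"

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/hop-limit/gt/node.def:
--------------------------------------------------------------------------------
type: u32
help: Value to match a hop limit greater than or equal to it
val_help: u32:0-255; Hop limit greater than value
syntax:expression: $VAR(@) >= 0 && $VAR(@) <= 255; "gt must be between 0 and 255"
commit:expression: ($VAR(../lt/) == "") && ($VAR(../eq/) == ""); "you may only define one comparison (eq|lt|gt)"

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/time/starttime/node.def:
--------------------------------------------------------------------------------
type: txt
help: Time of day to start matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
                   "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss"

comp_help: Enter time using 24 hour notation - hh:mm:ss

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/time/stoptime/node.def:
--------------------------------------------------------------------------------
type: txt
help: Time of day to stop matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
                   "Incorrect value for stoptime.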
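Time should be entered using 24 hour notation - hh:mm:ss"

comp_help: Enter time using 24 hour notation - hh:mm:ss

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/time/starttime/node.def:
--------------------------------------------------------------------------------
type: txt
help: Time of day to start matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
                   "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss"

comp_help: Enter time using 24 hour notation - hh:mm:ss

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/time/stoptime/node.def:
--------------------------------------------------------------------------------
type: txt
help: Time of day to stop matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
                   "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss"

comp_help: Enter time using 24 hour notation - hh:mm:ss

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/starttime/node.def:
--------------------------------------------------------------------------------
type: txt
help: Time of day to start matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
                   "Incorrect value for starttime.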
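Time should be entered using 24 hour notation - hh:mm:ss"

comp_help: Enter time using 24 hour notation - hh:mm:ss

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/stoptime/node.def:
--------------------------------------------------------------------------------
type: txt
help: Time of day to stop matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
                   "Incorrect value for stoptime. Time should be entered using 24 hour notation - hh:mm:ss"

comp_help: Enter time using 24 hour notation - hh:mm:ss

--------------------------------------------------------------------------------
/templates/policy/ipv6-route/node.tag/rule/node.tag/time/starttime/node.def:
--------------------------------------------------------------------------------
type: txt
help: Time of day to start matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
                   "Incorrect value for starttime. Time should be entered using 24 hour notation - hh:mm:ss"

comp_help: Enter time using 24 hour notation - hh:mm:ss

--------------------------------------------------------------------------------
/templates/policy/ipv6-route/node.tag/rule/node.tag/time/stoptime/node.def:
--------------------------------------------------------------------------------
type: txt
help: Time of day to stop matching rule
syntax:expression: pattern $VAR(@) "^[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\}$" ; \
                   "Incorrect value for stoptime.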
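Time should be entered using 24 hour notation - hh:mm:ss"

comp_help: Enter time using 24 hour notation - hh:mm:ss

--------------------------------------------------------------------------------
/templates/firewall/config-trap/node.def:
--------------------------------------------------------------------------------
type: txt

help: SNMP trap generation on firewall configuration changes

val_help: disable; Disable sending SNMP trap on firewall configuration change
val_help: enable; Enable sending SNMP trap on firewall configuration change

default: "disable"

syntax:expression: $VAR(@) in "enable", "disable"; "config-trap must be enable or disable"

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/source/group/port-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of ports

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=port;"
allowed: cli-shell-api listNodes firewall group port-group

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/time/monthdays/node.def:
--------------------------------------------------------------------------------
type: txt
help: Monthdays to match rule on
syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
                   "Incorrect value for monthdays. Monthdays should be specified as 2,12,21
For negation, add ! in front eg. !2,12,21"

comp_help: Format for monthdays - 2,12,21
To negate add ! at the front eg.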
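!2,12,21

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/source/group/port-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of ports

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=port;"
allowed: cli-shell-api listNodes firewall group port-group

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/time/monthdays/node.def:
--------------------------------------------------------------------------------
type: txt
help: Monthdays to match rule on
syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
                   "Incorrect value for monthdays. Monthdays should be specified as 2,12,21
For negation, add ! in front eg. !2,12,21"

comp_help: Format for monthdays - 2,12,21
To negate add ! at the front eg.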
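!2,12,21

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/action/node.def:
--------------------------------------------------------------------------------
type: txt

help: Rule action

syntax:expression: $VAR(@) in "drop", "reject", "accept";
"action must be one of drop, reject or accept"

allowed: echo "drop reject accept"

val_help: drop; Rule action to drop
val_help: reject; Rule action to reject
val_help: accept; Rule action to accept

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/port-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of ports

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=port;"
allowed: cli-shell-api listNodes firewall group port-group

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/time/monthdays/node.def:
--------------------------------------------------------------------------------
type: txt
help: Monthdays to match rule on
syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
                   "Incorrect value for monthdays. Monthdays should be specified as 2,12,21
For negation, add ! in front eg. !2,12,21"

comp_help: Format for monthdays - 2,12,21
To negate add ! at the front eg.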
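!2,12,21

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/destination/group/port-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of ports

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=port;"
allowed: cli-shell-api listNodes firewall group port-group

--------------------------------------------------------------------------------
/templates/policy/ipv6-route/node.tag/rule/node.tag/time/monthdays/node.def:
--------------------------------------------------------------------------------
type: txt
help: Monthdays to match rule on
syntax:expression: pattern $VAR(@) "^!?([[:digit:]]\{1,2\}\,)*[[:digit:]]\{1,2\}$" ; \
                   "Incorrect value for monthdays. Monthdays should be specified as 2,12,21
For negation, add ! in front eg. !2,12,21"

comp_help: Format for monthdays - 2,12,21
To negate add ! at the front eg.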
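!2,12,21

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/destination/group/port-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of ports

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=port;"
allowed: cli-shell-api listNodes firewall group port-group

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/port-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of ports

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=port;"
allowed: cli-shell-api listNodes firewall group port-group

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/source/group/network-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of networks

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=network;"
allowed: cli-shell-api listNodes firewall group network-group

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/source/group/address-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of addresses

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=address;"
allowed: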
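cli-shell-api listNodes firewall group address-group

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/source/group/network-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of networks

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=network;"
allowed: cli-shell-api listNodes firewall group network-group

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/destination/group/network-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of networks

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=network;"
allowed: cli-shell-api listNodes firewall group network-group

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/source/group/address-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of addresses

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=address;"
allowed: cli-shell-api listNodes firewall group address-group

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/action/node.def:
--------------------------------------------------------------------------------
type: txt

help: Rule action [REQUIRED]

syntax:expression: $VAR(@) in "drop", "reject", "accept";
"action must be one of drop, reject or accept"
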
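allowed: echo "drop reject accept"

val_help: drop ; Rule action to drop
val_help: reject ; Rule action to reject
val_help: accept ; Rule action to accept

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/destination/group/network-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of networks

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=network;"
allowed: cli-shell-api listNodes firewall group network-group

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/address-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of addresses

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=address;"
allowed: cli-shell-api listNodes firewall group ipv6-address-group

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/source/group/network-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of networks

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=network;"
allowed: cli-shell-api listNodes firewall group ipv6-network-group

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/source/address/node.def:
--------------------------------------------------------------------------------
type: txt
help: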
Source IP address, subnet, or range 3 | val_help: ipv4; IP address to match 4 | val_help: ipv4net; Subnet to match 5 | val_help: ipv4range; IP range to match 6 | val_help: !ipv4; Match everything except the specified address 7 | val_help: !ipv4net; Match everything except the specified subnet 8 | val_help: !ipv4range; Match everything except the specified range 9 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/invalid/action/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Action for packets part of an invalid connection 4 | 5 | syntax:expression: $VAR(@) in "accept", "drop", "reject"; 6 | "action must be one of accept, drop, or reject" 7 | 8 | allowed: echo "accept drop reject" 9 | 10 | val_help: accept ; Action to accept 11 | val_help: drop ; Action to drop 12 | val_help: reject ; Action to reject 13 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/related/action/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Action for packets part of a related connection 4 | 5 | syntax:expression: $VAR(@) in "accept", "drop", "reject"; 6 | "action must be one of accept, drop, or reject" 7 | 8 | allowed: echo "accept drop reject" 9 | 10 | val_help: accept ; Action to accept 11 | val_help: drop ; Action to drop 12 | val_help: reject ; Action to reject 13 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/source/address/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Source IP address, subnet, or range 3 | val_help: ipv4; IP address to match 4 | val_help: ipv4net; Subnet to match 5 | val_help: ipv4range; IP range to match 6 | val_help: !ipv4; Match everything except 
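the specified address
val_help: !ipv4net; Match everything except the specified subnet
val_help: !ipv4range; Match everything except the specified range

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/network-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of networks

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=network;"
allowed: cli-shell-api listNodes firewall group ipv6-network-group

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/destination/group/address-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of addresses

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=address;"

allowed: cli-shell-api listNodes firewall group address-group

--------------------------------------------------------------------------------
/templates/firewall/state-policy/established/action/node.def:
--------------------------------------------------------------------------------
type: txt

help: Action for packets part of an established connection

syntax:expression: $VAR(@) in "accept", "drop", "reject";
"action must be one of accept, drop, or reject"

allowed: echo "accept drop reject"

val_help: accept ; Action to accept
val_help: drop ; Action to drop
val_help: reject ; Action to reject

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/destination/address/node.def: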
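--------------------------------------------------------------------------------
type: txt
help: Destination IP address, subnet, or range
val_help: ipv4; IP address to match
val_help: ipv4net; Subnet to match
val_help: ipv4range; IP range to match
val_help: !ipv4; Match everything except the specified address
val_help: !ipv4net; Match everything except the specified subnet
val_help: !ipv4range; Match everything except the specified range

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/destination/group/address-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of addresses

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=address;"

allowed: cli-shell-api listNodes firewall group address-group

--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/source/port/node.def:
--------------------------------------------------------------------------------
type: txt
help: Source port
val_help: ; Named port (any name in /etc/services, e.g., http)
val_help: u32:1-65535; Numbered port
val_help: range; Numbered port range (e.g., 1001-1005)
comp_help: Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'.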
For example: 8 | '!22,telnet,http,123,1001-1005' 9 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/state/invalid/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Invalid state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | 5 | commit:expression: 6 | exec " 7 | if cli-shell-api existsEffective firewall state-policy; then \ 8 | echo Warning: Use of state in rules overridden by \\'firewall state-policy\\' configuration; \ 9 | fi" 10 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/state/related/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Related state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | 5 | commit:expression: 6 | exec " 7 | if cli-shell-api existsEffective firewall state-policy; then \ 8 | echo Warning: Use of state in rules overridden by \\'firewall state-policy\\' configuration; \ 9 | fi" 10 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/source/port/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Source port 3 | val_help: ; Named port (any name in /etc/services, e.g., http) 4 | val_help: u32:1-65535; Numbered port 5 | val_help: range; Numbered port range (e.g., 1001-1005) 6 | comp_help: Multiple source ports can be specified as a comma-separated list. 7 | The whole list can also be "negated" using '!'. 
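For example:
'!22,telnet,http,123,1001-1005'

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/group/address-group/node.def:
--------------------------------------------------------------------------------
type: txt
help: Group of addresses

syntax:expression: pattern $VAR(@) "^[^|;&$<>/]*$" ; "Error [$VAR(@)] isn't valid group name"

commit:expression: exec "sudo /opt/vyatta/sbin/vyatta-ipset.pl \
    --action=check-set-type \
    --set-name=$VAR(@) \
    --set-type=address;"

allowed: cli-shell-api listNodes firewall group ipv6-address-group

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/invalid/node.def:
--------------------------------------------------------------------------------
type: txt
help: Invalid state
syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"

commit:expression:
exec "
if cli-shell-api existsEffective firewall state-policy; then \
echo Warning: Use of state in rules overridden by \\'firewall state-policy\\' configuration; \
fi"

--------------------------------------------------------------------------------
/templates/firewall/ipv6-name/node.tag/rule/node.tag/state/related/node.def:
--------------------------------------------------------------------------------
type: txt
help: Related state
syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable"

commit:expression:
exec "
if cli-shell-api existsEffective firewall state-policy; then \
echo Warning: Use of state in rules overridden by \\'firewall state-policy\\' configuration; \
fi"

--------------------------------------------------------------------------------
/templates/firewall/name/node.tag/rule/node.tag/state/established/node.def: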
-------------------------------------------------------------------------------- 1 | type: txt 2 | help: Established state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | 5 | commit:expression: 6 | exec " 7 | if cli-shell-api existsEffective firewall state-policy; then \ 8 | echo Warning: Use of state in rules overridden by \\'firewall state-policy\\' configuration; \ 9 | fi" 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | .*.swp 3 | aclocal.m4 4 | autom4te.cache 5 | build-stamp 6 | config 7 | config.log 8 | config.guess 9 | config.status 10 | config.sub 11 | configure 12 | debian/files 13 | debian/vyatta-cfg-firewall.postinst 14 | debian/vyatta-cfg-firewall 15 | debian/tmp 16 | debian/vyatta-cfg-firewall-serial 17 | debian/*.debhelper.log 18 | debian/*.substvars 19 | scripts/firewall/firewall.init 20 | INSTALL 21 | Makefile.in 22 | Makefile 23 | generated-templates 24 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/state/established/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Established state 3 | syntax:expression: $VAR(@) in "enable", "disable" ; "state value must be enable or disable" 4 | 5 | commit:expression: 6 | exec " 7 | if cli-shell-api existsEffective firewall state-policy; then \ 8 | echo Warning: Use of state in rules overridden by \\'firewall state-policy\\' configuration; \ 9 | fi" 10 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/default-action/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Default-action for rule-set 4 | 5 | default: "drop" 6 | 7 | 
syntax:expression: $VAR(@) in "drop", "accept", "reject"; 8 | "default-action must be drop, reject or accept" 9 | 10 | val_help: drop; Drop if no prior rules are hit (default) 11 | val_help: reject; Drop and notify source if no prior rules are hit 12 | val_help: accept; Accept if no prior rules are hit 13 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/destination/port/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Destination port 3 | val_help: ; Named port (any name in /etc/services, e.g., http) 4 | val_help: u32:1-65535; Numbered port 5 | val_help: range; Numbered port range (e.g., 1001-1005) 6 | comp_help: Multiple destination ports can be specified as a comma-separated list. 7 | The whole list can also be "negated" using '!'. For example: 8 | '!22,telnet,http,123,1001-1005' 9 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/default-action/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Default-action for rule-set 4 | 5 | default: "drop" 6 | 7 | syntax:expression: $VAR(@) in "drop", "accept", "reject"; 8 | "default-action must be drop, reject or accept" 9 | 10 | val_help: drop; Drop if no prior rules are hit (default) 11 | val_help: reject; Drop and notify source if no prior rules are hit 12 | val_help: accept; Accept if no prior rules are hit 13 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/destination/address/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Destination IP address, subnet, or range 4 | 5 | val_help: ipv4; IP address to match 6 | val_help: ipv4net; Subnet to match 7 | val_help: ipv4range; IP range to 
match 8 | val_help: !ipv4; Match everything except the specified address 9 | val_help: !ipv4net; Match everything except the specified subnet 10 | val_help: !ipv4range; Match everything except the specified range 11 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/destination/port/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Destination port 4 | 5 | val_help: ; Named port (any name in /etc/services, e.g., http) 6 | val_help: u32:1-65535; Numbered port 7 | val_help: range; Numbered port range (e.g., 1001-1005) 8 | comp_help: Multiple destination ports can be specified as a comma-separated list. 9 | The whole list can also be "negated" using '!'. For example: 10 | '!22,telnet,http,123,1001-1005' 11 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/source/port/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Source port 3 | val_help: ; Named port (any name in /etc/services, e.g., http) 4 | val_help: u32:1-65535; Numbered port 5 | val_help: range; Numbered port range (e.g., 1001-1005) 6 | comp_help: Multiple source ports can be specified as a comma-separated list. 7 | The whole list can also be "negated" using '!'. 
For example: 8 | '!22,telnet,http,123,1001-1005' 9 | syntax:expression: exec "${vyatta_sbindir}/valid_port_range.pl $VAR(@)" 10 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/source/port/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Source port 3 | val_help: ; Named port (any name in /etc/services, e.g., http) 4 | val_help: u32:1-65535; Numbered port 5 | val_help: range; Numbered port range (e.g., 1001-1005) 6 | comp_help: Multiple source ports can be specified as a comma-separated list. 7 | The whole list can also be "negated" using '!'. For example: 8 | '!22,telnet,http,123,1001-1005' 9 | syntax:expression: exec "${vyatta_sbindir}/valid_port_range.pl $VAR(@)" 10 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/time/weekdays/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Weekdays to match rule on 3 | syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \ 4 | "Incorrect value for weekdays. Weekdays should be specified using the first 5 | three characters of the day with the first character capitalized eg. Mon,Thu,Sat 6 | For negation, add ! in front eg. !Mon,Thu,Sat" 7 | 8 | comp_help: Format for weekdays - Mon,Thu,Sat 9 | To negate add ! at the front eg. !Mon,Thu,Sat 10 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/time/weekdays/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Weekdays to match rule on 3 | syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \ 4 | "Incorrect value for weekdays. 
Weekdays should be specified using the first 5 | three characters of the day with the first character capitalized eg. Mon,Thu,Sat 6 | For negation, add ! in front eg. !Mon,Thu,Sat" 7 | 8 | comp_help: Format for weekdays - Mon,Thu,Sat 9 | To negate add ! at the front eg. !Mon,Thu,Sat 10 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/time/weekdays/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Weekdays to match rule on 3 | syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \ 4 | "Incorrect value for weekdays. Weekdays should be specified using the first 5 | three characters of the day with the first character capitalized eg. Mon,Thu,Sat 6 | For negation, add ! in front eg. !Mon,Thu,Sat" 7 | 8 | comp_help: Format for weekdays - Mon,Thu,Sat 9 | To negate add ! at the front eg. !Mon,Thu,Sat 10 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/time/weekdays/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Weekdays to match rule on 3 | syntax:expression: pattern $VAR(@) "^!?([[:upper:]][[:lower:]]\{2\}\,)*[[:upper:]][[:lower:]]\{2\}$" ; \ 4 | "Incorrect value for weekdays. Weekdays should be specified using the first 5 | three characters of the day with the first character capitalized eg. Mon,Thu,Sat 6 | For negation, add ! in front eg. !Mon,Thu,Sat" 7 | 8 | comp_help: Format for weekdays - Mon,Thu,Sat 9 | To negate add ! at the front eg. 
!Mon,Thu,Sat 10 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/destination/port/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Destination port 4 | 5 | val_help: ; Named port (any name in /etc/services, e.g., http) 6 | val_help: u32:1-65535; Numbered port 7 | val_help: range; Numbered port range (e.g., 1001-1005) 8 | comp_help: Multiple destination ports can be specified as a comma-separated list. 9 | The whole list can also be "negated" using '!'. For example: 10 | '!22,telnet,http,123,1001-1005' 11 | syntax:expression: exec "${vyatta_sbindir}/valid_port_range.pl $VAR(@)" 12 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/set/tcp-mss/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: TCP Maximum Segment Size 3 | 4 | syntax:expression: 5 | exec " 6 | if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \ 7 | ( $VAR(@) -ge \"500\" ) && \ 8 | ( $VAR(@) -le \"1460\" ) ]]; then \ 9 | exit 0; \ 10 | fi; \ 11 | echo Value must be a number between 500 and 1460; \ 12 | exit 1" 13 | 14 | val_help: 500-1460; Explicitly set TCP MSS value 15 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/port/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Destination port 4 | 5 | val_help: ; Named port (any name in /etc/services, e.g., http) 6 | val_help: u32:1-65535; Numbered port 7 | val_help: range; Numbered port range (e.g., 1001-1005) 8 | comp_help: Multiple destination ports can be specified as a comma-separated list. 9 | The whole list can also be "negated" using '!'. 
For example: 10 | '!22,telnet,http,123,1001-1005' 11 | syntax:expression: exec "${vyatta_sbindir}/valid_port_range.pl $VAR(@)" 12 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/set/table/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Routing table to forward packet with 3 | val_help: u32:1-200 ; Table number 4 | val_help: main ; Main table 5 | syntax:expression: exec " 6 | if [[ $VAR(@) =~ ^-?[0-9]+$ ]] ; then 7 | if [ $VAR(@) -lt 1 -o $VAR(@) -gt 200 ] ; then 8 | echo Table must be between 1-200 or table main 9 | exit 1 10 | fi 11 | else 12 | if [[ $VAR(@) != 'main' ]] ; then 13 | echo Table must be between 1-200 or table main 14 | exit 1 15 | fi 16 | fi" 17 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/source/address/node.def: -------------------------------------------------------------------------------- 1 | 2 | type: txt 3 | 4 | help: Source IPv6 address, prefix or range 5 | 6 | val_help: ipv6; IPv6 address to match 7 | val_help: ipv6net; IPv6 prefix to match 8 | val_help: ipv6range; IPv6 range to match 9 | val_help: !ipv6; Match everything except the specified address 10 | val_help: !ipv6net; Match everything except the specified prefix 11 | val_help: !ipv6range; Match everything except the specified range 12 | 13 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" 14 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/source/address/node.def: -------------------------------------------------------------------------------- 1 | 2 | type: txt 3 | 4 | help: Source IPv6 address, prefix or range to match 5 | 6 | val_help: ipv6; IPv6 address to match 7 | val_help: ipv6net; IPv6 prefix to match 8 | 
val_help: ipv6range; IPv6 range to match 9 | val_help: !ipv6; Match everything except the specified address 10 | val_help: !ipv6net; Match everything except the specified prefix 11 | val_help: !ipv6range; Match everything except the specified range 12 | 13 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" 14 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/destination/address/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Destination IPv6 address, prefix or range 4 | 5 | val_help: ipv6; IPv6 address to match 6 | val_help: ipv6net; IPv6 prefix to match 7 | val_help: ipv6range; IPv6 range to match 8 | val_help: !ipv6; Match everything except the specified address 9 | val_help: !ipv6net; Match everything except the specified prefix 10 | val_help: !ipv6range; Match everything except the specified range 11 | 12 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" 13 | 14 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/destination/address/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Destination IPv6 address, prefix or range 4 | 5 | val_help: ipv6; IPv6 address to match 6 | val_help: ipv6net; IPv6 prefix to match 7 | val_help: ipv6range; IPv6 range to match 8 | val_help: !ipv6; Match everything except the specified address 9 | val_help: !ipv6net; Match everything except the specified prefix 10 | val_help: !ipv6range; Match everything except the specified range 11 | 12 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type ipv6_addr_param $VAR(@)" 13 | 14 | -------------------------------------------------------------------------------- 
/debian/vyatta-cfg-firewall.postinst.in: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | prefix=@prefix@ 4 | exec_prefix=@exec_prefix@ 5 | sysconfdir=@sysconfdir@ 6 | bindir=@bindir@ 7 | sbindir=@sbindir@ 8 | 9 | # add symlinks for sudo 10 | ln -sf /opt/vyatta/sbin/vyatta-ipset.pl ${bindir}/sudo-users/vyatta-ipset.pl 11 | 12 | 13 | # comply with Squeeze version of modprobe 14 | # remove old versions of files during upgrade 15 | for modprobe in vyatta_xt_recent vyatta_sip_options 16 | do 17 | if [ -f /etc/modprobe.d/${modprobe} ]; then 18 | mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf 19 | fi 20 | done 21 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/set/table/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Routing table to forward packet with 3 | val_help: u32:1-200 ; Table number 4 | val_help: main ; Main table 5 | allowed: echo main `cli-shell-api listNodes protocols static table` 6 | syntax:expression: exec " 7 | if [[ $VAR(@) =~ ^-?[0-9]+$ ]] ; then 8 | if [ $VAR(@) -lt 1 -o $VAR(@) -gt 200 ] ; then 9 | echo Table must be between 1-200 or table main 10 | exit 1 11 | fi 12 | else 13 | if [[ $VAR(@) != 'main' ]] ; then 14 | echo Table must be between 1-200 or table main 15 | exit 1 16 | fi 17 | fi" 18 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/limit/rate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Maximum average matching rate 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ 4 | "Invalid value for rate. Rate should be specified as an integer followed by 5 | a forward slash '/' and either of these time units - second, minute, hour or day 6 | eg. 
1/second implies rule to be matched at an average of once per second" 7 | 8 | comp_help:Format for rate : integer/time unit 9 | any one of second, minute, hour or day may be used to specify time unit 10 | eg. 1/second implies rule to be matched at an average of once per second 11 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/limit/rate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Maximum average matching rate 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ 4 | "Invalid value for rate. Rate should be specified as an integer followed by 5 | a forward slash '/' and either of these time units - second, minute, hour or day 6 | eg. 1/second implies rule to be matched at an average of once per second" 7 | 8 | comp_help:Format for rate : integer/time unit 9 | any one of second, minute, hour or day may be used to specify time unit 10 | eg. 1/second implies rule to be matched at an average of once per second 11 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/limit/rate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Maximum average matching rate 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ 4 | "Invalid value for rate. Rate should be specified as an integer followed by 5 | a forward slash '/' and either of these time units - second, minute, hour or day 6 | eg. 1/second implies rule to be matched at an average of once per second" 7 | 8 | comp_help:Format for rate : integer/time unit 9 | any one of second, minute, hour or day may be used to specify time unit 10 | eg. 
1/second implies rule to be matched at an average of once per second 11 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/limit/rate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Maximum average matching rate 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]+/(second|minute|hour|day)$" ; \ 4 | "Invalid value for rate. Rate should be specified as an integer followed by 5 | a forward slash '/' and either of these time units - second, minute, hour or day 6 | eg. 1/second implies rule to be matched at an average of once per second" 7 | 8 | comp_help:Format for rate : integer/time unit 9 | any one of second, minute, hour or day may be used to specify time unit 10 | eg. 1/second implies rule to be matched at an average of once per second 11 | -------------------------------------------------------------------------------- /templates/firewall/twa-hazards-protection/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: RFC1337 TCP TIME-WAIT assassination hazards protection 4 | 5 | val_help: enable; Enable RFC1337 TIME-WAIT hazards protection 6 | val_help: disable; Disable RFC1337 TIME-WAIT hazards protection 7 | 8 | default: "disable" 9 | 10 | syntax:expression: $VAR(@) in "enable", "disable"; "twa-hazards-protection must be enable or disable" 11 | 12 | update: 13 | if [ x$VAR(@) == xenable ]; then 14 | sudo sh -c "echo 1 > /proc/sys/net/ipv4/tcp_rfc1337" 15 | else 16 | sudo sh -c "echo 0 > /proc/sys/net/ipv4/tcp_rfc1337" 17 | fi 18 | 19 | delete: 20 | sudo sh -c "echo 0 > /proc/sys/net/ipv4/tcp_rfc1337" 21 | -------------------------------------------------------------------------------- /.frlog: -------------------------------------------------------------------------------- 1 | Tue Dec 28 13:47:00 PST 2010: [new branch] at [debian/0.13.38] 2 | Thu Jul 7 
20:55:13 PDT 2011: [new branch] at [debian/0.13.46] 3 | Sat Nov 5 06:16:00 NOVT 2011: [Force release] at [debian/0.13.52] 4 | Sat Mar 3 02:25:25 PST 2012: [new branch] at [debian/0.13.65] 5 | Fri Oct 12 19:46:42 PDT 2012: [new branch] at [debian/0.13.90] 6 | Sat Oct 13 13:30:28 PDT 2012: [create daisy branch] at [debian/0.13.91] 7 | Sun Nov 17 00:08:18 CET 2013: [New branch] at [debian/0.13.91+daisy7] 8 | Sat Feb 15 16:06:20 CET 2014: [New branch] at [debian/0.13.91+hydrogen1] 9 | Tue Nov 18 18:49:35 CET 2014: [New branch] at [debian/0.13.91+vyos1+helium8] 10 | Mon Dec 15 19:16:05 GMT 2014: [Force release] at [debian/0.14.0+vyos2+lithium3] 11 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/tcp/flags/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: TCP flags to match 3 | syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \ 4 | "Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL 5 | When specifying more than one flag, flags should be comma-separated. 6 | For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with 7 | the SYN flag set, and the ACK, FIN and RST flags unset" 8 | 9 | comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL 10 | When specifying more than one flag, flags should be comma-separated. 
11 | For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with 12 | the SYN flag set, and the ACK, FIN and RST flags unset 13 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/tcp/flags/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: TCP flags to match 3 | syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \ 4 | "Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL 5 | When specifying more than one flag, flags should be comma-separated. 6 | For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with 7 | the SYN flag set, and the ACK, FIN and RST flags unset" 8 | 9 | comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL 10 | When specifying more than one flag, flags should be comma-separated. 11 | For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with 12 | the SYN flag set, and the ACK, FIN and RST flags unset 13 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/tcp/flags/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: TCP flags to match 3 | syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \ 4 | "Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL 5 | When specifying more than one flag, flags should be comma-separated. 6 | For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with 7 | the SYN flag set, and the ACK, FIN and RST flags unset" 8 | 9 | comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL 10 | When specifying more than one flag, flags should be comma-separated. 
11 | For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with 12 | the SYN flag set, and the ACK, FIN and RST flags unset 13 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/time/stopdate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Date to stop matching rule 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ 4 | "Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time 5 | of date with stopdate, append 'T' to date followed by time in 24 hour notation 6 | hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to 7 | 31st Jan 2009 with time 13:30:00" 8 | 9 | comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate, 10 | append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg 11 | stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00 12 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/tcp/flags/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: TCP flags to match 3 | syntax:expression: pattern $VAR(@) "^((!?ALL)|((!?(SYN|ACK|FIN|RST|PSH|URG),)*(!?(SYN|ACK|FIN|RST|PSH|URG))))$" ; \ 4 | "Invalid value for TCP flags. Allowed values : SYN ACK FIN RST URG PSH ALL 5 | When specifying more than one flag, flags should be comma-separated. 6 | For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with 7 | the SYN flag set, and the ACK, FIN and RST flags unset" 8 | 9 | comp_help: Allowed values for TCP flags : SYN ACK FIN RST URG PSH ALL 10 | When specifying more than one flag, flags should be comma-separated. 
11 | For example : value of 'SYN,!ACK,!FIN,!RST' will only match packets with 12 | the SYN flag set, and the ACK, FIN and RST flags unset 13 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/time/stopdate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Date to stop matching rule 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ 4 | "Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time 5 | of date with stopdate, append 'T' to date followed by time in 24 hour notation 6 | hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to 7 | 31st Jan 2009 with time 13:30:00" 8 | 9 | comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate, 10 | append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg 11 | stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00 12 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/time/stopdate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Date to stop matching rule 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ 4 | "Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time 5 | of date with stopdate, append 'T' to date followed by time in 24 hour notation 6 | hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to 7 | 31st Jan 2009 with time 13:30:00" 8 | 9 | comp_help: Format for date : yyyy-mm-dd. 
To specify time of date with stopdate, 10 | append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg 11 | stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00 12 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/time/stopdate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Date to stop matching rule 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ 4 | "Invalid value for stopdate. Date should use yyyy-mm-dd format. To specify time 5 | of date with stopdate, append 'T' to date followed by time in 24 hour notation 6 | hh:mm:ss. For example stopdate value of 2009-01-31T13:30:00 refers to 7 | 31st Jan 2009 with time 13:30:00" 8 | 9 | comp_help: Format for date : yyyy-mm-dd. To specify time of date with stopdate, 10 | append 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg 11 | stopdate value of 2009-01-31T13:30:00 refers to 31st Jan 2009 with time 13:30:00 12 | 13 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/time/startdate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Date to start matching rule 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ 4 | "Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time 5 | of date with startdate, append 'T' to date followed by time in 24 hour notation 6 | hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to 7 | 21st January 2009 with time 13:30:00" 8 | 9 | comp_help: Format for date : yyyy-mm-dd. 
To specify time of date with startdate, append 10 | 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate 11 | value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 12 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/time/startdate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Date to start matching rule 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ 4 | "Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time 5 | of date with startdate, append 'T' to date followed by time in 24 hour notation 6 | hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to 7 | 21st January 2009 with time 13:30:00" 8 | 9 | comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append 10 | 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate 11 | value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 12 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/time/startdate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Date to start matching rule 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ 4 | "Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time 5 | of date with startdate, append 'T' to date followed by time in 24 hour notation 6 | hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to 7 | 21st January 2009 with time 13:30:00" 8 | 9 | comp_help: Format for date : yyyy-mm-dd. 
To specify time of date with startdate, append 10 | 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate 11 | value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 12 | 13 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/time/startdate/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: Date to start matching rule 3 | syntax:expression: pattern $VAR(@) "^[[:digit:]]\{4\}[-][[:digit:]]\{2\}[-][[:digit:]]\{2\}(T[[:digit:]]\{2\}[:][[:digit:]]\{2\}[:][[:digit:]]\{2\})?$" ; \ 4 | "Invalid value for startdate. Date should use yyyy-mm-dd format. To specify time 5 | of date with startdate, append 'T' to date followed by time in 24 hour notation 6 | hh:mm:ss. For example startdate value of 2009-01-21T13:30:00 refers to 7 | 21st January 2009 with time 13:30:00" 8 | 9 | comp_help: Format for date : yyyy-mm-dd. To specify time of date with startdate, append 10 | 'T' to date followed by time in 24 hour notation hh:mm:ss. For eg startdate 11 | value of 2009-01-21T13:30:00 refers to 21st Jan 2009 with time 13:30:00 12 | -------------------------------------------------------------------------------- /etc/modprobe.d/vyatta_ipset.conf: -------------------------------------------------------------------------------- 1 | # 2 | # **** License **** 3 | # This program is free software; you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License version 2 as 5 | # published by the Free Software Foundation. 6 | # 7 | # This program is distributed in the hope that it will be useful, but 8 | # WITHOUT ANY WARRANTY; without even the implied warranty of 9 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 10 | # General Public License for more details. 11 | # 12 | # This code was originally developed by Vyatta, Inc. 
13 | # Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. 14 | # All Rights Reserved. 15 | # **** End License **** 16 | # 17 | # Author: John Southworth 18 | # Description: Set maximum number of ipsets 19 | # 20 | 21 | options ip_set max_sets=3072 22 | -------------------------------------------------------------------------------- /templates/firewall/syn-cookies/node.def: -------------------------------------------------------------------------------- 1 | # tcp_syncookies 2 | # default value - 1 3 | # Send out syncookies when the syn backlog queue of a socket overflows. 4 | # This is to protect against the common 'SYN flood attack' 5 | 6 | type: txt 7 | 8 | help: Policy for using TCP SYN cookies with IPv4 9 | 10 | val_help: enable; Enable use of TCP SYN cookies with IPv4 11 | val_help: disable; Disable use of TCP SYN cookies with IPv4 12 | 13 | default: "enable" 14 | 15 | syntax:expression: $VAR(@) in "enable", "disable"; "syn-cookies must be enable or disable" 16 | 17 | update: 18 | if [ x$VAR(@) == xenable ]; then 19 | sudo sh -c "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" 20 | else 21 | sudo sh -c "echo 0 > /proc/sys/net/ipv4/tcp_syncookies" 22 | fi 23 | 24 | delete: 25 | sudo sh -c "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" 26 | -------------------------------------------------------------------------------- /templates/firewall/all-ping/node.def: -------------------------------------------------------------------------------- 1 | # icmp_echo_ignore_all 2 | # default value - 0 3 | # If set non-zero, then the kernel will ignore all ICMP ECHO requests sent to it 4 | 5 | type: txt 6 | 7 | help: Policy for handling of all IPv4 ICMP echo requests 8 | 9 | val_help: disable; Disable processing of all IPv4 ICMP echo requests 10 | val_help: enable; Enable processing of all IPv4 ICMP echo requests 11 | 12 | default: "enable" 13 | 14 | syntax:expression: $VAR(@) in "enable", "disable"; "all-ping must be enable or disable" 15 | 16 | update: 17 | if [ x$VAR(@) == 
xdisable ]; then 18 | sudo sh -c "echo 1 > \ 19 | /proc/sys/net/ipv4/icmp_echo_ignore_all" 20 | else 21 | sudo sh -c "echo 0 > \ 22 | /proc/sys/net/ipv4/icmp_echo_ignore_all" 23 | fi 24 | 25 | delete: 26 | sudo sh -c "echo 0 > \ 27 | /proc/sys/net/ipv4/icmp_echo_ignore_all" 28 | 29 | -------------------------------------------------------------------------------- /configure.ac: -------------------------------------------------------------------------------- 1 | # Process this file with autoconf to produce a configure script. 2 | AC_PREREQ(2.59) 3 | 4 | m4_define([VERSION_ID], [m4_esyscmd([ 5 | if test -f .version ; then 6 | head -n 1 .version | tr -d \\n 7 | else 8 | echo -n 2.4 9 | fi])]) 10 | AC_INIT([vyatta-cfg-firewall], VERSION_ID, [vyatta-support@vyatta.com]) 11 | 12 | test -n "$VYATTA_VERSION" || VYATTA_VERSION=$PACKAGE_VERSION 13 | 14 | AC_CONFIG_AUX_DIR([config]) 15 | AM_INIT_AUTOMAKE([gnu no-dist-gzip dist-bzip2 subdir-objects]) 16 | AC_PREFIX_DEFAULT([/opt/vyatta]) 17 | 18 | AC_ARG_ENABLE([nostrip], 19 | AC_HELP_STRING([--enable-nostrip], 20 | [include -nostrip option during packaging]), 21 | [NOSTRIP=-nostrip], [NOSTRIP=]) 22 | 23 | AC_CONFIG_FILES( 24 | [Makefile] 25 | [debian/vyatta-cfg-firewall.postinst] 26 | [scripts/firewall/firewall.init]) 27 | 28 | AC_SUBST(NOSTRIP) 29 | 30 | AC_OUTPUT 31 | 32 | -------------------------------------------------------------------------------- /etc/modprobe.d/vyatta_xt_recent.conf: -------------------------------------------------------------------------------- 1 | # 2 | # **** License **** 3 | # This program is free software; you can redistribute it and/or modify 4 | # it under the terms of the GNU General Public License version 2 as 5 | # published by the Free Software Foundation. 6 | # 7 | # This program is distributed in the hope that it will be useful, but 8 | # WITHOUT ANY WARRANTY; without even the implied warranty of 9 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU 10 | # General Public License for more details. 11 | # 12 | # This code was originally developed by Vyatta, Inc. 13 | # Portions created by Vyatta are Copyright (C) 2010 Vyatta, Inc. 14 | # All Rights Reserved. 15 | # **** End License **** 16 | # 17 | # Author: Mohit Mehta 18 | # Description: Set number of packets per IP to remember to 255 for recent 19 | # match condition. Default value was 20 as of July 14, 2010 20 | # 21 | 22 | options xt_recent ip_pkt_list_tot=255 23 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: vyatta-cfg-firewall 2 | Section: contrib/net 3 | Priority: extra 4 | Maintainer: VyOS Package Maintainers 5 | Build-Depends: debhelper (>= 5), autotools-dev, autoconf, automake, cpio 6 | Standards-Version: 3.9.1 7 | 8 | Package: vyatta-cfg-firewall 9 | Architecture: all 10 | Depends: sed (>= 4.1.5), 11 | perl (>= 5.8.8), 12 | procps (>= 1:3.2.7-3), 13 | coreutils (>= 5.97-5.3), 14 | vyatta-cfg (>= 0.15.33), 15 | vyatta-cfg-system (>= 0.19.125), 16 | vyatta-bash | bash (>= 3.1), 17 | sysv-rc, 18 | ntp, 19 | rsyslog | system-log-daemon, 20 | busybox, 21 | whois, 22 | sudo, 23 | snmpd, 24 | ipset, 25 | iptables, 26 | libswitch-perl, 27 | libsnmp-perl 28 | Replaces: vyatta-cfg-system, 29 | vyatta-openvpn 30 | Suggests: util-linux (>= 2.13-5), 31 | net-tools, 32 | ethtool, 33 | ncurses-bin (>= 5.5-5), 34 | ntpdate 35 | Description: VyOS firewall configuration templates/scripts 36 | VyOS firewall configuration templates and scripts. 
37 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/protocol/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: IPv6 protocol to match (protocol name, number, or "all") 4 | 5 | syntax:expression: exec " 6 | param=$VAR(@) 7 | if [ \"$param\" = \"icmpv6\" ]; then 8 | exit 0 9 | fi 10 | if [ \"$param\" = \"tcp_udp\" ]; then 11 | exit 0 12 | fi 13 | /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)' 14 | " ; 15 | "invalid protocol \"$VAR(@)\"" 16 | 17 | # Provide some help for command completion. Doesn't return negated 18 | # values or protocol numbers 19 | allowed: 20 | protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'` 21 | protos="all icmpv6 $protos tcp_udp" 22 | echo -n $protos 23 | 24 | val_help: txt; IPv6 protocol name from /etc/protocols (e.g. "tcp" or "udp") 25 | val_help: u32:0-255; IPv6 protocol number 26 | val_help: tcp_udp; Both TCP and UDP 27 | val_help: all; All IPv6 protocols 28 | val_help: !; All IPv6 protocols except for the specified name or number 29 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/protocol/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Protocol to match (protocol name in /etc/protocols or protocol number or "all") 4 | 5 | val_help: txt; IP protocol name from /etc/protocols (e.g. 
"tcp" or "udp") 6 | val_help: u32:0-255; IP protocol number 7 | val_help: tcp_udp; Both TCP and UDP 8 | val_help: all; All IP protocols 9 | val_help: !; All IP protocols except for the specified name or number 10 | 11 | syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'`\" ] \ 12 | && [ \"$VAR(@)\" != 'tcp_udp' ]; then \ 13 | echo invalid protocol \"$VAR(@)\" ; \ 14 | exit 1 ; \ 15 | fi ; " 16 | 17 | # Provide some help for command completion. Doesn't return negated 18 | # values or protocol numbers 19 | allowed: 20 | protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v '6'` 21 | protos="all $protos tcp_udp" 22 | echo -n $protos 23 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/protocol/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: IPv6 protocol to match (protocol name, number, or "all") 4 | 5 | syntax:expression: exec " 6 | param=$VAR(@) 7 | if [ \"$param\" = \"icmpv6\" ]; then 8 | exit 0 9 | fi 10 | if [ \"$param\" = \"tcp_udp\" ]; then 11 | exit 0 12 | fi 13 | /opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)' 14 | " ; 15 | "invalid protocol \"$VAR(@)\"" 16 | 17 | # Provide some help for command completion. Doesn't return negated 18 | # values or protocol numbers 19 | allowed: 20 | protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'` 21 | protos="all icmpv6 $protos tcp_udp" 22 | echo -n $protos 23 | 24 | val_help: txt; IPv6 protocol name from /etc/protocols (e.g. 
"tcp" or "udp") 25 | val_help: u32:0-255; IPv6 protocol number 26 | val_help: tcp_udp; Both TCP and UDP 27 | val_help: all; All IPv6 protocols 28 | val_help: !; All IPv6 protocols except for the specified name or number 29 | -------------------------------------------------------------------------------- /templates/policy/route/node.tag/rule/node.tag/protocol/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: Protocol to match (protocol name in /etc/protocols or protocol number or "all") 4 | 5 | val_help: txt; IP protocol name from /etc/protocols (e.g. "tcp" or "udp") 6 | val_help: u32:0-255; IP protocol number 7 | val_help: tcp_udp; Both TCP and UDP 8 | val_help: all; All IP protocols 9 | val_help: !; All IP protocols except for the specified name or number 10 | 11 | syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type protocol_negate '$VAR(@)'`\" ] \ 12 | && [ \"$VAR(@)\" != 'tcp_udp' ]; then \ 13 | echo invalid protocol \"$VAR(@)\" ; \ 14 | exit 1 ; \ 15 | fi ; " 16 | 17 | # Provide some help for command completion. Doesn't return negated 18 | # values or protocol numbers 19 | allowed: 20 | protos=`cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }' | grep -v '6'` 21 | protos="all $protos tcp_udp" 22 | echo -n $protos 23 | -------------------------------------------------------------------------------- /templates/firewall/broadcast-ping/node.def: -------------------------------------------------------------------------------- 1 | # icmp_echo_ignore_broadcasts 2 | # default value - 1 3 | # If set non-zero, then the kernel will ignore all 4 | # ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast. 
5 | 6 | type: txt 7 | 8 | help: Policy for handling broadcast IPv4 ICMP echo and timestamp requests 9 | 10 | val_help: disable; Disable processing of broadcast IPv4 ICMP echo/timestamp requests 11 | val_help: enable; Enable processing of broadcast IPv4 ICMP echo/timestamp requests 12 | 13 | default: "disable" 14 | 15 | syntax:expression: $VAR(@) in "enable", "disable"; "broadcast-ping must be enable or disable" 16 | 17 | update: 18 | if [ x$VAR(@) == xenable ]; then 19 | sudo sh -c "echo 0 > \ 20 | /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" 21 | else 22 | sudo sh -c "echo 1 > \ 23 | /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" 24 | fi 25 | 26 | delete: 27 | sudo sh -c "echo 1 > \ 28 | /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" 29 | 30 | -------------------------------------------------------------------------------- /templates/firewall/group/port-group/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | priority: 200 3 | type: txt 4 | help: Firewall port-group 5 | 6 | syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ 7 | "Firewall group name must be 31 characters or less" 8 | 9 | syntax:expression: pattern $VAR(@) "^[^-]" ; \ 10 | "Firewall group name cannot start with \"-\"" 11 | 12 | syntax:expression: pattern $VAR(@) "^[^!]" ; \ 13 | "Firewall group name cannot start with \"!\"" 14 | 15 | syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ 16 | "Firewall group name cannot contain shell punctuation" 17 | 18 | commit:expression:exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=check-duplicates --set-name=$VAR(@) --set-type=port --set-family=inet"; \ 19 | "There are duplicates inside port-group $VAR(@)" 20 | 21 | end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ 22 | --set-name="$VAR(@)" --set-type=port --set-family=inet; then 23 | ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group port-group $VAR(@)" 24 | fi 25 | 
-------------------------------------------------------------------------------- /templates/firewall/group/address-group/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | priority: 200 3 | type: txt 4 | help: Firewall address-group 5 | 6 | syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ 7 | "Firewall group name must be 31 characters or less" 8 | 9 | syntax:expression: pattern $VAR(@) "^[^-]" ; \ 10 | "Firewall group name cannot start with \"-\"" 11 | 12 | syntax:expression: pattern $VAR(@) "^[^!]" ; \ 13 | "Firewall group name cannot start with \"!\"" 14 | 15 | syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ 16 | "Firewall group name cannot contain shell punctuation" 17 | 18 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ 19 | --set-type=address --set-family=inet"; \ 20 | "Firewall group name already used as Ipv6 group address" 21 | 22 | end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ 23 | --set-name="$VAR(@)" --set-type=address --set-family=inet; then 24 | ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group address-group $VAR(@)" 25 | fi 26 | -------------------------------------------------------------------------------- /templates/firewall/group/network-group/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | priority: 200 3 | type: txt 4 | help: Firewall network-group 5 | 6 | syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ 7 | "Firewall group name must be 31 characters or less" 8 | 9 | syntax:expression: pattern $VAR(@) "^[^-]" ; \ 10 | "Firewall group name cannot start with \"-\"" 11 | 12 | syntax:expression: pattern $VAR(@) "^[^!]" ; \ 13 | "Firewall group name cannot start with \"!\"" 14 | 15 | syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ 16 | "Firewall group name cannot contain shell punctuation" 17 | 18 | 
syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ 19 | --set-type=network --set-family=inet"; \ 20 | "Firewall group name already used as Ipv6 group address" 21 | 22 | end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ 23 | --set-name="$VAR(@)" --set-type=network --set-family=inet; then 24 | ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group network-group $VAR(@)" 25 | fi 26 | 27 | -------------------------------------------------------------------------------- /templates/firewall/group/ipv6-address-group/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | priority: 200 3 | type: txt 4 | help: Firewall ipv6-address-group 5 | 6 | syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ 7 | "Firewall group name must be 31 characters or less" 8 | 9 | syntax:expression: pattern $VAR(@) "^[^-]" ; \ 10 | "Firewall group name cannot start with \"-\"" 11 | 12 | syntax:expression: pattern $VAR(@) "^[^!]" ; \ 13 | "Firewall group name cannot start with \"!\"" 14 | 15 | syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ 16 | "Firewall group name cannot contain shell punctuation" 17 | 18 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ 19 | --set-type=address --set-family=inet6"; \ 20 | "Firewall group name already used as Ipv4 group address" 21 | 22 | end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ 23 | --set-name="$VAR(@)" --set-type=address --set-family=inet6; then 24 | ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-address-group $VAR(@)" 25 | fi 26 | -------------------------------------------------------------------------------- /templates/firewall/group/ipv6-network-group/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | priority: 200 3 | type: txt 4 | help: Firewall 
ipv6-network-group 5 | 6 | syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,31}$" ; \ 7 | "Firewall group name must be 31 characters or less" 8 | 9 | syntax:expression: pattern $VAR(@) "^[^-]" ; \ 10 | "Firewall group name cannot start with \"-\"" 11 | 12 | syntax:expression: pattern $VAR(@) "^[^!]" ; \ 13 | "Firewall group name cannot start with \"!\"" 14 | 15 | syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ 16 | "Firewall group name cannot contain shell punctuation" 17 | 18 | syntax:expression: exec "/opt/vyatta/sbin/vyatta-ipset.pl --action=is-group-defined --set-name=$VAR(@) \ 19 | --set-type=network --set-family=inet6"; \ 20 | "Firewall group name already used as Ipv4 group address" 21 | 22 | end: if sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=update-set \ 23 | --set-name="$VAR(@)" --set-type=network --set-family=inet6; then 24 | ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall group ipv6-network-group $VAR(@)" 25 | fi 26 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/set/tcp-mss/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: TCP Maximum Segment Size 3 | 4 | syntax:expression: 5 | exec " 6 | if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \ 7 | if [ $VAR(@) == \"pmtu\" ]; then \ 8 | exit 0; \ 9 | fi; \ 10 | else \ 11 | if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \ 12 | ( $VAR(@) -ge \"500\" ) && \ 13 | ( $VAR(@) -le \"1460\" ) ]]; then \ 14 | exit 0; \ 15 | fi; \ 16 | fi; \ 17 | echo Value must be \\'pmtu\\' or a number between 500 and 1460; \ 18 | exit 1" 19 | 20 | val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 60 bytes 21 | val_help: 500-1460; Explicitly set TCP MSS value 22 | -------------------------------------------------------------------------------- /debian/vyatta-cfg-firewall.install: -------------------------------------------------------------------------------- 
1 | etc/modprobe.d 2 | opt/vyatta/sbin 3 | opt/vyatta/etc 4 | opt/vyatta/share/perl5 5 | opt/vyatta/share/vyatta-cfg/templates/firewall 6 | opt/vyatta/share/vyatta-cfg/templates/policy 7 | opt/vyatta/share/vyatta-cfg/templates/interfaces/bonding 8 | opt/vyatta/share/vyatta-cfg/templates/interfaces/bridge 9 | opt/vyatta/share/vyatta-cfg/templates/interfaces/dummy 10 | opt/vyatta/share/vyatta-cfg/templates/interfaces/ethernet 11 | opt/vyatta/share/vyatta-cfg/templates/interfaces/input 12 | opt/vyatta/share/vyatta-cfg/templates/interfaces/macsec 13 | opt/vyatta/share/vyatta-cfg/templates/interfaces/openvpn 14 | opt/vyatta/share/vyatta-cfg/templates/interfaces/pppoe 15 | opt/vyatta/share/vyatta-cfg/templates/interfaces/pseudo-ethernet 16 | opt/vyatta/share/vyatta-cfg/templates/interfaces/tunnel 17 | opt/vyatta/share/vyatta-cfg/templates/interfaces/vti 18 | opt/vyatta/share/vyatta-cfg/templates/interfaces/wireless 19 | opt/vyatta/share/vyatta-cfg/templates/interfaces/wwan 20 | opt/vyatta/share/vyatta-cfg/templates/interfaces/l2tpv3 21 | opt/vyatta/share/vyatta-cfg/templates/interfaces/vxlan 22 | opt/vyatta/share/vyatta-cfg/templates/interfaces/wireguard 23 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | priority: 210 3 | 4 | type: txt 5 | 6 | syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \ 7 | "Policy ipv6-route rule set name must be 28 characters or less" 8 | syntax:expression: pattern $VAR(@) "^[^-]" ; \ 9 | "Policy ipv6-route rule set name cannot start with \"-\"" 10 | syntax:expression: pattern $VAR(@) "^[^;]*$" ; \ 11 | "Policy ipv6-route rule set name cannot contain ';'" 12 | syntax:expression: ! 
pattern $VAR(@) "^VZONE" ; \ 13 | "Policy ipv6-route rule set name cannot start with 'VZONE'" 14 | 15 | end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy ipv6-route" "$VAR(@)" ; 16 | then 17 | if [ ${COMMIT_ACTION} = 'DELETE' ] ; 18 | then 19 | if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy ipv6-route" ; 20 | then 21 | sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy ipv6-route" 22 | fi 23 | fi 24 | else 25 | exit 1; 26 | fi 27 | 28 | create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "policy ipv6-route" 29 | 30 | help: IPv6 policy route rule set name 31 | -------------------------------------------------------------------------------- /templates/firewall/ip-src-route/node.def: -------------------------------------------------------------------------------- 1 | # accept_source_route 2 | # default - 0 3 | # Accept packets with SRR option. conf/all/accept_source_route and 4 | # conf/[interface]/accept_source_route must be set to TRUE 5 | # to accept packets with SRR option on the interface 6 | 7 | type: txt 8 | 9 | help: Policy for handling IPv4 packets with source route option 10 | 11 | val_help: enable; Enable processing of IPv4 packets with source route option 12 | val_help: disable; Disable processing of IPv4 packets with source route option 13 | 14 | default: "disable" 15 | 16 | syntax:expression: $VAR(@) in "enable", "disable"; "ip-src-route must be enable or disable" 17 | 18 | update: 19 | if [ x$VAR(@) == xenable ]; then 20 | array=(`ls /proc/sys/net/ipv4/conf/`) 21 | array_len=${#array[*]} 22 | i=0 23 | while [ $i -lt $array_len ]; do 24 | sudo sh -c "echo 1 > \ 25 | /proc/sys/net/ipv4/conf/${array[$i]%:*}/accept_source_route" 26 | let i++ 27 | done 28 | else 29 | sudo sh -c "echo 0 > \ 30 | /proc/sys/net/ipv4/conf/all/accept_source_route" 31 | fi 32 | 33 | delete: 34 | sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route" 35 | 
-------------------------------------------------------------------------------- /templates/policy/route/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | priority: 201 3 | 4 | type: txt 5 | 6 | syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \ 7 | "Policy route rule set name must be 28 characters or less" 8 | syntax:expression: pattern $VAR(@) "^[^-]" ; \ 9 | "Policy route rule set name cannot start with \"-\"" 10 | syntax:expression: pattern $VAR(@) "^[^;]*$" ; \ 11 | "Policy route rule set name cannot contain ';'" 12 | syntax:expression: ! pattern $VAR(@) "^VZONE" ; \ 13 | "Policy route rule set name cannot start with 'VZONE'" 14 | 15 | end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy route" "$VAR(@)" ; 16 | then 17 | if [ ${COMMIT_ACTION} = 'DELETE' ] ; 18 | then 19 | if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy route" ; 20 | then 21 | sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy route" 22 | fi 23 | fi 24 | else 25 | exit 1; 26 | fi 27 | sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets 28 | 29 | create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "policy route" 30 | 31 | help: Policy route rule set name 32 | -------------------------------------------------------------------------------- /templates/firewall/send-redirects/node.def: -------------------------------------------------------------------------------- 1 | # send_redirects 2 | # default value - 1 3 | # send_redirects for the interface will be enabled if at least one of 4 | # conf/{all,interface}/send_redirects is set to TRUE, else it will be disabled. 
5 | 6 | 7 | type: txt 8 | 9 | help: Policy for sending IPv4 ICMP redirect messages 10 | 11 | val_help: enable; Enable sending IPv4 ICMP redirect messages 12 | val_help: disable; Disable sending IPv4 ICMP redirect messages 13 | 14 | default: "enable" 15 | 16 | syntax:expression: $VAR(@) in "enable", "disable"; "send-redirects must be enable or disable" 17 | 18 | update: 19 | if [ x$VAR(@) == xenable ]; then 20 | sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects" 21 | else 22 | # send-redirects can work when either set for 'all' or 'interface' 23 | # thus, unset all send-redirects parameters 24 | array=(`ls /proc/sys/net/ipv4/conf/`) 25 | array_len=${#array[*]} 26 | i=0 27 | while [ $i -lt $array_len ]; do 28 | sudo sh -c "echo 0 > \ 29 | /proc/sys/net/ipv4/conf/${array[$i]%:*}/send_redirects" 30 | let i++ 31 | done 32 | fi 33 | 34 | delete: 35 | sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects" 36 | -------------------------------------------------------------------------------- /templates/firewall/state-policy/node.def: -------------------------------------------------------------------------------- 1 | priority: 200 2 | help: Global firewall state-policy 3 | 4 | commit:expression: $VAR(./established) != "" || $VAR(./related) != "" 5 | || $VAR(./invalid) != ""; 6 | "No policy set for either 'established', 'related', or 'invalid' state" 7 | 8 | begin: 9 | if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \ 10 | --action=state-policy-validity-checks; then \ 11 | exit 1 12 | fi 13 | 14 | create: 15 | if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \ 16 | --action=setup-state-policy; then \ 17 | exit 1 18 | fi 19 | 20 | delete: 21 | if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \ 22 | --action=teardown-state-policy; then \ 23 | exit 1 24 | fi 25 | 26 | end: 27 | if ! /opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \ 28 | --action=set-state-actions; then \ 29 | exit 1 30 | fi 31 | if ! 
/opt/vyatta/sbin/vyatta-fw-global-state-policy.pl \ 32 | --action=enable-disable-conntrack; then \ 33 | exit 1 34 | fi 35 | ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall state-policy $VAR(@)" 36 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | This package was debianized by Bob Gilligan on 2 | Monday Dec 10, 2007 3 | 4 | Its original content is from the GIT repository 5 | 6 | Upstream Author: 7 | 8 | 9 | 10 | Copyright: 11 | 12 | Copyright (C) 2007 Vyatta, Inc. 13 | All Rights Reserved. 14 | 15 | License: 16 | 17 | This program is free software; you can redistribute it and/or modify 18 | it under the terms of the GNU General Public License as published by 19 | the Free Software Foundation; either version 2, or (at your option) 20 | any later version. 21 | 22 | This program is distributed in the hope that it will be useful, but 23 | WITHOUT ANY WARRANTY; without even the implied warranty of 24 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 25 | General Public License for more details. 26 | 27 | A copy of the GNU General Public License is available as 28 | `/usr/share/common-licenses/GPL' in the Debian GNU/Linux distribution 29 | or on the World Wide Web at `http://www.gnu.org/copyleft/gpl.html'. 30 | You can also obtain it by writing to the Free Software Foundation, 31 | Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, 32 | MA 02110-1301, USA. 33 | 34 | The Debian packaging is (C) 2007, Vyatta, Inc. and 35 | is licensed under the GPL, see above. 36 | -------------------------------------------------------------------------------- /templates/firewall/log-martians/node.def: -------------------------------------------------------------------------------- 1 | # log_martians 2 | # default value - 1 3 | # Log packets with impossible addresses to the kernel log. 
log_martians for the 4 | # interface will be enabled if at least one of conf/{all,interface}/log_martians 5 | # is set to TRUE, and disabled otherwise 6 | 7 | type: txt 8 | 9 | help: Policy for logging IPv4 packets with invalid addresses 10 | 11 | val_help: enable; Enable logging of IPv4 packets with invalid addresses 12 | val_help: disable; Disable logging of IPv4 packets with invalid addresses 13 | 14 | default: "enable" 15 | 16 | syntax:expression: $VAR(@) in "enable", "disable"; "log-martians must be enable or disable" 17 | 18 | update: 19 | if [ x$VAR(@) == xenable ]; then 20 | sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" 21 | else 22 | # log-martians is active when set for either 'all' or an individual interface; 23 | # thus, to disable it, clear the log-martians parameter on every interface, not just 'all' 24 | array=(`ls /proc/sys/net/ipv4/conf/`) 25 | array_len=${#array[*]} 26 | i=0 27 | while [ $i -lt $array_len ]; do 28 | sudo sh -c "echo 0 > \ 29 | /proc/sys/net/ipv4/conf/${array[$i]%:*}/log_martians" 30 | let i++ 31 | done 32 | fi 33 | 34 | delete: 35 | sudo sh -c "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" 36 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-receive-redirects/node.def: -------------------------------------------------------------------------------- 1 | # accept_redirects - Accept ICMPv6 redirect messages. 
2 | # default value - 0 3 | # 4 | 5 | type: txt 6 | 7 | help: Policy for handling received ICMPv6 redirect messages 8 | 9 | val_help: enable; Enable processing of received ICMPv6 redirect messages 10 | val_help: disable; Disable processing of received ICMPv6 redirect messages 11 | 12 | default: "disable" 13 | 14 | syntax:expression: $VAR(@) in "enable", "disable"; "icmpv6-receive-redirects must be enable or disable" 15 | 16 | update: 17 | if [ -d /proc/sys/net/ipv6 ]; then 18 | array=(`ls /proc/sys/net/ipv6/conf/`) 19 | array_len=${#array[*]} 20 | i=0 21 | while [ $i -lt $array_len ]; do 22 | if [ x$VAR(@) == xenable ]; then 23 | sudo sh -c "echo 1 > \ 24 | /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" 25 | else 26 | sudo sh -c "echo 0 > \ 27 | /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" 28 | fi 29 | let i++ 30 | done 31 | fi 32 | 33 | delete: 34 | if [ -d /proc/sys/net/ipv6 ]; then 35 | array=(`ls /proc/sys/net/ipv6/conf/`) 36 | array_len=${#array[*]} 37 | i=0 38 | while [ $i -lt $array_len ]; do 39 | sudo sh -c "echo 0 > \ 40 | /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_redirects" 41 | let i++ 42 | done 43 | fi 44 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | cfgdir = $(datadir)/vyatta-cfg/templates 2 | share_perl5dir = /opt/vyatta/share/perl5/Vyatta/IpTables 3 | curverdir = $(sysconfdir)/config-migrate/current 4 | modprobedir = /etc/modprobe.d 5 | 6 | modprobe_DATA = etc/modprobe.d/vyatta_xt_recent.conf 7 | modprobe_DATA += etc/modprobe.d/vyatta_ipset.conf 8 | 9 | sbin_SCRIPTS = 10 | curver_DATA = cfg-version/firewall@6 11 | 12 | sbin_SCRIPTS += scripts/firewall/vyatta-firewall.pl 13 | sbin_SCRIPTS += scripts/firewall/vyatta-firewall-trap.pl 14 | sbin_SCRIPTS += scripts/firewall/firewall.init 15 | sbin_SCRIPTS += scripts/firewall/vyatta-ipset.pl 16 | sbin_SCRIPTS += 
scripts/firewall/vyatta-fw-global-state-policy.pl 17 | sbin_SCRIPTS += scripts/firewall/valid_port_range.pl 18 | 19 | share_perl5_DATA = lib/Vyatta/IpTables/Rule.pm 20 | share_perl5_DATA += lib/Vyatta/IpTables/AddressFilter.pm 21 | share_perl5_DATA += lib/Vyatta/IpTables/IpSet.pm 22 | share_perl5_DATA += lib/Vyatta/IpTables/Mgr.pm 23 | 24 | cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \ 25 | cpio -0pdu 26 | 27 | 28 | all-local: 29 | ./gen-interface-templates.pl 30 | ./gen-interface-policy-templates.pl 31 | 32 | clean-local: 33 | rm -rf generated-templates 34 | 35 | install-exec-hook: 36 | mkdir -p $(DESTDIR)$(cfgdir) 37 | cd templates; $(cpiop) $(DESTDIR)$(cfgdir); cd .. 38 | cd generated-templates; $(cpiop) $(DESTDIR)$(cfgdir); cd .. 39 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.def: -------------------------------------------------------------------------------- 1 | tag: 2 | priority: 210 3 | 4 | type: txt 5 | 6 | syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,28}$" ; \ 7 | "Firewall name must be 28 characters or less" 8 | syntax:expression: pattern $VAR(@) "^[^-]" ; \ 9 | "Firewall rule set name cannot start with \"-\"" 10 | syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \ 11 | "Firewall rule set name cannot contain shell punctuation" 12 | syntax:expression: ! 
pattern $VAR(@) "^VZONE" ; \ 13 | "Firewall rule set name cannot start with 'VZONE'" 14 | 15 | end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall ipv6-name" "$VAR(@)" ; 16 | then 17 | if [ ${COMMIT_ACTION} = 'DELETE' ] ; 18 | then 19 | if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall ipv6-name" ; 20 | then 21 | if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall ipv6-name"; then 22 | ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" 23 | fi 24 | fi 25 | else 26 | ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall ipv6-name $VAR(@)" 27 | fi 28 | else 29 | exit 1; 30 | fi 31 | sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets 32 | 33 | create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup ip6tables "firewall ipv6-name" 34 | 35 | help: IPv6 firewall rule-set name 36 | -------------------------------------------------------------------------------- /templates/firewall/source-validation/node.def: -------------------------------------------------------------------------------- 1 | # rp_filter 2 | # default value - 0 3 | # conf/all/rp_filter and conf/[interface]/rp_filter both must be set to 4 | # a value greater than 0 to do source validation on the interface 5 | 6 | 7 | type: txt 8 | 9 | help: Policy for source validation by reversed path, as specified in RFC3704 10 | 11 | val_help: strict; Enable Strict Reverse Path Forwarding as defined in RFC3704 12 | val_help: loose; Enable Loose Reverse Path Forwarding as defined in RFC3704 13 | val_help: disable; No source validation 14 | 15 | default: "disable" 16 | 17 | syntax:expression: $VAR(@) in "strict", "loose", "disable"; "source-validation must be set to 'loose', 'strict' or 'disable'" 18 | 19 | update: 20 | array=(`ls /proc/sys/net/ipv4/conf/`) 21 | array_len=${#array[*]} 22 | i=0 23 | if [ x$VAR(@) == xstrict ]; then 24 | while [ $i -lt $array_len ]; do 25 | sudo sh -c "echo 1 > \ 26 | 
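/proc/sys/net/ipv4/conf/${array[$i]%:*}/rp_filter"
        let i++
    done
elif [ x$VAR(@) == xloose ]; then
    while [ $i -lt $array_len ]; do
        sudo sh -c "echo 2 > /proc/sys/net/ipv4/conf/${array[$i]%:*}/rp_filter"
        let i++
    done
else
    # 'disable' has to undo what 'strict'/'loose' did.  Those branches write a
    # non-zero value into every conf/<entry>/rp_filter, and the kernel's
    # ip-sysctl documentation defines the effective rp_filter of an interface
    # as the larger of conf/all and conf/<interface>, so clearing conf/all
    # alone can leave source validation active on interfaces that still hold
    # 1 or 2.  Clear every entry, exactly like the branches above set them.
    while [ $i -lt $array_len ]; do
        sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/${array[$i]%:*}/rp_filter"
        let i++
    done
fi

delete:
# Same as 'disable': clear conf/all and every per-interface entry, not just
# conf/all (see the note on the 'disable' branch of update: above).
array=(`ls /proc/sys/net/ipv4/conf/`)
array_len=${#array[*]}
i=0
while [ $i -lt $array_len ]; do
    sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/${array[$i]%:*}/rp_filter"
    let i++
done
--------------------------------------------------------------------------------
/templates/firewall/ipv6-src-route/node.def:
--------------------------------------------------------------------------------
# accept_source_route - Text
# Accept source routing (routing extension header).
#
# enable: Accept only routing header type 2.
# disable: Do not accept routing header.
#
# Default: disable
#
# Values written below: 0 = accept routing header type 2 only (enable),
# -1 = do not accept any routing header (disable).  The value is applied to
# every entry listed under /proc/sys/net/ipv6/conf/.

type: txt

help: Policy for handling IPv6 packets with routing extension header

val_help: enable; Enable processing of IPv6 packets with routing header type 2
val_help: disable; Disable processing of IPv6 packets with routing header

default: "disable"

syntax:expression: $VAR(@) in "enable", "disable"; "ipv6-src-route must be enable or disable"

update:
# Nothing to do on a kernel without IPv6 support.
if [ -d /proc/sys/net/ipv6 ]; then
    array=(`ls /proc/sys/net/ipv6/conf/`)
    array_len=${#array[*]}
    i=0
    while [ $i -lt $array_len ]; do
        if [ x$VAR(@) == xenable ]; then
            sudo sh -c "echo 0 > /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route"
        else
            sudo sh -c "echo -1 > /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route"
        fi
        let i++
    done
fi

delete:
# Removing the node restores the default, i.e. no routing header is accepted.
if [ -d /proc/sys/net/ipv6 ]; then
    array=(`ls /proc/sys/net/ipv6/conf/`)
    array_len=${#array[*]}
    i=0
    while [ $i -lt $array_len ]; do
        sudo sh -c "echo -1 > /proc/sys/net/ipv6/conf/${array[$i]%:*}/accept_source_route"
        let i++
    done
fi
--------------------------------------------------------------------------------
/templates/firewall/name/node.def:
--------------------------------------------------------------------------------
# IPv4 firewall rule-set name.
#
# The name is interpolated verbatim into the shell actions below (inside a
# double-quoted argument) and is also used as an iptables chain name, which
# is why there is a reserved-name check.  Inside double quotes a backtick
# still starts a command substitution and a double quote ends the argument,
# so both are rejected in addition to the other shell punctuation.
#
# NOTE(review): these checks are a deny-list.  An allow-list such as
# ^[A-Za-z0-9_.-]+$ would be the safer long-term replacement, but it could
# reject names that existing configurations already use, so it is not
# applied here.
#
# The reserved-name pattern is anchored so that only an exact match is
# rejected ("INPUT-LAN" is a legal chain name; "INPUT" is not).  The earlier
# version of that pattern lost the '|' between MARK and FILTER across a line
# continuation, so those two names were never rejected.
tag:
priority: 210

type: txt

syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,28}$" ; \
    "Firewall name must be 28 characters or less"
syntax:expression: pattern $VAR(@) "^[^-]" ; \
    "Firewall rule set name cannot start with \"-\""
syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
    "Firewall rule set name cannot contain shell punctuation"
syntax:expression: pattern $VAR(@) "^[^`\"]*$" ; \
    "Firewall rule set name cannot contain quotes or backticks"
syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
    "Firewall rule set name cannot start with 'VZONE'"
syntax:expression: ! pattern $VAR(@) "^(PREROUTING|POSTROUTING|CONNMARK|MARK|FILTER|FORWARD|INPUT|OUTPUT|VYATTA_.*_HOOK)$" ; \
    "$VAR(@) is a reserved name"

end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "firewall name" "$VAR(@)" ;
     then
         if [ ${COMMIT_ACTION} = 'DELETE' ] ;
         then
             if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "firewall name" ;
             then
                 if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "firewall name"; then
                     ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall name $VAR(@)"
                 fi
             fi
         else
             ${vyatta_sbindir}/vyatta-firewall-trap.pl --level="firewall name $VAR(@)"
         fi
     else
         exit 1;
     fi
     sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets

create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "firewall name"

help: IPv4 firewall rule-set name
--------------------------------------------------------------------------------
/templates/policy/route/node.tag/rule/node.tag/icmp/type-name/node.def:
--------------------------------------------------------------------------------
type: txt
help: ICMP type-name
allowed:
array=(any echo-reply destination-unreachable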
network-unreachable
host-unreachable protocol-unreachable port-unreachable
fragmentation-needed source-route-failed network-unknown host-unknown
network-prohibited host-prohibited TOS-network-unreachable
TOS-host-unreachable communication-prohibited host-precedence-violation
precedence-cutoff source-quench redirect network-redirect host-redirect
TOS-network-redirect TOS-host-redirect echo-request router-advertisement
router-solicitation time-exceeded ttl-zero-during-transit
ttl-zero-during-reassembly parameter-problem ip-header-bad
required-option-missing timestamp-request timestamp-reply
address-mask-request address-mask-reply)
echo -n ${array[@]}

# Accept the value only if it is one of the names offered by allowed: above.
# The list is repeated because the two sections run as separate shell
# snippets and cannot share a variable.
syntax:expression: exec "
array=(any echo-reply destination-unreachable network-unreachable
host-unreachable protocol-unreachable port-unreachable
fragmentation-needed source-route-failed network-unknown host-unknown
network-prohibited host-prohibited TOS-network-unreachable
TOS-host-unreachable communication-prohibited host-precedence-violation
precedence-cutoff source-quench redirect network-redirect host-redirect
TOS-network-redirect TOS-host-redirect echo-request router-advertisement
router-solicitation time-exceeded ttl-zero-during-transit
ttl-zero-during-reassembly parameter-problem ip-header-bad
required-option-missing timestamp-request timestamp-reply
address-mask-request address-mask-reply)
for name in ${array[@]}; do
    if [ \"$name\" == \"$VAR(@)\" ] ; then
        exit 0
    fi
done
echo Invalid ICMP type-name [$VAR(@)]
exit 1 "
--------------------------------------------------------------------------------
/templates/firewall/receive-redirects/node.def:
--------------------------------------------------------------------------------
# accept_redirects - Accept ICMP redirect messages.
# default value - 0
#
# accept_redirects for the interface will be enabled if:
#
# - both conf/{all,interface}/accept_redirects are TRUE
#   in the case forwarding for the interface is enabled
# or
# - at least one of conf/{all,interface}/accept_redirects
#   is TRUE in the case forwarding for the interface is disabled
#
# accept_redirects for the interface will be disabled otherwise
#
# Security note: an accepted ICMP redirect lets an on-link sender change
# where this host sends traffic for a destination, so 'disable' (the
# default) is the safe setting on a router; enable it only deliberately.

type: txt

help: Policy for handling received IPv4 ICMP redirect messages

val_help: enable; Enable processing of received IPv4 ICMP redirect messages
val_help: disable; Disable processing of received IPv4 ICMP redirect messages

default: "disable"

syntax:expression: $VAR(@) in "enable", "disable"; "receive-redirects must be enable or disable"

update:
# Both policies write to every entry listed under conf/ (which covers 'all'
# as well as the per-interface entries); only the value differs.
case "$VAR(@)" in
    enable) value=1 ;;
    *)      value=0 ;;
esac
for entry in `ls /proc/sys/net/ipv4/conf/`; do
    sudo sh -c "echo $value > /proc/sys/net/ipv4/conf/${entry%:*}/accept_redirects"
done

delete:
# Removing the node falls back to the default: redirects are ignored.
for entry in `ls /proc/sys/net/ipv4/conf/`; do
    sudo sh -c "echo 0 > /proc/sys/net/ipv4/conf/${entry%:*}/accept_redirects"
done
--------------------------------------------------------------------------------
/debian/rules:
--------------------------------------------------------------------------------
#!/usr/bin/make -f
# -*- makefile -*-
# Sample debian/rules that uses debhelper.
# This file was originally written by Joey Hess and Craig Small.
5 | # As a special exception, when this file is copied by dh-make into a 6 | # dh-make output file, you may use that output file without restriction. 7 | # This special exception was added by Craig Small in version 0.37 of dh-make. 8 | 9 | # Uncomment this to turn on verbose mode. 10 | #export DH_VERBOSE=1 11 | 12 | # These are used for cross-compiling and for saving the configure script 13 | # from having to guess our platform (since we know it already) 14 | DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) 15 | DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) 16 | PKGDIR=$(CURDIR)/debian/tmp 17 | 18 | configure = ./configure 19 | configure += --host=$(DEB_HOST_GNU_TYPE) 20 | configure += --build=$(DEB_BUILD_GNU_TYPE) 21 | configure += --prefix=/opt/vyatta 22 | configure += --mandir=\$${prefix}/share/man 23 | configure += --infodir=\$${prefix}/share/info 24 | 25 | configure: configure.ac Makefile.am 26 | chmod +x debian/autogen.sh 27 | debian/autogen.sh 28 | 29 | config.status: configure 30 | dh_testdir 31 | rm -f config.cache 32 | $(configure) 33 | 34 | build: build-stamp 35 | 36 | build-stamp: config.status 37 | dh_testdir 38 | $(MAKE) 39 | touch $@ 40 | 41 | clean: clean-patched 42 | 43 | # Clean everything up, including everything auto-generated 44 | # at build time that needs not to be kept around in the Debian diff 45 | clean-patched: 46 | dh_testdir 47 | dh_testroot 48 | if test -f Makefile ; then $(MAKE) clean distclean ; fi 49 | rm -f build-stamp 50 | rm -f config.status config.sub config.guess config.log 51 | rm -f aclocal.m4 configure Makefile.in Makefile INSTALL 52 | rm -rf config 53 | dh_clean 54 | 55 | install: build 56 | dh_testdir 57 | dh_testroot 58 | dh_clean -k 59 | dh_installdirs 60 | 61 | $(MAKE) DESTDIR=$(PKGDIR) install 62 | 63 | for p in vyatta-cfg-firewall vyatta-cfg-firewall-serial; do \ 64 | install -D --mode=0644 debian/$$p.lintian-overrides \ 65 | debian/$$p/usr/share/lintian/overrides/$$p; \ 66 | 
done 67 | 68 | # Build architecture-independent files here. 69 | binary-indep: build install 70 | rm -f debian/files 71 | dh_testdir 72 | dh_testroot 73 | dh_installchangelogs ChangeLog 74 | dh_installdocs 75 | dh_install --sourcedir=debian/tmp 76 | dh_installdebconf 77 | dh_link 78 | dh_strip 79 | dh_compress 80 | dh_fixperms 81 | dh_installdeb 82 | if [ -f "../.VYOS_DEV_BUILD" ]; then \ 83 | dh_gencontrol -- -v999.dev; \ 84 | else \ 85 | dh_gencontrol; \ 86 | fi 87 | dh_md5sums 88 | dh_builddeb 89 | 90 | # Build architecture-dependent files here. 91 | binary-arch: build install 92 | # This is an architecture independent package 93 | # so; we have nothing to do by default. 94 | 95 | binary: binary-indep binary-arch 96 | .PHONY: build clean binary-indep binary-arch binary install 97 | -------------------------------------------------------------------------------- /templates/firewall/name/node.tag/rule/node.tag/icmp/type-name/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | help: ICMP type-name 3 | allowed: 4 | array=(any echo-reply pong destination-unreachable network-unreachable 5 | host-unreachable protocol-unreachable port-unreachable 6 | fragmentation-needed source-route-failed network-unknown host-unknown 7 | network-prohibited host-prohibited TOS-network-unreachable 8 | TOS-host-unreachable communication-prohibited host-precedence-violation 9 | precedence-cutoff source-quench redirect network-redirect host-redirect 10 | TOS-network-redirect TOS-host-redirect echo-request ping router-advertisement 11 | router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit 12 | ttl-zero-during-reassembly parameter-problem ip-header-bad 13 | required-option-missing timestamp-request timestamp-reply 14 | address-mask-request address-mask-reply) 15 | echo -n ${array[@]} 16 | 17 | syntax:expression: exec " 18 | array=(any echo-reply pong destination-unreachable network-unreachable 19 | host-unreachable 
protocol-unreachable port-unreachable 20 | fragmentation-needed source-route-failed network-unknown host-unknown 21 | network-prohibited host-prohibited TOS-network-unreachable 22 | TOS-host-unreachable communication-prohibited host-precedence-violation 23 | precedence-cutoff source-quench redirect network-redirect host-redirect 24 | TOS-network-redirect TOS-host-redirect echo-request ping router-advertisement 25 | router-solicitation time-exceeded ttl-exceeded ttl-zero-during-transit 26 | ttl-zero-during-reassembly parameter-problem ip-header-bad 27 | required-option-missing timestamp-request timestamp-reply 28 | address-mask-request address-mask-reply) 29 | len=${#array[*]} 30 | i=0 31 | while [ $i -lt $len ]; do 32 | if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then 33 | exit 0 34 | fi 35 | let i++ 36 | done 37 | echo Invalid ICMP type-name [$VAR(@)] 38 | exit 1 " 39 | 40 | val_help: any; Any ICMP type/code 41 | val_help: echo-reply (pong); ICMP type/code name 42 | val_help: destination-unreachable; ICMP type/code name 43 | val_help: _ network-unreachable; ICMP type/code name 44 | val_help: _ host-unreachable; ICMP type/code name 45 | val_help: _ protocol-unreachable; ICMP type/code name 46 | val_help: _ port-unreachable; ICMP type/code name 47 | val_help: _ fragmentation-needed; ICMP type/code name 48 | val_help: _ source-route-failed; ICMP type/code name 49 | val_help: _ network-unknown; ICMP type/code name 50 | val_help: _ host-unknown; ICMP type/code name 51 | val_help: _ network-prohibited; ICMP type/code name 52 | val_help: _ host-prohibited; ICMP type/code name 53 | val_help: _ TOS-network-unreachable; ICMP type/code name 54 | val_help: _ TOS-host-unreachable; ICMP type/code name 55 | val_help: _ communication-prohibited; ICMP type/code name 56 | val_help: _ host-precedence-violation; ICMP type/code name 57 | val_help: _ precedence-cutoff; ICMP type/code name 58 | val_help: source-quench; ICMP type/code name 59 | val_help: redirect; ICMP type/code name 60 | 
val_help: _ network-redirect; ICMP type/code name 61 | val_help: _ host-redirect; ICMP type/code name 62 | val_help: _ TOS-network-redirect; ICMP type/code name 63 | val_help: _ TOS-host-redirect; ICMP type/code name 64 | val_help: echo-request (ping); ICMP type/code name 65 | val_help: router-advertisement; ICMP type/code name 66 | val_help: router-solicitation; ICMP type/code name 67 | val_help: time-exceeded (ttl-exceeded); ICMP type/code name 68 | val_help: _ ttl-zero-during-transit; ICMP type/code name 69 | val_help: _ ttl-zero-during-reassembly; ICMP type/code name 70 | val_help: parameter-problem; ICMP type/code name 71 | val_help: _ ip-header-bad; ICMP type/code name 72 | val_help: _ required-option-missing; ICMP type/code name 73 | val_help: timestamp-request; ICMP type/code name 74 | val_help: timestamp-reply; ICMP type/code name 75 | val_help: address-mask-request; ICMP type/code name 76 | val_help: address-mask-reply; ICMP type/code name 77 | -------------------------------------------------------------------------------- /templates/policy/ipv6-route/node.tag/rule/node.tag/icmpv6/type/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: ICMPv6 type/code 4 | 5 | val_help: destination-unreachable; ICMPv6 type/code name 6 | val_help: _ no-route; ICMPv6 type/code name 7 | val_help: _ communication-prohibited; ICMPv6 type/code name 8 | val_help: _ address-unreachable; ICMPv6 type/code name 9 | val_help: _ port-unreachable; ICMPv6 type/code name 10 | val_help: packet-too-big; ICMPv6 type/code name 11 | val_help: time-exceeded; ICMPv6 type/code name 12 | val_help: _ ttl-zero-during-transit; ICMPv6 type/code name 13 | val_help: _ ttl-zero-during-reassembly; ICMPv6 type/code name 14 | val_help: parameter-problem; ICMPv6 type/code name 15 | val_help: _ bad-header; ICMPv6 type/code name 16 | val_help: _ unknown-header-type; ICMPv6 type/code name 17 | val_help: _ unknown-option; ICMPv6 type/code name 
18 | val_help: echo-request; ICMPv6 type/code name 19 | val_help: ping; ICMPv6 type/code name 20 | val_help: echo-reply; ICMPv6 type/code name 21 | val_help: pong; ICMPv6 type/code name 22 | val_help: router-solicitation; ICMPv6 type/code name 23 | val_help: router-advertisement; ICMPv6 type/code name 24 | val_help: neighbour-solicitation; ICMPv6 type/code name 25 | val_help: neighbor-solicitation; ICMPv6 type/code name 26 | val_help: neighbour-advertisement; ICMPv6 type/code name 27 | val_help: neighbor-advertisement; ICMPv6 type/code name 28 | val_help: u32:0-255; ICMPv6 type number 29 | val_help: <0-255>/<0-255>; ICMPv6 type and code numbers 30 | 31 | allowed: 32 | array=( 33 | destination-unreachable 34 | no-route 35 | communication-prohibited 36 | address-unreachable 37 | port-unreachable 38 | packet-too-big 39 | time-exceeded 40 | ttl-zero-during-transit 41 | ttl-zero-during-reassembly 42 | parameter-problem 43 | bad-header 44 | unknown-header-type 45 | unknown-option 46 | echo-request 47 | ping 48 | echo-reply 49 | pong 50 | router-solicitation 51 | router-advertisement 52 | neighbour-solicitation 53 | neighbor-solicitation 54 | neighbour-advertisement 55 | neighbor-advertisement ) 56 | echo -n ${array[@]} 57 | 58 | syntax:expression: exec " 59 | array=( 60 | destination-unreachable 61 | no-route 62 | communication-prohibited 63 | address-unreachable 64 | port-unreachable 65 | packet-too-big 66 | time-exceeded 67 | ttl-zero-during-transit 68 | ttl-zero-during-reassembly 69 | parameter-problem 70 | bad-header 71 | unknown-header-type 72 | unknown-option 73 | echo-request 74 | ping 75 | echo-reply 76 | pong 77 | router-solicitation 78 | router-advertisement 79 | neighbour-solicitation 80 | neighbor-solicitation 81 | neighbour-advertisement 82 | neighbor-advertisement ) 83 | len=${#array[*]} 84 | i=0 85 | while [ $i -lt $len ]; do 86 | if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then 87 | exit 0 88 | fi 89 | let i++ 90 | done 91 | 92 | param=$VAR(@) 93 | 
codepart=${param##*/} 94 | if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then 95 | codepart=\"0\" 96 | fi 97 | 98 | typepart=${param%%/*} 99 | if [ -z \"$typepart\" ]; then 100 | echo \"Must specify ICMPv6 type\" 101 | exit 1 102 | fi 103 | 104 | shopt -s extglob 105 | 106 | leftover=${typepart##*([0-9])} 107 | if [ -n \"$leftover\" ]; then 108 | echo \"Invalid ICMPv6 type: $typepart\" 109 | exit 1 110 | fi 111 | 112 | leftover=${codepart##*([0-9])} 113 | if [ -n \"$leftover\" ]; then 114 | echo \"Invalid ICMPv6 code: $codepart\" 115 | exit 1 116 | fi 117 | 118 | if [ $typepart -lt 0 -o $typepart -gt 255 ]; then 119 | echo \"ICMPv6 type must be between 0 and 255\" 120 | exit 1 121 | fi 122 | 123 | if [ $codepart -lt 0 -o $codepart -gt 255 ]; then 124 | echo \"ICMPv6 code must be between 0 and 255\" 125 | exit 1 126 | fi 127 | " 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | -------------------------------------------------------------------------------- /templates/firewall/ipv6-name/node.tag/rule/node.tag/icmpv6/type/node.def: -------------------------------------------------------------------------------- 1 | type: txt 2 | 3 | help: ICMPv6 type/code 4 | 5 | val_help: destination-unreachable; ICMPv6 type/code name 6 | val_help: _ no-route; ICMPv6 type/code name 7 | val_help: _ communication-prohibited; ICMPv6 type/code name 8 | val_help: _ address-unreachable; ICMPv6 type/code name 9 | val_help: _ port-unreachable; ICMPv6 type/code name 10 | val_help: packet-too-big; ICMPv6 type/code name 11 | val_help: time-exceeded; ICMPv6 type/code name 12 | val_help: _ ttl-zero-during-transit; ICMPv6 type/code name 13 | val_help: _ ttl-zero-during-reassembly; ICMPv6 type/code name 14 | val_help: parameter-problem; ICMPv6 type/code name 15 | val_help: _ bad-header; ICMPv6 type/code name 16 | val_help: _ unknown-header-type; ICMPv6 type/code name 17 | val_help: _ unknown-option; ICMPv6 type/code name 18 | val_help: echo-request; ICMPv6 type/code name 19 | val_help: 
ping; ICMPv6 type/code name 20 | val_help: echo-reply; ICMPv6 type/code name 21 | val_help: pong; ICMPv6 type/code name 22 | val_help: router-solicitation; ICMPv6 type/code name 23 | val_help: router-advertisement; ICMPv6 type/code name 24 | val_help: neighbour-solicitation; ICMPv6 type/code name 25 | val_help: neighbor-solicitation; ICMPv6 type/code name 26 | val_help: neighbour-advertisement; ICMPv6 type/code name 27 | val_help: neighbor-advertisement; ICMPv6 type/code name 28 | val_help: redirect; ICMPv6 type/code name 29 | val_help: u32:0-255; ICMPv6 type number 30 | val_help: <0-255>/<0-255>; ICMPv6 type and code numbers 31 | 32 | allowed: 33 | array=( 34 | destination-unreachable 35 | no-route 36 | communication-prohibited 37 | address-unreachable 38 | port-unreachable 39 | packet-too-big 40 | time-exceeded 41 | ttl-zero-during-transit 42 | ttl-zero-during-reassembly 43 | parameter-problem 44 | bad-header 45 | unknown-header-type 46 | unknown-option 47 | echo-request 48 | ping 49 | echo-reply 50 | pong 51 | router-solicitation 52 | router-advertisement 53 | neighbour-solicitation 54 | neighbor-solicitation 55 | neighbour-advertisement 56 | neighbor-advertisement 57 | redirect ) 58 | echo -n ${array[@]} 59 | 60 | syntax:expression: exec " 61 | array=( 62 | destination-unreachable 63 | no-route 64 | communication-prohibited 65 | address-unreachable 66 | port-unreachable 67 | packet-too-big 68 | time-exceeded 69 | ttl-zero-during-transit 70 | ttl-zero-during-reassembly 71 | parameter-problem 72 | bad-header 73 | unknown-header-type 74 | unknown-option 75 | echo-request 76 | ping 77 | echo-reply 78 | pong 79 | router-solicitation 80 | router-advertisement 81 | neighbour-solicitation 82 | neighbor-solicitation 83 | neighbour-advertisement 84 | neighbor-advertisement 85 | redirect ) 86 | len=${#array[*]} 87 | i=0 88 | while [ $i -lt $len ]; do 89 | if [ \"${array[$i]}\" == \"$VAR(@)\" ] ; then 90 | exit 0 91 | fi 92 | let i++ 93 | done 94 | 95 | param=$VAR(@) 96 | 
codepart=${param##*/} 97 | if [ -z \"$codepart\" -o \"$codepart\" = \"$param\" ]; then 98 | codepart=\"0\" 99 | fi 100 | 101 | typepart=${param%%/*} 102 | if [ -z \"$typepart\" ]; then 103 | echo \"Must specify ICMPv6 type\" 104 | exit 1 105 | fi 106 | 107 | shopt -s extglob 108 | 109 | leftover=${typepart##*([0-9])} 110 | if [ -n \"$leftover\" ]; then 111 | echo \"Invalid ICMPv6 type: $typepart\" 112 | exit 1 113 | fi 114 | 115 | leftover=${codepart##*([0-9])} 116 | if [ -n \"$leftover\" ]; then 117 | echo \"Invalid ICMPv6 code: $codepart\" 118 | exit 1 119 | fi 120 | 121 | if [ $typepart -lt 0 -o $typepart -gt 255 ]; then 122 | echo \"ICMPv6 type must be between 0 and 255\" 123 | exit 1 124 | fi 125 | 126 | if [ $codepart -lt 0 -o $codepart -gt 255 ]; then 127 | echo \"ICMPv6 code must be between 0 and 255\" 128 | exit 1 129 | fi 130 | " 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | -------------------------------------------------------------------------------- /gen-interface-policy-templates.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | # **** License **** 4 | # This program is free software; you can redistribute it and/or modify 5 | # it under the terms of the GNU General Public License version 2 as 6 | # published by the Free Software Foundation. 7 | # 8 | # This program is distributed in the hope that it will be useful, but 9 | # WITHOUT ANY WARRANTY; without even the implied warranty of 10 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 | # General Public License for more details. 12 | # 13 | # This code was originally developed by Vyatta, Inc. 14 | # Portions created by Vyatta are Copyright (C) 2009 Vyatta, Inc. 15 | # All Rights Reserved. 16 | # 17 | # Author: Bob Gilligan (gilligan@vyatta.com) 18 | # Date: March 2009 19 | # Description: Script to automatically generate per-interface firewall 20 | # templates. 
#
# Portions copyright by VyOS maintainers and contributors, 2015.
#
# **** End License ****
#
use strict;
use warnings;

# Set to 1 to enable debug output.
#
my $debug = 0;

# Maps the root of each per-interface template tree (a partial path under the
# "interfaces/" template directory) to the $VAR(...) reference that node.def
# files generated beneath it must use to recover the interface name.  Nested
# vif trees have to climb further up the config tree, hence the longer
# references.  NOTE(review): 'multilink/node.tag/vif/node.tag' only refers to
# the parent node, unlike the other vif entries; this looks intentional but
# is worth confirming.
#
my %interface_hash = (
    'bonding/node.tag'                                        => '$VAR(../../@)',
    'bonding/node.tag/vif-s/node.tag'                         => '$VAR(../../../@).$VAR(../../@)',
    'bonding/node.tag/vif-s/node.tag/vif-c/node.tag'          => '$VAR(../../../../@).$VAR(../../../@).$VAR(../../@)',
    'bonding/node.tag/vif/node.tag'                           => '$VAR(../../../@).$VAR(../../@)',
    'bridge/node.tag'                                         => '$VAR(../../@)',
    'bridge/node.tag/vif/node.tag'                            => '$VAR(../../../@).$VAR(../../@)',
    'dummy/node.tag'                                          => '$VAR(../../@)',
    'ethernet/node.tag'                                       => '$VAR(../../@)',
    'ethernet/node.tag/vif-s/node.tag'                        => '$VAR(../../../@).$VAR(../../@)',
    'ethernet/node.tag/vif-s/node.tag/vif-c/node.tag'         => '$VAR(../../../../@).$VAR(../../../@).$VAR(../../@)',
    'ethernet/node.tag/vif/node.tag'                          => '$VAR(../../../@).$VAR(../../@)',
    'input/node.tag'                                          => '$VAR(../../@)',
    'l2tpv3/node.tag'                                         => '$VAR(../../@)',
    'multilink/node.tag/vif/node.tag'                         => '$VAR(../../../@)',
    'macsec/node.tag'                                         => '$VAR(../../@)',
    'openvpn/node.tag'                                        => '$VAR(../../@)',
    'pppoe/node.tag'                                          => '$VAR(../../@)',
    'pseudo-ethernet/node.tag'                                => '$VAR(../../@)',
    'pseudo-ethernet/node.tag/vif-s/node.tag'                 => '$VAR(../../../@).$VAR(../../@)',
    'pseudo-ethernet/node.tag/vif-s/node.tag/vif-c/node.tag'  => '$VAR(../../../../@).$VAR(../../../@).$VAR(../../@)',
    'pseudo-ethernet/node.tag/vif/node.tag'                   => '$VAR(../../../@).$VAR(../../@)',
    'tunnel/node.tag'                                         => '$VAR(../../@)',
    'vti/node.tag'                                            => '$VAR(../../@)',
    'vxlan/node.tag'                                          => '$VAR(../../@)',
    'wireless/node.tag'                                       => '$VAR(../../@)',
    'wireless/node.tag/vif/node.tag'                          => '$VAR(../../../@).$VAR(../../@)',
    'wwan/node.tag'                                           => '$VAR(../../@)',
    'wireguard/node.tag'                                      => '$VAR(../../@)',
);

# Directory the generated templates are written to.
my $template_subdir = "generated-templates/interfaces";

# Name of the subtree under each interface that holds the policy templates.
my $firewall_subdir = "policy";

# Name of the template file written into every generated directory.
my $node_file = "node.def";

# Create $dir and any missing parent directories (like `mkdir -p`).
#
# Returns true when the final directory was created by this call.  Returns
# false when mkdir fails and there is no parent left to try; that includes
# the case where $dir already exists, which is why callers test -d first.
sub mkdir_p {
    my ($dir) = @_;

    return 1 if mkdir $dir;

    my $slash = rindex $dir, '/';
    return if $slash == -1;                       # no parent to fall back to

    mkdir_p( substr $dir, 0, $slash ) or return;  # parent could not be made
    return mkdir $dir;
}

# Write the template that sits at the root of an interface's policy tree.
# It carries nothing but the help text for that node.  Dies if the directory
# or the file cannot be created.
#
sub gen_firewall_template {
    my ($if_tree) = @_;

    my $dir  = join '/', $template_subdir, $if_tree, $firewall_subdir;
    my $file = "$dir/$node_file";

    unless ( -d $dir ) {
        mkdir_p($dir) or die "Can't make directory $dir: $!";
    }

    open my $out, '>', $file or die "Can't create $file: $!";
    print {$out} "help: Policy route options\n";
    close $out or die "Can't write $file: $!";
}

# Human-readable description of each ruleset type, used in help messages.
#
my %table_help_hash = (
    "route"      => "IPv4 policy route",
    "ipv6-route" => "IPv6 policy route",
);

# Config path associated with each ruleset type.  The values carry their own
# double quotes; presumably they are pasted into generated shell actions —
# see gen_template below to confirm.
my %config_association_hash = (
    "route"      => "\"policy route\"",
    "ipv6-route" => "\"policy ipv6-route\"",
);

# Generate the template file at the leaf of the per-interface firewall tree.
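# This template contains all the code to activate or deactivate a firewall
# ruleset on an interface for a particular ruleset type and direction.
#
sub gen_template {
    my ( $if_tree, $table, $if_name ) = @_;

    if ($debug) {
        print "debug: table=$table\n";
    }

    my $template_dir =
        "${template_subdir}/${if_tree}/${firewall_subdir}/${table}";

    if ($debug) {
        print "debug: template_dir=$template_dir\n";
    }

    ( -d $template_dir) or mkdir_p($template_dir)
        or die "Can't make directory $template_dir: $!";

    open my $tp, '>', "${template_dir}/${node_file}"
        or die "Can't open ${template_dir}/${node_file}:$!";

    print $tp <
# Description: firewall init
# this is an indirect init sub-script executed by ofr.init
#
# **** End License ****

prefix=@prefix@
exec_prefix=@exec_prefix@
bindir=@bindir@
sbindir=@sbindir@

export PATH=/usr/bin:/usr/sbin:/bin:/sbin:$bindir:$sbindir

. /lib/lsb/init-functions

ACTION=$1

# Conntrack / NAT helper modules loaded unconditionally on start.
declare -a modules=(
    nf_conntrack
    nf_conntrack_ftp
    nf_conntrack_tftp
    nf_nat
    nf_nat_tftp
    nf_nat_sip
    nf_nat_h323
    nf_nat_pptp)

# Modules only needed when the kernel has IPv6 support.
declare -a modulesv6=(
    ip6t_NPT)

## setup firewall & nat conntrack modules
#
# Builds the skeleton the rest of the firewall code hangs rules on:
#   - raw table: VYATTA_CT_IGNORE, VYATTA_CT_TIMEOUT, VYATTA_CT_HELPER and the
#     VYATTA_CT_*_HOOK chains, followed by an unconditional NOTRACK, so by
#     default nothing is connection-tracked until a hook opts traffic in.
#   - filter table: VYATTA_PRE_FW_*_HOOK (RETURN) at the head of
#     INPUT/FORWARD/OUTPUT and VYATTA_POST_FW_*_HOOK (ACCEPT) at the tail.
#     Because the post-FW hooks end in ACCEPT, traffic that reaches the end of
#     a builtin chain is accepted unless something inserted between the two
#     hooks drops it.
#   - nat/mangle hooks for pre-DNAT, pre-SNAT and NPTv6.
# Commands are not checked for failure; a failed iptables/nfct call is logged
# by the tool itself and the script carries on.
start () {
    for mod in "${modules[@]}" ; do
        modprobe --syslog "$mod"
    done
    # raw table ignore connection tracking chain
    iptables -t raw -N VYATTA_CT_IGNORE
    iptables -t raw -A VYATTA_CT_IGNORE -j RETURN

    # conection tracking timeout chain
    iptables -t raw -N VYATTA_CT_TIMEOUT
    iptables -t raw -A VYATTA_CT_TIMEOUT -j RETURN

    # user space helpers chain, enables helpers using iptables --helper.
    # FTP, sip and h323 to use this chain later on.
    # Helper assignment here is by destination port only; the chain is
    # created but not attached to a builtin chain in this script.
    iptables -t raw -N VYATTA_CT_HELPER
    /usr/sbin/nfct helper add rpc inet tcp
    /usr/sbin/nfct helper add rpc inet udp
    /usr/sbin/nfct helper add tns inet tcp
    iptables -t raw -I VYATTA_CT_HELPER -p tcp --dport 111 -j CT --helper rpc
    iptables -t raw -I VYATTA_CT_HELPER -p udp --dport 111 -j CT --helper rpc
    iptables -t raw -I VYATTA_CT_HELPER -p tcp --dport 1521 -j CT --helper tns
    iptables -t raw -I VYATTA_CT_HELPER -p tcp --dport 1525 -j CT --helper tns
    iptables -t raw -I VYATTA_CT_HELPER -p tcp --dport 1536 -j CT --helper tns
    iptables -t raw -A VYATTA_CT_HELPER -j RETURN

    # set up notrack chains/rules for IPv4
    # by default, nothing is tracked.
    iptables -t raw -N VYATTA_CT_PREROUTING_HOOK
    iptables -t raw -A VYATTA_CT_PREROUTING_HOOK -j RETURN
    iptables -t raw -A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
    iptables -t raw -A PREROUTING -j NOTRACK
    iptables -t raw -N VYATTA_CT_OUTPUT_HOOK
    iptables -t raw -A VYATTA_CT_OUTPUT_HOOK -j RETURN
    iptables -t raw -A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
    iptables -t raw -A OUTPUT -j NOTRACK

    # set up pre-firewall hooks for IPv4
    iptables -N VYATTA_PRE_FW_IN_HOOK
    iptables -N VYATTA_PRE_FW_FWD_HOOK
    iptables -N VYATTA_PRE_FW_OUT_HOOK
    iptables -A VYATTA_PRE_FW_IN_HOOK -j RETURN
    iptables -A VYATTA_PRE_FW_FWD_HOOK -j RETURN
    iptables -A VYATTA_PRE_FW_OUT_HOOK -j RETURN
    iptables -I INPUT -j VYATTA_PRE_FW_IN_HOOK
    iptables -I FORWARD -j VYATTA_PRE_FW_FWD_HOOK
    iptables -I OUTPUT -j VYATTA_PRE_FW_OUT_HOOK

    # set up post-firewall hooks for IPv4
    iptables -N VYATTA_POST_FW_IN_HOOK
    iptables -N VYATTA_POST_FW_FWD_HOOK
    iptables -N VYATTA_POST_FW_OUT_HOOK
    iptables -A VYATTA_POST_FW_IN_HOOK -j ACCEPT
    iptables -A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
    iptables -A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
    iptables -A INPUT -j VYATTA_POST_FW_IN_HOOK
    iptables -A FORWARD -j VYATTA_POST_FW_FWD_HOOK
    iptables -A OUTPUT -j VYATTA_POST_FW_OUT_HOOK

    # set up IPV6 notrack and pre, post fw rules
    if [ -d /proc/sys/net/ipv6 ] ; then
        # Was "${modules_v6[@]}", which is never declared (the array above is
        # "modulesv6"), so this loop ran zero times and ip6t_NPT was never
        # loaded here.
        for mod in "${modulesv6[@]}" ; do
            modprobe --syslog "$mod"
        done

        # set up notrack chains/rules for IPv6
        ip6tables -t raw -N VYATTA_CT_PREROUTING_HOOK
        ip6tables -t raw -A VYATTA_CT_PREROUTING_HOOK -j RETURN
        ip6tables -t raw -A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
        ip6tables -t raw -A PREROUTING -j NOTRACK
        ip6tables -t raw -N VYATTA_CT_OUTPUT_HOOK
        ip6tables -t raw -A VYATTA_CT_OUTPUT_HOOK -j RETURN
        ip6tables -t raw -A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
        ip6tables -t raw -A OUTPUT -j NOTRACK

        # set up pre-firewall hooks for IPv6
        ip6tables -N VYATTA_PRE_FW_IN_HOOK
        ip6tables -N VYATTA_PRE_FW_FWD_HOOK
        ip6tables -N VYATTA_PRE_FW_OUT_HOOK
        ip6tables -A VYATTA_PRE_FW_IN_HOOK -j RETURN
        ip6tables -A VYATTA_PRE_FW_FWD_HOOK -j RETURN
        ip6tables -A VYATTA_PRE_FW_OUT_HOOK -j RETURN
        ip6tables -I INPUT -j VYATTA_PRE_FW_IN_HOOK
        ip6tables -I FORWARD -j VYATTA_PRE_FW_FWD_HOOK
        ip6tables -I OUTPUT -j VYATTA_PRE_FW_OUT_HOOK

        # set up post-firewall hooks for IPv6
        ip6tables -N VYATTA_POST_FW_IN_HOOK
        ip6tables -N VYATTA_POST_FW_FWD_HOOK
        ip6tables -N VYATTA_POST_FW_OUT_HOOK
        ip6tables -A VYATTA_POST_FW_IN_HOOK -j ACCEPT
        ip6tables -A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
        ip6tables -A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
        ip6tables -A INPUT -j VYATTA_POST_FW_IN_HOOK
        ip6tables -A FORWARD -j VYATTA_POST_FW_FWD_HOOK
        ip6tables -A OUTPUT -j VYATTA_POST_FW_OUT_HOOK

        # set up NPTv6 prerouting hook
        ip6tables -t mangle -N VYOS_DNPT_HOOK
        ip6tables -t mangle -A VYOS_DNPT_HOOK -j RETURN
        ip6tables -t mangle -A PREROUTING -j VYOS_DNPT_HOOK
        ip6tables -t mangle -N VYOS_SNPT_HOOK
        ip6tables -t mangle -A VYOS_SNPT_HOOK -j RETURN
        ip6tables -t mangle -A POSTROUTING -j VYOS_SNPT_HOOK
        ip6tables -t nat -N VYOS_DNPT_HOOK
        ip6tables -t nat -A VYOS_DNPT_HOOK -j RETURN
        ip6tables -t nat -A PREROUTING -j VYOS_DNPT_HOOK
        ip6tables -t nat -N VYOS_SNPT_HOOK
        ip6tables -t nat -A VYOS_SNPT_HOOK -j RETURN
        ip6tables -t nat -A POSTROUTING -j VYOS_SNPT_HOOK
        # NOTRACK hook : not needed, since every v6 connection is NOTRACK'ed for now (see a few lines up)
        # ip6tables -t raw -N VYOS_NPT_HOOK
        # ip6tables -t raw -A PREROUTING -j VYOS_NPT_HOOK

    else
        logger -t "Vyatta firewall init" -p warning "Kernel IPv6 support disabled. Not initializing IPv6 firewall"
    fi

    # set up pre-DNAT hook
    iptables -t nat -N VYATTA_PRE_DNAT_HOOK
    iptables -t nat -A VYATTA_PRE_DNAT_HOOK -j RETURN
    iptables -t nat -A PREROUTING -j VYATTA_PRE_DNAT_HOOK

    # set up pre-SNAT hook
    iptables -t nat -N VYATTA_PRE_SNAT_HOOK
    iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN
    iptables -t nat -A POSTROUTING -j VYATTA_PRE_SNAT_HOOK

    # -I places these ahead of the VYATTA_CT_*_HOOK / NOTRACK rules appended
    # above; VYATTA_CT_IGNORE is inserted last and therefore evaluates first.
    iptables -t raw -I PREROUTING -j VYATTA_CT_TIMEOUT
    iptables -t raw -I OUTPUT -j VYATTA_CT_TIMEOUT

    iptables -t raw -I PREROUTING -j VYATTA_CT_IGNORE
    iptables -t raw -I OUTPUT -j VYATTA_CT_IGNORE
    # Loosen the acceptability rules for TCP sequence and ACK numbers in
    # conntrack. This allows TCP connections through NAT to survive certain
    # cases of packet loss where conntrack can not accurately track the
    # connection state.  Trade-off: liberal mode also accepts out-of-window
    # segments into tracked flows, so it weakens conntrack's sequence checking.
    sysctl -q -w net.netfilter.nf_conntrack_tcp_be_liberal=1

    # set conntrack table size
    sysctl -q -w net.nf_conntrack_max=262144

    # set conntrack expect table size
    sysctl -q -w net.netfilter.nf_conntrack_expect_max=2048
}

case "$ACTION" in
    start) start ;;
    stop|restart|force-reload) true ;; # nothing to stop/restart
    *) log_failure_msg "action unknown: $ACTION" ;
       false ;;
esac

# Exit status of the selected branch above.
exit $?

# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End:

--------------------------------------------------------------------------------
/lib/Vyatta/IpTables/AddressFilter.pm:
--------------------------------------------------------------------------------
# Author: Vyatta
# Date: 2007
# Description: IP tables address filter

# **** License ****
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# This code was originally developed by Vyatta, Inc.
# Portions created by Vyatta are Copyright (C) 2006-2009 Vyatta, Inc.
# All Rights Reserved.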
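# **** End License ****

package Vyatta::IpTables::AddressFilter;

require Vyatta::Config;
require Vyatta::IpTables::IpSet;
use Vyatta::Misc qw(getPortRuleString);
use Vyatta::TypeChecker;

use strict;
use warnings;

# Protocols (by name or IANA number) for which a port match is meaningful.
my %_protocolswithports = (
    tcp_udp => 1,

    # 'tcp_udp' is to be allowed for nat and firewall rules only.
    # features should have syntax checks for allowing or forbiding
    # the use of 'tcp_udp' as protocol. to allow tcp_udp see syntax check
    # in protocol/node.def for NAT rules and to forbid tcp_udp see syntax
    # check in protocol/node.def for load-balancing rules
    # when allowed : tcp_udp creates 2 iptable rules - one for tcp, other for udp
    tcp => 1,
    udp => 1,
    6   => 1,
    17  => 1,
);

# Instance attributes; new() copies this hash into every object.
my %fields = (
    _srcdst        => undef,    # "source" or "destination" (name of parent node)
    _range_start   => undef,    # first address of an "a-b" range
    _range_stop    => undef,    # last address of an "a-b" range
    _network       => undef,    # address value containing "/"
    _address       => undef,    # plain address (neither range nor prefix)
    _port          => undef,
    _protocol      => undef,    # ".. protocol" of the rule
    _src_mac       => undef,    # only used when _srcdst is "source"
    _ip_version    => undef,    # "ipv4" or "ipv6"
    _address_group => undef,
    _network_group => undef,
    _port_group    => undef,
);

# Constructor.  Accepts a class name or an existing object (whose class is
# reused); every attribute starts out undef.
sub new {
    my $that  = shift;
    my $class = ref($that) || $that;
    my $self  = {%fields,};

    bless $self, $class;
    return $self;
}

# Override the address family ("ipv4"/"ipv6") set by setup_base().
sub set_ip_version {
    my ($self, $ip_version) = @_;

    $self->{_ip_version} = $ip_version;
}

# Load the filter from the config tree at $level, reading values with the
# Vyatta::Config method named by $func ("returnValue" or "returnOrigValue").
# A single "address" leaf is classified as network ("/" present), range
# ("a-b") or plain address.  Always returns 0.
sub setup_base {
    my ($self, $level, $func) = @_;
    my $config = Vyatta::Config->new;

    $config->setLevel("$level");

    # Default to IPv4.
    $self->{_ip_version} = "ipv4";

    # setup needed parent nodes
    $self->{_srcdst}   = $config->returnParent("..");
    $self->{_protocol} = $config->$func(".. protocol");

    # setup address filter nodes
    $self->{_address}     = $config->$func("address");
    $self->{_network}     = undef;
    $self->{_range_start} = undef;
    $self->{_range_stop}  = undef;
    if (defined($self->{_address})) {
        if ($self->{_address} =~ /\//) {
            $self->{_network} = $self->{_address};
            $self->{_address} = undef;
        } elsif ($self->{_address} =~ /^(?<start>[^-]+)-(?<stop>[^-]+)$/) {
            $self->{_range_start} = $+{start};
            $self->{_range_stop}  = $+{stop};
            $self->{_address}     = undef;
        }
    }

    $self->{_port}          = $config->$func("port");
    $self->{_src_mac}       = $config->$func("mac-address");
    $self->{_address_group} = $config->$func("group address-group");
    $self->{_network_group} = $config->$func("group network-group");
    $self->{_port_group}    = $config->$func("group port-group");

    return 0;
}

# Load from the proposed (uncommitted) configuration.
sub setup {
    my ($self, $level) = @_;

    $self->setup_base($level, 'returnValue');
    return 0;
}

# Load from the original (committed) configuration.
sub setupOrig {
    my ($self, $level) = @_;

    $self->setup_base($level, 'returnOrigValue');
    return 0;
}

# Debug dump of the defined attributes to STDOUT.  Always returns 0.
sub print {
    my ($self) = @_;

    print "srcdst: $self->{_srcdst}\n"           if defined $self->{_srcdst};
    print "range start: $self->{_range_start}\n" if defined $self->{_range_start};
    print "range stop: $self->{_range_stop}\n"   if defined $self->{_range_stop};
    print "network: $self->{_network}\n"         if defined $self->{_network};
    print "address: $self->{_address}\n"         if defined $self->{_address};
    print "port: $self->{_port}\n"               if defined $self->{_port};
    print "protocol: $self->{_protocol}\n"       if defined $self->{_protocol};
    print "src-mac: $self->{_src_mac}\n"         if defined $self->{_src_mac};

    return 0;
}

# Split an optional leading "!" off a match value.
# Returns ('! ', $rest) when $value starts with "!", otherwise ('', $value).
sub _split_negation {
    my ($value) = @_;
    return ('! ', $1) if $value =~ /^\!(.*)$/;
    return ('', $value);
}

# Build the iptables match fragment for this source/destination filter.
#
# Returns a two-element list: ($rule, undef) on success, where $rule is a
# string of iptables arguments (possibly empty), or (undef, $error) when a
# value fails validation or incompatible matches are combined (an explicit
# address/network/port together with a group of the same kind, or an address
# group together with a network group).
sub rule {
    my ($self)       = @_;
    my $rule         = "";
    my $can_use_port = 1;

    my ($addr_checker, $prefix_checker, $pure_addr_checker);
    my ($ip_term, $prefix_term);

    if ($self->{_ip_version} eq "ipv4") {
        # This is an IPv4 rule
        $addr_checker      = 'ipv4_negate';
        $prefix_checker    = 'ipv4net_negate';
        $pure_addr_checker = 'ipv4';
        $ip_term           = "IPv4";
        $prefix_term       = "subnet";
    } elsif ($self->{_ip_version} eq "ipv6") {
        # This is an IPv6 rule
        $addr_checker      = 'ipv6_negate';
        $prefix_checker    = 'ipv6net_negate';
        $pure_addr_checker = 'ipv6';
        $ip_term           = "IPv6";
        $prefix_term       = "prefix";
    } else {
        return (undef, "Invalid IP version: $self->{_ip_version}");
    }

    # A port match is only valid for the protocols in %_protocolswithports;
    # getPortRuleString() is told so via $can_use_port.
    if (   !defined($self->{_protocol})
        || !defined($_protocolswithports{$self->{_protocol}}))
    {
        $can_use_port = 0;
    }

    if (($self->{_srcdst} eq "source") && (defined($self->{_src_mac}))) {
        # handle src mac; a leading "!" negates the match
        my ($negate, $mac) = _split_negation($self->{_src_mac});
        $rule .= "-m mac $negate --mac-source $mac ";
    }

    # Which group kinds may still be used; cleared by the explicit matches below.
    my %group_ok = map { $_ => 1 } qw(address network port);

    # set the address filter parameters
    if (defined($self->{_network})) {
        my $str = $self->{_network};
        return (undef, "\"$str\" is not a valid $ip_term $prefix_term")
            if (!Vyatta::TypeChecker::validateType($prefix_checker, $str, 1));
        my ($negate, $net) = _split_negation($str);
        $rule .= "$negate --$self->{_srcdst} $net ";
        $group_ok{network} = 0;
    } elsif (defined($self->{_address})) {
        my $str = $self->{_address};
        return (undef, "\"$str\" is not a valid $ip_term address")
            if (!Vyatta::TypeChecker::validateType($addr_checker, $str, 1));
        my ($negate, $addr) = _split_negation($str);
        $rule .= "$negate --$self->{_srcdst} $addr ";
        $group_ok{address} = 0;
    } elsif ((defined $self->{_range_start}) && (defined $self->{_range_stop})) {
        my $start = $self->{_range_start};
        my $stop  = $self->{_range_stop};
        # Only the start of a range may carry the "!" (negating checker).
        return (undef, "\"$start-$stop\" is not a valid IP range")
            if (   !Vyatta::TypeChecker::validateType($addr_checker, $start, 1)
                || !Vyatta::TypeChecker::validateType($pure_addr_checker, $stop, 1));
        my ($negate, $start_addr) = _split_negation($start);
        if ("$self->{_srcdst}" eq "source") {
            $rule .= ("-m iprange $negate --src-range $start_addr-$stop ");
        } elsif ("$self->{_srcdst}" eq "destination") {
            $rule .= ("-m iprange $negate --dst-range $start_addr-$stop ");
        }
        $group_ok{address} = 0;
        $group_ok{network} = 0;
    }

    $group_ok{port} = 0 if defined $self->{_port};
    my ($port_str, $port_err) = getPortRuleString(
        $self->{_port}, $can_use_port,
        ($self->{_srcdst} eq "source") ? "s" : "d",
        $self->{_protocol});
    return (undef, $port_err) if (!defined($port_str));
    $rule .= $port_str;

    # Handle groups last so we can check $group_ok
    my %group_used = ('address' => 0, 'network' => 0);
    foreach my $group_type ('address', 'network', 'port') {
        my $var_name = '_' . $group_type . '_group';
        next if !defined($self->{$var_name});
        $group_used{$group_type} = 1;
        my $name = $self->{$var_name};
        if (!$group_ok{$group_type}) {
            return (undef, "Can't mix $self->{_srcdst} $group_type group [$name] and $group_type");
        }
        my $group = Vyatta::IpTables::IpSet->new($name, $group_type);
        my ($set_rule, $err_str) = $group->rule($self->{_srcdst});
        # Was "return ($err_str,)", which put the error text in the $rule
        # slot and left the error slot undef, so a caller checking
        # "defined $rule" would not see the failure.  Return it as the
        # error, like every other failure path in this sub.
        return (undef, $err_str) if !defined $set_rule;
        $rule .= $set_rule;
    }
    if ($group_used{address} and $group_used{network}) {
        return (undef, "Can't combine network and address group for $self->{_srcdst}\n");
    }
    return ($rule, undef);
}

# Write one XML element to $fh, skipping undefined values.
# NOTE(review): no closing tag is emitted and $value is written unescaped;
# confirm whether "</$name>" was lost and whether values can contain "<"/"&".
sub outputXmlElem {
    my ($name, $value, $fh) = @_;
    return if !defined $value;
    print $fh " <$name>$value\n";
}

# Emit the filter as "<prefix>_addr", "_net", "_addr_start", "_addr_stop"
# and "_port" elements.  Side effect: when no address/network/range is set,
# _address is replaced with the any-address prefix for the family
# ("0.0.0.0/0" or "::/0") before output.
sub outputXml {
    my ($self, $prefix, $fh) = @_;
    if (   !defined($self->{_address})
        && !defined($self->{_network})
        && !defined($self->{_range_start})
        && !defined($self->{_range_stop}))
    {
        if (($self->{_ip_version} eq "ipv4")) {
            $self->{_address} = "0.0.0.0/0";
        } else {
            $self->{_address} = "::/0";
        }
    }
    outputXmlElem("${prefix}_addr",       $self->{_address},     $fh);
    outputXmlElem("${prefix}_net",        $self->{_network},     $fh);
    outputXmlElem("${prefix}_addr_start", $self->{_range_start}, $fh);
    outputXmlElem("${prefix}_addr_stop",  $self->{_range_stop},  $fh);
    outputXmlElem("${prefix}_port",       $self->{_port},        $fh);
}

1;
--------------------------------------------------------------------------------
/scripts/firewall/vyatta-firewall-trap.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl
#
# Module: vyatta-firewall-trap.pl
# Description: Generate SNMP traps when firewall config changes
#
# **** License ****
# This program is free software; you can redistribute it and/or modify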
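# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# This code was originally developed by Vyatta, Inc.
# Portions created by Vyatta are Copyright (C) 2013 Vyatta, Inc.
# All Rights Reserved.
#
# **** End License ****
#

use lib "/opt/vyatta/share/perl5";
use warnings;
use strict;
use English;
use Vyatta::Config;
use Getopt::Long;
use Sys::Syslog qw(:standard :macros);
use SNMP;

# Maps node status to OID value
my %change_type_hash = ( 'unknown' => 0,
                         'added'   => 1,
                         'deleted' => 2,
                         'changed' => 3 );

# Array of Net::SNMP::TrapSession to send traps
my @snmp_sessions;

# Enable printing debug output to stdout.
my $debug_flag = 0;

# Enable sending debug output to syslog.
my $syslog_flag = 1;

my $cfglevel;

GetOptions("level=s" => \$cfglevel,
           "debug"   => \$debug_flag,
           "syslog"  => \$syslog_flag
);

openlog("firewall-trap", "pid", "user") if $syslog_flag;

# If debugging, lets see more SNMP outpyt
$SNMP::debugging = $debug_flag;

# Log an informational message to stdout (--debug) and/or syslog (--syslog).
# The message is passed as a "%s" argument, never as the format string, so
# config text containing "%" cannot be misinterpreted by syslog().
sub log_msg {
    my $message = shift;

    chomp($message);
    print "DEBUG: $message\n" if $debug_flag;
    syslog(LOG_NOTICE, "%s", $message) if $syslog_flag;
}

# Same as log_msg() at LOG_ERR priority.
sub log_err {
    my $message = shift;

    chomp($message);
    print "DEBUG: $message\n" if $debug_flag;
    syslog(LOG_ERR, "%s", $message) if $syslog_flag;
}

# Initializes an SNMP session for each configured trap-target
#
# Returns:
#   undef if no trap-targets
#   # of trap targets (counted even when a session could not be opened;
#   only successfully opened sessions are added to @snmp_sessions)
sub snmp_init {
    my ($config)  = @_;
    my $level_pfx = "service snmp trap-target";

    my @trap_targets = $config->listNodes($level_pfx);
    return unless @trap_targets;

    foreach my $trap_target (@trap_targets) {
        my $port      = $config->returnValue("$level_pfx $trap_target port");
        my $community = $config->returnValue("$level_pfx $trap_target community");

        # Work on a copy: the loop variable aliases the @trap_targets element.
        my $dest = $trap_target;
        $dest .= ":$port" if $port;
        # SNMPv2c carries the community string in cleartext and "public" is
        # the well-known default; operators should set one per trap-target.
        $community = "public" unless $community;

        # Was "my ($snmp_session, $error) = new SNMP::TrapSession(...)":
        # the constructor returns a single value, so $error was never set.
        my $snmp_session = SNMP::TrapSession->new(
            DestHost  => "$dest",
            Community => $community,
            Version   => '2c'
        );
        if (!defined $snmp_session) {
            log_err "Unable to open trap session for $dest community";
        } else {
            push(@snmp_sessions, $snmp_session);
        }
    }
    return scalar(@trap_targets);
}

# Send one mgmtEventTrap per open session.
#
# $change_type is a key of %change_type_hash (unknown keys map to 0);
# $prev/$curr are the "level value" strings for the old and new config and
# are only included in the trap for the change types that have them.
sub trap_send {
    my ($change_type, $prev, $curr) = @_;
    my $trap_name        = 'VYATTA-TRAP-MIB::mgmtEventTrap';
    my $mgmtEventUser    = 'mgmtEventUser';
    my $mgmtEventSource  = 'mgmtEventSource';
    my $mgmtEventType    = 'mgmtEventType';
    my $mgmtEventPrevCfg = 'mgmtEventPrevCfg';
    my $mgmtEventCurrCfg = 'mgmtEventCurrCfg';
    my $event_source     = 1;    # firewall
    # getpwuid() yields undef for an unknown uid; fall back to "(uid)" alone.
    my $event_name = (getpwuid($UID) // '') . "($UID)";

    $change_type = $change_type_hash{$change_type};
    $change_type = 0 unless $change_type;
    log_msg "trap_send: user = $event_name";
    log_msg "trap_send: mgmtEventType = $change_type";
    log_msg "trap_send: mgmtEventPrevCfg = $prev" if $prev;
    log_msg "trap_send: mgmtEventCurrCfg = $curr" if $curr;

    # uptime is auto-populated if not explicitly set
    # trap does not like empty strings so only send oids with values
    my @varbinds = (
        [$mgmtEventUser,   0, $event_name],
        [$mgmtEventSource, 0, $event_source],
        [$mgmtEventType,   0, $change_type],
    );
    push @varbinds, [$mgmtEventPrevCfg, 0, $prev]
        if $change_type == $change_type_hash{'deleted'}
        || $change_type == $change_type_hash{'changed'};
    push @varbinds, [$mgmtEventCurrCfg, 0, $curr]
        if $change_type == $change_type_hash{'added'}
        || $change_type == $change_type_hash{'changed'};

    foreach my $snmp_session (@snmp_sessions) {
        $snmp_session->trap(oid => $trap_name, \@varbinds);
    }
}

# Trap for a single-valued leaf node at $level.
sub leaf_trap {
    my ($config, $change_type, $level) = @_;
    my ($prev, $curr);

    if (($change_type eq "deleted") || ($change_type eq "changed")) {
        $prev = $config->returnOrigValue("$level");
        # Guarded: chomp()/length() on undef only produce warnings, and the
        # value stays undef either way.
        if (defined $prev) {
            chomp($prev);
            $prev = "$level $prev" if length($prev);
        }
    }

    if (($change_type eq "added") || ($change_type eq "changed")) {
        $curr = $config->returnValue("$level");
        if (defined $curr) {
            chomp($curr);
            $curr = "$level $curr" if length($curr);
        }
    }
    trap_send($change_type, $prev, $curr);
}

# Trap for a multi-valued leaf node; all values are joined with spaces.
sub leaf_multi_trap {
    my ($config, $change_type, $level) = @_;
    my ($prevstr, $currstr);

    if (($change_type eq "deleted") || ($change_type eq "changed")) {
        my @prev = $config->returnOrigValues("$level");
        $prevstr = "$level " . join(' ', @prev);
        chomp($prevstr);
    }

    if (($change_type eq "added") || ($change_type eq "changed")) {
        my @curr = $config->returnValues("$level");
        $currstr = "$level " . join(' ', @curr);
        chomp($currstr);
    }
    trap_send($change_type, $prevstr, $currstr);
}

# Trap for a valueless leaf node; the node path itself is the payload.
sub leaf_valueless_trap {
    my ($config, $change_type, $level) = @_;
    my ($prev, $curr);

    chomp($level);
    $prev = "$level" if ($change_type eq "deleted");
    $curr = "$level" if ($change_type eq "added");
    trap_send($change_type, $prev, $curr);
}

# Walk the config subtree at $level and send a trap for every changed node.
# Tag nodes and valueless nodes with children are descended recursively;
# 'static' (unchanged) nodes are skipped.
sub firewall_cfg_trap {
    my ($config, $level) = @_;
    my %node_status = $config->listNodeStatus("$level");

    foreach my $node (keys %node_status) {
        next if $node_status{$node} eq 'static';
        if ($config->isTagNode("$level $node")) {
            firewall_cfg_trap($config, "$level $node");
        } elsif ($config->isLeafNode("$level $node")) {
            if ($config->isMultiNode("$level $node")) {
                leaf_multi_trap($config, $node_status{$node}, "$level $node");
            } else {
                leaf_trap($config, $node_status{$node}, "$level $node");
            }
        } elsif ($config->hasTmplChildren("$level $node")) {
            # Valueless node with children, descend tree recursively
            firewall_cfg_trap($config, "$level $node");
        } else {
            # Valueless leaf node
            leaf_valueless_trap($config, $node_status{$node}, "$level $node");
        }
    }
}

# Special handling for the top "firewall" config node.
#
# Only processes leaf nodes. Ideally the general purpose traversal
# function (firewall_cfg_trap), could detect crossing priority groups
# like the cstore code does. But this is easier.
sub firewall_cfg_leaf_trap {
    my ($config, $level) = @_;
    my %node_status = $config->listNodeStatus("$level");

    foreach my $node (keys %node_status) {
        next if $node_status{$node} eq 'static';
        if ($config->isLeafNode("$level $node")) {
            if ($config->isMultiNode("$level $node")) {
                leaf_multi_trap($config, $node_status{$node}, "$level $node");
            } else {
                leaf_trap($config, $node_status{$node}, "$level $node");
            }
        } elsif ($config->isTagNode("$level $node")) {
            next;    # Skip tag node
        } elsif ($config->hasTmplChildren("$level $node")) {
            next;    # Valueless node with children, skip
        } else {
            # Valueless leaf node
            leaf_valueless_trap($config, $node_status{$node}, "$level $node");
        }
    }
}

# True when "firewall config-trap" is (or defaults to) 'enable'.
# Reads the committed value so the decision is not affected by the very
# change being reported.
sub is_trap_enabled {
    my ($config) = @_;
    my $level = 'firewall config-trap';
    my $value;

    if ($config->existsOrig($level)) {
        $value = $config->returnOrigValue($level);
    } else {
        my @tmpl = $config->parseTmpl($level);
        $value = $tmpl[2];    # default value (index per the original author)
    }
    return (defined $value && $value eq 'enable');
}

my $config = Vyatta::Config->new;

# Detect if firewall config traps are enabled
exit 0 if !is_trap_enabled($config);

# Detect system startup (i.e., no snmpd running) and just exit.
# The former test, "! $snmpd_service =~ m/snmpd is running/", applied "!" to
# the scalar before matching, so it could never be true and the guard was
# dead.  Ask systemd for the unit state instead of matching its
# human-readable status text; a non-zero status (or a missing systemctl,
# which system() reports as -1) is treated as "not running".
exit 0 if system('systemctl', 'is-active', '--quiet', 'snmpd.service') != 0;

# If no trap-targets configured just exit.
exit 0 unless snmp_init($config);

if (defined $cfglevel) {
    if ($cfglevel eq 'firewall') {
        # Special handling for the top "firewall" node.
        firewall_cfg_leaf_trap($config, "$cfglevel");
    } else {
        firewall_cfg_trap($config, "$cfglevel");
    }
}

exit 0;
--------------------------------------------------------------------------------
/scripts/firewall/vyatta-fw-global-state-policy.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl
#
# Module: vyatta-fw-global-state-policy.pl
#
# **** License ****
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# This code was originally developed by Vyatta, Inc.
# Portions created by Vyatta are Copyright (C) 2011 Vyatta, Inc.
# All Rights Reserved.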
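#
# Author: Mohit Mehta
# Date: November 2011
# Description: Script for setting/changing/removing global FW state-policy
#
# **** End License ****
#

use lib "/opt/vyatta/share/perl5";
use warnings;
use strict;
# NOTE(review): Switch is a source filter and no switch/case is used in this
# file; it can be dropped.
use Switch;
use Vyatta::Config;
use Vyatta::IpTables::Mgr;
use Getopt::Long;
use Sys::Syslog qw(:standard :macros);

# mapping from config node to iptables command
our %cmd_hash = ( 'name'      => '/sbin/iptables',
                  'ipv6-name' => '/sbin/ip6tables');

# mapping from config node to iptables/ip6tables table
our %table_hash = ( 'name'      => 'filter',
                    'ipv6-name' => 'filter');

# pre FW hooks in iptables' INPUT, OUTPUT and FORWARD chains
our %pre_fw_hooks_hash = ( 'INPUT'   => 'VYATTA_PRE_FW_IN_HOOK',
                           'FORWARD' => 'VYATTA_PRE_FW_FWD_HOOK',
                           'OUTPUT'  => 'VYATTA_PRE_FW_OUT_HOOK');

# post FW hooks in iptables' INPUT, OUTPUT and FORWARD chains
our %post_fw_hooks_hash = ( 'INPUT'   => 'VYATTA_POST_FW_IN_HOOK',
                            'FORWARD' => 'VYATTA_POST_FW_FWD_HOOK',
                            'OUTPUT'  => 'VYATTA_POST_FW_OUT_HOOK');

# state policy chains in iptables' INPUT, OUTPUT and FORWARD chains
our %state_policy_chains_hash = ( 'INPUT'   => 'VYATTA_STATE_POLICY_IN_HOOK',
                                  'FORWARD' => 'VYATTA_STATE_POLICY_FWD_HOOK',
                                  'OUTPUT'  => 'VYATTA_STATE_POLICY_OUT_HOOK');

# state actions (not referenced in this file; set_state_actions() derives the
# target from uc($action) and %post_fw_hooks_hash instead)
our %state_action_hash = ( 'drop'   => 'DROP',
                           'reject' => 'REJECT',
                           'accept' => 'JUMP_TO_INDIVIDUAL_POST_FW_HOOK',
                           'log'    => 'LOG');

# state actions' log abbreviations
our %state_log_abbr_hash = ( 'drop'   => 'D',
                             'reject' => 'R',
                             'accept' => 'A');

# imp to maintain order of this array since this is the
# order we want to insert rules into state-policy chains
my @fw_states = ('invalid', 'established', 'related');

# log prefix - rules are logged as [$fw_log_prefix-$STATE-$ACTION_ABBREVIATION]
my $fw_log_prefix = 'FW-STATE_POL';

# Run $code->($iptables_cmd, $table, $builtin_chain) for every combination of
# (iptables, ip6tables) x (INPUT, FORWARD, OUTPUT).  Stops at and returns the
# first true error value the callback returns, otherwise returns undef.
sub _for_each_policy_chain {
    my ($code) = @_;

    foreach my $tree (keys %cmd_hash) {
        foreach my $iptables_chain (keys %state_policy_chains_hash) {
            my $error = $code->($cmd_hash{$tree}, $table_hash{$tree}, $iptables_chain);
            return $error if $error;
        }
    }
    return;
}

# this function performs the following functions:
# 1. sets up VYATTA_FW_*_STATE_POLICY chains i.e. for INPUT, OUTPUT, FORWARD hooks
# 2. adds rules in VYATTA_PRE_FW_*_HOOK hooks to jump to VYATTA_FW_*_STATE_POLICY
#
# Returns ($error) on the first failure, or the empty list on success.
sub setup_state_policy {
    my $error = _for_each_policy_chain(sub {
        my ($cmd, $table, $iptables_chain) = @_;
        my $policy_chain = $state_policy_chains_hash{$iptables_chain};

        # create VYATTA_FW_*_STATE_POLICY chains
        my $err = Vyatta::IpTables::Mgr::create_ipt_chain($cmd, $table, $policy_chain);
        return $err if $err;

        # append RETURN to VYATTA_FW_*_STATE_POLICY chains
        $err = Vyatta::IpTables::Mgr::append_ipt_rule($cmd, $table, $policy_chain, 'RETURN');
        return $err if $err;

        # insert rule in VYATTA_PRE_FW_*_HOOK to jump to VYATTA_FW_*_STATE_POLICY
        return Vyatta::IpTables::Mgr::insert_ipt_rule($cmd, $table,
            $pre_fw_hooks_hash{$iptables_chain}, $policy_chain);
    });
    return ($error, ) if $error;

    return;
}

# this function reverts the operations done in setup_state_policy():
# 1. removes rules from VYATTA_PRE_FW_*_HOOK hooks to jump to VYATTA_FW_*_STATE_POLICY
# 2. deletes VYATTA_FW_STATE_POLICY chains i.e. for IN, OUT, FWD hooks
#
# Returns ($error) on the first failure, or the empty list on success.
sub teardown_state_policy {
    my $error = _for_each_policy_chain(sub {
        my ($cmd, $table, $iptables_chain) = @_;
        my $policy_chain = $state_policy_chains_hash{$iptables_chain};

        # remove rule in VYATTA_PRE_FW_*_HOOK to jump to VYATTA_FW_*_STATE_POLICY
        my $err = Vyatta::IpTables::Mgr::delete_ipt_rule($cmd, $table,
            $pre_fw_hooks_hash{$iptables_chain}, $policy_chain);
        return $err if $err;

        # flush all rules from VYATTA_FW_*_STATE_POLICY chains
        $err = Vyatta::IpTables::Mgr::flush_ipt_chain($cmd, $table, $policy_chain);
        return $err if $err;

        # delete VYATTA_FW_*_STATE_POLICY chains
        return Vyatta::IpTables::Mgr::delete_ipt_chain($cmd, $table, $policy_chain);
    });
    return ($error, ) if $error;

    return;
}

# set all state actions and their log rules
# Flush all previous rules and then set rules in the following order:
#   INVALID - log rule followed by action rule
#   ESTABLISHED - log rule followed by action rule
#   RELATED - log rule followed by action rule
# Keep appending rules and then append RETURN rule at the end
#
# Returns ($error) on the first failure, or the empty list on success.
sub set_state_actions {
    my $error;

    my $config = Vyatta::Config->new;
    # skip steps below if state-policy deleted
    # NOTE(review): this only returns when exists() yields undef; if it
    # returns a defined false value for a missing node the flush/RETURN
    # steps below still run — confirm against Vyatta::Config::exists.
    return if (!defined $config->exists("firewall state-policy"));

    # flush state_policy_chains
    $error = _for_each_policy_chain(sub {
        my ($cmd, $table, $iptables_chain) = @_;
        # flush all rules from VYATTA_FW_*_STATE_POLICY chains
        return Vyatta::IpTables::Mgr::flush_ipt_chain($cmd, $table,
            $state_policy_chains_hash{$iptables_chain});
    });
    return ($error, ) if $error;

    # check config for each states in this order: invalid, established, related
    # insert rules for log and action for each state
    foreach my $state (@fw_states) {
        $config->setLevel("firewall state-policy $state");
        my $log_enabled = $config->exists("log enable");
        my $action      = $config->returnValue("action");
        # Was "my $uc_action = uc($action) if defined $action;" — a "my"
        # with a statement modifier is documented as undefined behaviour in
        # Perl and can leave the lexical holding the previous iteration's
        # value.  Use a plain conditional expression instead.
        my $uc_action   = defined $action ? uc($action) : undef;
        my $uc_state    = uc($state);
        my $state_match = "-m state --state $uc_state";

        if (defined $log_enabled) {
            # insert LOG rule in VYATTA_FW_*_STATE_POLICY.  With log enabled
            # but no action the abbreviation is empty; that combination is
            # rejected by state_policy_validity_checks().
            my $jump_target = "LOG --log-prefix \"[$fw_log_prefix-$uc_state-$state_log_abbr_hash{$action}]\" ";
            $error = _for_each_policy_chain(sub {
                my ($cmd, $table, $iptables_chain) = @_;
                return Vyatta::IpTables::Mgr::append_ipt_rule($cmd, $table,
                    $state_policy_chains_hash{$iptables_chain}, $jump_target, $state_match);
            });
            return ($error, ) if $error;
        }
        if (defined $action) {
            $error = _for_each_policy_chain(sub {
                my ($cmd, $table, $iptables_chain) = @_;
                # if action is accept then jump target should be the matching
                # post FW hook (post_fw_hooks_hash), not ACCEPT directly
                my $target = $action eq 'accept'
                    ? $post_fw_hooks_hash{$iptables_chain}
                    : $uc_action;
                return Vyatta::IpTables::Mgr::append_ipt_rule($cmd, $table,
                    $state_policy_chains_hash{$iptables_chain}, $target, $state_match);
            });
            return ($error, ) if $error;
        }
    }

    # append rule with target RETURN at the end
    $error = _for_each_policy_chain(sub {
        my ($cmd, $table, $iptables_chain) = @_;
        # append RETURN to VYATTA_FW_*_STATE_POLICY chains
        return Vyatta::IpTables::Mgr::append_ipt_rule($cmd, $table,
            $state_policy_chains_hash{$iptables_chain}, 'RETURN');
    });
    return ($error, ) if $error;

    return;
}

# True when any state in @fw_states has an "action" configured, read with
# the Vyatta::Config method named by $method ("returnOrigValue" for the
# committed config, "returnValue" for the proposed one).
sub _any_state_has_action {
    my ($method) = @_;

    foreach my $state (@fw_states) {
        my $config = Vyatta::Config->new;
        $config->setLevel("firewall state-policy $state");
        return 1 if defined $config->$method("action");
    }
    return 0;
}

# Release the FW_STATE_POLICY_CONNTRACK conntrack reference if the committed
# config had any state action, then take it again if the proposed config
# does.  Command-line arguments are ignored.  Always returns the empty list.
sub enable_disable_conntrack {
    if (_any_state_has_action('returnOrigValue')) {
        foreach my $tree (keys %cmd_hash) {
            Vyatta::IpTables::Mgr::ipt_disable_conntrack($cmd_hash{$tree}, 'FW_STATE_POLICY_CONNTRACK');
        }
    }

    if (_any_state_has_action('returnValue')) {
        foreach my $tree (keys %cmd_hash) {
            Vyatta::IpTables::Mgr::ipt_enable_conntrack($cmd_hash{$tree}, 'FW_STATE_POLICY_CONNTRACK');
        }
    }

    return;
}

# Reject "log enable" without an "action" for any state.
# Returns the error string on failure, or the empty list when valid.
# Command-line arguments are ignored.
sub state_policy_validity_checks {
    foreach my $state (@fw_states) {
        my $config = Vyatta::Config->new;
        $config->setLevel("firewall state-policy $state");
        my $log_enabled = $config->exists("log enable");
        my $action      = $config->returnValue("action");
        if (defined $log_enabled && !defined $action) {
            my $error = "log enabled but action not configured for state: $state\n" .
                        "action is required to log packets\n";
            return $error;
        }
    }

    return;
}

#
# main
#

my ($action, $state, $state_action);

GetOptions("action=s"       => \$action,
           "state=s"        => \$state,
           "state-action=s" => \$state_action,
);

die "undefined action" if !defined $action;

# No sub in this file ever returns a second element, so $warning stays undef.
my ($error, $warning);

($error, $warning) = setup_state_policy() if $action eq 'setup-state-policy';

($error, $warning) = teardown_state_policy() if $action eq 'teardown-state-policy';

($error, $warning) = set_state_actions() if $action eq 'set-state-actions';

# $state is passed for command-line compatibility; neither sub reads it.
($error, $warning) = enable_disable_conntrack($state) if $action eq 'enable-disable-conntrack';

($error, $warning) = state_policy_validity_checks($state) if $action eq 'state-policy-validity-checks';

if (defined $warning) {
    print "$warning\n";
}

if (defined $error) {
    print "$error\n";
    exit 1;
}

exit 0;

# end of file
--------------------------------------------------------------------------------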
