
add --enable-logging switch, default to no logging

1 parent 04fbc44 commit efc44aeb1145c24bdf31215c8aaa0cce29a23cab @jnorell jnorell committed
Showing with 48 additions and 10 deletions.
  1. +45 −10 vzfirewall
  2. +3 −0 vzfirewall.conf
55 vzfirewall
@@ -14,7 +14,7 @@ use POSIX 'strftime';
use Getopt::Long 2.25 qw(:config posix_default no_ignore_case);
use Switch;
-my $VERSION = "1.13, 2014-01-20";
+my $VERSION = "1.14, 2014-01-27";
my %conf = (); # running configuration (defaults + config file + cli opts)
my %opt = (); # command line options
@@ -26,6 +26,7 @@ GetOptions(\%opt, 'help|h', 'version|V', 'apply|a', 'test|t',
'iptables-rules|rules=s', 'openvz-conf-dir|dir|d=s',
'icmp-types=s{1,}' => \@ICMP_TYPES,
'failsafe-addrs=s{1,}' => \@FAILSAFE_ADDRS,
+ 'enable-logging|l',
) or exit(1);
if ($opt{'vzfw-conf'}) {
@@ -83,6 +84,10 @@ if ($opt{'iptables-rules'}) {
}
}
+if ($opt{'enable-logging'}) {
+ $conf{'enable-logging'} = $opt{'enable-logging'};
+}
+
if ($opt{help}) {
pod2usage( -verbose => $opt{verbose} ? 2 : 1 );
}
@@ -132,7 +137,8 @@ if ($opt{test}) {
sub do_apply {
my ($test_mode, $force) = @_;
-
+ my ($deny_chain) = ($conf{'enable-logging'} ? 'vzfw-log-deny' : 'vzfw-deny');
+
my @cmds = ();
push @cmds, "##\n## PLEASE DO NOT EDIT THIS FILE MANUALLY!!!\n##\n";
push @cmds, "## It is generated by " . basename($0) . "\n";
@@ -142,9 +148,10 @@ sub do_apply {
push @cmds, ":FORWARD ACCEPT [0:0]\n";
push @cmds, ":OUTPUT ACCEPT [0:0]\n";
push @cmds, "\n\n";
- push @cmds, "##\n## Basic logging rules with policy actions\n##\n";
+ push @cmds, "##\n## Basic logging and policy action rules\n##\n";
push @cmds, ":vzfw-log-allow - [0:0]\n";
push @cmds, ":vzfw-log-deny - [0:0]\n";
+ push @cmds, ":vzfw-deny - [0:0]\n";
push @cmds, "# logging with RETURN policy\n";
push @cmds, "-A vzfw-log-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix \"[VZFW ALLOW] \"\n";
push @cmds, "# logging with DENY policy\n";
@@ -154,16 +161,21 @@ sub do_apply {
push @cmds, "-A vzfw-log-deny -m addrtype --dst-type BROADCAST -j DROP\n";
push @cmds, "-A vzfw-log-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix \"[VZFW BLOCK] \"\n";
push @cmds, "-A vzfw-log-deny -j REJECT --reject-with icmp-admin-prohibited\n";
+ push @cmds, "# DENY policy\n";
+ push @cmds, "-A vzfw-deny -m state --state INVALID -j DROP\n";
+ push @cmds, "-A vzfw-deny -m addrtype --dst-type MULTICAST -j DROP\n";
+ push @cmds, "-A vzfw-deny -m addrtype --dst-type BROADCAST -j DROP\n";
+ push @cmds, "-A vzfw-deny -j REJECT --reject-with icmp-admin-prohibited\n";
push @cmds, "\n\n";
push @cmds, "##\n## Default opened on loopback interface.\n##\n";
push @cmds, "-A INPUT -i lo -j ACCEPT\n";
push @cmds, "-A OUTPUT -o lo -j ACCEPT\n";
push @cmds, "-A FORWARD -i lo -j ACCEPT\n";
push @cmds, "\n##\n## Stop spoofing of our addresses.\n##\n";
- push @cmds, "-A INPUT -m addrtype --src-type LOCAL -j vzfw-log-deny\n";
+ push @cmds, "-A INPUT -m addrtype --src-type LOCAL -j $deny_chain\n";
for my $chain ("INPUT", "OUTPUT", "FORWARD") {
push @cmds, "\n##\n## Firewall states ($chain).\n##\n";
- push @cmds, "-A $chain -m state --state INVALID -j vzfw-log-deny\n";
+ push @cmds, "-A $chain -m state --state INVALID -j $deny_chain\n";
push @cmds, "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT\n";
push @cmds, "# Allowed icmp types\n";
@@ -173,14 +185,18 @@ sub do_apply {
}
if ( grep { /any/i } @{$conf{'failsafe-addrs'}} ) {
push @cmds, "\n# Failsafe SSH access open to hardware node.\n";
- push @cmds, "-A INPUT -p tcp --dport 22 -j vzfw-log-allow\n";
+ if ($conf{'enable-logging'}) {
+ push @cmds, "-A INPUT -p tcp --dport 22 -j vzfw-log-allow\n";
+ }
push @cmds, "-A INPUT -p tcp --dport 22 -j ACCEPT\n";
} elsif ( grep { /none/i } @{$conf{'failsafe-addrs'}} ) {
push @cmds, "\n# Failsafe SSH access to hardware node is disabled.\n";
} else {
push @cmds, "\n# Failsafe SSH access to hardware node.\n";
for my $addr ( @{$conf{'failsafe-addrs'}} ) {
- push @cmds, "-A INPUT -p tcp -s $addr --dport 22 -j vzfw-log-allow\n";
+ if ($conf{'enable-logging'}) {
+ push @cmds, "-A INPUT -p tcp -s $addr --dport 22 -j vzfw-log-allow\n";
+ }
push @cmds, "-A INPUT -p tcp -s $addr --dport 22 -j ACCEPT\n";
}
}
@@ -258,8 +274,8 @@ sub do_apply {
}
push @cmds, "\n\n##\n## Default action for incoming packets - reject.\n##\n";
- push @cmds, "-A INPUT -j vzfw-log-deny\n";
- push @cmds, "-A FORWARD -j vzfw-log-deny\n";
+ push @cmds, "-A INPUT -j $deny_chain\n";
+ push @cmds, "-A FORWARD -j $deny_chain\n";
push @cmds, "COMMIT\n";
my $cmds = join "", @cmds;
@@ -350,7 +366,8 @@ sub generate_open_rule {
sub generate_close_rule {
my ($dst_ip) = @_;
- return ($dst_ip && $dst_ip ne "*"? "-A FORWARD -d $dst_ip" : "-A INPUT") . " -j vzfw-log-deny\n";
+ my ($deny_chain) = ($conf{'enable-logging'} ? 'vzfw-log-deny' : 'vzfw-deny');
+ return ($dst_ip && $dst_ip ne "*"? "-A FORWARD -d $dst_ip" : "-A INPUT") . " -j $deny_chain\n";
}
sub generate_outgoing_rule {
@@ -422,6 +439,13 @@ sub read_vzfirewall_conf {
$$cfg{'failsafe-addrs'} = \@v;
}
}
+ case "ENABLE_LOGGING" {
+ unless ($$cli{'enable-logging'}) {
+ if ($v !~ /^(false|no|off|0)$/i) {
+ $$cfg{'enable-logging'} = $v;
+ }
+ }
+ }
}
}
}
@@ -518,6 +542,10 @@ I<addr> can be a single host, subnet, C<any> or C<none>.
Default: any
+=item B<-l>, B<--enable-logging>
+
+Enable logging of denied traffic.
+
=back
@@ -570,6 +598,12 @@ Specify hosts allowed administrative (ssh) access to the openvz hardware node.
Corresponds to --failsafe-addrs command-line option.
+=item C<ENABLE_LOGGING>
+
+Enable logging of denied traffic.
+
+Corresponds to the --enable-logging command-line option.
+
=back
@@ -585,6 +619,7 @@ on a C<debian> system using C<iptables-persistent> to load iptables rules:
IPTABLES_RULES = /etc/iptables/rules.v4
ICMP_TYPES = 3 4 11 12 8
FAILSAFE_ADDRS = any
+ ENABLE_LOGGING = false
=head2 Firewall the OpenVZ host
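Review bot: The POD text added for `--enable-logging` and `ENABLE_LOGGING` ("Enable logging of denied traffic") understates what the switch does: in do_apply the same flag also gates the `vzfw-log-allow` rules in front of the failsafe SSH ACCEPT rules, so accepted admin connections are logged as well; suggest `Enable logging of denied traffic and of accepted failsafe SSH connections.` in both POD entries. Separately, the chain-selection ternary is now written twice (in do_apply and in generate_close_rule); a one-line helper such as `sub deny_chain { return $conf{'enable-logging'} ? 'vzfw-log-deny' : 'vzfw-deny'; }` called from both sites keeps them from drifting if the chain set changes again. Any `-j vzfw-log-deny` reference in parts of the file not shown here would still log regardless of the switch, which is worth checking before merging. do_apply and read_vzfirewall_conf both extend beyond the hunks visible in this commit.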
3 vzfirewall.conf
@@ -20,3 +20,6 @@
# Hosts/subnets allowed admin (ssh) access to the hardware node.
# Use "none" to disable
#FAILSAFE_ADDRS = any
+
+# Enable logging of denied traffic
+ENABLE_LOGGING = true
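Review bot: The new `ENABLE_LOGGING = true` line is the only active setting in this part of the sample config — the neighbouring entries such as `#FAILSAFE_ADDRS = any` are commented out and show the default — and it contradicts both the commit title ("default to no logging") and the POD example in vzfirewall that shows `ENABLE_LOGGING = false`. If the sample is meant to document defaults, `#ENABLE_LOGGING = false` matches the file's convention; if turning logging on in the shipped config is intentional, a comment saying so (and noting that it also logs accepted failsafe SSH connections) would avoid the surprise. Only the tail of the file is visible here.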
