
Switched --no-ipt-sync to default to not syncing with the iptables po…

…licy

By default fwsnort attempts to match translated Snort rules to the running
iptables policy, but this is tough to do well because iptables policies can be
complex.  And, before fwsnort switched to the iptables-save format for
instantiating the policy, a large set of translated rules could take a really
long time to make active within the kernel.  Finally, many Snort rules restrict
themselves to established TCP connections anyway, and if a restrictive policy
doesn't allow connections to get into the established state for some port let's
say, then there is little harm in having translated Snort rules for this port.
Some kernel memory would be wasted (small), but no performance would be lost
since packets won't be processed against these rules anyway.  The end result is
that the default behavior is now to not sync with the local iptables policy in
favor of translating and instantiating as many rules as possible.

This commit also moves the fwsnort.sh script and associated files into the
/var/lib/fwsnort/ directory.
1 parent 863f73a commit 724f75a13f3ec264eccb553c6c28f83706048047 @mrash committed Feb 17, 2012
Showing with 41 additions and 30 deletions.
  1. +4 −1 CREDITS
  2. +18 −18 fwsnort
  3. +11 −4 fwsnort.8
  4. +7 −6 fwsnort.conf
  5. +1 −1 install.pl
@@ -74,5 +74,8 @@ Kim Hagen
Couldn't load target
`FWSNORT_FORWARD_ESTAB':/lib/xtables/libipt_FWSNORT_FORWARD_ESTAB.so:
- cannot open shared object file: No such file or directory
+ cannot open shared object file: No such file or directory
+Peter Vrabec
+ - Suggested a new directory /var/lib/fwsnort/ for the fwsnort.sh script
+ and associated files (fwsnort.save, fwsnort_iptcmd.sh, etc.).
36 fwsnort
@@ -372,6 +372,7 @@ my $ipt_script = '';
my $logfile = '';
my $rules_dir = '';
my $homedir = '';
+my $abs_num = 0;
my $run_last = 0;
my $queue_rules_dir = '';
my $queue_pre_match_max = 0;
@@ -385,20 +386,20 @@ my $update_rules = 0; ### used to download latest snort rules
my $ipt_print_type = 0;
my $ipt_check_capabilities = 0;
my $ipt_rule_ctr = 1;
-my $ipt_sync = 1;
+my $ipt_sync = 0;
my $ipt_flush = 0;
my $ipt_del_chains = 0;
my $ipt_list = 0;
my $ipt_file = '';
my $no_pcre = 0;
-my $no_ipt_sync = 0;
my $no_ipt_log = 0;
my $no_ipt_test = 0;
my $no_ipt_jumps = 0;
my $no_ipt_input = 0;
my $no_ipt_output = 0;
my $no_addr_check = 0;
my $no_ipt_forward = 0;
+my $ignore_opt = 0;
my $include_sids = '';
my $exclude_sids = '';
my $add_deleted = 0;
@@ -581,7 +582,6 @@ sub parse_snort_rules() {
}
}
- my $abs_num = 0;
my $sabs_num = 0;
my $tot_ipt_apply = 0;
my $tot_unsup_ctr = 0;
@@ -3281,7 +3281,6 @@ sub fwsnort_init() {
}
unless ($is_root) {
- $no_ipt_sync = 1;
$no_ipt_test = 1;
}
@@ -3296,8 +3295,6 @@ sub fwsnort_init() {
}
}
- $ipt_sync = 0 if $no_ipt_sync;
-
if ($enable_ip6tables) {
### switch to ip6tables
$ipt_var_str = 'IP6TABLES';
@@ -3484,10 +3481,12 @@ sub handle_cmd_line() {
'snort-rfile=s' => \$rules_file, # Translate a single rules file.
'no-pcre' => \$no_pcre, # Make no attempt to translate PCRE's.
'no-addresses' => \$no_addr_check, # Don't check local ifconfig output.
- 'no-ipt-sync' => \$no_ipt_sync, # Do not sync with the iptables policy.
+ 'no-ipt-sync' => \$ignore_opt, # Do not sync with the iptables policy.
+ 'ipt-sync' => \$ipt_sync, # Sync fwsnort ruls with the iptables
+ # policy.
'no-ipt-log' => \$no_ipt_log, # Do not generate iptables logging rules.
- 'no-ipt-test' => \$no_ipt_test, # Don't perform any checks against
- # iptables.
+ 'no-ipt-test' => \$no_ipt_test, # Don't perform any checks for
+ # iptables capabilities.
'no-ipt-jumps' => \$no_ipt_jumps, # Don't jump packets from the INPUT or
# FORWARD chains.
'no-ipt-conntrack' => \$no_ipt_conntrack, # Don't use iptables connection
@@ -3657,7 +3656,7 @@ sub required_vars() {
FWSNORT_FORWARD_JUMP MAX_STRING_LEN CONF_DIR RULES_DIR ARCHIVE_DIR
QUEUE_RULES_DIR LOG_DIR LIBS_DIR CONF_FILE FWSNORT_SCRIPT LOG_FILE
FWSNORT_SAVE_FILE FWSNORT_SAVE_EXEC_FILE IPT_BACKUP_SAVE_FILE
- UPDATE_RULES_URL
+ UPDATE_RULES_URL STATE_DIR
);
for my $var (@required_vars) {
die "[*] Variable $var not defined in $fwsnort_conf. Exiting.\n"
@@ -4212,16 +4211,17 @@ sub setup() {
### import fwsnort perl modules
&import_perl_modules();
+ for my $dir ($config{'LOG_DIR'}, $config{'STATE_DIR'}) {
+ unless (-d $dir) {
+ mkdir $dir, 0755 or die "[*] Could not mkdir($dir): $!";
+ }
+ }
+
unless (-d $config{'ARCHIVE_DIR'}) {
mkdir $config{'ARCHIVE_DIR'}, 0500 or
die "[*] Could not mkdir($config{'ARCHIVE_DIR'}): $!";
}
- unless (-d $config{'LOG_DIR'}) {
- mkdir $config{'LOG_DIR'}, 0755 or
- die "[*] Could not mkdir($config{'LOG_DIR'}): $!";
- }
-
if (($queue_mode or $nfqueue_mode) and not -d $config{'QUEUE_RULES_DIR'}) {
mkdir $config{'QUEUE_RULES_DIR'}, 0500 or die $!;
}
@@ -4499,7 +4499,7 @@ sub write_save_file() {
my @fws_exec_lines = ();
push @fws_exec_lines, &hdr_lines();
- push @fws_exec_lines, qq|echo " "|, qq|echo "[+] Splicing fwsnort rules | .
+ push @fws_exec_lines, qq|echo " "|, qq|echo "[+] Splicing fwsnort $abs_num rules | .
qq|into the $ipt_str policy..."|,
"$restore_bin < $config{'FWSNORT_SAVE_FILE'}",
qq|echo " Done."\n|,
@@ -4631,8 +4631,8 @@ Options:
--ipt-check-capabilities - Check iptables capabilities and exit.
--no-ipt-comments - Do not add Snort "msg" fields to iptables
rules with the iptables comment match.
- --no-ipt-sync - Add iptables rules for signatures that
- are already blocked by iptables.
+ --ipt-sync - Only add iptables rules for signatures that
+ are not already blocked by iptables.
--no-ipt-log - Do not generate iptables log rules
(can only be used with --ipt-drop).
--no-ipt-test - Do not run any checks for availability
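Review bot: In the fwsnort_init() hunk the `unless ($is_root)` block no longer turns off policy syncing: the removed `$no_ipt_sync = 1;` used to force `$ipt_sync = 0` for non-root runs, but now a non-root invocation with the new `--ipt-sync` flag keeps `$ipt_sync` set and will attempt to read the live iptables policy without the privileges to do so; add `$ipt_sync = 0;` beside `$no_ipt_test = 1;` unless a later check in fwsnort_init() (which continues outside the hunk) already covers it. In the setup() hunk, `STATE_DIR` is created with mode 0755 while `ARCHIVE_DIR` directly below is created 0500; per the fwsnort.conf hunk this directory will hold the generated fwsnort.sh, fwsnort.save and the iptables.save policy backup, so either create it more restrictively (e.g. 0700) or add a comment stating that the files written into it are created non-world-readable, since the file modes are not visible here. The comment on the new `'ipt-sync'` option also reads "ruls" for "rules".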
@@ -263,10 +263,17 @@ rule for each successfully translated snort rule. This can be disabled
with the \-\-no-ipt-log option, but \-\-ipt-drop must also be specified.
.TP
.BR \-\^\-no-ipt-sync
-Do not consult the iptables policy currently running on the machine
-for applicable snort rules. Unless limited with the \-\-include-type or \-\-snort-sid
-options this can result in a fwsnort.sh script that contains several
-thousand iptables rules.
+This is a deprecated option since the default behavior is to translate as
+many Snort rules into iptables rules as possible. With
+.B fwsnort
+able to produce iptables rules in iptables\-save format, it is extremely fast
+to instantiate a large set of translated Snort rules into an iptables policy.
+A new \-\-ipt-sync option has been added to reverse this behavior (not
+recommended).
+.TP
+.BR \-\^\-ipt-sync
+Consult the iptables policy currently running on the machine
+for applicable snort rules.
.TP
.BR \-\^\-no-ipt-test
Do not test the iptables build for existence of support for the LOG and
@@ -87,17 +87,18 @@ FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB;
### fwsnort library path
CONF_DIR /etc/fwsnort;
RULES_DIR $CONF_DIR/snort_rules;
-ARCHIVE_DIR $CONF_DIR/archive;
QUEUE_RULES_DIR $CONF_DIR/snort_rules_queue;
LOG_DIR /var/log/fwsnort;
-LIBS_DIR /usr/lib/fwsnort;
+LIBS_DIR /usr/lib/fwsnort; ### for perl modules
+STATE_DIR /var/lib/fwsnort;
+ARCHIVE_DIR $STATE_DIR/archive;
CONF_FILE $CONF_DIR/fwsnort.conf;
LOG_FILE $LOG_DIR/fwsnort.log;
-FWSNORT_SCRIPT $CONF_DIR/fwsnort_iptcmds.sh; ### slow version
-FWSNORT_SAVE_EXEC_FILE $CONF_DIR/fwsnort.sh; ### main fwsnort.sh script
-FWSNORT_SAVE_FILE $CONF_DIR/fwsnort.save; ### main fwsnort.save file
-IPT_BACKUP_SAVE_FILE $CONF_DIR/iptables.save; ### iptables policy backup
+FWSNORT_SCRIPT $STATE_DIR/fwsnort_iptcmds.sh; ### slow version
+FWSNORT_SAVE_EXEC_FILE $STATE_DIR/fwsnort.sh; ### main fwsnort.sh script
+FWSNORT_SAVE_FILE $STATE_DIR/fwsnort.save; ### main fwsnort.save file
+IPT_BACKUP_SAVE_FILE $STATE_DIR/iptables.save; ### iptables policy backup
### system binaries
shCmd /bin/sh;
@@ -215,7 +215,7 @@ ()
print "\n========================================================\n",
"\n[+] fwsnort will generate an iptables script located at:\n",
- " /etc/fwsnort/fwsnort.sh when executed.\n",
+ " /var/lib/fwsnort.sh when executed.\n",
"\n[+] fwsnort has been successfully installed!\n\n";
return;
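Review bot: The replacement path on the changed line is wrong: `/var/lib/fwsnort.sh` is not where the script is written, since the fwsnort.conf hunk in this commit sets `STATE_DIR /var/lib/fwsnort;` and `FWSNORT_SAVE_EXEC_FILE $STATE_DIR/fwsnort.sh;`. The message should read `" /var/lib/fwsnort/fwsnort.sh when executed.\n",`, or better, be derived from the configured value so the two cannot drift apart again. The enclosing sub begins outside the hunk.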
