my $logfile = '';
my $rules_dir = '';
my $homedir = '';
+my $abs_num = 0;
my $run_last = 0;
my $queue_rules_dir = '';
my $queue_pre_match_max = 0;
my $ipt_print_type = 0;
my $ipt_check_capabilities = 0;
my $ipt_rule_ctr = 1;
-my $ipt_sync = 1;
+my $ipt_sync = 0;
my $ipt_flush = 0;
my $ipt_del_chains = 0;
my $ipt_list = 0;
my $ipt_file = '';
my $no_pcre = 0;
-my $no_ipt_sync = 0;
my $no_ipt_log = 0;
my $no_ipt_test = 0;
my $no_ipt_jumps = 0;
my $no_ipt_output = 0;
my $no_addr_check = 0;
my $no_ipt_forward = 0;
+my $ignore_opt = 0;
my $include_sids = '';
my $exclude_sids = '';
my $add_deleted = 0;
}
}
- my $abs_num = 0;
my $sabs_num = 0;
my $tot_ipt_apply = 0;
my $tot_unsup_ctr = 0;
}
unless ($is_root) {
- $no_ipt_sync = 1;
$no_ipt_test = 1;
}
}
}
- $ipt_sync = 0 if $no_ipt_sync;
-
if ($enable_ip6tables) {
### switch to ip6tables
$ipt_var_str = 'IP6TABLES';
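Review bot: Dropping `$no_ipt_sync = 1;` from the `unless ($is_root)` block means a non-root run that passes the new `--ipt-sync` flag is no longer forced off the sync path, while `$no_ipt_test = 1;` is still forced there. If the sync path consults the running iptables policy (not visible in this hunk), it will fail or behave differently without root, so the old guarantee is worth keeping with `$ipt_sync = 0;` alongside `$no_ipt_test = 1;`. The block that encloses these lines starts outside the hunk.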
'snort-rfile=s' => \$rules_file, # Translate a single rules file.
'no-pcre' => \$no_pcre, # Make no attempt to translate PCRE's.
'no-addresses' => \$no_addr_check, # Don't check local ifconfig output.
- 'no-ipt-sync' => \$no_ipt_sync, # Do not sync with the iptables policy.
+ 'no-ipt-sync' => \$ignore_opt, # Do not sync with the iptables policy.
+ 'ipt-sync' => \$ipt_sync, # Sync fwsnort ruls with the iptables
+ # policy.
'no-ipt-log' => \$no_ipt_log, # Do not generate iptables logging rules.
- 'no-ipt-test' => \$no_ipt_test, # Don't perform any checks against
- # iptables.
+ 'no-ipt-test' => \$no_ipt_test, # Don't perform any checks for
+ # iptables capabilities.
'no-ipt-jumps' => \$no_ipt_jumps, # Don't jump packets from the INPUT or
# FORWARD chains.
'no-ipt-conntrack' => \$no_ipt_conntrack, # Don't use iptables connection
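Review bot: The comment on the new `'ipt-sync'` entry misspells "rules"; suggest `'ipt-sync' => \$ipt_sync, # Sync fwsnort rules with the iptables`. The deprecated `'no-ipt-sync'` entry is routed to `$ignore_opt`, so it is accepted without any feedback; since the new default already does what the option used to request this is harmless, but if this hash feeds Getopt::Long a code-ref destination such as `'no-ipt-sync' => sub { warn "[-] --no-ipt-sync is deprecated (now the default)\n" },` would tell the user the flag no longer does anything. The options hash begins and ends outside the hunk.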
FWSNORT_FORWARD_JUMP MAX_STRING_LEN CONF_DIR RULES_DIR ARCHIVE_DIR
QUEUE_RULES_DIR LOG_DIR LIBS_DIR CONF_FILE FWSNORT_SCRIPT LOG_FILE
FWSNORT_SAVE_FILE FWSNORT_SAVE_EXEC_FILE IPT_BACKUP_SAVE_FILE
- UPDATE_RULES_URL
+ UPDATE_RULES_URL STATE_DIR
);
for my $var (@required_vars) {
die "[*] Variable $var not defined in $fwsnort_conf. Exiting.\n"
### import fwsnort perl modules
&import_perl_modules();
+ for my $dir ($config{'LOG_DIR'}, $config{'STATE_DIR'}) {
+ unless (-d $dir) {
+ mkdir $dir, 0755 or die "[*] Could not mkdir($dir): $!";
+ }
+ }
+
unless (-d $config{'ARCHIVE_DIR'}) {
mkdir $config{'ARCHIVE_DIR'}, 0500 or
die "[*] Could not mkdir($config{'ARCHIVE_DIR'}): $!";
}
- unless (-d $config{'LOG_DIR'}) {
- mkdir $config{'LOG_DIR'}, 0755 or
- die "[*] Could not mkdir($config{'LOG_DIR'}): $!";
- }
-
if (($queue_mode or $nfqueue_mode) and not -d $config{'QUEUE_RULES_DIR'}) {
mkdir $config{'QUEUE_RULES_DIR'}, 0500 or die $!;
}
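Review bot: The new loop creates `$config{'STATE_DIR'}` with mode 0755, while the other private directories created right below it (`ARCHIVE_DIR`, `QUEUE_RULES_DIR`) use 0500; per the config section later in this diff, STATE_DIR is where `FWSNORT_SAVE_FILE`, `FWSNORT_SAVE_EXEC_FILE` and the `IPT_BACKUP_SAVE_FILE` iptables policy backup now live, so a world-traversable parent exposes the running firewall policy to any local user unless the files themselves are created with restrictive modes (not visible here). Suggest creating STATE_DIR on its own with 0700 and keeping the 0755 loop for LOG_DIR only, e.g. `mkdir $config{'STATE_DIR'}, 0700 or die "[*] Could not mkdir($config{'STATE_DIR'}): $!";`. The same consideration applies to the `STATE_DIR /var/lib/fwsnort;` default in the config hunk, where a comment stating the expected permissions would help packagers.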
my @fws_exec_lines = ();
push @fws_exec_lines, &hdr_lines();
- push @fws_exec_lines, qq|echo " "|, qq|echo "[+] Splicing fwsnort rules | .
+ push @fws_exec_lines, qq|echo " "|, qq|echo "[+] Splicing fwsnort $abs_num rules | .
qq|into the $ipt_str policy..."|,
"$restore_bin < $config{'FWSNORT_SAVE_FILE'}",
qq|echo " Done."\n|,
--ipt-check-capabilities - Check iptables capabilities and exit.
--no-ipt-comments - Do not add Snort "msg" fields to iptables
rules with the iptables comment match.
- --no-ipt-sync - Add iptables rules for signatures that
- are already blocked by iptables.
+ --ipt-sync - Only add iptables rules for signatures that
+ are not already blocked by iptables.
--no-ipt-log - Do not generate iptables log rules
(can only be used with --ipt-drop).
--no-ipt-test - Do not run any checks for availability
with the \-\-no-ipt-log option, but \-\-ipt-drop must also be specified.
.TP
.BR \-\^\-no-ipt-sync
-Do not consult the iptables policy currently running on the machine
-for applicable snort rules. Unless limited with the \-\-include-type or \-\-snort-sid
-options this can result in a fwsnort.sh script that contains several
-thousand iptables rules.
+This is a deprecated option since the default behavior is to translate as
+many Snort rules into iptables rules as possible. With
+.B fwsnort
+able to produce iptables rules in iptables\-save format, it is extremely fast
+to instantiate a large set of translated Snort rules into an iptables policy.
+A new \-\-ipt-sync option has been added to reverse this behavior (not
+recommended).
+.TP
+.BR \-\^\-ipt-sync
+Consult the iptables policy currently running on the machine
+for applicable snort rules.
.TP
.BR \-\^\-no-ipt-test
Do not test the iptables build for existence of support for the LOG and
### fwsnort library path
CONF_DIR /etc/fwsnort;
RULES_DIR $CONF_DIR/snort_rules;
-ARCHIVE_DIR $CONF_DIR/archive;
QUEUE_RULES_DIR $CONF_DIR/snort_rules_queue;
LOG_DIR /var/log/fwsnort;
-LIBS_DIR /usr/lib/fwsnort;
+LIBS_DIR /usr/lib/fwsnort; ### for perl modules
+STATE_DIR /var/lib/fwsnort;
+ARCHIVE_DIR $STATE_DIR/archive;
CONF_FILE $CONF_DIR/fwsnort.conf;
LOG_FILE $LOG_DIR/fwsnort.log;
-FWSNORT_SCRIPT $CONF_DIR/fwsnort_iptcmds.sh; ### slow version
-FWSNORT_SAVE_EXEC_FILE $CONF_DIR/fwsnort.sh; ### main fwsnort.sh script
-FWSNORT_SAVE_FILE $CONF_DIR/fwsnort.save; ### main fwsnort.save file
-IPT_BACKUP_SAVE_FILE $CONF_DIR/iptables.save; ### iptables policy backup
+FWSNORT_SCRIPT $STATE_DIR/fwsnort_iptcmds.sh; ### slow version
+FWSNORT_SAVE_EXEC_FILE $STATE_DIR/fwsnort.sh; ### main fwsnort.sh script
+FWSNORT_SAVE_FILE $STATE_DIR/fwsnort.save; ### main fwsnort.save file
+IPT_BACKUP_SAVE_FILE $STATE_DIR/iptables.save; ### iptables policy backup
### system binaries
shCmd /bin/sh;