more changes for firewalld

2014-08-31 00:29:17 -04:00 · 2014-08-31 00:29:17 -04:00 · 25d252c11a
commit 25d252c11a
parent e54383b518
4 changed files with 63 additions and 31 deletions
--- a/README.md
+++ b/README.md
@ -9,9 +9,9 @@ default-drop filtering stance. The main application of SPA is to use a firewall
 to drop all attempts to connect to services such as SSH in order to make the
 exploitation of vulnerabilities (both 0-day and unpatched code) more difficult.
 Because there are no open ports, any service that is concealed by SPA naturally
-cannot be scanned for with Nmap. The fwknop project supports three different
-firewalls: iptables on Linux systems, pf on OpenBSD, and ipfw on FreeBSD and
-Mac OS X.
+cannot be scanned for with Nmap. The fwknop project supports four different
+firewalls: firewalld and iptables on Linux systems, pf on OpenBSD, and ipfw on
+FreeBSD and Mac OS X.

 SPA is essentially next generation Port Knocking (PK), but solves many of the
 limitations exhibited by PK while retaining its core benefits. PK limitations
@ -103,6 +103,9 @@ the `INSTALL` file for the general basics on using autoconf.
      --with-gpgme-prefix=PFX prefix where GPGME is installed (optional)
      --with-gpg=/path/to/gpg Specify path to the gpg executable that gpgme will
                              use [default=check path]
+      --with-firewalld=/path/to/firewalld
+                              Specify path to the firewalld executable
+                              [default=check path]
      --with-iptables=/path/to/iptables
                              Specify path to the iptables executable
                              [default=check path]
--- a/configure.ac
+++ b/configure.ac
@ -476,6 +476,24 @@ AS_IF([test "$want_server" = yes], [
  AM_CONDITIONAL([USE_NDBM], [test x$use_ndbm = xyes])
  AM_CONDITIONAL([CONFIG_FILE_CACHE], [test x$want_file_cache = xyes])

+dnl Check for firewalld
+dnl
+  AC_ARG_WITH([firewall-cmd],
+    [AS_HELP_STRING([--with-firewall-cmd=/path/to/firewall-cmd],
+      [Specify path to the firewall-cmd executable @<:@default=check path@:>@])],
+    [
+      AS_IF([ test "x$withval" = xno ], [],
+        AS_IF([ test "x$withval" = x -o "x$withval" = xyes ],
+          [AC_MSG_ERROR([--with-firewall-cmd requires an argument specifying a path to firewall-cmd])],
+          [ FORCE_FIREWALLD_EXE=$withval ]
+        )
+      )
+    ],
+    [
+      AC_PATH_PROG(FIREWALLD_EXE, [firewall-cmd], [], [$APP_PATH])
+    ]
+  )
+
 dnl Check for iptables
 dnl
  AC_ARG_WITH([iptables],
@ -550,6 +568,9 @@ dnl

 dnl If a firewall was forced. set the appropriate _EXE var and clear the others.
 dnl
+  AS_IF([test "x$FORCE_FIREWALLD_EXE" != x], [
+    FIREWALLD_EXE="$FORCE_FIREWALLD_EXE"    
+  ],[
  AS_IF([test "x$FORCE_IPTABLES_EXE" != x], [
    IPTABLES_EXE="$FORCE_IPTABLES_EXE"    
  ],[
@ -571,12 +592,19 @@ dnl
      ]
    ]
  ]
-  ))))
+  ]
+  )))))

 dnl Determine which firewall exe we use (if we have one).
-dnl If iptables was found or specified, it wins, then we fallback to ipfw,
-dnl then pf, and otherwise we try ipf.
+dnl If firewalld was found or specified, it wins, then we fallback to iptables,
+dnl then ipfw, pf, and otherwise we try ipf.
 dnl
+  AS_IF([test "x$FIREWALLD_EXE" != x], [
+      FW_DEF="FW_FIREWALLD"
+      FIREWALL_TYPE="firewalld" 
+      FIREWALL_EXE=$FIREWALLD_EXE
+      AC_DEFINE_UNQUOTED([FIREWALL_FIREWALLD], [1], [The firewall type: firewalld.])
+  ],[
  AS_IF([test "x$IPTABLES_EXE" != x], [
      FW_DEF="FW_IPTABLES"
      FIREWALL_TYPE="iptables" 
@ -604,7 +632,8 @@ dnl
        ]
    ]
  ]
-  ))))
+  ]
+  )))))

  AC_DEFINE_UNQUOTED([FIREWALL_EXE], ["$FIREWALL_EXE"],
    [Path to firewall command executable (it should match the firewall type).])
--- a/fwknop.spec
+++ b/fwknop.spec
@ -50,11 +50,11 @@ Requires:	libfko => 2.0.3, libpcap, iptables

 %description
 Fwknop implements an authorization scheme known as Single Packet Authorization
-(SPA) for Linux systems running iptables.  This mechanism requires only a
-single encrypted and non-replayed packet to communicate various pieces of
-information including desired access through an iptables policy. The main
-application of this program is to use iptables in a default-drop stance to
-protect services such as SSH with an additional layer of security in order
+(SPA) for Linux systems running firewalld or iptables.  This mechanism requires
+only a single encrypted and non-replayed packet to communicate various pieces of
+information including desired access through a firewalld or iptables policy. The
+main application of this program is to use firewalld or iptables in a default-drop
+stance to protect services such as SSH with an additional layer of security in order
 to make the exploitation of vulnerabilities (both 0-day and unpatched code)
 much more difficult.

--- a/server/fw_util_firewalld.h
+++ b/server/fw_util_firewalld.h
@ -35,25 +35,25 @@

 /* firewalld command args
 */
-#define FIREWD_CHK_RULE_ARGS       "--direct --passthrough -C %s %s"  /* 2>&1 is always added in the second %s */
-#define FIREWD_RULE_ARGS           "--direct --passthrough -t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define FIREWD_OUT_RULE_ARGS       "--direct --passthrough -t %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define FIREWD_FWD_RULE_ARGS       "--direct --passthrough -t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
-#define FIREWD_DNAT_RULE_ARGS      "--direct --passthrough -t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
-#define FIREWD_SNAT_RULE_ARGS      "--direct --passthrough -t %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
-#define FIREWD_TMP_COMMENT_ARGS    "--direct --passthrough -t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s 2>&1"
-#define FIREWD_TMP_CHK_RULE_ARGS   "--direct --passthrough -t %s -I %s %i -s 127.0.0.2 -p udp -j %s 2>&1"
-#define FIREWD_TMP_VERIFY_CHK_ARGS "--direct --passthrough -t %s -C %s -s 127.0.0.2 -p udp -j %s 2>&1"
-#define FIREWD_DEL_RULE_ARGS       "--direct --passthrough -t %s -D %s %i 2>&1"
-#define FIREWD_NEW_CHAIN_ARGS      "--direct --passthrough -t %s -N %s 2>&1"
-#define FIREWD_FLUSH_CHAIN_ARGS    "--direct --passthrough -t %s -F %s 2>&1"
-#define FIREWD_CHAIN_EXISTS_ARGS   "--direct --passthrough -t %s -L %s -n 2>&1"
-#define FIREWD_DEL_CHAIN_ARGS      "--direct --passthrough -t %s -X %s 2>&1"
-#define FIREWD_CHK_JUMP_RULE_ARGS  "--direct --passthrough -t %s -j %s 2>&1"
-#define FIREWD_ADD_JUMP_RULE_ARGS  "--direct --passthrough -t %s -I %s %i -j %s 2>&1"
-#define FIREWD_DEL_JUMP_RULE_ARGS  "--direct --passthrough -t %s -D %s -j %s 2>&1"  /* let firewalld work out the rule number */
-#define FIREWD_LIST_RULES_ARGS     "--direct --passthrough -t %s -L %s --line-numbers -n 2>&1"
-#define FIREWD_LIST_ALL_RULES_ARGS "--direct --passthrough -t %s -v -n -L --line-numbers 2>&1"
+#define FIREWD_CHK_RULE_ARGS       "--direct --passthrough ipv4 -C %s %s"  /* 2>&1 is always added in the second %s */
+#define FIREWD_RULE_ARGS           "--direct --passthrough ipv4 -t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define FIREWD_OUT_RULE_ARGS       "--direct --passthrough ipv4 -t %s -p %i -d %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define FIREWD_FWD_RULE_ARGS       "--direct --passthrough ipv4 -t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s 2>&1"
+#define FIREWD_DNAT_RULE_ARGS      "--direct --passthrough ipv4 -t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i 2>&1"
+#define FIREWD_SNAT_RULE_ARGS      "--direct --passthrough ipv4 -t %s -p %i -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s %s 2>&1"
+#define FIREWD_TMP_COMMENT_ARGS    "--direct --passthrough ipv4 -t %s -I %s %i -s 127.0.0.2 -m comment --comment " TMP_COMMENT " -j %s 2>&1"
+#define FIREWD_TMP_CHK_RULE_ARGS   "--direct --passthrough ipv4 -t %s -I %s %i -s 127.0.0.2 -p udp -j %s 2>&1"
+#define FIREWD_TMP_VERIFY_CHK_ARGS "--direct --passthrough ipv4 -t %s -C %s -s 127.0.0.2 -p udp -j %s 2>&1"
+#define FIREWD_DEL_RULE_ARGS       "--direct --passthrough ipv4 -t %s -D %s %i 2>&1"
+#define FIREWD_NEW_CHAIN_ARGS      "--direct --passthrough ipv4 -t %s -N %s 2>&1"
+#define FIREWD_FLUSH_CHAIN_ARGS    "--direct --passthrough ipv4 -t %s -F %s 2>&1"
+#define FIREWD_CHAIN_EXISTS_ARGS   "--direct --passthrough ipv4 -t %s -L %s -n 2>&1"
+#define FIREWD_DEL_CHAIN_ARGS      "--direct --passthrough ipv4 -t %s -X %s 2>&1"
+#define FIREWD_CHK_JUMP_RULE_ARGS  "--direct --passthrough ipv4 -t %s -j %s 2>&1"
+#define FIREWD_ADD_JUMP_RULE_ARGS  "--direct --passthrough ipv4 -t %s -I %s %i -j %s 2>&1"
+#define FIREWD_DEL_JUMP_RULE_ARGS  "--direct --passthrough ipv4 -t %s -D %s -j %s 2>&1"  /* let firewalld work out the rule number */
+#define FIREWD_LIST_RULES_ARGS     "--direct --passthrough ipv4 -t %s -L %s --line-numbers -n 2>&1"
+#define FIREWD_LIST_ALL_RULES_ARGS "--direct --passthrough ipv4 -t %s -v -n -L --line-numbers 2>&1"

 int validate_firewd_chain_conf(const char * const chain_str);