Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-06-19 Thread Matt Darfeuille
On 6/19/2018 7:14 PM, Brian J. Murrell wrote:
> On Tue, 2018-06-19 at 09:39 -0700, Tom Eastep wrote:
>>
>> It is in 5.2.0
> 
> Hrm.  I had to patch /usr/share/shorewall/action.IfEvent by hand with
> 5.2.0.
> 
>> Does your distro install the common Shorewall files in
>> a directory other than /usr/share/shorewall/?
> 
> I don't believe so, no:
> 
> $ rpm -qf /usr/share/shorewall/action.IfEvent
> shorewall-5.2.0-0.01.fc28.noarch
> 
>> Does 'shorewall show
>> actions' list IfEvent?
> 
> $ sudo shorewall show actions | grep IfEvent
> IfEvent  noinline   # Perform an action based on an event
> 
> Here's what's in the tarball I downloaded:
> 
> $ md5sum shorewall-5.2.0.tar.bz2 
> 64197788451a266d542f0af17fa9da12  shorewall-5.2.0.tar.bz2
> $ tar xOjvf shorewall-5.2.0.tar.bz2 shorewall-5.2.0/Actions/action.IfEvent | sed -ne '135,141p'
> #
> # if the event is armed, remove it and perform the action
> #
> perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
> } elsif ( $command & $UPDATE_CMD ) {
> perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
> } else {
> 
> Which looks to me like the unpatched version, or am I mistaken?
> 
> I'd do some git archaeology to see when this patch went in but it seems
> SF's git-web interface is pretty immature in that respect.  Github's
> "Blame" functionality would tell the story.
> 

Looks like the change is in tag '5.2.0.1' in the code repo.

-Matt
-- 
Matt Darfeuille

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-06-19 Thread Brian J. Murrell
On Tue, 2018-06-19 at 09:39 -0700, Tom Eastep wrote:
> 
> It is in 5.2.0

Hrm.  I had to patch /usr/share/shorewall/action.IfEvent by hand with
5.2.0.

> Does your distro install the common Shorewall files in
> a directory other than /usr/share/shorewall/?

I don't believe so, no:

$ rpm -qf /usr/share/shorewall/action.IfEvent
shorewall-5.2.0-0.01.fc28.noarch

> Does 'shorewall show
> actions' list IfEvent?

$ sudo shorewall show actions | grep IfEvent
IfEvent  noinline   # Perform an action based on an event

Here's what's in the tarball I downloaded:

$ md5sum shorewall-5.2.0.tar.bz2 
64197788451a266d542f0af17fa9da12  shorewall-5.2.0.tar.bz2
$ tar xOjvf shorewall-5.2.0.tar.bz2 shorewall-5.2.0/Actions/action.IfEvent | sed -ne '135,141p'
#
# if the event is armed, remove it and perform the action
#
perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
} elsif ( $command & $UPDATE_CMD ) {
perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
} else {

Which looks to me like the unpatched version, or am I mistaken?

I'd do some git archaeology to see when this patch went in but it seems
SF's git-web interface is pretty immature in that respect.  Github's
"Blame" functionality would tell the story.

Speaking of git, you have 3 merge requests open on Shorewall, FWIW. 
Some have been there quite a while.

Cheers,
b.




Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-06-19 Thread Tom Eastep
On 06/19/2018 08:41 AM, Brian J. Murrell wrote:
> On Fri, 2018-04-13 at 09:08 -0700, Tom Eastep wrote:
>>
>> In the process, I discovered a bug in the 'reset' logic of IfEvent()
>> when 'dst' is specified; that bug is corrected by the attached patch:
>>
>> patch /usr/share/shorewall/action.IfEvent < IfEvent.patch
> 
> I see this is missing from 5.2.0.  Is it queued for a subsequent
> release?
> 

It is in 5.2.0 - Does your distro install the common Shorewall files in
a directory other than /usr/share/shorewall/? Does 'shorewall show
actions' list IfEvent?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-06-19 Thread Brian J. Murrell
On Fri, 2018-04-13 at 09:08 -0700, Tom Eastep wrote:
> 
> In the process, I discovered a bug in the 'reset' logic of IfEvent()
> when 'dst' is specified; that bug is corrected by the attached patch:
> 
> patch /usr/share/shorewall/action.IfEvent < IfEvent.patch

I see this is missing from 5.2.0.  Is it queued for a subsequent
release?

Cheers,
b.




Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-04-15 Thread Tom Eastep
On 04/15/2018 08:38 AM, Brian J. Murrell wrote:
> On Fri, 2018-04-13 at 09:08 -0700, Tom Eastep wrote:
>>
>> I've tested the following:
>>
>> #
>> #
>> # IRC
>> #
>> SetEvent(IRC)  { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPORT=6667 }
>> IfEvent(IRC,ACCEPT,10,1,dst,reset){ SOURCE=net, DEST=loc,apps, PROTO=tcp, DPORT=113 }
> 
> What is the significance of "apps" in these two rules?  Is it just
> another zone name in your configuration?
> 

Yes -- it is just another zone name.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-04-15 Thread Tom Eastep
On 04/15/2018 08:46 AM, Brian J. Murrell wrote:
> Damn.  I knew I shouldn't have hit send so quickly...
> 
> On Fri, 2018-04-13 at 09:08 -0700, Tom Eastep wrote:
>> diff --git a/Shorewall/Actions/action.IfEvent 
>> b/Shorewall/Actions/action.IfEvent
>> index 5f245ed22..64cbb8e25 100644
>> --- a/Shorewall/Actions/action.IfEvent
>> +++ b/Shorewall/Actions/action.IfEvent
>> @@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
>>  #
>>  # if the event is armed, remove it and perform the action
>>  #
>> -perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent 
>> --remove --name $event" );
>> +perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent 
>> --remove --name $event $srcdest" );
> 
> $srcdest here or $srcdst?
> 
>>  } elsif ( $command & $UPDATE_CMD ) {
>>  perl_action_helper( $action, "-m recent --update ${duration}--hitcount 
>> $hitcount --name $event $srcdst" );
>>  } else {
> 

Should be $srcdst.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-04-15 Thread Brian J. Murrell
Damn.  I knew I shouldn't have hit send so quickly...

On Fri, 2018-04-13 at 09:08 -0700, Tom Eastep wrote:
> diff --git a/Shorewall/Actions/action.IfEvent 
> b/Shorewall/Actions/action.IfEvent
> index 5f245ed22..64cbb8e25 100644
> --- a/Shorewall/Actions/action.IfEvent
> +++ b/Shorewall/Actions/action.IfEvent
> @@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
>  #
>  # if the event is armed, remove it and perform the action
>  #
> -perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent 
> --remove --name $event" );
> +perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent 
> --remove --name $event $srcdest" );

$srcdest here or $srcdst?

>  } elsif ( $command & $UPDATE_CMD ) {
>  perl_action_helper( $action, "-m recent --update ${duration}--hitcount 
> $hitcount --name $event $srcdst" );
>  } else {

Cheers,
b.




Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-04-15 Thread Brian J. Murrell
On Fri, 2018-04-13 at 09:08 -0700, Tom Eastep wrote:
> 
> I've tested the following:
> 
> #
> #
> # IRC
> #
> SetEvent(IRC)   { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPORT=6667 }
> IfEvent(IRC,ACCEPT,10,1,dst,reset){ SOURCE=net, DEST=loc,apps, PROTO=tcp, DPORT=113 }

What is the significance of "apps" in these two rules?  Is it just
another zone name in your configuration?

Cheers,
b.




Re: [Shorewall-users] using events to allow ident only from recent irc connections

2018-04-13 Thread Tom Eastep
On 04/13/2018 06:24 AM, Brian J. Murrell wrote:
> I'm having trouble wrapping my mind around what the Events
> configuration looks like for the use-case of an IRC server wanting to
> reach the ident server of an IRC client on connect.
>
> I.e. If IRC client C makes a connection to IRC server S on port 6667,
> then IRC server S is allowed to connect from any port to IRC client C
> on port 113 for the next 10 seconds.
>
> Any hints?
I've tested the following:


##
# IRC
#
SetEvent(IRC) { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPORT=6667 }
IfEvent(IRC,ACCEPT,10,1,dst,reset){ SOURCE=net, DEST=loc,apps, PROTO=tcp, DPORT=113 }

In the process, I discovered a bug in the 'reset' logic of IfEvent()
when 'dst' is specified; that bug is corrected by the attached patch:

patch /usr/share/shorewall/action.IfEvent < IfEvent.patch

-Tom

-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
  \___

diff --git a/Shorewall/Actions/action.IfEvent b/Shorewall/Actions/action.IfEvent
index 5f245ed22..64cbb8e25 100644
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
 #
 # if the event is armed, remove it and perform the action
 #
-perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdest" );
 } elsif ( $command & $UPDATE_CMD ) {
 perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {
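Review bot: the `+` line in this hunk appends `$srcdest`, but the `--update` branch in the same hunk (`... --name $event $srcdst" );`) spells the variable `$srcdst`; the two names differ, so the reset path would interpolate a different, presumably unset, variable and still emit `--remove` without the `--rdest` selector the `dst` case needs. Suggest `--remove --name $event $srcdst` so the remove is keyed on the same address as the check/update rules.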


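As an added illustration (not Shorewall's own code), a small Python model of the iptables recent-module semantics behind Tom's SetEvent/IfEvent rules above, replaying the IRC-then-ident exchange and showing why the reset path needs the `--rdest` selector (`$srcdst`) when `dst` is given; the addresses and timings are constructed sample values.

```python
"""Toy model of the iptables 'recent' match driven by the thread's
SetEvent(IRC)/IfEvent(IRC,ACCEPT,10,1,dst,reset) rules.  Added illustration,
not Shorewall code: list semantics follow the -m recent options
(--set/--rcheck/--remove, --rdest); addresses below are constructed."""
import time


class RecentList:
    """One named recent list: address -> time of the last --set."""
    def __init__(self):
        self.entries = {}

    @staticmethod
    def _key(pkt, rdest):
        # --rdest keys on the destination address; the default is the source
        return pkt["dst"] if rdest else pkt["src"]

    def set(self, pkt, rdest=False, now=None):
        """-m recent --set: add/refresh the keyed address; always matches."""
        self.entries[self._key(pkt, rdest)] = time.time() if now is None else now
        return True

    def rcheck(self, pkt, seconds, rdest=False, now=None):
        """-m recent --rcheck --seconds N: match if seen within N seconds."""
        now = time.time() if now is None else now
        seen = self.entries.get(self._key(pkt, rdest))
        return seen is not None and now - seen <= seconds

    def remove(self, pkt, rdest=False):
        """-m recent --remove: match only if the keyed address was listed."""
        return self.entries.pop(self._key(pkt, rdest), None) is not None


def ident_allowed(fixed, delay=3, now=0):
    """Replay the scenario: client 10.0.0.5 opens IRC (6667) to 203.0.113.7,
    and `delay` seconds later the server connects back to the client's
    port 113.  Returns True if the IfEvent rule would ACCEPT that packet."""
    irc = RecentList()
    outbound = {"src": "10.0.0.5", "dst": "203.0.113.7"}
    inbound = {"src": "203.0.113.7", "dst": "10.0.0.5"}
    irc.set(outbound, now=now)             # SetEvent(IRC): records the client
    # IfEvent 'dst' => --rdest: the inbound packet's destination is the client
    if not irc.rcheck(inbound, seconds=10, rdest=True, now=now + delay):
        return False                       # event expired or never armed
    # 'reset': the action fires only if the --remove rule matches.  Without
    # $srcdst (--rdest) the remove looks up the server's address instead,
    # finds nothing, and the ACCEPT never happens.
    return irc.remove(inbound, rdest=fixed)
```

`ident_allowed(fixed=False)` reproduces the unpatched behaviour described in the thread; `ident_allowed(fixed=True)` is the patched one, and a delay over 10 seconds fails in both.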