walterdejong / firewater Goto Github PK

Hi,

It seems that the kernel settings are never changed.
The code is:

# change linux kernel settings
if [ "LINUX_KERNEL_SETTINGS" = "yes" ]
then
        echo $RP_FILTER >/proc/sys/net/ipv4/conf/all/rp_filter
        echo $LOG_MARTIANS >/proc/sys/net/ipv4/conf/all/log_martians
        echo $TCP_SYNCOOKIES >/proc/sys/net/ipv4/tcp_syncookies
fi

Because there is no "$" in front of the parameter it is taken literally and never changed.

nested ifdef/ifndef/else/endif constructs do not work correctly.

problem with init.d/ script (under contrib/)
if $compiled_ruleset does not exist, you can't do anything any more because the init-script will exit immediately with exit code 1

It's really an iptables-restore bug, but it would be nice if firewater would not generate lines that are too long for iptables-restore.

make a long line and continue it with backslash. Use option -v. It will only display the first part of the long line.

root# service firewater test
/etc/firewater.rules:56: failed to resolve 'bestaatniet'

warning: your changes have not been committed
warning: use '/etc/init.d/firewater commit' to save the ruleset


root# echo $?
0

root# /etc/init.d/firewater test
/etc/firewater.rules:56: failed to resolve 'bestaatniet'

warning: your changes have not been committed
warning: use '/etc/init.d/firewater commit' to save the ruleset


root# echo $?
0

If the test would exit 1, it would be possible to check test result from automated scripts etc

The echo and verbatim statements output system-specific lines. These lines are invalid when a different output module than "iptables" is selected. Come to think of it, different output modules are not supported yet. (But they will be).

To counter this problem an "ifdef" statement is needed. Syntax:

ifdef module

endif

No need for an "else" statement, and personally I find "elif" confusing.

firewater is Python 2 code. Python 2 goes end-of-life soon: https://pythonclock.org/

Firewater cannot handle iptables rules with the -t option.

For example the iptable command:

iptables -t nat -A POSTROUTING -o iface -j MASQUERADE

setting in firewater rules:

echo -t nat -A POSTROUTING -o iface -j MASQUERADE

will fail:

root# /etc/init.d/firewater commit
Starting firewater hostbased firewall ...
iptables-restore v1.4.8: Line 25 seems to have a -t table option.

Error occurred at line: 25
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

iptables-restore can not handle the -t option.

To restore nat/routing iptables, the input for iptables-restore should look like this for example:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o iface -j MASQUERADE
COMMIT

ifdef doesn't work as expected when you do something like this:

ifdef MYDEF
iface public eth0
endif

ifndef MYDEF
iface public eth1
endif

It will produce an error and say that interface 'public' is already defined.
Apparently the ifdef only works around rules, not around definitions.

The help message says that the rule syntax is in the documentation, but the documentation is missing

if you make a line like this:

interface admin-interfaces adm_if0, adm_if1, adm_if2
adm_if3, adm_if4

the output will be wrong. The result is something like:

iptables -A INPUT -i adm_if2 adm_if3 -s sourceaddr -p tcp ...

This happens because there is no comma after "adm_if2" in the interface definition, which is really a syntax error.