
List:       ossec-dev
Subject:    Re: [ossec-dev] Re: firewall-drop.sh
From:       David ROBERT <castlebbs () gmail ! com>
Date:       2010-05-18 20:47:30
Message-ID: AANLkTimtLc9wHYrC24FAp_q3UDTFQSuXsvN0BHbZZz0G () mail ! gmail ! com

Hi Daniel,

My opinion is that, since enabling logging is one more rule, I like the
idea of maintaining only one script. We could add a parameter when
invoking the script, but we can as well define the setting at the
beginning of the script (the two options are not exclusive).

The only thing is that, to achieve this, it's better to create a
function within the script responsible for launching the iptables
commands. This function would take two inputs (IP and action: add or
delete) and check the value of a variable (eg LOG). If LOG=yes it
would create the rules for logging as well.

I can propose you a patch for this if you want.

David
http://blog.ombrepixel.com/

2010/5/14 Daniel Cid <dcid@ossec.net>:
> Hi David,
>
> Thanks for the patch and cleaning the code :) That duplication there was
> just silly.
>
> I am not going to enable the firewall logging by default, but we can add it as
> a parameter in the script (or just create a separate one, like
> firewall-droplog.sh).
>
> Any preferences?
>
> Thanks,
>
> On Thu, May 13, 2010 at 7:47 AM, David ROBERT <castlebbs@gmail.com> wrote:
>> Hi all,
>>
>> I have implemented the logging in this patch:
>> http://blog.ombrepixel.com/public/firewall-drop.sh.patch
>>
>> I changed a bit the loop structure to prevent having to duplicate too
>> much code. Storing all iptables arguments in a single shell variable
>> seems to cause some problems if we want to define a --log-prefix that
>> needs to include spaces characters (limitation of shell variable
>> substitution) so I haven't defined one.
>>
>> David ROBERT
>> http://blog.ombrepixel.com/
>>
>> On May 7, 11:43 am, David ROBERT <da...@ombrepixel.com> wrote:
>>> Hi all,
>>>
>>> I am about to change firewall-drop.sh to add logging of packets
>>> dropped by iptables.
>>> However, the way the script is written makes things harder (no
>>> functions, 18 lines of code need to be copied/pasted for each iptables
>>> command needed etc.).
>>> If I try to clean up this script, will this be useful for anyone, or do
>>> you prefer leaving this script as-is?
>>>
>>> Also, looking at the code below since COUNT is not put back to 0
>>> before the next while loop, I am not sure that the logic will work as
>>> expected. What do you think?
>>>
>>>    # Executing and exiting
>>>    COUNT=0;
>>>    while [ 1 ]; do
>>>        echo ".."
>>>         ${IPTABLES} ${ARG1}
>>>         RES=$?
>>>         if [ $RES = 0 ]; then
>>>             break;
>>>         else
>>>             COUNT=`expr $COUNT + 1`;
>>>             echo "`date` Unable to run (iptables returning != $RES):
>>> $COUNT - $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
>>>             sleep $COUNT;
>>>
>>>             if [ $COUNT -gt 4 ]; then
>>>                 break;
>>>             fi
>>>         fi
>>>    done
>>>
>>>    while [ 1 ]; do
>>>         ${IPTABLES} ${ARG2}
>>>         RES=$?
>>>         if [ $RES = 0 ]; then
>>>             break;
>>>         else
>>>             COUNT=`expr $COUNT + 1`;
>>>             echo "`date` Unable to run (iptables returning != $RES):
>>> $COUNT - $0 $1 $2 $3 $4 $5" >> ${PWD}/../logs/active-responses.log
>>>             sleep $COUNT;
>>>
>>>             if [ $COUNT -gt 4 ]; then
>>>                 break;
>>>             fi
>>>         fi
>>>    done
>>>
>>> David ROBERT
>>> http://blog.ombrepixel.com/
>>
>



-- 
David ROBERT
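The shape David proposes above (one function that runs each iptables command, a LOG switch at the top of the script, the retry counter reset per command so the second loop is not starved, and a --log-prefix containing spaces passed as a single argument instead of through a flat string variable) can be written like this. This is an added example, not the OSSEC project's firewall-drop.sh nor the patch linked in the thread; the names run_iptables, fw_rule, LOG, LOG_PREFIX and ARLOG are assumptions, as is the use of -I/-D for add/delete. Passing arguments via "$@" is what keeps "ossec drop: " as one word; note that the iptables LOG target caps --log-prefix at 29 characters.

```shell
#!/bin/sh
# Added example (not OSSEC's own script): firewall-drop-style helper with a
# single function per iptables command, per-command retries and optional logging.
# Assumed names: IPTABLES, LOG, LOG_PREFIX, ARLOG, run_iptables, fw_rule.

IPTABLES="${IPTABLES:-/sbin/iptables}"
LOG="${LOG:-no}"                           # set to yes to add matching LOG rules
LOG_PREFIX="${LOG_PREFIX:-ossec drop: }"   # contains a space: must stay ONE argument
ARLOG="${ARLOG:-${PWD}/../logs/active-responses.log}"

# run_iptables ARGS...: run one iptables command, retrying with growing sleeps.
# COUNT is reset on every call, so each command gets its own five attempts
# (the script quoted in the thread carried COUNT over into the second loop).
run_iptables() {
    COUNT=0
    while :; do
        if "$IPTABLES" "$@"; then
            return 0
        fi
        COUNT=$((COUNT + 1))
        echo "$(date) Unable to run (iptables returned != 0): $COUNT - $IPTABLES $*" >> "$ARLOG"
        if [ "$COUNT" -gt 4 ]; then
            return 1
        fi
        sleep "$COUNT"
    done
}

# fw_rule ACTION IP: ACTION is "add" or "delete". Emits the DROP rule in INPUT
# and FORWARD and, when LOG=yes, a LOG rule in front of each DROP.
fw_rule() {
    action=$1
    ip=$2
    [ -n "$ip" ] || { echo "fw_rule: missing IP" >&2; return 2; }
    case $action in
        add)    flag=-I ;;    # assumption: insert at the head of the chain
        delete) flag=-D ;;
        *)      echo "fw_rule: unknown action '$action'" >&2; return 2 ;;
    esac
    rc=0
    for chain in INPUT FORWARD; do
        # DROP is inserted first; the LOG rule inserted afterwards at position 1
        # therefore ends up in front of it, so dropped packets are logged.
        run_iptables "$flag" "$chain" -s "$ip" -j DROP || rc=1
        if [ "$LOG" = yes ]; then
            run_iptables "$flag" "$chain" -s "$ip" -j LOG --log-prefix "$LOG_PREFIX" || rc=1
        fi
    done
    return $rc
}

# Entry point mirroring the active-response calling convention (action user ip).
# Does nothing when no arguments are given, so the functions can be sourced.
if [ $# -ge 3 ]; then
    fw_rule "$1" "$3"
fi
```

Because run_iptables only ever sees one command's arguments, the log line in active-responses.log also records exactly the command that failed rather than the script's positional parameters.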
