Re: [Shorewall-users] using events to allow ident only from recent irc connections

Fri, 13 Apr 2018 09:09:45 -0700 

On 04/13/2018 06:24 AM, Brian J. Murrell wrote:
> I'm having trouble wrapping my mind around what the Events
> configuration looks like for the use-case of an IRC server wanting to
> reach the ident server of an IRC client on connect.
>
> I.e. If IRC client C makes a connection to IRC server S on port 6667,
> then IRC server S is allowed to connect from any port to IRC client C
> on port 113 for the next 10 seconds.
>
> Any hints?
I've tested the following:

    
######################################################################################################
    # IRC
    #
    SetEvent(IRC)                             { SOURCE=loc,apps, DEST=net, 
PROTO=tcp, DPORT=6667 }
    IfEvent(IRC,ACCEPT,10,1,dst,reset)        { SOURCE=net, DEST=loc,apps, 
PROTO=tcp, DPORT=113 }

In the process, I discovered a bug in the 'reset' logic of IfEvent()
when 'dst' is specified; that bug is corrected by the attached patch:

    patch /usr/share/shorewall/action.IfEvent < IfEvent.patch

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
                      \_______________________________________________


diff --git a/Shorewall/Actions/action.IfEvent b/Shorewall/Actions/action.IfEvent
index 5f245ed22..64cbb8e25 100644
--- a/Shorewall/Actions/action.IfEvent
+++ b/Shorewall/Actions/action.IfEvent
@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
     #
     # if the event is armed, remove it and perform the action
     #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdest" );
 } elsif ( $command & $UPDATE_CMD ) {
     perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to