> ---------- Forwarded message ----------
> From: Tom Eastep <teastep@shorewall.net>
> To: shorewall-users@lists.sourceforge.net
> Cc:
> Date: Fri, 27 Jun 2014 10:51:12 -0700
> Subject: Re: [Shorewall-users] Problems with Shorewall 4.6.1.1 and Portknocking Events example
>
> On 6/26/2014 10:17 PM, Gerhard Wiesinger wrote:
> > On 24.06.2014 19:28, Gerhard Wiesinger wrote:
> >> On 20.06.2014 20:03, Tornhoof wrote:
> >>> Hi, I previously used (4.5.x, 4.6.0) the following Portknocking
> >>> configuration (from here http://shorewall.net/Events.html):
> >>>
> >>
> >> Please find attached a "real" stateful Port Knocking Module for
> >> shorewall. Was quite a challenge to write a stateful iptables "program".
> >>
> >> Feedback is welcome.
> >>
> >> @Tom: Can you integrate it in the next version?
> >>
> >> Thank you.
> >>
> >> Ciao,
> >> Gerhard
> >
> > Any Feedback?
> >
>
> Sorry to be slow responding. Very busy week at work this week.
>
> I guess what I would like to do is to place this in the contrib
> directory on the server and create a link to it from the port mapping page.
>
> If the .pm is installed in site_perl, and if the user codes:
>
> ?PERL use KnockEnhanced; KnockEnhanced 'net', '$FW',...
>
> then the script creates the appropriate rules.

Hello

After giving this module a try I found out that the final ACCEPT target is missing. I had to add an ACCEPT rule just after the log rule to make it work (patch attached). Here is the part that causes trouble:

    if ($args->{log_level} & 1) {
        log_rule_limit($args->{log_level}, $chainref, $name, 'ACCEPT', '',
                       $args->{log_tag} || '', 'add',
                       "-p $current_proto --dport $current_port -m recent --rcheck --seconds $seconds --name $lastname");
    } else {
        add_rule($chainref,
                 "-p $current_proto --dport $current_port -m recent --rcheck --seconds $seconds --name $lastname -j ACCEPT");
    }

H. Werner
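The shape of rules a stateful knock sequence built on -m recent needs, as an added example that is not part of the thread and not code from Shorewall's KnockEnhanced module: a POSIX shell function that prints one iptables rule per knock stage and finishes with the -j ACCEPT on the protected port that the reply above found missing. The chain name, the list names (knock1, knock2, ...) and the DROP disposition on the knock ports themselves are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall's KnockEnhanced module.
# Prints the iptables rules for a knock sequence built on the same
# "-m recent --rcheck ... --name" idiom as the snippet above. Chain name,
# list names (knock1, knock2, ...) and DROP on knock ports are assumptions.
#
# Usage: knock_rules CHAIN PROTO PROTECTED_PORT SECONDS KNOCK_PORT...
# One rule per line is printed; review, then pipe to sh on the firewall.
knock_rules() {
    chain=$1
    proto=$2
    dport=$3
    seconds=$4
    shift 4
    [ $# -ge 1 ] || { echo "knock_rules: at least one knock port required" >&2; return 1; }

    prev=''
    i=0
    for port in "$@"; do
        i=$((i + 1))
        name="knock$i"
        if [ -z "$prev" ]; then
            # Stage 1: a packet to the first knock port records the source
            # address in list knock1. The knock itself is dropped.
            printf 'iptables -A %s -p %s --dport %s -m recent --set --name %s -j DROP\n' \
                "$chain" "$proto" "$port" "$name"
        else
            # Stage N: only counts if the source reached stage N-1 within
            # $seconds (--rcheck on the previous list); the source is then
            # added to list N. Two -m recent matches in one rule are allowed.
            printf 'iptables -A %s -p %s --dport %s -m recent --rcheck --seconds %s --name %s -m recent --set --name %s -j DROP\n' \
                "$chain" "$proto" "$port" "$seconds" "$prev" "$name"
        fi
        prev=$name
    done

    # Final stage: the rule the reply found missing. Without -j ACCEPT here
    # a completed sequence is at best logged and the protected port stays
    # closed.
    printf 'iptables -A %s -p %s --dport %s -m recent --rcheck --seconds %s --name %s -j ACCEPT\n' \
        "$chain" "$proto" "$dport" "$seconds" "$prev"
}

# Last rule of the emitted set; a quick way to check the ACCEPT is present.
final_rule() {
    knock_rules "$@" | tail -n 1
}

# Example: knocks on tcp/7000, tcp/8000, tcp/9000 open tcp/22 for 10 seconds.
# knock_rules knock_ssh tcp 22 10 7000 8000 9000
```

Out-of-order knocks are not reset by these rules; a full implementation would also clear a source's state when it hits a knock port out of sequence, and the lists should be given a --name unique to the chain so two knock sets on one host do not share state.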