Merge pull request #3018 from usernamepi/master

Update ufw.conf: several fixes and enhancements
pull/3019/head
Sergey G. Brester 4 years ago committed by GitHub
commit 5a8f1bceb8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -20,6 +20,9 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
### Fixes ### Fixes
* readline fixed to consider interim new-line character as part of code point in multi-byte logs * readline fixed to consider interim new-line character as part of code point in multi-byte logs
(e. g. unicode encoding like utf-16be, utf-16le); (e. g. unicode encoding like utf-16be, utf-16le);
* `action.d/ufw.conf`:
- fixed handling on IPv6 (using prepend, gh-2331, gh-3018)
- application names containing spaces can be used now (gh-656, gh-1532, gh-3018)
* `filter.d/drupal-auth.conf` more strict regex, extended to match "Login attempt failed from" (gh-2742) * `filter.d/drupal-auth.conf` more strict regex, extended to match "Login attempt failed from" (gh-2742)
### New Features and Enhancements ### New Features and Enhancements
@ -29,6 +32,9 @@ ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
* better recognition of log rotation, better performance by reopen: avoid unnecessary seek to begin of file * better recognition of log rotation, better performance by reopen: avoid unnecessary seek to begin of file
(and hash calculation) (and hash calculation)
* file filter reads only complete lines (ended with new-line) now, so waits for end of line (for its completion) * file filter reads only complete lines (ended with new-line) now, so waits for end of line (for its completion)
* `action.d/ufw.conf` (gh-3018):
- new option `add` (default `prepend`), can be supplied as `insert 1` for ufw versions before v.0.36 (gh-2331, gh-3018)
- new options `kill-mode` and `kill` to drop established connections of intruder (see action for details, gh-3018)
* `filter.d/nginx-http-auth.conf` - extended with parameter mode, so additionally to `auth` (or `normal`) * `filter.d/nginx-http-auth.conf` - extended with parameter mode, so additionally to `auth` (or `normal`)
mode `fallback` (or combined as `aggressive`) can find SSL errors while SSL handshaking, gh-2881 mode `fallback` (or combined as `aggressive`) can find SSL errors while SSL handshaking, gh-2881

@ -13,16 +13,44 @@ actionstop =
actioncheck = actioncheck =
actionban = [ -n "<application>" ] && app="app <application>" # ufw does "quickly process packets for which we already have a connection" in before.rules,
ufw insert <insertpos> <blocktype> from <ip> to <destination> $app # therefore all related sockets should be closed
# actionban is using `ss` to do so, this only handles IPv4 and IPv6.
actionunban = [ -n "<application>" ] && app="app <application>" actionban = if [ -n "<application>" ] && ufw app info "<application>"
ufw delete <blocktype> from <ip> to <destination> $app then
ufw <add> <blocktype> from <ip> to <destination> app "<application>" comment "<comment>"
else
ufw <add> <blocktype> from <ip> to <destination> comment "<comment>"
fi
<kill>
actionunban = if [ -n "<application>" ] && ufw app info "<application>"
then
ufw delete <blocktype> from <ip> to <destination> app "<application>"
else
ufw delete <blocktype> from <ip> to <destination>
fi
# Option: kill-mode
# Notes.: can be set to ss (may be extended later with other modes) to immediately drop all connections from banned IP, default empty (no kill)
# Example: banaction = ufw[kill-mode=ss]
kill-mode =
# intern conditional parameter used to provide killing mode after ban:
_kill_ =
_kill_ss = ss -K dst "[<ip>]"
# Option: kill
# Notes.: can be used to specify custom killing feature, by default depending on option kill-mode
# Examples: banaction = ufw[kill='ss -K "( sport = :http || sport = :https )" dst "[<ip>]"']
banaction = ufw[kill='cutter "<ip>"']
kill = <_kill_<kill-mode>>
[Init] [Init]
# Option: insertpos # Option: add
# Notes.: The position number in the firewall list to insert the block rule # Notes.: can be set to "insert 1" to insert a rule at certain position (here 1):
insertpos = 1 add = prepend
# Option: blocktype # Option: blocktype
# Notes.: reject or deny # Notes.: reject or deny

Loading…
Cancel
Save