From patchwork Tue Dec 17 12:06:29 2019
X-Patchwork-Submitter: Stefan Schantl
X-Patchwork-Id: 2649
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH] IDS: Allow to inspect traffic from or to OpenVPN
Date: Tue, 17 Dec 2019 13:06:29 +0100
Message-Id: <20191217120629.2679-1-stefan.schantl@ipfire.org>

This commit allows configuring suricata to monitor traffic from or to OpenVPN tunnels. This includes the RW server and all established N2N connections. Because the RW server and/or each N2N connection uses its own tun? device, it is only possible to enable monitoring all of them or to disable monitoring entirely.

Fixes #12111.

Signed-off-by: Stefan Schantl
---
 html/cgi-bin/ids.cgi            | 10 ++++++++--
 src/initscripts/system/suricata | 18 +++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index da009f891..2a8a7cb26 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -49,6 +49,11 @@ my %ignored=(); # the list of zones in an array. my @network_zones = &IDS::get_available_network_zones(); +# Check if openvpn is started and add it to the array of network zones. +if ( -e "/var/run/openvpn.pid") { + push(@network_zones, "ovpn"); +} + my $errormessage; # Create files if they does not exist yet. @@ -59,7 +64,8 @@ my %colourhash = ( 'red' => $Header::colourred, 'green' => $Header::colourgreen, 'blue' => $Header::colourblue, - 'orange' => $Header::colourorange + 'orange' => $Header::colourorange, + 'ovpn' => $Header::colourovpn ); &Header::showhttpheaders(); 
@@ -839,7 +845,7 @@ END $checked_input = "checked = 'checked'"; } - print "\n"; + print "\n"; print "\n"; print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; print "\n"; diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 27ab2e4e8..29e58a7e2 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -29,7 +29,7 @@ IPS_OUTPUT_CHAIN="IPS_OUTPUT" NFQ_OPTS="--queue-bypass " # Array containing the 4 possible network zones. -network_zones=( red green blue orange ) +network_zones=( red green blue orange ovpn ) # Array to store the network zones weather the IPS is enabled for. enabled_ips_zones=() @@ -86,6 +86,22 @@ function generate_fw_rules { if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then # Set device name to ppp0. network_device="ppp0" + elif [ "$zone" == "ovpn" ]; then + # Get all virtual net devices because the RW server and each + # N2N connection creates it's own tun device. + for virt_dev in /sys/devices/virtual/net/*; do + # Cut-off the directory. + dev="${virt_dev##*/}" + + # Only process tun devices. + if [[ $dev =~ "tun" ]]; then + # Add the network device to the array of enabled zones. + enabled_ips_zones+=( "$dev" ) + fi + done + + # Process next zone. + continue else # Generate variable name which contains the device name. zone_name="$zone_upper"
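Review bot: in the ids.cgi hunk at `@@ -49,6 +49,11 @@`, the new zone is offered only while `/var/run/openvpn.pid` exists, which is a file-existence check rather than a liveness check: a stale pid file left behind after a crash makes the `ovpn` zone appear with no tunnel present, and when the file is absent the zone vanishes from the page even if it was previously enabled, so a saved setting is silently hidden. The check also keys the whole feature on one pid file, while the commit message describes the RW server and each N2N connection as independent connections with their own tun device; please document which process writes this pid file, or detect the zone the same way the initscript does (by the presence of tun devices) so the CGI and the initscript agree on when `ovpn` exists.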
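Review bot: in the ids.cgi hunk at `@@ -59,7 +64,8 @@`, the added entry `'ovpn' => $Header::colourovpn` references a variable that this patch neither defines nor shows; if the Header package has no `colourovpn`, the hash value is `undef` and the new zone row renders without a colour. Please confirm the variable exists or add it in this series so the patch is self-contained.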
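Review bot: in the suricata initscript hunk at `@@ -29,7 +29,7 @@`, the comment directly above the changed line still reads `# Array containing the 4 possible network zones.` while the array now holds five entries; update the comment, and consider whether `ovpn`, which stands for a set of dynamically created tun devices rather than a fixed zone, belongs in the same array as `red green blue orange`. The unchanged context line below it has `weather` for `whether`, which could be corrected while touching this block.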
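Review bot: in the suricata initscript hunk at `@@ -86,6 +86,22 @@`, the test `if [[ $dev =~ "tun" ]]; then` is an unanchored substring match, so any virtual interface whose name merely contains `tun` is treated as an OpenVPN device and pulled into the IPS path; anchor it, for example `if [[ $dev =~ ^tun[0-9]+$ ]]; then`. Two further points: the matched device names are appended to `enabled_ips_zones`, an array the file documents as holding zone names, so everything downstream that expects zone names (and the new `continue` that bypasses the usual `network_device` path) now has to cope with raw interface names in it; and because devices are enumerated only when `generate_fw_rules` runs, a tun device created afterwards (an N2N connection or the RW server started after suricata) gets no firewall rule and its traffic is not inspected until suricata is restarted. That second gap should be stated in the commit message or closed by re-running the rule generation when OpenVPN connections come up.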