IDS: Allow to inspect traffic from or to OpenVPN
authorStefan Schantl <stefan.schantl@ipfire.org>
Tue, 17 Dec 2019 12:06:29 +0000 (13:06 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Sun, 29 Dec 2019 19:12:06 +0000 (19:12 +0000)
This commit allows to configure suricata to monitor traffic from or to
OpenVPN tunnels. This includes the RW server and all established N2N
connections.

Because the RW server and/or each N2N connection uses its own tun?
device, it is only possible to enable monitoring for all of them or to disable
monitoring entirely.

Fixes #12111.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
html/cgi-bin/ids.cgi
src/initscripts/system/suricata

index da009f89189499f47face02de862407435f12f35..2a8a7cb261af83162f6c7fc5378325ca48ca4cab 100644 (file)
@@ -49,6 +49,11 @@ my %ignored=();
 # the list of zones in an array.
 my @network_zones = &IDS::get_available_network_zones();
 
+# Check if openvpn is started and add it to the array of network zones.
+if ( -e "/var/run/openvpn.pid") {
+       push(@network_zones, "ovpn");
+}
+
 my $errormessage;
 
 # Create files if they does not exist yet.
@@ -59,7 +64,8 @@ my %colourhash = (
        'red' => $Header::colourred,
        'green' => $Header::colourgreen,
        'blue' => $Header::colourblue,
-       'orange' => $Header::colourorange
+       'orange' => $Header::colourorange,
+       'ovpn' => $Header::colourovpn
 );
 
 &Header::showhttpheaders();
@@ -839,7 +845,7 @@ END
                        $checked_input = "checked = 'checked'";
                }
 
-               print "<td class='base' width='25%'>\n";
+               print "<td class='base' width='20%'>\n";
                print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>\n";
                print "&nbsp;$Lang::tr{'enabled on'}<font color='$colourhash{$zone}'> $Lang::tr{$zone_name}</font>\n";
                print "</td>\n";
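Review bot: The ovpn zone is offered in the UI solely because `/var/run/openvpn.pid` exists, so a stale pid file left behind by a crashed RW server still shows the zone, and — if I read the commit message correctly — a setup with only N2N connections and no RW server would not show it even though the initscript change inspects every tun device. Since this check only controls visibility of the checkbox rather than enforcement, the mismatch is mostly a consistency issue, but the assumption should be stated next to the test, e.g. `# The ovpn zone is shown only while the RW server's pid file exists; N2N-only setups are not detected here.` Consider also confirming that the pid recorded in the file belongs to a live process rather than relying on file existence alone. The surrounding code of all three hunks continues outside the shown lines.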
index 5a567f2d7f4bfef90fabb11438bc5065e731f21c..5dc4082623c162055bc80c9a082a66714d3e3fe5 100644 (file)
@@ -29,7 +29,7 @@ IPS_OUTPUT_CHAIN="IPS_OUTPUT"
 NFQ_OPTS="--queue-bypass "
 
 # Array containing the 4 possible network zones.
-network_zones=( red green blue orange )
+network_zones=( red green blue orange ovpn )
 
 # Array to store the network zones weather the IPS is enabled for.
 enabled_ips_zones=()
@@ -86,6 +86,22 @@ function generate_fw_rules {
                        if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then
                                # Set device name to ppp0.
                                network_device="ppp0"
+                       elif [ "$zone" == "ovpn" ]; then
+                               # Get all virtual net devices because the RW server and each
+                               # N2N connection creates it's own tun device.
+                               for virt_dev in /sys/devices/virtual/net/*; do
+                                       # Cut-off the directory.
+                                       dev="${virt_dev##*/}"
+
+                                       # Only process tun devices.
+                                       if [[ $dev =~ "tun" ]]; then
+                                               # Add the network device to the array of enabled zones.
+                                               enabled_ips_zones+=( "$dev" )
+                                       fi
+                               done
+
+                               # Process next zone.
+                               continue
                        else
                                # Generate variable name which contains the device name.
                                zone_name="$zone_upper"
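Review bot: `[[ $dev =~ "tun" ]]` on the added line is an unanchored substring test (a quoted right-hand side of `=~` is matched literally), so any interface whose name merely contains `tun` — not only tun0, tun1, … — is pushed into `enabled_ips_zones`; anchor it with a glob instead: `if [[ $dev == tun[0-9]* ]]; then`. The loop also cannot tell OpenVPN's tun devices from tun devices created by other software, which may be acceptable but deserves a comment saying so. The comment changed in the earlier hunk of this file, `# Array containing the 4 possible network zones.`, is now stale since the array holds five entries. The enclosing `generate_fw_rules` loop starts and ends outside the hunk.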