Forward Firewall: fixed firewall hits statistik and extended it to show input,output...
authorAlexander Marx <amarx@ipfire.org>
Sun, 14 Apr 2013 13:10:13 +0000 (15:10 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:13:10 +0000 (14:13 +0200)
config/cfgroot/graphs.pl
config/collectd/collectd.conf
config/forwardfw/firewall-policy
src/initscripts/init.d/firewall

index c51e882e20ff2267fae3c45381db6f2f4ed8b5cd..83cc60f2609297d6c0958b8c4d64c58e80905b36 100644 (file)
@@ -216,7 +216,7 @@ sub updatecpugraph {
                        ,"GPRINT:userpct:AVERAGE:%3.2lf%%"
                        ,"GPRINT:userpct:MIN:%3.2lf%%"
                        ,"GPRINT:userpct:LAST:%3.2lf%%\\j"
-                       ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'cpu system usage'})
+                       ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-26s",$Lang::tr{'cpu system usage'})
                        ,"GPRINT:systempct:MAX:%3.2lf%%"
                        ,"GPRINT:systempct:AVERAGE:%3.2lf%%"
                        ,"GPRINT:systempct:MIN:%3.2lf%%"
@@ -602,26 +602,50 @@ sub updatefwhitsgraph {
                "--color=SHADEA".$color{"color19"},
                "--color=SHADEB".$color{"color19"},
                "--color=BACK".$color{"color21"},
-               "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-FORWARD/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
-               "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-INPUT/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
+               "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
+               "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
+               "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
                "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
                "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
-               "CDEF:amount=output,input,newnotsyn,+,+",
-               "COMMENT:".sprintf("%-20s",$Lang::tr{'caption'}),
+               #"CDEF:amount=input",
+               "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
                "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
                "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
-               "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}),
+               "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
                "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
-               "AREA:amount".$color{"color24"}."A0:".sprintf("%-20s",$Lang::tr{'firewallhits'}),
-               "GPRINT:amount:MAX:%8.1lf %sBps",
-               "GPRINT:amount:AVERAGE:%8.1lf %sBps",
-               "GPRINT:amount:MIN:%8.1lf %sBps",
-               "GPRINT:amount:LAST:%8.1lf %sBps\\j",
-               "STACK:portscan".$color{"color25"}."A0:".sprintf("%-20s",$Lang::tr{'portscans'}),
+               "AREA:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"),
+               "GPRINT:input:MAX:%8.1lf %sBps",
+               "GPRINT:input:AVERAGE:%8.1lf %sBps",
+               "GPRINT:input:MIN:%8.1lf %sBps",
+               "GPRINT:input:LAST:%8.1lf %sBps\\j",
+               "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-OUTPUT"),
+               "GPRINT:output:MAX:%8.1lf %sBps",
+               "GPRINT:output:AVERAGE:%8.1lf %sBps",
+               "GPRINT:output:MIN:%8.1lf %sBps",
+               "GPRINT:output:LAST:%8.1lf %sBps\\j",
+               "AREA:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"),
+               "GPRINT:forward:MAX:%8.1lf %sBps",
+               "GPRINT:forward:AVERAGE:%8.1lf %sBps",
+               "GPRINT:forward:MIN:%8.1lf %sBps",
+               "GPRINT:forward:LAST:%8.1lf %sBps\\j",
+               "AREA:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"),
+               "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
+               "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
+               "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
+               "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
+               "AREA:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}),
                "GPRINT:portscan:MAX:%8.1lf %sBps",
                "GPRINT:portscan:MIN:%8.1lf %sBps",
                "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
                "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
+                               
+               "LINE1:input".$color{"color24"},
+               "LINE1:output".$color{"color25"},
+               "LINE1:forward".$color{"color23"},
+               "LINE1:newnotsyn".$color{"color14"},
+               "LINE1:portscan".$color{"color16"},
+               
+               
                );
                $ERROR = RRDs::error;
                print "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
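Review bot: The four GPRINT rows added for newnotsyn print MAX, MIN, AVERAGE, LAST, while the column headings a few lines above read maximal, average, minimal, current, so the minimum and average values land under each other's heading (the existing portscan rows further down have the same problem). Swap the two middle rows to `"GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",` followed by `"GPRINT:newnotsyn:MIN:%8.1lf %sBps",` and fix portscan the same way while here. The commented-out `#"CDEF:amount=input",` and the whitespace-only lines before the closing parenthesis are leftovers and should be dropped. The NewNotSyn row uses a hard-coded English label where every other row goes through `$Lang::tr`, and its `%-24s` width differs from the `%-25s` of the three policy rows, so the value columns will not line up. updatefwhitsgraph starts before this hunk and its closing brace lies below it.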
index 67d9e19054da255ef327cd036496fed18f2b1411..e222d5cb72c2ae535cf9c8e22633846cdd70879b 100644 (file)
@@ -23,7 +23,7 @@ LoadPlugin memory
 LoadPlugin ping
 LoadPlugin processes
 LoadPlugin rrdtool
-LoadPlugin sensors
+#LoadPlugin sensors
 LoadPlugin swap
 LoadPlugin syslog
 #LoadPlugin wireless
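Review bot: Commenting out `LoadPlugin sensors` is unrelated to the firewall-hits change the commit message describes and is not explained anywhere. If it is intentional, a comment on the line stating why (for example `# sensors plugin disabled: <reason>`) would stop the next reader from re-enabling it; otherwise it belongs in its own commit. Presumably collectd then stops writing the sensors RRDs, which would break any graph that reads them, so this deserves a mention in the description.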
@@ -45,10 +45,11 @@ include "/etc/collectd.precache"
 </Plugin>
 
 <Plugin iptables>
-       Chain filter INPUT DROP_INPUT
-       Chain filter FORWARD DROP_OUTPUT
        Chain filter PSCAN DROP_PScan
        Chain filter NEWNOTSYN DROP_NEWNOTSYN
+       Chain filter POLICYFWD DROP_FORWARD
+       Chain filter POLICYOUT DROP_OUTPUT
+       Chain filter POLICYIN DROP_INPUT
 </Plugin>
 
 #<Plugin logfile>
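Review bot: Each of these three Chain entries only yields data if a rule carrying exactly that comment exists in the named chain, because the collectd iptables plugin selects the rule to count by its comment. The DROP_FORWARD and DROP_OUTPUT rules are appended by the init script in this commit, but no rule commented DROP_INPUT in POLICYIN is visible anywhere in the diff; if firewall-policy does not create one, the file `iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd` that graphs.pl's `DEF:input=` reads is never written and the graph call fails. This should be confirmed against the INPUT section of firewall-policy, which is cut off in this diff.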
index 55287dd074518f3185c8f31241adcb13d12f2bf9..6e648e2685865df719973d28aaa608743eb16b93 100755 (executable)
@@ -23,8 +23,8 @@ if [ "$POLICY" == "MODE1" ]; then
                        /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
                fi
 else
-       /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP -m comment --comment "DROP_FORWARD_BLUE"
-       /sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD"
+       /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP 
+       /sbin/iptables -A POLICYFWD -j ACCEPT 
 fi
 
 #OUTGOINGFW
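Review bot: The rewritten POLICYFWD rules end in trailing whitespace after `-j DROP` and `-j ACCEPT`, as does the POLICYOUT ACCEPT line in the next hunk; trim it. Removing the comment from the blue0 rule means drops of blue-to-other-interface traffic are no longer counted under any DROP statistic; if that is intended, a one-line comment above the rule saying so would save the next reader from re-adding it. While touching the line, `! -o "$IFACE"` quotes the interface variable so an empty value fails loudly instead of being word-split away.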
@@ -42,7 +42,7 @@ if [ "$POLICY1" == "MODE1" ]; then
                        /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
        fi
 else
-       /sbin/iptables -A POLICYOUT -j ACCEPT -m comment --comment "DROP_OUTPUT"
+       /sbin/iptables -A POLICYOUT -j ACCEPT 
 fi
 #INPUT
 if [ "$FWPOLICY2" == "REJECT" ]; then
index 7e3248147dc7e5bbcda0ba68a4af0e21cf2881c4..57bdef9016517ce24dc882f7e5646dd4e76f3973 100644 (file)
@@ -277,6 +277,9 @@ case "$1" in
 
        /usr/sbin/firewall-policy
        
+       #Only for firewall Hits statistik
+       /sbin/iptables -A POLICYFWD -j DROP  -m comment --comment "DROP_FORWARD"
+       /sbin/iptables -A POLICYOUT -j DROP  -m comment --comment "DROP_OUTPUT"
        ;;
   startovpn)  
        # run openvpn
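Review bot: The two DROP rules appended here for statistics are only installed in the init script's start case, after `/usr/sbin/firewall-policy` has built the chains, so any later run of firewall-policy that flushes and rebuilds POLICYFWD and POLICYOUT (if it is invoked on a settings change, which this diff does not show) leaves the chains without the commented rules and the counters silently stop. In the non-MODE1 branch firewall-policy ends both chains with `-j ACCEPT`, so the rules added here are unreachable and always read zero, while in MODE1 with a DROP policy it already appends a rule commented DROP_FORWARD, so this creates a second rule with an identical comment and it is unclear which one collectd counts. Moving these lines into firewall-policy itself, added once as the last rule of each chain, would tie the counters to the chain lifetime; a comment such as `# terminal DROP carrying the comment collectd's iptables plugin counts; keep it the last rule and add it only once` would document the dependency. The case arm continues outside the hunk.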