From 94ea1f03464ab9434189ec270baa83fc2f2dcadd Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Sun, 14 Apr 2013 15:10:13 +0200
Subject: [PATCH] Forward Firewall: fixed firewall hits statistik and extended it to show input,output,forward,newnotsyn and portscan seperately.
---
 config/cfgroot/graphs.pl | 48 ++++++++++++++++++++++++--------
 config/collectd/collectd.conf | 7 +++--
 config/forwardfw/firewall-policy | 6 ++--
 src/initscripts/init.d/firewall | 3 ++
 4 files changed, 46 insertions(+), 18 deletions(-)
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index c51e882e2..83cc60f26 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -216,7 +216,7 @@ sub updatecpugraph {
 ,"GPRINT:userpct:AVERAGE:%3.2lf%%"
 ,"GPRINT:userpct:MIN:%3.2lf%%"
 ,"GPRINT:userpct:LAST:%3.2lf%%\\j"
- ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'cpu system usage'})
+ ,"STACK:systempct".$color{"color13"}."A0:".sprintf("%-26s",$Lang::tr{'cpu system usage'})
 ,"GPRINT:systempct:MAX:%3.2lf%%"
 ,"GPRINT:systempct:AVERAGE:%3.2lf%%"
 ,"GPRINT:systempct:MIN:%3.2lf%%"
@@ -602,26 +602,50 @@ sub updatefwhitsgraph {
 "--color=SHADEA".$color{"color19"},
 "--color=SHADEB".$color{"color19"},
 "--color=BACK".$color{"color21"},
- "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-FORWARD/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
- "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-INPUT/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
+ "DEF:output=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYOUT/ipt_bytes-DROP_OUTPUT.rrd:value:AVERAGE",
+ "DEF:input=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd:value:AVERAGE",
+ "DEF:forward=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-POLICYFWD/ipt_bytes-DROP_FORWARD.rrd:value:AVERAGE",
 "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
 "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
- "CDEF:amount=output,input,newnotsyn,+,+",
- "COMMENT:".sprintf("%-20s",$Lang::tr{'caption'}),
+ #"CDEF:amount=input",
+ "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
 "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
 "COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
- "COMMENT:".sprintf("%15s",$Lang::tr{'minimal'}),
+ "COMMENT:".sprintf("%14s",$Lang::tr{'minimal'}),
 "COMMENT:".sprintf("%15s",$Lang::tr{'current'})."\\j",
- "AREA:amount".$color{"color24"}."A0:".sprintf("%-20s",$Lang::tr{'firewallhits'}),
- "GPRINT:amount:MAX:%8.1lf %sBps",
- "GPRINT:amount:AVERAGE:%8.1lf %sBps",
- "GPRINT:amount:MIN:%8.1lf %sBps",
- "GPRINT:amount:LAST:%8.1lf %sBps\\j",
- "STACK:portscan".$color{"color25"}."A0:".sprintf("%-20s",$Lang::tr{'portscans'}),
+ "AREA:input".$color{"color24"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-INPUT"),
+ "GPRINT:input:MAX:%8.1lf %sBps",
+ "GPRINT:input:AVERAGE:%8.1lf %sBps",
+ "GPRINT:input:MIN:%8.1lf %sBps",
+ "GPRINT:input:LAST:%8.1lf %sBps\\j",
+ "AREA:output".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-OUTPUT"),
+ "GPRINT:output:MAX:%8.1lf %sBps",
+ "GPRINT:output:AVERAGE:%8.1lf %sBps",
+ "GPRINT:output:MIN:%8.1lf %sBps",
+ "GPRINT:output:LAST:%8.1lf %sBps\\j",
+ "AREA:forward".$color{"color23"}."A0:".sprintf("%-25s",$Lang::tr{'firewallhits'}."-FORWARD"),
+ "GPRINT:forward:MAX:%8.1lf %sBps",
+ "GPRINT:forward:AVERAGE:%8.1lf %sBps",
+ "GPRINT:forward:MIN:%8.1lf %sBps",
+ "GPRINT:forward:LAST:%8.1lf %sBps\\j",
+ "AREA:newnotsyn".$color{"color14"}."A0:".sprintf("%-24s","NewNotSyn"),
+ "GPRINT:newnotsyn:MAX:%8.1lf %sBps",
+ "GPRINT:newnotsyn:MIN:%8.1lf %sBps",
+ "GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",
+ "GPRINT:newnotsyn:LAST:%8.1lf %sBps\\j",
+ "AREA:portscan".$color{"color16"}."A0:".sprintf("%-24s",$Lang::tr{'portscans'}),
 "GPRINT:portscan:MAX:%8.1lf %sBps",
 "GPRINT:portscan:MIN:%8.1lf %sBps",
 "GPRINT:portscan:AVERAGE:%8.1lf %sBps",
 "GPRINT:portscan:LAST:%8.1lf %sBps\\j",
+
+ "LINE1:input".$color{"color24"},
+ "LINE1:output".$color{"color25"},
+ "LINE1:forward".$color{"color23"},
+ "LINE1:newnotsyn".$color{"color14"},
+ "LINE1:portscan".$color{"color16"},
+
+
 );
 $ERROR = RRDs::error;
 print "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index 67d9e1905..e222d5cb7 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -23,7 +23,7 @@ LoadPlugin memory
 LoadPlugin ping
 LoadPlugin processes
 LoadPlugin rrdtool
-LoadPlugin sensors
+#LoadPlugin sensors
 LoadPlugin swap
 LoadPlugin syslog
 #LoadPlugin wireless
@@ -45,10 +45,11 @@ include "/etc/collectd.precache"
- Chain filter INPUT DROP_INPUT
- Chain filter FORWARD DROP_OUTPUT
 Chain filter PSCAN DROP_PScan
 Chain filter NEWNOTSYN DROP_NEWNOTSYN
+ Chain filter POLICYFWD DROP_FORWARD
+ Chain filter POLICYOUT DROP_OUTPUT
+ Chain filter POLICYIN DROP_INPUT
 #
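Review bot: The new newnotsyn row prints its values in the order MAX, MIN, AVERAGE, LAST while the column captions above read maximal, average, minimal, current, so the average and the minimum land under each other's caption; swap the two middle lines to `"GPRINT:newnotsyn:AVERAGE:%8.1lf %sBps",` followed by `"GPRINT:newnotsyn:MIN:%8.1lf %sBps",` (the portscan row kept as context has the same pre-existing swap). The commented-out `#"CDEF:amount=input",` is dead text and should be dropped rather than left inside the argument list. Five plain AREA items now overlay one another (the A0 alpha keeps them translucent, but nothing is stacked), so the chart no longer shows the combined total that the old STACK layout gave; if the overlay is intentional, a one-line comment in the sub saying so would save the next reader from "fixing" it back. updatefwhitsgraph begins before this hunk.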
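Review bot: Commenting out `LoadPlugin sensors` is unrelated to the firewall-hits statistic and is not mentioned in the commit message; the sensor RRDs simply stop being written, and any graph that reads them will presumably start failing. Either give this change its own commit with the reason, or drop it from this patch.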
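Review bot: `Chain filter POLICYIN DROP_INPUT` presumes a rule in POLICYIN carrying the comment DROP_INPUT, but unlike POLICYFWD and POLICYOUT no such rule is added unconditionally by the init.d/firewall hunk of this patch; if some input-policy mode leaves POLICYIN without one, collectd presumably has nothing to report, iptables-filter-POLICYIN/ipt_bytes-DROP_INPUT.rrd is never created, and the graphs.pl DEF on that file makes the whole firewallhits graph fail. A one-line comment above these entries naming where each tagged rule is created, `# rules tagged DROP_FORWARD/DROP_OUTPUT/DROP_INPUT are installed by init.d/firewall and firewall-policy`, would help keep the three places in sync. The block enclosing these Chain lines opens and closes outside the visible hunk lines.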
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
index 55287dd07..6e648e268 100755
--- a/config/forwardfw/firewall-policy
+++ b/config/forwardfw/firewall-policy
@@ -23,8 +23,8 @@ if [ "$POLICY" == "MODE1" ]; then
 /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
 fi
 else
- /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP -m comment --comment "DROP_FORWARD_BLUE"
- /sbin/iptables -A POLICYFWD -j ACCEPT -m comment --comment "DROP_FORWARD"
+ /sbin/iptables -A POLICYFWD -i blue0 ! -o $IFACE -j DROP
+ /sbin/iptables -A POLICYFWD -j ACCEPT
 fi
 #OUTGOINGFW
@@ -42,7 +42,7 @@ if [ "$POLICY1" == "MODE1" ]; then
 /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 fi
 else
- /sbin/iptables -A POLICYOUT -j ACCEPT -m comment --comment "DROP_OUTPUT"
+ /sbin/iptables -A POLICYOUT -j ACCEPT
 fi
 #INPUT
 if [ "$FWPOLICY2" == "REJECT" ]; then
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 7e3248147..57bdef901 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -277,6 +277,9 @@ case "$1" in
 /usr/sbin/firewall-policy
+ #Only for firewall Hits statistik
+ /sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+ /sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
 ;;
 startovpn)
 # run openvpn
-- 
2.39.2
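Review bot: The blue0 DROP rule loses its `DROP_FORWARD_BLUE` comment, so forwarded packets from blue that this rule discards are no longer tagged and show up in none of the new counters; if they are meant to count, keep a comment on the rule and add a matching `Chain filter POLICYFWD DROP_FORWARD_BLUE` entry to collectd.conf, otherwise a short comment here stating that blue drops are deliberately excluded from the statistic would settle the question for later readers. Removing the comment from the ACCEPT rule is right, since a rule tagged DROP_FORWARD that accepts traffic would have been counted as drops, which appears to be the miscount this commit is fixing. The if/else block begins before this hunk.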
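Review bot: In MODE1 the two iptables rules appended here duplicate the DROP rule that firewall-policy already adds to POLICYFWD with the same comment DROP_FORWARD (visible as context in the firewall-policy hunk), so that chain ends up with two rules sharing one comment and the second never sees traffic; check which of the two the collectd iptables plugin reports, or append these rules only when firewall-policy has not already installed a tagged DROP. Nothing is appended for POLICYIN, although collectd.conf now reads `Chain filter POLICYIN DROP_INPUT` and graphs.pl defines a DEF on that file; if some input-policy mode leaves POLICYIN without a DROP_INPUT-tagged rule, the .rrd is presumably never created and the whole firewallhits graph fails on the missing DEF. Since /usr/sbin/firewall-policy is a separate script that may be re-run at runtime, these rules would also disappear if it rebuilds its chains (inferred, its flush logic is outside this hunk), so placing them inside firewall-policy itself looks safer. I would also reword the comment to `# Terminal DROP rules tagged for the collectd iptables plugin (firewall-hits graph)`. The enclosing case statement continues outside the hunk.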