I execute a script that adds an iptables logging rule for port-probing. To run it after each firewall restart I added the path to the script at the end of /etc/clearos/firewall.d/90-attack-detector. This worked fine, but I noticed recently that these rules are no longer being added to iptables; it seems that 90-attack-detector might have been updated and therefore my path removed.

Where can I add a script to execute on each FW restart? Does /etc/clearos/firewall.d/local get updated, or is that safe?
(Also, I need the script to run after 90-attack-detector.)
Wednesday, July 08 2020, 11:08 AM
Responses (2)
  • Accepted Answer

    Wednesday, July 08 2020, 01:36 PM
    Thanks for that; adding the IPv4 block was important. I was wondering why the rules were added twice. Thanks.

    (The script I run does not have static IP rules; instead it extracts all open ports from iptables and creates a rule to log all traffic excluding those open ports. Here is the script I run: https://github.com/srulikuk/c-f2b/blob/master/iptables/rules.sh)
  • Accepted Answer

    Wednesday, July 08 2020, 01:05 PM
    Attack Detector was updated recently, IIRC.
    You can use the local file, but remember the local file fires before all the numbered files, but after the main firewall and custom. Also, just changing local will trigger an immediate firewall restart. We do not change the local file.
    Alternatively you can add a numbered file. I think the number has to be between 01 and 99, but I am not sure of the exact rules. The number affects where it fires in the firewall starting sequence; the higher the number, the later it fires.
    Remember to always enclose your rules in an IPv4 block, or have the file exit if the firewall is loading IPv6. See how it is done in any of the other files; there seem to be two ways. If you don't, the rule will fire twice, once during the IPv4 script and once during the IPv6 script. If you specify an IPv4 IP address, the firewall will also show failed if the IPv6 script tries to load it.
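As an added example (not part of this thread and not ClearOS's own code), here is what a numbered firewall.d fragment following the advice above could look like: a number above 90 so it fires after 90-attack-detector, an IPv4 guard so the rules are neither loaded twice nor failed by the IPv6 pass, and an idempotent insert so a repeat run does not stack duplicate LOG rules. The filename, the FW_PROTO variable name, the IPTABLES variable and the open-port list are all assumptions; check an existing numbered file in /etc/clearos/firewall.d/ for the protocol check the firewall really exports before relying on it.

```shell
#!/bin/sh
# /etc/clearos/firewall.d/95-port-probe-log   (hypothetical name: any number
# above 90 makes it fire after 90-attack-detector)
#
# Added example; not from the thread or from ClearOS. Assumed: the firewall
# start script runs each firewall.d file twice and exports the pass as
# FW_PROTO=ipv4 / FW_PROTO=ipv6 (variable name assumed, verify against an
# existing numbered file), and IPTABLES names the iptables binary.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# Constructed sample of the ports to exclude from logging. The poster's
# script derives this list from the live iptables rules instead.
OPEN_TCP_PORTS="22 80 443"

# True only during the IPv4 pass, so IPv4-only rules are neither loaded
# twice nor attempted (and failed) by the IPv6 pass.
ipv4_pass() {
    [ "${FW_PROTO:-}" = "ipv4" ]
}

# Turn "22 80 443" into "22,80,443" for -m multiport.
ports_csv() {
    echo "$1" | tr ' ' ','
}

# Append a rule only if an identical rule is not already present (-C checks),
# so re-running the fragment never stacks duplicate LOG rules.
# Usage: add_once CHAIN rule-spec...
add_once() {
    "$IPTABLES" -C "$@" 2>/dev/null || "$IPTABLES" -A "$@"
}

# Log new TCP connections to any port that is not open; rate-limited so a
# scan cannot flood the kernel log. Returns 1 (nothing done) on the IPv6 pass.
apply_rules() {
    ipv4_pass || return 1
    add_once INPUT -p tcp -m multiport ! --dports "$(ports_csv "$OPEN_TCP_PORTS")" \
        -m conntrack --ctstate NEW \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "PORT-PROBE: " --log-level 4
}

# Only act when the firewall has told us which pass this is.
if [ -n "${FW_PROTO:-}" ]; then
    apply_rules
fi
```

The -C/-A pair is what keeps a second run (or a manual re-source of the file) from adding the same LOG rule again, which is the "rules added twice" symptom from the thread; the protocol guard is what stops the IPv6 pass from touching IPv4-only rules at all.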