
20th April 2007, 23:09
Senior Member
Join Date: Feb 2007
Posts: 100
Thanks: 0
Thanked 9 Times in 9 Posts
Restore Firewall Settings on ISPC Upgrade
I thought all went well with the upgrade to 2.2.12 until I saw blocked IPs appearing in my security logs.
Would it be possible to check for the existence of /etc/Bastille/firewall.d and if it exists copy the contents during an upgrade?
Thank God you already make a backup first.

21st April 2007, 13:22
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Thanks: 1,896
Thanked 2,594 Times in 2,445 Posts
Quote:
Originally Posted by Hawker
Would it be possible to check for the existence of /etc/Bastille/firewall.d and if it exists copy the contents during an upgrade?

I'm not sure if this isn't already done?

21st April 2007, 15:18
Senior Member
I double checked the install script. The /etc/Bastille directory is backed up in its entirety, but the /etc/Bastille/firewall.d directory is not recreated or copied when the upgrade is complete.
Code:
if(is_dir("/etc/Bastille")) caselog("mv -f /etc/Bastille /etc/Bastille.backup_".date("m_d_Y__H_i_s", $current_date), $FILE, __LINE__);
@mkdir("/etc/Bastille", octdec($directory_mode));
caselog("cp -f isp/conf/bastille-firewall.cfg.master /etc/Bastille/bastille-firewall.cfg", $FILE, __LINE__);
caselog("chmod 644 /etc/Bastille/bastille-firewall.cfg", $FILE, __LINE__);
$conf = rf("/etc/Bastille/bastille-firewall.cfg");
$conf = str_replace("{DNS_SERVERS}", "", $conf);
$tcp_public_services = '';
$udp_public_services = '';
if($conn = mysql_query("SELECT dienst_port, dienst_typ FROM isp_firewall WHERE dienst_aktiv = 'ja'")){
    while($row = mysql_fetch_array($conn)){
        if($row['dienst_typ'] == 'tcp') $tcp_public_services .= $row['dienst_port'].' ';
        if($row['dienst_typ'] == 'udp') $udp_public_services .= $row['dienst_port'].' ';
    }
    $tcp_public_services = trim($tcp_public_services);
    $udp_public_services = trim($udp_public_services);
} else {
    $tcp_public_services = '21 22 25 53 80 81 110 443 10000';
    $udp_public_services = '53';
}
$conf = str_replace("{TCP_PUBLIC_SERVICES}", $tcp_public_services, $conf);
$conf = str_replace("{UDP_PUBLIC_SERVICES}", $udp_public_services, $conf);
wf("/etc/Bastille/bastille-firewall.cfg", $conf);
Perhaps this would work inserted after the last line shown...
Code:
if(is_dir("/etc/Bastille.backup_".date("m_d_Y__H_i_s", $current_date)."/firewall.d")) {
    @mkdir("/etc/Bastille/firewall.d", octdec($directory_mode));
    caselog("cp -f /etc/Bastille.backup_".date("m_d_Y__H_i_s", $current_date)."/firewall.d/post-rule-setup.sh /etc/Bastille/firewall.d/post-rule-setup.sh", $FILE, __LINE__);
    caselog("chmod 644 /etc/Bastille/firewall.d/post-rule-setup.sh", $FILE, __LINE__);
}
Last edited by Hawker; 21st April 2007 at 15:24.

22nd April 2007, 23:15
Super Moderator
I've added this to our bug tracker.

2nd May 2007, 13:30
Senior Member
Have you ever been doing something totally unrelated to ISPC and suddenly had something come to mind that could be a problem for ISPC? Well I just did...
If you use my solution above, this should be placed in a variable...
Code:
date("m_d_Y__H_i_s", $current_date)
Such as...
Code:
$backup_date = date("m_d_Y__H_i_s", $current_date);
Changing the code sections to...
Code:
$backup_date = date("m_d_Y__H_i_s", $current_date);
if(is_dir("/etc/Bastille")) caselog("mv -f /etc/Bastille /etc/Bastille.backup_".$backup_date, $FILE, __LINE__);
@mkdir("/etc/Bastille", octdec($directory_mode));
....
....
Code:
if(is_dir("/etc/Bastille.backup_".$backup_date."/firewall.d")) {
    @mkdir("/etc/Bastille/firewall.d", octdec($directory_mode));
    caselog("cp -f /etc/Bastille.backup_".$backup_date."/firewall.d/post-rule-setup.sh /etc/Bastille/firewall.d/post-rule-setup.sh", $FILE, __LINE__);
    caselog("chmod 644 /etc/Bastille/firewall.d/post-rule-setup.sh", $FILE, __LINE__);
}
Otherwise if a user begins this part of the code at 23:59:59:XX it is possible that the current date will change and the part of the code to copy the directory will fail.
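
The upgrade step discussed in this thread, sketched as a shell function (an added example, not part of any post and not ISPConfig's install script): it takes the backup timestamp once, as the 2 May post proposes, and restores the whole firewall.d directory rather than a single file. The function name, the ROOT prefix argument, the empty stand-in config file and the sample rule are assumptions so it can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not ISPConfig code. ROOT is a scratch prefix (assumption) so
# the step can be exercised without touching the real /etc/Bastille.

upgrade_bastille() {
    root=$1
    live="$root/etc/Bastille"

    # Take the timestamp once; every later path is derived from this value,
    # so a clock tick between backup and restore cannot split the names.
    stamp=$(date +%m_%d_%Y__%H_%M_%S)
    backup="$live.backup_$stamp"

    # A second run in the same second would otherwise make mv nest the live
    # tree inside the existing backup directory.
    if [ -e "$backup" ]; then
        return 2
    fi

    if [ -d "$live" ]; then
        mv -f "$live" "$backup" || return 1
    fi
    mkdir -p "$live" || return 1

    # Stand-in for regenerating bastille-firewall.cfg from the master template.
    : > "$live/bastille-firewall.cfg"
    chmod 644 "$live/bastille-firewall.cfg"

    # Bring back every local rule script, keeping mode and mtime (-p),
    # then confirm the restored tree matches the backup.
    if [ -d "$backup/firewall.d" ]; then
        cp -Rp "$backup/firewall.d" "$live/" || return 1
        diff -r "$backup/firewall.d" "$live/firewall.d" >/dev/null || return 1
    fi
    printf '%s\n' "$backup"
}

# Constructed sample tree: one custom rule script with a made-up rule.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/Bastille/firewall.d"
echo 'iptables -I INPUT -s 192.0.2.10 -j DROP' \
    > "$demo_root/etc/Bastille/firewall.d/post-rule-setup.sh"
upgrade_bastille "$demo_root"
rm -rf "$demo_root"
```

The function prints the backup path it used; a non-zero return means the custom rules were not restored and the firewall should not be reloaded from the new tree.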

10th May 2007, 13:55
Super Moderator
Quote:
Originally Posted by Hawker
Would it be possible to check for the existence of /etc/Bastille/firewall.d and if it exists copy the contents during an upgrade?

I've just added this to the SVN repository, so it will be in the next update.
All times are GMT +2. The time now is 02:12.