Imported Upstream version 1.7.1

parent 797df451
=======
Changes
=======
All notable changes to this project will be documented in this file.
*Note on deprecation:* Deprecated features will be removed in the next
non-bugfix release. If you would like to nominate a feature to be
un-deprecated, contact the project mailing list.
.. contents::
1.7.1
=====
October 2016
**Added**
- Add sample Mac OS X 10.12 style launchd.plist
**Changed**
- Allow multiple forward slashes in process name
- Log released addresses only when debugging
**Deprecated**
- Process validation (``-f`` option) is deprecated
**Fixed**
- Adjust TIMESTAMP_ISO8601 for Mac OS X 10.12
- Fix build error in hosts backend
- Fix empty functions in firewall scripts causing errors with Bash
- Flush stdout after every line in sshg-parser
1.7.0
=====
August 2016
**Added**
- Add *sshg-logtail*
- Add *sshg-parser*
- Control firewall using *sshg-fw*
- Match "no matching key exchange method" for SSH
**Deprecated**
- Hosts backend is deprecated
- Logsuck (``-l`` option) is deprecated, use *sshg-logtail* instead
- Process validation (``-f`` option) is deprecated
**Removed**
- Remove external hooks (``-e`` option)
- Remove support for genfilt and ipfilter backends
**Fixed**
- Accept socklog messages without a timestamp
- Fix excessive logging causing endless looping in logsuck
- Fix undefined assignment of initial inode number
1.6.4
=====
April 2016
- Match Postfix pre-authentication disconnects
- Fix bashisms in iptables backend
- Fix size argument in inet_ntop() call
- Remove excessive logging when polling from files
- Keep looking for unreadable files while polling
- Update Dovecot signature for POP3
- Match "Connection reset" message for SSH
- Resurrect PID file option by popular demand
- Adjust default abuse threshold
1.6.3
=====
January 2016
- Add sample systemd(8) unit file
- Disable blacklisting by default
- Fix `pfctl` command syntax with OpenBSD 5.8
- Implement logging as wrappers around syslog(2)
- Improve log and error messages
- Match sendmail authentication failures
- Remove PID file option
- Remove SIGTSTP and SIGCONT handler
- Remove reverse mapping attack signature
- Remove safe_fgets() and exit on interrupt
- Terminate state entries for hosts blocked with pf
- Update and shorten command-line usage
- Use 'configure' to set feature-test macros
1.6.2
=====
October 2015
- Make '-w' option backwards-compatible for iptables (James Harris)
- Remove support for ip6fw and 'ipfw-range' option
- Rewrite ipfw backend using command framework
1.6.1
=====
July 2015
- Accept "Received disconnect" with optional prefix
- Add support for socklog entries
- Fix 'ipfw-rules-range' option in configure script
- Fix build for 'ipfw' and 'hosts' backends
- Fix integer comparisons of different types
- Match attacks when syslog debugging is enabled
1.6.0
=====
May 2015
- Add rules for Postfix SASL login attempts
- Add support for ISO 8601 timestamps (David Caldwell)
- Add support for external commands run on firewall events (-e)
- Blacklist file is now human-readable (Armando Miraglia)
- Check tcpwrapper file permissions regardless of local umask
- Detect additional pre-auth disconnects
- Fix ipfw crash when loading an empty blacklist (Jin Choi)
- Fix log parsing on days beginning with zero
- Fix log polling on filesystems with many files (Johann H. Hauschild)
- Fix matching for Cyrus IMAP login via SASL
- Fix syslog format detection on hosts with undefined hostname
- Match SSH login failures with "via" suffix
- Remove broken kqueue(2) support
- Tweak option names and help strings
- Update SSH "Bad protocol" signature
- Use case-insensitive "invalid user" signature
- Wait for xtables lock when using iptables command (James Harris)
1.5
===
Feb 2011
- logsucker: sshguard polls multiple log files at once
- recognize syslog's "last message repeated N times" contextually and per-source
- attackers now gauged with attack *dangerousness* instead of count (adjust your -a !)
- improve IPv6 support
- add detection for: Exim, vsftpd, Sendmail, Cucipop
- improve Solaris support (thanks OpenCSW.org folks)
- handle huge blacklists efficiently
- improve logging granularity and descriptiveness
- add -i command line option for saving PID file as an aid for startup scripts
- update some attack signatures
- many other improvements, see 1.5beta and 1.5rc changelogs for complete credits
- fix a recognition problem for multilog files
- fix log filtering on OSes with inverted priority declarations
- fix file descriptor leak if "ps" command fails to run
- fix whitelist module allowing some entries to be skipped (thanks Andrea Dal Farra)
- fix segfault from invalid free() when all DNS lookups fail
- fix assertion failure when logsucker is notified before the logging completes (thanks Colin Keith)
1.4
===
Aug 2009
- add touchiness: block repeated abusers for longer
- add blacklisting: store frequent abusers for permanent blocking
- add support for IPv6 in whitelisting (experimental)
- sshguard ignores interrupted fgets() and reloads more seldom (thanks Keven Tipping)
- debug mode now enabled with SSHGUARD_DEBUG environment variable (no "-d")
- support non-POSIX libCs that require getopt.h (thanks Nobuhiro Iwamatsu)
- import newer SimCList containing a number of fixes and improvements
- firewall backends now block all traffic from attackers by default, not per-service
- netfilter/iptables backend now verifies credentials at initialization
- parser accepts "-" and "_" chars in process names
- fix detection of some ProFTPd and pure-ftp messages
- support log formats of new versions of ProFTPd
- fix one dovecot pattern
- correctly handle abuse threshold = 1 (thanks K. Tipping)
- fix handling of IPv6 with IPFW under Mac OS X Leopard (thanks David Horn)
- fix cmdline argument BoF exploitable by local users when sshguard is setuid
- support blocking IPv6 addrs in backed "hosts.allow"
- extend hosts.allow backend to support all service types
- localhost addresses are now whitelisted a priori
- extend IPv6 pattern for matching special addresses (eg, IPv4 embedded)
- fix grammar to be insensitive to a log injection in sshd (thanks J. Oosterveen)
1.3
===
Oct 2008
- fix autoconf problem
- automatically detect when ipfw supports IPv6 (thanks David Horn)
- be sensitive to proftpd messages to auth facility, not daemon (thanks Andy Berkvam)
- add sshd pattern for "Bad protocol" and "Did not receive identif string"
1.2
===
Sep 2008
- support for Cyrus IMAP
- support for SSH "possible break-in attempt" messages
- updated support for dovecot to include logging format of new versions
- (thanks Michael Maynard) fix of IPF backend causing sshguard not to
update /etc/ipf.rules (disallow IPv6)
- fix detection of password when sshd doesn't log anything more than PAM
1.1
===
Jul 2008 (midway releases from Jul 2007 to Jun 2008)
- support suspension
- support debug mode at runtime (-d) for helping users in problem solving
- support for metalog logging format
- fix parser bug when recognizing certain IPv6 addresses
- fix segfault when the pipe to sshguard is closed unexpectedly
- support for ipfilter as blocking backend (thanks Hellmuth Michaelis for feedback)
- support for log messages authentication
- support for AIX genfilt firewall (thanks Gabor Szittner)
- fix "hosts" backend bug not discarding temporary files
- add monitoring support for new services:
- dovecot imap
- UWimap imap and pop
- FreeBSD's ftpd
- ProFTPd
- pure-ftpd
1.0
===
May 2007
- address whitelisting for protecting friend addressess
- support for IPv6
- support for service multiplexing (behave differently for different services)
- more powerful parsing (context-free): support multilog, autotranslate
hostnames and easily extends to a lot of services
- new blocking backend: "hosts" for /etc/hosts.deny
- paths autodetected and adjustable from ./configure
- script for trivially generating new custom backends
0.91
====
Mar 2007
- run away from scons and use autotools as building system
0.9
===
Feb 2007
- first public release
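Review bot: The **Removed** entries under 1.7.0 drop the ``-e`` option and the genfilt and ipfilter backends, and ``-l`` and ``-f`` are listed as deprecated, so whatever sits on top of this import (default arguments, init scripts, service files) needs checking for those options before it is built against 1.7.1. The *Note on deprecation* at the top says deprecated features are removed in the next non-bugfix release, so anything still using ``-l`` should move to *sshg-logtail* now rather than at the next import. The 1.6.3 entry "Disable blacklisting by default" is also a behaviour change worth calling out for anyone upgrading from 1.5.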
* 1.6.4 April 2016
- Match Postfix pre-authentication disconnects
- Fix bashisms in iptables backend
- Fix size argument in inet_ntop() call
- Remove excessive logging when polling from files
- Keep looking for unreadable files while polling
- Update Dovecot signature for POP3
- Match "Connection reset" message for SSH
- Resurrect PID file option by popular demand
- Adjust default abuse threshold
* 1.6.3 January 2016
- Add sample systemd(8) unit file
- Disable blacklisting by default
- Fix `pfctl` command syntax with OpenBSD 5.8
- Implement logging as wrappers around syslog(2)
- Improve log and error messages
- Match sendmail authentication failures
- Remove PID file option
- Remove SIGTSTP and SIGCONT handler
- Remove reverse mapping attack signature
- Remove safe_fgets() and exit on interrupt
- Terminate state entries for hosts blocked with pf
- Update and shorten command-line usage
- Use 'configure' to set feature-test macros
* 1.6.2 October 2015
- Make '-w' option backwards-compatible for iptables (James Harris)
- Remove support for ip6fw and 'ipfw-range' option
- Rewrite ipfw backend using command framework
* 1.6.1 July 2015
- Accept "Received disconnect" with optional prefix
- Add support for socklog entries
- Fix 'ipfw-rules-range' option in configure script
- Fix build for 'ipfw' and 'hosts' backends
- Fix integer comparisons of different types
- Match attacks when syslog debugging is enabled
* 1.6.0 May 2015
- Add rules for Postfix SASL login attempts
- Add support for ISO 8601 timestamps (David Caldwell)
- Add support for external commands run on firewall events (-e)
- Blacklist file is now human-readable (Armando Miraglia)
- Check tcpwrapper file permissions regardless of local umask
- Detect additional pre-auth disconnects
- Fix ipfw crash when loading an empty blacklist (Jin Choi)
- Fix log parsing on days beginning with zero
- Fix log polling on filesystems with many files (Johann H. Hauschild)
- Fix matching for Cyrus IMAP login via SASL
- Fix syslog format detection on hosts with undefined hostname
- Match SSH login failures with "via" suffix
- Remove broken kqueue(2) support
- Tweak option names and help strings
- Update SSH "Bad protocol" signature
- Use case-insensitive "invalid user" signature
- Wait for xtables lock when using iptables command (James Harris)
* 1.5 Feb 2011
- logsucker: sshguard polls multiple log files at once
- recognize syslog's "last message repeated N times" contextually and per-source
- attackers now gauged with attack *dangerousness* instead of count (adjust your -a !)
- improve IPv6 support
- add detection for: Exim, vsftpd, Sendmail, Cucipop
- improve Solaris support (thanks OpenCSW.org folks)
- handle huge blacklists efficiently
- improve logging granularity and descriptiveness
- add -i command line option for saving PID file as an aid for startup scripts
- update some attack signatures
- many other improvements, see 1.5beta and 1.5rc changelogs for complete credits
- fix a recognition problem for multilog files
- fix log filtering on OSes with inverted priority declarations
- fix file descriptor leak if "ps" command fails to run
- fix whitelist module allowing some entries to be skipped (thanks Andrea Dal Farra)
- fix segfault from invalid free() when all DNS lookups fail
- fix assertion failure when logsucker is notified before the logging completes (thanks Colin Keith)
* 1.4 Aug 2009
- add touchiness: block repeated abusers for longer
- add blacklisting: store frequent abusers for permanent blocking
- add support for IPv6 in whitelisting (experimental)
- sshguard ignores interrupted fgets() and reloads more seldom (thanks Keven Tipping)
- debug mode now enabled with SSHGUARD_DEBUG environment variable (no "-d")
- support non-POSIX libCs that require getopt.h (thanks Nobuhiro Iwamatsu)
- import newer SimCList containing a number of fixes and improvements
- firewall backends now block all traffic from attackers by default, not per-service
- netfilter/iptables backend now verifies credentials at initialization
- parser accepts "-" and "_" chars in process names
- fix detection of some ProFTPd and pure-ftp messages
- support log formats of new versions of ProFTPd
- fix one dovecot pattern
- correctly handle abuse threshold = 1 (thanks K. Tipping)
- fix handling of IPv6 with IPFW under Mac OS X Leopard (thanks David Horn)
- fix cmdline argument BoF exploitable by local users when sshguard is setuid
- support blocking IPv6 addrs in backed "hosts.allow"
- extend hosts.allow backend to support all service types
- localhost addresses are now whitelisted a priori
- extend IPv6 pattern for matching special addresses (eg, IPv4 embedded)
- fix grammar to be insensitive to a log injection in sshd (thanks J. Oosterveen)
* 1.3 Oct 2008
- fix autoconf problem
- automatically detect when ipfw supports IPv6 (thanks David Horn)
- be sensitive to proftpd messages to auth facility, not daemon (thanks Andy Berkvam)
- add sshd pattern for "Bad protocol" and "Did not receive identif string"
* 1.2 Sep 2008
- support for Cyrus IMAP
- support for SSH "possible break-in attempt" messages
- updated support for dovecot to include logging format of new versions
- (thanks Michael Maynard) fix of IPF backend causing sshguard not to
update /etc/ipf.rules (disallow IPv6)
- fix detection of password when sshd doesn't log anything more than PAM
* 1.1 Jul 2008 (midway releases from Jul 2007 to Jun 2008)
- support suspension
- support debug mode at runtime (-d) for helping users in problem solving
- support for metalog logging format
- fix parser bug when recognizing certain IPv6 addresses
- fix segfault when the pipe to sshguard is closed unexpectedly
- support for ipfilter as blocking backend (thanks Hellmuth Michaelis for feedback)
- support for log messages authentication
- support for AIX genfilt firewall (thanks Gabor Szittner)
- fix "hosts" backend bug not discarding temporary files
- add monitoring support for new services:
@ dovecot imap
@ UWimap imap and pop
@ FreeBSD's ftpd
@ ProFTPd
@ pure-ftpd
* 1.0 May 2007
- address whitelisting for protecting friend addressess
- support for IPv6
- support for service multiplexing (behave differently for different services)
- more powerful parsing (context-free): support multilog, autotranslate
hostnames and easily extends to a lot of services
- new blocking backend: "hosts" for /etc/hosts.deny
- paths autodetected and adjustable from ./configure
- script for trivially generating new custom backends
* 0.91 Mar 2007
- run away from scons and use autotools as building system
* 0.9 Feb 2007
- first public release
EXTRA_DIST = examples/ README.rst
SUBDIRS = src man
SUBDIRS = src
EXTRA_DIST = doc/ examples/ CHANGELOG.rst README.rst
man_MANS = doc/sshguard.8
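Review bot: `EXTRA_DIST = doc/ examples/ CHANGELOG.rst README.rst` names whole directories, and automake copies a directory listed in `EXTRA_DIST` recursively, so any stray file left under `doc/` or `examples/` ends up in the release tarball. Plain `man_MANS` is not distributed by automake on its own, so `doc/sshguard.8` reaches the tarball only through the `doc/` entry; `dist_man_MANS = doc/sshguard.8` would make that explicit and let `EXTRA_DIST` list individual files instead.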
......@@ -96,7 +96,7 @@ am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
configure.lineno config.status.lineno
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/src/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_FILES = src/fwalls/sshg-fw
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
......@@ -125,6 +125,37 @@ am__can_run_installinfo = \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
man8dir = $(mandir)/man8
am__installdirs = "$(DESTDIR)$(man8dir)"
NROFF = nroff
MANS = $(man_MANS)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
am__recursive_targets = \
......@@ -154,8 +185,9 @@ ETAGS = etags
CTAGS = ctags
CSCOPE = cscope
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in COPYING ChangeLog ar-lib \
compile install-sh missing
am__DIST_COMMON = $(srcdir)/Makefile.in \
$(top_srcdir)/src/fwalls/sshg-fw.in COPYING ar-lib compile \
install-sh missing
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
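Review bot: `ChangeLog` disappears from `am__DIST_COMMON` here while `CHANGELOG.rst` is carried through `EXTRA_DIST` instead, so anything that installs or references the changelog by its old file name will no longer find it. The documentation install list on the packaging side should be updated to `CHANGELOG.rst` in the same upload as this import.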
......@@ -269,15 +301,11 @@ datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
genfiltpath = @genfiltpath@
host_alias = @host_alias@
htmldir = @htmldir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipfpath = @ipfpath@
ipfwpath = @ipfwpath@
iptablespath = @iptablespath@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
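Review bot: The `genfiltpath`, `ipfpath`, `ipfwpath` and `iptablespath` substitutions are dropped in this hunk (the header goes from 15 lines to 11), so the directory of the firewall command is no longer fixed at configure time through these variables. Nothing visible here shows how the new `src/fwalls/sshg-fw` script locates `iptables`, `ipfw` or `pfctl`; please confirm that before upload, and if it resolves them through `PATH`, have the init script or unit that starts sshguard as root set an explicit `PATH`.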
......@@ -286,7 +314,6 @@ mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pfctlpath = @pfctlpath@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
......@@ -298,8 +325,9 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
EXTRA_DIST = examples/ README.rst
SUBDIRS = src man
SUBDIRS = src
EXTRA_DIST = doc/ examples/ CHANGELOG.rst README.rst
man_MANS = doc/sshguard.8
all: all-recursive
.SUFFIXES:
......@@ -336,6 +364,51 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS)
$(am__aclocal_m4_deps):
src/fwalls/sshg-fw: $(top_builddir)/config.status $(top_srcdir)/src/fwalls/sshg-fw.in
cd $(top_builddir) && $(SHELL) ./config.status $@
install-man8: $(man_MANS)
@$(NORMAL_INSTALL)
@list1=''; \
list2='$(man_MANS)'; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
{ for i in $$list1; do echo "$$i"; done; \
if test -n "$$list2"; then \
for i in $$list2; do echo "$$i"; done \
| sed -n '/\.8[a-z]*$$/p'; \
fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
done | \
sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
sed 'N;N;s,\n, ,g' | { \
list=; while read file base inst; do \
if test "$$base" = "$$inst"; then list="$$list $$file"; else \
echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
$(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
fi; \
done; \
for i in $$list; do echo "$$i"; done | $(am__base_list) | \
while read files; do \
test -z "$$files" || { \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
done; }
uninstall-man8:
@$(NORMAL_UNINSTALL)
@list=''; test -n "$(man8dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
sed -n '/\.8[a-z]*$$/p'; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
# This directory's subdirectories are mostly independent; you can cd
# into them and run 'make' without going through this Makefile.
......@@ -633,9 +706,12 @@ distcleancheck: distclean
exit 1; } >&2
check-am: all-am
check: check-recursive
all-am: Makefile
all-am: Makefile $(MANS)
installdirs: installdirs-recursive
installdirs-am:
for dir in "$(DESTDIR)$(man8dir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-recursive
install-exec: install-exec-recursive
install-data: install-data-recursive
......@@ -687,7 +763,7 @@ info: info-recursive
info-am:
install-data-am:
install-data-am: install-man
install-dvi: install-dvi-recursive
......@@ -703,7 +779,7 @@ install-info: install-info-recursive
install-info-am:
install-man:
install-man: install-man8
install-pdf: install-pdf-recursive
......@@ -733,7 +809,9 @@ ps: ps-recursive
ps-am:
uninstall-am:
uninstall-am: uninstall-man
uninstall-man: uninstall-man8
.MAKE: $(am__recursive_targets) install-am install-strip
......@@ -746,11 +824,12 @@ uninstall-am:
html-am info info-am install install-am install-data \
install-data-am install-dvi install-dvi-am install-exec \
install-exec-am install-html install-html-am install-info \
install-info-am install-man install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs installdirs-am maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic pdf \
pdf-am ps ps-am tags tags-am uninstall uninstall-am
install-info-am install-man install-man8 install-pdf \
install-pdf-am install-ps install-ps-am install-strip \
installcheck installcheck-am installdirs installdirs-am \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic pdf pdf-am ps ps-am tags tags-am uninstall \
uninstall-am uninstall-man uninstall-man8
.PRECIOUS: Makefile
......
# Process this file with autoconf to produce a configure script.
AC_PREREQ([2.60])
AC_INIT([sshguard], [1.6.4], [sshguard-users@lists.sourceforge.net])
AC_INIT([sshguard], [1.7.1], [sshguard-users@lists.sourceforge.net])
AC_CONFIG_SRCDIR([src/simclist.c])
AM_CONFIG_HEADER([src/config.h])
AM_INIT_AUTOMAKE([foreign])
AM_INIT_AUTOMAKE([foreign subdir-objects])
AM_SILENT_RULES([yes])
##############################################################################
# Configuration Options
AC_ARG_WITH([firewall], [AS_HELP_STRING([--with-firewall=fw],
[Firewall backend (one of pf, ipfw, iptables, ipfilter, hosts, aix, or null)])],
[Firewall backend (one of pf, ipfw, iptables, hosts, or null)])],
[
FWALLSDIR="src/fwalls"
# Substitute the correct commands into the firewall script.
AC_SUBST_FILE([sshg_fw_subr])
sshg_fw_subr=src/fwalls/$withval.sh
case "$withval" in
aix)
cp $FWALLSDIR/command_aix.h $FWALLSDIR/command.h
useaix=true
AC_CHECK_PROG([genfiltpath], [genfilt])
if test x$genfiltpath = x
then
# genfilt not in PATH, use "/usr/sbin" as default path
genfiltpath=/usr/sbin
AC_MSG_WARN([genfilt program not in path! Using /usr/sbin as default unless --with-genfilt specified])
fi
;;
hosts)
usehosts=true
;;
ipfilter)
cp $FWALLSDIR/command_ipfilter.h $FWALLSDIR/command.h
useipfilter=true
# is ipf in PATH?
AC_CHECK_PROG([ipfpath], [ipf])
if test x$ipfpath = x
then
# if ipf is not in PATH not, use "/sbin" as default path
ipfpath=/sbin
AC_MSG_WARN([ipf program not in path! Using /sbin as default unless --with-ipf specified])
fi
;;
ipfw)
cp $FWALLSDIR/command_ipfw.h $FWALLSDIR/command.h
useipfw=true
# is ipfw in PATH ?
AC_CHECK_PROG([ipfwpath], [ipfw])
if test x$ipfwpath = x
then
# if ipfw is not in PATH not, use "/sbin" as default path
ipfwpath=/sbin
AC_MSG_WARN([ipfw program not in path! Using /sbin as default unless --with-ipfw specified])
fi
;;
iptables)
cp $FWALLSDIR/command_iptables.h $FWALLSDIR/command.h
useiptables=true
# is iptables in PATH ?
AC_CHECK_PROG([iptablespath], [iptables])
if test x$iptablespath = x
then
# if iptables is not in PATH not, use "/sbin" as default path
iptablespath=/sbin
AC_MSG_WARN([iptables program not in path! Using /sbin as default unless --with-iptables specified])
fi
;;
pf)
cp $FWALLSDIR/command_pf.h $FWALLSDIR/command.h
usepf=true
# is pfctl in PATH ?
AC_CHECK_PROG([pfctlpath], [pfctl])
if test x$pfctlpath = x
then
# if pfctl is not in PATH not, use "/sbin" as default path
pfctlpath=/sbin
AC_MSG_WARN([pfctl program not in path! Using /sbin as default unless --with-pfctl specified])
fi
;;
null)
cp $FWALLSDIR/command_null.h $FWALLSDIR/command.h
usenull=true
;;
*)
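Review bot: `sshg_fw_subr=src/fwalls/$withval.sh` near the top of the `--with-firewall` handler is assigned before the `case "$withval"` that checks the backend name, so whatever was passed to `--with-firewall` is placed into a file path first and only compared against the accepted names afterwards. Setting `sshg_fw_subr` after the `case`, or inside each accepted branch, would keep the substituted file limited to the backends named in the help string (pf, ipfw, iptables, hosts, null).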
......@@ -89,46 +41,18 @@ AC_ARG_WITH([firewall], [AS_HELP_STRING([--with-firewall=fw],
AC_MSG_ERROR([Please choose a firewall backend (see help)])
])
AC_ARG_WITH([genfilt], [AS_HELP_STRING([--with-genfilt=path],
[Path to the genfilt command (default from PATH)])],
[genfiltpath=`dirname $withval`])
AC_ARG_WITH([hosts], [AS_HELP_STRING([--with-hosts=file],
[Path to allowed hosts file (default /etc/hosts.allow)])],
[hostsfilepath=$withval],
[hostsfilepath=/etc/hosts.allow])
AC_ARG_WITH([ipf], [AS_HELP_STRING([--with-ipf=path],
[Path to the ipf command (default from PATH)])],
[ipfpath=`dirname $withval`])
AC_ARG_WITH([ipfconf], [AS_HELP_STRING([--with-ipfconf=file],
[Path to ipf configuration file (default /etc/ipf.rules)])],
[ipfconf=$withval],
[ipfconf=/etc/ipf.rules])
AC_ARG_WITH([ipfw], [AS_HELP_STRING([--with-ipfw=path],
[Path to the ipfw command (default from PATH)])],
[ipfwpath=`dirname $withval`])
AC_ARG_WITH([iptables], [AS_HELP_STRING([--with-iptables=path],
[Path to the iptables command (default from PATH)])],
[iptablespath=`dirname $withval`])
AC_ARG_WITH([pfctl], [AS_HELP_STRING([--with-pfctl=path],
[Path to the pfctl command (default from PATH)])],
[pfctlpath=`dirname $withval`])
##############################################################################
AS_BOX([Program Checks])
# Enable POSIX extensions on hosts that normally disable them.
AC_USE_SYSTEM_EXTENSIONS
AC_PROG_AWK
AC_PROG_CC
AC_PROG_CC_C99
AC_PROG_EGREP
AC_PROG_RANLIB
AC_PROG_YACC
AM_PROG_AR
......@@ -138,19 +62,8 @@ AM_PROG_LEX
AS_BOX([Headers, Types, and Compiler Checks])
# Header Files
AC_HEADER_STDC
AC_CHECK_HEADERS([getopt.h])
# Types
AC_TYPE_OFF_T
AC_TYPE_PID_T
AC_TYPE_SIZE_T
# Compiler Characteristics
AC_C_CONST
AC_C_INLINE
AC_C_RESTRICT
##############################################################################
AS_BOX([Library Functions])
......@@ -159,39 +72,9 @@ AC_SEARCH_LIBS([pthread_create], [pthread])
AC_SEARCH_LIBS([socket], [socket])
# set what firewall backend has been used, for automake
# AIX chosen
AM_CONDITIONAL(FWALL_AIX, test x$useaix = xtrue)