Linux Firewalls - Michael Rash [108]
[-] SID: 2003306 Unsupported option: "pcre" at line: 120. Skipping rule.
Note
The fwsnort.sh script is the real "meat and potatoes" of fwsnort; it's a Bourne shell script generated by fwsnort that is responsible for implementing the necessary iptables commands to construct the equivalent iptables policy. The internals of this script are discussed in "Structure of fwsnort.sh" on page 179, and a complete fwsnort.sh script can be found in Appendix B.
Configuration File for fwsnort
The main configuration file for fwsnort, /etc/fwsnort/fwsnort.conf, defines networks, port numbers, paths to system binaries (such as the path to iptables), and other key pieces of information needed for proper execution.
As with psad, the fwsnort.conf file follows a simple key/value format, and many of the keywords and semantics are identical to those found in Snort's own configuration file. For example, both the HOME_NET and EXTERNAL_NET keywords are defaulted to the wildcard value any, and lists of IP addresses and/or networks can be enclosed within braces. (Nearly all Snort rules use some combination of the HOME_NET and EXTERNAL_NET keywords.) The notion of variable resolution is also supported; that is, HTTP_SERVERS maps to $HOME_NET, which in turn maps to a specific network (or networks) or the wildcard value any, for example.
You'll find a complete example fwsnort.conf file below (and at http://www.cipherdyne.org/linuxfirewalls), and all fwsnort usage examples in this book will reference this configuration file. In this case, the network protected by the iptables firewall on which fwsnort is deployed is the Class C network 192.168.10.0/24 (see Figure 1-2), so we set HOME_NET accordingly.
[iptablesfw]# cat /etc/fwsnort/fwsnort.conf
# This is the configuration file for fwsnort. There are some similarities
# between this file and the configuration file for Snort.
# $Id: fwsnort.conf 356 2007-03-20 01:31:28Z mbr $
### fwsnort treats all traffic directed to / originating from the local
### machine as going to / coming from the HOME_NET in Snort rule parlance.
### If there is only one interface on the local system, then there will be
### no rules processed via the FWSNORT_FORWARD chain because no traffic
### would make it into the iptables FORWARD chain.
HOME_NET 192.168.10.0/24;
EXTERNAL_NET any;
### List of servers. fwsnort supports the same variable resolution as Snort.
HTTP_SERVERS $HOME_NET;
SMTP_SERVERS $HOME_NET;
DNS_SERVERS $HOME_NET;
SQL_SERVERS $HOME_NET;
TELNET_SERVERS $HOME_NET;
### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.1
2.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
### Configurable port numbers
SSH_PORTS 22;
HTTP_PORTS 80;
SHELLCODE_PORTS !80;
ORACLE_PORTS 1521;
### Define average packet lengths and maximum frame length. This is used
### for iptables length match emulation of the Snort dsize option.
❶ AVG_IP_HEADER_LEN 20; ### IP options are not usually used.
AVG_TCP_HEADER_LEN 40; ### Includes options
MAX_FRAME_LEN 1500;
### Use the WHITELIST variable to define a list of hosts/networks that
### should be completely ignored by fwsnort. For example, if you want
### to whitelist the IP address 192.168.10.1 and the network 10.1.1.0/24,
### you will use (note that you can also specify multiple WHITELIST
### variables, one per line):
#WHITELIST 192.168.10.1, 10.1.1.0/24;
❷ WHITELIST NONE;
### Use the BLACKLIST variable to define a list of hosts/networks
### that for which fwsnort should DROP or REJECT all traffic. For
### example, to DROP all traffic from the 192.168.10.0/24 network,
### you can use:
### BLACKLIST 192.168.10.0/24 DROP;
### To have fwsnort REJECT all traffic from 192.168.10.0/24,