List: ipcop-svn
Subject: [Ipcop-svn] SF.net SVN: ipcop:[1755] ipcop/trunk
From: dotzball () users ! sourceforge ! net
Date: 2008-08-31 13:54:05
Message-ID: E1KZnNV-00012X-5o () c3vjzd1 ! ch3 ! sourceforge ! com
Revision: 1755
http://ipcop.svn.sourceforge.net/ipcop/?rev=1755&view=rev
Author: dotzball
Date: 2008-08-31 13:54:02 +0000 (Sun, 31 Aug 2008)
Log Message:
-----------
Enabling/disabling of "BOT" removed.
Modified Paths:
--------------
ipcop/trunk/config/cfgroot/firewall-lib.pl
ipcop/trunk/html/cgi-bin/fwrules.cgi
ipcop/trunk/html/cgi-bin/fwrulesadm.cgi
ipcop/trunk/src/scripts/puzzleFwRules.pl
Modified: ipcop/trunk/config/cfgroot/firewall-lib.pl
===================================================================
--- ipcop/trunk/config/cfgroot/firewall-lib.pl 2008-08-31 13:44:27 UTC (rev 1754)
+++ ipcop/trunk/config/cfgroot/firewall-lib.pl 2008-08-31 13:54:02 UTC (rev 1755)
@@ -52,86 +52,12 @@
&DATA::setup_default_interfaces(\%FW::interfaces, \%ifaceCounts);
$FW::settingsfile = "${General::swroot}/firewall/settings";
-$FW::enabledfile = "${General::swroot}/firewall/enabled";
-$FW::disabledfile = "${General::swroot}/firewall/disabled";
$FW::settingsCGI = '/cgi-bin/fwrulesadm.cgi';
$FW::configCGI = '/cgi-bin/fwrules.cgi';
$FW::advConfCGI = '/cgi-bin/fwadvconf.cgi';
$FW::timeframeLogfile = "/var/log/fw_timeframe_log";
-sub printEnabledBox
-{
- my $currPage = shift;
- my $currSelect = shift;
- my %selected;
- &Header::openbox('100%', 'left', "$Lang::tr{'block out traff'}:");
-
- $selected{'ADV_CONFIG'}{'services'} = '';
- $selected{'ADV_CONFIG'}{'serviceGrouping'} = '';
- $selected{'ADV_CONFIG'}{'addresses'} = '';
- $selected{'ADV_CONFIG'}{'addressGrouping'} = '';
- $selected{'ADV_CONFIG'}{'interfaces'} = '';
- $selected{'ADV_CONFIG'}{$currSelect} = "selected='selected'";
-
- my $status;
- if (-e $FW::enabledfile){
- $status = "<b><font \
color='${Header::colourgreen}'>$Lang::tr{'enabledtitle'}</font></b>";
- }
- else{
- $status = "<b><font \
color='${Header::colourred}'>$Lang::tr{'disabledtitle'}</font></b>";
- }
-
- print <<END;
- <table width='100%'>
- <tr>
- <td width='40%'>$Lang::tr{'block out traff is'}$status </td>
-END
-
- if ($currPage ne 'advConf') {
- if ($currPage ne 'rules') {
- print <<END;
- <td align='left'>
- <form method='post' action='$FW::configCGI'>
- <input type='submit' name='ACTION' value='$Lang::tr{'rules'}' />
- </form>
- </td>
-END
- }
- print <<END;
- <td align='left'>
- <form method='post' action='$FW::settingsCGI'>
- <input type='submit' name='ACTION' value='$Lang::tr{'settings'}' />
- </form>
- </td>
-END
- }
- else
- {
- print <<END;
- <td width='60%' align='right'>
- <form method='post' action='$FW::advConfCGI'>
- <select name='ADV_CONFIG'>
- <option value='services' \
$selected{'ADV_CONFIG'}{'services'}>$Lang::tr{'services settings \
txt'}</option>
- <option value='serviceGrouping' \
$selected{'ADV_CONFIG'}{'serviceGrouping'}>$Lang::tr{'service grouping settings \
txt'}</option>
- <option value='addresses' \
$selected{'ADV_CONFIG'}{'addresses'}>$Lang::tr{'address settings \
txt'}</option>
- <option value='addressGrouping' \
$selected{'ADV_CONFIG'}{'addressGrouping'}>$Lang::tr{'address grouping settings \
txt'}</option>
- <option value='interfaces' \
$selected{'ADV_CONFIG'}{'interfaces'}>$Lang::tr{'interfaces settings \
txt'}</option>
- </select>
- <input type='submit' name='ACTION' value='$Lang::tr{'show adv config'}' />
- </form>
- </td>
-END
- }
-
- print <<END;
- </tr>
- </table>
-END
-
- &Header::closebox();
-}
-
sub readValidSettings
{
&General::readhash($FW::settingsfile, \%FW::fwSettings);
Modified: ipcop/trunk/html/cgi-bin/fwrules.cgi
===================================================================
--- ipcop/trunk/html/cgi-bin/fwrules.cgi 2008-08-31 13:44:27 UTC (rev 1754)
+++ ipcop/trunk/html/cgi-bin/fwrules.cgi 2008-08-31 13:54:02 UTC (rev 1755)
@@ -57,8 +57,7 @@
require '/var/ipcop/firewall/firewall-lib.pl';
my (%cgiparams,%selected,%checked,%radio);
-my @dummy = ($FW::settingsCGI,
- ${Header::colourred},
+my @dummy = (${Header::colourred},
@DATA::timeKeys_all,
@DATA::ruleKeys_unique,
@DATA::weekDays);
@@ -385,7 +384,6 @@
print "<b>$Lang::tr{'note'}:</b><br />$warnOpenFwMessage\n";
&Header::closebox();
}
- &FW::printEnabledBox('rules','');
&printSelectNewRuleBox();
&printCurrentRulesBox('all');
}
Modified: ipcop/trunk/html/cgi-bin/fwrulesadm.cgi
===================================================================
--- ipcop/trunk/html/cgi-bin/fwrulesadm.cgi 2008-08-31 13:44:27 UTC (rev 1754)
+++ ipcop/trunk/html/cgi-bin/fwrulesadm.cgi 2008-08-31 13:54:02 UTC (rev 1755)
@@ -116,28 +116,7 @@
}
} # end if ($cgiparams{'ACTION'} eq $Lang::tr{'save'})
-if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'EDIT_FORM'} eq \
'settings' ) {
- if (-e $FW::enabledfile) {
- $cgiparams{'ACTION'} = '';
- $errormessage .= "$Lang::tr{'disable bot before edit settings'}<br/>";
- }
-}
-if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
-{
- if (-e $FW::enabledfile) {
- unlink $FW::enabledfile;
- system("/usr/bin/touch $FW::disabledfile");
- &General::log($Lang::tr{'blockouttraffic disabled'});
- }
- else {
- unlink $FW::disabledfile;
- system("/usr/bin/touch $FW::enabledfile");
- &General::log($Lang::tr{'blockouttraffic enabled'});
- }
- `/usr/local/bin/setfwrules < /dev/null > /dev/null 2>&1 &`;
-}
-
# user input was invalid before reset,
# re-read settings from file,
# we are still in edit
@@ -190,17 +169,7 @@
$checked{'SHOW_COLORS'}{'on'} = '';
$checked{'SHOW_COLORS'}{$cgiparams{'SHOW_COLORS'}} = "checked='checked'" ;
-$cgiparams{'ENABLED'} = -e $FW::enabledfile? 'on' : 'off';
-
-my $gif;
-my $toggle;
-
-if (-e $FW::enabledfile) {
- $gif = 'on.gif'; $toggle=$Lang::tr{'disable bot'};}
-else {
- $gif = 'off.gif'; $toggle=$Lang::tr{'enable bot'}; }
-
-&Header::openpage($Lang::tr{'firewall configuration'}, 1, '');
+&Header::openpage($Lang::tr{'firewall settings'}, 1, '');
&Header::openbigbox('100%', 'left');
if ($errormessage) {
@@ -212,39 +181,7 @@
$error = 'error';
}
-unless( $cgiparams{'ACTION'} eq $Lang::tr{'edit'}){
- &Header::openbox('100%', 'left', "$Lang::tr{'blockouttraffic configuration'}:");
- print <<END;
- <table width='100%'>
- <tr>
- <td class='base' width='25%'>$Lang::tr{'blockouttraffic enabled'}:</td>
- <td align='left' width='10%'>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='image' name='$Lang::tr{'toggle enable disable'}' \
src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle \
enable disable'}' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' \
/>
- </form>
- </td>
- <td align='left' width='20%'>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='submit' value='$toggle' />
- <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' \
/>
- </form>
- </td>
- <td align='right'>
- <form method='post' action='$FW::configCGI'>
- <input type='submit' name='ACTION' value='$Lang::tr{'rules'}' />
- </form>
- </td>
- </tr>
- </table>
-END
-
- &Header::closebox();
-
-} # end unless( $cgiparams{'ACTION'} eq "$Lang::tr{'edit'}settings")
-
-
if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'EDIT_FORM'} eq \
'policy') {
&Header::openbox('100%', 'left', "$Lang::tr{'edit policy'}:", $error);
Modified: ipcop/trunk/src/scripts/puzzleFwRules.pl
===================================================================
--- ipcop/trunk/src/scripts/puzzleFwRules.pl 2008-08-31 13:44:27 UTC (rev 1754)
+++ ipcop/trunk/src/scripts/puzzleFwRules.pl 2008-08-31 13:54:02 UTC (rev 1755)
@@ -60,7 +60,7 @@
$FW::fwSettings{'CON_STATE'} = 'off';
my $invalidSettings = &FW::readValidSettings();
-if ($invalidSettings && -e $FW::enabledfile) {
+if ($invalidSettings) {
&General::log("BlockOutTraffic: $Lang::tr{'settingsfile bad. please edit'}");
exit 1;
}
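Review bot: With the `-e $FW::enabledfile` condition gone, `if ($invalidSettings)` now makes the script exit 1 on any invalid settings file before a single rule is prepared or submitted, and nothing in the hunk records what state that leaves the chains in or how the caller is expected to treat the status. The log line is the only trace, and it does not say that rule generation was skipped. A short comment above the `exit 1;` would make the contract explicit, e.g. `# abort before any chain is touched: the previous rule set stays in place and the caller must treat exit 1 as "rules not refreshed"`. Whether the previous rule set really is left intact depends on the rest of the script and on setfwrules, both outside this hunk, so that wording should be confirmed before it is committed.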
@@ -69,19 +69,8 @@
my ($second, $minute, $hour, $day, $month ,$year, $wday) = localtime(time);
# weekday starts on sunday with 0
-my @allRuleTypes = ();
+my @allRuleTypes = ("INPUT", "FORWARD", "EXTERNAL", "DMZHOLES");
-# disabled file is only there if user disables BOT in the GUI and
-# puzzleFwRules.pl run the first time, the file is removed at the
-# end of this run
-if (-e $FW::enabledfile || -e $FW::disabledfile)
-{
- @allRuleTypes = ("INPUT", "FORWARD");
-}
-
-# Add external access and pinholes (for IPcop 2.0 only, not in addon for IPCop 1.4)
-@allRuleTypes = (@allRuleTypes, "EXTERNAL", "DMZHOLES");
-
my @runRuleTypes = ();
# init timeframe settings
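Review bot: The comment `# Add external access and pinholes (for IPcop 2.0 only, not in addon for IPCop 1.4)` was the only explanation of why EXTERNAL and DMZHOLES sit next to the two BlockOutTraffic chains, and the collapsed `my @allRuleTypes = ("INPUT", "FORWARD", "EXTERNAL", "DMZHOLES");` initialiser drops it. Suggest keeping that comment directly above the declaration so the 2.0-only caveat survives. As a style point, `my @allRuleTypes = qw(INPUT FORWARD EXTERNAL DMZHOLES);` reads more cleanly than four quoted strings.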
@@ -220,12 +209,6 @@
foreach my $type (@runRuleTypes)
{
- # no need to run BOT rules if BOT is disabled (the BOT chains are only
- # in the runRuleTypes array to flush the chains, on next run those chains
- # are not in the array as the disabled file is removed at the end of this run)
- next if($type eq "INPUT" && -e $FW::disabledfile);
- next if($type eq "FORWARD" && -e $FW::disabledfile);
-
foreach my $rule (@{$ruleConfig{$type}})
{
next if ($rule->{'ENABLED'} ne 'on'); # Enabled ?
@@ -715,128 +698,127 @@
####################################################
#
# create default rules
-if (-e $FW::enabledfile)
-{
- my $defaultRule = '';
- my $defaultAction = 'DROP';
- $defaultAction = 'REJECT' if ($FW::fwSettings{'DEFAULT_ACTION'} eq 'reject');
- my %ifacePolicies = ();
- &DATA::readReadPolicies(\%FW::interfaces, \%ifacePolicies);
+my $defaultRule = '';
+my $defaultAction = 'DROP';
+$defaultAction = 'REJECT' if ($FW::fwSettings{'DEFAULT_ACTION'} eq 'reject');
+my %ifacePolicies = ();
+&DATA::readReadPolicies(\%FW::interfaces, \%ifacePolicies);
+## DEBUG
+print "Setup default rules\n" if ($debugLevel > 0);
+## DEBUG END
+
+
+# Deny only those traffic which is open in vanila IPCop.
+# Other traffic blocked by IPCop rules. So it is possible by using related, \
established connections
+foreach my $inIface (keys %FW::interfaces)
+{
## DEBUG
- print "Setup default rules\n" if ($debugLevel > 0);
+ print "In: $inIface\n" if ($debugLevel > 0);
## DEBUG END
-
- # Deny only those traffic which is open in vanila IPCop.
- # Other traffic blocked by IPCop rules. So it is possible by using related, \
established connections
- foreach my $inIface (keys %FW::interfaces)
+ unless(defined($ifacePolicies{$inIface}))
{
- ## DEBUG
- print "In: $inIface\n" if ($debugLevel > 0);
- ## DEBUG END
+ print "Policy for interface '$inIface' not defined\n" if ($debugLevel > 0);
+ next;
+ }
- # only create rules for this interface if it is activ
- next if($FW::interfaces{$inIface}{'ACTIV'} ne 'yes');
+ # only create rules for this interface if it is activ
+ next if($FW::interfaces{$inIface}{'ACTIV'} ne 'yes');
- # if policy is 'open', we don't need block rules
- next if ($ifacePolicies{$inIface}{'POLICY'} eq 'open');
+ # if policy is 'open', we don't need block rules
+ next if ($ifacePolicies{$inIface}{'POLICY'} eq 'open');
- # get outgoing interfaces
- my @outDevs = &getOutIfacesByColor($FW::interfaces{$inIface}{'COLOR'}, $inIface);
+ # get outgoing interfaces
+ my @outDevs = &getOutIfacesByColor($FW::interfaces{$inIface}{'COLOR'}, $inIface);
- if ($ifacePolicies{$inIface}{'CON_STATE'} eq 'on') {
- &prepareRule("-A FW_FORWARD -i $FW::interfaces{$inIface}{'IFACE'} -m state \
--state RELATED,ESTABLISHED -j ACCEPT");
- &prepareRule("-A FW_INPUT -i $FW::interfaces{$inIface}{'IFACE'} -m state --state \
RELATED,ESTABLISHED -j ACCEPT");
+ if ($ifacePolicies{$inIface}{'CON_STATE'} eq 'on') \
{
+ &prepareRule("-A FW_FORWARD -i $FW::interfaces{$inIface}{'IFACE'} -m state \
--state RELATED,ESTABLISHED -j ACCEPT");
+ &prepareRule("-A FW_INPUT -i \
$FW::interfaces{$inIface}{'IFACE'} -m state --state RELATED,ESTABLISHED -j ACCEPT"); \
+ }
+
+ # open some default services for policy 'half-open'
+ if($ifacePolicies{$inIface}{'POLICY'} eq 'half-open')
+ {
+ # Some IPCop services
+ my @ipcopServices = ();
+ my @forwardServices = ();
+ if($FW::interfaces{$inIface}{'COLOR'} =~ \
/^GREEN_COLOR|BLUE_COLOR|IPSEC_COLOR|OVPN_COLOR$/)
+ {
+ @ipcopServices =('IPCop dhcp', 'IPCop dns',
+ #'IPCop https',
+ 'IPCop ntp', 'IPCop proxy'
+ #,'IPCop ssh'
+ );
+ @forwardServices = ('http', 'https');
}
+ elsif($FW::interfaces{$inIface}{'COLOR'} =~ /^ORANGE_COLOR$/)
+ {
+ @forwardServices = ('domain', 'http', 'https', 'ntp');
+ }
- # open some default services for policy 'half-open'
- if($ifacePolicies{$inIface}{'POLICY'} eq 'half-open')
+ foreach my $service (@ipcopServices)
{
- # Some IPCop services
- my @ipcopServices = ();
- my @forwardServices = ();
- if($FW::interfaces{$inIface}{'COLOR'} =~ \
/^GREEN_COLOR|BLUE_COLOR|IPSEC_COLOR|OVPN_COLOR$/)
- {
- @ipcopServices =('IPCop dhcp', 'IPCop dns',
- #'IPCop https',
- 'IPCop ntp', 'IPCop proxy'
- #,'IPCop ssh'
- );
- @forwardServices = ('http', 'https');
+ my @serviceXYZ = &buildServiceParamsDefault($service, "");
+ foreach my $protoPort (@serviceXYZ) {
+ &prepareRule("-A FW_INPUT -i $FW::interfaces{$inIface}{'IFACE'} $protoPort -j \
ACCEPT"); }
- elsif($FW::interfaces{$inIface}{'COLOR'} =~ /^ORANGE_COLOR$/)
- {
- @forwardServices = ('domain', 'http', 'https', 'ntp');
- }
+ }
- foreach my $service (@ipcopServices)
+ # Some services to the outside
+ foreach my $service (@forwardServices)
+ {
+ my @serviceXYZ = &buildServiceParamsDefault($service, "");
+
+ # open the service to all possible outgoing interfaces
+ foreach my $outIface (@outDevs)
{
- my @serviceXYZ = &buildServiceParamsDefault($service, "");
foreach my $protoPort (@serviceXYZ) {
- &prepareRule("-A FW_INPUT -i $FW::interfaces{$inIface}{'IFACE'} $protoPort -j \
ACCEPT");
+ &prepareRule("-A FW_FORWARD -i $FW::interfaces{$inIface}{'IFACE'} \
$protoPort -o $outIface -j ACCEPT"); }
}
-
- # Some services to the outside
- foreach my $service (@forwardServices)
- {
- my @serviceXYZ = &buildServiceParamsDefault($service, "");
-
- # open the service to all possible outgoing interfaces
- foreach my $outIface (@outDevs)
- {
- foreach my $protoPort (@serviceXYZ) {
- &prepareRule("-A FW_FORWARD -i $FW::interfaces{$inIface}{'IFACE'} $protoPort \
-o $outIface -j ACCEPT");
- }
- }
- }
- } # if($ifacePolicies{$inIface}{'POLICY'} eq 'half-open')
-
- # input
- if($FW::interfaces{$inIface}{'COLOR'} =~ \
/^GREEN_COLOR|BLUE_COLOR|IPSEC_COLOR|OVPN_COLOR$/)
- {
- $defaultRule = "-A FW_INPUT -i $FW::interfaces{$inIface}{'IFACE'} -j";
- &prepareRule("$defaultRule LOG --log-prefix \"\U$inIface\E $defaultAction \" ") \
if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on');
- &prepareRule("$defaultRule $defaultAction");
}
+ } # if($ifacePolicies{$inIface}{'POLICY'} eq 'half-open')
- # forward
- foreach my $outIface (@outDevs)
- {
- $defaultRule = "-A FW_FORWARD -i $FW::interfaces{$inIface}{'IFACE'} -o $outIface \
-j";
- &prepareRule("$defaultRule LOG --log-prefix \"\U$inIface\E $defaultAction \" ") \
if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on');
- &prepareRule("$defaultRule $defaultAction");
- } # forward END
- } # foreach (source) interface END
-
- # put admin rules at first position
- $defaultRule = "-I FW_INPUT -i \
$FW::interfaces{$FW::fwSettings{'ADMIN_NETWORK'}}{'IFACE'} ";
- if($FW::fwSettings{'USE_ADMIN_MAC'} eq 'on') {
- $defaultRule .= "-m mac --mac-source $FW::fwSettings{'ADMIN_MAC'} ";
+ # input
+ if($FW::interfaces{$inIface}{'COLOR'} =~ \
/^GREEN_COLOR|BLUE_COLOR|IPSEC_COLOR|OVPN_COLOR$/)
+ {
+ $defaultRule = "-A FW_INPUT -i $FW::interfaces{$inIface}{'IFACE'} -j";
+ &prepareRule("$defaultRule LOG --log-prefix \"\U$inIface\E $defaultAction \" ") if \
($FW::fwSettings{'DEFAULT_LOG'} eq 'on');
+ &prepareRule("$defaultRule \
$defaultAction"); }
- # IPCop https
- my @ipcopHTTPS = &buildServiceParamsDefault('IPCop https', "");
- foreach my $httpsProtoPort (@ipcopHTTPS) {
- &prepareRule("$defaultRule $httpsProtoPort -j ACCEPT");
- }
- # IPCop ssh
- my @ipcopSSH = &buildServiceParamsDefault('IPCop ssh', "");
- foreach my $sshProtoPort (@ipcopSSH) {
- &prepareRule("$defaultRule $sshProtoPort -j ACCEPT");
- }
-} # end default rules
+ # forward
+ foreach my $outIface (@outDevs)
+ {
+ $defaultRule = "-A FW_FORWARD -i $FW::interfaces{$inIface}{'IFACE'} -o $outIface \
-j";
+ &prepareRule("$defaultRule LOG --log-prefix \"\U$inIface\E $defaultAction \" \
") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); + &prepareRule("$defaultRule \
$defaultAction");
+ } # forward END
+} # foreach (source) interface END
+
+# put admin rules at first position
+$defaultRule = "-I FW_INPUT -i \
$FW::interfaces{$FW::fwSettings{'ADMIN_NETWORK'}}{'IFACE'} "; \
+if($FW::fwSettings{'USE_ADMIN_MAC'} eq 'on') {
+ $defaultRule .= "-m mac \
--mac-source $FW::fwSettings{'ADMIN_MAC'} ";
+}
+# IPCop https
+my @ipcopHTTPS = &buildServiceParamsDefault('IPCop https', "");
+foreach my $httpsProtoPort (@ipcopHTTPS) {
+ &prepareRule("$defaultRule $httpsProtoPort -j ACCEPT");
+}
+# IPCop ssh
+my @ipcopSSH = &buildServiceParamsDefault('IPCop ssh', "");
+foreach my $sshProtoPort (@ipcopSSH) {
+ &prepareRule("$defaultRule $sshProtoPort -j ACCEPT");
+}
+
# now run all iptables rules we did prepare before
&submitAllRules();
# write timeframe settings
&General::writehash($FW::timeframeLogfile, \%timeframeSettings);
-
-if (-e $FW::disabledfile) {
- unlink $FW::disabledfile;
-}
exit 0;
sub prepareRule
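Review bot: The new `unless(defined($ifacePolicies{$inIface})) { ...; next; }` block skips an active interface that has no entry in the policies file before the default LOG/DROP (or REJECT) rules are reached, whereas the removed version (when BOT was enabled) fell through the `eq 'open'` test on an undefined policy and still installed them; for a BlockOutTraffic script that is the fail-open direction, and the skip is only reported when `$debugLevel > 0`, so in normal operation nothing records it. At minimum the message should go through the same channel as the settings error in the first hunk, e.g. `&General::log("BlockOutTraffic: no policy defined for interface '$inIface', no default rules created");` in place of the debug print, and whether a missing policy should instead be treated like the default action deserves an explicit decision and a comment. The reindentation makes up most of this hunk; the behavioural differences are confined to those lines and to the admin-rule block at the end, which now unconditionally inserts the `IPCop https` and `IPCop ssh` accept rules built from `$FW::fwSettings{'ADMIN_NETWORK'}` and `ADMIN_MAC`, whose validation happens in readValidSettings outside this hunk.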