List:       ipfire-scm
Subject:    [git.ipfire.org] IPFire 2.x development tree branch, fifteen, updated. 901aa8b943e6442e4b3540a73fe7c
From:       git () ipfire ! org (Michael Tremer)
Date:       2013-10-25 9:40:38
Message-ID: 20131025094039.47F0820870 () argus ! ipfire ! org

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, fifteen has been updated
       via  901aa8b943e6442e4b3540a73fe7c79c9a9cd419 (commit)
       via  39e360b26c3815adfb32ead9ea5e782898ca97c2 (commit)
       via  9c89c64de19f43d77e2bc720fef2b58486472878 (commit)
       via  85f129fe3cac3f5161a6451e137084d91282472a (commit)
       via  8039a71099eafbec9fb280ce9caff2c069bdff7f (commit)
       via  6d8eb5dec7bf36f9b1bd53c9354d980aea315d89 (commit)
       via  6921f0ea0a62b09fd3bb9772ffc50b86b49bef97 (commit)
       via  11760a707510a5173f41c58551e03438043f36d6 (commit)
      from  b161bfa8683402036e0d3e08159aafda5d4c4310 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 901aa8b943e6442e4b3540a73fe7c79c9a9cd419
Author: Michael Tremer <michael.tremer at ipfire.org>
Date:   Fri Oct 25 11:40:06 2013 +0200

    firewall: Fix layout of protocol selection.

commit 39e360b26c3815adfb32ead9ea5e782898ca97c2
Author: Alexander Marx <amarx at ipfire.org>
Date:   Thu Oct 24 16:24:45 2013 +0200

    Firewall: added missing translation for short IPv6 protocol in ruletable

commit 9c89c64de19f43d77e2bc720fef2b58486472878
Author: Alexander Marx <amarx at ipfire.org>
Date:   Thu Oct 24 16:04:26 2013 +0200

    Firewall: rename Protocol 41 in Dropdown and ruletable ->Now "IPv6 Encapsulation (protocol 41)" in dropdown and "IPv6 Encap" in ruletable

commit 85f129fe3cac3f5161a6451e137084d91282472a
Author: Alexander Marx <amarx at ipfire.org>
Date:   Thu Oct 24 14:16:03 2013 +0200

    Firewall: fix deleted files from core fifteen firewall

commit 8039a71099eafbec9fb280ce9caff2c069bdff7f
Author: Alexander Marx <amarx at ipfire.org>
Date:   Thu Oct 24 09:42:42 2013 +0200

    Firewall: renamed forwardfwctrl to firewallctrl

commit 6d8eb5dec7bf36f9b1bd53c9354d980aea315d89
Author: Alexander Marx <amarx at ipfire.org>
Date:   Thu Oct 24 09:24:12 2013 +0200

    Firewall: Renamed directory /var/ipfire/forward to /var/ipfire/firewall

commit 6921f0ea0a62b09fd3bb9772ffc50b86b49bef97
Author: Alexander Marx <amarx at ipfire.org>
Date:   Thu Oct 24 08:15:48 2013 +0200

    Firewall: renamed /config/forwardfw to config/firewall

commit 11760a707510a5173f41c58551e03438043f36d6
Author: Alexander Marx <amarx at ipfire.org>
Date:   Thu Oct 24 07:59:42 2013 +0200

    Firewall: Added protocols IPv6 (41) and IPIP (94)

-----------------------------------------------------------------------

Summary of changes:
 config/backup/backup.pl                            |  47 ++---
 config/backup/exclude                              |   3 +-
 config/backup/include                              |   2 +-
 config/cfgroot/general-functions.pl                |   4 +-
 config/{forwardfw => firewall}/convert-dmz         |   2 +-
 config/{forwardfw => firewall}/convert-outgoingfw  |  12 +-
 config/{forwardfw => firewall}/convert-portfw      |   4 +-
 config/{forwardfw => firewall}/convert-xtaccess    |   2 +-
 config/{forwardfw => firewall}/firewall-lib.pl     |   0
 config/{forwardfw => firewall}/firewall-policy     |   2 +-
 config/{forwardfw => firewall}/p2protocols         |   0
 config/{forwardfw => firewall}/rules.pl            |  18 +-
 config/rootfiles/common/configroot                 |  22 +-
 config/rootfiles/common/misc-progs                 |   2 +-
 config/rootfiles/core/fifteen/filelists/firewall   |  18 +-
 html/cgi-bin/firewall.cgi                          | 221 +++++++++++----------
 html/cgi-bin/fwhosts.cgi                           |   4 +-
 html/cgi-bin/optionsfw.cgi                         |  14 +-
 html/cgi-bin/ovpnmain.cgi                          |   2 +-
 html/cgi-bin/p2p-block.cgi                         |   2 +-
 langs/de/cgi-bin/de.pl                             |   2 +
 langs/en/cgi-bin/en.pl                             |   2 +
 lfs/configroot                                     |  26 +--
 lfs/initscripts                                    |   2 +-
 src/initscripts/init.d/firewall                    |   2 +-
 src/misc-progs/Makefile                            |   6 +-
 src/misc-progs/{forwardfwctrl.c => firewallctrl.c} |   4 +-
 27 files changed, 216 insertions(+), 209 deletions(-)
 rename config/{forwardfw => firewall}/convert-dmz (99%)
 rename config/{forwardfw => firewall}/convert-outgoingfw (98%)
 rename config/{forwardfw => firewall}/convert-portfw (98%)
 rename config/{forwardfw => firewall}/convert-xtaccess (98%)
 rename config/{forwardfw => firewall}/firewall-lib.pl (100%)
 rename config/{forwardfw => firewall}/firewall-policy (98%)
 rename config/{forwardfw => firewall}/p2protocols (100%)
 rename config/{forwardfw => firewall}/rules.pl (97%)
 rename src/misc-progs/{forwardfwctrl.c => firewallctrl.c} (79%)

Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 28e2dd8..5424a1e 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -66,15 +66,15 @@ elsif ($ARGV[0] eq 'restore') {
   system("/usr/sbin/ovpn-ccd-convert");
   #OUTGOINGFW CONVERTER
   if( -d "${General::swroot}/outgoing"){
-	  if( -f "${General::swroot}/forward/config" ){
-		  unlink("${General::swroot}/forward/config");
-		  system("touch ${General::swroot}/forward/config");
-		  chown 99,99,"${General::swroot}/forward/config";
+	  if( -f "${General::swroot}/firewall/config" ){
+		  unlink("${General::swroot}/firewall/config");
+		  system("touch ${General::swroot}/firewall/config");
+		  chown 99,99,"${General::swroot}/firewall/config";
 	  }
-	  if( -f "${General::swroot}/forward/outgoing" ){
-		  unlink("${General::swroot}/forward/outgoing");
-		  system("touch ${General::swroot}/forward/outgoing");
-		  chown 99,99,"${General::swroot}/forward/outgoing";
+	  if( -f "${General::swroot}/firewall/outgoing" ){
+		  unlink("${General::swroot}/firewall/outgoing");
+		  system("touch ${General::swroot}/firewall/outgoing");
+		  chown 99,99,"${General::swroot}/firewall/outgoing";
 	  }
 	  unlink("${General::swroot}/fwhosts/customgroups");
 	  unlink("${General::swroot}/fwhosts/customhosts");
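Review bot: the reset sequence in the OUTGOINGFW block (unlink, then system("touch ..."), then chown 99,99) shells out with an interpolated path and checks none of the three results, so a failed touch or chown lets the restore carry on with a missing or wrongly owned firewall/config or firewall/outgoing. Truncating the file from Perl (a three-argument open with '>' followed by close) avoids the shell entirely, and the results of open and chown should be tested. The literal 99,99 would also be easier to audit as a named constant or a lookup of the intended account.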
@@ -97,38 +97,33 @@ elsif ($ARGV[0] eq 'restore') {
   }
   #XTACCESS CONVERTER
   if( -d "${General::swroot}/xtaccess"){
-	  if( -f "${General::swroot}/forward/input" ){
-		  unlink("${General::swroot}/forward/input");
-		  system("touch ${General::swroot}/forward/input");
+	  if( -f "${General::swroot}/firewall/input" ){
+		  unlink("${General::swroot}/firewall/input");
+		  system("touch ${General::swroot}/firewall/input");
 	  }
 	  #START CONVERTER "XTACCESS"
 	  system("/usr/sbin/convert-xtaccess");
-	  chown 99,99,"${General::swroot}/forward/input";
+	  chown 99,99,"${General::swroot}/firewall/input";
 	  rmtree("${General::swroot}/xtaccess");
   }
   #DMZ-HOLES CONVERTER
-  if( -d "${General::swroot}/dmzholes"){
-	  if( -f "${General::swroot}/forward/dmz" ){
-		  unlink("${General::swroot}/forward/dmz");
-		  system("touch ${General::swroot}/forward/dmz");
+  if( -d "${General::swroot}/dmzholes" || -d "${General::swroot}/portfw"){
+	  if( -f "${General::swroot}/firewall/config" ){
+		  unlink("${General::swroot}/firewall/config");
+		  system("touch ${General::swroot}/firewall/config");
 	  }
 	  #START CONVERTER "DMZ-HOLES"
 	  system("/usr/sbin/convert-dmz");
-	  chown 99,99,"${General::swroot}/forward/dmz";
+	  chown 99,99,"${General::swroot}/firewall/config";
 	  rmtree("${General::swroot}/dmzholes");
   }
   #PORTFORWARD CONVERTER
   if( -d "${General::swroot}/portfw"){
-	  if( -f "${General::swroot}/forward/nat" ){
-		  unlink("${General::swroot}/forward/nat");
-		  system("touch ${General::swroot}/forward/nat");
-	  }
-	  #START CONVERTER "PORTFW"
-	  system("/usr/sbin/convert-portfw");
-	  chown 99,99,"${General::swroot}/forward/nat";
-	  rmtree("${General::swroot}/portfw");
+	#START CONVERTER "PORTFW"
+	System("/usr/sbin/convert-portfw");
+	rmtree("${General::swroot}/portfw");
   }
-  system("/usr/local/bin/forwardfwctrl");
+  system("/usr/local/bin/firewallctrl");
  }
 elsif ($ARGV[0] eq 'restoreaddon') {
   if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] \
                /var/ipfire/backup/addons/backup/$ARGV[1]");}
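Review bot: in the PORTFORWARD block the new call is written System("/usr/sbin/convert-portfw") with a capital S. Perl is case-sensitive and nothing in the visible code defines a sub of that name, so the restore would die with an undefined-subroutine error as soon as a portfw directory exists, before rmtree and before firewallctrl is run; it should be system(...). Separately, the DMZ-HOLES block now truncates firewall/config, the same file the OUTGOINGFW block resets earlier in this restore branch. If convert-outgoingfw writes its rules to that file between the two resets (that call is not visible in these hunks), they are discarded here, so the reset belongs in one place ahead of all converters.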
diff --git a/config/backup/exclude b/config/backup/exclude
index 41ae8b5..83db234 100644
--- a/config/backup/exclude
+++ b/config/backup/exclude
@@ -1,7 +1,6 @@
 *.tmp
 /var/ipfire/ethernet/settings
-/var/ipfire/forward/bin/*
+/var/ipfire/firewall/bin/*
 /var/ipfire/proxy/calamaris/bin/*
 /var/ipfire/qos/bin/qos.pl
 /var/ipfire/urlfilter/blacklists/*/*.db
-/var/ipfire/forward/bin/*
diff --git a/config/backup/include b/config/backup/include
index 551b52d..1d55e4a 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -15,7 +15,7 @@
 /var/ipfire/auth/users
 /var/ipfire/dhcp/*
 /var/ipfire/dnsforward/*
-/var/ipfire/forward
+/var/ipfire/firewall
 /var/ipfire/fwhosts
 /var/ipfire/main/*
 /var/ipfire/ovpn
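Review bot: with /var/ipfire/forward replaced by /var/ipfire/firewall in the include list, archives created before this change still contain the old directory, and the restore branch of backup.pl as shown in this patch only operates on files under firewall/. It is worth confirming that restoring an older backup moves forward/* into firewall/, or stating that it does not, since otherwise the restored rules end up in a directory the renamed scripts no longer read.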
diff --git a/config/cfgroot/general-functions.pl \
b/config/cfgroot/general-functions.pl index 8236f07..48d68a2 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -1137,7 +1137,7 @@ sub write_file_utf8 ($) {
 	return; 
 }
 
-my $FIREWALL_RELOAD_INDICATOR = "${General::swroot}/forward/reread";
+my $FIREWALL_RELOAD_INDICATOR = "${General::swroot}/firewall/reread";
 
 sub firewall_config_changed() {
 	open FILE, ">$FIREWALL_RELOAD_INDICATOR" or die "Could not open \
$FIREWALL_RELOAD_INDICATOR"; @@ -1153,7 +1153,7 @@ sub firewall_needs_reload() {
 }
 
 sub firewall_reload() {
-	system("/usr/local/bin/forwardfwctrl");
+	system("/usr/local/bin/firewallctrl");
 }
 
 1;
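Review bot: firewall_reload() discards the return value of system("/usr/local/bin/firewallctrl"), which matters more now that the helper has been renamed: on a system where the binary is not yet present under the new name the reload fails silently and the previous ruleset stays loaded. Testing the result (system(...) == 0, or logging a warning otherwise) would surface that. The context line in firewall_config_changed() also uses a two-argument open on a bareword handle; a three-argument open with a lexical handle would be the safer form while this file is being touched.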
diff --git a/config/firewall/convert-dmz b/config/firewall/convert-dmz
new file mode 100755
index 0000000..0f7c68e
--- /dev/null
+++ b/config/firewall/convert-dmz
@@ -0,0 +1,193 @@
+#!/usr/bin/perl
+
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+#                                                                             #
+# This script converts old dmz holes rules from old firewall                  #
+# to the new one. This is a 2-step process.                                   #
+# STEP1: read old config and normalize settings                               #
+# STEP2: check valid ip and save valid rules to new firewall                  #
+#                                                                             #
+###############################################################################
+my @current=();
+my @alias=();
+my %configdmz=();
+my %ifaces=();
+my %configfwdfw=();
+require '/var/ipfire/general-functions.pl';
+my $dmzconfig 	  = "${General::swroot}/dmzholes/config";
+my $fwdfwconfig   = "${General::swroot}/firewall/config";
+my $ifacesettings = "${General::swroot}/ethernet/settings";
+my $field0	= 'ACCEPT';
+my $field1	= 'FORWARDFW';
+my $field2	= ''; #ON or emtpy
+my $field3	= ''; #std_net_src or src_addr
+my $field4	= ''; #ALL or IP-Address with /32
+my $field5	= ''; #std_net_tgt or tgt_addr
+my $field6	= ''; #IP or network name
+my $field11	= 'ON'; #use target port 
+my $field12	= ''; #TCP or UDP
+my $field13	= 'All ICMP-Types';
+my $field14	= 'TGT_PORT';
+my $field15	= ''; #Port Number
+my $field16	= ''; #remark
+my $field26	= '00:00';
+my $field27	= '00:00';
+my $field28 = '';
+my $field29 = 'ALL';
+my $field30 = '';
+my $field31 = 'dnat';
+
+
+open(FILE, $dmzconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+#open LOGFILE
+open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
+&General::readhash($ifacesettings, \%ifaces);
+&General::readhasharray($fwdfwconfig,\%configfwdfw);
+&process_rules;
+sub process_rules{
+	foreach my $line (@current){
+		my $now=localtime;
+		#get values from old configfile
+		my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
+		$h =~ s/\s*\n//gi;
+		print LOG "$now Processing A: $a   B: $b   C: $c   D: $d   E: $e   F: $f   G: $g   \
H: $h\n"; +		#Now convert values and check ip addresses
+		$a=uc($a);
+		$e=uc($e);
+		$field2=$e if($e eq 'ON');
+		#SOURCE IP-check
+		$b=&check_ip($b);
+		if (&General::validipandmask($b)){
+			#When ip valid, check if we have a network
+			my ($ip,$subnet) = split ("/",$b);
+			if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
+				$field3='std_net_src';
+				$field4='ORANGE';
+			}elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+				$field3='std_net_src';
+				$field4='BLUE';
+			}elsif($f eq 'orange' && \
&General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){ \
+				$field3='src_addr'; +				$field4=$b;
+			}elsif($f eq 'blue' && \
&General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ \
+				$field3='src_addr'; +				$field4=$b;
+			}else{
+				print LOG "$now ->NOT Converted, source ip $b not part of source network $f \
\n\n"; +				next;
+			}
+		}else{
+			print LOG "$now -> SOURCE IP INVALID. \n\n";
+			next;
+		}
+		#TARGET IP-check
+		$c=&check_ip($c);
+		if (&General::validipandmask($c)){
+			my $now=localtime;
+			#When ip valid, check if we have a network
+			my ($ip,$subnet) = split ("/",$c);
+			if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
+				$field5='std_net_tgt';
+				$field6='GREEN';
+			}elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+				$field5='std_net_tgt';
+				$field6='BLUE';
+			}elsif($g eq 'green' && \
&General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){ \
+				$field5='tgt_addr'; +				$field6=$c;
+			}elsif($g eq 'blue' && \
&General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){ \
+				$field5='tgt_addr'; +				$field6=$c;
+			}else{
+				print LOG "$now ->NOT Converted, target ip $c not part of target network $g \
\n\n"; +				next;
+			}
+		}else{
+			print LOG "$now -> TARGET IP INVALID. \n\n";
+			next;
+		}
+		$field12=$a;
+		#convert portrange
+		$d =~ tr/-/:/;
+		$field15=$d;
+		$field16=$h;
+		my $key = &General::findhasharraykey (\%configfwdfw);
+		foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
+		$configfwdfw{$key}[0] = $field0;
+		$configfwdfw{$key}[1] = $field1;
+		$configfwdfw{$key}[2] = $field2;
+		$configfwdfw{$key}[3] = $field3;
+		$configfwdfw{$key}[4] = $field4;
+		$configfwdfw{$key}[5] = $field5;
+		$configfwdfw{$key}[6] = $field6;
+		$configfwdfw{$key}[7] = '';
+		$configfwdfw{$key}[8] = '';
+		$configfwdfw{$key}[9] = '';
+		$configfwdfw{$key}[10] = '';
+		$configfwdfw{$key}[11] = $field11;
+		$configfwdfw{$key}[12] = $field12;
+		$configfwdfw{$key}[13] = $field13;
+		$configfwdfw{$key}[14] = $field14;
+		$configfwdfw{$key}[15] = $field15;
+		$configfwdfw{$key}[16] = $field16;
+		$configfwdfw{$key}[17] = '';
+		$configfwdfw{$key}[18] = '';
+		$configfwdfw{$key}[19] = '';
+		$configfwdfw{$key}[20] = '';
+		$configfwdfw{$key}[21] = '';
+		$configfwdfw{$key}[22] = '';
+		$configfwdfw{$key}[23] = '';
+		$configfwdfw{$key}[24] = '';
+		$configfwdfw{$key}[25] = '';
+		$configfwdfw{$key}[26] = $field26;
+		$configfwdfw{$key}[27] = $field27;
+		$configfwdfw{$key}[28] = $field28;
+		$configfwdfw{$key}[29] = $field29;
+		$configfwdfw{$key}[30] = $field30;
+		$configfwdfw{$key}[31] = $field31;
+		print LOG "$Now -> Converted to \
$field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
 +	}
+	&General::writehasharray($fwdfwconfig,\%configfwdfw);
+close (LOG);
+}
+
+sub check_ip
+{
+	my $adr=shift;
+	my $a;
+	#ip with subnet in decimal
+	if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
+		$adr=int($1).".".int($2).".".int($3).".".int($4);
+		my $b = &General::iporsubtodec($5);
+		$a=$adr."/".$b;
+	}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+		$adr=int($1).".".int($2).".".int($3).".".int($4);
+		if(&General::validip($adr)){
+			$a=$adr."/32";
+		}
+	}
+	if(&General::validipandmask($adr)){
+		$a=&General::iporsubtodec($adr);
+	}
+	return $a;
+}
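Review bot: $field2 is declared once at file scope and inside process_rules it is only ever assigned by "$field2=$e if($e eq 'ON');", so after the first enabled rule every later rule is written with 'ON' in field 2 (commented as "ON or empty"), including rules that were switched off in dmzholes/config. Since field 0 is always ACCEPT, a disabled DMZ pinhole can come out of the conversion as an active one. Reset the value per rule, for example $field2 = ($e eq 'ON') ? 'ON' : '';. Two smaller points: the final log line interpolates $Now, which is never set (the loop variable is $now), and the first pattern in check_ip leaves its dots unescaped, so they match any character. Adding use strict and use warnings at the top would have flagged the $Now typo.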
diff --git a/config/firewall/convert-outgoingfw b/config/firewall/convert-outgoingfw
new file mode 100755
index 0000000..0d7f7d3
--- /dev/null
+++ b/config/firewall/convert-outgoingfw
@@ -0,0 +1,704 @@
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+#                                                                             #
+# This script converts old groups and firewallrules                           #
+# to the new one. This is a 3-step process.                                   #
+# STEP1: convert groups ->LOG /var/log/converters                             #
+# STEP2: convert rules  ->LOG /var/log/converters                             #
+# STEP3: convert P2P rules                                                    #
+#                                                                             #
+###############################################################################
+
+require '/var/ipfire/general-functions.pl';
+
+use Socket;
+use File::Path;
+use File::Copy;
+
+my $ipgrouppath 	= "${General::swroot}/outgoing/groups/ipgroups/";
+my $macgrouppath	= "${General::swroot}/outgoing/groups/macgroups/";
+my $outgoingrules	= "${General::swroot}/outgoing/rules";
+my $outfwsettings	= "${General::swroot}/outgoing/settings";
+my $host			= "Converted ";
+my $confighosts		= "${General::swroot}/fwhosts/customhosts";
+my $confignets		= "${General::swroot}/fwhosts/customnetworks";
+my $configgroups	= "${General::swroot}/fwhosts/customgroups";
+my $ovpnsettings	= "${General::swroot}/ovpn/settings";
+my $ovpnconfig		= "${General::swroot}/ovpn/ovpnconfig";
+my $ccdconfig		= "${General::swroot}/ovpn/ccd.conf";
+my $fwdfwconfig		= "${General::swroot}/firewall/config";
+my $outfwconfig		= "${General::swroot}/firewall/outgoing";
+my $fwdfwsettings	= "${General::swroot}/firewall/settings";
+my @ipgroups = qx(ls $ipgrouppath);
+my @macgroups = qx(ls $macgrouppath);
+my @hostarray=();
+my %outsettings=();
+my %hosts=();
+my %nets=();
+my %groups=();
+my %settingsovpn=();
+my %configovpn=();
+my %ccdconf=();
+my %fwconfig=();
+my %fwconfigout=();
+my %fwdsettings=();
+my %ownnet=();
+my %ovpnSettings = ();
+&General::readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
+&General::readhash($outfwsettings,\%outsettings);
+&General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
+#ONLY RUN if /var/ipfire/outgoing exists
+if ( -d "/var/ipfire/outgoing"){
+	&process_groups;
+	&process_rules;
+	&process_p2p;
+}
+system("/usr/local/bin/firewallctrl");
+sub process_groups
+{
+	if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
+	if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");}
+	open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
+	#IP Group processing
+	foreach my $group (@ipgroups){
+		my $now=localtime;
+		chomp $group;
+		print LOG "\n$now Processing IP-GROUP: $group...\n";
+		open (DATEI, "<$ipgrouppath/$group");
+		my @zeilen = <DATEI>;
+		foreach my $ip (@zeilen){
+			chomp($ip);
+			$ip =~ s/\s//gi;
+			print LOG "$now Check IP $ip from Group $group ";
+			my $val=&check_ip($ip);
+			if($val){
+				push(@hostarray,$val.",ip");
+				print LOG "$now -> OK\n";
+			}
+			else{
+				print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n";
+			}
+			$val='';
+		}
+		&new_hostgrp($group,'ip');
+		@hostarray=();
+	}
+	$group='';
+	@zeilen=();
+	@hostarray=();
+	#MAC Group processing
+	foreach my $group (@macgroups){
+		chomp $group;
+		print LOG "\nProcessing MAC-GROUP: $group...\n";
+		open (DATEI, "<$macgrouppath/$group");
+		my @zeilen = <DATEI>;
+		foreach my $mac (@zeilen){
+			chomp($mac);
+			$mac =~ s/\s//gi;
+			print LOG "$now Checking MAC $mac from group $group ";
+			#MAC checking
+			if(&General::validmac($mac)){
+				$val=$mac;
+			}
+			if($val){
+				push(@hostarray,$val.",mac");
+				print LOG "$now -> OK\n";
+			}
+			else{
+				print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n";
+			}
+			$val='';
+		}
+		&new_hostgrp($group,'mac');
+		@hostarray=();
+		@zeilen=();
+	}
+	close (LOG);
+}
+sub check_ip
+{
+	my $adr=shift;
+	my $a;
+	#ip with subnet in decimal
+	if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
+		$adr=int($1).".".int($2).".".int($3).".".int($4);
+		my $b = &General::iporsubtodec($5);
+		$a=$adr."/".$b;
+	}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+		$adr=int($1).".".int($2).".".int($3).".".int($4);
+		if(&General::validip($adr)){
+			$a=$adr."/255.255.255.255";
+		}
+	}
+	if(&General::validipandmask($adr)){
+		$a=&General::iporsubtodec($adr);
+	}
+	return $a;
+}
+sub new_hostgrp
+{
+	&General::readhasharray($confighosts,\%hosts);
+	&General::readhasharray($confignets,\%nets);
+	&General::readhasharray($configgroups,\%groups);
+	my $grp=shift;
+	my $run=shift;
+	my $name; #"converted"
+	my $name2;
+	my $name3; #custom host/custom net
+	foreach my $adr (@hostarray){
+		if($run eq 'ip'){
+			my ($ip,$type) 			= split(",",$adr);
+			my ($ippart,$subnet) 	= split("/",$ip);
+			my ($byte1,$byte2,$byte3,$byte4) = split(/\./,$subnet);
+			if($byte4 eq '255'){
+				print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n"; 
+				if(!&check_host($ip)){
+					my $key		= &General::findhasharraykey(\%hosts);
+					$name="host ";
+					$name2=$name.$ippart;
+					$name3="Custom Host";
+					$hosts{$key}[0]	= $name2;
+					$hosts{$key}[1]	= $type;
+					$hosts{$key}[2]	= $ip;
+					$hosts{$key}[3]	= '';
+					$hosts{$key}[4]	= 1;
+					print LOG "->Host (IP) $ip added to custom hosts\n"
+				}else{
+					print LOG "->Host (IP) $ip already exists in custom hosts\n";
+					$name="host ";
+					$name2=$name.$ippart;
+					foreach my $key (sort keys %hosts){
+						if($hosts{$key}[0] eq $name2){
+							$hosts{$key}[4]++;
+						}
+					}
+					$name="host ";
+					$name2=$name.$ippart;
+					$name3="Custom Host";
+				}
+			}elsif($byte4 < '255'){
+				print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n";
+				if(!&check_net($ippart,$subnet)){
+					#Check if this network is one one of IPFire internal networks
+					if (($ownnet{'GREEN_NETADDRESS'} 		ne '' && $ownnet{'GREEN_NETADDRESS'} 	ne \
'0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'}))
 +					{
+						$name2='GREEN';
+						$name3='Standard Network';
+					}elsif (($ownnet{'ORANGE_NETADDRESS'} 	ne '' && $ownnet{'ORANGE_NETADDRESS'}	ne \
'0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'}))
 +					{
+						$name2='ORANGE';
+						$name3='Standard Network';
+					}elsif (($ownnet{'BLUE_NETADDRESS'} 	ne '' && $ownnet{'BLUE_NETADDRESS'} 	ne \
'0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'}))
 +					{
+						$name2='BLUE';
+						$name3='Standard Network';
+					}elsif ($ippart eq '0.0.0.0')
+					{
+						$name2='ALL';
+						$name3='Standard Network';
+					}elsif(defined($ovpnSettings{'DOVPN_SUBNET'}) && \
"$ippart/".&General::iporsubtodec($subnet) eq $ovpnSettings{'DOVPN_SUBNET'}) +					{
+						$name2='OpenVPN-Dyn';
+						$name3='Standard Network';
+					}else{
+						my $netkey	=  &General::findhasharraykey(\%nets);
+						$name="net ";
+						$name2=$name.$ippart;
+						$name3="Custom Network";
+						$nets{$netkey}[0] = $name2;
+						$nets{$netkey}[1] = $ippart;
+						$nets{$netkey}[2] = $subnet;
+						$nets{$netkey}[3] = '';
+						$nets{$netkey}[4] = 1;
+						print LOG "->Network $ippart/$subnet added to custom networks\n";
+					}
+				}else{
+					print LOG "Network $ippart already exists in custom networks\n";
+					$name="net ";
+					$name2=$name.$ippart;
+					foreach my $key (sort keys %nets){
+						if($nets{$key}[0] eq $name2){
+							$nets{$key}[4]++;
+						}
+					}
+					$name="net ";
+					$name2=$name.$ippart;
+					$name3="Custom Network";
+				}
+			}
+			if($name2 && !&check_grp($grp,$name2)){
+				my $grpkey 	= &General::findhasharraykey(\%groups);
+				$groups{$grpkey}[0]	= $grp;
+				$groups{$grpkey}[1]	= '';
+				$groups{$grpkey}[2]	= $name2;
+				$groups{$grpkey}[3]	= $name3;
+				$groups{$grpkey}[4]	= 0;
+				print LOG "->$name2 added to group $grp\n";
+			}
+		}elsif($run eq 'mac'){
+			#MACRUN
+			my ($mac,$type) 			= split(",",$adr);
+			print LOG "Processing HOST (MAC) $mac\n";
+			if(!&check_host($mac)){
+				my $key		= &General::findhasharraykey(\%hosts);
+				$name="host ";
+				$name2=$name.$mac;
+				$name3="Custom Host";
+				$hosts{$key}[0]	= $name2;
+				$hosts{$key}[1]	= $type;
+				$hosts{$key}[2]	= $mac;
+				$hosts{$key}[3]	= '';
+				$hosts{$key}[4]	= 1;
+				print LOG "->Host (MAC) $mac added to custom hosts\n";
+			}else{
+				print LOG "->Host (MAC) $mac already exists in custom hosts \n";
+				$name="host ";
+				$name2=$name.$mac;
+				foreach my $key (sort keys %hosts){
+					if($hosts{$key}[0] eq $name2){
+						$hosts{$key}[4]++;
+					}
+				}
+				$name="host ";
+				$name2=$name.$mac;
+				$name3="Custom Host";
+			}
+			if($name2 && !&check_grp($grp,$name2)){
+				my $grpkey 	= &General::findhasharraykey(\%groups);
+				$groups{$grpkey}[0]	= $grp;
+				$groups{$grpkey}[1]	= '';
+				$groups{$grpkey}[2]	= $name2;
+				$groups{$grpkey}[3]	= $name3;
+				$groups{$grpkey}[4]	= 0;
+				print LOG "->$name2 added to group $grp\n";
+			}
+		}
+	}
+	@hostarray=();
+	&General::writehasharray($confighosts,\%hosts);
+	&General::writehasharray($configgroups,\%groups);
+	&General::writehasharray($confignets,\%nets);
+
+}
+sub check_host
+{
+	my $ip=shift;
+	foreach my $key (sort keys %hosts)
+	{
+		if($hosts{$key}[2] eq $ip)
+		{
+			return 1;
+		}
+	}
+	return 0;
+}
+sub check_net
+{
+	my $ip=shift;
+	my $sub=shift;
+	foreach my $key (sort keys %nets)
+	{
+		if($nets{$key}[1] eq $ip && $nets{$key}[2] eq $sub)
+		{
+			return 1;
+		}
+	}
+	return 0;
+}
+sub check_grp
+{
+	my $grp=shift;
+	my $value=shift;
+	foreach my $key (sort keys %groups)
+	{
+		if($groups{$key}[0] eq $grp && $groups{$key}[2] eq $value)
+		{
+			return 1;
+		}
+	}
+	return 0;
+}
+sub process_rules
+{
+	my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$re \
mark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
 +	#open LOG
+	if( -f "/var/log/converters/outgoingfw-convert.log"){unlink \
("/var/log/converters/outgoingfw-convert.log");} +	open (LOG, \
">/var/log/converters/outgoingfw-convert.log") or die $!; +
+	&General::readhash($fwdfwsettings,\%fwdsettings);
+	if ($outsettings{'POLICY'} eq 'MODE1'){
+		$fwdsettings{'POLICY'}='MODE1';
+		$fwdsettings{'POLICY1'}='MODE2';
+		$type='ALLOW';
+		$action='ACCEPT';
+	}else{
+		$fwdsettings{'POLICY'}='MODE2';
+		$fwdsettings{'POLICY1'}='MODE2';
+		$type='DENY';
+		$action='DROP';
+	}
+	&General::writehash($fwdfwsettings,\%fwdsettings);
+	open (DATEI, "<$outgoingrules");
+	my @lines = <DATEI>;
+	foreach my $rule (@lines)
+	{
+		my $now=localtime;
+		chomp($rule);
+		$port='';
+		print LOG "$now processing: $rule\n";
+		my @configline=();
+		@configline = split( /\;/, $rule );
+		my @prot=();
+		if($configline[0] eq $type){
+			#some variables we can use from old config
+			if($configline[1] eq 'on'){ $active='ON';}else{$active='';}
+			if($configline[3] eq 'all' && $configline[8] ne ''){ 
+				push(@prot,"TCP");
+				push(@prot,"UDP");
+			}elsif($configline[3] eq 'all' && $configline[8] eq ''){
+				push(@prot,"");
+			}else{
+				push(@prot,$configline[3]);
+			}
+			if($configline[4] ne ''){ 
+				$configline[4] =~ s/,/;/g;
+				$remark = $configline[4];
+			}else{$remark = '';}
+			if($configline[9] eq 'Active'){ $log='ON';}else{$log='';}
+			if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' \
&& $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && \
$configline[16] eq 'on'){ +				if($configline[17] eq '00:00' && $configline[18] eq \
'00:00'){ +					$time='';
+				}else{
+					$time='ON';					
+				}
+			}else{
+				$time='ON';	
+			} 
+			$time_mon=$configline[10];
+			$time_tue=$configline[11];
+			$time_wed=$configline[12];
+			$time_thu=$configline[13];
+			$time_fri=$configline[14];
+			$time_sat=$configline[15];
+			$time_sun=$configline[16];
+			$time_from=$configline[17];
+			$time_to=$configline[18];
+			############################################################
+			#sourcepart			
+			if ($configline[2] eq 'green') {
+				$grp1='std_net_src';
+				$source='GREEN';
+			}elsif ($configline[2] eq 'orange') {
+				$grp1='std_net_src';
+				$source='ORANGE';
+			}elsif ($configline[2] eq 'red') {
+				$grp1='std_net_src';
+				$source='IPFire';
+				&General::readhash($fwdfwsettings,\%fwdsettings);
+				$fwdsettings{'POLICY1'}=$outsettings{'POLICY'};
+				$fwdsettings{'POLICY'}=$outsettings{'POLICY'};
+				&General::writehash($fwdfwsettings,\%fwdsettings);
+			}elsif ($configline[2] eq 'blue') {
+				$grp1='std_net_src';
+				$source='BLUE';
+			}elsif ($configline[2] eq 'ipsec') {
+				print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire \
2.7 \n"; +				next;
+			}elsif ($configline[2] eq 'ovpn') {
+				print LOG "$now ->Creating networks/groups for OpenVPN...\n";
+				&build_ovpn_grp;		
+				$grp1='cust_grp_src';
+				$source='ovpn'		
+			}elsif ($configline[2] eq 'ip') {
+				my $z=&check_ip($configline[5]);
+				if($z){
+					my ($ipa,$subn) = split("/",$z);
+					$subn=&General::iporsubtocidr($subn);
+					$grp1='src_addr';
+					$source="$ipa/$subn";
+				}else{
+					print LOG "$now -> Rule not converted, missing/invalid source ip \
\"$configline[5]\"\n"; +					next;
+				}
+			}elsif ($configline[2] eq 'mac') {
+				if(&General::validmac($configline[6])){
+					$grp1='src_addr';
+					$source=$configline[6];
+				}else{
+					print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";
+					next;
+				}
+			}elsif ($configline[2] eq 'all') {
+				$grp1='std_net_src';
+				$source='ALL';
+			}else{
+				foreach my $key (sort keys %groups){
+					if($groups{$key}[0] eq $configline[2]){
+						$grp1='cust_grp_src';
+						$source=$configline[2];
+					}
+				}
+				if ($grp1 eq '' || $source eq ''){
+					print LOG "$now -> Rule not converted, no valid source recognised\n";
+				}
+			}
+			############################################################
+			#destinationpart
+			if($configline[7] ne ''){
+				my $address=&check_ip($configline[7]);
+				 if($address){
+					 my ($dip,$dsub) = split("/",$address);
+					 $dsub=&General::iporsubtocidr($dsub);
+					 $grp2='tgt_addr';
+					 $target="$dip/$dsub";
+				 }elsif(!$address){
+					my $getwebsiteip=&get_ip_from_domain($configline[7]);
+					if ($getwebsiteip){
+						$grp2='tgt_addr';
+						$target=$getwebsiteip;	
+						$remark.=" $configline[7]";
+					}else{
+						print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n";
+						next;
+					}
+				 }
+			}else{
+				$grp2='std_net_tgt';
+				$target='ALL';
+			}
+			if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){
+				my @values=();
+				my @parts=split(",",$configline[8]);
+				foreach (@parts){
+					$_=~ tr/-/:/;
+					if (!($_ =~ /^(\d+)\:(\d+)$/)) {
+						if(&General::validport($_)){
+							$useport='ON';	
+							push (@values,$_);
+							$grp3='TGT_PORT';
+						}else{
+							print LOG "$now -> Rule not converted, invalid destination Port \
\"$configline[8]\"\n"; +							next;
+						}
+					 }else{
+						my ($a1,$a2) = split(/\:/,$_);
+						if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){
+							$useport='ON';	
+							push (@values,"$a1:$a2");
+							$grp3='TGT_PORT';
+						}else{
+							print LOG "$now -> Rule not converted, invalid destination Port \
\"$configline[8]\"\n";  +							next;
+						} 
+					 }
+				 }
+				$port=join("|", at values);
+				@values=();
+				@parts=();
+			}
+		}else{
+			print LOG "-> Rule not converted because not for Firewall mode \
$outsettings{'POLICY'} (we are only converting for actual mode)\n"; +		}
+		&General::readhasharray($fwdfwconfig,\%fwconfig);
+		&General::readhasharray($outfwconfig,\%fwconfigout);
+		my $check;
+		my $chain;
+		foreach my $protocol (@prot){
+			my $now=localtime;
+			if ($source eq 'IPFire'){
+				$chain='OUTGOINGFW';
+			}else{
+				$chain='FORWARDFW';
+			}
+			$protocol=uc($protocol);
+			print LOG "$now -> Converted: \
$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port \
,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
 +			#Put rules into system....
+			###########################
+			#check for double rules
+			foreach my $key (sort keys %fwconfig){
+				if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$g \
rp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to"
 +					eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3] \
,$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwc \
onfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig \
{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key} \
[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){
 +						$check='on';
+						next;
+				}
+			}
+			if($check ne 'on'){
+				#increase groupcounter
+				my $check1;
+				if($grp1 eq 'cust_grp_src'){
+					foreach my $key (sort keys %groups){
+						if($groups{$key}[0] eq $source){
+							$groups{$key}[4]++;
+							$check1='on'; 
+						}
+					}
+					if($check1 eq 'on'){
+						&General::writehasharray($configgroups,\%groups);
+					}
+				}
+				if ($chain eq 'FORWARDFW'){
+					my $key = &General::findhasharraykey(\%fwconfig);
+					$fwconfig{$key}[0]	= $action;
+					$fwconfig{$key}[1] 	= $chain;
+					$fwconfig{$key}[2] 	= $active;
+					$fwconfig{$key}[3] 	= $grp1;
+					$fwconfig{$key}[4] 	= $source;
+					$fwconfig{$key}[5] 	= $grp2;
+					$fwconfig{$key}[6] 	= $target;
+					$fwconfig{$key}[11] = $useport;
+					$fwconfig{$key}[12] = $protocol;
+					$fwconfig{$key}[14] = $grp3;
+					$fwconfig{$key}[15] = $port;
+					$fwconfig{$key}[16] = $remark;
+					$fwconfig{$key}[17] = $log;
+					$fwconfig{$key}[18] = $time;
+					$fwconfig{$key}[19] = $time_mon;
+					$fwconfig{$key}[20] = $time_tue;
+					$fwconfig{$key}[21] = $time_wed;
+					$fwconfig{$key}[22] = $time_thu;
+					$fwconfig{$key}[23] = $time_fri;
+					$fwconfig{$key}[24] = $time_sat;
+					$fwconfig{$key}[25] = $time_sun;
+					$fwconfig{$key}[26] = $time_from;
+					$fwconfig{$key}[27] = $time_to;
+					$fwconfig{$key}[28] = '';
+					$fwconfig{$key}[29] = 'ALL';
+					$fwconfig{$key}[30] = '';
+					$fwconfig{$key}[31] = 'dnat';
+				}else{
+					my $key = &General::findhasharraykey(\%fwconfigout);
+					$fwconfigout{$key}[0]	= $action;
+					$fwconfigout{$key}[1]	= $chain;
+					$fwconfigout{$key}[2]	= $active;
+					$fwconfigout{$key}[3] 	= $grp1;
+					$fwconfigout{$key}[4] 	= $source;
+					$fwconfigout{$key}[5] 	= $grp2;
+					$fwconfigout{$key}[6] 	= $target;
+					$fwconfigout{$key}[11] 	= $useport;
+					$fwconfigout{$key}[12] 	= $protocol;
+					$fwconfigout{$key}[14] 	= $grp3;
+					$fwconfigout{$key}[15] 	= $port;
+					$fwconfigout{$key}[16] 	= $remark;
+					$fwconfigout{$key}[17] 	= $log;
+					$fwconfigout{$key}[18] 	= $time;
+					$fwconfigout{$key}[19] 	= $time_mon;
+					$fwconfigout{$key}[20] 	= $time_tue;
+					$fwconfigout{$key}[21] 	= $time_wed;
+					$fwconfigout{$key}[22] 	= $time_thu;
+					$fwconfigout{$key}[23] 	= $time_fri;
+					$fwconfigout{$key}[24] 	= $time_sat;
+					$fwconfigout{$key}[25] 	= $time_sun;
+					$fwconfigout{$key}[26] 	= $time_from;
+					$fwconfigout{$key}[27] 	= $time_to;
+					$fwconfigout{$key}[28]  = '';
+					$fwconfigout{$key}[29]  = 'ALL';
+					$fwconfigout{$key}[30]  = '';
+					$fwconfigout{$key}[31]  = 'dnat';
+				}
+				&General::writehasharray($fwdfwconfig,\%fwconfig);
+				&General::writehasharray($outfwconfig,\%fwconfigout);
+			}
+		}
+		@prot=();
+	}
+	close(LOG);
+	@lines=();
+}
+sub get_ip_from_domain
+{
+	$web=shift;
+	my $resolvedip;
+	my $checked;
+	my ($name,$aliases,$addrtype,$length, at addrs) = gethostbyname($web);
+	if(@addrs){
+		$resolvedip=inet_ntoa($addrs[0]);
+		return $resolvedip;
+	}
+	return;
+}
+sub build_ovpn_grp
+{
+	my $now=localtime;
+	&General::readhasharray($confighosts,\%hosts);
+	&General::readhasharray($confignets,\%nets);
+	&General::readhasharray($configgroups,\%groups);
+	&General::readhasharray($ovpnconfig,\%configovpn);
+	&General::readhasharray($ccdconfig,\%ccdconf);
+	&General::readhash($ovpnsettings,\%settingsovpn);
+	#get ovpn nets
+	my @ovpnnets=();
+	if($settingsovpn{'DOVPN_SUBNET'}){
+		my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
+		push (@ovpnnets,"$net,$subnet,dynamic");
+		print LOG "$now ->found dynamic OpenVPN net\n"; 
+	}
+	foreach my $key (sort keys %ccdconf){
+		my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
+		$subnet=&General::iporsubtodec($subnet);
+		push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
+		print LOG "$now ->found OpenVPN static net $net/$subnet\n";
+	}
+	foreach my $key (sort keys %configovpn){
+		if ($configovpn{$key}[3] eq 'net'){
+			my ($net,$subnet)=split("/",$configovpn{$key}[27]);
+			push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
+			print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
+		}
+	}
+	#add ovpn nets to customnetworks/groups
+	foreach my $line (@ovpnnets){
+		my $now=localtime;
+		my ($net,$subnet,$name) = split(",",$line);
+		if (!&check_net($net,$subnet)){
+			my $netkey	=  &General::findhasharraykey(\%nets);
+			$name2=$name."(ovpn)".$net;
+			$name3="Custom Network";
+			$nets{$netkey}[0] = $name2;
+			$nets{$netkey}[1] = $net;
+			$nets{$netkey}[2] = $subnet;
+			$nets{$netkey}[3] = '';
+			$nets{$netkey}[4] = 1;
+			print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
+		}else{
+			print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can \
ignore this, if this run was manual from shell)\n";  +		}
+		if($name2){
+			my $grpkey 	= &General::findhasharraykey(\%groups);
+			$groups{$grpkey}[0]	= "ovpn";
+			$groups{$grpkey}[1]	= '';
+			$groups{$grpkey}[2]	= $name2;
+			$groups{$grpkey}[3]	= "Custom Network";
+			$groups{$grpkey}[4]	= 0;
+			print LOG "$now ->added $name2 to customgroup ovpn\n";
+		}
+		$name2='';
+	}
+	@ovpnnets=();
+	&General::writehasharray($confighosts,\%hosts);
+	&General::writehasharray($configgroups,\%groups);
+	&General::writehasharray($confignets,\%nets);
+	print LOG "$now ->finished OVPN\n";
+}
+sub process_p2p
+{
+	copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/firewall/p2protocols");
+	chmod oct('0777'), '/var/ipfire/firewall/p2protocols';
+}
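Review bot: process_p2p ends with chmod oct('0777') on /var/ipfire/firewall/p2protocols, which leaves a firewall configuration file writable by every local user; set only the mode and owner its real readers and writers need, and check the return value of copy(). In the destination port block, the two "next" statements after "invalid destination Port" sit inside foreach (@parts), so they skip that one port and not the rule: the log says "Rule not converted", but the loop over @prot further down still writes the rule with whatever ports did validate, or with an empty $port. Set a flag there and skip the rule in the outer loop. The "no valid source recognised" branch has the same problem (it logs but has no "next"), and $grp1, $source, $useport and $grp3 are not cleared at the top of the loop the way $port is, so a rule that fails a check can inherit values from the rule before it.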
diff --git a/config/firewall/convert-portfw b/config/firewall/convert-portfw
new file mode 100755
index 0000000..f6ddd25
--- /dev/null
+++ b/config/firewall/convert-portfw
@@ -0,0 +1,158 @@
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+#                                                                             #
+# This script converts old portforwarding rules from old Firewall             #
+# to the new one. This is a 3-step process.                                   #
+# STEP1: read old config and normalize settings                               #
+# STEP2: create new rules from old ones                                       #
+# STEP3: check if rule already exists, when not, put it into                  #
+#        /var/ipfire/firewall/config                                          #
+###############################################################################
+require '/var/ipfire/general-functions.pl';
+my @values=();
+my @built_rules=();
+my %nat=();
+my $portfwconfig 	= "${General::swroot}/portfw/config";
+my $confignat 		= "${General::swroot}/firewall/config";
+my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
 +my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
 +my $count=0;
+my $jump;
+if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
+open(FILE, $portfwconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
+open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases \
file.'; +my @alias = <ALIAS>;
+close(ALIAS);
+&get_config;
+&build_rules;
+&write_rules;
+sub get_config
+{
+	print LOG "STEP 1:   Get config from old \
portforward\n#########################################\n"; +	foreach my $line \
(@current){ +		if($jump eq '1'){
+			$jump='';
+			$count++;
+			next;
+		}
+		my $u=$count+1;
+		($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) \
= split(",",$line); +		($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) \
= split(",",$current[$u]); +		if ($flag1 eq '1'){
+			$source=$source1;
+			$jump='1';
+		}
+		my $now=localtime;
+		chomp($remark);
+		print LOG "$now   processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: \
$ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias \
SOURCE: $source REM: $remark Doublerule: $jump\n"; +		push \
(@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
 +		$count++;
+	}
+}
+sub build_rules
+{
+	print LOG "\nSTEP 2: Convert old portforwardrules in a useable \
format\n########################################################\n"; +	my $src;
+	my $src1;
+	my $ipfireip;
+	my $count=0;
+	my $stop;
+	#build rules for new firewall
+	foreach my $line (@values){
+		chomp ($line);
+		($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
 +		$count++;
+		#get sourcepart
+		if($source eq '0.0.0.0/0'){
+			$src  = 'std_net_src';
+			$src1 = 'ALL';
+		}else{
+			$src  = 'src_addr';
+			my ($a,$b) = split("/",$source);
+			$src1 = $a."/32";
+		}
+		#get ipfire ip
+		if($alias eq '0.0.0.0'){
+			$alias='ALL';
+		}else{
+			foreach my $ali (@alias){
+				my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
+				if($alias eq $alias_ip){
+					chomp($alias_name);
+					$alias=$alias_name;
+				}
+			}
+		}
+		$active = uc $active;
+		$prot   = uc $prot;
+		chomp($remark);
+		push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
 +		my $now=localtime;
+		print LOG "$now    Converted-> KEY: $count \
ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
 +	}
+}
+sub write_rules
+{
+	my $skip='';
+	my $id;
+	print LOG "\nSTEP 3: Create DNAT rules in new \
firewall\n#########################################\n"; \
+	&General::readhasharray($confignat,\%nat); +	foreach my $line (@built_rules){
+		$skip='';
+		my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) \
= split (",",$line); +		foreach my $key (sort keys %nat){
+			if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4 \
],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[ \
14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
 +				my $now=localtime;
+				print LOG "$now         SKIP->  Rule  \
$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$n \
at{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15] \
,$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] \
->EXISTS\n"; +				$skip='1';
+			}
+		}
+		if ($skip ne '1'){
+			$id = &General::findhasharraykey(\%nat);
+			$nat{$id}[0]  = $action;
+			$nat{$id}[1]  = $chain;
+			$nat{$id}[2]  = $active;
+			$nat{$id}[3]  = $src;
+			$nat{$id}[4]  = $src1;
+			$nat{$id}[5]  = $tgt;
+			$nat{$id}[6]  = $tgt1;
+			$nat{$id}[11] = $use_prot;
+			$nat{$id}[12] = $prot;
+			$nat{$id}[13] = $dummy;
+			$nat{$id}[14] = $tgt_port;
+			$nat{$id}[15] = $tgt_port1;
+			$nat{$id}[16] = $remark;
+			$nat{$id}[26] = $from;
+			$nat{$id}[27] = $to;
+			$nat{$id}[28] = $use_port;
+			$nat{$id}[29] = $alias;
+			$nat{$id}[30] = $ipfireport;
+			$nat{$id}[31] = $dnat;
+			my $now=localtime;
+			print LOG "$now     NEW RULE->  Rule  \
$nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id \
}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[1 \
6],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
 +		}
+	}
+	&General::writehasharray($confignat,\%nat);
+}
+close (LOG);
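Review bot: in build_rules a non-default source is split on "/" and rebuilt as $a."/32", so the mask in $b is thrown away and a forward that was limited to a source network is converted into one that matches a single address; keep the original prefix (convert-outgoingfw normalises it with General::iporsubtocidr) and fall back to /32 only when no mask was given. None of $prot, $target, $targetport or $ipfireport is validated before it is pushed into @built_rules and written to firewall/config, whereas convert-outgoingfw runs check_ip and General::validport first; a malformed line in portfw/config should be logged and skipped. Minor: get_config reads $current[$u] one element past the end on the last line, and the script has no "use strict".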
diff --git a/config/firewall/convert-xtaccess b/config/firewall/convert-xtaccess
new file mode 100755
index 0000000..e04ab6d
--- /dev/null
+++ b/config/firewall/convert-xtaccess
@@ -0,0 +1,141 @@
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+#                                                                             #
+#This script converts old xtaccess rules to new firewall                      #
+#Logfiles are created under /var/log/converters                               #
+#                                                                             #
+###############################################################################
+my @current=();
+my @alias=();
+my %configinputfw=();
+require '/var/ipfire/general-functions.pl';
+my $xtaccessconfig 	= "${General::swroot}/xtaccess/config";
+my $inputfwconfig = "${General::swroot}/firewall/input";
+my $aliasconfig 	= "${General::swroot}/ethernet/aliases";
+my $field0='ACCEPT';
+my $field1='INPUTFW';
+my $field2=''; #ON or emtpy
+my $field3=''; #std_net_src or src_addr
+my $field4=''; #ALL or IP-Address with /32
+my $field5='ipfire';
+my $field6=''; #Default IP or alias name
+my $field11='ON'; #use target port 
+my $field12=''; #TCP or UDP
+my $field13='All ICMP-Types';
+my $field14='TGT_PORT';
+my $field15=''; #Port Number
+my $field16=''; #remark
+my $field26='00:00';
+my $field27='00:00';
+my $field28 = '';
+my $field29 = 'ALL';
+my $field30 = '';
+my $field31 = 'dnat';
+open(FILE, $xtaccessconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+open(FILE1, $aliasconfig) or die 'Unable to open config file.';
+my @alias = <FILE1>;
+close(FILE1);
+&General::readhasharray($inputfwconfig,\%configinputfw);
+
+foreach my $line (@current){
+	my ($a,$b,$c,$d,$e,$f) = split (",",$line);
+	$e =~ s/\R//g;
+	if ($f gt ''){
+		$f =~ s/\R//g;
+		$field16=$f;
+	}
+	#active or not
+	$field2=uc($d);
+	#get protocol
+	if ($a eq 'tcp'){ $field12 ='TCP';}else{$field12='UDP';}
+	#check source address
+	if ($b eq '0.0.0.0/0'){
+		$field3='std_net_src';
+		$field4='ALL';
+	}elsif($b =~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+		$field3='src_addr';
+		$field4=$b."/32";
+	}elsif ($b =~ /^(.*?)\/(.*?)$/) {
+		$field3='src_addr';
+		$field4=$b;
+	}else{
+		print "Regel konnte nicht konvertiert werden!\n";
+	}
+	#check ipfire address
+	if ($e eq '0.0.0.0'){ 
+		$field6 = 'RED1';
+	}else{
+		foreach my $line (@alias){
+			my ($ip,$state,$aliasname) = split (",",$line);
+			if ($ip eq $e){
+				$aliasname =~ s/\R//g; 
+				$field6 = $aliasname;
+			}
+		}
+	}
+	#get target port
+	$c=~ s/\R//g;
+	$c=~ tr/-/:/;
+	if ($c =~ /^(\D)\:(\d+)$/) {
+		$c = "1:$2";
+	}
+	if ($c =~ /^(\d+)\:(\D)$/) {
+		$c = "$1:65535";
+	}
+	$field15=$c;
+	my $key = &General::findhasharraykey (\%configinputfw);
+	foreach my $i (0 .. 31) { $configinputfw{$key}[$i] = "";}
+	$configinputfw{$key}[0] = $field0;
+	$configinputfw{$key}[1] = $field1;
+	$configinputfw{$key}[2] = $field2;
+	$configinputfw{$key}[3] = $field3;
+	$configinputfw{$key}[4] = $field4;
+	$configinputfw{$key}[5] = $field5;
+	$configinputfw{$key}[6] = $field6;
+	$configinputfw{$key}[7] = '';
+	$configinputfw{$key}[8] = '';
+	$configinputfw{$key}[9] = '';
+	$configinputfw{$key}[10] = '';
+	$configinputfw{$key}[11] = $field11;
+	$configinputfw{$key}[12] = $field12;
+	$configinputfw{$key}[13] = $field13;
+	$configinputfw{$key}[14] = $field14;
+	$configinputfw{$key}[15] = $field15;
+	$configinputfw{$key}[16] = $field16;
+	$configinputfw{$key}[17] = '';
+	$configinputfw{$key}[18] = '';
+	$configinputfw{$key}[19] = '';
+	$configinputfw{$key}[20] = '';
+	$configinputfw{$key}[21] = '';
+	$configinputfw{$key}[22] = '';
+	$configinputfw{$key}[23] = '';
+	$configinputfw{$key}[24] = '';
+	$configinputfw{$key}[25] = '';
+	$configinputfw{$key}[26] = $field26;
+	$configinputfw{$key}[27] = $field27;
+	$configinputfw{$key}[28] = $field28;
+	$configinputfw{$key}[29] = $field29;
+	$configinputfw{$key}[30] = $field30;
+	$configinputfw{$key}[31] = $field31;
+	&General::writehasharray($inputfwconfig,\%configinputfw);
+}
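Review bot: the else branch of the source check only prints "Regel konnte nicht konvertiert werden!" and carries on, so the rule is still written to firewall/input with $field3 and $field4 left over from the previous line (possibly std_net_src/ALL), which yields an ACCEPT on INPUTFW for a source nobody configured; add "next" there. The same stale state affects $field16, which is assigned only when $f is non-empty, and $field6, which keeps its old value when no alias matches $e; reset all per-rule fields at the top of the loop. The header says log files are created under /var/log/converters, but the script opens none and prints a German message to stdout. There is also no check for an existing identical rule as in convert-portfw, so a second run duplicates every entry, and any protocol other than 'tcp' is written as UDP.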
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
new file mode 100755
index 0000000..f1e8403
--- /dev/null
+++ b/config/firewall/firewall-lib.pl
@@ -0,0 +1,256 @@
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+use strict;
+no warnings 'uninitialized';
+
+package fwlib;
+
+my %customnetwork=();
+my %customhost=();
+my %customgrp=();
+my %customservice=();
+my %customservicegrp=();
+my %ccdnet=();
+my %ccdhost=();
+my %ipsecconf=();
+my %ipsecsettings=();
+my %netsettings=();
+my %ovpnsettings=();
+
+require '/var/ipfire/general-functions.pl';
+
+my $confignet		= "${General::swroot}/fwhosts/customnetworks";
+my $confighost		= "${General::swroot}/fwhosts/customhosts";
+my $configgrp 		= "${General::swroot}/fwhosts/customgroups";
+my $configsrv 		= "${General::swroot}/fwhosts/customservices";
+my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
+my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
+my $configccdhost	= "${General::swroot}/ovpn/ovpnconfig";
+my $configipsec		= "${General::swroot}/vpn/config";
+my $configovpn		= "${General::swroot}/ovpn/settings";
+my $val;
+my $field;
+
+&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
+&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
+&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
+
+
+&General::readhasharray("$confignet", \%customnetwork);
+&General::readhasharray("$confighost", \%customhost);
+&General::readhasharray("$configgrp", \%customgrp);
+&General::readhasharray("$configccdnet", \%ccdnet);
+&General::readhasharray("$configccdhost", \%ccdhost);
+&General::readhasharray("$configipsec", \%ipsecconf);
+&General::readhasharray("$configsrv", \%customservice);
+&General::readhasharray("$configsrvgrp", \%customservicegrp);
+
+sub get_srv_prot
+{
+	my $val=shift;
+	foreach my $key (sort {$a <=> $b} keys %customservice){
+		if($customservice{$key}[0] eq $val){
+			if ($customservice{$key}[0] eq $val){
+				return $customservice{$key}[2];
+			}
+		}
+	}
+}
+sub get_srvgrp_prot
+{
+	my $val=shift;
+	my @ips=();
+	my $tcp;
+	my $udp;
+	my $icmp;
+	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
+		if($customservicegrp{$key}[0] eq $val){
+			if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ 
+				$tcp=1;
+			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ 
+				$udp=1;
+			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
+				$icmp=1;
+			} 
+		}
+	}
+	if ($tcp eq '1'){push (@ips,'TCP');}
+	if ($udp eq '1'){push (@ips,'UDP');}
+	if ($icmp eq '1'){push (@ips,'ICMP');}
+	my $back=join(",", at ips);
+	return $back;
+	
+}
+
+
+sub get_srv_port
+{
+	my $val=shift;
+	my $field=shift;
+	my $prot=shift;
+	foreach my $key (sort {$a <=> $b} keys %customservice){
+		if($customservice{$key}[0] eq $val){
+			if($customservice{$key}[2] eq $prot){
+				return $customservice{$key}[$field];
+			}
+		}
+	}
+}
+sub get_srvgrp_port
+{
+	my $val=shift;
+	my $prot=shift;
+	my $back;
+	my $value;
+	my @ips=();
+	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
+		if($customservicegrp{$key}[0] eq $val){
+			if ($prot ne 'ICMP'){
+				$value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
+			}elsif ($prot eq 'ICMP'){
+				$value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
+			}
+			push (@ips,$value) if ($value ne '') ;
+		}
+	}
+	if($prot ne 'ICMP'){
+		if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
+	}elsif ($prot eq 'ICMP'){
+		$back="--icmp-type ";
+	}
+	
+	$back.=join(",", at ips);
+	return $back;
+}
+sub get_ipsec_net_ip
+{
+	my $val=shift;
+	my $field=shift;
+	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+		if($ipsecconf{$key}[1] eq $val){
+			return $ipsecconf{$key}[$field];
+		}
+	}
+}
+sub get_ipsec_host_ip
+{
+	my $val=shift;
+	my $field=shift;
+	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
+		if($ipsecconf{$key}[1] eq $val){
+			return $ipsecconf{$key}[$field];
+		}
+	}
+}
+sub get_ovpn_n2n_ip
+{
+	my $val=shift;
+	my $field=shift;
+	foreach my $key (sort {$a <=> $b} keys %ccdhost){
+		if($ccdhost{$key}[1] eq $val){
+			return $ccdhost{$key}[$field];
+		}
+	}
+}
+sub get_ovpn_host_ip
+{
+	my $val=shift;
+	my $field=shift;
+	foreach my $key (sort {$a <=> $b} keys %ccdhost){
+		if($ccdhost{$key}[1] eq $val){
+			return $ccdhost{$key}[$field];
+		}
+	}
+}
+sub get_ovpn_net_ip
+{
+	
+	my $val=shift;
+	my $field=shift;
+	foreach my $key (sort {$a <=> $b} keys %ccdnet){
+		if($ccdnet{$key}[0] eq $val){
+			return $ccdnet{$key}[$field];
+		}
+	}
+}
+sub get_grp_ip
+{
+	my $val=shift;
+	my $src=shift;
+	foreach my $key (sort {$a <=> $b} keys %customgrp){
+		if ($customgrp{$key}[0] eq $val){
+			&get_address($customgrp{$key}[3],$src);
+		}
+	}		
+	
+}
+sub get_std_net_ip
+{
+	my $val=shift;
+	my $con=shift;
+	if ($val eq 'ALL'){
+		return "0.0.0.0/0.0.0.0";
+	}elsif($val eq 'GREEN'){
+		return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+	}elsif($val eq 'ORANGE'){
+		return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
+	}elsif($val eq 'BLUE'){
+		return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
+	}elsif($val eq 'RED'){
+		return "0.0.0.0/0 -o $con";
+	}elsif($val =~ /OpenVPN/i){
+		return "$ovpnsettings{'DOVPN_SUBNET'}";
+	}elsif($val =~ /IPsec/i){
+		return "$ipsecsettings{'RW_NET'}";
+	}elsif($val eq 'IPFire'){
+		return ;
+	}
+}
+sub get_net_ip
+{
+	my $val=shift;
+	foreach my $key (sort {$a <=> $b} keys %customnetwork){
+		if($customnetwork{$key}[0] eq $val){
+			return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
+		}  
+	}
+}
+sub get_host_ip
+{
+	my $val=shift;
+	my $src=shift;
+	foreach my $key (sort {$a <=> $b} keys %customhost){
+		if($customhost{$key}[0] eq $val){
+			if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
+			return "-m mac --mac-source $customhost{$key}[2]";
+			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
+				return "$customhost{$key}[2]";
+			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
+				return "$customhost{$key}[2]";
+			}elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
+				return "none";
+			}
+		}  
+	}
+}
+
+return 1;
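Review bot: get_grp_ip calls &get_address, which is not defined anywhere in this 256-line file, and the sub has no explicit return, so as written it cannot hand an address back to its caller; define get_address in package fwlib or qualify the call, and return the collected values. get_srv_prot tests the same condition in two nested ifs, get_ipsec_net_ip/get_ipsec_host_ip and get_ovpn_n2n_ip/get_ovpn_host_ip have identical bodies, and "$#ips gt 0" in get_srvgrp_port compares a number with the string operator (use >). get_host_ip and get_std_net_ip return iptables option fragments ("-m mac --mac-source ...", "0.0.0.0/0 -o $con") or the literal "none" where callers might expect a plain address; document that contract in a comment, since the values are read from the fwhosts files and returned without validation.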
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
new file mode 100755
index 0000000..6d26d5b
--- /dev/null
+++ b/config/firewall/firewall-policy
@@ -0,0 +1,124 @@
+#!/bin/sh
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
+iptables -F POLICYFWD
+iptables -F POLICYOUT
+iptables -F POLICYIN
+
+if [ -f "/var/ipfire/red/iface" ]; then
+	IFACE="$(</var/ipfire/red/iface)"
+fi
+
+# Figure out what devices are configured.
+HAVE_BLUE="false"
+HAVE_ORANGE="false"
+
+case "${CONFIG_TYPE}" in
+	2)
+		HAVE_BLUE="true"
+		;;
+	3)
+		HAVE_ORANGE="true"
+		;;
+	4)
+		HAVE_BLUE="true"
+		HAVE_ORANGE="true"
+		;;
+esac
+
+# INPUT
+case "${FWPOLICY2}" in
+	REJECT)
+		if [ "${DROPINPUT}" = "on" ]; then
+			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix \
"REJECT_INPUT" +		fi
+		/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m \
comment --comment "DROP_INPUT" +		;;
+	*) # DROP
+		if [ "${DROPINPUT}" = "on" ]; then
+			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix \
"DROP_INPUT" +		fi
+		/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
+		;;
+esac
+
+# FORWARD
+case "${POLICY}" in
+	MODE1)
+		case "${FWPOLICY}" in
+			REJECT)
+				if [ "${DROPFORWARD}" = "on" ]; then
+					/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix \
"REJECT_FORWARD" +				fi
+				/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m \
comment --comment "DROP_FORWARD" +				;;
+			*) # DROP
+				if [ "${DROPFORWARD}" = "on" ]; then
+					/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix \
"DROP_FORWARD" +				fi
+				/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+				;;
+		esac
+		;;
+
+	*)
+		if [ -n "${IFACE}" ]; then
+			if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
+				/sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
+			fi
+			if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
+				/sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
+			fi
+		fi
+		/sbin/iptables -A POLICYFWD -j ACCEPT
+		/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+		;;
+esac
+
+# OUTGOING
+case "${POLICY1}" in
+	MODE1)
+		case "${FWPOLICY1}" in
+			REJECT)
+				if [ "${DROPOUTGOING}" = "on" ]; then
+					/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix \
"REJECT_OUTPUT" +				fi
+				/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m \
comment --comment "DROP_OUTPUT" +				;;
+			*) # DROP
+				if [ "${DROPOUTGOING}" == "on" ]; then
+					/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix \
"DROP_OUTPUT" +				fi
+				/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
+				;;
+		esac
+		;;
+	*)
+		/sbin/iptables -A POLICYOUT -j ACCEPT
+		/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
+		;;
+esac
+
+exit 0
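
Review bot: the default (*) branch of the FORWARD case fails open when IFACE is empty. The BLUE and ORANGE "! -o ${IFACE} -j DROP" rules are only added inside the [ -n "${IFACE}" ] test, and "-A POLICYFWD -j ACCEPT" is appended either way, so a missing or empty /var/ipfire/red/iface leaves both zones free to forward anywhere; add an unconditional "-i <dev> -j DROP" for BLUE and ORANGE when IFACE is unset. This is easier to hit than it looks because the script is #!/bin/sh but reads the file with $(<...), which is a bash construct, and the DROP arm of the OUTGOING case tests DROPOUTGOING with == while every other test uses =; use read -r IFACE < /var/ipfire/red/iface and = throughout, or change the interpreter line. Smaller points: the DROP rule that follows "-j ACCEPT" in both default branches can never match, the REJECT rules carry the comments DROP_INPUT, DROP_FORWARD and DROP_OUTPUT, and the three flush commands call iptables without the /sbin/ path used everywhere else.
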
diff --git a/config/firewall/p2protocols b/config/firewall/p2protocols
new file mode 100644
index 0000000..7000581
--- /dev/null
+++ b/config/firewall/p2protocols
@@ -0,0 +1,9 @@
+Applejuice;apple;off;
+Ares;ares;off;
+Bittorrent;bit;off;
+DirectConnect;dc;off;
+Edonkey;edk;off;
+Gnutella;gnu;off;
+KaZaA;kazaa;off;
+SoulSeek;soul;off;
+WinMX;winmx;off;
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
new file mode 100755
index 0000000..c724aa8
--- /dev/null
+++ b/config/firewall/rules.pl
@@ -0,0 +1,635 @@
+#!/usr/bin/perl
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+use strict;
+use Time::Local;
+no warnings 'uninitialized';
+
+# enable only the following on debugging purpose
+#use warnings;
+#use CGI::Carp 'fatalsToBrowser';
+
+my %fwdfwsettings=();
+my %defaultNetworks=();
+my %configfwdfw=();
+my %color=();
+my %icmptypes=();
+my %ovpnSettings=();
+my %customgrp=();
+our %sourcehash=();
+our %targethash=();
+my @timeframe=();
+my %configinputfw=();
+my %configoutgoingfw=();
+my %confignatfw=();
+my %aliases=();
+my @DPROT=();
+my @p2ps=();
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
+require "${General::swroot}/firewall/bin/firewall-lib.pl";
+
+my $configfwdfw		= "${General::swroot}/firewall/config";
+my $configinput	    = "${General::swroot}/firewall/input";
+my $configoutgoing  = "${General::swroot}/firewall/outgoing";
+my $p2pfile			= "${General::swroot}/firewall/p2protocols";
+my $configgrp		= "${General::swroot}/fwhosts/customgroups";
+my $netsettings		= "${General::swroot}/ethernet/settings";
+my $errormessage	= '';
+my $orange			= '';
+my $green			= '';
+my $blue			= '';
+my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
+my $CHAIN			= "FORWARDFW";
+my $conexists		= 'off';
+my $command			= 'iptables -A';
+my $dnat			='';
+my $snat			='';
+
+&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+&General::readhash("$netsettings", \%defaultNetworks);
+&General::readhasharray($configfwdfw, \%configfwdfw);
+&General::readhasharray($configinput, \%configinputfw);
+&General::readhasharray($configoutgoing, \%configoutgoingfw);
+&General::readhasharray($configgrp, \%customgrp);
+&General::get_aliases(\%aliases);
+
+#check if we have an internetconnection
+open (CONN,"/var/ipfire/red/iface");
+my $con = <CONN>;
+close(CONN);
+if (-f "/var/ipfire/red/active"){
+	$conexists='on';
+}
+open (CONN1,"/var/ipfire/red/local-ipaddress");
+my $redip = <CONN1>;
+close(CONN1);
+#################
+#    DEBUG/TEST #
+#################
+my $MODE=0;     # 0 - normal operation
+				# 1 - print configline and rules to console
+				#
+#################
+my $param=shift;
+
+if($param eq 'flush'){
+	if ($MODE eq '1'){
+		print " Flushing chains...\n";
+	}
+	&flush;
+}else{
+	if ($MODE eq '1'){
+		print " Flushing chains...\n";
+	}
+	&flush;
+	if ($MODE eq '1'){
+		print " Preparing rules...\n";
+	}
+	&preparerules;
+	if($MODE eq '0'){
+		if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
+			&p2pblock;
+			system ("/usr/sbin/firewall-policy");
+		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+			&p2pblock;
+			system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
+			system ("/usr/sbin/firewall-policy");
+			system ("/etc/sysconfig/firewall.local reload");
+		}
+	}
+}
+sub flush
+{
+	system ("iptables -F FORWARDFW");
+	system ("iptables -F INPUTFW");
+	system ("iptables -F OUTGOINGFW");
+	system ("iptables -t nat -F NAT_DESTINATION");
+	system ("iptables -t nat -F NAT_SOURCE");
+}
+sub preparerules
+{
+	if (! -z  "${General::swroot}/firewall/config"){
+		&buildrules(\%configfwdfw);
+	}
+	if (! -z  "${General::swroot}/firewall/input"){
+		&buildrules(\%configinputfw);
+	}
+	if (! -z  "${General::swroot}/firewall/outgoing"){
+		&buildrules(\%configoutgoingfw);
+	}
+}
+sub buildrules
+{
+	my $hash=shift;
+	my $STAG;
+	my $natip;
+	my $snatport;
+	my $fireport;
+	my $nat;
+	my $fwaccessdport;
+	my $natchain;
+	my $icmptype;
+	foreach my $key (sort {$a <=> $b} keys %$hash){
+		next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq \
'off' ); +		$command="iptables -A";
+		if ($$hash{$key}[28] eq 'ON'){
+			$command='iptables -t nat -A';
+			$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
+			if($$hash{$key}[31] eq 'dnat'){
+				$nat='DNAT';
+				if ($$hash{$key}[30] =~ /\|/){
+					$$hash{$key}[30]=~ tr/|/,/;
+					$fireport='-m multiport --dport '.$$hash{$key}[30];
+				}else{
+					$fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
+				}
+			}else{
+				$nat='SNAT';
+			}
+		}
+		$STAG='';
+		if($$hash{$key}[2] eq 'ON'){
+			#get source ip's
+			if ($$hash{$key}[3] eq 'cust_grp_src'){
+				foreach my $grp (sort {$a <=> $b} keys %customgrp){
+						if($customgrp{$grp}[0] eq $$hash{$key}[4]){
+						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
+					}
+				}
+			}else{
+				&get_address($$hash{$key}[3],$$hash{$key}[4],"src");
+			}
+			#get target ip's
+			if ($$hash{$key}[5] eq 'cust_grp_tgt'){
+				foreach my $grp (sort {$a <=> $b} keys %customgrp){
+					if($customgrp{$grp}[0] eq $$hash{$key}[6]){
+						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
+					}
+				}
+			}elsif($$hash{$key}[5] eq 'ipfire' ){
+				if($$hash{$key}[6] eq 'GREEN'){
+					$targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
+				}
+				if($$hash{$key}[6] eq 'BLUE'){
+					$targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
+				}
+				if($$hash{$key}[6] eq 'ORANGE'){
+					$targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
+				}
+				if($$hash{$key}[6] eq 'ALL'){
+					$targethash{$key}[0]='0.0.0.0/0';
+				}
+				if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
+					open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open \
local-ipaddress"; +					$targethash{$key}[0]= <FILE>;
+					close(FILE);
+				}else{
+					foreach my $alias (sort keys %aliases){
+						if ($$hash{$key}[6] eq $alias){
+							$targethash{$key}[0]=$aliases{$alias}{'IPT'};
+						}
+					}
+				}
+			}else{
+				&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
+			}
+			##get source prot and port
+			$SRC_TGT='SRC';
+			$SPORT = &get_port($hash,$key);
+			$SRC_TGT='';
+
+			##get target prot and port
+			$DPROT=&get_prot($hash,$key);
+
+			if ($DPROT eq ''){$DPROT=' ';}
+			@DPROT=split(",",$DPROT);
+
+			#get time if defined
+			if($$hash{$key}[18] eq 'ON'){
+				my ($time1,$time2,$daylight);
+				my $daylight=$$hash{$key}[28];
+				$time1=&get_time($$hash{$key}[26],$daylight);
+				$time2=&get_time($$hash{$key}[27],$daylight);
+				if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
+				if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
+				if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
+				if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
+				if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
+				if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
+				if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
+				$TIME=join(",", at timeframe);
+
+				$TIMEFROM="--timestart $time1 ";
+				$TIMETILL="--timestop $time2 ";
+				$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
+			}
+			if ($MODE eq '1'){
+				print "NR:$key ";
+				foreach my $i (0 .. $#{$$hash{$key}}){
+					print "$i: $$hash{$key}[$i]  ";
+				}
+				print "\n";
+				print"##################################\n";
+				#print rules to console
+				foreach my $DPROT (@DPROT){
+					$DPORT = &get_port($hash,$key,$DPROT);
+					$PROT=$DPROT;
+					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
+					foreach my $a (sort keys %sourcehash){
+						foreach my $b (sort keys %targethash){
+							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' \
|| $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ +								if($DPROT ne ''){
+									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ \
$STAG="-s";} +									if(substr($DPORT, 2, 4) eq 'icmp'){
+										my @icmprule= split(",",substr($DPORT, 12,));
+										foreach (@icmprule){
+											$icmptype="--icmp-type ";
+											if ($_ eq "BLANK") {
+													$icmptype="";
+													$_="";
+											}
+											if ($$hash{$key}[17] eq 'ON'){
+												print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
$targethash{$b}[0] $icmptype $_ $TIME -j LOG\n"; +											}
+												print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
$targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n"; +										}
+									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+										$natchain='NAT_DESTINATION';
+										if ($$hash{$key}[17] eq 'ON'){
+											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME \
-j LOG --log-prefix 'DNAT' \n"; +										}
+										my ($ip,$sub) =split("/",$targethash{$b}[0]);
+										#Process NAT with servicegroup used
+										if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && \
$$hash{$key}[14] eq 'cust_srvgrp'){ +											print "$command $natchain $PROT $STAG \
$sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; \
+											$fwaccessdport=$DPORT; +										}else{
+											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip \
$fireport $TIME -j $nat --to $ip$DPORT\n"; +											$DPORT =~ s/\-/:/g;
+											if ($DPORT){
+												$fwaccessdport="--dport ".substr($DPORT,1,);
+											}elsif(! $DPORT && $$hash{$key}[30] ne ''){
+												if ($$hash{$key}[30]=~m/|/i){
+													$$hash{$key}[30] =~ s/\|/,/g;
+													$fwaccessdport="-m multiport --dport $$hash{$key}[30]";
+												}else{
+													$fwaccessdport="--dport $$hash{$key}[30]";
+												}
+											}
+										}
+										print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip \
$fwaccessdport $TIME -j $$hash{$key}[0]\n"; +										next;
+									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+										$natchain='NAT_SOURCE';
+										print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
$targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; +									}
+									if ($$hash{$key}[17] eq 'ON' ){
+											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
$targethash{$b}[0] $DPORT $TIME -j LOG\n"; +									}
+									if ($PROT ne '-p ICMP'){
+										print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
-d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; +									}
+									if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+										print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
-d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; +									}
+								}
+							}
+						}
+					}
+					print"\n";
+				}
+			}elsif($MODE eq '0'){
+				foreach my $DPROT (@DPROT){
+					$DPORT = &get_port($hash,$key,$DPROT);
+					$PROT=$DPROT;
+					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
+					foreach my $a (sort keys %sourcehash){
+						foreach my $b (sort keys %targethash){
+							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' \
|| $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ +								if($DPROT ne ''){
+									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ \
$STAG="-s";} +									#Process ICMP RULE
+									if(substr($DPORT, 2, 4) eq 'icmp'){
+										my @icmprule= split(",",substr($DPORT, 12,));
+										foreach (@icmprule){
+											$icmptype="--icmp-type ";
+											if ($_ eq "BLANK") {
+													$icmptype="";
+													$_="";
+											}
+											if ($$hash{$key}[17] eq 'ON'){
+												system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
-d $targethash{$b}[0] $icmptype $_ $TIME -j LOG"); +											}
+												system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
-d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]"); +										}
+									#PROCESS DNAT RULE (Portforward)
+									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
+										$natchain='NAT_DESTINATION';
+										if ($$hash{$key}[17] eq 'ON'){
+											system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME \
-j LOG --log-prefix 'DNAT' \n"; +										}
+										my ($ip,$sub) =split("/",$targethash{$b}[0]);
+										#Process NAT with servicegroup used
+										if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && \
$$hash{$key}[14] eq 'cust_srvgrp'){ +											system "$command $natchain $PROT \
$STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j $nat --to $ip $DPORT\n"; \
+											$fwaccessdport=$DPORT; +										}else{
+											system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip \
$fireport $TIME -j $nat --to $ip$DPORT\n"; +											$DPORT =~ s/\-/:/g;
+											if ($DPORT){
+												$fwaccessdport="--dport ".substr($DPORT,1,);
+											}elsif(! $DPORT && $$hash{$key}[30] ne ''){
+												if ($$hash{$key}[30]=~m/|/i){
+													$$hash{$key}[30] =~ s/\|/,/g;
+													$fwaccessdport="-m multiport --dport $$hash{$key}[30]";
+												}else{
+													$fwaccessdport="--dport $$hash{$key}[30]";
+												}
+											}
+										}
+										system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d \
$ip $fwaccessdport $TIME -j $$hash{$key}[0]\n"; +										next;
+									#PROCESS SNAT RULE
+									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
+										$natchain='NAT_SOURCE';
+										system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
$targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n"; +									}
+									if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){
+										system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
$targethash{$b}[0] $DPORT $TIME -j LOG\n"; +									}
+									#PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied \
double) +									if ($PROT ne '-p ICMP'){
+										system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
-d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; +									}
+									#PROCESS Prot ICMP and type = All ICMP-Types
+									if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+										system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
-d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; +									}
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+		%sourcehash=();
+		%targethash=();
+		undef $TIME;
+		undef $TIMEFROM;
+		undef $TIMETILL;
+		undef $fireport;
+	}
+}
+sub get_nat_ip
+{
+	my $val=shift;
+	my $type=shift;
+	my $result;
+	if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
+		$result=$defaultNetworks{$val.'_ADDRESS'};
+	}elsif($val eq 'ALL'){
+		$result='-i '.$con;
+	}elsif($val eq 'Default IP' && $type eq 'dnat'){
+		$result='-d '.$redip;
+	}elsif($val eq 'Default IP' && $type eq 'snat'){
+		$result=$redip;
+	}else{
+		foreach my $al (sort keys %aliases){
+			if($val eq $al && $type eq 'dnat'){
+				$result='-d '.$aliases{$al}{'IPT'};
+			}elsif($val eq $al && $type eq 'snat'){
+				$result=$aliases{$al}{'IPT'};
+			}
+		}
+	}
+	return $result;
+}
+sub get_time
+{
+	my $val=shift;
+	my $val1=shift;
+	my $time;
+	my $minutes;
+	my $ruletime;
+	$minutes = &utcmin($val);
+	$ruletime = $minutes + &time_get_utc($val);
+	if ($ruletime < 0){$ruletime +=1440;}
+	if ($ruletime > 1440){$ruletime -=1440;}
+	$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
+	return $time;
+}
+sub time_get_utc
+{
+	# Calculates the UTCtime from a given time
+	my $val=shift;
+	my @localtime=localtime(time);
+	my @gmtime=gmtime(time);
+	my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
+	return $diff;
+}
+sub utcmin
+{
+	my $ruletime=shift;
+	my ($hrs,$min) = split(":",$ruletime);
+	my $newtime = $hrs*60+$min;
+	return $newtime;
+}
+sub p2pblock
+{
+	my $P2PSTRING;
+	my $DO;
+	open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+	@p2ps = <FILE>;
+	close FILE;
+	my $CMD = "-m ipp2p";
+	foreach my $p2pentry (sort @p2ps) {
+		my @p2pline = split( /\;/, $p2pentry );
+		if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
+			$DO = "ACCEPT";
+			if ("$p2pline[2]" eq "on") {
+				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
+			}
+		}else {
+			$DO = "RETURN";
+			if ("$p2pline[2]" eq "off") {
+				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
+			}
+		}
+	}
+	if ($MODE eq 1){
+		if($P2PSTRING){
+			print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
+		}
+	}else{
+		if($P2PSTRING){
+			system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
+		}
+	}
+}
+sub get_address
+{
+	my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
+	my $base2=shift;
+	my $type=shift; #src or tgt
+	my $hash;
+	if ($type eq 'src'){
+		$hash=\%sourcehash;
+	}else{
+		$hash=\%targethash;
+	}
+	my $key = &General::findhasharraykey($hash);
+	if($base eq 'src_addr' || $base eq 'tgt_addr' ){
+		if (&General::validmac($base2)){
+			$$hash{$key}[0] = "-m mac --mac-source $base2";
+		}else{
+			$$hash{$key}[0] = $base2;
+		}
+	}elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard \
Network'){ +		$$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
+	}elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom \
Network'){ +		$$hash{$key}[0]=&fwlib::get_net_ip($base2);
+	}elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom \
Host'){ +		$$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
+	}elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN \
static network'){ +		$$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
+	}elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN \
static host'){ +		$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
+	}elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN \
N-2-N'){ +		$$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
+	}elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec \
Network'){ +		$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
+	}elsif($base eq 'ipfire_src' ){
+		if($base2 eq 'GREEN'){
+			$$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
+		}
+		if($base2 eq 'BLUE'){
+			$$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
+		}
+		if($base2 eq 'ORANGE'){
+			$$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
+		}
+		if($base2 eq 'ALL'){
+			$$hash{$key}[0]='0.0.0.0/0';
+		}
+		if($base2 eq 'RED' || $base2 eq 'RED1'){
+			open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open \
local-ipaddress"; +			$$hash{$key}[0]= <FILE>;
+			close(FILE);
+		}else{
+			foreach my $alias (sort keys %aliases){
+				if ($base2 eq $alias){
+					$$hash{$key}[0]=$aliases{$alias}{'IPT'};
+				}
+			}
+		}
+	}
+}
+sub get_prot
+{
+	my $hash=shift;
+	my $key=shift;
+	#check AH,GRE,ESP or ICMP
+	if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
+		return "$$hash{$key}[8]";
+	}
+	if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
+		#check if servicegroup or service
+		if($$hash{$key}[14] eq 'cust_srv'){
+			return &fwlib::get_srv_prot($$hash{$key}[15]);
+		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
+			return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
+		}elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq \
''){ #when ports are used and prot set to "all" +			return "TCP,UDP";
+		}elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq \
'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or \
"udp" +			return "$$hash{$key}[8]";
+		}elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne \
'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP" +			return \
"$$hash{$key}[8]"; +		}else{
+			return "$$hash{$key}[8]";
+		}
+	}
+	#DNAT
+	if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && \
$$hash{$key}[12] ne ''){ +		return "$$hash{$key}[8]";
+	}
+}
+sub get_port
+{
+	my $hash=shift;
+	my $key=shift;
+	my $prot=shift;
+	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
+		if ($$hash{$key}[10] ne ''){
+			$$hash{$key}[10] =~ s/\|/,/g;
+			if(index($$hash{$key}[10],",") > 0){
+				return "-m multiport --sport $$hash{$key}[10] ";
+			}else{
+				if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq \
'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat')  ){ +					return \
"--sport $$hash{$key}[10] "; +				}else{
+					return ":$$hash{$key}[10]";
+				}
+			}
+		}
+	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
+		if($$hash{$key}[14] eq 'TGT_PORT'){
+			if ($$hash{$key}[15] ne ''){
+				$$hash{$key}[15] =~ s/\|/,/g;
+				if(index($$hash{$key}[15],",") > 0){
+					return "-m multiport --dport $$hash{$key}[15] ";
+				}else{
+					if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq \
'snat') ){ +						return "--dport $$hash{$key}[15] ";
+					 }else{
+						 $$hash{$key}[15] =~ s/\:/-/g;
+						 return ":$$hash{$key}[15]";
+					 }
+				}
+			}
+		}elsif($$hash{$key}[14] eq 'cust_srv'){
+			if ($prot ne 'ICMP'){
+				if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
+					return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+				}else{
+					return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
+				}
+			}elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){        #When PROT is ICMP \
and "use targetport is checked, this is an icmp-service +				return "--icmp-type \
".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); +			}
+		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
+			if 	($prot ne 'ICMP'){
+				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
+			}
+			elsif($prot eq 'ICMP'){
+				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
+			}
+		}
+	}
+	#CHECK ICMP
+	if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
+		if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
+			return "--icmp-type $$hash{$key}[9] ";
+		}elsif($$hash{$key}[9] eq 'All ICMP-Types'){
+			return;
+		}
+	}
+}
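
Review bot: every rule in buildrules and p2pblock is run by interpolating config fields into one string for system(), e.g. system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] ...", which is handed to the shell, so a metacharacter or newline in any stored field changes the command that runs. $con and $redip are read with <CONN> and <CONN1> and never chomped, and the open calls are unchecked, so they are the first candidates. Build an argument list and call system(@args), chomp and validate the values read from /var/ipfire/red/, and check the exit status so a rejected rule does not silently go missing from the ruleset. Further points in the same sub: (1) the non-ICMP LOG rule is "$command $natchain ...", but $natchain is only assigned in the dnat/snat branches and is not reset per rule, so logging on a plain rule uses an empty or stale chain name; it should use $$hash{$key}[1]. (2) "$$hash{$key}[30]=~m/|/i" has an unescaped |, which matches every string, so the single-port else branch is dead; the test near the top of the sub uses /\|/. (3) @timeframe is pushed to for each time-restricted rule but is not cleared alongside %sourcehash and %targethash at the end of the loop, so weekdays accumulate from one rule to the next. (4) The MODE 1 print path is a hand-copied duplicate of the MODE 0 path and already differs from it (only MODE 0 excludes icmp from the LOG rule); build the command once and then either print or run it.
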
diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
deleted file mode 100755
index efc4386..0000000
--- a/config/forwardfw/convert-dmz
+++ /dev/null
@@ -1,193 +0,0 @@
-#!/usr/bin/perl
-
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-#                                                                             #
-# This script converts old dmz holes rules from old firewall                  #
-# to the new one. This is a 2-step process.                                   #
-# STEP1: read old config and normalize settings                               #
-# STEP2: check valid ip and save valid rules to new firewall                  #
-#                                                                             #
-###############################################################################
-my @current=();
-my @alias=();
-my %configdmz=();
-my %ifaces=();
-my %configfwdfw=();
-require '/var/ipfire/general-functions.pl';
-my $dmzconfig 	  = "${General::swroot}/dmzholes/config";
-my $fwdfwconfig   = "${General::swroot}/forward/config";
-my $ifacesettings = "${General::swroot}/ethernet/settings";
-my $field0	= 'ACCEPT';
-my $field1	= 'FORWARDFW';
-my $field2	= ''; #ON or emtpy
-my $field3	= ''; #std_net_src or src_addr
-my $field4	= ''; #ALL or IP-Address with /32
-my $field5	= ''; #std_net_tgt or tgt_addr
-my $field6	= ''; #IP or network name
-my $field11	= 'ON'; #use target port 
-my $field12	= ''; #TCP or UDP
-my $field13	= 'All ICMP-Types';
-my $field14	= 'TGT_PORT';
-my $field15	= ''; #Port Number
-my $field16	= ''; #remark
-my $field26	= '00:00';
-my $field27	= '00:00';
-my $field28 = '';
-my $field29 = 'ALL';
-my $field30 = '';
-my $field31 = 'dnat';
-
-
-open(FILE, $dmzconfig) or die 'Unable to open config file.';
-my @current = <FILE>;
-close(FILE);
-#open LOGFILE
-open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
-&General::readhash($ifacesettings, \%ifaces);
-&General::readhasharray($fwdfwconfig,\%configfwdfw);
-&process_rules;
-sub process_rules{
-	foreach my $line (@current){
-		my $now=localtime;
-		#get values from old configfile
-		my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
-		$h =~ s/\s*\n//gi;
-		print LOG "$now Processing A: $a   B: $b   C: $c   D: $d   E: $e   F: $f   G: $g   \
                H: $h\n";
-		#Now convert values and check ip addresses
-		$a=uc($a);
-		$e=uc($e);
-		$field2=$e if($e eq 'ON');
-		#SOURCE IP-check
-		$b=&check_ip($b);
-		if (&General::validipandmask($b)){
-			#When ip valid, check if we have a network
-			my ($ip,$subnet) = split ("/",$b);
-			if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
-				$field3='std_net_src';
-				$field4='ORANGE';
-			}elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
-				$field3='std_net_src';
-				$field4='BLUE';
-			}elsif($f eq 'orange' && \
                &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
                
-				$field3='src_addr';
-				$field4=$b;
-			}elsif($f eq 'blue' && \
                &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
                
-				$field3='src_addr';
-				$field4=$b;
-			}else{
-				print LOG "$now ->NOT Converted, source ip $b not part of source network $f \
                \n\n";
-				next;
-			}
-		}else{
-			print LOG "$now -> SOURCE IP INVALID. \n\n";
-			next;
-		}
-		#TARGET IP-check
-		$c=&check_ip($c);
-		if (&General::validipandmask($c)){
-			my $now=localtime;
-			#When ip valid, check if we have a network
-			my ($ip,$subnet) = split ("/",$c);
-			if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
-				$field5='std_net_tgt';
-				$field6='GREEN';
-			}elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
-				$field5='std_net_tgt';
-				$field6='BLUE';
-			}elsif($g eq 'green' && \
                &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
                
-				$field5='tgt_addr';
-				$field6=$c;
-			}elsif($g eq 'blue' && \
                &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
                
-				$field5='tgt_addr';
-				$field6=$c;
-			}else{
-				print LOG "$now ->NOT Converted, target ip $c not part of target network $g \
                \n\n";
-				next;
-			}
-		}else{
-			print LOG "$now -> TARGET IP INVALID. \n\n";
-			next;
-		}
-		$field12=$a;
-		#convert portrange
-		$d =~ tr/-/:/;
-		$field15=$d;
-		$field16=$h;
-		my $key = &General::findhasharraykey (\%configfwdfw);
-		foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
-		$configfwdfw{$key}[0] = $field0;
-		$configfwdfw{$key}[1] = $field1;
-		$configfwdfw{$key}[2] = $field2;
-		$configfwdfw{$key}[3] = $field3;
-		$configfwdfw{$key}[4] = $field4;
-		$configfwdfw{$key}[5] = $field5;
-		$configfwdfw{$key}[6] = $field6;
-		$configfwdfw{$key}[7] = '';
-		$configfwdfw{$key}[8] = '';
-		$configfwdfw{$key}[9] = '';
-		$configfwdfw{$key}[10] = '';
-		$configfwdfw{$key}[11] = $field11;
-		$configfwdfw{$key}[12] = $field12;
-		$configfwdfw{$key}[13] = $field13;
-		$configfwdfw{$key}[14] = $field14;
-		$configfwdfw{$key}[15] = $field15;
-		$configfwdfw{$key}[16] = $field16;
-		$configfwdfw{$key}[17] = '';
-		$configfwdfw{$key}[18] = '';
-		$configfwdfw{$key}[19] = '';
-		$configfwdfw{$key}[20] = '';
-		$configfwdfw{$key}[21] = '';
-		$configfwdfw{$key}[22] = '';
-		$configfwdfw{$key}[23] = '';
-		$configfwdfw{$key}[24] = '';
-		$configfwdfw{$key}[25] = '';
-		$configfwdfw{$key}[26] = $field26;
-		$configfwdfw{$key}[27] = $field27;
-		$configfwdfw{$key}[28] = $field28;
-		$configfwdfw{$key}[29] = $field29;
-		$configfwdfw{$key}[30] = $field30;
-		$configfwdfw{$key}[31] = $field31;
-		print LOG "$Now -> Converted to \
$field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
                
-	}
-	&General::writehasharray($fwdfwconfig,\%configfwdfw);
-close (LOG);
-}
-
-sub check_ip
-{
-	my $adr=shift;
-	my $a;
-	#ip with subnet in decimal
-	if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
-		$adr=int($1).".".int($2).".".int($3).".".int($4);
-		my $b = &General::iporsubtodec($5);
-		$a=$adr."/".$b;
-	}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
-		$adr=int($1).".".int($2).".".int($3).".".int($4);
-		if(&General::validip($adr)){
-			$a=$adr."/32";
-		}
-	}
-	if(&General::validipandmask($adr)){
-		$a=&General::iporsubtodec($adr);
-	}
-	return $a;
-}
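Review bot: In the removed process_rules, `$field2=$e if($e eq 'ON');` only ever sets the enabled flag, and `$field2` is declared once outside the loop. After the first enabled DMZ pinhole, every later rule, including disabled ones, is written to forward/config as ON with action ACCEPT. If this converter is carried over anywhere rather than retired, reset `$field2` at the top of each iteration. Smaller points in the same sub: the final log line interpolates `$Now` where the variable is `$now`, the pre-fill loop clears indices 0 .. 27 while indices up to 31 are assigned, and the first pattern in check_ip leaves the dots between octets unescaped, so any character is accepted as a separator there.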
diff --git a/config/forwardfw/convert-outgoingfw \
b/config/forwardfw/convert-outgoingfw deleted file mode 100755
index bd33059..0000000
--- a/config/forwardfw/convert-outgoingfw
+++ /dev/null
@@ -1,704 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-#                                                                             #
-# This script converts old groups and firewallrules                           #
-# to the new one. This is a 3-step process.                                   #
-# STEP1: convert groups ->LOG /var/log/converters                             #
-# STEP2: convert rules  ->LOG /var/log/converters                             #
-# STEP3: convert P2P rules                                                    #
-#                                                                             #
-###############################################################################
-
-require '/var/ipfire/general-functions.pl';
-
-use Socket;
-use File::Path;
-use File::Copy;
-
-my $ipgrouppath 	= "${General::swroot}/outgoing/groups/ipgroups/";
-my $macgrouppath	= "${General::swroot}/outgoing/groups/macgroups/";
-my $outgoingrules	= "${General::swroot}/outgoing/rules";
-my $outfwsettings	= "${General::swroot}/outgoing/settings";
-my $host			= "Converted ";
-my $confighosts		= "${General::swroot}/fwhosts/customhosts";
-my $confignets		= "${General::swroot}/fwhosts/customnetworks";
-my $configgroups	= "${General::swroot}/fwhosts/customgroups";
-my $ovpnsettings	= "${General::swroot}/ovpn/settings";
-my $ovpnconfig		= "${General::swroot}/ovpn/ovpnconfig";
-my $ccdconfig		= "${General::swroot}/ovpn/ccd.conf";
-my $fwdfwconfig		= "${General::swroot}/forward/config";
-my $outfwconfig		= "${General::swroot}/forward/outgoing";
-my $fwdfwsettings	= "${General::swroot}/forward/settings";
-my @ipgroups = qx(ls $ipgrouppath);
-my @macgroups = qx(ls $macgrouppath);
-my @hostarray=();
-my %outsettings=();
-my %hosts=();
-my %nets=();
-my %groups=();
-my %settingsovpn=();
-my %configovpn=();
-my %ccdconf=();
-my %fwconfig=();
-my %fwconfigout=();
-my %fwdsettings=();
-my %ownnet=();
-my %ovpnSettings = ();
-&General::readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
-&General::readhash($outfwsettings,\%outsettings);
-&General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
-#ONLY RUN if /var/ipfire/outgoing exists
-if ( -d "/var/ipfire/outgoing"){
-	&process_groups;
-	&process_rules;
-	&process_p2p;
-}
-system("/usr/local/bin/forwardfwctrl");
-sub process_groups
-{
-	if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
-	if( -f "/var/log/converters/groups-convert.log"){rmtree("var/log/converters");}
-	open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
-	#IP Group processing
-	foreach my $group (@ipgroups){
-		my $now=localtime;
-		chomp $group;
-		print LOG "\n$now Processing IP-GROUP: $group...\n";
-		open (DATEI, "<$ipgrouppath/$group");
-		my @zeilen = <DATEI>;
-		foreach my $ip (@zeilen){
-			chomp($ip);
-			$ip =~ s/\s//gi;
-			print LOG "$now Check IP $ip from Group $group ";
-			my $val=&check_ip($ip);
-			if($val){
-				push(@hostarray,$val.",ip");
-				print LOG "$now -> OK\n";
-			}
-			else{
-				print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n";
-			}
-			$val='';
-		}
-		&new_hostgrp($group,'ip');
-		@hostarray=();
-	}
-	$group='';
-	@zeilen=();
-	@hostarray=();
-	#MAC Group processing
-	foreach my $group (@macgroups){
-		chomp $group;
-		print LOG "\nProcessing MAC-GROUP: $group...\n";
-		open (DATEI, "<$macgrouppath/$group");
-		my @zeilen = <DATEI>;
-		foreach my $mac (@zeilen){
-			chomp($mac);
-			$mac =~ s/\s//gi;
-			print LOG "$now Checking MAC $mac from group $group ";
-			#MAC checking
-			if(&General::validmac($mac)){
-				$val=$mac;
-			}
-			if($val){
-				push(@hostarray,$val.",mac");
-				print LOG "$now -> OK\n";
-			}
-			else{
-				print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n";
-			}
-			$val='';
-		}
-		&new_hostgrp($group,'mac');
-		@hostarray=();
-		@zeilen=();
-	}
-	close (LOG);
-}
-sub check_ip
-{
-	my $adr=shift;
-	my $a;
-	#ip with subnet in decimal
-	if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
-		$adr=int($1).".".int($2).".".int($3).".".int($4);
-		my $b = &General::iporsubtodec($5);
-		$a=$adr."/".$b;
-	}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
-		$adr=int($1).".".int($2).".".int($3).".".int($4);
-		if(&General::validip($adr)){
-			$a=$adr."/255.255.255.255";
-		}
-	}
-	if(&General::validipandmask($adr)){
-		$a=&General::iporsubtodec($adr);
-	}
-	return $a;
-}
-sub new_hostgrp
-{
-	&General::readhasharray($confighosts,\%hosts);
-	&General::readhasharray($confignets,\%nets);
-	&General::readhasharray($configgroups,\%groups);
-	my $grp=shift;
-	my $run=shift;
-	my $name; #"converted"
-	my $name2;
-	my $name3; #custom host/custom net
-	foreach my $adr (@hostarray){
-		if($run eq 'ip'){
-			my ($ip,$type) 			= split(",",$adr);
-			my ($ippart,$subnet) 	= split("/",$ip);
-			my ($byte1,$byte2,$byte3,$byte4) = split(/\./,$subnet);
-			if($byte4 eq '255'){
-				print LOG "Processing SINGLE HOST $ippart/$subnet from group $grp\n"; 
-				if(!&check_host($ip)){
-					my $key		= &General::findhasharraykey(\%hosts);
-					$name="host ";
-					$name2=$name.$ippart;
-					$name3="Custom Host";
-					$hosts{$key}[0]	= $name2;
-					$hosts{$key}[1]	= $type;
-					$hosts{$key}[2]	= $ip;
-					$hosts{$key}[3]	= '';
-					$hosts{$key}[4]	= 1;
-					print LOG "->Host (IP) $ip added to custom hosts\n"
-				}else{
-					print LOG "->Host (IP) $ip already exists in custom hosts\n";
-					$name="host ";
-					$name2=$name.$ippart;
-					foreach my $key (sort keys %hosts){
-						if($hosts{$key}[0] eq $name2){
-							$hosts{$key}[4]++;
-						}
-					}
-					$name="host ";
-					$name2=$name.$ippart;
-					$name3="Custom Host";
-				}
-			}elsif($byte4 < '255'){
-				print LOG "Processing NETWORK $ippart/$subnet from Group $grp\n";
-				if(!&check_net($ippart,$subnet)){
-					#Check if this network is one one of IPFire internal networks
-					if (($ownnet{'GREEN_NETADDRESS'} 		ne '' && $ownnet{'GREEN_NETADDRESS'} 	ne \
'0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'GREEN_NETADDRESS'},$ownnet{'GREEN_NETMASK'}))
                
-					{
-						$name2='GREEN';
-						$name3='Standard Network';
-					}elsif (($ownnet{'ORANGE_NETADDRESS'} 	ne '' && $ownnet{'ORANGE_NETADDRESS'}	ne \
'0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'ORANGE_NETADDRESS'},$ownnet{'ORANGE_NETMASK'}))
                
-					{
-						$name2='ORANGE';
-						$name3='Standard Network';
-					}elsif (($ownnet{'BLUE_NETADDRESS'} 	ne '' && $ownnet{'BLUE_NETADDRESS'} 	ne \
'0.0.0.0') && &General::IpInSubnet($ippart,$ownnet{'BLUE_NETADDRESS'},$ownnet{'BLUE_NETMASK'}))
                
-					{
-						$name2='BLUE';
-						$name3='Standard Network';
-					}elsif ($ippart eq '0.0.0.0')
-					{
-						$name2='ALL';
-						$name3='Standard Network';
-					}elsif(defined($ovpnSettings{'DOVPN_SUBNET'}) && \
                "$ippart/".&General::iporsubtodec($subnet) eq \
                $ovpnSettings{'DOVPN_SUBNET'})
-					{
-						$name2='OpenVPN-Dyn';
-						$name3='Standard Network';
-					}else{
-						my $netkey	=  &General::findhasharraykey(\%nets);
-						$name="net ";
-						$name2=$name.$ippart;
-						$name3="Custom Network";
-						$nets{$netkey}[0] = $name2;
-						$nets{$netkey}[1] = $ippart;
-						$nets{$netkey}[2] = $subnet;
-						$nets{$netkey}[3] = '';
-						$nets{$netkey}[4] = 1;
-						print LOG "->Network $ippart/$subnet added to custom networks\n";
-					}
-				}else{
-					print LOG "Network $ippart already exists in custom networks\n";
-					$name="net ";
-					$name2=$name.$ippart;
-					foreach my $key (sort keys %nets){
-						if($nets{$key}[0] eq $name2){
-							$nets{$key}[4]++;
-						}
-					}
-					$name="net ";
-					$name2=$name.$ippart;
-					$name3="Custom Network";
-				}
-			}
-			if($name2 && !&check_grp($grp,$name2)){
-				my $grpkey 	= &General::findhasharraykey(\%groups);
-				$groups{$grpkey}[0]	= $grp;
-				$groups{$grpkey}[1]	= '';
-				$groups{$grpkey}[2]	= $name2;
-				$groups{$grpkey}[3]	= $name3;
-				$groups{$grpkey}[4]	= 0;
-				print LOG "->$name2 added to group $grp\n";
-			}
-		}elsif($run eq 'mac'){
-			#MACRUN
-			my ($mac,$type) 			= split(",",$adr);
-			print LOG "Processing HOST (MAC) $mac\n";
-			if(!&check_host($mac)){
-				my $key		= &General::findhasharraykey(\%hosts);
-				$name="host ";
-				$name2=$name.$mac;
-				$name3="Custom Host";
-				$hosts{$key}[0]	= $name2;
-				$hosts{$key}[1]	= $type;
-				$hosts{$key}[2]	= $mac;
-				$hosts{$key}[3]	= '';
-				$hosts{$key}[4]	= 1;
-				print LOG "->Host (MAC) $mac added to custom hosts\n";
-			}else{
-				print LOG "->Host (MAC) $mac already exists in custom hosts \n";
-				$name="host ";
-				$name2=$name.$mac;
-				foreach my $key (sort keys %hosts){
-					if($hosts{$key}[0] eq $name2){
-						$hosts{$key}[4]++;
-					}
-				}
-				$name="host ";
-				$name2=$name.$mac;
-				$name3="Custom Host";
-			}
-			if($name2 && !&check_grp($grp,$name2)){
-				my $grpkey 	= &General::findhasharraykey(\%groups);
-				$groups{$grpkey}[0]	= $grp;
-				$groups{$grpkey}[1]	= '';
-				$groups{$grpkey}[2]	= $name2;
-				$groups{$grpkey}[3]	= $name3;
-				$groups{$grpkey}[4]	= 0;
-				print LOG "->$name2 added to group $grp\n";
-			}
-		}
-	}
-	@hostarray=();
-	&General::writehasharray($confighosts,\%hosts);
-	&General::writehasharray($configgroups,\%groups);
-	&General::writehasharray($confignets,\%nets);
-
-}
-sub check_host
-{
-	my $ip=shift;
-	foreach my $key (sort keys %hosts)
-	{
-		if($hosts{$key}[2] eq $ip)
-		{
-			return 1;
-		}
-	}
-	return 0;
-}
-sub check_net
-{
-	my $ip=shift;
-	my $sub=shift;
-	foreach my $key (sort keys %nets)
-	{
-		if($nets{$key}[1] eq $ip && $nets{$key}[2] eq $sub)
-		{
-			return 1;
-		}
-	}
-	return 0;
-}
-sub check_grp
-{
-	my $grp=shift;
-	my $value=shift;
-	foreach my $key (sort keys %groups)
-	{
-		if($groups{$key}[0] eq $grp && $groups{$key}[2] eq $value)
-		{
-			return 1;
-		}
-	}
-	return 0;
-}
-sub process_rules
-{
-	my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$re \
mark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
                
-	#open LOG
-	if( -f "/var/log/converters/outgoingfw-convert.log"){unlink \
                ("/var/log/converters/outgoingfw-convert.log");}
-	open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
-
-	&General::readhash($fwdfwsettings,\%fwdsettings);
-	if ($outsettings{'POLICY'} eq 'MODE1'){
-		$fwdsettings{'POLICY'}='MODE1';
-		$fwdsettings{'POLICY1'}='MODE2';
-		$type='ALLOW';
-		$action='ACCEPT';
-	}else{
-		$fwdsettings{'POLICY'}='MODE2';
-		$fwdsettings{'POLICY1'}='MODE2';
-		$type='DENY';
-		$action='DROP';
-	}
-	&General::writehash($fwdfwsettings,\%fwdsettings);
-	open (DATEI, "<$outgoingrules");
-	my @lines = <DATEI>;
-	foreach my $rule (@lines)
-	{
-		my $now=localtime;
-		chomp($rule);
-		$port='';
-		print LOG "$now processing: $rule\n";
-		my @configline=();
-		@configline = split( /\;/, $rule );
-		my @prot=();
-		if($configline[0] eq $type){
-			#some variables we can use from old config
-			if($configline[1] eq 'on'){ $active='ON';}else{$active='';}
-			if($configline[3] eq 'all' && $configline[8] ne ''){ 
-				push(@prot,"TCP");
-				push(@prot,"UDP");
-			}elsif($configline[3] eq 'all' && $configline[8] eq ''){
-				push(@prot,"");
-			}else{
-				push(@prot,$configline[3]);
-			}
-			if($configline[4] ne ''){ 
-				$configline[4] =~ s/,/;/g;
-				$remark = $configline[4];
-			}else{$remark = '';}
-			if($configline[9] eq 'Active'){ $log='ON';}else{$log='';}
-			if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' \
&& $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && \
                $configline[16] eq 'on'){
-				if($configline[17] eq '00:00' && $configline[18] eq '00:00'){
-					$time='';
-				}else{
-					$time='ON';					
-				}
-			}else{
-				$time='ON';	
-			} 
-			$time_mon=$configline[10];
-			$time_tue=$configline[11];
-			$time_wed=$configline[12];
-			$time_thu=$configline[13];
-			$time_fri=$configline[14];
-			$time_sat=$configline[15];
-			$time_sun=$configline[16];
-			$time_from=$configline[17];
-			$time_to=$configline[18];
-			############################################################
-			#sourcepart			
-			if ($configline[2] eq 'green') {
-				$grp1='std_net_src';
-				$source='GREEN';
-			}elsif ($configline[2] eq 'orange') {
-				$grp1='std_net_src';
-				$source='ORANGE';
-			}elsif ($configline[2] eq 'red') {
-				$grp1='std_net_src';
-				$source='IPFire';
-				&General::readhash($fwdfwsettings,\%fwdsettings);
-				$fwdsettings{'POLICY1'}=$outsettings{'POLICY'};
-				$fwdsettings{'POLICY'}=$outsettings{'POLICY'};
-				&General::writehash($fwdfwsettings,\%fwdsettings);
-			}elsif ($configline[2] eq 'blue') {
-				$grp1='std_net_src';
-				$source='BLUE';
-			}elsif ($configline[2] eq 'ipsec') {
-				print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire \
                2.7 \n";
-				next;
-			}elsif ($configline[2] eq 'ovpn') {
-				print LOG "$now ->Creating networks/groups for OpenVPN...\n";
-				&build_ovpn_grp;		
-				$grp1='cust_grp_src';
-				$source='ovpn'		
-			}elsif ($configline[2] eq 'ip') {
-				my $z=&check_ip($configline[5]);
-				if($z){
-					my ($ipa,$subn) = split("/",$z);
-					$subn=&General::iporsubtocidr($subn);
-					$grp1='src_addr';
-					$source="$ipa/$subn";
-				}else{
-					print LOG "$now -> Rule not converted, missing/invalid source ip \
                \"$configline[5]\"\n";
-					next;
-				}
-			}elsif ($configline[2] eq 'mac') {
-				if(&General::validmac($configline[6])){
-					$grp1='src_addr';
-					$source=$configline[6];
-				}else{
-					print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";
-					next;
-				}
-			}elsif ($configline[2] eq 'all') {
-				$grp1='std_net_src';
-				$source='ALL';
-			}else{
-				foreach my $key (sort keys %groups){
-					if($groups{$key}[0] eq $configline[2]){
-						$grp1='cust_grp_src';
-						$source=$configline[2];
-					}
-				}
-				if ($grp1 eq '' || $source eq ''){
-					print LOG "$now -> Rule not converted, no valid source recognised\n";
-				}
-			}
-			############################################################
-			#destinationpart
-			if($configline[7] ne ''){
-				my $address=&check_ip($configline[7]);
-				 if($address){
-					 my ($dip,$dsub) = split("/",$address);
-					 $dsub=&General::iporsubtocidr($dsub);
-					 $grp2='tgt_addr';
-					 $target="$dip/$dsub";
-				 }elsif(!$address){
-					my $getwebsiteip=&get_ip_from_domain($configline[7]);
-					if ($getwebsiteip){
-						$grp2='tgt_addr';
-						$target=$getwebsiteip;	
-						$remark.=" $configline[7]";
-					}else{
-						print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n";
-						next;
-					}
-				 }
-			}else{
-				$grp2='std_net_tgt';
-				$target='ALL';
-			}
-			if($configline[8] ne '' && $configline[3] ne 'gre' && $configline[3] ne 'esp'){
-				my @values=();
-				my @parts=split(",",$configline[8]);
-				foreach (@parts){
-					$_=~ tr/-/:/;
-					if (!($_ =~ /^(\d+)\:(\d+)$/)) {
-						if(&General::validport($_)){
-							$useport='ON';	
-							push (@values,$_);
-							$grp3='TGT_PORT';
-						}else{
-							print LOG "$now -> Rule not converted, invalid destination Port \
                \"$configline[8]\"\n";
-							next;
-						}
-					 }else{
-						my ($a1,$a2) = split(/\:/,$_);
-						if (&General::validport($a1) && &General::validport($a2) && $a1 < $a2){
-							$useport='ON';	
-							push (@values,"$a1:$a2");
-							$grp3='TGT_PORT';
-						}else{
-							print LOG "$now -> Rule not converted, invalid destination Port \
                \"$configline[8]\"\n"; 
-							next;
-						} 
-					 }
-				 }
-				$port=join("|", at values);
-				@values=();
-				@parts=();
-			}
-		}else{
-			print LOG "-> Rule not converted because not for Firewall mode \
                $outsettings{'POLICY'} (we are only converting for actual mode)\n";
-		}
-		&General::readhasharray($fwdfwconfig,\%fwconfig);
-		&General::readhasharray($outfwconfig,\%fwconfigout);
-		my $check;
-		my $chain;
-		foreach my $protocol (@prot){
-			my $now=localtime;
-			if ($source eq 'IPFire'){
-				$chain='OUTGOINGFW';
-			}else{
-				$chain='FORWARDFW';
-			}
-			$protocol=uc($protocol);
-			print LOG "$now -> Converted: \
$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port \
,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
                
-			#Put rules into system....
-			###########################
-			#check for double rules
-			foreach my $key (sort keys %fwconfig){
-				if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$g \
rp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to"
                
-					eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3], \
$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwco \
nfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{ \
$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[ \
21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){
                
-						$check='on';
-						next;
-				}
-			}
-			if($check ne 'on'){
-				#increase groupcounter
-				my $check1;
-				if($grp1 eq 'cust_grp_src'){
-					foreach my $key (sort keys %groups){
-						if($groups{$key}[0] eq $source){
-							$groups{$key}[4]++;
-							$check1='on'; 
-						}
-					}
-					if($check1 eq 'on'){
-						&General::writehasharray($configgroups,\%groups);
-					}
-				}
-				if ($chain eq 'FORWARDFW'){
-					my $key = &General::findhasharraykey(\%fwconfig);
-					$fwconfig{$key}[0]	= $action;
-					$fwconfig{$key}[1] 	= $chain;
-					$fwconfig{$key}[2] 	= $active;
-					$fwconfig{$key}[3] 	= $grp1;
-					$fwconfig{$key}[4] 	= $source;
-					$fwconfig{$key}[5] 	= $grp2;
-					$fwconfig{$key}[6] 	= $target;
-					$fwconfig{$key}[11] = $useport;
-					$fwconfig{$key}[12] = $protocol;
-					$fwconfig{$key}[14] = $grp3;
-					$fwconfig{$key}[15] = $port;
-					$fwconfig{$key}[16] = $remark;
-					$fwconfig{$key}[17] = $log;
-					$fwconfig{$key}[18] = $time;
-					$fwconfig{$key}[19] = $time_mon;
-					$fwconfig{$key}[20] = $time_tue;
-					$fwconfig{$key}[21] = $time_wed;
-					$fwconfig{$key}[22] = $time_thu;
-					$fwconfig{$key}[23] = $time_fri;
-					$fwconfig{$key}[24] = $time_sat;
-					$fwconfig{$key}[25] = $time_sun;
-					$fwconfig{$key}[26] = $time_from;
-					$fwconfig{$key}[27] = $time_to;
-					$fwconfig{$key}[28] = '';
-					$fwconfig{$key}[29] = 'ALL';
-					$fwconfig{$key}[30] = '';
-					$fwconfig{$key}[31] = 'dnat';
-				}else{
-					my $key = &General::findhasharraykey(\%fwconfigout);
-					$fwconfigout{$key}[0]	= $action;
-					$fwconfigout{$key}[1]	= $chain;
-					$fwconfigout{$key}[2]	= $active;
-					$fwconfigout{$key}[3] 	= $grp1;
-					$fwconfigout{$key}[4] 	= $source;
-					$fwconfigout{$key}[5] 	= $grp2;
-					$fwconfigout{$key}[6] 	= $target;
-					$fwconfigout{$key}[11] 	= $useport;
-					$fwconfigout{$key}[12] 	= $protocol;
-					$fwconfigout{$key}[14] 	= $grp3;
-					$fwconfigout{$key}[15] 	= $port;
-					$fwconfigout{$key}[16] 	= $remark;
-					$fwconfigout{$key}[17] 	= $log;
-					$fwconfigout{$key}[18] 	= $time;
-					$fwconfigout{$key}[19] 	= $time_mon;
-					$fwconfigout{$key}[20] 	= $time_tue;
-					$fwconfigout{$key}[21] 	= $time_wed;
-					$fwconfigout{$key}[22] 	= $time_thu;
-					$fwconfigout{$key}[23] 	= $time_fri;
-					$fwconfigout{$key}[24] 	= $time_sat;
-					$fwconfigout{$key}[25] 	= $time_sun;
-					$fwconfigout{$key}[26] 	= $time_from;
-					$fwconfigout{$key}[27] 	= $time_to;
-					$fwconfigout{$key}[28]  = '';
-					$fwconfigout{$key}[29]  = 'ALL';
-					$fwconfigout{$key}[30]  = '';
-					$fwconfigout{$key}[31]  = 'dnat';
-				}
-				&General::writehasharray($fwdfwconfig,\%fwconfig);
-				&General::writehasharray($outfwconfig,\%fwconfigout);
-			}
-		}
-		@prot=();
-	}
-	close(LOG);
-	@lines=();
-}
-sub get_ip_from_domain
-{
-	$web=shift;
-	my $resolvedip;
-	my $checked;
-	my ($name,$aliases,$addrtype,$length, at addrs) = gethostbyname($web);
-	if(@addrs){
-		$resolvedip=inet_ntoa($addrs[0]);
-		return $resolvedip;
-	}
-	return;
-}
-sub build_ovpn_grp
-{
-	my $now=localtime;
-	&General::readhasharray($confighosts,\%hosts);
-	&General::readhasharray($confignets,\%nets);
-	&General::readhasharray($configgroups,\%groups);
-	&General::readhasharray($ovpnconfig,\%configovpn);
-	&General::readhasharray($ccdconfig,\%ccdconf);
-	&General::readhash($ovpnsettings,\%settingsovpn);
-	#get ovpn nets
-	my @ovpnnets=();
-	if($settingsovpn{'DOVPN_SUBNET'}){
-		my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
-		push (@ovpnnets,"$net,$subnet,dynamic");
-		print LOG "$now ->found dynamic OpenVPN net\n"; 
-	}
-	foreach my $key (sort keys %ccdconf){
-		my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
-		$subnet=&General::iporsubtodec($subnet);
-		push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
-		print LOG "$now ->found OpenVPN static net $net/$subnet\n";
-	}
-	foreach my $key (sort keys %configovpn){
-		if ($configovpn{$key}[3] eq 'net'){
-			my ($net,$subnet)=split("/",$configovpn{$key}[27]);
-			push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
-			print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
-		}
-	}
-	#add ovpn nets to customnetworks/groups
-	foreach my $line (@ovpnnets){
-		my $now=localtime;
-		my ($net,$subnet,$name) = split(",",$line);
-		if (!&check_net($net,$subnet)){
-			my $netkey	=  &General::findhasharraykey(\%nets);
-			$name2=$name."(ovpn)".$net;
-			$name3="Custom Network";
-			$nets{$netkey}[0] = $name2;
-			$nets{$netkey}[1] = $net;
-			$nets{$netkey}[2] = $subnet;
-			$nets{$netkey}[3] = '';
-			$nets{$netkey}[4] = 1;
-			print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
-		}else{
-			print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can \
                ignore this, if this run was manual from shell)\n"; 
-		}
-		if($name2){
-			my $grpkey 	= &General::findhasharraykey(\%groups);
-			$groups{$grpkey}[0]	= "ovpn";
-			$groups{$grpkey}[1]	= '';
-			$groups{$grpkey}[2]	= $name2;
-			$groups{$grpkey}[3]	= "Custom Network";
-			$groups{$grpkey}[4]	= 0;
-			print LOG "$now ->added $name2 to customgroup ovpn\n";
-		}
-		$name2='';
-	}
-	@ovpnnets=();
-	&General::writehasharray($confighosts,\%hosts);
-	&General::writehasharray($configgroups,\%groups);
-	&General::writehasharray($confignets,\%nets);
-	print LOG "$now ->finished OVPN\n";
-}
-sub process_p2p
-{
-	copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/forward/p2protocols");
-	chmod oct('0777'), '/var/ipfire/forward/p2protocols';
-}
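Review bot: In the removed process_rules of convert-outgoingfw, the `next` that follows "Rule not converted, invalid destination Port" sits inside `foreach (@parts)`, so it skips only that port entry and not the rule. The log says the rule was not converted, but it is still written with whatever ports remain, or with an empty `$port` if none were valid, while `$useport` and `$grp3` keep their values from the previous rule. The unrecognised-source branch has the same shape: there is no `next`, and `$grp1` and `$source` are declared once per sub, so they carry over from the previous rule and the `eq ''` check does not fire. If any of this logic is kept elsewhere, label the outer loop and use `next RULE`, and reset the per-rule variables at the top of each iteration. Two further points: process_p2p sets `chmod oct('0777')` on forward/p2protocols, which leaves a firewall config file world-writable, and `rmtree("var/log/converters")` in process_groups is a relative path that removes the whole directory just before the log is opened inside it.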
diff --git a/config/forwardfw/convert-portfw b/config/forwardfw/convert-portfw
deleted file mode 100755
index a37383e..0000000
--- a/config/forwardfw/convert-portfw
+++ /dev/null
@@ -1,158 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-#                                                                             #
-# This script converts old portforwarding rules from old Firewall             #
-# to the new one. This is a 3-step process.                                   #
-# STEP1: read old config and normalize settings                               #
-# STEP2: create new rules from old ones                                       #
-# STEP3: check if rule already exists, when not, put it into                  #
-#        /var/ipfire/forward/nat                                              #
-###############################################################################
-require '/var/ipfire/general-functions.pl';
-my @values=();
-my @built_rules=();
-my %nat=();
-my $portfwconfig 	= "${General::swroot}/portfw/config";
-my $confignat 		= "${General::swroot}/forward/config";
-my ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark);
                
-my ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1);
                
-my $count=0;
-my $jump;
-if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
-open(FILE, $portfwconfig) or die 'Unable to open config file.';
-my @current = <FILE>;
-close(FILE);
-open (LOG, ">/var/log/converters/portfw-convert.log") or die $!;
-open(ALIAS, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases \
                file.';
-my @alias = <ALIAS>;
-close(ALIAS);
-&get_config;
-&build_rules;
-&write_rules;
-sub get_config
-{
-	print LOG "STEP 1:   Get config from old \
                portforward\n#########################################\n";
-	foreach my $line (@current){
-		if($jump eq '1'){
-			$jump='';
-			$count++;
-			next;
-		}
-		my $u=$count+1;
-		($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) \
                = split(",",$line);
-		($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) \
                = split(",",$current[$u]);
-		if ($flag1 eq '1'){
-			$source=$source1;
-			$jump='1';
-		}
-		my $now=localtime;
-		chomp($remark);
-		print LOG "$now   processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: \
$ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias \
                SOURCE: $source REM: $remark Doublerule: $jump\n";
-		push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark);
                
-		$count++;
-	}
-}
-sub build_rules
-{
-	print LOG "\nSTEP 2: Convert old portforwardrules in a useable \
                format\n########################################################\n";
-	my $src;
-	my $src1;
-	my $ipfireip;
-	my $count=0;
-	my $stop;
-	#build rules for new firewall
-	foreach my $line (@values){
-		chomp ($line);
-		($prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark)=split(",",$line);
                
-		$count++;
-		#get sourcepart
-		if($source eq '0.0.0.0/0'){
-			$src  = 'std_net_src';
-			$src1 = 'ALL';
-		}else{
-			$src  = 'src_addr';
-			my ($a,$b) = split("/",$source);
-			$src1 = $a."/32";
-		}
-		#get ipfire ip
-		if($alias eq '0.0.0.0'){
-			$alias='ALL';
-		}else{
-			foreach my $ali (@alias){
-				my ($alias_ip,$alias_active,$alias_name) = split (",",$ali);
-				if($alias eq $alias_ip){
-					chomp($alias_name);
-					$alias=$alias_name;
-				}
-			}
-		}
-		$active = uc $active;
-		$prot   = uc $prot;
-		chomp($remark);
-		push (@built_rules,"ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat");
                
-		my $now=localtime;
-		print LOG "$now    Converted-> KEY: $count \
ACCEPT,FORWARDFW,$active,$src,$src1,tgt_addr,$target/32,ON,$prot,,TGT_PORT,$targetport,$remark,00:00,00:00,ON,$alias,$ipfireport,dnat\n";
                
-	}
-}
-sub write_rules
-{
-	my $skip='';
-	my $id;
-	print LOG "\nSTEP 3: Create DNAT rules in new \
                firewall\n#########################################\n";
-	&General::readhasharray($confignat,\%nat);
-	foreach my $line (@built_rules){
-		$skip='';
-		my ($action,$chain,$active,$src,$src1,$tgt,$tgt1,$use_prot,$prot,$dummy,$tgt_port,$tgt_port1,$remark,$from,$to,$use_port,$alias,$ipfireport,$dnat) \
                = split (",",$line);
-		foreach my $key (sort keys %nat){
-			if ($line eq "$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4 \
],$nat{$key}[5],$nat{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[ \
14],$nat{$key}[15],$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31]"){
                
-				my $now=localtime;
-				print LOG "$now         SKIP->  Rule  \
$nat{$key}[0],$nat{$key}[1],$nat{$key}[2],$nat{$key}[3],$nat{$key}[4],$nat{$key}[5],$n \
at{$key}[6],$nat{$key}[11],$nat{$key}[12],$nat{$key}[13],$nat{$key}[14],$nat{$key}[15] \
,$nat{$key}[16],$nat{$key}[26],$nat{$key}[27],$nat{$key}[28],$nat{$key}[29],$nat{$key}[30],$nat{$key}[31] \
                ->EXISTS\n";
-				$skip='1';
-			}
-		}
-		if ($skip ne '1'){
-			$id = &General::findhasharraykey(\%nat);
-			$nat{$id}[0]  = $action;
-			$nat{$id}[1]  = $chain;
-			$nat{$id}[2]  = $active;
-			$nat{$id}[3]  = $src;
-			$nat{$id}[4]  = $src1;
-			$nat{$id}[5]  = $tgt;
-			$nat{$id}[6]  = $tgt1;
-			$nat{$id}[11] = $use_prot;
-			$nat{$id}[12] = $prot;
-			$nat{$id}[13] = $dummy;
-			$nat{$id}[14] = $tgt_port;
-			$nat{$id}[15] = $tgt_port1;
-			$nat{$id}[16] = $remark;
-			$nat{$id}[26] = $from;
-			$nat{$id}[27] = $to;
-			$nat{$id}[28] = $use_port;
-			$nat{$id}[29] = $alias;
-			$nat{$id}[30] = $ipfireport;
-			$nat{$id}[31] = $dnat;
-			my $now=localtime;
-			print LOG "$now     NEW RULE->  Rule  \
$nat{$id}[0],$nat{$id}[1],$nat{$id}[2],$nat{$id}[3],$nat{$id}[4],$nat{$id}[5],$nat{$id \
}[6],$nat{$id}[11],$nat{$id}[12],$nat{$id}[13],$nat{$id}[14],$nat{$id}[15],$nat{$id}[1 \
6],$nat{$id}[26],$nat{$id}[27],$nat{$id}[28],$nat{$id}[29],$nat{$id}[30],$nat{$id}[31]\n";
                
-		}
-	}
-	&General::writehasharray($confignat,\%nat);
-}
-close (LOG);
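Review bot: In build_rules, the non-default source branch (`my ($a,$b) = split("/",$source); $src1 = $a."/32";`) discards the prefix length, so an old port forward whose source was written with a mask is converted into a rule for one /32 host built from the network address. If this converter is kept anywhere after its removal from config/forwardfw, pass a source that already carries a mask through unchanged and append /32 only to bare addresses, which is what the source check in convert-xtaccess does. A smaller point in get_config: `$current[$u]` is read one element past the end of @current on the last line, and `$jump` is compared before it is ever assigned; both only work because the script runs without strict and warnings.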
diff --git a/config/forwardfw/convert-xtaccess b/config/forwardfw/convert-xtaccess
deleted file mode 100755
index d86c445..0000000
--- a/config/forwardfw/convert-xtaccess
+++ /dev/null
@@ -1,141 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-#                                                                             #
-#This script converts old xtaccess rules to new firewall                      #
-#Logfiles are created under /var/log/converters                               #
-#                                                                             #
-###############################################################################
-my @current=();
-my @alias=();
-my %configinputfw=();
-require '/var/ipfire/general-functions.pl';
-my $xtaccessconfig 	= "${General::swroot}/xtaccess/config";
-my $inputfwconfig = "${General::swroot}/forward/input";
-my $aliasconfig 	= "${General::swroot}/ethernet/aliases";
-my $field0='ACCEPT';
-my $field1='INPUTFW';
-my $field2=''; #ON or emtpy
-my $field3=''; #std_net_src or src_addr
-my $field4=''; #ALL or IP-Address with /32
-my $field5='ipfire';
-my $field6=''; #Default IP or alias name
-my $field11='ON'; #use target port 
-my $field12=''; #TCP or UDP
-my $field13='All ICMP-Types';
-my $field14='TGT_PORT';
-my $field15=''; #Port Number
-my $field16=''; #remark
-my $field26='00:00';
-my $field27='00:00';
-my $field28 = '';
-my $field29 = 'ALL';
-my $field30 = '';
-my $field31 = 'dnat';
-open(FILE, $xtaccessconfig) or die 'Unable to open config file.';
-my @current = <FILE>;
-close(FILE);
-open(FILE1, $aliasconfig) or die 'Unable to open config file.';
-my @alias = <FILE1>;
-close(FILE1);
-&General::readhasharray($inputfwconfig,\%configinputfw);
-
-foreach my $line (@current){
-	my ($a,$b,$c,$d,$e,$f) = split (",",$line);
-	$e =~ s/\R//g;
-	if ($f gt ''){
-		$f =~ s/\R//g;
-		$field16=$f;
-	}
-	#active or not
-	$field2=uc($d);
-	#get protocol
-	if ($a eq 'tcp'){ $field12 ='TCP';}else{$field12='UDP';}
-	#check source address
-	if ($b eq '0.0.0.0/0'){
-		$field3='std_net_src';
-		$field4='ALL';
-	}elsif($b =~/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
-		$field3='src_addr';
-		$field4=$b."/32";
-	}elsif ($b =~ /^(.*?)\/(.*?)$/) {
-		$field3='src_addr';
-		$field4=$b;
-	}else{
-		print "Regel konnte nicht konvertiert werden!\n";
-	}
-	#check ipfire address
-	if ($e eq '0.0.0.0'){ 
-		$field6 = 'RED1';
-	}else{
-		foreach my $line (@alias){
-			my ($ip,$state,$aliasname) = split (",",$line);
-			if ($ip eq $e){
-				$aliasname =~ s/\R//g; 
-				$field6 = $aliasname;
-			}
-		}
-	}
-	#get target port
-	$c=~ s/\R//g;
-	$c=~ tr/-/:/;
-	if ($c =~ /^(\D)\:(\d+)$/) {
-		$c = "1:$2";
-	}
-	if ($c =~ /^(\d+)\:(\D)$/) {
-		$c = "$1:65535";
-	}
-	$field15=$c;
-	my $key = &General::findhasharraykey (\%configinputfw);
-	foreach my $i (0 .. 31) { $configinputfw{$key}[$i] = "";}
-	$configinputfw{$key}[0] = $field0;
-	$configinputfw{$key}[1] = $field1;
-	$configinputfw{$key}[2] = $field2;
-	$configinputfw{$key}[3] = $field3;
-	$configinputfw{$key}[4] = $field4;
-	$configinputfw{$key}[5] = $field5;
-	$configinputfw{$key}[6] = $field6;
-	$configinputfw{$key}[7] = '';
-	$configinputfw{$key}[8] = '';
-	$configinputfw{$key}[9] = '';
-	$configinputfw{$key}[10] = '';
-	$configinputfw{$key}[11] = $field11;
-	$configinputfw{$key}[12] = $field12;
-	$configinputfw{$key}[13] = $field13;
-	$configinputfw{$key}[14] = $field14;
-	$configinputfw{$key}[15] = $field15;
-	$configinputfw{$key}[16] = $field16;
-	$configinputfw{$key}[17] = '';
-	$configinputfw{$key}[18] = '';
-	$configinputfw{$key}[19] = '';
-	$configinputfw{$key}[20] = '';
-	$configinputfw{$key}[21] = '';
-	$configinputfw{$key}[22] = '';
-	$configinputfw{$key}[23] = '';
-	$configinputfw{$key}[24] = '';
-	$configinputfw{$key}[25] = '';
-	$configinputfw{$key}[26] = $field26;
-	$configinputfw{$key}[27] = $field27;
-	$configinputfw{$key}[28] = $field28;
-	$configinputfw{$key}[29] = $field29;
-	$configinputfw{$key}[30] = $field30;
-	$configinputfw{$key}[31] = $field31;
-	&General::writehasharray($inputfwconfig,\%configinputfw);
-}
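Review bot: The else branch of the source check, the one that prints "Regel konnte nicht konvertiert werden!", does not skip the entry, so the rule is still written to forward/input with whatever $field3 and $field4 the previous line left behind, which can be std_net_src/ALL. If this script is carried over to another location, add `next;` in that branch and reset the per-rule fields ($field3, $field4, $field6, $field16) at the top of the loop; $field16 is only assigned when a remark is present, so a rule without one inherits the previous rule's remark, and $field6 keeps its old value when no alias matches. Two further points: the protocol test maps everything that is not 'tcp' to UDP, and `&General::writehasharray` runs once per input line instead of once after the loop. The error message should also be in English like the rest of the output.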
diff --git a/config/forwardfw/firewall-lib.pl b/config/forwardfw/firewall-lib.pl
deleted file mode 100755
index f1e8403..0000000
--- a/config/forwardfw/firewall-lib.pl
+++ /dev/null
@@ -1,256 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-
-use strict;
-no warnings 'uninitialized';
-
-package fwlib;
-
-my %customnetwork=();
-my %customhost=();
-my %customgrp=();
-my %customservice=();
-my %customservicegrp=();
-my %ccdnet=();
-my %ccdhost=();
-my %ipsecconf=();
-my %ipsecsettings=();
-my %netsettings=();
-my %ovpnsettings=();
-
-require '/var/ipfire/general-functions.pl';
-
-my $confignet		= "${General::swroot}/fwhosts/customnetworks";
-my $confighost		= "${General::swroot}/fwhosts/customhosts";
-my $configgrp 		= "${General::swroot}/fwhosts/customgroups";
-my $configsrv 		= "${General::swroot}/fwhosts/customservices";
-my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
-my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
-my $configccdhost	= "${General::swroot}/ovpn/ovpnconfig";
-my $configipsec		= "${General::swroot}/vpn/config";
-my $configovpn		= "${General::swroot}/ovpn/settings";
-my $val;
-my $field;
-
-&General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
-&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
-&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
-
-
-&General::readhasharray("$confignet", \%customnetwork);
-&General::readhasharray("$confighost", \%customhost);
-&General::readhasharray("$configgrp", \%customgrp);
-&General::readhasharray("$configccdnet", \%ccdnet);
-&General::readhasharray("$configccdhost", \%ccdhost);
-&General::readhasharray("$configipsec", \%ipsecconf);
-&General::readhasharray("$configsrv", \%customservice);
-&General::readhasharray("$configsrvgrp", \%customservicegrp);
-
-sub get_srv_prot
-{
-	my $val=shift;
-	foreach my $key (sort {$a <=> $b} keys %customservice){
-		if($customservice{$key}[0] eq $val){
-			if ($customservice{$key}[0] eq $val){
-				return $customservice{$key}[2];
-			}
-		}
-	}
-}
-sub get_srvgrp_prot
-{
-	my $val=shift;
-	my @ips=();
-	my $tcp;
-	my $udp;
-	my $icmp;
-	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
-		if($customservicegrp{$key}[0] eq $val){
-			if (&get_srv_prot($customservicegrp{$key}[2]) eq 'TCP'){ 
-				$tcp=1;
-			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'UDP'){ 
-				$udp=1;
-			}elsif(&get_srv_prot($customservicegrp{$key}[2]) eq 'ICMP'){
-				$icmp=1;
-			} 
-		}
-	}
-	if ($tcp eq '1'){push (@ips,'TCP');}
-	if ($udp eq '1'){push (@ips,'UDP');}
-	if ($icmp eq '1'){push (@ips,'ICMP');}
-	my $back=join(",", at ips);
-	return $back;
-	
-}
-
-
-sub get_srv_port
-{
-	my $val=shift;
-	my $field=shift;
-	my $prot=shift;
-	foreach my $key (sort {$a <=> $b} keys %customservice){
-		if($customservice{$key}[0] eq $val){
-			if($customservice{$key}[2] eq $prot){
-				return $customservice{$key}[$field];
-			}
-		}
-	}
-}
-sub get_srvgrp_port
-{
-	my $val=shift;
-	my $prot=shift;
-	my $back;
-	my $value;
-	my @ips=();
-	foreach my $key (sort {$a <=> $b} keys %customservicegrp){
-		if($customservicegrp{$key}[0] eq $val){
-			if ($prot ne 'ICMP'){
-				$value=&get_srv_port($customservicegrp{$key}[2],1,$prot);
-			}elsif ($prot eq 'ICMP'){
-				$value=&get_srv_port($customservicegrp{$key}[2],3,$prot);
-			}
-			push (@ips,$value) if ($value ne '') ;
-		}
-	}
-	if($prot ne 'ICMP'){
-		if ($#ips gt 0){$back="-m multiport --dports ";}else{$back="--dport ";}
-	}elsif ($prot eq 'ICMP'){
-		$back="--icmp-type ";
-	}
-	
-	$back.=join(",", at ips);
-	return $back;
-}
-sub get_ipsec_net_ip
-{
-	my $val=shift;
-	my $field=shift;
-	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
-		if($ipsecconf{$key}[1] eq $val){
-			return $ipsecconf{$key}[$field];
-		}
-	}
-}
-sub get_ipsec_host_ip
-{
-	my $val=shift;
-	my $field=shift;
-	foreach my $key (sort {$a <=> $b} keys %ipsecconf){
-		if($ipsecconf{$key}[1] eq $val){
-			return $ipsecconf{$key}[$field];
-		}
-	}
-}
-sub get_ovpn_n2n_ip
-{
-	my $val=shift;
-	my $field=shift;
-	foreach my $key (sort {$a <=> $b} keys %ccdhost){
-		if($ccdhost{$key}[1] eq $val){
-			return $ccdhost{$key}[$field];
-		}
-	}
-}
-sub get_ovpn_host_ip
-{
-	my $val=shift;
-	my $field=shift;
-	foreach my $key (sort {$a <=> $b} keys %ccdhost){
-		if($ccdhost{$key}[1] eq $val){
-			return $ccdhost{$key}[$field];
-		}
-	}
-}
-sub get_ovpn_net_ip
-{
-	
-	my $val=shift;
-	my $field=shift;
-	foreach my $key (sort {$a <=> $b} keys %ccdnet){
-		if($ccdnet{$key}[0] eq $val){
-			return $ccdnet{$key}[$field];
-		}
-	}
-}
-sub get_grp_ip
-{
-	my $val=shift;
-	my $src=shift;
-	foreach my $key (sort {$a <=> $b} keys %customgrp){
-		if ($customgrp{$key}[0] eq $val){
-			&get_address($customgrp{$key}[3],$src);
-		}
-	}		
-	
-}
-sub get_std_net_ip
-{
-	my $val=shift;
-	my $con=shift;
-	if ($val eq 'ALL'){
-		return "0.0.0.0/0.0.0.0";
-	}elsif($val eq 'GREEN'){
-		return "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
-	}elsif($val eq 'ORANGE'){
-		return "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}";
-	}elsif($val eq 'BLUE'){
-		return "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
-	}elsif($val eq 'RED'){
-		return "0.0.0.0/0 -o $con";
-	}elsif($val =~ /OpenVPN/i){
-		return "$ovpnsettings{'DOVPN_SUBNET'}";
-	}elsif($val =~ /IPsec/i){
-		return "$ipsecsettings{'RW_NET'}";
-	}elsif($val eq 'IPFire'){
-		return ;
-	}
-}
-sub get_net_ip
-{
-	my $val=shift;
-	foreach my $key (sort {$a <=> $b} keys %customnetwork){
-		if($customnetwork{$key}[0] eq $val){
-			return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
-		}  
-	}
-}
-sub get_host_ip
-{
-	my $val=shift;
-	my $src=shift;
-	foreach my $key (sort {$a <=> $b} keys %customhost){
-		if($customhost{$key}[0] eq $val){
-			if ($customhost{$key}[1] eq 'mac' && $src eq 'src'){
-			return "-m mac --mac-source $customhost{$key}[2]";
-			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'src'){
-				return "$customhost{$key}[2]";
-			}elsif($customhost{$key}[1] eq 'ip' && $src eq 'tgt'){
-				return "$customhost{$key}[2]";
-			}elsif($customhost{$key}[1] eq 'mac' && $src eq 'tgt'){
-				return "none";
-			}
-		}  
-	}
-}
-
-return 1;
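Review bot: get_grp_ip calls `&get_address($customgrp{$key}[3],$src);`, but this file declares `package fwlib;` and defines no get_address, so unless another file defines it in that package the call resolves to fwlib::get_address and dies at run time; the sub also has no return statement, so callers get nothing usable back. If the library continues under a new path, either qualify the call with the package that really provides get_address or drop get_grp_ip. While touching it: get_srv_prot tests `$customservice{$key}[0] eq $val` twice in nested ifs, get_ipsec_net_ip/get_ipsec_host_ip and get_ovpn_n2n_ip/get_ovpn_host_ip have identical bodies, and `$#ips gt 0` in get_srvgrp_port is a string comparison where the numeric `>` is meant.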
diff --git a/config/forwardfw/firewall-policy b/config/forwardfw/firewall-policy
deleted file mode 100755
index 6f7e95c..0000000
--- a/config/forwardfw/firewall-policy
+++ /dev/null
@@ -1,124 +0,0 @@
-#!/bin/sh
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/forward/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
-
-iptables -F POLICYFWD
-iptables -F POLICYOUT
-iptables -F POLICYIN
-
-if [ -f "/var/ipfire/red/iface" ]; then
-	IFACE="$(</var/ipfire/red/iface)"
-fi
-
-# Figure out what devices are configured.
-HAVE_BLUE="false"
-HAVE_ORANGE="false"
-
-case "${CONFIG_TYPE}" in
-	2)
-		HAVE_BLUE="true"
-		;;
-	3)
-		HAVE_ORANGE="true"
-		;;
-	4)
-		HAVE_BLUE="true"
-		HAVE_ORANGE="true"
-		;;
-esac
-
-# INPUT
-case "${FWPOLICY2}" in
-	REJECT)
-		if [ "${DROPINPUT}" = "on" ]; then
-			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix \
                "REJECT_INPUT"
-		fi
-		/sbin/iptables -A POLICYIN -j REJECT --reject-with icmp-host-unreachable -m \
                comment --comment "DROP_INPUT"
-		;;
-	*) # DROP
-		if [ "${DROPINPUT}" = "on" ]; then
-			/sbin/iptables -A POLICYIN -m limit --limit 10/minute -j LOG --log-prefix \
                "DROP_INPUT"
-		fi
-		/sbin/iptables -A POLICYIN -j DROP -m comment --comment "DROP_INPUT"
-		;;
-esac
-
-# FORWARD
-case "${POLICY}" in
-	MODE1)
-		case "${FWPOLICY}" in
-			REJECT)
-				if [ "${DROPFORWARD}" = "on" ]; then
-					/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix \
                "REJECT_FORWARD"
-				fi
-				/sbin/iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m \
                comment --comment "DROP_FORWARD"
-				;;
-			*) # DROP
-				if [ "${DROPFORWARD}" = "on" ]; then
-					/sbin/iptables -A POLICYFWD -m limit --limit 10/minute -j LOG --log-prefix \
                "DROP_FORWARD"
-				fi
-				/sbin/iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
-				;;
-		esac
-		;;
-
-	*)
-		if [ -n "${IFACE}" ]; then
-			if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
-				/sbin/iptables -A POLICYFWD -i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP
-			fi
-			if [ "${HAVE_ORANGE}" = "true" ] && [ -n "${ORANGE_DEV}" ]; then
-				/sbin/iptables -A POLICYFWD -i "${ORANGE_DEV}" ! -o "${IFACE}" -j DROP
-			fi
-		fi
-		/sbin/iptables -A POLICYFWD -j ACCEPT
-		/sbin/iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
-		;;
-esac
-
-# OUTGOING
-case "${POLICY1}" in
-	MODE1)
-		case "${FWPOLICY1}" in
-			REJECT)
-				if [ "${DROPOUTGOING}" = "on" ]; then
-					/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix \
                "REJECT_OUTPUT"
-				fi
-				/sbin/iptables -A POLICYOUT -j REJECT --reject-with icmp-host-unreachable -m \
                comment --comment "DROP_OUTPUT"
-				;;
-			*) # DROP
-				if [ "${DROPOUTGOING}" == "on" ]; then
-					/sbin/iptables -A POLICYOUT -m limit --limit 10/minute -j LOG --log-prefix \
                "DROP_OUTPUT"
-				fi
-				/sbin/iptables -A POLICYOUT -j DROP -m comment --comment "DROP_OUTPUT"
-				;;
-		esac
-		;;
-	*)
-		/sbin/iptables -A POLICYOUT -j ACCEPT
-		/sbin/iptables -A POLICYOUT -m comment --comment "DROP_OUTPUT" -j DROP
-		;;
-esac
-
-exit 0
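Review bot: The script is declared `#!/bin/sh` but `IFACE="$(</var/ipfire/red/iface)"` and `[ "${DROPOUTGOING}" == "on" ]` are not POSIX sh. On a /bin/sh that is not bash, the first leaves IFACE empty, so in the default FORWARD branch the `-i "${BLUE_DEV}" ! -o "${IFACE}" -j DROP` and matching ORANGE rules are skipped and only `-A POLICYFWD -j ACCEPT` is installed; the second makes the DROP_OUTPUT log rule silently never load. Use `#!/bin/bash`, or read the file with cat and use `=` as the other tests in this file do. Also worth fixing wherever this script ends up: in both default branches the rule with comment DROP_FORWARD / DROP_OUTPUT is appended after an unconditional ACCEPT and can never match, the REJECT rules carry DROP_* comments, and the three flush calls use a bare `iptables` while every other call uses /sbin/iptables.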
diff --git a/config/forwardfw/p2protocols b/config/forwardfw/p2protocols
deleted file mode 100644
index 7000581..0000000
--- a/config/forwardfw/p2protocols
+++ /dev/null
@@ -1,9 +0,0 @@
-Applejuice;apple;off;
-Ares;ares;off;
-Bittorrent;bit;off;
-DirectConnect;dc;off;
-Edonkey;edk;off;
-Gnutella;gnu;off;
-KaZaA;kazaa;off;
-SoulSeek;soul;off;
-WinMX;winmx;off;
diff --git a/config/forwardfw/rules.pl b/config/forwardfw/rules.pl
deleted file mode 100755
index b3be47d..0000000
--- a/config/forwardfw/rules.pl
+++ /dev/null
@@ -1,635 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx at ipfire.org>                        #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-
-use strict;
-use Time::Local;
-no warnings 'uninitialized';
-
-# enable only the following on debugging purpose
-#use warnings;
-#use CGI::Carp 'fatalsToBrowser';
-
-my %fwdfwsettings=();
-my %defaultNetworks=();
-my %configfwdfw=();
-my %color=();
-my %icmptypes=();
-my %ovpnSettings=();
-my %customgrp=();
-our %sourcehash=();
-our %targethash=();
-my @timeframe=();
-my %configinputfw=();
-my %configoutgoingfw=();
-my %confignatfw=();
-my %aliases=();
-my @DPROT=();
-my @p2ps=();
-require '/var/ipfire/general-functions.pl';
-require "${General::swroot}/lang.pl";
-require "${General::swroot}/forward/bin/firewall-lib.pl";
-
-my $configfwdfw		= "${General::swroot}/forward/config";
-my $configinput	    = "${General::swroot}/forward/input";
-my $configoutgoing  = "${General::swroot}/forward/outgoing";
-my $p2pfile			= "${General::swroot}/forward/p2protocols";
-my $configgrp		= "${General::swroot}/fwhosts/customgroups";
-my $netsettings		= "${General::swroot}/ethernet/settings";
-my $errormessage	= '';
-my $orange			= '';
-my $green			= '';
-my $blue			= '';
-my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
-my $CHAIN			= "FORWARDFW";
-my $conexists		= 'off';
-my $command			= 'iptables -A';
-my $dnat			='';
-my $snat			='';
-
-&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
-&General::readhash("$netsettings", \%defaultNetworks);
-&General::readhasharray($configfwdfw, \%configfwdfw);
-&General::readhasharray($configinput, \%configinputfw);
-&General::readhasharray($configoutgoing, \%configoutgoingfw);
-&General::readhasharray($configgrp, \%customgrp);
-&General::get_aliases(\%aliases);
-
-#check if we have an internetconnection
-open (CONN,"/var/ipfire/red/iface");
-my $con = <CONN>;
-close(CONN);
-if (-f "/var/ipfire/red/active"){
-	$conexists='on';
-}
-open (CONN1,"/var/ipfire/red/local-ipaddress");
-my $redip = <CONN1>;
-close(CONN1);
-#################
-#    DEBUG/TEST #
-#################
-my $MODE=0;     # 0 - normal operation
-				# 1 - print configline and rules to console
-				#
-#################
-my $param=shift;
-
-if($param eq 'flush'){
-	if ($MODE eq '1'){
-		print " Flushing chains...\n";
-	}
-	&flush;
-}else{
-	if ($MODE eq '1'){
-		print " Flushing chains...\n";
-	}
-	&flush;
-	if ($MODE eq '1'){
-		print " Preparing rules...\n";
-	}
-	&preparerules;
-	if($MODE eq '0'){
-		if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
-			&p2pblock;
-			system ("/usr/sbin/firewall-policy");
-		}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
-			&p2pblock;
-			system ("iptables -A $CHAIN -m conntrack --ctstate NEW -j ACCEPT");
-			system ("/usr/sbin/firewall-policy");
-			system ("/etc/sysconfig/firewall.local reload");
-		}
-	}
-}
-sub flush
-{
-	system ("iptables -F FORWARDFW");
-	system ("iptables -F INPUTFW");
-	system ("iptables -F OUTGOINGFW");
-	system ("iptables -t nat -F NAT_DESTINATION");
-	system ("iptables -t nat -F NAT_SOURCE");
-}
-sub preparerules
-{
-	if (! -z  "${General::swroot}/forward/config"){
-		&buildrules(\%configfwdfw);
-	}
-	if (! -z  "${General::swroot}/forward/input"){
-		&buildrules(\%configinputfw);
-	}
-	if (! -z  "${General::swroot}/forward/outgoing"){
-		&buildrules(\%configoutgoingfw);
-	}
-}
-sub buildrules
-{
-	my $hash=shift;
-	my $STAG;
-	my $natip;
-	my $snatport;
-	my $fireport;
-	my $nat;
-	my $fwaccessdport;
-	my $natchain;
-	my $icmptype;
-	foreach my $key (sort {$a <=> $b} keys %$hash){
-		next if (($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1') && $conexists eq \
                'off' );
-		$command="iptables -A";
-		if ($$hash{$key}[28] eq 'ON'){
-			$command='iptables -t nat -A';
-			$natip=&get_nat_ip($$hash{$key}[29],$$hash{$key}[31]);
-			if($$hash{$key}[31] eq 'dnat'){
-				$nat='DNAT';
-				if ($$hash{$key}[30] =~ /\|/){
-					$$hash{$key}[30]=~ tr/|/,/;
-					$fireport='-m multiport --dport '.$$hash{$key}[30];
-				}else{
-					$fireport='--dport '.$$hash{$key}[30] if ($$hash{$key}[30]>0);
-				}
-			}else{
-				$nat='SNAT';
-			}
-		}
-		$STAG='';
-		if($$hash{$key}[2] eq 'ON'){
-			#get source ip's
-			if ($$hash{$key}[3] eq 'cust_grp_src'){
-				foreach my $grp (sort {$a <=> $b} keys %customgrp){
-						if($customgrp{$grp}[0] eq $$hash{$key}[4]){
-						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
-					}
-				}
-			}else{
-				&get_address($$hash{$key}[3],$$hash{$key}[4],"src");
-			}
-			#get target ip's
-			if ($$hash{$key}[5] eq 'cust_grp_tgt'){
-				foreach my $grp (sort {$a <=> $b} keys %customgrp){
-					if($customgrp{$grp}[0] eq $$hash{$key}[6]){
-						&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
-					}
-				}
-			}elsif($$hash{$key}[5] eq 'ipfire' ){
-				if($$hash{$key}[6] eq 'GREEN'){
-					$targethash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
-				}
-				if($$hash{$key}[6] eq 'BLUE'){
-					$targethash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
-				}
-				if($$hash{$key}[6] eq 'ORANGE'){
-					$targethash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
-				}
-				if($$hash{$key}[6] eq 'ALL'){
-					$targethash{$key}[0]='0.0.0.0/0';
-				}
-				if($$hash{$key}[6] eq 'RED' || $$hash{$key}[6] eq 'RED1'){
-					open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open \
                local-ipaddress";
-					$targethash{$key}[0]= <FILE>;
-					close(FILE);
-				}else{
-					foreach my $alias (sort keys %aliases){
-						if ($$hash{$key}[6] eq $alias){
-							$targethash{$key}[0]=$aliases{$alias}{'IPT'};
-						}
-					}
-				}
-			}else{
-				&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
-			}
-			##get source prot and port
-			$SRC_TGT='SRC';
-			$SPORT = &get_port($hash,$key);
-			$SRC_TGT='';
-
-			##get target prot and port
-			$DPROT=&get_prot($hash,$key);
-
-			if ($DPROT eq ''){$DPROT=' ';}
-			@DPROT=split(",",$DPROT);
-
-			#get time if defined
-			if($$hash{$key}[18] eq 'ON'){
-				my ($time1,$time2,$daylight);
-				my $daylight=$$hash{$key}[28];
-				$time1=&get_time($$hash{$key}[26],$daylight);
-				$time2=&get_time($$hash{$key}[27],$daylight);
-				if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
-				if($$hash{$key}[20] ne ''){push (@timeframe,"Tue");}
-				if($$hash{$key}[21] ne ''){push (@timeframe,"Wed");}
-				if($$hash{$key}[22] ne ''){push (@timeframe,"Thu");}
-				if($$hash{$key}[23] ne ''){push (@timeframe,"Fri");}
-				if($$hash{$key}[24] ne ''){push (@timeframe,"Sat");}
-				if($$hash{$key}[25] ne ''){push (@timeframe,"Sun");}
-				$TIME=join(",", at timeframe);
-
-				$TIMEFROM="--timestart $time1 ";
-				$TIMETILL="--timestop $time2 ";
-				$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
-			}
-			if ($MODE eq '1'){
-				print "NR:$key ";
-				foreach my $i (0 .. $#{$$hash{$key}}){
-					print "$i: $$hash{$key}[$i]  ";
-				}
-				print "\n";
-				print"##################################\n";
-				#print rules to console
-				foreach my $DPROT (@DPROT){
-					$DPORT = &get_port($hash,$key,$DPROT);
-					$PROT=$DPROT;
-					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
-					foreach my $a (sort keys %sourcehash){
-						foreach my $b (sort keys %targethash){
-							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' \
                || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
-								if($DPROT ne ''){
-									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ \
                $STAG="-s";}
-									if(substr($DPORT, 2, 4) eq 'icmp'){
-										my @icmprule= split(",",substr($DPORT, 12,));
-										foreach (@icmprule){
-											$icmptype="--icmp-type ";
-											if ($_ eq "BLANK") {
-													$icmptype="";
-													$_="";
-											}
-											if ($$hash{$key}[17] eq 'ON'){
-												print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
                $targethash{$b}[0] $icmptype $_ $TIME -j LOG\n";
-											}
-												print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
                $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
-										}
-									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
-										$natchain='NAT_DESTINATION';
-										if ($$hash{$key}[17] eq 'ON'){
-											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME \
                -j LOG --log-prefix 'DNAT' \n";
-										}
-										my ($ip,$sub) =split("/",$targethash{$b}[0]);
-										#Process NAT with servicegroup used
-										if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && \
                $$hash{$key}[14] eq 'cust_srvgrp'){
-											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip \
                $fireport $TIME -j $nat --to $ip $DPORT\n";
-											$fwaccessdport=$DPORT;
-										}else{
-											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip \
                $fireport $TIME -j $nat --to $ip$DPORT\n";
-											$DPORT =~ s/\-/:/g;
-											if ($DPORT){
-												$fwaccessdport="--dport ".substr($DPORT,1,);
-											}elsif(! $DPORT && $$hash{$key}[30] ne ''){
-												if ($$hash{$key}[30]=~m/|/i){
-													$$hash{$key}[30] =~ s/\|/,/g;
-													$fwaccessdport="-m multiport --dport $$hash{$key}[30]";
-												}else{
-													$fwaccessdport="--dport $$hash{$key}[30]";
-												}
-											}
-										}
-										print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip \
                $fwaccessdport $TIME -j $$hash{$key}[0]\n";
-										next;
-									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
-										$natchain='NAT_SOURCE';
-										print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
                $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
-									}
-									if ($$hash{$key}[17] eq 'ON' ){
-											print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
                $targethash{$b}[0] $DPORT $TIME -j LOG\n";
-									}
-									if ($PROT ne '-p ICMP'){
-										print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
                -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
-									}
-									if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
-										print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
                -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
-									}
-								}
-							}
-						}
-					}
-					print"\n";
-				}
-			}elsif($MODE eq '0'){
-				foreach my $DPROT (@DPROT){
-					$DPORT = &get_port($hash,$key,$DPROT);
-					$PROT=$DPROT;
-					$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
-					foreach my $a (sort keys %sourcehash){
-						foreach my $b (sort keys %targethash){
-							if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' \
                || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
-								if($DPROT ne ''){
-									if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ \
                $STAG="-s";}
-									#Process ICMP RULE
-									if(substr($DPORT, 2, 4) eq 'icmp'){
-										my @icmprule= split(",",substr($DPORT, 12,));
-										foreach (@icmprule){
-											$icmptype="--icmp-type ";
-											if ($_ eq "BLANK") {
-													$icmptype="";
-													$_="";
-											}
-											if ($$hash{$key}[17] eq 'ON'){
-												system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
                -d $targethash{$b}[0] $icmptype $_ $TIME -j LOG");
-											}
-												system ("$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
                -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]");
-										}
-									#PROCESS DNAT RULE (Portforward)
-									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
-										$natchain='NAT_DESTINATION';
-										if ($$hash{$key}[17] eq 'ON'){
-											system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME \
                -j LOG --log-prefix 'DNAT' \n";
-										}
-										my ($ip,$sub) =split("/",$targethash{$b}[0]);
-										#Process NAT with servicegroup used
-										if ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat' && \
                $$hash{$key}[14] eq 'cust_srvgrp'){
-											system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip \
                $fireport $TIME -j $nat --to $ip $DPORT\n";
-											$fwaccessdport=$DPORT;
-										}else{
-											system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip \
                $fireport $TIME -j $nat --to $ip$DPORT\n";
-											$DPORT =~ s/\-/:/g;
-											if ($DPORT){
-												$fwaccessdport="--dport ".substr($DPORT,1,);
-											}elsif(! $DPORT && $$hash{$key}[30] ne ''){
-												if ($$hash{$key}[30]=~m/|/i){
-													$$hash{$key}[30] =~ s/\|/,/g;
-													$fwaccessdport="-m multiport --dport $$hash{$key}[30]";
-												}else{
-													$fwaccessdport="--dport $$hash{$key}[30]";
-												}
-											}
-										}
-										system "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d \
                $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
-										next;
-									#PROCESS SNAT RULE
-									}elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
-										$natchain='NAT_SOURCE';
-										system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
                $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
-									}
-									if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){
-										system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d \
                $targethash{$b}[0] $DPORT $TIME -j LOG\n";
-									}
-									#PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied \
                double)
-									if ($PROT ne '-p ICMP'){
-										system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
                -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
-									}
-									#PROCESS Prot ICMP and type = All ICMP-Types
-									if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
-										system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT \
                -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
-									}
-								}
-							}
-						}
-					}
-				}
-			}
-		}
-		%sourcehash=();
-		%targethash=();
-		undef $TIME;
-		undef $TIMEFROM;
-		undef $TIMETILL;
-		undef $fireport;
-	}
-}
-sub get_nat_ip
-{
-	my $val=shift;
-	my $type=shift;
-	my $result;
-	if($val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE'){
-		$result=$defaultNetworks{$val.'_ADDRESS'};
-	}elsif($val eq 'ALL'){
-		$result='-i '.$con;
-	}elsif($val eq 'Default IP' && $type eq 'dnat'){
-		$result='-d '.$redip;
-	}elsif($val eq 'Default IP' && $type eq 'snat'){
-		$result=$redip;
-	}else{
-		foreach my $al (sort keys %aliases){
-			if($val eq $al && $type eq 'dnat'){
-				$result='-d '.$aliases{$al}{'IPT'};
-			}elsif($val eq $al && $type eq 'snat'){
-				$result=$aliases{$al}{'IPT'};
-			}
-		}
-	}
-	return $result;
-}
-sub get_time
-{
-	my $val=shift;
-	my $val1=shift;
-	my $time;
-	my $minutes;
-	my $ruletime;
-	$minutes = &utcmin($val);
-	$ruletime = $minutes + &time_get_utc($val);
-	if ($ruletime < 0){$ruletime +=1440;}
-	if ($ruletime > 1440){$ruletime -=1440;}
-	$time=sprintf "%02d:%02d", $ruletime / 60, $ruletime % 60;
-	return $time;
-}
-sub time_get_utc
-{
-	# Calculates the UTCtime from a given time
-	my $val=shift;
-	my @localtime=localtime(time);
-	my @gmtime=gmtime(time);
-	my $diff = ($gmtime[2]*60+$gmtime[1]%60)-($localtime[2]*60+$localtime[1]%60);
-	return $diff;
-}
-sub utcmin
-{
-	my $ruletime=shift;
-	my ($hrs,$min) = split(":",$ruletime);
-	my $newtime = $hrs*60+$min;
-	return $newtime;
-}
-sub p2pblock
-{
-	my $P2PSTRING;
-	my $DO;
-	open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
-	@p2ps = <FILE>;
-	close FILE;
-	my $CMD = "-m ipp2p";
-	foreach my $p2pentry (sort @p2ps) {
-		my @p2pline = split( /\;/, $p2pentry );
-		if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
-			$DO = "ACCEPT";
-			if ("$p2pline[2]" eq "on") {
-				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
-			}
-		}else {
-			$DO = "RETURN";
-			if ("$p2pline[2]" eq "off") {
-				$P2PSTRING = "$P2PSTRING --$p2pline[1]";
-			}
-		}
-	}
-	if ($MODE eq 1){
-		if($P2PSTRING){
-			print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
-		}
-	}else{
-		if($P2PSTRING){
-			system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
-		}
-	}
-}
-sub get_address
-{
-	my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
-	my $base2=shift;
-	my $type=shift; #src or tgt
-	my $hash;
-	if ($type eq 'src'){
-		$hash=\%sourcehash;
-	}else{
-		$hash=\%targethash;
-	}
-	my $key = &General::findhasharraykey($hash);
-	if($base eq 'src_addr' || $base eq 'tgt_addr' ){
-		if (&General::validmac($base2)){
-			$$hash{$key}[0] = "-m mac --mac-source $base2";
-		}else{
-			$$hash{$key}[0] = $base2;
-		}
-	}elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard \
                Network'){
-		$$hash{$key}[0]=&fwlib::get_std_net_ip($base2,$con);
-	}elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom \
                Network'){
-		$$hash{$key}[0]=&fwlib::get_net_ip($base2);
-	}elsif($base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom \
                Host'){
-		$$hash{$key}[0]=&fwlib::get_host_ip($base2,$type);
-	}elsif($base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN \
                static network'){
-		$$hash{$key}[0]=&fwlib::get_ovpn_net_ip($base2,1);
-	}elsif($base eq 'ovpn_host_src' ||$base eq 'ovpn_host_tgt' || $base eq 'OpenVPN \
                static host'){
-		$$hash{$key}[0]=&fwlib::get_ovpn_host_ip($base2,33);
-	}elsif($base eq 'ovpn_n2n_src' ||$base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN \
                N-2-N'){
-		$$hash{$key}[0]=&fwlib::get_ovpn_n2n_ip($base2,11);
-	}elsif($base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec \
                Network'){
-		$$hash{$key}[0]=&fwlib::get_ipsec_net_ip($base2,11);
-	}elsif($base eq 'ipfire_src' ){
-		if($base2 eq 'GREEN'){
-			$$hash{$key}[0]=$defaultNetworks{'GREEN_ADDRESS'};
-		}
-		if($base2 eq 'BLUE'){
-			$$hash{$key}[0]=$defaultNetworks{'BLUE_ADDRESS'};
-		}
-		if($base2 eq 'ORANGE'){
-			$$hash{$key}[0]=$defaultNetworks{'ORANGE_ADDRESS'};
-		}
-		if($base2 eq 'ALL'){
-			$$hash{$key}[0]='0.0.0.0/0';
-		}
-		if($base2 eq 'RED' || $base2 eq 'RED1'){
-			open(FILE, "/var/ipfire/red/local-ipaddress")or die "Couldn't open \
                local-ipaddress";
-			$$hash{$key}[0]= <FILE>;
-			close(FILE);
-		}else{
-			foreach my $alias (sort keys %aliases){
-				if ($base2 eq $alias){
-					$$hash{$key}[0]=$aliases{$alias}{'IPT'};
-				}
-			}
-		}
-	}
-}
-sub get_prot
-{
-	my $hash=shift;
-	my $key=shift;
-	#check AH,GRE,ESP or ICMP
-	if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON'){
-		return "$$hash{$key}[8]";
-	}
-	if ($$hash{$key}[7] eq 'ON' || $$hash{$key}[11] eq 'ON'){
-		#check if servicegroup or service
-		if($$hash{$key}[14] eq 'cust_srv'){
-			return &fwlib::get_srv_prot($$hash{$key}[15]);
-		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
-			return &fwlib::get_srvgrp_prot($$hash{$key}[15]);
-		}elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && $$hash{$key}[8] eq \
                ''){ #when ports are used and prot set to "all"
-			return "TCP,UDP";
-		}elsif (($$hash{$key}[10] ne '' || $$hash{$key}[15] ne '') && ($$hash{$key}[8] eq \
'TCP' || $$hash{$key}[8] eq 'UDP')){ #when ports are used and prot set to "tcp" or \
                "udp"
-			return "$$hash{$key}[8]";
-		}elsif (($$hash{$key}[10] eq '' && $$hash{$key}[15] eq '') && $$hash{$key}[8] ne \
                'ICMP'){ #when ports are NOT used and prot NOT set to "ICMP"
-			return "$$hash{$key}[8]";
-		}else{
-			return "$$hash{$key}[8]";
-		}
-	}
-	#DNAT
-	if ($SRC_TGT eq '' && $$hash{$key}[31] eq 'dnat' && $$hash{$key}[11] eq '' && \
                $$hash{$key}[12] ne ''){
-		return "$$hash{$key}[8]";
-	}
-}
-sub get_port
-{
-	my $hash=shift;
-	my $key=shift;
-	my $prot=shift;
-	if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
-		if ($$hash{$key}[10] ne ''){
-			$$hash{$key}[10] =~ s/\|/,/g;
-			if(index($$hash{$key}[10],",") > 0){
-				return "-m multiport --sport $$hash{$key}[10] ";
-			}else{
-				if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq \
                'snat') ||($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat')  \
                ){
-					return "--sport $$hash{$key}[10] ";
-				}else{
-					return ":$$hash{$key}[10]";
-				}
-			}
-		}
-	}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
-		if($$hash{$key}[14] eq 'TGT_PORT'){
-			if ($$hash{$key}[15] ne ''){
-				$$hash{$key}[15] =~ s/\|/,/g;
-				if(index($$hash{$key}[15],",") > 0){
-					return "-m multiport --dport $$hash{$key}[15] ";
-				}else{
-					if($$hash{$key}[28] ne 'ON' || ($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq \
                'snat') ){
-						return "--dport $$hash{$key}[15] ";
-					 }else{
-						 $$hash{$key}[15] =~ s/\:/-/g;
-						 return ":$$hash{$key}[15]";
-					 }
-				}
-			}
-		}elsif($$hash{$key}[14] eq 'cust_srv'){
-			if ($prot ne 'ICMP'){
-				if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){
-					return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
-				}else{
-					return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot);
-				}
-			}elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){        #When PROT is ICMP \
                and "use targetport is checked, this is an icmp-service
-				return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot);
-			}
-		}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
-			if 	($prot ne 'ICMP'){
-				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
-			}
-			elsif($prot eq 'ICMP'){
-				return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
-			}
-		}
-	}
-	#CHECK ICMP
-	if ($$hash{$key}[7] ne 'ON' && $$hash{$key}[11] ne 'ON' && $SRC_TGT eq ''){
-		if($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
-			return "--icmp-type $$hash{$key}[9] ";
-		}elsif($$hash{$key}[9] eq 'All ICMP-Types'){
-			return;
-		}
-	}
-}
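Review bot: The DNAT port check if ($$hash{$key}[30]=~m/|/i), which appears in both the MODE 1 (print) path and the MODE 0 (system) path of the removed file, uses an unescaped | and therefore matches every string, so the plain "--dport $$hash{$key}[30]" else-branch is never reached and a single external port is always emitted with -m multiport. The substitution on the following line escapes it correctly (s/\|/,/g). The file lists in this commit show rules.pl now living under var/ipfire/firewall/bin/, so the copy at the new location should use m/\|/. The MODE 0 path also hands one interpolated string to system, which means every rule field passes through the shell; calling system with an argument list would avoid that.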
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 7796d86..7fdc983 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -49,17 +49,17 @@ var/ipfire/extrahd
 #var/ipfire/extrahd/partitions
 #var/ipfire/extrahd/scan
 #var/ipfire/extrahd/settings
-var/ipfire/forward
-#var/ipfire/forward/bin
-#var/ipfire/forward/bin/firewall-lib.pl
-#var/ipfire/forward/bin/rules.pl
-#var/ipfire/forward/config
-#var/ipfire/forward/dmz
-#var/ipfire/forward/input
-#var/ipfire/forward/nat
-#var/ipfire/forward/outgoing
-#var/ipfire/forward/p2protocols
-#var/ipfire/forward/settings
+var/ipfire/firewall
+#var/ipfire/firewall/bin
+#var/ipfire/firewall/bin/firewall-lib.pl
+#var/ipfire/firewall/bin/rules.pl
+#var/ipfire/firewall/config
+#var/ipfire/firewall/dmz
+#var/ipfire/firewall/input
+#var/ipfire/firewall/nat
+#var/ipfire/firewall/outgoing
+#var/ipfire/firewall/p2protocols
+#var/ipfire/firewall/settings
 var/ipfire/fwhosts
 #var/ipfire/fwhosts/customgroups
 #var/ipfire/fwhosts/customhosts
diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs
index 2463ba2..1ab4dec 100644
--- a/config/rootfiles/common/misc-progs
+++ b/config/rootfiles/common/misc-progs
@@ -16,7 +16,7 @@ usr/local/bin/logwatch
 #usr/local/bin/mpfirectrl
 usr/local/bin/openvpnctrl
 #usr/local/bin/outgoingfwctrl
-usr/local/bin/forwardfwctrl
+usr/local/bin/firewallctrl
 usr/local/bin/pakfire
 usr/local/bin/qosctrl
 usr/local/bin/rebuildhosts
diff --git a/config/rootfiles/core/fifteen/filelists/firewall \
b/config/rootfiles/core/fifteen/filelists/firewall index c5c0dac..3edde8e 100644
--- a/config/rootfiles/core/fifteen/filelists/firewall
+++ b/config/rootfiles/core/fifteen/filelists/firewall
@@ -9,16 +9,14 @@ usr/sbin/convert-outgoingfw
 usr/sbin/convert-portfw
 usr/sbin/convert-xtaccess
 usr/sbin/firewall-policy
-var/ipfire/forward
-var/ipfire/forward/bin/firewall-lib.pl
-var/ipfire/forward/bin/rules.pl
-var/ipfire/forward/config
-var/ipfire/forward/dmz
-var/ipfire/forward/input
-var/ipfire/forward/nat
-var/ipfire/forward/outgoing
-var/ipfire/forward/p2protocols
-var/ipfire/forward/settings
+var/ipfire/firewall
+var/ipfire/firewall/bin/firewall-lib.pl
+var/ipfire/firewall/bin/rules.pl
+var/ipfire/firewall/config
+var/ipfire/firewall/input
+var/ipfire/firewall/outgoing
+var/ipfire/firewall/p2protocols
+var/ipfire/firewall/settings
 var/ipfire/fwhosts
 var/ipfire/fwhosts/customhosts
 var/ipfire/fwhosts/customnetworks
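Review bot: The new list drops the dmz and nat entries that the old list carried (var/ipfire/forward/dmz, var/ipfire/forward/nat), while the configroot hunk in this same commit still lists #var/ipfire/firewall/dmz and #var/ipfire/firewall/nat. If those two files are obsolete, remove them from configroot as well; if they are still read anywhere, they need to stay in this filelist. The commit message should say which it is.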
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index fde7e5e..802b2be 100755
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -29,13 +29,13 @@ no warnings 'uninitialized';
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
-require "${General::swroot}/forward/bin/firewall-lib.pl";
+require "${General::swroot}/firewall/bin/firewall-lib.pl";
 
-unless (-d "${General::swroot}/forward") 			{ system("mkdir \
                ${General::swroot}/forward"); }
-unless (-e "${General::swroot}/forward/settings")   { system("touch \
                ${General::swroot}/forward/settings"); }
-unless (-e "${General::swroot}/forward/config")  	{ system("touch \
                ${General::swroot}/forward/config"); }
-unless (-e "${General::swroot}/forward/input")  	{ system("touch \
                ${General::swroot}/forward/input"); }
-unless (-e "${General::swroot}/forward/outgoing")  	{ system("touch \
${General::swroot}/forward/outgoing"); } +unless (-d \
"${General::swroot}/firewall")			{ system("mkdir ${General::swroot}/firewall"); } \
+unless (-e "${General::swroot}/firewall/settings")	{ system("touch \
${General::swroot}/firewall/settings"); } +unless (-e \
"${General::swroot}/firewall/config")	{ system("touch \
${General::swroot}/firewall/config"); } +unless (-e \
"${General::swroot}/firewall/input")		{ system("touch \
${General::swroot}/firewall/input"); } +unless (-e \
"${General::swroot}/firewall/outgoing")	{ system("touch \
${General::swroot}/firewall/outgoing"); }  
 my %fwdfwsettings=();
 my %selected=() ;
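Review bot: The unless (-e ...) guards now create empty firewall/settings, config, input and outgoing files when they are missing, and nothing in this hunk carries over the contents of the old ${General::swroot}/forward files, so please confirm that the update ships a migration step; without one an upgraded system comes up with an empty rule set under the new path. The guards also shell out through system("mkdir ...") and system("touch ...") without checking the result; Perl's built-in mkdir and an open for append would avoid the shell and allow a failure to be reported.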
@@ -63,7 +63,7 @@ my %aliases=();
 my %optionsfw=();
 my %ifaces=();
 
-my @PROTOCOLS = ("TCP", "UDP", "ICMP", "IGMP", "AH", "ESP", "GRE");
+my @PROTOCOLS = ("TCP", "UDP", "ICMP", "IGMP", "AH", "ESP", "GRE","IPv6","IPIP");
 
 my $color;
 my $confignet		= "${General::swroot}/fwhosts/customnetworks";
@@ -75,9 +75,9 @@ my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
 my $configccdhost	= "${General::swroot}/ovpn/ovpnconfig";
 my $configipsec		= "${General::swroot}/vpn/config";
 my $configipsecrw	= "${General::swroot}/vpn/settings";
-my $configfwdfw		= "${General::swroot}/forward/config";
-my $configinput		= "${General::swroot}/forward/input";
-my $configoutgoing	= "${General::swroot}/forward/outgoing";
+my $configfwdfw		= "${General::swroot}/firewall/config";
+my $configinput		= "${General::swroot}/firewall/input";
+my $configoutgoing	= "${General::swroot}/firewall/outgoing";
 my $configovpn		= "${General::swroot}/ovpn/settings";
 my $fwoptions 		= "${General::swroot}/optionsfw/settings";
 my $ifacesettings	= "${General::swroot}/ethernet/settings";
@@ -87,7 +87,7 @@ my $ipgrp="${General::swroot}/outgoing/groups";
 my $tdcolor='';
 my $checkorange='';
 my @protocols;
-&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \
\%color);  &General::readhash($fwoptions, \%optionsfw); 
@@ -919,6 +919,18 @@ sub checkrule
 		$fwdfwsettings{'ICMP_TYPES'}='';
 		$fwdfwsettings{'USESRV'}='';
 		$fwdfwsettings{'TGT_PORT'}='';
+	}elsif($fwdfwsettings{'PROT'} eq 'IPv6'){
+		$fwdfwsettings{'USE_SRC_PORT'}='';
+		$fwdfwsettings{'SRC_PORT'}='';
+		$fwdfwsettings{'ICMP_TYPES'}='';
+		$fwdfwsettings{'USESRV'}='';
+		$fwdfwsettings{'TGT_PORT'}='';
+	}elsif($fwdfwsettings{'PROT'} eq 'IPIP'){
+		$fwdfwsettings{'USE_SRC_PORT'}='';
+		$fwdfwsettings{'SRC_PORT'}='';
+		$fwdfwsettings{'ICMP_TYPES'}='';
+		$fwdfwsettings{'USESRV'}='';
+		$fwdfwsettings{'TGT_PORT'}='';
 	}elsif($fwdfwsettings{'PROT'} ne 'TCP' && $fwdfwsettings{'PROT'} ne 'UDP' && \
$fwdfwsettings{'PROT'} ne 'ICMP'){  $fwdfwsettings{'ICMP_TYPES'}='';
 		$fwdfwsettings{'PROT'} = '';
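Review bot: The two added branches for 'IPv6' and 'IPIP' are line-for-line identical to each other, so fold them into one condition. More importantly, the fall-through branch directly after them resets $fwdfwsettings{'PROT'} to '' for anything that is not TCP, UDP or ICMP, so every protocol added to @PROTOCOLS has to be listed here by hand or the saved rule silently loses its protocol match. Driving this check from the same list as the dropdown would remove that trap.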
@@ -1718,17 +1730,25 @@ END
 		print"<hr>";
 		&Header::closebox;
 		#---PROTOCOL------------------------------------------------------
+		$fwdfwsettings{'SRC_PORT'} =~ s/\|/,/g;
+		$fwdfwsettings{'TGT_PORT'} =~ s/\|/,/g;
+		$fwdfwsettings{'dnatport'} =~ tr/|/,/;
+
+		# The dnatport may be empty, if it matches TGT_PORT
+		if ($fwdfwsettings{'dnatport'} eq $fwdfwsettings{'TGT_PORT'}) {
+			$fwdfwsettings{'dnatport'} = "";
+		}
+
 		&Header::openbox('100%', 'left', $Lang::tr{'fwhost prot'});
 		#Fix Protocol for JQuery
 		if ($fwdfwsettings{'grp3'} eq 'cust_srv' || $fwdfwsettings{'grp3'} eq \
'cust_srvgrp'){  $fwdfwsettings{'PROT'} = 'template';
 		}
 		print<<END;
-		<div id="prt">
-			<table width='15%' border='0' style="float:left;">
+			<table width='100%' border='0'>
 				<tr>
-					<td>
-						<select name='PROT' id='protocol'>
+					<td width="25%">
+						<select name='PROT' id='protocol' style="width: 95px;">
 END
 		print "<option value=\"\"";
 		if ($fwdfwsettings{'PROT'} eq '') {
@@ -1745,21 +1765,22 @@ END
 			if ($_ eq $fwdfwsettings{'PROT'}) {
 				print " selected=\"selected\"";
 			}
-			print ">$_</option>";
+			if($_ eq "IPv6"){
+				print ">$Lang::tr{'fwdfw prot41'}</option>";
+			}else{
+				print ">$_</option>";
+			}
 		}
+
 		print<<END;
 						</select>
 					</td>
-				</tr>
-			</table>
-		</div>
-
-		<div id="PROTOCOL_ICMP_TYPES">
-			<table width='50%' border='0' style="float:left;">
-				<tr>
-					<td width='20%'>$Lang::tr{'fwhost icmptype'}</td>
-					<td colspan='2'>
-						<select name='ICMP_TYPES' style='min-width:230px;'>
+					<td width="75%">
+						<table width='100%' border='0' id="PROTOCOL_ICMP_TYPES">
+							<tr>
+								<td width='20%'>$Lang::tr{'fwhost icmptype'}</td>
+								<td colspan='2'>
+									<select name='ICMP_TYPES' style='min-width:230px;'>
 END
 		&General::readhasharray("${General::swroot}/fwhosts/icmp-types", \%icmptypes);
 		print"<option value='All ICMP-Types'>$Lang::tr{'fwdfw all icmp'}</option>";
@@ -1772,66 +1793,51 @@ END
 		}
 
 		print <<END;
-						</select>
-					</td>
-				</tr>
-			</table>
-		</div>
+									</select>
+								</td>
+							</tr>
+						</table>
+
+						<table width="100%" border="0" id="PROTOCOL_PORTS">
+							<tr>
+								<!-- #SOURCEPORT -->
+								<td>
+									$Lang::tr{'fwdfw use srcport'}
+								</td>
+								<td>
+									<input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' \
maxlength='20' size='18'> +								</td>
+								<td width='10%'>
+								</td>
+
+								<!-- #TARGETPORT -->
+								<td>
+									$Lang::tr{'fwdfw use srv'}
+								</td>
+
+								<td>
+									<input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' \
maxlength='20' size='18'> +								</td>
+							</tr>
+							<tr class="NAT">
+								<td colspan='3'></td>
+								<td>$Lang::tr{'fwdfw external port nat'}:</td>
+								<td>
+									<input type='text' name='dnatport' value=\"$fwdfwsettings{'dnatport'}\" \
maxlength='20' size='18'> +								</td>
+							</tr>
+						</table>
+
+						<table width="100%" border="0" id="PROTOCOL_TEMPLATE">
+							<tr>
+								<td>
+									<input type='radio' name='grp3' id='cust_srv' value='cust_srv' checked>
+									$Lang::tr{'fwhost cust service'}
+								</td>
+								<td>
+									<select name='cust_srv' style='min-width: 230px;'>
 END
 
-		$fwdfwsettings{'SRC_PORT'} =~ s/\|/,/g;
-		$fwdfwsettings{'TGT_PORT'} =~ s/\|/,/g;
-		$fwdfwsettings{'dnatport'} =~ tr/|/,/;
-
-		# The dnatport may be empty, if it matches TGT_PORT
-		if ($fwdfwsettings{'dnatport'} eq $fwdfwsettings{'TGT_PORT'}) {
-			$fwdfwsettings{'dnatport'} = "";
-		}
-
-		print <<END;
-
-		<div id="PROTOCOL_PORTS">
-			<table border="0">
-				<tr>
-					<!-- #SOURCEPORT -->
-					<td>
-						$Lang::tr{'fwdfw use srcport'}
-					</td>
-					<td>
-						<input type='text' name='SRC_PORT' value='$fwdfwsettings{'SRC_PORT'}' \
                maxlength='20' size='18'>
-					</td>
-					<td width='10%'>
-					</td>
-
-					<!-- #TARGETPORT -->
-					<td>
-						$Lang::tr{'fwdfw use srv'}
-					</td>
-
-					<td>
-						<input type='text' name='TGT_PORT' value='$fwdfwsettings{'TGT_PORT'}' \
                maxlength='20' size='18'>
-					</td>
-				</tr>
-				<tr class="NAT">
-					<td colspan='3'></td>
-					<td>$Lang::tr{'fwdfw external port nat'}:</td>
-					<td>
-						<input type='text' name='dnatport' value=\"$fwdfwsettings{'dnatport'}\" \
                maxlength='20' size='18'>
-					</td>
-				</tr>
-			</table>
-		</div>
-
-		<div id="PROTOCOL_TEMPLATE">
-			<table border="0">
-				<tr>
-					<td>
-						<input type='radio' name='grp3' id='cust_srv' value='cust_srv' checked>
-						$Lang::tr{'fwhost cust service'}
-					</td>
-					<td>
-						<select name='cust_srv' style='min-width: 230px;'>
-END
 		&General::readhasharray("$configsrv", \%customservice);
 		foreach my $key (sort { ncmp($customservice{$a}[0],$customservice{$b}[0]) } keys \
%customservice){  print"<option ";
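Review bot: The relocated inputs for SRC_PORT, TGT_PORT and dnatport interpolate $fwdfwsettings{...} straight into the value attribute with no HTML escaping visible in this hunk, and they mix quoting styles (value='...' for the two port fields, value=\"...\" for dnatport). Since the block is being re-indented anyway, escape the three values before the heredoc and settle on one quoting style, so that a stored value containing a quote character cannot break out of the attribute.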
@@ -1839,17 +1845,17 @@ END
 			print"value='$customservice{$key}[0]'>$customservice{$key}[0]</option>";
 		}
 
-		print<<END;
-						</select>
-					</td>
-				</tr>
-				<tr>
-					<td>
-						<input type='radio' name='grp3' id='cust_srvgrp' value='cust_srvgrp' \
                $checked{'grp3'}{'cust_srvgrp'}>
-						$Lang::tr{'fwhost cust srvgrp'}
-					</td>
-					<td>
-						<select name='cust_srvgrp' style='min-width:230px;'>
+		print <<END;
+									</select>
+								</td>
+							</tr>
+							<tr>
+								<td>
+									<input type='radio' name='grp3' id='cust_srvgrp' value='cust_srvgrp' \
$checked{'grp3'}{'cust_srvgrp'}> +									$Lang::tr{'fwhost cust srvgrp'}
+								</td>
+								<td>
+									<select name='cust_srvgrp' style='min-width:230px;'>
 END
 
 		&General::readhasharray("$configsrvgrp", \%customservicegrp);
@@ -1861,15 +1867,16 @@ END
 				print">$customservicegrp{$key}[0]</option>";
 			}
 			$helper=$customservicegrp{$key}[0];
-		}	
+		}
+
 		print<<END;
-						</select>
+									</select>
+								</td>
+							</tr>
+						</table>
 					</td>
 				</tr>
 			</table>
-		</div>
-
-		<br><br><br>
 END
 
 		&Header::closebox;
@@ -2455,7 +2462,11 @@ END
 			#Get Protocol
 			my $prot;
 			if ($$hash{$key}[8]){
-				push (@protocols,$$hash{$key}[8]);
+				if ($$hash{$key}[8] eq "IPv6"){
+					push (@protocols,$Lang::tr{'fwdfw prot41 short'})
+				}else{
+					push (@protocols,$$hash{$key}[8]);
+				}
 			}elsif($$hash{$key}[14] eq 'cust_srv'){
 				&get_serviceports("service",$$hash{$key}[15]);
 			}elsif($$hash{$key}[14] eq 'cust_srvgrp'){
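Review bot: The added push (@protocols,$Lang::tr{'fwdfw prot41 short'}) has no terminating semicolon. Perl accepts that for the last statement in a block, but the else branch has one, and the next edit that appends a line here will break. The IPv6-to-label mapping also now exists in two places (the dropdown uses 'fwdfw prot41', this table uses 'fwdfw prot41 short'); a small helper returning the display name for a protocol would keep the two in step.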
@@ -2675,7 +2686,7 @@ END
 		#SHOW FINAL RULE
 		print "<table width='100%'rules='cols' border='1'>";
 		my $col;
-		if ($config eq '/var/ipfire/forward/config'){
+		if ($config eq '/var/ipfire/firewall/config'){
 			my $pol='fwdfw '.$fwdfwsettings{'POLICY'};
 			if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
 				$col="bgcolor='darkred'";
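Review bot: The test $config eq '/var/ipfire/firewall/config' compares against a hard-coded absolute path, while the rest of the file builds the same path from ${General::swroot} ($configfwdfw, $configoutgoing). Compare against those variables instead. The literal is why this rename had to touch four comparisons in this function, and if swroot ever differs from /var/ipfire neither branch is taken and the default-policy row is not shown.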
@@ -2683,7 +2694,7 @@ END
 				$col="bgcolor='green'";
 			}
 			&show_defaultrules($col,$pol);
-		}elsif ($config eq '/var/ipfire/forward/outgoing'){
+		}elsif ($config eq '/var/ipfire/firewall/outgoing'){
 			if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
 				$col="bgcolor='darkred'";
 				print"<tr><td $col width='20%' align='center'><font \
color='#FFFFFF'>$Lang::tr{'fwdfw final_rule'}</td><td $col align='center'><font \
color='#FFFFFF' >$Lang::tr{'fwdfw pol block'}</font></td></tr>"; @@ -2703,7 +2714,7 \
@@ END  print "<b>$title1</b><br>";
 			print"<table width='100%' border='0' rules='none'><tr><td height='30' \
bgcolor=$color{'color22'} align='center'>$Lang::tr{'fwhost \
empty'}</td></tr></table>";  my $col;
-			if ($config eq '/var/ipfire/forward/config'){
+			if ($config eq '/var/ipfire/firewall/config'){
 				my $pol='fwdfw '.$fwdfwsettings{'POLICY'};
 				if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
 					$col="bgcolor='darkred'";
@@ -2711,7 +2722,7 @@ END
 					$col="bgcolor='green'";
 				}
 				&show_defaultrules($col,$pol);
-			}elsif ($config eq '/var/ipfire/forward/outgoing'){
+			}elsif ($config eq '/var/ipfire/firewall/outgoing'){
 				print "<table width='100%' rules='cols' border='1'>";
 				my $pol='fwdfw '.$fwdfwsettings{'POLICY1'};
 				if ($fwdfwsettings{'POLICY1'} eq 'MODE1'){
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index ebd1fdc..fd66a49 100755
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -60,8 +60,8 @@ my $configccdhost	= "${General::swroot}/ovpn/ovpnconfig";
 my $configipsec		= "${General::swroot}/vpn/config";
 my $configsrv		= "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
-my $fwconfigfwd		= "${General::swroot}/forward/config";
-my $fwconfiginp		= "${General::swroot}/forward/input";
+my $fwconfigfwd		= "${General::swroot}/firewall/config";
+my $fwconfiginp		= "${General::swroot}/firewall/input";
 my $configovpn		= "${General::swroot}/ovpn/settings";
 my $tdcolor='';
 my $configipsecrw	= "${General::swroot}/vpn/settings";
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 713f37f..9563aab 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -26,13 +26,13 @@ my %fwdfwsettings=();
 my %configfwdfw=();
 my %configoutgoingfw=();
 
-my $configfwdfw		= "${General::swroot}/forward/config";
-my $configoutgoing	= "${General::swroot}/forward/outgoing";
+my $configfwdfw		= "${General::swroot}/firewall/config";
+my $configoutgoing	= "${General::swroot}/firewall/outgoing";
 my $errormessage = '';
 my $warnmessage = '';
 my $filename = "${General::swroot}/optionsfw/settings";
 
-&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
 &Header::showhttpheaders();
 
 #Get GUI values
@@ -41,7 +41,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 	if ($settings{'defpol'} ne '1'){
 		$errormessage .= $Lang::tr{'new optionsfw later'};
 		&General::writehash($filename, \%settings);             # Save good settings
-		system("/usr/local/bin/forwardfwctrl");
+		system("/usr/local/bin/firewallctrl");
 	}else{
 		if ($settings{'POLICY'} ne ''){
 			$fwdfwsettings{'POLICY'} = $settings{'POLICY'};
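Review bot: The return status of system("/usr/local/bin/firewallctrl") is discarded, so the page shows only the 'new optionsfw later' message even when the helper could not be run under its new name. Check $? after the call and append to $errormessage when it is non-zero; a rename is a good moment to make a missing binary visible.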
@@ -54,9 +54,9 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 		%fwdfwsettings = ();
 		$fwdfwsettings{'POLICY'} = "$MODE";
 		$fwdfwsettings{'POLICY1'} = "$MODE1";
-		&General::writehash("${General::swroot}/forward/settings", \%fwdfwsettings);
-		&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
-		system("/usr/local/bin/forwardfwctrl");
+		&General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+		&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+		system("/usr/local/bin/firewallctrl");
 	}
 	&General::readhash($filename, \%settings);             # Load good settings
 }
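Review bot: The path "${General::swroot}/firewall/settings" is now spelled out three times in this file (the top-level readhash and the writehash/readhash pair here), which is why the rename had to touch each of them. Put it in a variable next to $configfwdfw and $configoutgoing. The readhash straight after writehash of the same hash and file also looks redundant; drop it or add a comment saying what it is for.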
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f012358..7eccf98 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -170,7 +170,7 @@ sub checkportfw {
 	my $DPORT = shift;
 	my $DPROT = shift;
 	my %natconfig =();
-	my $confignat = "${General::swroot}/forward/config";
+	my $confignat = "${General::swroot}/firewall/config";
 	$DPROT= uc ($DPROT);
 	&General::readhasharray($confignat, \%natconfig);
 	foreach my $key (sort keys %natconfig){
diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi
index bb0d0ae..aab2d3d 100755
--- a/html/cgi-bin/p2p-block.cgi
+++ b/html/cgi-bin/p2p-block.cgi
@@ -32,7 +32,7 @@ require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 
 my $errormessage = '';
-my $p2pfile = "${General::swroot}/forward/p2protocols";
+my $p2pfile = "${General::swroot}/firewall/p2protocols";
 
 my @p2ps = ();
 my %fwdfwsettings = ();
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index ce48d69..92847ca 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -963,6 +963,8 @@
 'fwdfw pol text' => 'Firewall-Standardverhalten f??r Verbindungen aus lokalen \
Netzwerken: Alle Verbindungen k??nnen entweder zugelassen oder geblockt werden, wenn \
keine Ausnahmeregel zutrifft. "Blockiert" trennt ebenfalls die Kommunikation zwischen \
den lokalen Netzwerken.',  'fwdfw pol text1' => 'Firewall-Standardverhalten f??r von \
der Firewall selbst initiierte Verbindungen.',  'fwdfw pol title' => \
'Standardverhalten der Firewall', +'fwdfw prot41' => 'IPv6 Encapsulation (Protokoll \
41)', +'fwdfw prot41 short' => 'IPv6 Encap',
 'fwdfw red' => 'ROT',
 'fwdfw reread' => '??nderungen ??bernehmen',
 'fwdfw rule action' => 'Regelaktion:',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index c3e4c3e..2d36cdb 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -988,6 +988,8 @@
 'fwdfw pol text' => 'Sets the default firewall behaviour for connections from local \
networks. You may either allow all new connections or block them by default. \
Connections between the local networks are also blocked in the latter mode.',  'fwdfw \
pol text1' => 'Sets the default firewall behaviour for connections initiated by the \
firewall itself. Attention! You may lock yourself out.',  'fwdfw pol title' => \
'Default firewall behaviour', +'fwdfw prot41' => 'IPv6 Encapsulation (Protocol 41)',
+'fwdfw prot41 short' => 'IPv6 Encap',
 'fwdfw red' => 'RED',
 'fwdfw reread' => 'Apply changes',
 'fwdfw rule action' => 'Rule action:',
diff --git a/lfs/configroot b/lfs/configroot
index 555c782..f73453d 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -51,7 +51,7 @@ $(TARGET) :
 
 	# Create all directories
 	for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns \
                dnsforward \
-			ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging \
mac main \ +			ethernet extrahd/bin fwlogs fwhosts firewall firewall/bin isdn key \
langs logging mac main \  menu.d modem net-traffic net-traffic/templates nfs \
optionsfw \  ovpn patches pakfire portfw ppp private proxy/advanced/cre \
 			proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
@@ -64,7 +64,7 @@ $(TARGET) :
 	for i in auth/users backup/include.user backup/exclude.user \
 	    certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache \
dhcp/settings \  dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings \
dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics \
                ethernet/scanned_nics \
-	    ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions \
extrahd/settings forward/settings forward/config forward/input forward/outgoing \
forward/dmz forward/nat \ +	    ethernet/wireless extrahd/scan extrahd/devices \
extrahd/partitions extrahd/settings firewall/settings firewall/config firewall/input \
                firewall/outgoing \
 	    fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups \
                fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
 	    isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing \
                main/settings net-traffic/settings optionsfw/settings \
 	    ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config \
ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \ @@ -99,14 +99,14 @@ \
$(TARGET) :  cp $(DIR_SRC)/config/cfgroot/useragents			$(CONFIG_ROOT)/proxy/advanced
 	cp $(DIR_SRC)/config/cfgroot/ethernet-vlans		$(CONFIG_ROOT)/ethernet/vlans
 	cp $(DIR_SRC)/langs/list						$(CONFIG_ROOT)/langs/
-	cp $(DIR_SRC)/config/forwardfw/rules.pl			$(CONFIG_ROOT)/forward/bin/rules.pl
-	cp $(DIR_SRC)/config/forwardfw/convert-xtaccess	/usr/sbin/convert-xtaccess
-	cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw	/usr/sbin/convert-outgoingfw
-	cp $(DIR_SRC)/config/forwardfw/convert-dmz	/usr/sbin/convert-dmz
-	cp $(DIR_SRC)/config/forwardfw/convert-portfw	/usr/sbin/convert-portfw
-	cp $(DIR_SRC)/config/forwardfw/p2protocols		$(CONFIG_ROOT)/forward/p2protocols
-	cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl	$(CONFIG_ROOT)/forward/bin/firewall-lib.pl
                
-	cp $(DIR_SRC)/config/forwardfw/firewall-policy	/usr/sbin/firewall-policy
+	cp $(DIR_SRC)/config/firewall/rules.pl			$(CONFIG_ROOT)/firewall/bin/rules.pl
+	cp $(DIR_SRC)/config/firewall/convert-xtaccess	/usr/sbin/convert-xtaccess
+	cp $(DIR_SRC)/config/firewall/convert-outgoingfw	/usr/sbin/convert-outgoingfw
+	cp $(DIR_SRC)/config/firewall/convert-dmz	/usr/sbin/convert-dmz
+	cp $(DIR_SRC)/config/firewall/convert-portfw	/usr/sbin/convert-portfw
+	cp $(DIR_SRC)/config/firewall/p2protocols		$(CONFIG_ROOT)/firewall/p2protocols
+	cp $(DIR_SRC)/config/firewall/firewall-lib.pl	$(CONFIG_ROOT)/firewall/bin/firewall-lib.pl
 +	cp $(DIR_SRC)/config/firewall/firewall-policy	/usr/sbin/firewall-policy
 	cp $(DIR_SRC)/config/fwhosts/icmp-types			$(CONFIG_ROOT)/fwhosts/icmp-types
 	cp $(DIR_SRC)/config/fwhosts/customservices		$(CONFIG_ROOT)/fwhosts/customservices
 	# Oneliner configfiles
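Review bot: In the list of files created empty (the -64,7 hunk), forward/dmz and forward/nat are dropped rather than renamed: the old line runs "forward/outgoing forward/dmz forward/nat" and the new one stops at "firewall/outgoing". Everything else in this file is a plain forward -> firewall rename, so if the removal is intentional it deserves its own mention in the commit message; if not, add firewall/dmz and firewall/nat back.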
@@ -130,11 +130,11 @@ $(TARGET) :
 	echo  "SHOWDROPDOWN=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSINPUT=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPWIRELESSFORWARD=on"	>> $(CONFIG_ROOT)/optionsfw/settings
-	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/forward/settings
-	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/forward/settings
+	echo  "POLICY=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
+	echo  "POLICY1=MODE2"		>> $(CONFIG_ROOT)/firewall/settings
 	
 	# set rules.pl executable
-	chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl
+	chmod 755 $(CONFIG_ROOT)/firewall/bin/rules.pl
 		
 	# set converters executable
 	chmod 755 /usr/sbin/convert-*
diff --git a/lfs/initscripts b/lfs/initscripts
index 0b2dbee..eae451b 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -179,7 +179,7 @@ $(TARGET) :
 
 	ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
 	ln -sf ../../firewall /etc/rc.d/init.d/networking/red.up/20-RL-firewall
-	ln -sf ../../../../../usr/local/bin/forwardfwctrl \
+	ln -sf ../../../../../usr/local/bin/firewallctrl \
 		/etc/rc.d/init.d/networking/red.up/22-forwardfwctrl
 	ln -sf ../../../../../usr/local/bin/snortctrl \
 		/etc/rc.d/init.d/networking/red.up/23-RS-snort
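Review bot: The symlink target becomes firewallctrl but the link is still created as red.up/22-forwardfwctrl. It works, but leaves the old name in the init directory after a rename that otherwise removes it everywhere; rename the link to match, or note why the old name is kept.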
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index fc49da4..36d7e44 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -223,7 +223,7 @@ iptables_init() {
 	/usr/sbin/firewall-policy
 
 	# read new firewall
-	/usr/local/bin/forwardfwctrl
+	/usr/local/bin/firewallctrl
 
 	if [ "$DROPINPUT" == "on" ]; then
 		/sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix \
                "DROP_INPUT"
diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile
index c748a66..b447435 100644
--- a/src/misc-progs/Makefile
+++ b/src/misc-progs/Makefile
@@ -27,7 +27,7 @@ PROGS = iowrap
 SUID_PROGS = squidctrl sshctrl ipfirereboot \
 	ipsecctrl timectrl dhcpctrl snortctrl \
 	applejuicectrl rebuildhosts backupctrl \
-	logwatch openvpnctrl forwardfwctrl \
+	logwatch openvpnctrl firewallctrl \
 	wirelessctrl getipstat qosctrl launch-ether-wake \
 	redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \
 	smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
@@ -86,8 +86,8 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o
 clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o \
../install+setup/libsmooth/varval.o -o $@  
-forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o
-	$(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o \
../install+setup/libsmooth/varval.o -o $@ +firewallctrl: firewallctrl.c setuid.o \
../install+setup/libsmooth/varval.o +	$(COMPILE) -I../install+setup/libsmooth/ \
firewallctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@  
 timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o
 	$(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o \
                ../install+setup/libsmooth/varval.o -o $@
diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c
new file mode 100644
index 0000000..97de271
--- /dev/null
+++ b/src/misc-progs/firewallctrl.c
@@ -0,0 +1,25 @@
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence.  See the file COPYING for details.
+ *
+ */
+
+#include <unistd.h>
+
+#include "setuid.h"
+
+int main(int argc, char *argv[]) {
+	if (!(initsetuid()))
+		exit(1);
+
+	int retval = safe_system("/var/ipfire/firewall/bin/rules.pl");
+
+	/* If rules.pl has been successfully executed, the indicator
+	 * file is removed. */
+	if (retval == 0) {
+		unlink("/var/ipfire/firewall/reread");
+	}
+
+	return 0;
+}
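Review bot: main() ends with return 0 regardless of retval, so a failing rules.pl is invisible to every caller in this commit (the system() calls in optionsfw.cgi, init.d/firewall, the red.up symlink); the only trace is that the reread indicator file stays in place. Return non-zero when safe_system() fails, for example return retval != 0;. Also, exit() is called with only <unistd.h> and "setuid.h" included; add #include <stdlib.h> unless setuid.h already provides it.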
diff --git a/src/misc-progs/forwardfwctrl.c b/src/misc-progs/forwardfwctrl.c
deleted file mode 100644
index 9f3f28e..0000000
--- a/src/misc-progs/forwardfwctrl.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/* This file is part of the IPFire Firewall.
- *
- * This program is distributed under the terms of the GNU General Public
- * Licence.  See the file COPYING for details.
- *
- */
-
-#include <unistd.h>
-
-#include "setuid.h"
-
-int main(int argc, char *argv[]) {
-	if (!(initsetuid()))
-		exit(1);
-
-	int retval = safe_system("/var/ipfire/forward/bin/rules.pl");
-
-	/* If rules.pl has been successfully executed, the indicator
-	 * file is removed. */
-	if (retval == 0) {
-		unlink("/var/ipfire/forward/reread");
-	}
-
-	return 0;
-}


hooks/post-receive
--
IPFire 2.x development tree

