+++ /dev/null
-###############################################################################
-# IPFire.org - An Open Source Firewall Solution #
-# Copyright (C) - IPFire Development Team <info@ipfire.org> #
-###############################################################################
-
-name = firewall
-version = 0.1
-release = 2
-
-maintainer = Michael Tremer <michael.tremer@ipfire.org>
-groups = Networking/Firewall
-url = http://www.ipfire.org/
-license = GPLv3+
-summary = The IPFire Firewall Engine.
-
-description
- This script installs IPFire's firewall.
-end
-
-# No tarball.
-sources =
-
-build
- DIR_APP = %{DIR_SOURCE}/src
-
- build
- : # Do nothing.
- end
-
- install
- mkdir -pv %{BUILDROOT}/usr/{lib,share}/firewall %{BUILDROOT}/usr/bin
- for i in %{DIR_APP}/{functions,zones}*; do \
- install -m 644 -v $i %{BUILDROOT}/usr/lib/firewall; \
- done
- cp -avf %{DIR_APP}/macros %{BUILDROOT}/usr/share/firewall/
- install -m 755 -v %{DIR_APP}/firewall %{BUILDROOT}/usr/bin
- end
-end
-
-packages
- package %{name}
- requires = iproute2 iptables
- end
-
- package %{name}-debuginfo
- template DEBUGINFO
- end
-end
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-###############################################################################
-# This is the script, that is runned by the user to contol the firewall #
-# We only do some actions here and call the functions from the libs. #
-# #
-# Actions (as known at the moment): #
-# - start/stop/restart/reload #
-# - show #
-# - running? #
-# - serveral config #
-# - calc (cidr|subnets|...) #
-# - ... #
-# #
-###############################################################################
-
-PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin
-
-LIBDIR=/usr/lib/firewall
-
-function include() {
- local file=$1
- local path
- for path in $LIBDIR .; do
- if [ -f "$path/$file" ]; then
- . $path/$file
- return # found
- fi
- done
- echo "Couldn't include $file. File was not found!" >&2
- _exit 1
-}
-
-function usage() {
- echo "Usage: $0 [global options] command [command options]"
- echo
- _exit ${1-1}
-}
-
-include functions
-
-while [ "$#" -gt 0 ]; do
- arg=$1
- shift
- case "$arg" in
- --debug|-d)
- debug 1
- decho "Debug mode is enabled."
- ;;
- --verbose|-v)
- verbose 1
- vecho "${BOLD}Verbose mode is enabled.${NORMAL}"
- ;;
- calc)
- shift
- case "$1" in
- mask2cidr)
- mask_to_cidr $@
- _exit $?
- ;;
- *)
- usage
- ;;
- esac
- ;;
- config)
- config_load $@
- _exit $?
- ;;
- help|-h|--help)
- usage 0
- ;;
- notify)
- ;;
- reload)
- ;;
- start|restart)
- _start
- _exit $@
- ;;
- stop)
- _stop
- _exit $@
- ;;
- *)
- usage
- ;;
- esac
-done
-
-error "No command was given."
-usage
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-DEBUG=
-VERBOSE=
-TMPDIR=$(mktemp -d)
-
-BOLD="\\033[1;39m"
-NORMAL="\\033[0;39m"
-ERROR="\\033[1;31m"
-
-function debug() {
- if [ -n "$1" ]; then
- DEBUG=$1
- verbose $1
- return
- else
- if [ "$DEBUG" = "1" ]; then
- return 0
- else
- return 1
- fi
- fi
-
-}
-
-function verbose() {
- if [ -n "$1" ]; then
- VERBOSE=$1
- return
- else
- if [ "$VERBOSE" = "1" ]; then
- return 0
- else
- return 1
- fi
- fi
-}
-
-function decho() {
- debug && echo -e "${ERROR}$@${NORMAL}"
-}
-
-function vecho() {
- verbose && echo -e "$@"
-}
-
-function error() {
- echo -e "${ERROR}ERROR${NORMAL}: $@" >&2
- _exit 1
-}
-
-function ifs() {
- if [ -n "$1" ]; then
- IFS_SAVE=$IFS
- echo $1
- else
- echo $IFS_SAVE
- fi
-}
-
-function uppercase() {
- tr [a-z] [A-Z] <<< "$@"
-}
-
-include functions.commands
-include functions.config
-include functions.firewall
-include functions.ip
-include functions.iptables
-include functions.macros
-include functions.zones
-
-function _start() {
- local zone
- local policy
-
- firewall_init
- zones_local_add
-
- for zone in $(network zone list); do
- zone=$(basename ${zone})
- policy=${zone%%[0-9]*}
- zones_${policy}_add ${zone}
- done
-
- iptables_commit
-}
-
-function _stop() {
- iptables_flush
- iptables_commit
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-function cmd_quiet() {
- $@ &>/dev/null
-}
-
-function _exit() {
- rm -rf $TMPDIR
- exit $@
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-CONFIG_NONE=0
-CONFIG_TEXT=1
-CONFIG_SQLITE=2
-
-function config_type() {
- if _config_is_sqlite $1; then
- echo $CONFIG_SQLITE
- else
- echo $CONFIG_TEXT
- fi
-}
-
-function config_load() {
- local file
- local type
- file=$1
-
- if ! [ -f "$file" ]; then
- error "Cannot load config file $file. File does not exist!"
- exit 1
- fi
-
- vecho "Loading config file: $file"
-
- type=$(config_type $file)
- if [ "$type" = "$CONFIG_SQLITE" ]; then
- eval $(_config_load_sqlite $file)
- else
- eval $(_config_load_text $file)
- fi
-}
-
-function _config_is_sqlite() {
- file $1 2>/dev/null | grep -q "SQLite 3.x database"
-}
-
-function _config_dump_sqlite() {
- sqlite3 -noheader -column $1 "SELECT * FROM config;"
-}
-
-function _config_load_sqlite() {
- _config_dump_sqlite $1 | while read KEY VALUE; do
- echo "$KEY=$VALUE"
- done
-}
-
-function _config_load_text() {
- readhash $1
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-function firewall_init() {
- decho "Initializing firewall interface."
- iptables_init
- firewall_tcp_state_flags
- firewall_connection_tracking
-}
-
-function firewall_tcp_state_flags() {
- vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..."
- chain_create BADTCP_LOG
- iptables -A BADTCP_LOG -p tcp -j $(iptables_LOG "Illegal TCP state: ")
- iptables -A BADTCP_LOG -j DROP
-
- chain_create BADTCP
- iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
- iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
- iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
- iptables -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
- iptables -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG
- iptables -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG
- iptables -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG
-
- iptables -A INPUT -p tcp -j BADTCP
- iptables -A OUTPUT -p tcp -j BADTCP
- iptables -A FORWARD -p tcp -j BADTCP
-}
-
-function firewall_connection_tracking() {
- vecho "Adding ${BOLD}Connection Tracking${NORMAL} chain..."
- chain_create CONNTRACK
- iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
- iptables -A CONNTRACK -m state --state INVALID -j DROP
-
- iptables -A INPUT -p tcp -j CONNTRACK
- iptables -A OUTPUT -p tcp -j CONNTRACK
- iptables -A FORWARD -p tcp -j CONNTRACK
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-###############################################################################
-# General IP address manipulation functions
-# ip_encode - Encodes an IP to an integer
-# Parameters: ip address (e.g. 192.168.0.1)
-# Returns : integer
-# ip_decode - Decodes an integer to an IP
-# Parameters: integer
-# Returns : ip address
-# ip_valid - Checks if given IP is valid
-# Parameters: IP
-# Returns : boolean
-#
-# General subnet functions
-# ip_range - Enumerates members of an IP range
-# Parameters: ip range (e.g. 192.168.0.1-192.168.0.128)
-# Returns : several subnets/IPs
-# ip_range_explicit - Enumerates ALL IP addresses of an IP range
-# Parameters: ip range
-# Returns : several IPs
-# subnet_network - Calculates the network address of a CIDR
-# Parameters: CIDR network (e.g. 192.168.0.0/24)
-# Returns : Network address
-# subnet_broadcast - Calculates the broadcast address of a CIDR
-# Parameters: CIDR network
-# Returns : Broadcast address
-# ip_in_subnet - Checks if an IP is in given subnet
-# Parameters: IP address, subnet
-# Returns : Boolean
-# mask_to_cidr - Converts a subnet mask to cidr type
-# Parameters: subnet (e.g. 255.255.255.0)
-# Returns : CIDR (e.g. 24)
-#
-
-function ip_encode() {
- IFS=$(ifs .)
-
- local int=0
- for field in $1; do
- int=$(( $(( $int << 8 )) | $field ))
- done
-
- echo $int
- IFS=$(ifs)
-}
-
-function ip_decode() {
- addr=$1
-
- local x
- local y
-
- y=$(($addr & 255))
- for x in 1 2 3; do
- addr=$(($addr >> 8))
- y=$(($addr & 255)).$y
- done
-
- echo $y
-}
-
-function ip_range() {
- local first
- local last
- local l
- local x
- local y
- local z
- local vlsm
-
- case "$1" in
- !*)
- echo $1
- return
- ;;
- [0-9]*.*.*.*-*.*.*.*)
- ;;
- *)
- echo $1
- return
- ;;
- esac
-
- first=$(ip_encode ${1%-*})
- last=$(ip_encode ${1#*-})
-
- if [ $first -gt $last ]; then
- error "Invalid IP address range: $1"
- fi
-
- l=$(( $last + 1 ))
-
- while [ $l -gt $first ]; do
- vlsm=
- x=31
- y=2
- z=1
-
- while [ $(( $first % $y )) -eq 0 ] && [ $l -gt $(( $first + $y )) ]; do
- vlsm=/$x
- x=$(( $x - 1 ))
- z=$y
- y=$(( $y * 2 ))
- done
-
- echo $(ip_decode $first)$vlsm
- first=$(($first + $z))
- done
-}
-
-function ip_range_explicit() {
- local first
- local last
-
- case $1 in
- [0-9]*.*.*.*-*.*.*.*)
- ;;
- *)
- echo $1
- return
- ;;
- esac
-
- first=$(ip_encode ${1%-*})
- last=$(ip_encode ${1#*-})
-
- if [ $first -gt $last ]; then
- error "Invalid IP address range: $1"
- fi
-
- while ! [ $first -gt $last ]; do
- echo $(ip_decode $first)
- first=$(($first + 1))
- done
-}
-
-function _netmask() {
- local vlsm
- vlsm=${1#*/}
- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
-}
-
-function subnet_network() {
- local encodedaddr
- encodedaddr=$(ip_encode ${1%/*})
- local netmask
- netmask=$(_netmask $1)
-
- echo $(ip_decode $(($encodedaddr & $netmask)))
-}
-
-function _broadcast() {
- local x
- x=$(( 32 - ${1#*/} ))
- [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 << $x )) - 1 ))
-}
-
-function subnet_broadcast() {
- local encodedaddr
- encodedaddr=$(ip_encode ${1%/*})
- local netmask
- netmask=$(_netmask $1)
- local broadcast
- broadcast=$(_broadcast $1)
-
- echo $(ip_decode $(( $(($encodedaddr & $netmask)) | $broadcast )))
-}
-
-function ip_in_subnet() {
- local netmask
- netmask=$(_netmask $2)
- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
-}
-
-function mask_to_cidr() {
- local mask
- mask=$(ip_encode $1)
- local cidr
- cidr=0
- local x
- x=$(( 128 << 24 )) # 0x80000000
-
- while [ $(( $x & $mask )) -ne 0 ]; do
- [ $mask -eq $x ] && mask=0 || mask=$(( $mask << 1 ))
- cidr=$(($cidr + 1))
- done
-
- if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
- echo "Invalid net mask: $1" >&2
- else
- echo $cidr
- fi
-}
-
-function ip_valid() {
- local x
- IFS=$(ifs .)
- for x in $1; do
- case $x in
- [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
- [ $x -lt 256 ] || { IFS=$(ifs); return 1; }
- ;;
- *)
- IFS=$(ifs)
- return 1
- ;;
- esac
- done
- IFS=$(ifs)
- return 0
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-IPTABLES_FILE=$TMPDIR/iptables
-
-function iptables() {
- local arg
- local args
- local table
-
- table=filter
-
- # Parsing arguments
- while [ $# -gt 0 ]; do
- arg=${1}
- shift
- case "${arg}" in
- -t)
- table=${1}
- shift
- ;;
- -A)
- args="${args} -A $(uppercase ${1})"
- shift
- ;;
- *)
- args="${args} ${arg}"
- ;;
- esac
- done
- echo "${args:1:${#args}}" >> ${IPTABLES_FILE}-${table}
-}
-
-function iptables_flush() {
- decho "Flushing iptables"
- iptables "* filter"
- chain_create INPUT ACCEPT
- chain_create OUTPUT ACCEPT
- chain_create FORWARD ACCEPT
-}
-
-function iptables_init() {
- iptables "* filter"
- chain_create -t filter INPUT DROP
- chain_create -t filter OUTPUT DROP
- chain_create -t filter FORWARD DROP
-
- iptables -t mangle "* mangle"
- chain_create -t mangle PREROUTING ACCEPT
- chain_create -t mangle INPUT ACCEPT
- chain_create -t mangle OUTPUT ACCEPT
- chain_create -t mangle FORWARD ACCEPT
- chain_create -t mangle POSTROUTING ACCEPT
-
- iptables -t nat "* nat"
- chain_create -t nat PREROUTING ACCEPT
- chain_create -t nat OUTPUT ACCEPT
- chain_create -t nat POSTROUTING ACCEPT
-}
-
-function iptables_commit() {
- local chain
-
- vecho "Committing firewall configuration."
- iptables -t filter "COMMIT"
- iptables -t mangle "COMMIT"
- iptables -t nat "COMMIT"
-
- for table in filter mangle nat; do
- [ -e ${IPTABLES_FILE}-${table} ] || continue
- cat ${IPTABLES_FILE}-${table} >> $IPTABLES_FILE
- done
-
- decho "Dumping iptables output"
- if debug; then
- counter=1
- cat $IPTABLES_FILE | while read LINE; do
- printf "%4d | %s\n" "$counter" "$LINE"
- counter=$(( $counter + 1 ))
- done
- fi
-
- iptables-restore $(debug && echo "-v") < $IPTABLES_FILE
-}
-
-function chain_create() {
- local args
- if [ "${1}" = "-t" ]; then
- args="${1} ${2}"
- shift 2
- fi
- iptables ${args} ":$1 ${2--} [0:0]"
-}
-
-function iptables_LOG() {
- local prefix
- prefix=$1
-
- if [ "$LOG_FACILITY" = "syslog" ]; then
- echo -n "LOG"
- [ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\""
- else
- echo -n "NFLOG"
- [ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\""
- echo -n " --nflog-threshold 30"
- fi
- echo
-}
-
-function iptables_protocol() {
- local PROTO
- PROTO=$1
- for proto in tcp udp esp ah; do
- if [ "$PROTO" = "$proto" ]; then
- echo "-p $PROTO"
- break
- fi
- done
-}
-
-IPTABLES_PORT=0
-IPTABLES_MULTIPORT=1
-IPTABLES_PORTRANGE=2
-
-function _iptables_port_range() {
- grep -q ":" <<< $@
-}
-
-function _iptables_port_multiport() {
- grep -q "," <<< $@
-}
-
-function _iptables_port() {
- if _iptables_port_range "$@"; then
- echo $IPTABLES_PORTRANGE
- elif _iptables_port_multiport "$@"; then
- echo $IPTABLES_MULTIPORT
- else
- echo $IPTABLES_PORT
- fi
-}
-
-function iptables_source_port() {
- [ -z "$@" ] && return
- local type
- type=$(_iptables_port $@)
- if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
- echo "-m multiport --source-ports $@"
- else
- echo "--sport $@"
- fi
-}
-
-function iptables_destination_port() {
- [ -z "$@" ] && return
- local type
- type=$(_iptables_port $@)
- if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
- echo "-m multiport --destination-ports $@"
- else
- echo "--dport $@"
- fi
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-function macro() {
- local file
- local line
- local rules
-
- file=$1
- if [ "${file:0:1}" != "/" ]; then
- file="/usr/share/firewall/macros/$file"
- fi
- shift
-
- if _config_is_sqlite $file; then
- rules=$(macro_parse $@ < $file)
- else
- rules=$(sqlite3 -noheader -column $file | macro_parse $@)
- fi
-
- while read line <<< ${rules}; do
- iptables ${line}
- done
-}
-
-function macro_parse() {
- local STRING
- grep -v "^#" | while read ACTION SOURCE DESTINATION PROTOCOL LOCAL_PORT REMOTE_PORT RATE; do
- STRING=""
-
- # Handle inlcudes
- if [ "$ACTION" = "INCLUDE" ]; then
- marco $SOURCE $@
- fi
-
- # Protocol
- STRING="$STRING $(iptables_protocol $PROTOCOL)"
- # Ports
- if [ -n "$PORT_SWITCH" ]; then
- # Switch ports for upload rule
- STRING="$STRING $(iptables_source_port $REMOTE_PORT)"
- STRING="$STRING $(iptables_destination_port $LOCAL_PORT)"
- else
- STRING="$STRING $(iptables_source_port $LOCAL_PORT)"
- STRING="$STRING $(iptables_destination_port $REMOTE_PORT)"
- fi
-
- if [ "$ACTION" = "ACCEPT" ]; then
- STRING="$STRING -j ACCEPT"
-
- elif [ "$ACTION" = "DROP" ]; then
- STRING="$STRING -j DROP"
-
- fi
- [ -n "$STRING" ] && echo "$STRING $@"
- done
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-include zones.green
-include zones.orange
-include zones.red
-
-function zones_global_add() {
- local device
- local name
-
- device=$1
-
- vecho "Adding zone \"$device\""
-
- name=$(uppercase "ZONE_$device")
-
- ### FILTER
- chain_create $name
- iptables -A INPUT -i $device -j $name
- iptables -A FORWARD -i $device -j $name
- iptables -A FORWARD -o $device -j $name
- iptables -A OUTPUT -o $device -j $name
-
- # Leave some space for own rules
- chain_create ${name}_CUSTOM
- iptables -A $name -j ${name}_CUSTOM
-
- # Intrusion Preventions System
- chain_create ${name}_IPS
- iptables -A $name -i $device -j ${name}_IPS
-
- # Portforwarding
- chain_create ${name}_PORTFW
- iptables -A $name -i $device -j ${name}_PORTFW
-
- # Outgoing firewall
- chain_create ${name}_OUTFW
- iptables -A $name -o $device -j ${name}_OUTFW
-
- # Policy rules
- chain_create ${name}_POLICY
- iptables -A $name -j ${name}_POLICY
-
- ### MANGLE
- chain_create -t mangle $name
- iptables -t mangle -A PREROUTING -i $device -j $name
- iptables -t mangle -A POSTROUTING -o $device -j $name
-
- # Quality of Service
- chain_create -t mangle ${name}_QOS_INC
- iptables -t mangle -A $name -i $device -j ${name}_QOS_INC
- chain_create -t mangle ${name}_QOS_OUT
- iptables -t mangle -A $name -o $device -j ${name}_QOS_OUT
-
- ### NAT
- chain_create -t nat ${name}
- iptables -t nat -A PREROUTING -i $device -j ${name}
- iptables -t nat -A POSTROUTING -o $device -j ${name}
-
- # Network Address Translation
- chain_create -t nat ${name}_NAT
- iptables -t nat -A $name -i $device -j ${name}_NAT
-
- # Portforwarding
- chain_create -t nat ${name}_PORTFW
- iptables -t nat -A $name -i $device -j ${name}_PORTFW
-
- # UPNP
- chain_create -t nat ${name}_UPNP
- iptables -t nat -A $name -j ${name}_UPNP
-}
-
-
-### LOCAL ZONE
-function zones_local_add() {
-
- decho "Adding zone \"local\""
-
- # Accept everything on lo
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A OUTPUT -o lo -j ACCEPT
-
-}
+++ /dev/null
-# IPFire Macro
-# This macro handles the dynamic host configuration protocol.
-# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE
-CUSTOM - - tcp 68 67
-CUSTOM - - udp 68 67
+++ /dev/null
-# IPFire Macro
-# This macro handles plaintext HTTP (WWW) traffic.
-# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE
-CUSTOM - - tcp - 80
+++ /dev/null
-# IPFire Macro
-# This macro handles secure HTTP (WWW) traffic.
-# ACTION SRC DST PROTO LOCAL_PORT REMOTE_PORT RATE
-CUSTOM - - tcp - 443
+++ /dev/null
-# IPFire Macro
-# This macro handles WWW traffic.
-# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE
-INCLUDE HTTP
-INCLUDE HTTPS
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-function zones_green_add() {
- # $1 = device
-
- zones_global_add $1
- zones_policy_green $1
-
-}
-
-function zones_policy_green() {
- local device
-
- device=$1
-
- # Accept any traffic from green
- iptables -A ZONE_${device}_POLICY -i $device -j ACCEPT
- iptables -A ZONE_${device}_POLICY -o $device -j ACCEPT
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-function zones_orange_add() {
- # $1 = device
-
- zones_global_add $1
- zones_policy_orange $1
-
-}
-
-function zones_policy_orange() {
- local device
- local name
-
- device=$1
- name=$(uppercase "$device")
-
- : # TODO
-}
+++ /dev/null
-#!/bin/bash
-###############################################################################
-# #
-# IPFire.org - A linux based firewall #
-# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
-# #
-# This program is free software: you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation, either version 3 of the License, or #
-# (at your option) any later version. #
-# #
-# This program is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with this program. If not, see <http://www.gnu.org/licenses/>. #
-# #
-###############################################################################
-
-function zones_red_add() {
- # $1 = device
-
- zones_global_add $1
- zones_policy_red $1
-
-}
-
-function zones_policy_red() {
- local device
- local name
-
- device=$1
- name=$(uppercase "$device")
-
- : # TODO
-}
+++ /dev/null
-
-[Unit]
-Description=Firewall
-After=network.target
-
-[Service]
-ExecStart=/usr/bin/firewall start
-ExecStop=/usr/bin/firewall stop
-ExecReload=/usr/bin/firewall restart
-
-[Install]
-WantedBy=multi-user.target
-