###############################################################################
require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/lang.pl";
use Socket;
use File::Path;
my $fwdfwconfig = "${General::swroot}/firewall/config";
my $outfwconfig = "${General::swroot}/firewall/outgoing";
my $fwdfwsettings = "${General::swroot}/firewall/settings";
-my @ipgroups = qx(ls $ipgrouppath);
-my @macgroups = qx(ls $macgrouppath);
+my @ipgroups = qx(ls $ipgrouppath 2>/dev/null);
+my @macgroups = qx(ls $macgrouppath 2>/dev/null);
my @hostarray=();
my %outsettings=();
my %hosts=();
my %fwdsettings=();
my %ownnet=();
my %ovpnSettings = ();
+my @active= ('Aktiv', 'aktiv', 'Active', 'Activo', 'Actif', 'Actief', 'Aktywne', 'Активен', 'Aktif');
&General::readhash("${General::swroot}/ovpn/settings", \%ovpnSettings);
-&General::readhash($outfwsettings,\%outsettings);
&General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
+
+if (-e "$outfwsettings") {
+ &General::readhash($outfwsettings,\%outsettings);
+}
+else
+{
+ print "Config file for outgoing-firewall not found. Exiting!\n";
+ exit(1);
+}
+
+if (! -s "$outfwsettings") {
+ print "Empty DMZ configuration file. Nothing to do. Exiting...\n";
+ #Fill the firewall settings file
+ open (SETTINGS, ">/var/ipfire/firewall/settings");
+ print SETTINGS "POLICY=MODE2\n";
+ print SETTINGS "POLICY1=MODE2\n";
+ close (SETTINGS);
+ exit(0);
+}
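Review bot: The fallback at L36 writes the firewall settings through a bareword handle with an unchecked 2-arg open, and hard-codes a path that `$fwdfwsettings` (L8) already holds; `open (SETTINGS, '>', $fwdfwsettings) or die "open $fwdfwsettings: $!";` and `close (SETTINGS) or die "close $fwdfwsettings: $!";` would surface a write failure instead of exiting 0 with a possibly empty policy file. The same 2-arg form is kept at L64, where `$group` comes from `ls` output; `open (DATEI, '<', "$macgrouppath/$group") or die "open $macgrouppath/$group: $!";` avoids any mode interpretation of the name and puts the reason in the message. The `2>/dev/null` added at L11-L12 hides a missing or unreadable group directory rather than reporting it; `opendir`/`readdir` on `$ipgrouppath` and `$macgrouppath` (declared outside this view) would give an explicit error and drop the shell round-trip. The message at L34 says "Empty DMZ configuration file" although the file tested is `$outfwsettings`, the outgoing-firewall settings.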
+
#ONLY RUN if /var/ipfire/outgoing exists
if ( -d "/var/ipfire/outgoing"){
&process_groups;
&process_rules;
&process_p2p;
}
+else
+{
+ print "/var/ipfire/outgoing not found. Exiting!\n";
+ exit 1
+}
+
system("/usr/local/bin/firewallctrl");
+
sub process_groups
{
if(! -d "/var/log/converters"){ mkdir("/var/log/converters");}
foreach my $group (@macgroups){
chomp $group;
print LOG "\nProcessing MAC-GROUP: $group...\n";
- open (DATEI, "<$macgrouppath/$group");
+ open (DATEI, "<$macgrouppath/$group") or die 'Unable to open config file.';
my @zeilen = <DATEI>;
foreach my $mac (@zeilen){
chomp($mac);
my $name; #"converted"
my $name2;
my $name3; #custom host/custom net
+ my $mac2;
foreach my $adr (@hostarray){
if($run eq 'ip'){
my ($ip,$type) = split(",",$adr);
$hosts{$key}[1] = $type;
$hosts{$key}[2] = $ip;
$hosts{$key}[3] = '';
- $hosts{$key}[4] = 1;
print LOG "->Host (IP) $ip added to custom hosts\n"
}else{
print LOG "->Host (IP) $ip already exists in custom hosts\n";
$name="host ";
$name2=$name.$ippart;
- foreach my $key (sort keys %hosts){
- if($hosts{$key}[0] eq $name2){
- $hosts{$key}[4]++;
- }
- }
$name="host ";
$name2=$name.$ippart;
$name3="Custom Host";
$nets{$netkey}[1] = $ippart;
$nets{$netkey}[2] = $subnet;
$nets{$netkey}[3] = '';
- $nets{$netkey}[4] = 1;
print LOG "->Network $ippart/$subnet added to custom networks\n";
}
}else{
print LOG "Network $ippart already exists in custom networks\n";
$name="net ";
$name2=$name.$ippart;
- foreach my $key (sort keys %nets){
- if($nets{$key}[0] eq $name2){
- $nets{$key}[4]++;
- }
- }
$name="net ";
$name2=$name.$ippart;
$name3="Custom Network";
$groups{$grpkey}[1] = '';
$groups{$grpkey}[2] = $name2;
$groups{$grpkey}[3] = $name3;
- $groups{$grpkey}[4] = 0;
print LOG "->$name2 added to group $grp\n";
}
}elsif($run eq 'mac'){
#MACRUN
- my ($mac,$type) = split(",",$adr);
+ my ($mac,$type) = split(",",$adr);
print LOG "Processing HOST (MAC) $mac\n";
if(!&check_host($mac)){
- my $key = &General::findhasharraykey(\%hosts);
+ my $key = &General::findhasharraykey(\%hosts);
$name="host ";
- $name2=$name.$mac;
+ $mac2=$mac;
+ $mac2 =~ s/:/-/g;
+ $name2=$name.$mac2;
$name3="Custom Host";
$hosts{$key}[0] = $name2;
$hosts{$key}[1] = $type;
$hosts{$key}[2] = $mac;
- $hosts{$key}[3] = '';
- $hosts{$key}[4] = 1;
print LOG "->Host (MAC) $mac added to custom hosts\n";
}else{
+ $mac2=mac;
+ $mac2 =~ s/:/-/g;
print LOG "->Host (MAC) $mac already exists in custom hosts \n";
$name="host ";
- $name2=$name.$mac;
- foreach my $key (sort keys %hosts){
- if($hosts{$key}[0] eq $name2){
- $hosts{$key}[4]++;
- }
- }
- $name="host ";
- $name2=$name.$mac;
+ $name2=$name.$mac2;
$name3="Custom Host";
}
if($name2 && !&check_grp($grp,$name2)){
$groups{$grpkey}[1] = '';
$groups{$grpkey}[2] = $name2;
$groups{$grpkey}[3] = $name3;
- $groups{$grpkey}[4] = 0;
print LOG "->$name2 added to group $grp\n";
}
}
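Review bot: `$mac2=mac;` at L137 assigns the bareword `mac` (the string "mac"), not the address in `$mac`, so in the already-exists branch every MAC host ends up with `$name2` equal to `host mac` and the group entry written at L152-L157 refers to a host that was never created; the line should read `$mac2=$mac;`. Under `use strict` this would be a compile-time error, but no strictures are visible in the lines shown, so it fails silently at runtime. The `s/:/-/g` normalisation is now duplicated in both branches; computing `$mac2` once right after the split at L119 (`my $mac2 = $mac =~ s/:/-/gr;` if the target Perl is 5.14 or newer) removes the second copy and the chance of the two drifting apart. process_groups starts outside this hunk.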
my @lines = <DATEI>;
foreach my $rule (@lines)
{
+ &General::readhasharray($fwdfwconfig,\%fwconfig);
+ &General::readhasharray($outfwconfig,\%fwconfigout);
my $now=localtime;
chomp($rule);
$port='';
$configline[4] =~ s/,/;/g;
$remark = $configline[4];
}else{$remark = '';}
- if($configline[9] eq 'Active'){ $log='ON';}else{$log='';}
+ #find all "active" tags in all language files and check them against the old config
+ my $logging='0';
+ foreach (@active){
+ $logging='1' if ($_ eq $configline[9]);
+ }
+ if($logging eq '1' ){ $log='ON';}else{$log='';}
if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){
if($configline[17] eq '00:00' && $configline[18] eq '00:00'){
$time='';
}
############################################################
#destinationpart
- if($configline[7] ne ''){
+ if($configline[7] ne '' && $configline[7] ne '0.0.0.0'){
my $address=&check_ip($configline[7]);
if($address){
my ($dip,$dsub) = split("/",$address);
}else{
print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n";
}
- &General::readhasharray($fwdfwconfig,\%fwconfig);
- &General::readhasharray($outfwconfig,\%fwconfigout);
my $check;
my $chain;
foreach my $protocol (@prot){
$chain='FORWARDFW';
}
$protocol=uc($protocol);
- print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
+ print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,$protocol,,,$useport,,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
#Put rules into system....
###########################
#check for double rules
foreach my $key (sort keys %fwconfig){
- if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to"
- eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){
+ if("$action,$chain,$active,$grp1,$source,$grp2,$target,$protocol,$useport,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to"
+ eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],$fwconfig{$key}[8],$fwconfig{$key}[11],$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){
$check='on';
next;
}
}
if($check ne 'on'){
- #increase groupcounter
- my $check1;
- if($grp1 eq 'cust_grp_src'){
- foreach my $key (sort keys %groups){
- if($groups{$key}[0] eq $source){
- $groups{$key}[4]++;
- $check1='on';
- }
- }
- if($check1 eq 'on'){
- &General::writehasharray($configgroups,\%groups);
- }
- }
if ($chain eq 'FORWARDFW'){
my $key = &General::findhasharraykey(\%fwconfig);
$fwconfig{$key}[0] = $action;
$fwconfig{$key}[4] = $source;
$fwconfig{$key}[5] = $grp2;
$fwconfig{$key}[6] = $target;
+ $fwconfig{$key}[8] = $protocol;
$fwconfig{$key}[11] = $useport;
- $fwconfig{$key}[12] = $protocol;
$fwconfig{$key}[14] = $grp3;
$fwconfig{$key}[15] = $port;
$fwconfig{$key}[16] = $remark;
$fwconfig{$key}[29] = 'ALL';
$fwconfig{$key}[30] = '';
$fwconfig{$key}[31] = 'dnat';
+ &General::writehasharray($fwdfwconfig,\%fwconfig);
}else{
my $key = &General::findhasharraykey(\%fwconfigout);
$fwconfigout{$key}[0] = $action;
$fwconfigout{$key}[4] = $source;
$fwconfigout{$key}[5] = $grp2;
$fwconfigout{$key}[6] = $target;
+ $fwconfigout{$key}[8] = $protocol;
$fwconfigout{$key}[11] = $useport;
- $fwconfigout{$key}[12] = $protocol;
$fwconfigout{$key}[14] = $grp3;
$fwconfigout{$key}[15] = $port;
$fwconfigout{$key}[16] = $remark;
$fwconfigout{$key}[29] = 'ALL';
$fwconfigout{$key}[30] = '';
$fwconfigout{$key}[31] = 'dnat';
+ &General::writehasharray($outfwconfig,\%fwconfigout);
}
- &General::writehasharray($fwdfwconfig,\%fwconfig);
- &General::writehasharray($outfwconfig,\%fwconfigout);
}
}
@prot=();
$nets{$netkey}[1] = $net;
$nets{$netkey}[2] = $subnet;
$nets{$netkey}[3] = '';
- $nets{$netkey}[4] = 1;
print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
}else{
print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n";
$groups{$grpkey}[1] = '';
$groups{$grpkey}[2] = $name2;
$groups{$grpkey}[3] = "Custom Network";
- $groups{$grpkey}[4] = 0;
print LOG "$now ->added $name2 to customgroup ovpn\n";
}
$name2='';
sub process_p2p
{
copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/firewall/p2protocols");
- chmod oct('0777'), '/var/ipfire/firewall/p2protocols';
+ chown 99, 99, '/var/ipfire/firewall/p2protocols';
}
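Review bot: Neither `copy` nor the new `chown` at L282-L284 has its return value checked, so a failed copy or a chown on a missing file passes silently before `firewallctrl` runs; `copy(...) or die "copy p2protocols: $!";` and `chown 99, 99, '/var/ipfire/firewall/p2protocols' or warn "chown p2protocols: $!";` make that visible. Replacing the world-writable 0777 with an owner change is the right direction, but the numeric 99/99 is opaque; if 99 is the `nobody` account on this system (the page does not show it), `my ($uid, $gid) = (getpwnam('nobody'))[2,3];` documents the intent and survives a uid change. File::Copy's `copy` does not carry the source's mode, so the resulting permissions now depend on the process umask; an explicit `chmod` to the mode the web UI needs would pin it. `copy` also requires File::Copy, which is not among the `use` lines visible here (L4-L5); presumably it is imported above L1 or by general-functions.pl.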