system("cd / && tar -xvz -p -f /tmp/restore.ipf");
#Here some converter scripts to correct old Backups (before core 65)
system("/usr/sbin/ovpn-ccd-convert");
+ #OUTGOINGFW CONVERTER
if( -d "${General::swroot}/outgoing"){
if( -f "${General::swroot}/forward/config" ){
unlink("${General::swroot}/forward/config");
system("touch ${General::swroot}/forward/config");
chown 99,99,"${General::swroot}/forward/config";
}
- if( -f "${General::swroot}/forward/input" ){
- unlink("${General::swroot}/forward/input");
- system("touch ${General::swroot}/forward/input");
- chown 99,99,"${General::swroot}/forward/input";
- }
+ if( -f "${General::swroot}/forward/outgoing" ){
+ unlink("${General::swroot}/forward/outgoing");
+ system("touch ${General::swroot}/forward/outgoing");
+ chown 99,99,"${General::swroot}/forward/outgoing";
+ }
+ unlink("${General::swroot}/fwhosts/*");
+ system("touch ${General::swroot}/fwhosts/customgroups");
+ system("touch ${General::swroot}/fwhosts/customhosts");
+ system("touch ${General::swroot}/fwhosts/customnetworks");
+ system("touch ${General::swroot}/fwhosts/customservicegrp");
+ system("touch ${General::swroot}/fwhosts/customservices");
+ chown 99,99,"${General::swroot}/fwhosts/*";
+ #START CONVERTER "OUTGOINGFW"
system("/usr/sbin/convert-outgoingfw");
rmtree("${General::swroot}/outgoing");
- system("/usr/local/bin/forwrdfwctrl");
}
+ #XTACCESS CONVERTER
if( -d "${General::swroot}/xtaccess"){
+ if( -f "${General::swroot}/forward/input" ){
+ unlink("${General::swroot}/forward/input");
+ system("touch ${General::swroot}/forward/input");
+ chown 99,99,"${General::swroot}/forward/input";
+ }
+ #START CONVERTER "XTACCESS"
system("/usr/sbin/convert-xtaccess");
rmtree("${General::swroot}/xtaccess");
}
+ #DMZ-HOLES CONVERTER
+ if( -d "${General::swroot}/dmz-holes"){
+ if( -f "${General::swroot}/forward/dmz" ){
+ unlink("${General::swroot}/forward/dmz");
+ system("touch ${General::swroot}/forward/dmz");
+ chown 99,99,"${General::swroot}/forward/dmz";
+ }
+ #START CONVERTER "DMZ-HOLES"
+ system("/usr/sbin/convert-dmz");
+ rmtree("${General::swroot}/xtaccess");
+ }
+ #PORTFORWARD CONVERTER
+ if( -d "${General::swroot}/portfw"){
+ if( -f "${General::swroot}/forward/nat" ){
+ unlink("${General::swroot}/forward/nat");
+ system("touch ${General::swroot}/forward/nat");
+ chown 99,99,"${General::swroot}/forward/nat";
+ }
+ #START CONVERTER "PORTFW"
+ system("/usr/sbin/convert-portfw");
+ rmtree("${General::swroot}/portfw");
+ }
+ system("/usr/local/bin/forwardfwctrl");
}
elsif ($ARGV[0] eq 'restoreaddon') {
if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");}
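Review bot: The DMZ-HOLES block tests for `${General::swroot}/dmz-holes` but cleans up with `rmtree("${General::swroot}/xtaccess")`, while convert-dmz in this same commit reads `${General::swroot}/dmzholes/config`, so the three paths disagree and the old pinhole directory is never removed. If `dmzholes` is the on-disk name (not visible here), the converter is also never started on restore; the test should then be `if( -d "${General::swroot}/dmzholes"){` and the cleanup `rmtree("${General::swroot}/dmzholes");`. In the OUTGOINGFW block, Perl's `unlink` and `chown` do not expand wildcards, so `"${General::swroot}/fwhosts/*"` is taken as a literal file name. Stale host and group definitions therefore survive the restore and the freshly touched files keep the owner of the restoring process; pass `glob("${General::swroot}/fwhosts/*")` to both calls instead. The enclosing if/elsif chain starts and ends outside the hunk.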
--- /dev/null
+#!/usr/bin/perl
+
+########################################################################
+# Script: convert-dmz
+# Date: 03.04.2013
+# Author: Alexander Marx (amarx@ipfire.org)
+########################################################################
+#
+# This script converts old dmz holes rules from old Firewall
+# to the new one. This is a 2-step process.
+# STEP1: read old config and normalize settings
+# STEP2: check valid ip and save valid rules to new firewall
+#
+########################################################################
+my @current=();
+my @alias=();
+my %configdmz=();
+my %ifaces=();
+my %configfwdfw=();
+require '/var/ipfire/general-functions.pl';
+my $dmzconfig = "${General::swroot}/dmzholes/config";
+my $fwdfwconfig = "${General::swroot}/forward/dmz";
+my $ifacesettings = "${General::swroot}/ethernet/settings";
+my $field0 = 'ACCEPT';
+my $field1 = 'FORWARDFW';
+my $field2 = ''; #ON or emtpy
+my $field3 = ''; #std_net_src or src_addr
+my $field4 = ''; #ALL or IP-Address with /32
+my $field5 = ''; #std_net_tgt or tgt_addr
+my $field6 = ''; #IP or network name
+my $field11 = 'ON'; #use target port
+my $field12 = ''; #TCP or UDP
+my $field13 = 'All ICMP-Types';
+my $field14 = 'TGT_PORT';
+my $field15 = ''; #Port Number
+my $field16 = ''; #remark
+my $field26 = '00:00';
+my $field27 = '00:00';
+open(FILE, $dmzconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+#open LOGFILE
+open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
+&General::readhash($ifacesettings, \%ifaces);
+&General::readhasharray($fwdfwconfig,\%configfwdfw);
+&process_rules;
+sub process_rules{
+ foreach my $line (@current){
+ my $now=localtime;
+ #get values from old configfile
+ my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
+ $h =~ s/\s//gi;
+ print LOG "$Now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+ #Now convert values and check ip addresses
+ $a=uc($a);
+ $e=uc($e);
+ $field2=$e if($e eq 'ON');
+ #SOURCE IP-check
+ $b=&check_ip($b);
+ if (&General::validipandmask($b)){
+ #When ip valid, check if we have a network
+ my ($ip,$subnet) = split ("/",$b);
+ if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
+ $field3='std_net_src';
+ $field4='ORANGE';
+ }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+ $field3='std_net_src';
+ $field4='BLUE';
+ }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
+ $field3='src_addr';
+ $field4=$b;
+ }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
+ $field3='src_addr';
+ $field4=$b;
+ }else{
+ print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n";
+ next;
+ }
+ }else{
+ print LOG "$now -> SOURCE IP INVALID. \n\n";
+ next;
+ }
+ #TARGET IP-check
+ $c=&check_ip($c);
+ if (&General::validipandmask($c)){
+ my $now=localtime;
+ #When ip valid, check if we have a network
+ my ($ip,$subnet) = split ("/",$c);
+ if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
+ $field5='std_net_tgt';
+ $field6='GREEN';
+ }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+ $field5='std_net_tgt';
+ $field6='BLUE';
+ }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
+ $field5='tgt_addr';
+ $field6=$c;
+ }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
+ $field5='tgt_addr';
+ $field6=$c;
+ }else{
+ print LOG "$Now ->NOT Converted, invalid Source IP $b\n\n";
+ next;
+ }
+ }else{
+ print LOG "$now -> SOURCE IP INVALID. \n\n";
+ next;
+ }
+ $field12=$a;
+ #convert portrange
+ $d =~ tr/-/:/;
+ $field15=$d;
+ $field16=$h;
+ ##Ausgabe
+ #print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+ #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n";
+ my $key = &General::findhasharraykey (\%configfwdfw);
+ foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
+ $configfwdfw{$key}[0] = $field0;
+ $configfwdfw{$key}[1] = $field1;
+ $configfwdfw{$key}[2] = $field2;
+ $configfwdfw{$key}[3] = $field3;
+ $configfwdfw{$key}[4] = $field4;
+ $configfwdfw{$key}[5] = $field5;
+ $configfwdfw{$key}[6] = $field6;
+ $configfwdfw{$key}[7] = '';
+ $configfwdfw{$key}[8] = '';
+ $configfwdfw{$key}[9] = '';
+ $configfwdfw{$key}[10] = '';
+ $configfwdfw{$key}[11] = $field11;
+ $configfwdfw{$key}[12] = $field12;
+ $configfwdfw{$key}[13] = $field13;
+ $configfwdfw{$key}[14] = $field14;
+ $configfwdfw{$key}[15] = $field15;
+ $configfwdfw{$key}[16] = $field16;
+ $configfwdfw{$key}[17] = '';
+ $configfwdfw{$key}[18] = '';
+ $configfwdfw{$key}[19] = '';
+ $configfwdfw{$key}[20] = '';
+ $configfwdfw{$key}[21] = '';
+ $configfwdfw{$key}[22] = '';
+ $configfwdfw{$key}[23] = '';
+ $configfwdfw{$key}[24] = '';
+ $configfwdfw{$key}[25] = '';
+ $configfwdfw{$key}[26] = $field26;
+ $configfwdfw{$key}[27] = $field27;
+ print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
+ }
+ &General::writehasharray($fwdfwconfig,\%configfwdfw);
+close (LOG);
+}
+
+sub check_ip
+{
+ my $adr=shift;
+ my $a;
+ #ip with subnet in decimal
+ if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ my $b = &General::iporsubtodec($5);
+ $a=$adr."/".$b;
+ }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ if(&General::validip($adr)){
+ $a=$adr."/32";
+ }
+ }
+ if(&General::validipandmask($adr)){
+ $a=&General::iporsubtodec($adr);
+ }
+ return $a;
+}
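Review bot: `$field2` is declared once at file scope and only ever set by `$field2=$e if($e eq 'ON');` inside the loop in process_rules, so after the first enabled rule every later rule that was disabled in the old config is written out as ON, and a switched-off pinhole comes back as an active ACCEPT rule. Assign it on every iteration instead: `$field2 = ($e eq 'ON') ? 'ON' : '';`. The script has no `use strict; use warnings;`, which is why the `$Now` typos in three `print LOG` lines (the variable is `$now`) go unnoticed and log an empty timestamp. The protocol `$a` and port `$d` from the old file are copied into the new rule unchecked; going by the `#TCP or UDP` comment, a guard such as `next unless $a =~ /^(?:TCP|UDP)$/;` before `$field12=$a;` would keep malformed entries out of the firewall config.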