From e09884e04f0aab0c9b4f2f3d22f9f653e93d0cb9 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Tue, 2 Apr 2013 11:24:22 +0200
Subject: [PATCH] Forward Firewall: some fixes:
1) Counter was not correctly decreased when deleting a network from a customgroup
2) Convert-outgoingfw improved
3) Backup didn't set filepermissions correctly
---
config/backup/backup.pl | 20 ++++++---
config/forwardfw/convert-outgoingfw | 63 +++++++++++++++++------------
html/cgi-bin/fwhosts.cgi | 2 +-
3 files changed, 53 insertions(+), 32 deletions(-)
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 4662a8a1d..28e2dd89e 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -76,15 +76,23 @@ elsif ($ARGV[0] eq 'restore') {
 system("touch ${General::swroot}/forward/outgoing");
 chown 99,99,"${General::swroot}/forward/outgoing";
 }
- unlink("${General::swroot}/fwhosts/*");
+ unlink("${General::swroot}/fwhosts/customgroups");
+ unlink("${General::swroot}/fwhosts/customhosts");
+ unlink("${General::swroot}/fwhosts/customgroups");
+ unlink("${General::swroot}/fwhosts/customnetworks");
+ unlink("${General::swroot}/fwhosts/customservicegrp");
+ unlink("${General::swroot}/fwhosts/customnetworks");
 system("touch ${General::swroot}/fwhosts/customgroups");
 system("touch ${General::swroot}/fwhosts/customhosts");
 system("touch ${General::swroot}/fwhosts/customnetworks");
 system("touch ${General::swroot}/fwhosts/customservicegrp");
- system("touch ${General::swroot}/fwhosts/customservices");
- chown 99,99,"${General::swroot}/fwhosts/*";
 #START CONVERTER "OUTGOINGFW"
 system("/usr/sbin/convert-outgoingfw");
+ chown 99,99,"${General::swroot}/fwhosts/customgroups";
+ chown 99,99,"${General::swroot}/fwhosts/customhosts";
+ chown 99,99,"${General::swroot}/fwhosts/customnetworks";
+ chown 99,99,"${General::swroot}/fwhosts/customservicegrp";
+ #START CONVERTER "OUTGOINGFW"
 rmtree("${General::swroot}/outgoing");
 }
 #XTACCESS CONVERTER
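Review bot: The new unlink block lists `customgroups` and `customnetworks` twice and never touches `customservices`, which the removed `system("touch .../customservices")` line used to create, so the set of files that is deleted, recreated and chowned is no longer the one the old code prepared; confirm the converter and the CGI do not expect customservices to exist. The second `#START CONVERTER "OUTGOINGFW"` comment now sits above `rmtree`, after the converter has already run, and should be dropped. Building the list once removes the duplicates and lets the ownership change be checked, since a chown that fails silently leaves root-owned files that the uid 99 owner the rest of the script expects can presumably not write: `my @fwhost_files = map { "${General::swroot}/fwhosts/$_" } qw(customgroups customhosts customnetworks customservicegrp);`, `unlink @fwhost_files;` and, after the converter, `chown(99, 99, @fwhost_files) == @fwhost_files or warn "chown fwhosts: $!";`. The enclosing restore branch starts before and continues past this hunk.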
@@ -92,10 +100,10 @@ elsif ($ARGV[0] eq 'restore') {
 if( -f "${General::swroot}/forward/input" ){
 unlink("${General::swroot}/forward/input");
 system("touch ${General::swroot}/forward/input");
- chown 99,99,"${General::swroot}/forward/input";
 }
 #START CONVERTER "XTACCESS"
 system("/usr/sbin/convert-xtaccess");
+ chown 99,99,"${General::swroot}/forward/input";
 rmtree("${General::swroot}/xtaccess");
 }
 #DMZ-HOLES CONVERTER
@@ -103,10 +111,10 @@ elsif ($ARGV[0] eq 'restore') {
 if( -f "${General::swroot}/forward/dmz" ){
 unlink("${General::swroot}/forward/dmz");
 system("touch ${General::swroot}/forward/dmz");
- chown 99,99,"${General::swroot}/forward/dmz";
 }
 #START CONVERTER "DMZ-HOLES"
 system("/usr/sbin/convert-dmz");
+ chown 99,99,"${General::swroot}/forward/dmz";
 rmtree("${General::swroot}/dmzholes");
 }
 #PORTFORWARD CONVERTER
@@ -114,10 +122,10 @@ elsif ($ARGV[0] eq 'restore') {
 if( -f "${General::swroot}/forward/nat" ){
 unlink("${General::swroot}/forward/nat");
 system("touch ${General::swroot}/forward/nat");
- chown 99,99,"${General::swroot}/forward/nat";
 }
 #START CONVERTER "PORTFW"
 system("/usr/sbin/convert-portfw");
+ chown 99,99,"${General::swroot}/forward/nat";
 rmtree("${General::swroot}/portfw");
 }
 system("/usr/local/bin/forwardfwctrl");
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw
index d065b5acd..54ba70987 100755
--- a/config/forwardfw/convert-outgoingfw
+++ b/config/forwardfw/convert-outgoingfw
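Review bot: The chown now runs after `system("/usr/sbin/convert-xtaccess")`, but neither that call nor the chown has its result checked, and `rmtree("${General::swroot}/xtaccess")` then deletes the only copy of the old rule data even when the converter exited non-zero; the dmz and nat hunks below and the outgoingfw hunk above have the same ordering. Gating the cleanup on the converter's status keeps a failed restore recoverable: `if (system("/usr/sbin/convert-xtaccess") == 0) { chown 99,99,"${General::swroot}/forward/input"; rmtree("${General::swroot}/xtaccess"); } else { warn "convert-xtaccess failed: $?"; }`. Moving the chown out of the `if( -f ... )` block also means it now runs even when `forward/input` did not exist beforehand, which is fine if the converter always creates the file but deserves a one-line comment. The restore branch continues outside the hunk.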
@@ -61,21 +61,22 @@ sub process_groups
 open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
 #IP Group processing
 foreach my $group (@ipgroups){
+ my $now=localtime;
 chomp $group;
- print LOG "\nProcessing IP-GROUP: $group...\n";
+ print LOG "\n$now Processing IP-GROUP: $group...\n";
 open (DATEI, "<$ipgrouppath/$group");
 my @zeilen = ;
 foreach my $ip (@zeilen){
 chomp($ip);
 $ip =~ s/\s//gi;
- print LOG "Check IP $ip from Group $group ";
+ print LOG "$now Check IP $ip from Group $group ";
 my $val=&check_ip($ip);
 if($val){
 push(@hostarray,$val.",ip");
- print LOG "-> OK\n";
+ print LOG "$now -> OK\n";
 }
 else{
- print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n";
+ print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n";
 }
 $val='';
 }
@@ -94,17 +95,17 @@ sub process_groups
 foreach my $mac (@zeilen){
 chomp($mac);
 $mac =~ s/\s//gi;
- print LOG "Checking MAC $mac from group $group ";
+ print LOG "$now Checking MAC $mac from group $group ";
 #MAC checking
 if(&General::validmac($mac)){
 $val=$mac;
 }
 if($val){
 push(@hostarray,$val.",mac");
- print LOG "$now -> OK\n";
+ print LOG "$now -> OK\n";
 }
 else{
- print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n";
+ print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n";
 }
 $val='';
 }
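Review bot: `$now` is used in the new MAC-loop log lines, but the only `my $now=localtime;` visible is the one added inside the IP-group `foreach` in the first hunk; if the MAC groups are walked in a separate loop (its `foreach` starts outside this hunk), `$now` is out of scope there, which is a compile error under `use strict` and an empty timestamp otherwise. Add `my $now=localtime;` at the top of that loop the same way the IP-group loop does. Because the value is taken once per group, every IP or MAC logged from the same group carries the same timestamp; if per-entry times are wanted, move the assignment into the inner loop instead.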
@@ -297,30 +298,31 @@ sub check_grp
 sub process_rules
 {
 my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+ #open LOG
+ if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
+ open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
+
 &General::readhash($fwdfwsettings,\%fwdsettings);
 if ($outsettings{'POLICY'} eq 'MODE1'){
- $fwdfwsettings{'POLICY'}='MODE1';
+ $fwdsettings{'POLICY'}='MODE1';
+ $fwdsettings{'POLICY1'}='MODE2';
 $type='ALLOW';
 $action='ACCEPT';
- }elsif($outsettings{'POLICY'} eq 'MODE2'){
+ }else{
 $fwdsettings{'POLICY'}='MODE2';
+ $fwdsettings{'POLICY1'}='MODE2';
 $type='DENY';
 $action='DROP';
- }else{
- return;
 }
 &General::writehash($fwdfwsettings,\%fwdsettings);
-
- #open LOG
- if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
- open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
 open (DATEI, "<$outgoingrules");
 my @lines = ;
 foreach my $rule (@lines) {
+ my $now=localtime;
 chomp($rule);
 $port='';
- print LOG "processing: $rule\n";
+ print LOG "$now processing: $rule\n";
 my @configline=();
 @configline = split( /\;/, $rule );
 my @prot=();
@@ -377,9 +379,10 @@ sub process_rules
 $grp1='std_net_src';
 $source='BLUE';
 }elsif ($configline[2] eq 'ipsec') {
- print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
+ print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
 next;
 }elsif ($configline[2] eq 'ovpn') {
+ print LOG "$now ->Creating networks/groups for OpenVPN...\n";
 &build_ovpn_grp;
 $grp1='cust_grp_src';
 $source='ovpn'
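Review bot: Replacing the `}elsif($outsettings{'POLICY'} eq 'MODE2'){` / `}else{ return; }` pair with a bare `else` means an unset or unrecognised `$outsettings{'POLICY'}` is now converted as MODE2 with DROP rules instead of aborting, so a missing or corrupt outgoingfw settings file silently chooses a policy during restore. Keep the explicit branch and log the unexpected value, which the LOG handle opened above the check now makes possible: `}elsif($outsettings{'POLICY'} eq 'MODE2'){` ... `}else{ print LOG scalar(localtime)." -> POLICY \"$outsettings{'POLICY'}\" not recognised, nothing converted\n"; return; }`. `$fwdsettings{'POLICY1'}` is set to `'MODE2'` in both branches; if it is meant to follow the converted policy the MODE1 branch should presumably store `'MODE1'`, otherwise a short comment saying why it is fixed would save the next reader the question. The rule loop and the sub continue past this hunk.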
@@ -391,7 +394,7 @@ sub process_rules
 $grp1='src_addr';
 $source="$ipa/$subn";
 }else{
- print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
+ print LOG "$now -> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
 next;
 }
 }elsif ($configline[2] eq 'mac') {
@@ -399,7 +402,7 @@ sub process_rules
 $grp1='src_addr';
 $source=$configline[6];
 }else{
- print LOG"-> Rule not converted, invalid MAC \"$configline[6]\" \n";
+ print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";
 next;
 }
 }elsif ($configline[2] eq 'all') {
@@ -413,7 +416,7 @@ sub process_rules
 }
 }
 if ($grp1 eq '' || $source eq ''){
- print LOG "-> Rule not converted, no valid source recognised\n";
+ print LOG "$now -> Rule not converted, no valid source recognised\n";
 }
 }
 ############################################################
@@ -432,7 +435,7 @@ sub process_rules
 $target=$getwebsiteip;
 $remark.=" $configline[7]";
 }else{
- print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n";
+ print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n";
 next;
 }
 }
@@ -451,7 +454,7 @@ sub process_rules
 push (@values,$_);
 $grp3='TGT_PORT';
 }else{
- print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+ print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
 next;
 }
 }else{
@@ -461,7 +464,7 @@ sub process_rules
 push (@values,"$a1:$a2");
 $grp3='TGT_PORT';
 }else{
- print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+ print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
 next;
 }
 }
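Review bot: The rewritten line in the mac hunk, `print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";`, keeps the missing space between the filehandle and the string that every other log line in this sub has; since the line is being touched anyway, write it as `print LOG "$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";` so the prints read alike. All hunks on this page only prefix `$now` and otherwise need no change; the rule loop they sit in starts and ends outside them.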
@@ -478,13 +481,14 @@ sub process_rules
 my $check;
 my $chain;
 foreach my $protocol (@prot){
+ my $now=localtime;
 if ($source eq 'IPFire'){
 $chain='OUTGOINGFW';
 }else{
 $chain='FORWARDFW';
 }
 $protocol=uc($protocol);
- print LOG "-> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
+ print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
 #Put rules into system....
 ###########################
 #check for double rules
@@ -583,6 +587,7 @@ sub get_ip_from_domain
 }
 sub build_ovpn_grp {
+ my $now=localtime;
 &General::readhasharray($confighosts,\%hosts);
 &General::readhasharray($confignets,\%nets);
 &General::readhasharray($configgroups,\%groups);
@@ -594,20 +599,24 @@ sub build_ovpn_grp
 if($settingsovpn{'DOVPN_SUBNET'}){
 my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
 push (@ovpnnets,"$net,$subnet,dynamic");
+ print LOG "$now ->found dynamic OpenVPN net\n";
 }
 foreach my $key (sort keys %ccdconf){
 my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
 $subnet=&General::iporsubtodec($subnet);
 push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
+ print LOG "$now ->found OpenVPN static net $net/$subnet\n";
 }
 foreach my $key (sort keys %configovpn){
 if ($configovpn{$key}[3] eq 'net'){
 my ($net,$subnet)=split("/",$configovpn{$key}[27]);
 push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
+ print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
 }
 }
 #add ovpn nets to customnetworks/groups
 foreach my $line (@ovpnnets){
+ my $now=localtime;
 my ($net,$subnet,$name) = split(",",$line);
 if (!&check_net($net,$subnet)){
 my $netkey = &General::findhasharraykey(\%nets);
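Review bot: The `my $now=localtime;` added inside `foreach my $protocol (@prot)` redeclares the `$now` that the rule loop already sets at its top, and `build_ovpn_grp` does the same twice (once at sub entry, again inside `foreach my $line (@ovpnnets)`); each inner declaration shadows the outer one and only refreshes the timestamp, so either drop the inner ones or, if per-iteration times are intended, say so in a comment such as `# fresh timestamp per protocol so long conversions are traceable`. `build_ovpn_grp` now prints to `LOG`, which on this page is only opened in `process_rules`; the existing "you can ignore this, if this run was manual from shell" message suggests the sub can be reached another way, in which case these prints land on an unopened handle — confirm the call path or open the log inside the sub. The protocol loop and `build_ovpn_grp` both continue past these hunks.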
@@ -616,7 +625,9 @@ sub build_ovpn_grp
 $nets{$netkey}[0] = $name2;
 $nets{$netkey}[1] = $net;
 $nets{$netkey}[2] = $subnet;
- $nets{$netkey}[3] = 1;
+ $nets{$netkey}[3] = '';
+ $nets{$netkey}[4] = 1;
+ print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
 }else{
 print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n";
 }
@@ -627,6 +638,7 @@ sub build_ovpn_grp
 $groups{$grpkey}[2] = $name2;
 $groups{$grpkey}[3] = "Custom Network";
 $groups{$grpkey}[4] = 0;
+ print LOG "$now ->added $name2 to customgroup ovpn\n";
 }
 $name2='';
 }
@@ -634,6 +646,7 @@ sub build_ovpn_grp
 &General::writehasharray($confighosts,\%hosts);
 &General::writehasharray($configgroups,\%groups);
 &General::writehasharray($confignets,\%nets);
+ print LOG "$now ->finished OVPN\n";
 }
 sub process_p2p {
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index a0bb21fb8..8581141e9 100755
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -863,7 +863,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
 &General::readhasharray("$confignet", \%customnetwork);
 foreach my $key1 (keys %customnetwork){
 if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){
- $customnetwork{$key1}[3] = $customnetwork{$key1}[3]-1;
+ $customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1;
 last;
 }
 }
-- 
2.39.2
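Review bot: The network record now stores `''` at index 3 and moves the usage counter to index 4, but nothing in this diff migrates `customnetworks` entries written with the previous layout, where the count lived at `[3]`; until such files are rewritten the CGI's new `[4]` decrement operates on an undefined value. A one-line comment next to `$nets{$netkey}[3] = '';` naming what field 3 holds would help, since the value is otherwise opaque to the reader. The `else` branch's `print LOG "-> Custom Network with same IP already exist ..."` is the only message in this sub that did not receive the `$now` prefix. `build_ovpn_grp` starts before this hunk.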
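Review bot: `$customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1;` drives the count below zero, or turns an undefined count into -1, whenever the counter was never incremented for this network, for example for entries saved before index 4 existed; guard it: `$customnetwork{$key1}[4]-- if $customnetwork{$key1}[4] > 0;`. The matching increment on the add-to-group path is outside this diff and must use the same index, otherwise the counter can still never reach the right value. The enclosing `deletegrphost` branch continues outside the hunk.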