From 2ecc38fce958a68d93451745e639b16a4d82dd5c Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Sat, 1 Nov 2014 20:21:51 +0100
Subject: [PATCH] guardian: Do not require an active red interface.

This allows to use sort or the SSH and HTTPD bruteforce detection on the "internal" zones, if the red zone is not used or down.
---
 config/guardian/guardian | 42 +++++++++++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 13 deletions(-)

diff --git a/config/guardian/guardian b/config/guardian/guardian
index 5dcbdda064..8d38e3f183 100644
--- a/config/guardian/guardian
+++ b/config/guardian/guardian
@@ -60,6 +60,13 @@ my $syslogfile = "/var/log/messages";
 my $alert_file = "/var/log/snort.alert";
 my $httpdlog_file = "/var/log/httpd/error_log";
 
+# Variable to store if the red interface is active and in use.
+my $red_active;
+
+# Variables to store IP information of the red device.
+my $hostipaddr;
+my $gatewayaddr;
+
 # Files for red and gateway addresses.
 my $redaddress_file = "/var/ipfire/red/local-ipaddress";
 my $gatewayaddress_file = "/var/ipfire/red/remote-ipaddress";
@@ -114,18 +121,19 @@ if (defined($options{"h"})) {
 # Setup signal handler.
 &sig_handler_setup;
 
-# Get host address.
-my $hostipaddr = &get_address("$redaddress_file");
+# Check if the red interface is active.
+if (-e "/var/ipfire/red/active") {
+ # Get host address.
+ $hostipaddr = &get_address("$redaddress_file");
 
-# Check if we got an address, otherwise we have to cancel here.
-if (! $hostipaddr) {
- die "Invalid $hostipaddr. Cannot go further!\n";
-}
-&logger("debug", "My host IP-address is: $hostipaddr\n");
+ &logger("debug", "My host IP-address is: $hostipaddr\n");
 
-# Get gateway address.
-my $gatewayaddr = &get_address("$gatewayaddress_file");
-&logger("debug", "My gatewayaddess is: $gatewayaddr\n");
+ # Get gateway address.
+ $gatewayaddr = &get_address("$gatewayaddress_file");
+ &logger("debug", "My gatewayaddess is: $gatewayaddr\n");
+} else {
+ &logger("debug", "RED interface not active.\n");
+}
 
 # Generate hash for ignored hosts or networks.
 &build_ignore_hash;
@@ -417,9 +425,12 @@ sub build_ignore_hash {
 my $count = 0;
 my @subnets;
 
- # Add our gatewayaddress and hostipaddr to the ignore hash.
- $ignorehash{$gatewayaddr} = 1;
- $ignorehash{$hostipaddr} = 1;
+ # Add our gatewayaddress and hostipaddr to the ignore hash
+ # if the red interface is in use.
+ if ($red_active) {
+ $ignorehash{$gatewayaddr} = 1;
+ $ignorehash{$hostipaddr} = 1;
+ }
 
 # Read-in the file if an ignorefile has been provided.
 if ($ignorefile ne "") {
@@ -835,6 +846,11 @@ sub clean_up_and_exit {
 sub get_aliases {
 my $ip;
 
+ # Skip if the red interface is not active.
+ unless($red_active) {
+ return 0;
+ }
+
 # Get name of the red interface.
 my $interface = &General::get_red_interface;
 
-- 
2.39.5
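Review bot: `$red_active` is declared in the first hunk and tested in `build_ignore_hash` and `get_aliases` (the third and fourth hunks), but no hunk of this patch ever assigns it, so after the `-e "/var/ipfire/red/active"` check it stays undef: the red and gateway addresses are never added to `%ignorehash` and `get_aliases` always returns 0, so the firewall's own red-side addresses are presumably no longer exempt from blocking even when red is up. The `if` branch should record the result, e.g. `$red_active = 1;` as its first statement. The removed `if (! $hostipaddr) { die ... }` guard is not replaced, so with the active file present but `get_address` returning nothing, `$hostipaddr` stays undef and `$ignorehash{$hostipaddr} = 1` later keys on the empty string; a guard such as `unless ($hostipaddr) { &logger("debug", "No red address found, treating RED as inactive.\n"); $red_active = 0; }` would keep the old protection without dying. The active file is checked once at startup, so a red connection that comes up after guardian starts is presumably not picked up until restart.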