2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
24 no warnings
'uninitialized' ;
26 # enable the following only for debugging purposes
28 #use CGI::Carp 'fatalsToBrowser';
31 my %defaultNetworks =();
41 my %configoutgoingfw =();
46 require '/var/ipfire/general-functions.pl' ;
47 require "${General::swroot}/lang.pl" ;
48 require "/usr/lib/firewall/firewall-lib.pl" ;
50 my $configfwdfw = "${General::swroot}/firewall/config" ;
51 my $configinput = "${General::swroot}/firewall/input" ;
52 my $configoutgoing = "${General::swroot}/firewall/outgoing" ;
53 my $p2pfile = "${General::swroot}/firewall/p2protocols" ;
54 my $configgrp = "${General::swroot}/fwhosts/customgroups" ;
55 my $netsettings = "${General::swroot}/ethernet/settings" ;
56 my $errormessage = '' ;
60 my ( $TYPE , $PROT , $SPROT , $DPROT , $SPORT , $DPORT , $TIME , $TIMEFROM , $TIMETILL , $SRC_TGT );
61 my $CHAIN = "FORWARDFW" ;
62 my $conexists = 'off' ;
63 my $command = 'iptables --wait -A' ;
67 & General
:: readhash
( "${General::swroot}/firewall/settings" , \
%fwdfwsettings );
68 & General
:: readhash
( " $netsettings " , \
%defaultNetworks );
69 & General
:: readhasharray
( $configfwdfw , \
%configfwdfw );
70 & General
:: readhasharray
( $configinput , \
%configinputfw );
71 & General
:: readhasharray
( $configoutgoing , \
%configoutgoingfw );
72 & General
:: readhasharray
( $configgrp , \
%customgrp );
73 & General
:: get_aliases
( \
%aliases );
75 #check if we have an internet connection
76 open ( CONN
, "/var/ipfire/red/iface" );
79 if (- f
"/var/ipfire/red/active" ){
82 open ( CONN1
, "/var/ipfire/red/local-ipaddress" );
88 my $MODE = 0 ; # 0 - normal operation
89 # 1 - print config line and rules to console
94 if ( $param eq 'flush' ){
96 print " Flushing chains... \n " ;
101 print " Flushing chains... \n " ;
105 print " Preparing rules... \n " ;
109 if ( $fwdfwsettings { 'POLICY' } eq 'MODE1' ){
111 system ( "/usr/sbin/firewall-policy" );
112 } elsif ( $fwdfwsettings { 'POLICY' } eq 'MODE2' ){
114 system ( "/usr/sbin/firewall-policy" );
120 system ( "iptables --wait -F FORWARDFW" );
121 system ( "iptables --wait -F INPUTFW" );
122 system ( "iptables --wait -F OUTGOINGFW" );
123 system ( "iptables --wait -t nat -F NAT_DESTINATION" );
124 system ( "iptables --wait -t nat -F NAT_SOURCE" );
128 if (! - z
"${General::swroot}/firewall/config" ){
129 & buildrules
( \
%configfwdfw );
131 if (! - z
"${General::swroot}/firewall/input" ){
132 & buildrules
( \
%configinputfw );
134 if (! - z
"${General::swroot}/firewall/outgoing" ){
135 & buildrules
( \
%configoutgoingfw );
149 foreach my $key ( sort { $a <=> $b } keys % $hash ){
150 next if (($ $hash { $key }[ 6 ] eq 'RED' || $ $hash { $key }[ 6 ] eq 'RED1' ) && $conexists eq 'off' );
151 $command = "iptables --wait -A" ;
152 if ($ $hash { $key }[ 28 ] eq 'ON' ){
153 $command = 'iptables --wait -t nat -A' ;
154 $natip =& get_nat_ip
($ $hash { $key }[ 29 ],$ $hash { $key }[ 31 ]);
155 if ($ $hash { $key }[ 31 ] eq 'dnat' ){
157 if ($ $hash { $key }[ 30 ] =~ /\|/ ){
158 $ $hash { $key }[ 30 ]=~ tr/|/,/ ;
159 $fireport = '-m multiport --dport ' .$ $hash { $key }[ 30 ];
161 $fireport = '--dport ' .$ $hash { $key }[ 30 ] if ($ $hash { $key }[ 30 ]> 0 );
168 if ($ $hash { $key }[ 2 ] eq 'ON' ){
170 if ($ $hash { $key }[ 3 ] eq 'cust_grp_src' ){
171 foreach my $grp ( sort { $a <=> $b } keys %customgrp ){
172 if ( $customgrp { $grp }[ 0 ] eq $ $hash { $key }[ 4 ]){
173 & get_address
( $customgrp { $grp }[ 3 ], $customgrp { $grp }[ 2 ], "src" );
177 & get_address
($ $hash { $key }[ 3 ],$ $hash { $key }[ 4 ], "src" );
180 if ($ $hash { $key }[ 5 ] eq 'cust_grp_tgt' ){
181 foreach my $grp ( sort { $a <=> $b } keys %customgrp ){
182 if ( $customgrp { $grp }[ 0 ] eq $ $hash { $key }[ 6 ]){
183 & get_address
( $customgrp { $grp }[ 3 ], $customgrp { $grp }[ 2 ], "tgt" );
186 } elsif ($ $hash { $key }[ 5 ] eq 'ipfire' ){
187 if ($ $hash { $key }[ 6 ] eq 'GREEN' ){
188 $targethash { $key }[ 0 ]= $defaultNetworks { 'GREEN_ADDRESS' };
190 if ($ $hash { $key }[ 6 ] eq 'BLUE' ){
191 $targethash { $key }[ 0 ]= $defaultNetworks { 'BLUE_ADDRESS' };
193 if ($ $hash { $key }[ 6 ] eq 'ORANGE' ){
194 $targethash { $key }[ 0 ]= $defaultNetworks { 'ORANGE_ADDRESS' };
196 if ($ $hash { $key }[ 6 ] eq 'ALL' ){
197 $targethash { $key }[ 0 ]= '0.0.0.0/0' ;
199 if ($ $hash { $key }[ 6 ] eq 'RED' || $ $hash { $key }[ 6 ] eq 'RED1' ){
200 open ( FILE
, "/var/ipfire/red/local-ipaddress" ) or die "Couldn't open local-ipaddress" ;
201 $targethash { $key }[ 0 ]= < FILE
>;
204 foreach my $alias ( sort keys %aliases ){
205 if ($ $hash { $key }[ 6 ] eq $alias ){
206 $targethash { $key }[ 0 ]= $aliases { $alias }{ 'IPT' };
211 & get_address
($ $hash { $key }[ 5 ],$ $hash { $key }[ 6 ], "tgt" );
213 ##get source prot and port
215 $SPORT = & get_port
( $hash , $key );
218 ##get target prot and port
219 $DPROT =& get_prot
( $hash , $key );
221 if ( $DPROT eq '' ){ $DPROT = ' ' ;}
222 @DPROT = split ( "," , $DPROT );
225 if ($ $hash { $key }[ 18 ] eq 'ON' ){
226 my ( $time1 , $time2 , $daylight );
227 my $daylight =$ $hash { $key }[ 28 ];
228 $time1 =& get_time
($ $hash { $key }[ 26 ], $daylight );
229 $time2 =& get_time
($ $hash { $key }[ 27 ], $daylight );
230 if ($ $hash { $key }[ 19 ] ne '' ){ push ( @timeframe , "Mon" );}
231 if ($ $hash { $key }[ 20 ] ne '' ){ push ( @timeframe , "Tue" );}
232 if ($ $hash { $key }[ 21 ] ne '' ){ push ( @timeframe , "Wed" );}
233 if ($ $hash { $key }[ 22 ] ne '' ){ push ( @timeframe , "Thu" );}
234 if ($ $hash { $key }[ 23 ] ne '' ){ push ( @timeframe , "Fri" );}
235 if ($ $hash { $key }[ 24 ] ne '' ){ push ( @timeframe , "Sat" );}
236 if ($ $hash { $key }[ 25 ] ne '' ){ push ( @timeframe , "Sun" );}
237 $TIME = join ( "," , @timeframe );
239 $TIMEFROM = "--timestart $time1 " ;
240 $TIMETILL = "--timestop $time2 " ;
241 $TIME = "-m time --weekdays $TIME $TIMEFROM $TIMETILL " ;
245 foreach my $i ( 0 .. $ #{$$hash{$key}}){
246 print " $i : $ $hash { $key }[ $i ] " ;
249 print "################################## \n " ;
250 #print rules to console
251 foreach my $DPROT ( @DPROT ){
252 $DPORT = & get_port
( $hash , $key , $DPROT );
253 if ( $DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP' ){
257 $PROT = "-p $PROT " if ( $PROT ne '' && $PROT ne ' ' );
258 foreach my $a ( sort keys %sourcehash ){
259 foreach my $b ( sort keys %targethash ){
260 if (! $sourcehash { $a }[ 0 ] || ! $targethash { $b }[ 0 ] || ( $natip eq '-d ' && $ $hash { $key }[ 28 ] eq 'ON' ) || (! $natip && $ $hash { $key }[ 28 ] eq 'ON' )){
261 #Skip rules when no RED IP is set (DHCP,DSL)
264 next if ( $targethash { $b }[ 0 ] eq 'none' );
266 if ( $sourcehash { $a }[ 0 ] ne $targethash { $b }[ 0 ] && $targethash { $b }[ 0 ] ne 'none' || $sourcehash { $a }[ 0 ] eq '0.0.0.0/0.0.0.0' ){
268 if ( substr ( $sourcehash { $a }[ 0 ], 3 , 3 ) ne 'mac' && $sourcehash { $a }[ 0 ] ne '' ){ $STAG = "-s" ;}
270 if ( substr ( $DPORT , 2 , 4 ) eq 'icmp' ){
271 my @icmprule = split ( "," , substr ( $DPORT , 12 ,));
273 $icmptype = "--icmp-type " ;
278 if ($ $hash { $key }[ 17 ] eq 'ON' ){
279 print " $command $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $icmptype $_ $TIME -j LOG \n " ;
281 print " $command $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $icmptype $_ $TIME -j $ $hash { $key }[0] \n " ;
283 #PROCESS DNAT RULE (Portforward)
284 } elsif ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'dnat' ){
285 $natchain = 'NAT_DESTINATION' ;
286 if ($ $hash { $key }[ 17 ] eq 'ON' ){
287 print " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n " ;
289 my ( $ip , $sub ) = split ( "/" , $targethash { $b }[ 0 ]);
290 #Process NAT with servicegroup used
291 if ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'dnat' && $ $hash { $key }[ 14 ] eq 'cust_srvgrp' ){
292 print " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT \n " ;
293 $fwaccessdport = $DPORT ;
295 print " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT \n " ;
298 $fwaccessdport = "--dport " . substr ( $DPORT , 1 ,);
299 } elsif (! $DPORT && $ $hash { $key }[ 30 ] ne '' ){
300 if ($ $hash { $key }[ 30 ]=~ m/|/i ){
301 $ $hash { $key }[ 30 ] =~ s/\|/,/g ;
302 $fwaccessdport = "-m multiport --dport $ $hash { $key }[30]" ;
304 $fwaccessdport = "--dport $ $hash { $key }[30]" ;
308 print "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash { $a }[0] -d $ip $fwaccessdport $TIME -j $ $hash { $key }[0] \n " ;
311 } elsif ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'snat' ){
312 $natchain = 'NAT_SOURCE' ;
313 if ($ $hash { $key }[ 17 ] eq 'ON' ){
314 print " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n " ;
316 print " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j $nat --to-source $natip \n " ;
318 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
319 if ( $PROT ne '-p ICMP' ){
320 if ($ $hash { $key }[ 17 ] eq 'ON' && $ $hash { $key }[ 28 ] ne 'ON' ){
321 print " $command $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j LOG \n " ;
323 print "iptables --wait -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j $ $hash { $key }[0] \n " ;
325 #PROCESS Prot ICMP and type = All ICMP-Types
326 if ( $PROT eq '-p ICMP' && $ $hash { $key }[ 9 ] eq 'All ICMP-Types' ){
327 if ($ $hash { $key }[ 17 ] eq 'ON' && $ $hash { $key }[ 28 ] ne 'ON' ){
328 print " $command $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j LOG \n " ;
330 print "iptables --wait -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j $ $hash { $key }[0] \n " ;
338 } elsif ( $MODE eq '0' ){
339 foreach my $DPROT ( @DPROT ){
340 $DPORT = & get_port
( $hash , $key , $DPROT );
342 $PROT = "-p $PROT " if ( $PROT ne '' && $PROT ne ' ' );
343 if ( $DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP' ){
346 foreach my $a ( sort keys %sourcehash ){
347 foreach my $b ( sort keys %targethash ){
348 if (! $sourcehash { $a }[ 0 ] || ! $targethash { $b }[ 0 ] || ( $natip eq '-d ' && $ $hash { $key }[ 28 ] eq 'ON' ) || (! $natip && $ $hash { $key }[ 28 ] eq 'ON' )){
349 #Skip rules when no RED IP is set (DHCP,DSL)
352 next if ( $targethash { $b }[ 0 ] eq 'none' );
354 if ( $sourcehash { $a }[ 0 ] ne $targethash { $b }[ 0 ] && $targethash { $b }[ 0 ] ne 'none' || $sourcehash { $a }[ 0 ] eq '0.0.0.0/0.0.0.0' ){
356 if ( substr ( $sourcehash { $a }[ 0 ], 3 , 3 ) ne 'mac' && $sourcehash { $a }[ 0 ] ne '' ){ $STAG = "-s" ;}
358 if ( substr ( $DPORT , 2 , 4 ) eq 'icmp' ){
359 my @icmprule = split ( "," , substr ( $DPORT , 12 ,));
361 $icmptype = "--icmp-type " ;
366 if ($ $hash { $key }[ 17 ] eq 'ON' ){
367 system ( " $command $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $icmptype $_ $TIME -j LOG" );
369 system ( " $command $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $icmptype $_ $TIME -j $ $hash { $key }[0]" );
371 #PROCESS DNAT RULE (Portforward)
372 } elsif ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'dnat' ){
373 $natchain = 'NAT_DESTINATION' ;
374 if ($ $hash { $key }[ 17 ] eq 'ON' ){
375 system " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n " ;
377 my ( $ip , $sub ) = split ( "/" , $targethash { $b }[ 0 ]);
378 #Process NAT with servicegroup used
379 if ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'dnat' && $ $hash { $key }[ 14 ] eq 'cust_srvgrp' ){
380 system " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT \n " ;
381 $fwaccessdport = $DPORT ;
383 system " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT $natip $fireport $TIME -j $nat --to-destination $ip $DPORT \n " ;
386 $fwaccessdport = "--dport " . substr ( $DPORT , 1 ,);
387 } elsif (! $DPORT && $ $hash { $key }[ 30 ] ne '' ){
388 if ($ $hash { $key }[ 30 ]=~ m/|/i ){
389 $ $hash { $key }[ 30 ] =~ s/\|/,/g ;
390 $fwaccessdport = "-m multiport --dport $ $hash { $key }[30]" ;
392 $fwaccessdport = "--dport $ $hash { $key }[30]" ;
396 system "iptables --wait -A FORWARDFW $PROT $STAG $sourcehash { $a }[0] -d $ip $fwaccessdport $TIME -j $ $hash { $key }[0] \n " ;
399 } elsif ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'snat' ){
400 $natchain = 'NAT_SOURCE' ;
401 if ($ $hash { $key }[ 17 ] eq 'ON' ){
402 system " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n " ;
404 system " $command $natchain $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j $nat --to-source $natip \n " ;
406 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
407 if ( $PROT ne '-p ICMP' ){
408 if ($ $hash { $key }[ 17 ] eq 'ON' && $ $hash { $key }[ 28 ] ne 'ON' ){
409 system " $command $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j LOG \n " ;
411 system "iptables --wait -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j $ $hash { $key }[0] \n " ;
413 #PROCESS Prot ICMP and type = All ICMP-Types
414 if ( $PROT eq '-p ICMP' && $ $hash { $key }[ 9 ] eq 'All ICMP-Types' ){
415 if ($ $hash { $key }[ 17 ] eq 'ON' && $ $hash { $key }[ 28 ] ne 'ON' ){
416 system " $command $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j LOG \n " ;
418 system "iptables --wait -A $ $hash { $key }[1] $PROT $STAG $sourcehash { $a }[0] $SPORT -d $targethash { $b }[0] $DPORT $TIME -j $ $hash { $key }[0] \n " ;
440 if ( $val eq 'RED' || $val eq 'GREEN' || $val eq 'ORANGE' || $val eq 'BLUE' ){
441 $result = $defaultNetworks { $val . '_ADDRESS' };
442 } elsif ( $val eq 'ALL' ){
444 } elsif ( $val eq 'Default IP' && $type eq 'dnat' ){
445 $result = '-d ' . $redip ;
446 } elsif ( $val eq 'Default IP' && $type eq 'snat' ){
449 foreach my $al ( sort keys %aliases ){
450 if ( $val eq $al && $type eq 'dnat' ){
451 $result = '-d ' . $aliases { $al }{ 'IPT' };
452 } elsif ( $val eq $al && $type eq 'snat' ){
453 $result = $aliases { $al }{ 'IPT' };
466 $minutes = & utcmin
( $val );
467 $ruletime = $minutes + & time_get_utc
( $val );
468 if ( $ruletime < 0 ){ $ruletime += 1440 ;}
469 if ( $ruletime > 1440 ){ $ruletime -= 1440 ;}
470 $time = sprintf " %02d : %02d " , $ruletime / 60 , $ruletime % 60 ;
475 # Calculates the UTC time from a given time
477 my @localtime = localtime ( time );
478 my @gmtime = gmtime ( time );
479 my $diff = ( $gmtime [ 2 ]* 60 + $gmtime [ 1 ] %60 )-( $localtime [ 2 ]* 60 + $localtime [ 1 ] %60 );
485 my ( $hrs , $min ) = split ( ":" , $ruletime );
486 my $newtime = $hrs * 60 + $min ;
493 open ( FILE
, "< $p2pfile " ) or die "Unable to read $p2pfile " ;
496 my $CMD = "-m ipp2p" ;
497 foreach my $p2pentry ( sort @p2ps ) {
498 my @p2pline = split ( /\;/ , $p2pentry );
499 if ( $fwdfwsettings { 'POLICY' } eq 'MODE1' ) {
501 if ( " $p2pline [2]" eq "on" ) {
502 $P2PSTRING = " $P2PSTRING -- $p2pline [1]" ;
506 if ( " $p2pline [2]" eq "off" ) {
507 $P2PSTRING = " $P2PSTRING -- $p2pline [1]" ;
513 print "/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO \n " ;
517 system ( "/sbin/iptables --wait -A FORWARDFW $CMD $P2PSTRING -j $DO " );
523 my $base = shift ; #source of checking ($configfwdfw{$key}[x] or groupkey
525 my $type = shift ; #src or tgt
532 my $key = & General
:: findhasharraykey
( $hash );
533 if ( $base eq 'src_addr' || $base eq 'tgt_addr' ){
534 if (& General
:: validmac
( $base2 )){
535 $ $hash { $key }[ 0 ] = "-m mac --mac-source $base2 " ;
537 $ $hash { $key }[ 0 ] = $base2 ;
539 } elsif ( $base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network' ){
540 $ $hash { $key }[ 0 ]=& fwlib
:: get_std_net_ip
( $base2 , $con );
541 } elsif ( $base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network' ){
542 $ $hash { $key }[ 0 ]=& fwlib
:: get_net_ip
( $base2 );
543 } elsif ( $base eq 'cust_host_src' || $base eq 'cust_host_tgt' || $base eq 'Custom Host' ){
544 $ $hash { $key }[ 0 ]=& fwlib
:: get_host_ip
( $base2 , $type );
545 } elsif ( $base eq 'ovpn_net_src' || $base eq 'ovpn_net_tgt' || $base eq 'OpenVPN static network' ){
546 $ $hash { $key }[ 0 ]=& fwlib
:: get_ovpn_net_ip
( $base2 , 1 );
547 } elsif ( $base eq 'ovpn_host_src' || $base eq 'ovpn_host_tgt' || $base eq 'OpenVPN static host' ){
548 $ $hash { $key }[ 0 ]=& fwlib
:: get_ovpn_host_ip
( $base2 , 33 );
549 } elsif ( $base eq 'ovpn_n2n_src' || $base eq 'ovpn_n2n_tgt' || $base eq 'OpenVPN N-2-N' ){
550 $ $hash { $key }[ 0 ]=& fwlib
:: get_ovpn_n2n_ip
( $base2 , 11 );
551 } elsif ( $base eq 'ipsec_net_src' || $base eq 'ipsec_net_tgt' || $base eq 'IpSec Network' ){
552 $ $hash { $key }[ 0 ]=& fwlib
:: get_ipsec_net_ip
( $base2 , 11 );
553 } elsif ( $base eq 'ipfire_src' ){
554 if ( $base2 eq 'GREEN' ){
555 $ $hash { $key }[ 0 ]= $defaultNetworks { 'GREEN_ADDRESS' };
557 if ( $base2 eq 'BLUE' ){
558 $ $hash { $key }[ 0 ]= $defaultNetworks { 'BLUE_ADDRESS' };
560 if ( $base2 eq 'ORANGE' ){
561 $ $hash { $key }[ 0 ]= $defaultNetworks { 'ORANGE_ADDRESS' };
564 $ $hash { $key }[ 0 ]= '0.0.0.0/0' ;
566 if ( $base2 eq 'RED' || $base2 eq 'RED1' ){
567 open ( FILE
, "/var/ipfire/red/local-ipaddress" );
568 $ $hash { $key }[ 0 ]= < FILE
>;
571 foreach my $alias ( sort keys %aliases ){
572 if ( $base2 eq $alias ){
573 $ $hash { $key }[ 0 ]= $aliases { $alias }{ 'IPT' };
583 #check AH,GRE,ESP or ICMP
584 if ($ $hash { $key }[ 7 ] ne 'ON' && $ $hash { $key }[ 11 ] ne 'ON' ){
585 return "$ $hash { $key }[8]" ;
587 if ($ $hash { $key }[ 7 ] eq 'ON' || $ $hash { $key }[ 11 ] eq 'ON' ){
588 #check if servicegroup or service
589 if ($ $hash { $key }[ 14 ] eq 'cust_srv' ){
590 return & fwlib
:: get_srv_prot
($ $hash { $key }[ 15 ]);
591 } elsif ($ $hash { $key }[ 14 ] eq 'cust_srvgrp' ){
592 return & fwlib
:: get_srvgrp_prot
($ $hash { $key }[ 15 ]);
593 } elsif (($ $hash { $key }[ 10 ] ne '' || $ $hash { $key }[ 15 ] ne '' ) && $ $hash { $key }[ 8 ] eq '' ){ #when ports are used and prot set to "all"
595 } elsif (($ $hash { $key }[ 10 ] ne '' || $ $hash { $key }[ 15 ] ne '' ) && ($ $hash { $key }[ 8 ] eq 'TCP' || $ $hash { $key }[ 8 ] eq 'UDP' )){ #when ports are used and prot set to "tcp" or "udp"
596 return "$ $hash { $key }[8]" ;
597 } elsif (($ $hash { $key }[ 10 ] eq '' && $ $hash { $key }[ 15 ] eq '' ) && $ $hash { $key }[ 8 ] ne 'ICMP' ){ #when ports are NOT used and prot NOT set to "ICMP"
598 return "$ $hash { $key }[8]" ;
600 return "$ $hash { $key }[8]" ;
604 if ( $SRC_TGT eq '' && $ $hash { $key }[ 31 ] eq 'dnat' && $ $hash { $key }[ 11 ] eq '' && $ $hash { $key }[ 12 ] ne '' ){
605 return "$ $hash { $key }[8]" ;
613 #Get manual defined Ports from SOURCE
614 if ($ $hash { $key }[ 7 ] eq 'ON' && $SRC_TGT eq 'SRC' ){
615 if ($ $hash { $key }[ 10 ] ne '' ){
616 $ $hash { $key }[ 10 ] =~ s/\|/,/g ;
617 if ( index ($ $hash { $key }[ 10 ], "," ) > 0 ){
618 return "-m multiport --sport $ $hash { $key }[10] " ;
620 if ($ $hash { $key }[ 28 ] ne 'ON' || ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'snat' ) ||($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'dnat' ) ){
621 return "--sport $ $hash { $key }[10] " ;
623 return ":$ $hash { $key }[10]" ;
627 #Get manual ports from TARGET
628 } elsif ($ $hash { $key }[ 11 ] eq 'ON' && $SRC_TGT eq '' ){
629 if ($ $hash { $key }[ 14 ] eq 'TGT_PORT' ){
630 if ($ $hash { $key }[ 15 ] ne '' ){
631 $ $hash { $key }[ 15 ] =~ s/\|/,/g ;
632 if ( index ($ $hash { $key }[ 15 ], "," ) > 0 ){
633 return "-m multiport --dport $ $hash { $key }[15] " ;
635 if ($ $hash { $key }[ 28 ] ne 'ON' || ($ $hash { $key }[ 28 ] eq 'ON' && $ $hash { $key }[ 31 ] eq 'snat' ) ){
636 return "--dport $ $hash { $key }[15] " ;
638 $ $hash { $key }[ 15 ] =~ s/\:/-/g ;
639 return ":$ $hash { $key }[15]" ;
643 #Get ports defined in custom Service (firewall-groups)
644 } elsif ($ $hash { $key }[ 14 ] eq 'cust_srv' ){
645 if ( $prot ne 'ICMP' ){
646 if ($ $hash { $key }[ 31 ] eq 'dnat' && $ $hash { $key }[ 28 ] eq 'ON' ){
647 my $ports =& fwlib
:: get_srv_port
($ $hash { $key }[ 15 ], 1 , $prot );
651 return "--dport " .& fwlib
:: get_srv_port
($ $hash { $key }[ 15 ], 1 , $prot );
653 } elsif ( $prot eq 'ICMP' && $ $hash { $key }[ 11 ] eq 'ON' ){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service
654 return "--icmp-type " .& fwlib
:: get_srv_port
($ $hash { $key }[ 15 ], 3 , $prot );
656 #Get ports from services which are used in custom servicegroups (firewall-groups)
657 } elsif ($ $hash { $key }[ 14 ] eq 'cust_srvgrp' ){
658 if ( $prot ne 'ICMP' ){
659 return & fwlib
:: get_srvgrp_port
($ $hash { $key }[ 15 ], $prot );
661 elsif ( $prot eq 'ICMP' ){
662 return & fwlib
:: get_srvgrp_port
($ $hash { $key }[ 15 ], $prot );
667 if ($ $hash { $key }[ 7 ] ne 'ON' && $ $hash { $key }[ 11 ] ne 'ON' && $SRC_TGT eq '' ){
668 if ($ $hash { $key }[ 9 ] ne '' && $ $hash { $key }[ 9 ] ne 'All ICMP-Types' ){
669 return "--icmp-type $ $hash { $key }[9] " ;
670 } elsif ($ $hash { $key }[ 9 ] eq 'All ICMP-Types' ){