]> git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/guardian.cgi
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
GUI: Some simple FW-Log cosmetics
[ipfire-2.x.git] / html / cgi-bin / guardian.cgi
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2016 IPFire Team <info@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23 use Locale::Codes::Country;
24 use Guardian::Socket;
25
26 # enable only the following on debugging purpose
27 #use warnings;
28 #use CGI::Carp 'fatalsToBrowser';
29
30 require '/var/ipfire/general-functions.pl';
31 require "${General::swroot}/lang.pl";
32 require "${General::swroot}/header.pl";
33
34 #workaround to suppress a warning when a variable is used only once
35 my @dummy = (
36 ${Header::colourred},
37 ${Header::colourgreen}
38 );
39
40 undef (@dummy);
41
42 my $string=();
43 my $memory=();
44 my @memory=();
45 my @pid=();
46 my @guardian=();
47
48 # Path to the guardian.ignore file.
49 my $ignorefile ='/var/ipfire/guardian/guardian.ignore';
50
51 # Hash which contains the supported modules and the
52 # file locations on IPFire systems.
53 my %module_file_locations = (
54 "HTTPD" => "/var/log/httpd/error_log",
55 "OWNCLOUD" => "/var/owncloud/data/owncloud.log",
56 "SNORT" => "/var/log/snort/alert",
57 "SSH" => "/var/log/messages",
58 );
59
60 our %netsettings = ();
61 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
62
63 our %color = ();
64 our %mainsettings = ();
65 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
66 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
67
68 # Pakfire meta file for owncloud.
69 # (File exists when the addon is installed.)
70 my $owncloud_meta = "/opt/pakfire/db/installed/meta-owncloud";
71
72
73 # File declarations.
74 my $settingsfile = "${General::swroot}/guardian/settings";
75 my $ignoredfile = "${General::swroot}/guardian/ignored";
76
77 # Create empty settings and ignoredfile if they do not exist yet.
78 unless (-e "$settingsfile") { system("touch $settingsfile"); }
79 unless (-e "$ignoredfile") { system("touch $ignoredfile"); }
80
81 our %settings = ();
82 our %ignored = ();
83
84 $settings{'ACTION'} = '';
85
86 $settings{'GUARDIAN_ENABLED'} = 'off';
87 $settings{'GUARDIAN_MONITOR_SNORT'} = 'on';
88 $settings{'GUARDIAN_MONITOR_SSH'} = 'on';
89 $settings{'GUARDIAN_MONITOR_HTTPD'} = 'on';
90 $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = '';
91 $settings{'GUARDIAN_LOG_FACILITY'} = 'syslog';
92 $settings{'GUARDIAN_LOGLEVEL'} = 'info';
93 $settings{'GUARDIAN_BLOCKCOUNT'} = '3';
94 $settings{'GUARDIAN_BLOCKTIME'} = '86400';
95 $settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP';
96 $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log';
97 $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3';
98
99 # Default settings for owncloud if installed.
100 if ( -e "$owncloud_meta") {
101 $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = 'off';
102 }
103
104 my $errormessage = '';
105
106 &Header::showhttpheaders();
107
108 # Get GUI values.
109 &Header::getcgihash(\%settings);
110
111 # Check if guardian is running and grab some stats.
112 &daemonstats();
113 my $pid = $pid[0];
114
115 ## Perform input checks and save settings.
116 #
117 if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
118 # Check for valid blocktime.
119 unless(($settings{'GUARDIAN_BLOCKTIME'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKTIME'} ne "0")) {
120 $errormessage = "$Lang::tr{'guardian invalid blocktime'}";
121 }
122
123 # Check if the blockcount is valid.
124 unless(($settings{'GUARDIAN_BLOCKCOUNT'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKCOUNT'} ne "0")) {
125 $errormessage = "$Lang::tr{'guardian invalid blockcount'}";
126 }
127
128 # Check Logfile.
129 unless($settings{'GUARDIAN_LOGFILE'} =~ /^[a-zA-Z0-9\.\/]+$/) {
130 $errormessage = "$Lang::tr{'guardian invalid logfile'}";
131 }
132
133 # Only continue if no error message has been set.
134 if($errormessage eq '') {
135 # Write configuration settings to file.
136 &General::writehash("${General::swroot}/guardian/settings", \%settings);
137
138 # Update configuration files.
139 &BuildConfiguration();
140 }
141
142 ## Add/edit an entry to the ignore file.
143 #
144 } elsif (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::tr{'update'})) {
145
146 # Check if any input has been performed.
147 if ($settings{'IGNORE_ENTRY_ADDRESS'} ne '') {
148
149 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
150 if ((!&General::validip($settings{'IGNORE_ENTRY_ADDRESS'})) && (!&General::validipandmask($settings{'IGNORE_ENTRY_ADDRESS'}))) {
151 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
152 }
153 } else {
154 $errormessage = "$Lang::tr{'guardian empty input'}";
155 }
156
157 # Go further if there was no error.
158 if ($errormessage eq '') {
159 my %ignored = ();
160 my $id;
161 my $status;
162
163 # Assign hash values.
164 my $new_entry_address = $settings{'IGNORE_ENTRY_ADDRESS'};
165 my $new_entry_remark = $settings{'IGNORE_ENTRY_REMARK'};
166
167 # Read-in ignoredfile.
168 &General::readhasharray($ignoredfile, \%ignored);
169
170 # Check if we should edit an existing entry and got an ID.
171 if (($settings{'ACTION'} eq $Lang::tr{'update'}) && ($settings{'ID'})) {
172 # Assin the provided id.
173 $id = $settings{'ID'};
174
175 # Undef the given ID.
176 undef($settings{'ID'});
177
178 # Grab the configured status of the corresponding entry.
179 $status = $ignored{$id}[2];
180 } else {
181 # Each newly added entry automatically should be enabled.
182 $status = "enabled";
183
184 # Generate the ID for the new entry.
185 #
186 # Sort the keys by their ID and store them in an array.
187 my @keys = sort { $a <=> $b } keys %ignored;
188
189 # Reverse the key array.
190 my @reversed = reverse(@keys);
191
192 # Obtain the last used id.
193 my $last_id = @reversed[0];
194
195 # Increase the last id by one and use it as id for the new entry.
196 $id = ++$last_id;
197 }
198
199 # Add/Modify the entry to/in the ignored hash.
200 $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"];
201
202 # Write the changed ignored hash to the ignored file.
203 &General::writehasharray($ignoredfile, \%ignored);
204
205 # Regenerate the ignore file.
206 &GenerateIgnoreFile();
207 }
208
209 # Check if guardian is running.
210 if ($pid > 0) {
211 # Send reload command through socket connection.
212 &Guardian::Socket::Client("reload-ignore-list");
213 }
214
215 ## Toggle Enabled/Disabled for an existing entry on the ignore list.
216 #
217
218 } elsif ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
219 my %ignored = ();
220
221 # Only go further, if an ID has been passed.
222 if ($settings{'ID'}) {
223 # Assign the given ID.
224 my $id = $settings{'ID'};
225
226 # Undef the given ID.
227 undef($settings{'ID'});
228
229 # Read-in ignoredfile.
230 &General::readhasharray($ignoredfile, \%ignored);
231
232 # Grab the configured status of the corresponding entry.
233 my $status = $ignored{$id}[2];
234
235 # Switch the status.
236 if ($status eq "disabled") {
237 $status = "enabled";
238 } else {
239 $status = "disabled";
240 }
241
242 # Modify the status of the existing entry.
243 $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"];
244
245 # Write the changed ignored hash to the ignored file.
246 &General::writehasharray($ignoredfile, \%ignored);
247
248 # Regenerate the ignore file.
249 &GenerateIgnoreFile();
250
251 # Check if guardian is running.
252 if ($pid > 0) {
253 # Send reload command through socket connection.
254 &Guardian::Socket::Client("reload-ignore-list");
255 }
256 }
257
258 ## Remove entry from ignore list.
259 #
260 } elsif ($settings{'ACTION'} eq $Lang::tr{'remove'}) {
261 my %ignored = ();
262
263 # Read-in ignoredfile.
264 &General::readhasharray($ignoredfile, \%ignored);
265
266 # Drop entry from the hash.
267 delete($ignored{$settings{'ID'}});
268
269 # Undef the given ID.
270 undef($settings{'ID'});
271
272 # Write the changed ignored hash to the ignored file.
273 &General::writehasharray($ignoredfile, \%ignored);
274
275 # Regenerate the ignore file.
276 &GenerateIgnoreFile();
277
278 # Check if guardian is running.
279 if ($pid > 0) {
280 # Send reload command through socket connection.
281 &Guardian::Socket::Client("reload-ignore-list");
282 }
283
284 ## Block a user given address or subnet.
285 #
286 } elsif ($settings{'ACTION'} eq $Lang::tr{'block'}) {
287
288 # Assign some temporary variables used for input validation.
289 my $input = $settings{'ADDRESS_BLOCK'};
290 my $green = $netsettings{'GREEN_ADDRESS'};
291 my $blue = $netsettings{'BLUE_ADDRESS'};
292 my $orange = $netsettings{'ORANGE_ADDRESS'};
293 my $red = $netsettings{'RED_ADDRESS'};
294
295 # File declarations.
296 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
297 my $dns1file = "${General::swroot}/red/dns1";
298 my $dns2file = "${General::swroot}/red/dns2";
299
300 # Get gateway address.
301 my $gateway = &_get_address_from_file($gatewayfile);
302
303 # Get addresses from the used dns servers.
304 my $dns1 = &_get_address_from_file($dns1file);
305 my $dns2 = &_get_address_from_file($dns2file);
306
307 # Check if any input has been performed.
308 if ($input eq '') {
309 $errormessage = "$Lang::tr{'guardian empty input'}";
310 }
311
312 # Check if the given input is localhost (127.0.0.1).
313 elsif ($input eq "127.0.0.1") {
314 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
315 }
316
317 # Check if the given input is anywhere (0.0.0.0).
318 elsif ($input eq "0.0.0.0") {
319 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
320 }
321
322 # Check if the given input is one of the interface addresses or our gateway.
323 elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway" || $input eq "$dns1" || $input eq "$dns2") {
324 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
325 }
326
327 # Check if the given input is a valid IP address.
328 elsif (!&General::validip($input)) {
329 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
330 }
331
332 # Go further if there was no error.
333 if ($errormessage eq '') {
334 my $block = $settings{'ADDRESS_BLOCK'};
335
336 # Send command to block the specified address through socket connection.
337 &Guardian::Socket::Client("block $block");
338 }
339
340 ## Unblock address or subnet.
341 #
342 } elsif ($settings{'ACTION'} eq $Lang::tr{'unblock'}) {
343
344 # Check if no empty input has been performed.
345 if ($settings{'ADDRESS_UNBLOCK'} ne '') {
346
347 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
348 if ((!&General::validip($settings{'ADDRESS_UNBLOCK'})) && (!&General::validipandmask($settings{'ADDRESS_UNBLOCK'}))) {
349 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
350 }
351
352 } else {
353 $errormessage = "$Lang::tr{'guardian empty input'}";
354 }
355
356 # Go further if there was no error.
357 if ($errormessage eq '') {
358 my $unblock = $settings{'ADDRESS_UNBLOCK'};
359
360 # Send command to unblock the given address through socket connection.
361 &Guardian::Socket::Client("unblock $unblock");
362 }
363
364 ## Unblock all.
365 #
366 } elsif ($settings{'ACTION'} eq $Lang::tr{'unblock all'}) {
367
368 # Send flush command through socket connection.
369 &Guardian::Socket::Client("flush");
370 }
371
372 # Load settings from files.
373 &General::readhash("${General::swroot}/guardian/settings", \%settings);
374 &General::readhasharray("${General::swroot}/guardian/ignored", \%ignored);
375
376 # Call functions to generate whole page.
377 &showMainBox();
378 &showIgnoreBox();
379
380 # Display area only if guardian is running.
381 if ( ($memory != 0) && ($pid > 0) ) {
382 &showBlockedBox();
383 }
384
385 # Function to display the status of guardian and allow base configuration.
386 sub showMainBox() {
387 my %checked = ();
388 my %selected = ();
389
390 $checked{'GUARDIAN_ENABLED'}{'on'} = '';
391 $checked{'GUARDIAN_ENABLED'}{'off'} = '';
392 $checked{'GUARDIAN_ENABLED'}{$settings{'GUARDIAN_ENABLED'}} = 'checked';
393 $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} = '';
394 $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} = '';
395 $checked{'GUARDIAN_MONITOR_SNORT'}{$settings{'GUARDIAN_MONITOR_SNORT'}} = "checked='checked'";
396 $checked{'GUARDIAN_MONITOR_SSH'}{'off'} = '';
397 $checked{'GUARDIAN_MONITOR_SSH'}{'on'} = '';
398 $checked{'GUARDIAN_MONITOR_SSH'}{$settings{'GUARDIAN_MONITOR_SSH'}} = "checked='checked'";
399 $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} = '';
400 $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} = '';
401 $checked{'GUARDIAN_MONITOR_HTTPD'}{$settings{'GUARDIAN_MONITOR_HTTPD'}} = "checked='checked'";
402 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} = '';
403 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} = '';
404 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{$settings{'GUARDIAN_MONITOR_OWNCLOUD'}} = "checked='checked'";
405
406 $selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected';
407 $selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected';
408 $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}} = 'selected';
409 $selected{'GUARDIAN_FIREWALL_ACTION'}{$settings{'GUARDIAN_FIREWALL_ACTION'}} = 'selected';
410
411 &Header::openpage($Lang::tr{'guardian configuration'}, 1, '');
412 &Header::openbigbox('100%', 'left', '', $errormessage);
413
414 # Print errormessage if there is one.
415 if ($errormessage) {
416 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
417 print "<font class='base'>$errormessage&nbsp;</font>\n";
418 &Header::closebox();
419 }
420
421 ### Java Script ###
422 print<<END;
423 <script>
424 var update_options = function() {
425
426 var logfacility = \$("#GUARDIAN_LOG_FACILITY").val();
427 var loglevel = \$("#GUARDIAN_LOGLEVEL").val();
428
429 if (logfacility === undefined)
430 return;
431
432 if (loglevel === undefined)
433 return;
434
435 // Show / Hide input for specifying the path to the logfile.
436 if (logfacility === "file") {
437 \$(".GUARDIAN_LOGFILE").show();
438 } else {
439 \$(".GUARDIAN_LOGFILE").hide();
440 }
441
442 // Show / Hide loglevel debug if the facility is set to syslog.
443 if (logfacility === "syslog") {
444 \$("#loglevel_debug").hide();
445 } else {
446 \$("#loglevel_debug").show();
447 }
448
449 // Show / Hide logfacility syslog if the loglevel is set to debug.
450 if (loglevel === "debug") {
451 \$("#logfacility_syslog").hide();
452 } else {
453 \$("#logfacility_syslog").show();
454 }
455 };
456
457 \$(document).ready(function() {
458 \$("#GUARDIAN_LOG_FACILITY").change(update_options);
459 \$("#GUARDIAN_LOGLEVEL").change(update_options);
460 update_options();
461
462 // Show / Hide snort priority level option, based if
463 // snort is enabled / disabled.
464 if (\$('input[name=GUARDIAN_MONITOR_SNORT]:checked').val() == 'on') {
465 \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').show();
466 } else {
467 \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').hide();
468 }
469
470 // Show/Hide snort priority level when GUARDIAN_MONITOR_SNORT get changed.
471 \$('input[name=GUARDIAN_MONITOR_SNORT]').change(function() {
472 \$('.GUARDIAN_SNORT_PRIORITY_LEVEL').toggle();
473 });
474 });
475 </script>
476 END
477
478
479
480 # Draw current guardian state.
481 &Header::openbox('100%', 'center', $Lang::tr{'guardian'});
482
483 # Get current status of guardian.
484 &daemonstats();
485 $pid = $pid[0];
486
487 # Display some useful information related to guardian, if daemon is running.
488 if ( ($memory != 0) && ($pid > 0) ){
489 print <<END;
490 <table width='95%' cellspacing='0' class='tbl'>
491 <tr>
492 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
493 </tr>
494 <tr>
495 <td class='base'>$Lang::tr{'guardian daemon'}</td>
496 <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td>
497 </tr>
498 <tr>
499 <td class='base'></td>
500 <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td>
501 <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td>
502 </tr>
503 <tr>
504 <td class='base'></td>
505 <td bgcolor='$color{'color22'}' align='center'>$pid</td>
506 <td bgcolor='$color{'color22'}' align='center'>$memory KB</td>
507 </tr>
508 </table>
509 END
510 } else {
511 # Otherwise display a hint that the service is not launched.
512 print <<END;
513 <table width='95%' cellspacing='0' class='tbl'>
514 <tr>
515 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
516 </tr>
517 <tr>
518 <td class='base'>$Lang::tr{'guardian daemon'}</td>
519 <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td>
520 </tr>
521 </table>
522 END
523 }
524
525 &Header::closebox();
526
527 # Draw elements for guardian configuration.
528 &Header::openbox('100%', 'center', $Lang::tr{'guardian configuration'});
529
530 print <<END;
531 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
532
533 <table width='95%'>
534 <tr>
535 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian common settings'}</b></td>
536 </tr>
537
538 <tr>
539 <td width='25%' class='base'>$Lang::tr{'guardian enabled'}:</td>
540 <td><input type='checkbox' name='GUARDIAN_ENABLED' $checked{'GUARDIAN_ENABLED'}{'on'} /></td>
541 </tr>
542
543 <tr>
544 <td colspan='2'><br></td>
545 </tr>
546
547 <tr>
548 <td width='25%' class='base'>$Lang::tr{'guardian watch snort alertfile'}</td>
549 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='on' $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} /> /
550 <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='off' $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} /> off</td>
551 </tr>
552
553 <tr>
554 <td width='25%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td>
555 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> /
556 <input type='radio' name='GUARDIAN_MONITOR_SSH' value='off' $checked{'GUARDIAN_MONITOR_SSH'}{'off'} /> off</td>
557 </tr>
558
559 <tr>
560 <td width='25%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td>
561 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> /
562 <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td>
563 </tr>
564 END
565
566 # Display owncloud checkbox when the addon is installed.
567 if ( -e "$owncloud_meta" ) {
568 print"<tr>\n";
569 print"<td width='25%' class='base'>$Lang::tr{'guardian block owncloud brute-force'}</td>\n";
570 print"<td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='on' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} /> /\n";
571 print"<input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='off' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} /> off</td>\n";
572 print"</tr>\n";
573 }
574 print <<END;
575 <tr>
576 <td colspan='2'><br></td>
577 </tr>
578
579 <tr>
580 <td align='left' width='20%'>$Lang::tr{'guardian logfacility'}:</td>
581 <td width='25%'><select id='GUARDIAN_LOG_FACILITY' name='GUARDIAN_LOG_FACILITY'>
582 <option id='logfacility_syslog' value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>$Lang::tr{'guardian logtarget_syslog'}</option>
583 <option id='logfacility_file' value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>$Lang::tr{'guardian logtarget_file'}</option>
584 <option id='logfacility_console' value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>$Lang::tr{'guardian logtarget_console'}</option>
585 </select></td>
586
587 <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td>
588 <td width='25%'><select id='GUARDIAN_LOGLEVEL' name='GUARDIAN_LOGLEVEL'>
589 <option id='loglevel_off' value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>$Lang::tr{'guardian loglevel_off'}</option>
590 <option id='loglevel_info' value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>$Lang::tr{'guardian loglevel_info'}</option>
591 <option id='loglevel_debug' value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>$Lang::tr{'guardian loglevel_debug'}</option>
592 </select></td>
593 </tr>
594
595 <tr class="GUARDIAN_LOGFILE">
596 <td colspan='2'><br></td>
597 </tr>
598
599 <tr class="GUARDIAN_LOGFILE">
600 <td width='25%' class='base'>$Lang::tr{'guardian logfile'}:</td>
601 <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td>
602 </tr>
603
604 <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL">
605 <td colspan='2'><br></td>
606 </tr>
607
608 <tr class="GUARDIAN_SNORT_PRIORITY_LEVEL">
609 <td align='left' width='20%'>$Lang::tr{'guardian priority level'}:</td>
610 <td><select name='GUARDIAN_SNORT_PRIORITY_LEVEL'>
611 <option value='1' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'1'}>$Lang::tr{'guardian priolevel_high'}</option>
612 <option value='2' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'2'}>$Lang::tr{'guardian priolevel_medium'}</option>
613 <option value='3' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'3'}>$Lang::tr{'guardian priolevel_low'}</option>
614 <option value='4' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'4'}>$Lang::tr{'guardian priolevel_very_low'}</option>
615 </select></td>
616
617 <td width='25%' class='base'>$Lang::tr{'guardian blockcount'}:</td>
618 <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td>
619 </tr>
620
621 <tr>
622 <td colspan='2'><br></td>
623 </tr>
624
625 <tr>
626 <td width='25%' class='base'>$Lang::tr{'guardian firewallaction'}:</td>
627 <td><select name='GUARDIAN_FIREWALL_ACTION'>
628 <option value='DROP' $selected{'GUARDIAN_FIREWALL_ACTION'}{'DROP'}>Drop</option>
629 <option value='REJECT' $selected{'GUARDIAN_FIREWALL_ACTION'}{'REJECT'}>Reject</option>
630 </select></td>
631
632 <td width='25%' class='base'>$Lang::tr{'guardian blocktime'}:</td>
633 <td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td>
634 </tr>
635
636 </table>
637 END
638
639 print <<END;
640 <hr>
641
642 <table width='95%'>
643 <tr>
644 <td>&nbsp;</td>
645 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
646 <td>&nbsp;</td>
647 </tr>
648 </table>
649 </form>
650 END
651
652 &Header::closebox();
653 }
654
655 # Function to show elements of the guardian ignorefile and allow to add or remove single members of it.
656 sub showIgnoreBox() {
657 &Header::openbox('100%', 'center', $Lang::tr{'guardian ignored hosts'});
658
659 print <<END;
660 <table width='80%'>
661 <tr>
662 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td>
663 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td>
664 <td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
665 </tr>
666 END
667 # Check if some hosts have been added to be ignored.
668 if (keys (%ignored)) {
669 my $col = "";
670
671 # Loop through all entries of the hash.
672 while( (my $key) = each %ignored) {
673 # Assign data array positions to some nice variable names.
674 my $address = $ignored{$key}[0];
675 my $remark = $ignored{$key}[1];
676 my $status = $ignored{$key}[2];
677
678 # Check if the key (id) number is even or not.
679 if ($settings{'ID'} eq $key) {
680 $col="bgcolor='${Header::colouryellow}'";
681 } elsif ($key % 2) {
682 $col="bgcolor='$color{'color22'}'";
683 } else {
684 $col="bgcolor='$color{'color20'}'";
685 }
686
687 # Choose icon for the checkbox.
688 my $gif;
689 my $gdesc;
690
691 # Check if the status is enabled and select the correct image and description.
692 if ($status eq 'enabled' ) {
693 $gif = 'on.gif';
694 $gdesc = $Lang::tr{'click to disable'};
695 } else {
696 $gif = 'off.gif';
697 $gdesc = $Lang::tr{'click to enable'};
698 }
699
700 print <<END;
701 <tr>
702 <td width='20%' class='base' $col>$address</td>
703 <td width='65%' class='base' $col>$remark</td>
704
705 <td align='center' $col>
706 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
707 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
708 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' />
709 <input type='hidden' name='ID' value='$key' />
710 </form>
711 </td>
712
713 <td align='center' $col>
714 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
715 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
716 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
717 <input type='hidden' name='ID' value='$key' />
718 </form>
719 </td>
720
721 <td align='center' $col>
722 <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'>
723 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'>
724 <input type='hidden' name='ID' value='$key'>
725 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}'>
726 </form>
727 </td>
728 </tr>
729 END
730 }
731 } else {
732 # Print notice that currently no hosts are ignored.
733 print "<tr>\n";
734 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
735 print "</tr>\n";
736 }
737
738 print "</table>\n";
739
740 # Section to add new elements or edit existing ones.
741 print <<END;
742 <br>
743 <hr>
744 <br>
745
746 <div align='center'>
747 <table width='100%'>
748 END
749
750 # Assign correct headline and button text.
751 my $buttontext;
752 my $entry_address;
753 my $entry_remark;
754
755 # Check if an ID (key) has been given, in this case an existing entry should be edited.
756 if ($settings{'ID'} ne '') {
757 $buttontext = $Lang::tr{'update'};
758 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n";
759
760 # Grab address and remark for the given key.
761 $entry_address = $ignored{$settings{'ID'}}[0];
762 $entry_remark = $ignored{$settings{'ID'}}[1];
763 } else {
764 $buttontext = $Lang::tr{'add'};
765 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n";
766 }
767
768 print <<END;
769 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
770 <input type='hidden' name='ID' value='$settings{'ID'}'>
771 <tr>
772 <td width='30%'>$Lang::tr{'ip address'}: </td>
773 <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
774
775 <td width='30%'>$Lang::tr{'remark'}: </td>
776 <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
777 <td align='center' width='20%'><input type='submit' name='ACTION' value='$buttontext' /></td>
778 </tr>
779 </form>
780 </table>
781 </div>
782 END
783
784 &Header::closebox();
785 }
786
787 # Function to list currently blocked addresses from guardian and unblock them or add custom entries to block.
788 sub showBlockedBox() {
789 &Header::openbox('100%', 'center', $Lang::tr{'guardian blocked hosts'});
790
791 print <<END;
792 <table width='60%'>
793 <tr>
794 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian blocked hosts'}</b></td>
795 </tr>
796 END
797
798 # Launch function to get the currently blocked hosts.
799 my @blocked_hosts = &GetBlockedHosts();
800
801 my $id = 0;
802 my $col = "";
803
804 # Loop through our blocked hosts array.
805 foreach my $blocked_host (@blocked_hosts) {
806
807 # Increase id number for each element in the ignore file.
808 $id++;
809
810 # Check if the id number is even or not.
811 if ($id % 2) {
812 $col="bgcolor='$color{'color22'}'";
813 } else {
814 $col="bgcolor='$color{'color20'}'";
815 }
816
817 print <<END;
818 <tr>
819 <td width='80%' class='base' $col><a href='/cgi-bin/ipinfo.cgi?ip=$blocked_host'>$blocked_host</a></td>
820 <td width='20%' align='center' $col>
821 <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
822 <input type='image' name='$Lang::tr{'unblock'}' src='/images/delete.gif' title='$Lang::tr{'unblock'}' alt='$Lang::tr{'unblock'}'>
823 <input type='hidden' name='ADDRESS_UNBLOCK' value='$blocked_host'>
824 <input type='hidden' name='ACTION' value='$Lang::tr{'unblock'}'>
825 </form>
826 </td>
827 </tr>
828 END
829 }
830
831 # If the loop only has been run once the id still is "0", which means there are no
832 # additional entries (blocked hosts) in the iptables chain.
833 if ($id == 0) {
834
835 # Print notice that currently no hosts are blocked.
836 print "<tr>\n";
837 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
838 print "</tr>\n";
839 }
840
841 print "</table>\n";
842
843 # Section for a manual block of an IP-address.
844 print <<END;
845 <br>
846 <div align='center'>
847 <table width='60%' border='0'>
848 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
849 <tr>
850 <td width='30%'>$Lang::tr{'guardian block a host'}: </td>
851 <td width='40%'><input type='text' name='ADDRESS_BLOCK' value='' size='24' /></td>
852 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'block'}'></td>
853 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'unblock all'}'></td>
854 </tr>
855 </form>
856 </table>
857 </div>
858 END
859
860 &Header::closebox();
861 }
862
863 &Header::closebigbox();
864 &Header::closepage();
865
866 # Function to check if guardian has been started.
867 # Grab process id and consumed memory if the daemon is running.
868 sub daemonstats() {
869 $memory = 0;
870 # for pid and memory
871 open(FILE, '/usr/local/bin/addonctrl guardian status | ');
872 @guardian = <FILE>;
873 close(FILE);
874 $string = join("", @guardian);
875 $string =~ s/[a-z_]//gi;
876 $string =~ s/\[[0-1]\;[0-9]+//gi;
877 $string =~ s/[\(\)\.]//gi;
878 $string =~ s/ //gi;
879 $string =~ s/\e//gi;
880 @pid = split(/\s/,$string);
881 if (open(FILE, "/proc/$pid[0]/statm")){
882 my $temp = <FILE>;
883 @memory = split(/ /,$temp);
884 close(FILE);
885 }
886 $memory+=$memory[0];
887 }
888
889 sub GetBlockedHosts() {
890 # Create new, empty array.
891 my @hosts;
892
893 # Launch helper to get chains from iptables.
894 system('/usr/local/bin/getipstat');
895
896 # Open temporary file which contains the chains and rules.
897 open (FILE, '/var/tmp/iptables.txt');
898
899 # Loop through the entire file.
900 while (<FILE>) {
901 my $line = $_;
902
903 # Search for the guardian chain and extract
904 # the lines between it and the next empty line
905 # which is placed before the next firewall
906 # chain starts.
907 if ($line =~ /^Chain GUARDIAN/ .. /^\s*$/) {
908 # Skip descriptive lines.
909 next if ($line =~ /^Chain/);
910 next if ($line =~ /^ pkts/);
911
912 # Generate array, based on the line content (separator is a single or multiple space)
913 my @comps = split(/\s{1,}/, $line);
914 my ($lead, $pkts, $bytes, $target, $prot, $opt, $in, $out, $source, $destination) = @comps;
915
916 # Assign different variable names.
917 my $blocked_host = $source;
918
919 # Add host to our hosts array.
920 if ($blocked_host) {
921 push(@hosts, $blocked_host);
922 }
923 }
924 }
925
926 # Close filehandle.
927 close(FILE);
928
929 # Remove recently created temporary files of the "getipstat" binary.
930 system("rm -f /var/tmp/iptables.txt");
931 system("rm -f /var/tmp/iptablesmangle.txt");
932 system("rm -f /var/tmp/iptablesnat.txt");
933
934 # Convert entries, sort them, write back and store the sorted entries into new array.
935 my @sorted = map { $_->[0] }
936 sort { $a->[1] <=> $b->[1] }
937 map { [$_, int sprintf("%03.f%03.f%03.f%03.f", split(/\./, $_))] }
938 @hosts;
939
940 # Return our sorted list.
941 return @sorted
942 }
943
944 sub BuildConfiguration() {
945 my %settings = ();
946 &General::readhash("${General::swroot}/guardian/settings", \%settings);
947
948 my $configfile = "${General::swroot}/guardian/guardian.conf";
949
950 # Create the configfile if none exists yet.
951 unless (-e "$configfile") { system("touch $configfile"); }
952
953 # Open configfile for writing.
954 open(FILE, ">$configfile");
955
956 # Config file header.
957 print FILE "# Autogenerated configuration file.\n";
958 print FILE "# All user modifications will be overwritten.\n\n";
959
960 # Settings for the logging mechanism.
961 print FILE "# Log settings.\n";
962 print FILE "LogFacility = $settings{'GUARDIAN_LOG_FACILITY'}\n";
963
964 if ($settings{'GUARDIAN_LOG_FACILITY'} eq "file") {
965 print FILE "LogFile = $settings{'GUARDIAN_LOGFILE'}\n";
966 }
967
968 print FILE "LogLevel = $settings{'GUARDIAN_LOGLEVEL'}\n\n";
969
970 # IPFire related static settings.
971 print FILE "# IPFire related settings.\n";
972 print FILE "FirewallEngine = IPtables\n";
973 print FILE "SocketOwner = nobody:nobody\n";
974 print FILE "IgnoreFile = $ignorefile\n\n";
975
976 # Configured block values.
977 print FILE "# Configured block settings.\n";
978 print FILE "BlockCount = $settings{'GUARDIAN_BLOCKCOUNT'}\n";
979 print FILE "BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n";
980 print FILE "FirewallAction = $settings{'GUARDIAN_FIREWALL_ACTION'}\n\n";
981
982 # Enabled modules.
983 # Loop through whole settings hash.
984 print FILE "# Enabled modules.\n";
985 foreach my $option (keys %settings) {
986 # Search for enabled modules.
987 if ($option =~ /GUARDIAN_MONITOR_(.*)/) {
988 # Skip if module is not enabled.
989 next unless($settings{$option} eq "on");
990
991 # Skip module if no file location is available.
992 next unless(exists($module_file_locations{$1}));
993
994 # Add enabled module and defined path to the config file.
995 print FILE "Monitor_$1 = $module_file_locations{$1}\n";
996 }
997 }
998
999 # Module settings.
1000 print FILE "\n# Module settings.\n";
1001 # Check if SNORT is enabled and add snort priority.
1002 if ($settings{'GUARDIAN_MONITOR_SNORT'} eq "on") {
1003 print FILE "SnortPriorityLevel = $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}\n";
1004 }
1005
1006 close(FILE);
1007
1008 # Generate ignore file.
1009 &GenerateIgnoreFile();
1010
1011 # Check if guardian should be started or stopped.
1012 if($settings{'GUARDIAN_ENABLED'} eq 'on') {
1013 if($pid > 0) {
1014 # Send reload command through socket connection.
1015 &Guardian::Socket::Client("reload");
1016 } else {
1017 # Launch guardian.
1018 system("/usr/local/bin/addonctrl guardian start &>/dev/null");
1019 }
1020 } else {
1021 # Stop the daemon.
1022 system("/usr/local/bin/addonctrl guardian stop &>/dev/null");
1023 }
1024 }
1025
1026 sub GenerateIgnoreFile() {
1027 my %ignored = ();
1028
1029 # Read-in ignoredfile.
1030 &General::readhasharray($ignoredfile, \%ignored);
1031
1032 # Create the guardian.ignore file if not exist yet.
1033 unless (-e "$ignorefile") { system("touch $ignorefile"); }
1034
1035 # Open ignorefile for writing.
1036 open(FILE, ">$ignorefile");
1037
1038 # Config file header.
1039 print FILE "# Autogenerated configuration file.\n";
1040 print FILE "# All user modifications will be overwritten.\n\n";
1041
1042 # Add IFPire interfaces and gateway to the ignore file.
1043 #
1044 # Assign some temporary variables for the IPFire interfaces.
1045 my $green = $netsettings{'GREEN_ADDRESS'};
1046 my $blue = $netsettings{'BLUE_ADDRESS'};
1047 my $orange = $netsettings{'ORANGE_ADDRESS'};
1048
1049 # File declarations.
1050 my $public_address_file = "${General::swroot}/red/local-ipaddress";
1051 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
1052 my $dns1file = "${General::swroot}/red/dns1";
1053 my $dns2file = "${General::swroot}/red/dns2";
1054
1055 # Write the obtained addresses to the ignore file.
1056 print FILE "# IPFire local interfaces.\n";
1057 print FILE "$green\n";
1058
1059 # Check if a blue interface exists.
1060 if ($blue) {
1061 # Add blue address.
1062 print FILE "$blue\n";
1063 }
1064
1065 # Check if an orange interface exists.
1066 if ($orange) {
1067 # Add orange address.
1068 print FILE "$orange\n";
1069 }
1070
1071 print FILE "\n# IPFire red interface, gateway and used DNS-servers.\n";
1072 print FILE "# Include the corresponding files to obtain the addresses.\n";
1073 print FILE "Include_File = $public_address_file\n";
1074 print FILE "Include_File = $gatewayfile\n";
1075 print FILE "Include_File = $dns1file\n";
1076 print FILE "Include_File = $dns2file\n";
1077
1078 # Add all user defined hosts and networks to the ignore file.
1079 #
1080 # Check if the hash contains any elements.
1081 if (keys (%ignored)) {
1082 # Write headline.
1083 print FILE "\n# User defined hosts/networks.\n";
1084
1085 # Loop through the entire hash and write the host/network
1086 # and remark to the ignore file.
1087 while ( (my $key) = each %ignored) {
1088 my $address = $ignored{$key}[0];
1089 my $remark = $ignored{$key}[1];
1090 my $status = $ignored{$key}[2];
1091
1092 # Check if the status of the entry is "enabled".
1093 if ($status eq "enabled") {
1094 # Check if the address/network is valid.
1095 if ((&General::validip($address)) || (&General::validipandmask($address))) {
1096 # Write the remark to the file.
1097 print FILE "# $remark\n";
1098
1099 # Write the address/network to the ignore file.
1100 print FILE "$address\n\n";
1101 }
1102 }
1103 }
1104 }
1105
1106 close(FILE);
1107 }
1108
1109 # Private subfunction to obtain IP-addresses from given file names.
1110 #
1111 sub _get_address_from_file ($) {
1112 my $file = shift;
1113
1114 # Check if the file exists.
1115 if (-e $file) {
1116 # Open the given file.
1117 open(FILE, "$file") or die "Could not open $file.";
1118
1119 # Obtain the address from the first line of the file.
1120 my $address = <FILE>;
1121
1122 # Close filehandle
1123 close(FILE);
1124
1125 # Remove newlines.
1126 chomp $address;
1127
1128 # Check if the grabbed address is valid.
1129 if (&General::validip($address)) {
1130 # Return the address.
1131 return $address;
1132 }
1133 }
1134
1135 # Return nothing.
1136 return;
1137 }
IPFire 2.x development tree