]>
git.ipfire.org Git - ipfire-2.x.git/blob - html/cgi-bin/guardian.cgi
2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2016 IPFire Team <info@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
23 use Locale
::Codes
::Country
;
26 # enable only the following on debugging purpose
28 #use CGI::Carp 'fatalsToBrowser';
30 require '/var/ipfire/general-functions.pl';
31 require "${General::swroot}/lang.pl";
32 require "${General::swroot}/header.pl";
34 #workaround to suppress a warning when a variable is used only once
37 ${Header
::colourgreen
}
48 # Path to the guardian.ignore file.
49 my $ignorefile ='/var/ipfire/guardian/guardian.ignore';
51 # Hash which contains the supported modules and the
52 # file locations on IPFire systems.
53 my %module_file_locations = (
54 "HTTPD" => "/var/log/httpd/error_log",
55 "OWNCLOUD" => "/var/owncloud/data/owncloud.log",
56 "SNORT" => "/var/log/snort.alert",
57 "SSH" => "/var/log/messages",
60 our %netsettings = ();
61 &General
::readhash
("${General::swroot}/ethernet/settings", \
%netsettings);
64 our %mainsettings = ();
65 &General
::readhash
("${General::swroot}/main/settings", \
%mainsettings);
66 &General
::readhash
("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \
%color);
68 # Pakfire meta file for owncloud.
69 # (File exists when the addon is installed.)
70 my $owncloud_meta = "/opt/pakfire/db/installed/meta-owncloud";
74 my $settingsfile = "${General::swroot}/guardian/settings";
75 my $ignoredfile = "${General::swroot}/guardian/ignored";
77 # Create empty settings and ignoredfile if they do not exist yet.
78 unless (-e
"$settingsfile") { system("touch $settingsfile"); }
79 unless (-e
"$ignoredfile") { system("touch $ignoredfile"); }
84 $settings{'ACTION'} = '';
86 $settings{'GUARDIAN_ENABLED'} = 'off';
87 $settings{'GUARDIAN_MONITOR_SNORT'} = 'on';
88 $settings{'GUARDIAN_MONITOR_SSH'} = 'on';
89 $settings{'GUARDIAN_MONITOR_HTTPD'} = 'on';
90 $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = '';
91 $settings{'GUARDIAN_LOG_FACILITY'} = 'syslog';
92 $settings{'GUARDIAN_LOGLEVEL'} = 'info';
93 $settings{'GUARDIAN_BLOCKCOUNT'} = '3';
94 $settings{'GUARDIAN_BLOCKTIME'} = '86400';
95 $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log';
96 $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3';
98 # Default settings for owncloud if installed.
99 if ( -e
"$owncloud_meta") {
100 $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = 'off';
103 my $errormessage = '';
105 &Header
::showhttpheaders
();
108 &Header
::getcgihash
(\
%settings);
110 # Check if guardian is running and grab some stats.
114 ## Perform input checks and save settings.
116 if ($settings{'ACTION'} eq $Lang::tr
{'save'}) {
117 # Check for valid blocktime.
118 unless(($settings{'GUARDIAN_BLOCKTIME'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKTIME'} ne "0")) {
119 $errormessage = "$Lang::tr{'guardian invalid blocktime'}";
122 # Check if the bloccount is valid.
123 unless(($settings{'GUARDIAN_BLOCKCOUNT'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKCOUNT'} ne "0")) {
124 $errormessage = "$Lang::tr{'guardian invalid blockcount'}";
128 unless($settings{'GUARDIAN_LOGFILE'} =~ /^[a-zA-Z0-9\.\/]+$/) {
129 $errormessage = "$Lang::tr{'guardian invalid logfile'}";
132 # Only continue if no error message has been set.
133 if($errormessage eq '') {
134 # Write configuration settings to file.
135 &General
::writehash
("${General::swroot}/guardian/settings", \
%settings);
137 # Update configuration files.
138 &BuildConfiguration
();
141 ## Add/edit an entry to the ignore file.
143 } elsif (($settings{'ACTION'} eq $Lang::tr
{'add'}) || ($settings{'ACTION'} eq $Lang::tr
{'update'})) {
145 # Check if any input has been performed.
146 if ($settings{'IGNORE_ENTRY_ADDRESS'} ne '') {
148 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
149 if ((!&General
::validip
($settings{'IGNORE_ENTRY_ADDRESS'})) && (!&General
::validipandmask
($settings{'IGNORE_ENTRY_ADDRESS'}))) {
150 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
153 $errormessage = "$Lang::tr{'guardian empty input'}";
156 # Go further if there was no error.
157 if ($errormessage eq '') {
162 # Assign hash values.
163 my $new_entry_address = $settings{'IGNORE_ENTRY_ADDRESS'};
164 my $new_entry_remark = $settings{'IGNORE_ENTRY_REMARK'};
166 # Read-in ignoredfile.
167 &General
::readhasharray
($ignoredfile, \
%ignored);
169 # Check if we should edit an existing entry and got an ID.
170 if (($settings{'ACTION'} eq $Lang::tr
{'update'}) && ($settings{'ID'})) {
171 # Assin the provided id.
172 $id = $settings{'ID'};
174 # Undef the given ID.
175 undef($settings{'ID'});
177 # Grab the configured status of the corresponding entry.
178 $status = $ignored{$id}[2];
180 # Each newly added entry automatically should be enabled.
183 # Generate the ID for the new entry.
185 # Sort the keys by it's ID and store them in an array.
186 my @keys = sort { $a <=> $b } keys %ignored;
188 # Reverse the key array.
189 my @reversed = reverse(@keys);
191 # Obtain the last used id.
192 my $last_id = @reversed[0];
194 # Increase the last id by one and use it as id for the new entry.
198 # Add/Modify the entry to/in the ignored hash.
199 $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"];
201 # Write the changed ignored hash to the ignored file.
202 &General
::writehasharray
($ignoredfile, \
%ignored);
204 # Regenerate the ignore file.
205 # &GenerateIgnoreFile();
208 # Check if guardian is running.
210 # Send reload command through socket connection.
211 &Guardian
::Socket
::Client
("reload");
214 ## Toggle Enabled/Disabled for an existing entry on the ignore list.
217 } elsif ($settings{'ACTION'} eq $Lang::tr
{'toggle enable disable'}) {
220 # Only go further, if an ID has been passed.
221 if ($settings{'ID'}) {
222 # Assign the given ID.
223 my $id = $settings{'ID'};
225 # Undef the given ID.
226 undef($settings{'ID'});
228 # Read-in ignoredfile.
229 &General
::readhasharray
($ignoredfile, \
%ignored);
231 # Grab the configured status of the corresponding entry.
232 my $status = $ignored{$id}[2];
235 if ($status eq "disabled") {
238 $status = "disabled";
241 # Modify the status of the existing entry.
242 $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"];
244 # Write the changed ignored hash to the ignored file.
245 &General
::writehasharray
($ignoredfile, \
%ignored);
247 # Regenerate the ignore file.
248 # &GenerateIgnoreFile();
250 # Check if guardian is running.
252 # Send reload command through socket connection.
253 &Guardian
::Socket
::Client
("reload");
257 ## Remove entry from ignore list.
259 } elsif ($settings{'ACTION'} eq $Lang::tr
{'remove'}) {
262 # Read-in ignoredfile.
263 &General
::readhasharray
($ignoredfile, \
%ignored);
265 # Drop entry from the hash.
266 delete($ignored{$settings{'ID'}});
268 # Undef the given ID.
269 undef($settings{'ID'});
271 # Write the changed ignored hash to the ignored file.
272 &General
::writehasharray
($ignoredfile, \
%ignored);
274 # Regenerate the ignore file.
275 # &GenerateIgnoreFile();
277 # Check if guardian is running.
279 # Send reload command through socket connection.
280 &Guardian
::Socket
::Client
("reload");
283 ## Block a user given address or subnet.
285 } elsif ($settings{'ACTION'} eq $Lang::tr
{'block'}) {
287 # Assign some temporary variables used for input validation.
288 my $input = $settings{'ADDRESS_BLOCK'};
289 my $green = $netsettings{'GREEN_ADDRESS'};
290 my $blue = $netsettings{'BLUE_ADDRESS'};
291 my $orange = $netsettings{'ORANGE_ADDRESS'};
292 my $red = $netsettings{'RED_ADDRESS'};
294 # Get gateway address.
295 my $gateway = &General
::get_gateway
();
297 # Check if any input has been performed.
299 $errormessage = "$Lang::tr{'guardian empty input'}";
302 # Check if the given input is localhost (127.0.0.1).
303 elsif ($input eq "127.0.0.1") {
304 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
307 # Check if the given input is anywhere (0.0.0.0).
308 elsif ($input eq "0.0.0.0") {
309 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
312 # Check if the given input is one of the interface addresses or our gateway.
313 elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
314 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
317 # Check if the given input is a valid IP address.
318 elsif (!&General
::validip
($input)) {
319 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
322 # Go further if there was no error.
323 if ($errormessage eq '') {
324 my $block = $settings{'ADDRESS_BLOCK'};
326 # Send command to block the specified address through socket connection.
327 &Guardian
::Socket
::Client
("block $block");
330 ## Unblock address or subnet.
332 } elsif ($settings{'ACTION'} eq $Lang::tr
{'unblock'}) {
334 # Check if no empty input has been performed.
335 if ($settings{'ADDRESS_UNBLOCK'} ne '') {
337 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
338 if ((!&General
::validip
($settings{'ADDRESS_UNBLOCK'})) && (!&General
::validipandmask
($settings{'ADDRESS_UNBLOCK'}))) {
339 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
343 $errormessage = "$Lang::tr{'guardian empty input'}";
346 # Go further if there was no error.
347 if ($errormessage eq '') {
348 my $unblock = $settings{'ADDRESS_UNBLOCK'};
350 # Send command to unblock the given address through socket connection.
351 &Guardian
::Socket
::Client
("unblock $unblock");
356 } elsif ($settings{'ACTION'} eq $Lang::tr
{'unblock all'}) {
358 # Send flush command through socket connection.
359 &Guardian
::Socket
::Client
("flush");
362 # Load settings from files.
363 &General
::readhash
("${General::swroot}/guardian/settings", \
%settings);
364 &General
::readhasharray
("${General::swroot}/guardian/ignored", \
%ignored);
366 # Call functions to generate whole page.
370 # Display area only if guardian is running.
371 if ( ($memory != 0) && ($pid > 0) ) {
375 # Function to display the status of guardian and allow base configuration.
380 $checked{'GUARDIAN_ENABLED'}{'on'} = '';
381 $checked{'GUARDIAN_ENABLED'}{'off'} = '';
382 $checked{'GUARDIAN_ENABLED'}{$settings{'GUARDIAN_ENABLED'}} = 'checked';
383 $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} = '';
384 $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} = '';
385 $checked{'GUARDIAN_MONITOR_SNORT'}{$settings{'GUARDIAN_MONITOR_SNORT'}} = "checked='checked'";
386 $checked{'GUARDIAN_MONITOR_SSH'}{'off'} = '';
387 $checked{'GUARDIAN_MONITOR_SSH'}{'on'} = '';
388 $checked{'GUARDIAN_MONITOR_SSH'}{$settings{'GUARDIAN_MONITOR_SSH'}} = "checked='checked'";
389 $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} = '';
390 $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} = '';
391 $checked{'GUARDIAN_MONITOR_HTTPD'}{$settings{'GUARDIAN_MONITOR_HTTPD'}} = "checked='checked'";
392 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} = '';
393 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} = '';
394 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{$settings{'GUARDIAN_MONITOR_OWNCLOUD'}} = "checked='checked'";
396 $selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected';
397 $selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected';
398 $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}} = 'selected';
400 &Header
::openpage
($Lang::tr
{'guardian configuration'}, 1, '');
401 &Header
::openbigbox
('100%', 'left', '', $errormessage);
403 # Print errormessage if there is one.
405 &Header
::openbox
('100%', 'left', $Lang::tr
{'error messages'});
406 print "<font class='base'>$errormessage </font>\n";
411 # Draw current guardian state.
412 &Header
::openbox
('100%', 'center', $Lang::tr
{'guardian'});
414 # Get current status of guardian.
418 # Display some useful information related to guardian, if daemon is running.
419 if ( ($memory != 0) && ($pid > 0) ){
421 <table width='95%' cellspacing='0' class='tbl'>
423 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
426 <td class='base'>$Lang::tr{'guardian daemon'}</td>
427 <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td>
430 <td class='base'></td>
431 <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td>
432 <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td>
435 <td class='base'></td>
436 <td bgcolor='$color{'color22'}' align='center'>$pid</td>
437 <td bgcolor='$color{'color22'}' align='center'>$memory KB</td>
442 # Otherwise display a hint that the service is not launched.
444 <table width='95%' cellspacing='0' class='tbl'>
446 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
449 <td class='base'>$Lang::tr{'guardian daemon'}</td>
450 <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td>
458 # Draw elements for guardian configuration.
459 &Header
::openbox
('100%', 'center', $Lang::tr
{'guardian configuration'});
462 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
466 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian common settings'}</b></td>
469 <td width='20%' class='base'>$Lang::tr{'guardian enabled'}:</td>
470 <td><input type='checkbox' name='GUARDIAN_ENABLED' $checked{'GUARDIAN_ENABLED'}{'on'} /></td>
473 <td colspan='2'><br></td>
476 <td width='20%' class='base'>$Lang::tr{'guardian watch snort alertfile'}</td>
477 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='on' $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} /> /
478 <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='off' $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} /> off</td>
481 <td width='20%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td>
482 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> /
483 <input type='radio' name='GUARDIAN_MONITOR_SSH' value='off' $checked{'GUARDIAN_MONITOR_SSH'}{'off'} /> off</td>
486 <td width='20%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td>
487 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> /
488 <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td>
491 # Display owncloud checkbox when the addon is installed.
492 if ( -e
"$owncloud_meta" ) {
494 print"<td width='20%' class='base'>$Lang::tr{'guardian block owncloud brute-force'}</td>\n";
495 print"<td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='on' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} /> /\n";
496 print"<input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='off' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} /> off</td>\n";
501 <td colspan='2'><br></td>
504 <td align='left' width='20%'>$Lang::tr{'guardian logfacility'}:</td>
505 <td><select name='GUARDIAN_LOG_FACILITY'>
506 <option value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>syslog</option>
507 <option value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>file</option>
508 <option value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>console</option>
512 <td colspan='2'><br></td>
515 <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td>
516 <td><select name='GUARDIAN_LOGLEVEL'>
517 <option value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>off</option>
518 <option value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>info</option>
519 <option value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>debug</option>
523 <td colspan='2'><br></td>
526 <td align='left' width='20%'>$Lang::tr{'guardian priority level'}:</td>
527 <td><select name='GUARDIAN_SNORT_PRIORITY_LEVEL'>
528 <option value='1' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'1'}>1</option>
529 <option value='2' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'2'}>2</option>
530 <option value='3' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'3'}>3</option>
531 <option value='4' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'4'}>4</option>
535 <td colspan='2'><br></td>
538 <td width='20%' class='base'>$Lang::tr{'guardian blockcount'}:</td>
539 <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td>
542 <td width='20%' class='base'>$Lang::tr{'guardian blocktime'}:</td>
543 <td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td>
546 <td width='20%' class='base'>$Lang::tr{'guardian logfile'}:</td>
547 <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td>
558 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
568 # Function to show elements of the guardian ignorefile and allow to add or remove single members of it.
569 sub showIgnoreBox
() {
570 &Header
::openbox
('100%', 'center', $Lang::tr
{'guardian ignored hosts'});
575 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td>
576 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td>
577 <td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
580 # Check if some hosts have been add to be ignored.
581 if (keys (%ignored)) {
584 # Loop through all entries of the hash..
585 while( (my $key) = each %ignored) {
586 # Assign data array positions to some nice variable names.
587 my $address = $ignored{$key}[0];
588 my $remark = $ignored{$key}[1];
589 my $status = $ignored{$key}[2];
591 # Check if the key (id) number is even or not.
592 if ($settings{'ID'} eq $key) {
593 $col="bgcolor='${Header::colouryellow}'";
595 $col="bgcolor='$color{'color22'}'";
597 $col="bgcolor='$color{'color20'}'";
600 # Choose icon for the checkbox.
604 # Check if the status is enabled and select the correct image and description.
605 if ($status eq 'enabled' ) {
607 $gdesc = $Lang::tr
{'click to disable'};
610 $gdesc = $Lang::tr
{'click to enable'};
615 <td width='20%' class='base' $col>$address</td>
616 <td width='65%' class='base' $col>$remark</td>
618 <td align='center' $col>
619 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
620 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
621 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' />
622 <input type='hidden' name='ID' value='$key' />
626 <td align='center' $col>
627 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
628 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
629 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
630 <input type='hidden' name='ID' value='$key' />
634 <td align='center' $col>
635 <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'>
636 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'>
637 <input type='hidden' name='ID' value='$key'>
638 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}'>
645 # Print notice that currently no hosts are ignored.
647 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
653 # Section to add new elements or edit existing ones.
663 # Assign correct headline and button text.
668 # Check if an ID (key) has been given, in this case an existing entry should be edited.
669 if ($settings{'ID'} ne '') {
670 $buttontext = $Lang::tr
{'update'};
671 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n";
673 # Grab address and remark for the given key.
674 $entry_address = $ignored{$settings{'ID'}}[0];
675 $entry_remark = $ignored{$settings{'ID'}}[1];
677 $buttontext = $Lang::tr
{'add'};
678 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n";
682 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
683 <input type='hidden' name='ID' value='$settings{'ID'}'>
685 <td width='30%'>$Lang::tr{'ip address'}: </td>
686 <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
688 <td width='30%'>$Lang::tr{'remark'}: </td>
689 <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
690 <td align='center' width='20%'><input type='submit' name='ACTION' value='$buttontext' /></td>
700 # Function to list currently bocked addresses from guardian and unblock them or add custom entries to block.
701 sub showBlockedBox
() {
702 &Header
::openbox
('100%', 'center', $Lang::tr
{'guardian blocked hosts'});
707 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian blocked hosts'}</b></td>
711 # Lauch function to get the currently blocked hosts.
712 my @blocked_hosts = &GetBlockedHosts
();
717 # Loop through our blocked hosts array.
718 foreach my $blocked_host (@blocked_hosts) {
720 # Increase id number for each element in the ignore file.
723 # Check if the id number is even or not.
725 $col="bgcolor='$color{'color22'}'";
727 $col="bgcolor='$color{'color20'}'";
732 <td width='80%' class='base' $col><a href='/cgi-bin/ipinfo.cgi?ip=$blocked_host'>$blocked_host</a></td>
733 <td width='20%' align='center' $col>
734 <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
735 <input type='image' name='$Lang::tr{'unblock'}' src='/images/delete.gif' title='$Lang::tr{'unblock'}' alt='$Lang::tr{'unblock'}'>
736 <input type='hidden' name='ADDRESS_UNBLOCK' value='$blocked_host'>
737 <input type='hidden' name='ACTION' value='$Lang::tr{'unblock'}'>
744 # If the loop only has been runs once the id still is "0", which means there are no
745 # additional entries (blocked hosts) in the iptables chain.
748 # Print notice that currently no hosts are blocked.
750 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
756 # Section for a manual block of an IP-address.
760 <table width='60%' border='0'>
761 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
763 <td width='30%'>$Lang::tr{'guardian block a host'}: </td>
764 <td width='40%'><input type='text' name='ADDRESS_BLOCK' value='' size='24' /></td>
765 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'block'}'></td>
766 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'unblock all'}'></td>
776 &Header
::closebigbox
();
777 &Header
::closepage
();
779 # Function to check if guardian has been started.
780 # Grab process id and consumed memory if the daemon is running.
784 open(FILE
, '/usr/local/bin/addonctrl guardian status | ');
787 $string = join("", @guardian);
788 $string =~ s/[a-z_]//gi;
789 $string =~ s/\[[0-1]\;[0-9]+//gi;
790 $string =~ s/[\(\)\.]//gi;
793 @pid = split(/\s/,$string);
794 if (open(FILE
, "/proc/$pid[0]/statm")){
796 @memory = split(/ /,$temp);
802 sub GetBlockedHosts
() {
803 # Create new, empty array.
806 # Lauch helper to get chains from iptables.
807 system('/usr/local/bin/getipstat');
809 # Open temporary file which contains the chains and rules.
810 open (FILE
, '/srv/web/ipfire/html/iptables.txt');
812 # Loop through the entire file.
816 # Search for the guardian chain and extract
817 # the lines between it and the next empty line
818 # which is placed before the next firewall
820 if ($line =~ /^Chain GUARDIAN/ .. /^\s*$/) {
821 # Skip descriptive lines.
822 next if ($line =~ /^Chain/);
823 next if ($line =~ /^ pkts/);
825 # Generate array, based on the line content (seperator is a single or multiple space's)
826 my @comps = split(/\s{1,}/, $line);
827 my ($lead, $pkts, $bytes, $target, $prot, $opt, $in, $out, $source, $destination) = @comps;
829 # Assign different variable names.
830 my $blocked_host = $source;
832 # Add host to our hosts array.
834 push(@hosts, $blocked_host);
842 # Remove recently created temporary files of the "getipstat" binary.
843 system(rm
-f
"/srv/web/ipfire/html/iptables.txt");
844 system(rm
-f
"/srv/web/ipfire/html/iptablesmangle.txt");
845 system(rm
-f
"/srv/web/ipfire/html/iptablesnat.txt");
847 # Convert entries, sort them, write back and store the sorted entries into new array.
848 my @sorted = map { $_->[0] }
849 sort { $a->[1] <=> $b->[1] }
850 map { [$_, int sprintf("%03.f%03.f%03.f%03.f", split(/\./, $_))] }
853 # Return our sorted list.
857 sub BuildConfiguration
() {
859 &General
::readhash
("${General::swroot}/guardian/settings", \
%settings);
861 my $configfile = "${General::swroot}/guardian/guardian.conf";
863 # Open configfile for writing.
864 open(FILE
, ">$configfile");
866 # Config file header.
867 print FILE
"# Autogenerated configuration file.\n";
868 print FILE
"# All user modifications will be overwritten.\n\n";
870 # Settings for the logging mechanism.
871 print FILE
"# Log settings.\n";
872 print FILE
"LogFacility = $settings{'GUARDIAN_LOG_FACILITY'}\n";
874 if ($settings{'GUARDIAN_LOG_FACILITY'} eq "file") {
875 print FILE
"LogFile = $settings{'GUARDIAN_LOGFILE'}\n";
878 print FILE
"LogLevel = $settings{'GUARDIAN_LOGLEVEL'}\n\n";
880 # IPFire related static settings.
881 print FILE
"# IPFire related settings.\n";
882 print FILE
"FirewallEngine = IPtables\n";
883 print FILE
"SocketOwner = nobody:nobody\n";
884 print FILE
"IgnoreFile = $ignorefile\n\n";
886 # Configured block values.
887 print FILE
"# Configured block values.\n";
888 print FILE
"BlockCount = $settings{'GUARDIAN_BLOCKCOUNT'}\n";
889 print FILE
"BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n\n";
892 # Loop through whole settings hash.
893 print FILE
"# Enabled modules.\n";
894 foreach my $option (keys %settings) {
895 # Search for enabled modules.
896 if ($option =~ /GUARDIAN_MONITOR_(.*)/) {
897 # Skip if module is not enabled.
898 next unless($settings{$option} eq "on");
900 # Skip module if no file location is available.
901 next unless(exists($module_file_locations{$1}));
903 # Add enabled module and defined path to the config file.
904 print FILE
"Monitor_$1 = $module_file_locations{$1}\n";
909 print FILE
"\n# Module settings.\n";
910 # Check if SNORT is enabled and add snort priority.
911 if ($settings{'GUARDIAN_MONITOR_SNORT'} eq "on") {
912 print FILE
"SnortPriorityLevel = $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}\n";
917 # Check if guardian should be started or stopped.
918 if($settings{'GUARDIAN_ENABLED'} eq 'on') {
920 # Send reload command through socket connection.
921 &Guardian
::Socket
::Client
("reload");
924 system("/usr/local/bin/addonctrl guardian start &>/dev/null");
928 system("/usr/local/bin/addonctrl guardian stop &>/dev/null");