From 231499fcc85bfb6ae4fbb03fbaca2873984be103 Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Thu, 3 Jan 2013 08:14:28 +0100
Subject: [PATCH] Forward Firewall: build iso with new firewall
---
 config/outgoingfw/defaultservices | 34 ---
 config/outgoingfw/outgoingfw.pl | 286 ------------------
 config/rootfiles/common/configroot | 2 +-
 lfs/configroot | 18 +-
 src/initscripts/init.d/firewall | 16 +-
 src/misc-progs/Makefile | 9 +-
 .../{outgoingfwctrl.c => forwardfwctrl.c} | 7 +-
 7 files changed, 22 insertions(+), 350 deletions(-)
 delete mode 100644 config/outgoingfw/defaultservices
 delete mode 100644 config/outgoingfw/outgoingfw.pl
 rename src/misc-progs/{outgoingfwctrl.c => forwardfwctrl.c} (75%)
diff --git a/config/outgoingfw/defaultservices b/config/outgoingfw/defaultservices
deleted file mode 100644
index f2cf475142..0000000000
--- a/config/outgoingfw/defaultservices
+++ /dev/null
@@ -1,34 +0,0 @@
-bootpc,68,tcp&udp,Bootstrap Protocol Client
-bootps,67,tcp&udp,Bootstrap Protocol Server
-domain,53,tcp&udp,Domain Name Server
-echo,7,tcp&udp,Echo
-ftp,21,tcp&udp,File Transfer Control
-ftp-data,20,tcp&udp,File Control Data
-http,80,tcp,Hypertext Transfer Protocol
-https,443,tcp,secure HTTP
-imap,143,tcp,Interactive Mail Access Protocol
-imap3,220,tcp,Interactive Mail Access Protocol v3
-imaps,993,tcp,secure IMAP
-ipfire-https,444,tcp,IPFire HTTPS
-ipfire-ssh,222,tcp&udp,IPFire SSH
-irc,194,tcp&udp,Internet Relay Chat
-ircd,6667,tcp&udp,Internet Relay Chat
-microsoft-ds,445,tcp&udp,Netbios Filesharing
-nameserver,42,tcp&udp,Host Name Server
-netbios-dgm,138,tcp&udp,NETBIOS Datagram Service
-netbios-ns,137,tcp&udp,NETBIOS Name Server
-netbios-ssn,139,tcp&udp,NETBIOS Session Service
-nfs,2049,tcp&udp,Network File System
-ntp,123,udp,Network Time Protocol
-pop3,110,tcp,POP3 Email
-pop3s,995,tcp,secure POP3 Email
-sftp,115,tcp&udp,secure File Transfer Protocol
-smtp,25,tcp,Simple Mail Transfer Protocol
-smtps,465,tcp,secure Simple Mail Transfer Protocol
-snmp,161,tcp&udp,Simple Network Management
-snmptrap,162,udp,SNMP Trap
-ssh,22,tcp&udp,SSH
-telnet,23,tcp&udp,Telnet
-tftp,69,tcp&udp,Trivial File Transfer
-time,37,tcp&udp,Time
-wins,1512,tcp&udp,Windows Internet Name Service
diff --git a/config/outgoingfw/outgoingfw.pl b/config/outgoingfw/outgoingfw.pl
deleted file mode 100644
index 1208567dd7..0000000000
--- a/config/outgoingfw/outgoingfw.pl
+++ /dev/null
@@ -1,286 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see . # -# # -############################################################################### - - -use strict; -# enable only the following on debugging purpose -#use warnings; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; - -my %outfwsettings = (); -my %checked = (); -my %selected= () ; -my %netsettings = (); -my $errormessage = ""; -my $configentry = ""; -my @configs = (); -my @configline = (); -my $p2pentry = ""; -my @p2ps = (); -my @p2pline = (); -my $CMD = ""; -my $P2PSTRING = ""; - -my $DEBUG = 0; - -my $configfile = "/var/ipfire/outgoing/rules"; -my $p2pfile = "/var/ipfire/outgoing/p2protocols"; - -### Values that have to be initialized -$outfwsettings{'ACTION'} = ''; -$outfwsettings{'VALID'} = 'yes'; -$outfwsettings{'EDIT'} = 'no'; -$outfwsettings{'NAME'} = ''; -$outfwsettings{'SNET'} = ''; -$outfwsettings{'SIP'} = ''; -$outfwsettings{'SPORT'} = ''; -$outfwsettings{'SMAC'} = ''; -$outfwsettings{'DIP'} = ''; -$outfwsettings{'DPORT'} = ''; -$outfwsettings{'PROT'} = ''; -$outfwsettings{'STATE'} = ''; -$outfwsettings{'DISPLAY_DIP'} = ''; -$outfwsettings{'DISPLAY_DPORT'} = ''; 
-$outfwsettings{'DISPLAY_SMAC'} = ''; -$outfwsettings{'DISPLAY_SIP'} = ''; -$outfwsettings{'POLICY'} = 'MODE0'; - -my @SOURCE = ""; -my $SOURCE = ""; -my $DESTINATION = ""; -my @PROTO = ""; -my $PROTO = ""; -my $DPORT = ""; -my $DEV = ""; -my $MAC = ""; -my $DO = ""; -my $DAY = ""; - -# read files -&General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings); -&General::readhash("${General::swroot}/ethernet/settings", \%netsettings); - -$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`; -$netsettings{'RED_IP'}=`cat /var/ipfire/red/local-ipaddress`; - -open( FILE, "< $configfile" ) or die "Unable to read $configfile"; -@configs = ; -close FILE; - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $outfwsettings{'STATE'} = "ALLOW"; - $DO = "RETURN"; -} elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) { - $outfwsettings{'STATE'} = "DENY"; - $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW '"; -} - -### Initialize IPTables -system("/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1"); -system("/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1"); -system("/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1"); - -system("/sbin/iptables --flush OUTGOINGFWMAC >/dev/null 2>&1"); -system("/sbin/iptables --delete-chain OUTGOINGFWMAC >/dev/null 2>&1"); -system("/sbin/iptables -N OUTGOINGFWMAC >/dev/null 2>&1"); - -if ( $outfwsettings{'POLICY'} eq 'MODE0' ) { - &firewall_local_reload(); - exit 0 -} - -if ( $outfwsettings{'POLICY'} eq 'MODE1' ) { - $CMD = "/sbin/iptables -A OUTGOINGFW -m state --state ESTABLISHED,RELATED -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFWMAC -m state --state ESTABLISHED,RELATED -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFW -p icmp -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { system("$CMD"); } - $CMD = "/sbin/iptables -A OUTGOINGFWMAC -p icmp -j RETURN"; - if ($DEBUG) { print "$CMD\n"; } else { 
system("$CMD"); } -} - -foreach $configentry (sort @configs) -{ - @SOURCE = ""; - $DESTINATION = ""; - $PROTO = ""; - $DPORT = ""; - $DEV = ""; - $MAC = ""; - @configline = split( /\;/, $configentry ); - - if ($outfwsettings{'STATE'} eq $configline[0]) { - if ($configline[2] eq 'green') { - @SOURCE = ("$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"); - $DEV = $netsettings{'GREEN_DEV'}; - } elsif ($configline[2] eq 'red') { - @SOURCE = ("$netsettings{'RED_IP'}"); - $DEV = ""; - } elsif ($configline[2] eq 'blue') { - @SOURCE = ("$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}"); - $DEV = $netsettings{'BLUE_DEV'}; - } elsif ($configline[2] eq 'orange') { - @SOURCE = ("$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}"); - $DEV = $netsettings{'ORANGE_DEV'}; - } elsif ($configline[2] eq 'ipsec') { - @SOURCE = ""; - $DEV = "ipsec+"; - } elsif ($configline[2] eq 'ovpn') { - @SOURCE = ""; - $DEV = "tun+"; - } elsif ($configline[2] eq 'ip') { - @SOURCE = ("$configline[5]"); - $DEV = ""; - } elsif ($configline[2] eq 'mac') { - @SOURCE = ("$configline[6]"); - $DEV = ""; - } elsif ($configline[2] eq 'all') { - @SOURCE = ("0/0"); - $DEV = ""; - } else { - if ( -e "/var/ipfire/outgoing/groups/ipgroups/$configline[2]" ) { - @SOURCE = `cat /var/ipfire/outgoing/groups/ipgroups/$configline[2]`; - } elsif ( -e "/var/ipfire/outgoing/groups/macgroups/$configline[2]" ) { - @SOURCE = `cat /var/ipfire/outgoing/groups/macgroups/$configline[2]`; - $configline[2] = "mac"; - } - $DEV = ""; - } - - if ($configline[7]) { $DESTINATION = "$configline[7]"; } else { $DESTINATION = "0/0"; } - - if ($configline[3] eq 'tcp') { - @PROTO = ("tcp"); - } elsif ($configline[3] eq 'udp') { - @PROTO = ("udp"); - } elsif ($configline[3] eq 'esp') { - @PROTO = ("esp"); - } elsif ($configline[3] eq 'gre') { - @PROTO = ("gre"); - } else { - @PROTO = ("tcp","udp"); - } - - my $macrule = 0; - foreach $PROTO (@PROTO){ - foreach $SOURCE (@SOURCE) { - $SOURCE =~ s/\s//gi; 
- - if ( $SOURCE eq "" || $configline[1] eq "" ){next;} - - if ( ( $configline[6] ne "" || $configline[2] eq 'mac' ) && $configline[2] ne 'all'){ - $SOURCE =~ s/[^a-zA-Z0-9]/:/gi; - $CMD = "-m mac --mac-source $SOURCE -d $DESTINATION -p $PROTO"; - $macrule = 1; - } else { - $CMD = "-s $SOURCE -d $DESTINATION -p $PROTO"; - } - - if ($configline[8] && ( $configline[3] ne 'esp' || $configline[3] ne 'gre') ) { - $DPORT = "$configline[8]"; - $CMD = "$CMD -m multiport --destination-port $DPORT"; - } - - if ($DEV) { - $CMD = "$CMD -i $DEV"; - } - - if ($configline[17] && $configline[18]) { - $DAY = ""; - if ($configline[10]){$DAY = "Mon,"} - if ($configline[11]){$DAY .= "Tue,"} - if ($configline[12]){$DAY .= "Wed,"} - if ($configline[13]){$DAY .= "Thu,"} - if ($configline[14]){$DAY .= "Fri,"} - if ($configline[15]){$DAY .= "Sat,"} - if ($configline[16]){$DAY .= "Sun"} - $CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY"; - } - - $CMD = "$CMD -o $netsettings{'RED_DEV'}"; - - if ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE1' ) { - applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'LOG_OUTGOINGFW '", $macrule); - } elsif ( $configline[9] eq $Lang::tr{'aktiv'} && $outfwsettings{'POLICY'} eq 'MODE2' ) { - applyrule("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", $macrule); - } - - applyrule("$CMD -j $DO", $macrule); - } - } - } -} - -### Do the P2P-Stuff here -open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile"; -@p2ps = ; -close FILE; - -$CMD = "-m ipp2p"; - -foreach $p2pentry (sort @p2ps) { - @p2pline = split( /\;/, $p2pentry ); - if ( $outfwsettings{'POLICY'} eq 'MODE2' ) { - $DO = "DROP"; - if ("$p2pline[2]" eq "off") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } else { - $DO = "RETURN"; - if ("$p2pline[2]" eq "on") { - $P2PSTRING = "$P2PSTRING --$p2pline[1]"; - } - } -} -if ($P2PSTRING) { - applyrule("$CMD $P2PSTRING -j $DO", 0); -} - -if ( 
$outfwsettings{'POLICY'} eq 'MODE1' ) {
- if ( $outfwsettings{'MODE1LOG'} eq 'on' ) {
- applyrule("-o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW '", 0);
- }
-
- applyrule("-o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW '", 0);
-}
-
-&firewall_local_reload();
-
-sub applyrule($$) {
- my $cmd = shift;
- my $macrule = shift;
-
- system("/sbin/iptables -A OUTGOINGFWMAC $cmd");
- if ($macrule == 0) {
- system("/sbin/iptables -A OUTGOINGFW $cmd");
- }
-}
-
-sub firewall_local_reload() {
- my $script = "/etc/sysconfig/firewall.local";
-
- if ( -x $script ) {
- system("$script reload >/dev/null 2>&1");
- }
-}
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 7a23b8c61c..d4c7390f2e 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -120,7 +120,7 @@ var/ipfire/optionsfw
 var/ipfire/outgoing
 #var/ipfire/outgoing/bin
 #var/ipfire/outgoing/bin/outgoingfw.pl
-var/ipfire/outgoing/defaultservices
+#var/ipfire/outgoing/defaultservices
 #var/ipfire/outgoing/groups
 #var/ipfire/outgoing/groups/ipgroups
 #var/ipfire/outgoing/groups/macgroups
diff --git a/lfs/configroot b/lfs/configroot
index 5280d8c286..6327c1274a 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -53,7 +53,7 @@ $(TARGET) :
 for i in addon-lang auth backup ca certs connscheduler crls ddns dhcp dhcpc dns dnsforward \
 ethernet extrahd/bin fwlogs isdn key langs logging mac main menu.d modem net-traffic \
 ethernet extrahd/bin fwlogs fwhosts forward forward/bin isdn key langs logging mac main menu.d modem net-traffic \
- net-traffic/templates nfs optionsfw outgoing/bin outgoing/groups outgoing/groups/ipgroups \
+ net-traffic/templates nfs optionsfw outgoing/bin \
 outgoing/groups/macgroups ovpn patches pakfire portfw ppp private proxy/advanced/cre \
 proxy/calamaris/bin qos/bin red remote sensors snort time tripwire/report \
 updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
@@ -65,9 +65,9 @@ $(TARGET) :
 for i in auth/users backup/include.user backup/exclude.user \
 certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
 dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
- ethernet/wireless extrahd/scan extrahd/devices extrahd/partitions extrahd/settings fwlogs/ipsettings fwlogs/portsettings \
- forward/settings forward/config forward/input fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
- isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings outgoing/settings outgoing/rules \
+ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input \
+ fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservices fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
+ isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
 ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
 ppp/settings-5 ppp/settings proxy/settings proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
 qos/tosconfig snort/settings tripwire/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
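Review bot: The touch list stops creating `outgoing/settings` and `outgoing/rules`, but the rest of the old outgoing/ tree is only half removed in this recipe: the -53 hunk above still creates `outgoing/bin` and `outgoing/groups/macgroups` while dropping `outgoing/groups` and `outgoing/groups/ipgroups`, and the -93 hunk below still copies `p2protocols` into `$(CONFIG_ROOT)/outgoing/`. If the old outgoing firewall is retired for good these look like leftovers that belong in the same commit; if they are kept deliberately (something else may still read them, which I cannot see from here), a one-line comment in the recipe such as `# outgoing/ is kept for <reason>` would spare the next reader the same check. The `for` loop these lines belong to continues past the end of the hunk.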
@@ -93,8 +93,6 @@ $(TARGET) : cp $(DIR_SRC)/config/cfgroot/net-traffic-admin.pl $(CONFIG_ROOT)/net-traffic/net-traffic-admin.pl cp $(DIR_SRC)/config/cfgroot/nfs-server $(CONFIG_ROOT)/nfs/nfs-server cp $(DIR_SRC)/config/cfgroot/p2protocols $(CONFIG_ROOT)/outgoing/p2protocols - cp $(DIR_SRC)/config/outgoingfw/outgoingfw.pl $(CONFIG_ROOT)/outgoing/bin/ - cp $(DIR_SRC)/config/outgoingfw/defaultservices $(CONFIG_ROOT)/outgoing/ cp $(DIR_SRC)/config/cfgroot/proxy-acl $(CONFIG_ROOT)/proxy/acl-1.4 cp $(DIR_SRC)/config/qos/* $(CONFIG_ROOT)/qos/bin/ cp $(DIR_SRC)/config/cfgroot/ssh-settings $(CONFIG_ROOT)/remote/settings @@ -118,14 +116,8 @@ $(TARGET) : echo "DROPOUTPUT=on" >> $(CONFIG_ROOT)/optionsfw/settings echo "DROPPORTSCAN=on" >> $(CONFIG_ROOT)/optionsfw/settings - # Set outgoingfw.pl executable - chmod 755 $(CONFIG_ROOT)/outgoing/bin/outgoingfw.pl - # set rules.pl executable chmod 755 $(CONFIG_ROOT)/forward/bin/rules.pl - - - # Modify variables in header.pl sed -i -e "s+CONFIG_ROOT+$(CONFIG_ROOT)+g" \ -e "s+VERSION+$(VERSION)+g" \ @@ -142,7 +134,7 @@ $(TARGET) : # Language files cp $(DIR_SRC)/langs/*/cgi-bin/*.pl $(CONFIG_ROOT)/langs/ - + # Configroot permissions chown -R nobody:nobody $(CONFIG_ROOT) chown root:root $(CONFIG_ROOT) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 467d1b9ab7..4287d33f18 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -195,14 +195,14 @@ case "$1" in # Outgoing Firewall /sbin/iptables -A FORWARD -j OUTGOINGFWMAC - # Forward Firewall - /sbin/iptables -N FORWARDFW - /sbin/iptables -A FORWARD -j FORWARDFW - - # Input Firewall - /sbin/iptables -N INPUTFW - /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW - + # Forward Firewall + /sbin/iptables -N FORWARDFW + /sbin/iptables -A FORWARD -j FORWARDFW + + # Input Firewall + /sbin/iptables -N INPUTFW + /sbin/iptables -A INPUT -m state --state NEW -j INPUTFW + # localhost and ethernet. /sbin/iptables -A INPUT -i lo -m state --state NEW -j ACCEPT /sbin/iptables -A INPUT -s 127.0.0.0/8 -m state --state NEW -j DROP # Loopback not on lo diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index 306773fb67..c3f3b6c2f1 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile @@ -28,7 +28,7 @@ SUID_PROGS = setportfw \ squidctrl sshctrl ipfirereboot \ ipsecctrl timectrl dhcpctrl snortctrl \ applejuicectrl rebuildhosts backupctrl \ - logwatch openvpnctrl outgoingfwctrl forwardfwctrl \ + logwatch openvpnctrl forwardfwctrl \ wirelessctrl getipstat qosctrl launch-ether-wake \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl tripwirectrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ 
@@ -86,13 +86,10 @@ smartctrl: smartctrl.c setuid.o ../install+setup/libsmooth/varval.o clamavctrl: clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ clamavctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - -outgoingfwctrl: outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o - $(COMPILE) -I../install+setup/libsmooth/ outgoingfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - + forwardfwctrl: forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ forwardfwctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ - + timectrl: timectrl.c setuid.o ../install+setup/libsmooth/varval.o $(COMPILE) -I../install+setup/libsmooth/ timectrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@ diff --git a/src/misc-progs/outgoingfwctrl.c b/src/misc-progs/forwardfwctrl.c similarity index 75% rename from src/misc-progs/outgoingfwctrl.c rename to src/misc-progs/forwardfwctrl.c index 2d993d940f..a02b462bad 100644 --- a/src/misc-progs/outgoingfwctrl.c +++ b/src/misc-progs/forwardfwctrl.c @@ -18,7 +18,10 @@ int main(int argc, char *argv[]) { if (!(initsetuid())) exit(1); - safe_system("chmod 755 /var/ipfire/outgoing/bin/outgoingfw.pl"); - safe_system("/var/ipfire/outgoing/bin/outgoingfw.pl"); + if(argc > 1) + safe_system("/var/ipfire/forward/bin/rules.pl flush"); + else + safe_system("/var/ipfire/forward/bin/rules.pl"); + return 0; } -- 2.39.2
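Review bot: The new branch in main() selects the flush path on `argc > 1` alone, so any argument at all — including a mistyped one — makes this setuid helper flush the forward rules instead of rejecting the call. Compare the argument explicitly and fail closed on anything unrecognised, so the helper only ever does the two things it is meant to do; keeping the argument out of the command string, as the hunk already does, is right and should stay that way. `strcmp` needs `<string.h>`, and whether that header is already included is outside the hunk.
```c
	if (argc == 1)
		safe_system("/var/ipfire/forward/bin/rules.pl");
	else if (argc == 2 && strcmp(argv[1], "flush") == 0)
		safe_system("/var/ipfire/forward/bin/rules.pl flush");
	else
		exit(1);
	/* … unchanged: return 0 … */
```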