--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+PKG_NAME = firewall
+PKG_VER =
+PKG_REL = 0
+
+THISAPP = $(PKG_NAME)
+DIR_APP = $(DIR_SOURCE)/$(PKG_NAME)
+
+OBJECT = $(DIR_INFO)/$(STAGE_ORDER)_$(STAGE)/$(THISAPP)
+
+MAINTAINER = Michael Tremer <michael.tremer@ipfire.org>
+GROUP = Networking/Firewall
+EXTRA = no
+DEBUG = no
+DEPS =
+
+URL = http://www.ipfire.org/
+LICENSE = GPL3+
+SHORT_DESC = The IPFire Firewall Engine.
+
+define LONG_DESC
+ This script installs IPFire's firewall.
+endef
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects =
+
+download: $(objects)
+
+info:
+ $(DO_PKG_INFO)
+
+install: $(OBJECT)
+
+package:
+ @$(DO_PACKAGE)
+
+$(objects):
+ @$(LOAD)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(OBJECT): $(objects)
+ @$(PREBUILD)
+ -mkdir -pv /usr/lib/firewall
+ for i in $(DIR_APP)/{functions,zones}*; do \
+ install -m 644 -v $$i /usr/lib/firewall; \
+ done
+ install -m 755 -v $(DIR_APP)/firewall /usr/bin
+ @$(POSTBUILD)
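Review bot: The `-` prefix on `mkdir -pv /usr/lib/firewall` (L76) ignores a failed directory creation, after which the `install` calls in the loop would treat `/usr/lib/firewall` as a file name and each library would overwrite the previous one in a single regular file. Use `install -d -m 755 /usr/lib/firewall` without the `-` so a failure stops the build, and `install -m 644 -v $$i -t /usr/lib/firewall` to force directory semantics. The `{functions,zones}*` brace expansion in the loop is a bashism; if this build's make runs recipes under /bin/sh it stays literal and the install fails, so either set `SHELL = /bin/bash` or enumerate the files with `$(wildcard $(DIR_APP)/functions* $(DIR_APP)/zones*)`. `PKG_VER` is also left empty, which looks unintended for a component that is packaged and versioned.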
#ipfire_make wireless
ipfire_make pyfire
+ ipfire_make firewall
}
################################################################################
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# This is the script, that is runned by the user to contol the firewall #
+# We only do some actions here and call the functions from the libs. #
+# #
+# Actions (as known at the moment): #
+# - start/stop/restart/reload #
+# - show #
+# - running? #
+# - serveral config #
+# - calc (cidr|subnets|...) #
+# - ... #
+# #
+###############################################################################
+
+LIBDIR=/usr/lib/firewall
+
+function include() {
+ local file=$1
+ local path
+ for path in $LIBDIR .; do
+ if [ -f "$path/$file" ]; then
+ . $path/$file
+ return # found
+ fi
+ done
+ echo "Couldn't include $file. File was not found!" >&2
+ _exit 1
+}
+
+function usage() {
+ echo "Usage: $0 [global options] command [command options]"
+ echo
+ _exit ${1-1}
+}
+
+include functions
+
+while [ "$#" -gt 0 ]; do
+ case "$1" in
+ --verbose|-v)
+ verbose 1
+ vecho "${BOLD}Verbose mode is enabled.${NORMAL}"
+ ;;
+ calc)
+ shift
+ case "$1" in
+ mask2cidr)
+ mask_to_cidr $2
+ _exit $?
+ ;;
+ *)
+ usage
+ ;;
+ esac
+ ;;
+ config)
+ config_load $2
+ _exit $?
+ ;;
+ help|-h|--help)
+ usage 0
+ ;;
+ notify)
+ ;;
+ reload)
+ ;;
+ restart)
+ ;;
+ start)
+ _start
+ _exit $?
+ ;;
+ stop)
+ ;;
+ *)
+ usage
+ ;;
+ esac
+ shift
+done
+
+error "No command was given."
+usage
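Review bot: `include()` (L128) searches the current working directory after `$LIBDIR` and sources whatever it finds there, so running this tool as root from a directory another user can write to (for instance `/tmp`) would execute that user's `functions` or `zones.local` as root whenever the copy in `/usr/lib/firewall` is missing. Restrict the lookup to the install location — `if [ -f "$LIBDIR/$file" ]; then . "$LIBDIR/$file"; return; fi` — and drop the `.` entry; if a development override is wanted, take it from an explicit environment variable rather than the cwd. Note also that `_exit` (L135) lives in `functions.commands`, which is only loaded through `include functions` (L144); if that first include fails the script prints "command not found" and falls through into the option loop instead of stopping, so the not-found path should call plain `exit 1`. The unquoted `. $path/$file` should be `. "$path/$file"` as well.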
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+VERBOSE=
+TMPDIR=$(mktemp -d)
+
+BOLD="\\033[1;39m"
+NORMAL="\\033[0;39m"
+ERROR="\\033[1;31m"
+
+function verbose() {
+ if [ -n "$1" ]; then
+ VERBOSE=$1
+ return
+ else
+ if [ "$VERBOSE" = "1" ]; then
+ return 0
+ else
+ return 1
+ fi
+ fi
+}
+
+function vecho() {
+ verbose && echo -e "$@"
+}
+
+function error() {
+ echo -e "${ERROR}ERROR${NORMAL}: $@" >&2
+ _exit 1
+}
+
+function ifs() {
+ if [ -n "$1" ]; then
+ IFS_SAVE=$IFS
+ echo $1
+ else
+ echo $IFS_SAVE
+ fi
+}
+
+function uppercase() {
+ tr [a-z] [A-Z] <<< "$@"
+}
+
+include functions.commands
+include functions.config
+include functions.firewall
+include functions.ip
+include functions.iptables
+include functions.macros
+include functions.zones
+
+function _start() {
+ firewall_init
+ zones_init
+ zones_add green0
+ iptables_commit
+}
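Review bot: `TMPDIR=$(mktemp -d)` (L215) is never checked, so if mktemp fails the variable is empty, `IPTABLES_FILE` in functions.iptables becomes `/iptables`, and the rule file is written at the filesystem root. Guard it: `TMPDIR=$(mktemp -d) || { echo "Cannot create temporary directory" >&2; exit 1; }`. Because that scratch file is what will eventually be fed to iptables-restore, a predictable or shared location would let another local process tamper with the rules before they are loaded, so the private mktemp directory is the right design and should stay mandatory. `_start` (L267) also hard-codes `green0`, which reads as a placeholder until zones come from configuration and deserves a TODO comment saying so.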
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+function cmd_quiet() {
+ $@ &>/dev/null
+}
+
+function _exit() {
+ rm -rf $TMPDIR
+ exit $@
+}
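Review bot: `_exit` (L297) runs `rm -rf $TMPDIR` unquoted and without checking the variable, so with an empty `TMPDIR` it only prints an error, and any unexpected value would be word-split before deletion. Prefer `[ -n "$TMPDIR" ] && rm -rf "$TMPDIR"` followed by `exit "$@"`. `cmd_quiet` (L293) should likewise run `"$@" &>/dev/null` so arguments containing spaces reach the command intact.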
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+CONFIG_NONE=0
+CONFIG_TEXT=1
+CONFIG_SQLITE=2
+
+function config_type() {
+ if _config_is_sqlite $1; then
+ echo $CONFIG_SQLITE
+ else
+ echo $CONFIG_TEXT
+ fi
+}
+
+function config_load() {
+ local file
+ local type
+ file=$1
+
+ if ! [ -f "$file" ]; then
+ error "Cannot load config file $file. File does not exist!"
+ exit 1
+ fi
+
+ vecho "Loading config file: $file"
+
+ type=$(config_type $file)
+ if [ "$type" = "$CONFIG_SQLITE" ]; then
+ eval $(_config_load_sqlite $file)
+ else
+ eval $(_config_load_text $file)
+ fi
+}
+
+function _config_is_sqlite() {
+ file $1 2>/dev/null | grep -q "SQLite 3.x database"
+}
+
+function _config_dump_sqlite() {
+ sqlite3 -noheader -column $1 "SELECT * FROM config;"
+}
+
+function _config_load_sqlite() {
+ _config_dump_sqlite $1 | while read KEY VALUE; do
+ echo "$KEY=$VALUE"
+ done
+}
+
+function _config_load_text() {
+ readhash $1
+}
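Review bot: `config_load` runs configuration content through `eval` (L348, L350), and `_config_load_sqlite` (L364) emits `$KEY=$VALUE` unquoted, so a value such as `x; touch /tmp/pwned`, one containing `$(...)`, or a KEY that is not a plain identifier is executed by the root process instead of being stored. Validate the key and quote the value before eval sees them: `[[ $KEY =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue` followed by `printf '%s=%q\n' "$KEY" "$VALUE"`. The text path relies on `readhash`, which is not defined anywhere visible in this series, so the same validation has to be applied wherever that lives. `error` (L340) already terminates via `_exit`, making the following `exit 1` unreachable, and `file $1` / `sqlite3 … $1` should quote the path. Older sqlite3 `-column` output may truncate values to the default column width, so `-list` with an explicit separator is probably safer for dumping config values.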
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+function firewall_init() {
+ iptables_init
+ firewall_tcp_state_flags
+ firewall_connection_tracking
+}
+
+function firewall_tcp_state_flags() {
+ vecho "Adding ${BOLD}TCP State Flags${NORMAL} chain..."
+ chain_create BADTCP_LOG
+ iptables -A BADTCP_LOG -p tcp -j LOG --log-prefix \"Illegal TCP state: \" \
+ --log-ip-options --log-tcp-options
+ iptables -A BADTCP_LOG -j DROP
+
+ chain_create BADTCP
+ iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j BADTCP_LOG
+ iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADTCP_LOG
+ iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j BADTCP_LOG
+ iptables -A BADTCP -p tcp --tcp-flags FIN,RST FIN,RST -j BADTCP_LOG
+ iptables -A BADTCP -p tcp --tcp-flags ACK,FIN FIN -j BADTCP_LOG
+ iptables -A BADTCP -p tcp --tcp-flags ACK,PSH PSH -j BADTCP_LOG
+ iptables -A BADTCP -p tcp --tcp-flags ACK,URG URG -j BADTCP_LOG
+
+ iptables -A INPUT -p tcp -j BADTCP
+ iptables -A OUTPUT -p tcp -j BADTCP
+ iptables -A FORWARD -p tcp -j BADTCP
+}
+
+function firewall_connection_tracking() {
+ vecho "Adding ${BOLD}Connection Tracking${NORMAL} chain..."
+ chain_create CONNTRACK
+ iptables -A CONNTRACK -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A CONNTRACK -m state --state INVALID -j $(iptables_LOG "INVALID packet: ")
+ iptables -A CONNTRACK -m state --state INVALID -j DROP
+
+ iptables -A INPUT -p tcp -j CONNTRACK
+ iptables -A OUTPUT -p tcp -j CONNTRACK
+ iptables -A FORWARD -p tcp -j CONNTRACK
+}
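Review bot: The CONNTRACK chain is attached to INPUT, OUTPUT and FORWARD with `-p tcp` (L427–L429), so the ESTABLISHED/RELATED accept and the INVALID drop never apply to UDP, ICMP or anything else; with the DROP policies set by `iptables_init`, replies to outbound DNS queries and ICMP errors would be discarded. The `-p tcp` restriction belongs only to the BADTCP hook (L415–L417); the conntrack hook should read `iptables -A INPUT -j CONNTRACK` (and likewise for OUTPUT and FORWARD). BADTCP_LOG also uses a hard-coded `LOG` target (L402) while the INVALID rule goes through `iptables_LOG` (L424) and honours `LOG_FACILITY`; using the helper in both places keeps logging consistent when ulogd2 is selected, though `--log-ip-options --log-tcp-options` would then need an NFLOG-aware equivalent or to be dropped.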
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# General IP address manipulation functions
+# ip_encode - Encodes an IP to an integer
+# Parameters: ip address (e.g. 192.168.0.1)
+# Returns : integer
+# ip_decode - Decodes an integer to an IP
+# Parameters: integer
+# Returns : ip address
+# ip_valid - Checks if given IP is valid
+# Parameters: IP
+# Returns : boolean
+#
+# General subnet functions
+# ip_range - Enumerates members of an IP range
+# Parameters: ip range (e.g. 192.168.0.1-192.168.0.128)
+# Returns : several subnets/IPs
+# ip_range_explicit - Enumerates ALL IP addresses of an IP range
+# Parameters: ip range
+# Returns : several IPs
+# subnet_network - Calculates the network address of a CIDR
+# Parameters: CIDR network (e.g. 192.168.0.0/24)
+# Returns : Network address
+# subnet_broadcast - Calculates the broadcast address of a CIDR
+# Parameters: CIDR network
+# Returns : Broadcast address
+# ip_in_subnet - Checks if an IP is in given subnet
+# Parameters: IP address, subnet
+# Returns : Boolean
+# mask_to_cidr - Converts a subnet mask to cidr type
+# Parameters: subnet (e.g. 255.255.255.0)
+# Returns : CIDR (e.g. 24)
+#
+
+function ip_encode() {
+ IFS=$(ifs .)
+
+ local int=0
+ for field in $1; do
+ int=$(( $(( $int << 8 )) | $field ))
+ done
+
+ echo $int
+ IFS=$(ifs)
+}
+
+function ip_decode() {
+ addr=$1
+
+ local x
+ local y
+
+ y=$(($addr & 255))
+ for x in 1 2 3; do
+ addr=$(($addr >> 8))
+ y=$(($addr & 255)).$y
+ done
+
+ echo $y
+}
+
+function ip_range() {
+ local first
+ local last
+ local l
+ local x
+ local y
+ local z
+ local vlsm
+
+ case "$1" in
+ !*)
+ echo $1
+ return
+ ;;
+ [0-9]*.*.*.*-*.*.*.*)
+ ;;
+ *)
+ echo $1
+ return
+ ;;
+ esac
+
+ first=$(ip_encode ${1%-*})
+ last=$(ip_encode ${1#*-})
+
+ if [ $first -gt $last ]; then
+ error "Invalid IP address range: $1"
+ fi
+
+ l=$(( $last + 1 ))
+
+ while [ $l -gt $first ]; do
+ vlsm=
+ x=31
+ y=2
+ z=1
+
+ while [ $(( $first % $y )) -eq 0 ] && [ $l -gt $(( $first + $y )) ]; do
+ vlsm=/$x
+ x=$(( $x - 1 ))
+ z=$y
+ y=$(( $y * 2 ))
+ done
+
+ echo $(ip_decode $first)$vlsm
+ first=$(($first + $z))
+ done
+}
+
+function ip_range_explicit() {
+ local first
+ local last
+
+ case $1 in
+ [0-9]*.*.*.*-*.*.*.*)
+ ;;
+ *)
+ echo $1
+ return
+ ;;
+ esac
+
+ first=$(ip_encode ${1%-*})
+ last=$(ip_encode ${1#*-})
+
+ if [ $first -gt $last ]; then
+ error "Invalid IP address range: $1"
+ fi
+
+ while ! [ $first -gt $last ]; do
+ echo $(ip_decode $first)
+ first=$(($first + 1))
+ done
+}
+
+function _netmask() {
+ local vlsm
+ vlsm=${1#*/}
+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+}
+
+function subnet_network() {
+ local encodedaddr
+ encodedaddr=$(ip_encode ${1%/*})
+ local netmask
+ netmask=$(_netmask $1)
+
+ echo $(ip_decode $(($encodedaddr & $netmask)))
+}
+
+function _broadcast() {
+ local x
+ x=$(( 32 - ${1#*/} ))
+ [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 << $x )) - 1 ))
+}
+
+function subnet_broadcast() {
+ local encodedaddr
+ encodedaddr=$(ip_encode ${1%/*})
+ local netmask
+ netmask=$(_netmask $1)
+ local broadcast
+ broadcast=$(_broadcast $1)
+
+ echo $(ip_decode $(( $(($encodedaddr & $netmask)) | $broadcast )))
+}
+
+function ip_in_subnet() {
+ local netmask
+ netmask=$(_netmask $2)
+ [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ]
+}
+
+function mask_to_cidr() {
+ local mask
+ mask=$(ip_encode $1)
+ local cidr
+ cidr=0
+ local x
+ x=$(( 128 << 24 )) # 0x80000000
+
+ while [ $(( $x & $mask )) -ne 0 ]; do
+ [ $mask -eq $x ] && mask=0 || mask=$(( $mask << 1 ))
+ cidr=$(($cidr + 1))
+ done
+
+ if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
+ echo "Invalid net mask: $1" >&2
+ else
+ echo $cidr
+ fi
+}
+
+function ip_valid() {
+ local x
+ IFS=$(ifs .)
+ for x in $1; do
+ case $x in
+ [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
+ [ $x -lt 256 ] || { IFS=$(ifs); return 1; }
+ ;;
+ *)
+ IFS=$(ifs)
+ return 1
+ ;;
+ esac
+ done
+ IFS=$(ifs)
+ return 0
+}
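Review bot: The IFS save/restore in `ip_encode` (L487/L495) and `ip_valid` (L648/L660) is broken: `IFS=$(ifs .)` runs `ifs` in a command-substitution subshell, so `IFS_SAVE` is only ever set in that subshell, and the later `IFS=$(ifs)` echoes an unset variable and leaves the caller's IFS empty. Callers of `ip_encode` are shielded because they all use `$(ip_encode …)`, but a direct `ip_valid` call disables word splitting for the rest of the script. Replace each pair with `local IFS=.` at the top of the function — bash restores the previous IFS on return — and the `ifs` helper in `functions` becomes unnecessary. Separately, `ip_encode` feeds each octet into `$(( ))` unvalidated while `ip_valid` has no callers; since addresses will arrive from configuration and the command line, guard with `ip_valid "$1" || error "Invalid IP address: $1"` first, because bash arithmetic on arbitrary strings is not a safe parser (array subscripts inside it are expanded). `ip_decode` (L499) assigns `addr` without `local` and `ip_encode` leaks `field`, both of which clobber caller variables of the same name.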
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+IPTABLES_FILE=$TMPDIR/iptables
+
+function iptables() {
+ echo "$@" >> $IPTABLES_FILE
+}
+
+function iptables_flush() {
+ : # TODO
+}
+
+function iptables_init() {
+ iptables_flush
+
+ iptables "* filter"
+ chain_create INPUT DROP
+ chain_create OUTPUT DROP
+ chain_create FORWARD DROP
+}
+
+function iptables_commit() {
+ vecho "Committing firewall configuration."
+ iptables "COMMIT"
+ verbose && cat $IPTABLES_FILE
+ #iptables-restore < $IPTABLES_FILE
+}
+
+function chain_create() {
+ iptables ":$1 ${2--} [0:0]"
+}
+
+function iptables_LOG() {
+ local prefix
+ prefix=$1
+
+ if [ "$LOG_FACILITY" = "ulogd2" ]; then
+ echo -n "NFLOG"
+ [ -n "$prefix" ] && echo -n " --nflog-prefix \"$prefix\""
+ echo -n " --nflog-threshold 30"
+ else
+ echo -n "LOG"
+ [ -n "$prefix" ] && echo -n " --log-prefix \"$prefix\""
+ fi
+ echo
+}
+
+function iptables_protocol() {
+ local PROTO
+ PROTO=$1
+ for proto in tcp udp esp ah; do
+ if [ "$PROTO" = "$proto" ]; then
+ echo "-p $PROTO"
+ break
+ fi
+ done
+}
+
+IPTABLES_PORT=0
+IPTABLES_MULTIPORT=1
+IPTABLES_PORTRANGE=2
+
+function _iptables_port_range() {
+ grep -q ":" <<< $@
+}
+
+function _iptables_port_multiport() {
+ grep -q "," <<< $@
+}
+
+function _iptables_port() {
+ if _iptables_port_range "$@"; then
+ echo $IPTABLES_PORTRANGE
+ elif _iptables_port_multiport "$@"; then
+ echo $IPTABLES_MULTIPORT
+ else
+ echo $IPTABLES_PORT
+ fi
+}
+
+function iptables_source_port() {
+ [ -z "$@" ] && return
+ local type
+ type=$(_iptables_port $@)
+ if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
+ echo "-m multiport --source-ports $@"
+ else
+ echo "--sport $@"
+ fi
+}
+
+function iptables_destination_port() {
+ [ -z "$@" ] && return
+ local type
+ type=$(_iptables_port $@)
+ if [ "$type" = "$IPTABLES_MULTIPORT" ]; then
+ echo "-m multiport --destination-ports $@"
+ else
+ echo "--dport $@"
+ fi
+}
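Review bot: `iptables_protocol` (L730) prints nothing for a protocol outside `tcp udp esp ah`, so a macro line saying `icmp`, or a typo, silently yields a rule without `-p` — one that matches every protocol (or, if ports were given, one iptables-restore rejects). Make the unknown case explicit: change `break` to `return` and add `error "Unsupported protocol: $PROTO"` after the loop; because the function runs inside `$(...)` at L833, `error` only ends that subshell, so `macro_parse` must also check for an empty result or a non-zero status. `iptables_LOG` (L721, L725) places the prefix between literal double quotes, so a prefix containing `"` corrupts the generated restore file; the prefixes are constants today, but validate them if they ever become configurable. `[ -z "$@" ]` (L764, L775) should be `[ -z "$*" ]`, and the loop variable `proto` should be declared `local`.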
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+function macro() {
+ local file
+ file=$1
+
+ vecho "Parsing macro: $file"
+
+ if _config_is_sqlite $file; then
+ macro_sqlite $file
+ else
+ macro_text $file
+ fi
+}
+
+function macro_text() {
+ macro_parse < $1
+}
+
+function macro_sqlite() {
+ sqlite3 -noheader -column $1 | macro_parse
+}
+
+# Just a scatch of concept... Need a lot to do here
+function macro_parse() {
+ local STRING
+ grep -v "^#" | while read TARGET SOURCE DESTINATION PROTOCOL SOURCE_PORT DESTINATION_PORT RATE; do
+ STRING=""
+ # Protocol
+ STRING="$STRING $(iptables_protocol $PROTOCOL)"
+ # Ports
+ STRING="$STRING $(iptables_source_port $SOURCE_PORT)"
+ STRING="$STRING $(iptables_destination_port $DESTINATION_PORT)"
+
+ if [ "$TARGET" = "ACCEPT" ]; then
+ STRING="$STRING -j ACCEPT"
+
+ elif [ "$TARGET" = "DROP" ]; then
+ STRING="$STRING -j DROP"
+
+ # elif ...
+
+ fi
+ [ -n "$STRING" ] && echo $STRING
+ done
+}
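Review bot: `macro_sqlite` (L824) runs `sqlite3 -noheader -column $1` without an SQL statement, so sqlite3 reads commands from the script's stdin instead of dumping the macro table; compare `_config_dump_sqlite` (L359), which passes a query, and add the equivalent here (the table name is not visible in this series). In `macro_parse`, a TARGET other than ACCEPT or DROP still reaches the `echo` because `STRING` always starts with the protocol match, so the sample macro's `CUSTOM` action produces a rule with no `-j` at all; add `else error "Unknown target: $TARGET"` — noting that inside the `| while read` subshell `error` only ends that subshell, so the caller needs to check the pipeline status. `SOURCE`, `DESTINATION` and `RATE` are read and silently ignored, which deserves a comment so a reader does not assume address or rate restrictions in a macro are enforced. `echo $STRING` should be `echo "$STRING"` (or `printf '%s\n'`) so the generated rule text is not reinterpreted by the shell.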
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+include zones.local
+
+function zones_init() {
+
+ zones_local_init
+
+}
+
+function zones_add() {
+ local device
+ local name
+
+ device=$1
+ zones_exists $device || error "Zone $device does not exist."
+
+ name=$(uppercase "ZONE_$device")
+ chain_create $name
+ iptables -A FORWARD -i $device -j $name
+ iptables -A FORWARD -o $device -j $name
+
+ chain_create ${name}_CUSTOM
+ iptables -A $name -j ${name}_CUSTOM
+}
+
+function zones_exists() {
+ cmd_quiet ip link show $1
+}
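Review bot: `zones_add` sends both `-i $device` and `-o $device` FORWARD traffic into the same `ZONE_<DEVICE>` chain (L889–L890), so any rule later placed in that chain or its `_CUSTOM` child applies to packets entering and leaving the zone alike; an ACCEPT meant to let hosts behind green0 reach port 80 elsewhere would equally admit forwarded connections to port 80 on those hosts. Splitting into `${name}_IN`/`${name}_OUT` chains, or carrying the direction via `-i`/`-o` in the rules the macros generate, keeps per-zone policy expressible. The device name should be quoted (`zones_exists "$device"`, `-i "$device"`) and, since it becomes part of a chain name, checked against the character set iptables accepts; `zones_exists` only proves an interface of that name exists, not that it is the expected one. INPUT and OUTPUT are not hooked for the zone at all, so with the DROP policies the firewall host itself is unreachable from green0 except over lo — presumably intended at this stage, but worth a comment.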
--- /dev/null
+# IPFire Macro
+# This macro handles plaintext HTTP (WWW) traffic.
+# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE
+CUSTOM - - tcp 80
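Review bot: The rule line puts `80` in the fifth column, which `macro_parse` reads as `SOURCE_PORT` (its `read TARGET SOURCE DESTINATION PROTOCOL SOURCE_PORT DESTINATION_PORT RATE`), so this macro would match traffic *from* port 80 rather than HTTP requests *to* port 80 — a client can pick its source port, which makes such a rule trivially bypassable. The header on the line above already shows the intended order; the line should read `CUSTOM - - tcp - 80`. Note also that `-` is not treated as "unset" by `iptables_source_port`/`iptables_destination_port`, which would emit `--sport -`, so the parser needs to map `-` to empty before building the rule.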
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+function zones_local_init() {
+
+ # Accept everything on lo
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A OUTPUT -o lo -j ACCEPT
+
+}
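Review bot: Accepting everything on `lo` is standard, but nothing rejects packets carrying a 127.0.0.0/8 source or destination that arrive on a non-loopback interface, the usual companion rule so that loopback-only services cannot be reached by spoofed packets; consider adding `iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP` here (the kernel treats these as martians by default, so this is belt-and-braces that documents the intent and covers hosts where that is disabled). Since `iptables` in this file is the shell function from `functions.iptables` that only appends to the restore file, a one-line comment saying so would spare a reader looking for the binary's exit status.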
--- /dev/null
+usr/bin/firewall
+usr/lib/firewall
+usr/lib/firewall/functions
+usr/lib/firewall/functions.commands
+usr/lib/firewall/functions.config
+usr/lib/firewall/functions.firewall
+usr/lib/firewall/functions.ip
+usr/lib/firewall/functions.iptables
+usr/lib/firewall/functions.macros
+usr/lib/firewall/functions.zones
+usr/lib/firewall/zones.local
lib/xtables/libxt_tos.so
lib/xtables/libxt_u32.so
lib/xtables/libxt_udp.so
-#sbin/ip6tables
+sbin/ip6tables
#sbin/ip6tables-multi
-#sbin/ip6tables-restore
-#sbin/ip6tables-save
+sbin/ip6tables-restore
+sbin/ip6tables-save
sbin/iptables
#sbin/iptables-multi
-#sbin/iptables-restore
-#sbin/iptables-save
+sbin/iptables-restore
+sbin/iptables-save
#usr/include/ip6tables.h
#usr/include/iptables.h
#usr/include/libipq.h