5 # This code is distributed under the terms of the GPL
11 # enable only the following on debugging purpose
# Shared IPFire helper library; supplies General::readhash and $General::swroot used below.
14 require '/var/ipfire/general-functions.pl' ;
# Settings hashes.  %netsettings is filled by readhash further down but is not declared in
# the visible lines -- presumably declared in an omitted line; confirm it is lexical (my).
16 my %outfwsettings = ();
20 my $errormessage = "" ;
# Fixed, hard-coded paths: the rules file opened below and the p2p protocol list.
31 my $configfile = "/var/ipfire/outgoing/rules" ;
32 my $p2pfile = "/var/ipfire/outgoing/p2protocols" ;
# Interface/network settings (GREEN_*/BLUE_*/ORANGE_*/RED_DEV are interpolated into the
# iptables rules built later in the script).
34 & General
:: readhash
( "${General::swroot}/ethernet/settings" , \
%netsettings );
36 ### Values that have to be initialized
# Defaults are assigned before the settings file is read, so the file overrides them;
# POLICY falls back to MODE0 (chain torn down) when the settings file does not set it.
37 $outfwsettings { 'ACTION' } = '' ;
38 $outfwsettings { 'VALID' } = 'yes' ;
39 $outfwsettings { 'EDIT' } = 'no' ;
40 $outfwsettings { 'NAME' } = '' ;
41 $outfwsettings { 'SNET' } = '' ;
42 $outfwsettings { 'SIP' } = '' ;
43 $outfwsettings { 'SPORT' } = '' ;
44 $outfwsettings { 'SMAC' } = '' ;
45 $outfwsettings { 'DIP' } = '' ;
46 $outfwsettings { 'DPORT' } = '' ;
47 $outfwsettings { 'PROT' } = '' ;
48 $outfwsettings { 'STATE' } = '' ;
49 $outfwsettings { 'DISPLAY_DIP' } = '' ;
50 $outfwsettings { 'DISPLAY_DPORT' } = '' ;
51 $outfwsettings { 'DISPLAY_SMAC' } = '' ;
52 $outfwsettings { 'DISPLAY_SIP' } = '' ;
53 $outfwsettings { 'POLICY' } = 'MODE0' ;
# Persisted outgoing-firewall settings; read after the defaults above, so they win.
64 & General
:: readhash
( "${General::swroot}/outgoing/settings" , \
%outfwsettings );
# NOTE(review): this re-reads ethernet/settings into %netsettings, which was already
# read above; looks redundant unless the omitted lines modify %netsettings in between.
65 & General
:: readhash
( "${General::swroot}/ethernet/settings" , \
%netsettings );
# NOTE(review): two-arg open on a bareword global handle.  $configfile is a constant
# defined above, so no open mode can be injected through it here, but the three-arg
# lexical form (open my $fh, '<', $configfile or die ...) is the safer idiom and avoids
# sharing the global FILE handle with the rest of the program.
67 open ( FILE
, "< $configfile " ) or die "Unable to read $configfile " ;
# $DEBUG is referenced here and later but declared outside the visible lines.
72 print "Outgoing firewall for IPFire - $outfwsettings {'POLICY'} \n " ;
73 if ( $DEBUG ) { print "Debugging mode! \n " ; }
# Policy selection.  MODE0 removes the OUTGOINGFW chain entirely (presumably followed by
# an exit in the omitted lines 80-81; otherwise the chain is recreated empty below).
# MODE1/MODE2 only set STATE, which the rule loop later compares against the first
# field of each rule line.
77 if ( $outfwsettings { 'POLICY' } eq 'MODE0' ) {
78 system ( "/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1" );
79 system ( "/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1" );
82 } elsif ( $outfwsettings { 'POLICY' } eq 'MODE1' ) {
83 $outfwsettings { 'STATE' } = "ALLOW" ;
86 } elsif ( $outfwsettings { 'POLICY' } eq 'MODE2' ) {
87 $outfwsettings { 'STATE' } = "DENY" ;
92 ### Initialize IPTables
# Constant command strings run through the shell (needed for the redirections); no
# interpolated data reaches the shell in these three calls.  The iptables exit status
# is not checked, so a failure to recreate the chain goes unnoticed.
93 system ( "/sbin/iptables --flush OUTGOINGFW >/dev/null 2>&1" );
94 system ( "/sbin/iptables --delete-chain OUTGOINGFW >/dev/null 2>&1" );
95 system ( "/sbin/iptables -N OUTGOINGFW >/dev/null 2>&1" );
97 foreach $configentry ( sort @configs )
105 @configline = split ( /\;/ , $configentry );
106 if ( $outfwsettings { 'STATE' } eq $configline [ 0 ]) {
107 if ( $configline [ 2 ] eq 'green' ) {
108 $SOURCE = " $netsettings {'GREEN_NETADDRESS'}/ $netsettings {'GREEN_NETMASK'}" ;
109 $DEV = $netsettings { 'GREEN_DEV' };
110 } elsif ( $configline [ 2 ] eq 'blue' ) {
111 $SOURCE = " $netsettings {'BLUE_NETADDRESS'}/ $netsettings {'BLUE_NETMASK'}" ;
112 $DEV = $netsettings { 'BLUE_DEV' };
113 } elsif ( $configline [ 2 ] eq 'orange' ) {
114 $SOURCE = " $netsettings {'ORANGE_NETADDRESS'}/ $netsettings {'ORANGE_NETMASK'}" ;
115 $DEV = $netsettings { 'ORANGE_DEV' };
116 } elsif ( $configline [ 2 ] eq 'ip' ) {
117 $SOURCE = " $configline [5]" ;
124 if ( $configline [ 7 ]) { $DESTINATION = " $configline [7]" ; } else { $DESTINATION = "0/0" ; }
126 $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION " ;
128 if ( $configline [ 3 ] ne 'tcp&udp' ) {
129 $PROTO = " $configline [3]" ;
130 $CMD = " $CMD -p $PROTO " ;
131 if ( $configline [ 8 ]) {
132 $DPORT = " $configline [8]" ;
133 $CMD = " $CMD --dport $DPORT " ;
138 $CMD = " $CMD -i $DEV " ;
141 if ( $configline [ 6 ]) {
142 $MAC = " $configline [6]" ;
143 $CMD = " $CMD -m mac --mac-source $MAC " ;
146 $CMD = " $CMD -o $netsettings {'RED_DEV'}" ;
147 if ( $DEBUG ) { print " $CMD -j $DO \n " ; } else { system ( " $CMD -j $DO " ); }
149 if ( $configline [ 9 ] eq "log" ) {
150 if ( $DEBUG ) { print " $CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW ' \n " ; } else { system ( " $CMD -m state --state NEW -j LOG --log-prefix 'OUTGOINGFW '" ); }