]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - html/cgi-bin/guardian.cgi
projects / people / pmueller / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
guardian: Remove snort related options.
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / guardian.cgi
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2016 IPFire Team <info@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23 use Locale::Codes::Country;
24 use Guardian::Socket;
25
26 # enable only the following on debugging purpose
27 #use warnings;
28 #use CGI::Carp 'fatalsToBrowser';
29
30 require '/var/ipfire/general-functions.pl';
31 require "${General::swroot}/lang.pl";
32 require "${General::swroot}/header.pl";
33
34 #workaround to suppress a warning when a variable is used only once
35 my @dummy = (
36 ${Header::colourred},
37 ${Header::colourgreen}
38 );
39
40 undef (@dummy);
41
42 my $string=();
43 my $memory=();
44 my @memory=();
45 my @pid=();
46 my @guardian=();
47
48 # Path to the guardian.ignore file.
49 my $ignorefile ='/var/ipfire/guardian/guardian.ignore';
50
51 # Hash which contains the supported modules and the
52 # file locations on IPFire systems.
53 my %module_file_locations = (
54 "HTTPD" => "/var/log/httpd/error_log",
55 "SSH" => "/var/log/messages",
56 );
57
58 our %netsettings = ();
59 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
60
61 our %color = ();
62 our %mainsettings = ();
63 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
64 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
65
66 # File declarations.
67 my $settingsfile = "${General::swroot}/guardian/settings";
68 my $ignoredfile = "${General::swroot}/guardian/ignored";
69
70 # Create empty settings and ignoredfile if they do not exist yet.
71 unless (-e "$settingsfile") { system("touch $settingsfile"); }
72 unless (-e "$ignoredfile") { system("touch $ignoredfile"); }
73
74 our %settings = ();
75 our %ignored = ();
76
77 $settings{'ACTION'} = '';
78
79 $settings{'GUARDIAN_ENABLED'} = 'off';
80 $settings{'GUARDIAN_MONITOR_SSH'} = 'on';
81 $settings{'GUARDIAN_MONITOR_HTTPD'} = 'on';
82 $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = '';
83 $settings{'GUARDIAN_LOG_FACILITY'} = 'syslog';
84 $settings{'GUARDIAN_LOGLEVEL'} = 'info';
85 $settings{'GUARDIAN_BLOCKCOUNT'} = '3';
86 $settings{'GUARDIAN_BLOCKTIME'} = '86400';
87 $settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP';
88 $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log';
89
90 my $errormessage = '';
91
92 &Header::showhttpheaders();
93
94 # Get GUI values.
95 &Header::getcgihash(\%settings);
96
97 # Check if guardian is running and grab some stats.
98 &daemonstats();
99 my $pid = $pid[0];
100
101 ## Perform input checks and save settings.
102 #
103 if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
104 # Check for valid blocktime.
105 unless(($settings{'GUARDIAN_BLOCKTIME'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKTIME'} ne "0")) {
106 $errormessage = "$Lang::tr{'guardian invalid blocktime'}";
107 }
108
109 # Check if the blockcount is valid.
110 unless(($settings{'GUARDIAN_BLOCKCOUNT'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKCOUNT'} ne "0")) {
111 $errormessage = "$Lang::tr{'guardian invalid blockcount'}";
112 }
113
114 # Check Logfile.
115 unless($settings{'GUARDIAN_LOGFILE'} =~ /^[a-zA-Z0-9\.\/]+$/) {
116 $errormessage = "$Lang::tr{'guardian invalid logfile'}";
117 }
118
119 # Only continue if no error message has been set.
120 if($errormessage eq '') {
121 # Write configuration settings to file.
122 &General::writehash("${General::swroot}/guardian/settings", \%settings);
123
124 # Update configuration files.
125 &BuildConfiguration();
126 }
127
128 ## Add/edit an entry to the ignore file.
129 #
130 } elsif (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::tr{'update'})) {
131
132 # Check if any input has been performed.
133 if ($settings{'IGNORE_ENTRY_ADDRESS'} ne '') {
134
135 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
136 if ((!&General::validip($settings{'IGNORE_ENTRY_ADDRESS'})) && (!&General::validipandmask($settings{'IGNORE_ENTRY_ADDRESS'}))) {
137 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
138 }
139 } else {
140 $errormessage = "$Lang::tr{'guardian empty input'}";
141 }
142
143 # Go further if there was no error.
144 if ($errormessage eq '') {
145 my %ignored = ();
146 my $id;
147 my $status;
148
149 # Assign hash values.
150 my $new_entry_address = $settings{'IGNORE_ENTRY_ADDRESS'};
151 my $new_entry_remark = $settings{'IGNORE_ENTRY_REMARK'};
152
153 # Read-in ignoredfile.
154 &General::readhasharray($ignoredfile, \%ignored);
155
156 # Check if we should edit an existing entry and got an ID.
157 if (($settings{'ACTION'} eq $Lang::tr{'update'}) && ($settings{'ID'})) {
158 # Assin the provided id.
159 $id = $settings{'ID'};
160
161 # Undef the given ID.
162 undef($settings{'ID'});
163
164 # Grab the configured status of the corresponding entry.
165 $status = $ignored{$id}[2];
166 } else {
167 # Each newly added entry automatically should be enabled.
168 $status = "enabled";
169
170 # Generate the ID for the new entry.
171 #
172 # Sort the keys by their ID and store them in an array.
173 my @keys = sort { $a <=> $b } keys %ignored;
174
175 # Reverse the key array.
176 my @reversed = reverse(@keys);
177
178 # Obtain the last used id.
179 my $last_id = @reversed[0];
180
181 # Increase the last id by one and use it as id for the new entry.
182 $id = ++$last_id;
183 }
184
185 # Add/Modify the entry to/in the ignored hash.
186 $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"];
187
188 # Write the changed ignored hash to the ignored file.
189 &General::writehasharray($ignoredfile, \%ignored);
190
191 # Regenerate the ignore file.
192 &GenerateIgnoreFile();
193 }
194
195 # Check if guardian is running.
196 if ($pid > 0) {
197 # Send reload command through socket connection.
198 &Guardian::Socket::Client("reload-ignore-list");
199 }
200
201 ## Toggle Enabled/Disabled for an existing entry on the ignore list.
202 #
203
204 } elsif ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
205 my %ignored = ();
206
207 # Only go further, if an ID has been passed.
208 if ($settings{'ID'}) {
209 # Assign the given ID.
210 my $id = $settings{'ID'};
211
212 # Undef the given ID.
213 undef($settings{'ID'});
214
215 # Read-in ignoredfile.
216 &General::readhasharray($ignoredfile, \%ignored);
217
218 # Grab the configured status of the corresponding entry.
219 my $status = $ignored{$id}[2];
220
221 # Switch the status.
222 if ($status eq "disabled") {
223 $status = "enabled";
224 } else {
225 $status = "disabled";
226 }
227
228 # Modify the status of the existing entry.
229 $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"];
230
231 # Write the changed ignored hash to the ignored file.
232 &General::writehasharray($ignoredfile, \%ignored);
233
234 # Regenerate the ignore file.
235 &GenerateIgnoreFile();
236
237 # Check if guardian is running.
238 if ($pid > 0) {
239 # Send reload command through socket connection.
240 &Guardian::Socket::Client("reload-ignore-list");
241 }
242 }
243
244 ## Remove entry from ignore list.
245 #
246 } elsif ($settings{'ACTION'} eq $Lang::tr{'remove'}) {
247 my %ignored = ();
248
249 # Read-in ignoredfile.
250 &General::readhasharray($ignoredfile, \%ignored);
251
252 # Drop entry from the hash.
253 delete($ignored{$settings{'ID'}});
254
255 # Undef the given ID.
256 undef($settings{'ID'});
257
258 # Write the changed ignored hash to the ignored file.
259 &General::writehasharray($ignoredfile, \%ignored);
260
261 # Regenerate the ignore file.
262 &GenerateIgnoreFile();
263
264 # Check if guardian is running.
265 if ($pid > 0) {
266 # Send reload command through socket connection.
267 &Guardian::Socket::Client("reload-ignore-list");
268 }
269
270 ## Block a user given address or subnet.
271 #
272 } elsif ($settings{'ACTION'} eq $Lang::tr{'block'}) {
273
274 # Assign some temporary variables used for input validation.
275 my $input = $settings{'ADDRESS_BLOCK'};
276 my $green = $netsettings{'GREEN_ADDRESS'};
277 my $blue = $netsettings{'BLUE_ADDRESS'};
278 my $orange = $netsettings{'ORANGE_ADDRESS'};
279 my $red = $netsettings{'RED_ADDRESS'};
280
281 # File declarations.
282 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
283 my $dns1file = "${General::swroot}/red/dns1";
284 my $dns2file = "${General::swroot}/red/dns2";
285
286 # Get gateway address.
287 my $gateway = &_get_address_from_file($gatewayfile);
288
289 # Get addresses from the used dns servers.
290 my $dns1 = &_get_address_from_file($dns1file);
291 my $dns2 = &_get_address_from_file($dns2file);
292
293 # Check if any input has been performed.
294 if ($input eq '') {
295 $errormessage = "$Lang::tr{'guardian empty input'}";
296 }
297
298 # Check if the given input is localhost (127.0.0.1).
299 elsif ($input eq "127.0.0.1") {
300 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
301 }
302
303 # Check if the given input is anywhere (0.0.0.0).
304 elsif ($input eq "0.0.0.0") {
305 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
306 }
307
308 # Check if the given input is one of the interface addresses or our gateway.
309 elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway" || $input eq "$dns1" || $input eq "$dns2") {
310 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
311 }
312
313 # Check if the given input is a valid IP address.
314 elsif (!&General::validip($input)) {
315 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
316 }
317
318 # Go further if there was no error.
319 if ($errormessage eq '') {
320 my $block = $settings{'ADDRESS_BLOCK'};
321
322 # Send command to block the specified address through socket connection.
323 &Guardian::Socket::Client("block $block");
324 }
325
326 ## Unblock address or subnet.
327 #
328 } elsif ($settings{'ACTION'} eq $Lang::tr{'unblock'}) {
329
330 # Check if no empty input has been performed.
331 if ($settings{'ADDRESS_UNBLOCK'} ne '') {
332
333 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
334 if ((!&General::validip($settings{'ADDRESS_UNBLOCK'})) && (!&General::validipandmask($settings{'ADDRESS_UNBLOCK'}))) {
335 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
336 }
337
338 } else {
339 $errormessage = "$Lang::tr{'guardian empty input'}";
340 }
341
342 # Go further if there was no error.
343 if ($errormessage eq '') {
344 my $unblock = $settings{'ADDRESS_UNBLOCK'};
345
346 # Send command to unblock the given address through socket connection.
347 &Guardian::Socket::Client("unblock $unblock");
348 }
349
350 ## Unblock all.
351 #
352 } elsif ($settings{'ACTION'} eq $Lang::tr{'unblock all'}) {
353
354 # Send flush command through socket connection.
355 &Guardian::Socket::Client("flush");
356 }
357
358 # Load settings from files.
359 &General::readhash("${General::swroot}/guardian/settings", \%settings);
360 &General::readhasharray("${General::swroot}/guardian/ignored", \%ignored);
361
362 # Call functions to generate whole page.
363 &showMainBox();
364 &showIgnoreBox();
365
366 # Display area only if guardian is running.
367 if ( ($memory != 0) && ($pid > 0) ) {
368 &showBlockedBox();
369 }
370
371 # Function to display the status of guardian and allow base configuration.
372 sub showMainBox() {
373 my %checked = ();
374 my %selected = ();
375
376 $checked{'GUARDIAN_ENABLED'}{'on'} = '';
377 $checked{'GUARDIAN_ENABLED'}{'off'} = '';
378 $checked{'GUARDIAN_ENABLED'}{$settings{'GUARDIAN_ENABLED'}} = 'checked';
379 $checked{'GUARDIAN_MONITOR_SSH'}{'off'} = '';
380 $checked{'GUARDIAN_MONITOR_SSH'}{'on'} = '';
381 $checked{'GUARDIAN_MONITOR_SSH'}{$settings{'GUARDIAN_MONITOR_SSH'}} = "checked='checked'";
382 $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} = '';
383 $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} = '';
384 $checked{'GUARDIAN_MONITOR_HTTPD'}{$settings{'GUARDIAN_MONITOR_HTTPD'}} = "checked='checked'";
385 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} = '';
386 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} = '';
387 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{$settings{'GUARDIAN_MONITOR_OWNCLOUD'}} = "checked='checked'";
388
389 $selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected';
390 $selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected';
391 $selected{'GUARDIAN_FIREWALL_ACTION'}{$settings{'GUARDIAN_FIREWALL_ACTION'}} = 'selected';
392
393 &Header::openpage($Lang::tr{'guardian configuration'}, 1, '');
394 &Header::openbigbox('100%', 'left', '', $errormessage);
395
396 # Print errormessage if there is one.
397 if ($errormessage) {
398 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
399 print "<font class='base'>$errormessage&nbsp;</font>\n";
400 &Header::closebox();
401 }
402
403 ### Java Script ###
404 print<<END;
405 <script>
406 var update_options = function() {
407
408 var logfacility = \$("#GUARDIAN_LOG_FACILITY").val();
409 var loglevel = \$("#GUARDIAN_LOGLEVEL").val();
410
411 if (logfacility === undefined)
412 return;
413
414 if (loglevel === undefined)
415 return;
416
417 // Show / Hide input for specifying the path to the logfile.
418 if (logfacility === "file") {
419 \$(".GUARDIAN_LOGFILE").show();
420 } else {
421 \$(".GUARDIAN_LOGFILE").hide();
422 }
423
424 // Show / Hide loglevel debug if the facility is set to syslog.
425 if (logfacility === "syslog") {
426 \$("#loglevel_debug").hide();
427 } else {
428 \$("#loglevel_debug").show();
429 }
430
431 // Show / Hide logfacility syslog if the loglevel is set to debug.
432 if (loglevel === "debug") {
433 \$("#logfacility_syslog").hide();
434 } else {
435 \$("#logfacility_syslog").show();
436 }
437 };
438
439 \$(document).ready(function() {
440 \$("#GUARDIAN_LOG_FACILITY").change(update_options);
441 \$("#GUARDIAN_LOGLEVEL").change(update_options);
442 update_options();
443 });
444 </script>
445 END
446
447
448
449 # Draw current guardian state.
450 &Header::openbox('100%', 'center', $Lang::tr{'guardian'});
451
452 # Get current status of guardian.
453 &daemonstats();
454 $pid = $pid[0];
455
456 # Display some useful information related to guardian, if daemon is running.
457 if ( ($memory != 0) && ($pid > 0) ){
458 print <<END;
459 <table width='95%' cellspacing='0' class='tbl'>
460 <tr>
461 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
462 </tr>
463 <tr>
464 <td class='base'>$Lang::tr{'guardian daemon'}</td>
465 <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td>
466 </tr>
467 <tr>
468 <td class='base'></td>
469 <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td>
470 <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td>
471 </tr>
472 <tr>
473 <td class='base'></td>
474 <td bgcolor='$color{'color22'}' align='center'>$pid</td>
475 <td bgcolor='$color{'color22'}' align='center'>$memory KB</td>
476 </tr>
477 </table>
478 END
479 } else {
480 # Otherwise display a hint that the service is not launched.
481 print <<END;
482 <table width='95%' cellspacing='0' class='tbl'>
483 <tr>
484 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
485 </tr>
486 <tr>
487 <td class='base'>$Lang::tr{'guardian daemon'}</td>
488 <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td>
489 </tr>
490 </table>
491 END
492 }
493
494 &Header::closebox();
495
496 # Draw elements for guardian configuration.
497 &Header::openbox('100%', 'center', $Lang::tr{'guardian configuration'});
498
499 print <<END;
500 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
501
502 <table width='95%'>
503 <tr>
504 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian common settings'}</b></td>
505 </tr>
506
507 <tr>
508 <td width='25%' class='base'>$Lang::tr{'guardian enabled'}:</td>
509 <td><input type='checkbox' name='GUARDIAN_ENABLED' $checked{'GUARDIAN_ENABLED'}{'on'} /></td>
510 </tr>
511
512 <tr>
513 <td colspan='2'><br></td>
514 </tr>
515
516 <tr>
517 <td width='25%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td>
518 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> /
519 <input type='radio' name='GUARDIAN_MONITOR_SSH' value='off' $checked{'GUARDIAN_MONITOR_SSH'}{'off'} /> off</td>
520 </tr>
521
522 <tr>
523 <td width='25%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td>
524 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> /
525 <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td>
526 </tr>
527
528 <tr>
529 <td colspan='2'><br></td>
530 </tr>
531
532 <tr>
533 <td align='left' width='20%'>$Lang::tr{'guardian logfacility'}:</td>
534 <td width='25%'><select id='GUARDIAN_LOG_FACILITY' name='GUARDIAN_LOG_FACILITY'>
535 <option id='logfacility_syslog' value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>$Lang::tr{'guardian logtarget_syslog'}</option>
536 <option id='logfacility_file' value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>$Lang::tr{'guardian logtarget_file'}</option>
537 <option id='logfacility_console' value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>$Lang::tr{'guardian logtarget_console'}</option>
538 </select></td>
539
540 <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td>
541 <td width='25%'><select id='GUARDIAN_LOGLEVEL' name='GUARDIAN_LOGLEVEL'>
542 <option id='loglevel_off' value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>$Lang::tr{'guardian loglevel_off'}</option>
543 <option id='loglevel_info' value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>$Lang::tr{'guardian loglevel_info'}</option>
544 <option id='loglevel_debug' value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>$Lang::tr{'guardian loglevel_debug'}</option>
545 </select></td>
546 </tr>
547
548 <tr class="GUARDIAN_LOGFILE">
549 <td colspan='2'><br></td>
550 </tr>
551
552 <tr class="GUARDIAN_LOGFILE">
553 <td width='25%' class='base'>$Lang::tr{'guardian logfile'}:</td>
554 <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td>
555 </tr>
556
557 <tr>
558 <td colspan='2'><br></td>
559 </tr>
560
561 <tr>
562 <td width='25%' class='base'>$Lang::tr{'guardian firewallaction'}:</td>
563 <td><select name='GUARDIAN_FIREWALL_ACTION'>
564 <option value='DROP' $selected{'GUARDIAN_FIREWALL_ACTION'}{'DROP'}>Drop</option>
565 <option value='REJECT' $selected{'GUARDIAN_FIREWALL_ACTION'}{'REJECT'}>Reject</option>
566 </select></td>
567
568 <td width='25%' class='base'>$Lang::tr{'guardian blockcount'}:</td>
569 <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td>
570 </tr>
571
572 <tr>
573 <td colspan='2'><br></td>
574 </tr>
575
576 <tr>
577 <td width='25%' class='base'>$Lang::tr{'guardian blocktime'}:</td>
578 <td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td>
579 </tr>
580
581 </table>
582 END
583
584 print <<END;
585 <hr>
586
587 <table width='95%'>
588 <tr>
589 <td>&nbsp;</td>
590 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
591 <td>&nbsp;</td>
592 </tr>
593 </table>
594 </form>
595 END
596
597 &Header::closebox();
598 }
599
600 # Function to show elements of the guardian ignorefile and allow to add or remove single members of it.
601 sub showIgnoreBox() {
602 &Header::openbox('100%', 'center', $Lang::tr{'guardian ignored hosts'});
603
604 print <<END;
605 <table width='80%'>
606 <tr>
607 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td>
608 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td>
609 <td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
610 </tr>
611 END
612 # Check if some hosts have been added to be ignored.
613 if (keys (%ignored)) {
614 my $col = "";
615
616 # Loop through all entries of the hash.
617 while( (my $key) = each %ignored) {
618 # Assign data array positions to some nice variable names.
619 my $address = $ignored{$key}[0];
620 my $remark = $ignored{$key}[1];
621 my $status = $ignored{$key}[2];
622
623 # Check if the key (id) number is even or not.
624 if ($settings{'ID'} eq $key) {
625 $col="bgcolor='${Header::colouryellow}'";
626 } elsif ($key % 2) {
627 $col="bgcolor='$color{'color22'}'";
628 } else {
629 $col="bgcolor='$color{'color20'}'";
630 }
631
632 # Choose icon for the checkbox.
633 my $gif;
634 my $gdesc;
635
636 # Check if the status is enabled and select the correct image and description.
637 if ($status eq 'enabled' ) {
638 $gif = 'on.gif';
639 $gdesc = $Lang::tr{'click to disable'};
640 } else {
641 $gif = 'off.gif';
642 $gdesc = $Lang::tr{'click to enable'};
643 }
644
645 print <<END;
646 <tr>
647 <td width='20%' class='base' $col>$address</td>
648 <td width='65%' class='base' $col>$remark</td>
649
650 <td align='center' $col>
651 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
652 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
653 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' />
654 <input type='hidden' name='ID' value='$key' />
655 </form>
656 </td>
657
658 <td align='center' $col>
659 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
660 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
661 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
662 <input type='hidden' name='ID' value='$key' />
663 </form>
664 </td>
665
666 <td align='center' $col>
667 <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'>
668 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'>
669 <input type='hidden' name='ID' value='$key'>
670 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}'>
671 </form>
672 </td>
673 </tr>
674 END
675 }
676 } else {
677 # Print notice that currently no hosts are ignored.
678 print "<tr>\n";
679 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
680 print "</tr>\n";
681 }
682
683 print "</table>\n";
684
685 # Section to add new elements or edit existing ones.
686 print <<END;
687 <br>
688 <hr>
689 <br>
690
691 <div align='center'>
692 <table width='100%'>
693 END
694
695 # Assign correct headline and button text.
696 my $buttontext;
697 my $entry_address;
698 my $entry_remark;
699
700 # Check if an ID (key) has been given, in this case an existing entry should be edited.
701 if ($settings{'ID'} ne '') {
702 $buttontext = $Lang::tr{'update'};
703 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n";
704
705 # Grab address and remark for the given key.
706 $entry_address = $ignored{$settings{'ID'}}[0];
707 $entry_remark = $ignored{$settings{'ID'}}[1];
708 } else {
709 $buttontext = $Lang::tr{'add'};
710 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n";
711 }
712
713 print <<END;
714 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
715 <input type='hidden' name='ID' value='$settings{'ID'}'>
716 <tr>
717 <td width='30%'>$Lang::tr{'ip address'}: </td>
718 <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
719
720 <td width='30%'>$Lang::tr{'remark'}: </td>
721 <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
722 <td align='center' width='20%'><input type='submit' name='ACTION' value='$buttontext' /></td>
723 </tr>
724 </form>
725 </table>
726 </div>
727 END
728
729 &Header::closebox();
730 }
731
732 # Function to list currently blocked addresses from guardian and unblock them or add custom entries to block.
733 sub showBlockedBox() {
734 &Header::openbox('100%', 'center', $Lang::tr{'guardian blocked hosts'});
735
736 print <<END;
737 <table width='60%'>
738 <tr>
739 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian blocked hosts'}</b></td>
740 </tr>
741 END
742
743 # Launch function to get the currently blocked hosts.
744 my @blocked_hosts = &GetBlockedHosts();
745
746 my $id = 0;
747 my $col = "";
748
749 # Loop through our blocked hosts array.
750 foreach my $blocked_host (@blocked_hosts) {
751
752 # Increase id number for each element in the ignore file.
753 $id++;
754
755 # Check if the id number is even or not.
756 if ($id % 2) {
757 $col="bgcolor='$color{'color22'}'";
758 } else {
759 $col="bgcolor='$color{'color20'}'";
760 }
761
762 print <<END;
763 <tr>
764 <td width='80%' class='base' $col><a href='/cgi-bin/ipinfo.cgi?ip=$blocked_host'>$blocked_host</a></td>
765 <td width='20%' align='center' $col>
766 <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
767 <input type='image' name='$Lang::tr{'unblock'}' src='/images/delete.gif' title='$Lang::tr{'unblock'}' alt='$Lang::tr{'unblock'}'>
768 <input type='hidden' name='ADDRESS_UNBLOCK' value='$blocked_host'>
769 <input type='hidden' name='ACTION' value='$Lang::tr{'unblock'}'>
770 </form>
771 </td>
772 </tr>
773 END
774 }
775
776 # If the loop only has been run once the id still is "0", which means there are no
777 # additional entries (blocked hosts) in the iptables chain.
778 if ($id == 0) {
779
780 # Print notice that currently no hosts are blocked.
781 print "<tr>\n";
782 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
783 print "</tr>\n";
784 }
785
786 print "</table>\n";
787
788 # Section for a manual block of an IP-address.
789 print <<END;
790 <br>
791 <div align='center'>
792 <table width='60%' border='0'>
793 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
794 <tr>
795 <td width='30%'>$Lang::tr{'guardian block a host'}: </td>
796 <td width='40%'><input type='text' name='ADDRESS_BLOCK' value='' size='24' /></td>
797 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'block'}'></td>
798 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'unblock all'}'></td>
799 </tr>
800 </form>
801 </table>
802 </div>
803 END
804
805 &Header::closebox();
806 }
807
808 &Header::closebigbox();
809 &Header::closepage();
810
811 # Function to check if guardian has been started.
812 # Grab process id and consumed memory if the daemon is running.
813 sub daemonstats() {
814 $memory = 0;
815 # for pid and memory
816 open(FILE, '/usr/local/bin/addonctrl guardian status | ');
817 @guardian = <FILE>;
818 close(FILE);
819 $string = join("", @guardian);
820 $string =~ s/[a-z_]//gi;
821 $string =~ s/\[[0-1]\;[0-9]+//gi;
822 $string =~ s/[\(\)\.]//gi;
823 $string =~ s/ //gi;
824 $string =~ s/\e//gi;
825 @pid = split(/\s/,$string);
826 if (open(FILE, "/proc/$pid[0]/statm")){
827 my $temp = <FILE>;
828 @memory = split(/ /,$temp);
829 close(FILE);
830 }
831 $memory+=$memory[0];
832 }
833
834 sub GetBlockedHosts() {
835 # Create new, empty array.
836 my @hosts;
837
838 # Launch helper to get chains from iptables.
839 system('/usr/local/bin/getipstat');
840
841 # Open temporary file which contains the chains and rules.
842 open (FILE, '/var/tmp/iptables.txt');
843
844 # Loop through the entire file.
845 while (<FILE>) {
846 my $line = $_;
847
848 # Search for the guardian chain and extract
849 # the lines between it and the next empty line
850 # which is placed before the next firewall
851 # chain starts.
852 if ($line =~ /^Chain GUARDIAN/ .. /^\s*$/) {
853 # Skip descriptive lines.
854 next if ($line =~ /^Chain/);
855 next if ($line =~ /^ pkts/);
856
857 # Generate array, based on the line content (separator is a single or multiple space)
858 my @comps = split(/\s{1,}/, $line);
859 my ($lead, $pkts, $bytes, $target, $prot, $opt, $in, $out, $source, $destination) = @comps;
860
861 # Assign different variable names.
862 my $blocked_host = $source;
863
864 # Add host to our hosts array.
865 if ($blocked_host) {
866 push(@hosts, $blocked_host);
867 }
868 }
869 }
870
871 # Close filehandle.
872 close(FILE);
873
874 # Remove recently created temporary files of the "getipstat" binary.
875 system("rm -f /var/tmp/iptables.txt");
876 system("rm -f /var/tmp/iptablesmangle.txt");
877 system("rm -f /var/tmp/iptablesnat.txt");
878
879 # Convert entries, sort them, write back and store the sorted entries into new array.
880 my @sorted = map { $_->[0] }
881 sort { $a->[1] <=> $b->[1] }
882 map { [$_, int sprintf("%03.f%03.f%03.f%03.f", split(/\./, $_))] }
883 @hosts;
884
885 # Return our sorted list.
886 return @sorted
887 }
888
889 sub BuildConfiguration() {
890 my %settings = ();
891 &General::readhash("${General::swroot}/guardian/settings", \%settings);
892
893 my $configfile = "${General::swroot}/guardian/guardian.conf";
894
895 # Create the configfile if none exists yet.
896 unless (-e "$configfile") { system("touch $configfile"); }
897
898 # Open configfile for writing.
899 open(FILE, ">$configfile");
900
901 # Config file header.
902 print FILE "# Autogenerated configuration file.\n";
903 print FILE "# All user modifications will be overwritten.\n\n";
904
905 # Settings for the logging mechanism.
906 print FILE "# Log settings.\n";
907 print FILE "LogFacility = $settings{'GUARDIAN_LOG_FACILITY'}\n";
908
909 if ($settings{'GUARDIAN_LOG_FACILITY'} eq "file") {
910 print FILE "LogFile = $settings{'GUARDIAN_LOGFILE'}\n";
911 }
912
913 print FILE "LogLevel = $settings{'GUARDIAN_LOGLEVEL'}\n\n";
914
915 # IPFire related static settings.
916 print FILE "# IPFire related settings.\n";
917 print FILE "FirewallEngine = IPtables\n";
918 print FILE "SocketOwner = nobody:nobody\n";
919 print FILE "IgnoreFile = $ignorefile\n\n";
920
921 # Configured block values.
922 print FILE "# Configured block settings.\n";
923 print FILE "BlockCount = $settings{'GUARDIAN_BLOCKCOUNT'}\n";
924 print FILE "BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n";
925 print FILE "FirewallAction = $settings{'GUARDIAN_FIREWALL_ACTION'}\n\n";
926
927 # Enabled modules.
928 # Loop through whole settings hash.
929 print FILE "# Enabled modules.\n";
930 foreach my $option (keys %settings) {
931 # Search for enabled modules.
932 if ($option =~ /GUARDIAN_MONITOR_(.*)/) {
933 # Skip if module is not enabled.
934 next unless($settings{$option} eq "on");
935
936 # Skip module if no file location is available.
937 next unless(exists($module_file_locations{$1}));
938
939 # Add enabled module and defined path to the config file.
940 print FILE "Monitor_$1 = $module_file_locations{$1}\n";
941 }
942 }
943
944 # Module settings.
945 print FILE "\n# Module settings.\n";
946 close(FILE);
947
948 # Generate ignore file.
949 &GenerateIgnoreFile();
950
951 # Check if guardian should be started or stopped.
952 if($settings{'GUARDIAN_ENABLED'} eq 'on') {
953 if($pid > 0) {
954 # Send reload command through socket connection.
955 &Guardian::Socket::Client("reload");
956 } else {
957 # Launch guardian.
958 system("/usr/local/bin/addonctrl guardian start &>/dev/null");
959 }
960 } else {
961 # Stop the daemon.
962 system("/usr/local/bin/addonctrl guardian stop &>/dev/null");
963 }
964 }
965
966 sub GenerateIgnoreFile() {
967 my %ignored = ();
968
969 # Read-in ignoredfile.
970 &General::readhasharray($ignoredfile, \%ignored);
971
972 # Create the guardian.ignore file if not exist yet.
973 unless (-e "$ignorefile") { system("touch $ignorefile"); }
974
975 # Open ignorefile for writing.
976 open(FILE, ">$ignorefile");
977
978 # Config file header.
979 print FILE "# Autogenerated configuration file.\n";
980 print FILE "# All user modifications will be overwritten.\n\n";
981
982 # Add IFPire interfaces and gateway to the ignore file.
983 #
984 # Assign some temporary variables for the IPFire interfaces.
985 my $green = $netsettings{'GREEN_ADDRESS'};
986 my $blue = $netsettings{'BLUE_ADDRESS'};
987 my $orange = $netsettings{'ORANGE_ADDRESS'};
988
989 # File declarations.
990 my $public_address_file = "${General::swroot}/red/local-ipaddress";
991 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
992 my $dns1file = "${General::swroot}/red/dns1";
993 my $dns2file = "${General::swroot}/red/dns2";
994
995 # Write the obtained addresses to the ignore file.
996 print FILE "# IPFire local interfaces.\n";
997 print FILE "$green\n";
998
999 # Check if a blue interface exists.
1000 if ($blue) {
1001 # Add blue address.
1002 print FILE "$blue\n";
1003 }
1004
1005 # Check if an orange interface exists.
1006 if ($orange) {
1007 # Add orange address.
1008 print FILE "$orange\n";
1009 }
1010
1011 print FILE "\n# IPFire red interface, gateway and used DNS-servers.\n";
1012 print FILE "# Include the corresponding files to obtain the addresses.\n";
1013 print FILE "Include_File = $public_address_file\n";
1014 print FILE "Include_File = $gatewayfile\n";
1015 print FILE "Include_File = $dns1file\n";
1016 print FILE "Include_File = $dns2file\n";
1017
1018 # Add all user defined hosts and networks to the ignore file.
1019 #
1020 # Check if the hash contains any elements.
1021 if (keys (%ignored)) {
1022 # Write headline.
1023 print FILE "\n# User defined hosts/networks.\n";
1024
1025 # Loop through the entire hash and write the host/network
1026 # and remark to the ignore file.
1027 while ( (my $key) = each %ignored) {
1028 my $address = $ignored{$key}[0];
1029 my $remark = $ignored{$key}[1];
1030 my $status = $ignored{$key}[2];
1031
1032 # Check if the status of the entry is "enabled".
1033 if ($status eq "enabled") {
1034 # Check if the address/network is valid.
1035 if ((&General::validip($address)) || (&General::validipandmask($address))) {
1036 # Write the remark to the file.
1037 print FILE "# $remark\n";
1038
1039 # Write the address/network to the ignore file.
1040 print FILE "$address\n\n";
1041 }
1042 }
1043 }
1044 }
1045
1046 close(FILE);
1047 }
1048
1049 # Private subfunction to obtain IP-addresses from given file names.
1050 #
1051 sub _get_address_from_file ($) {
1052 my $file = shift;
1053
1054 # Check if the file exists.
1055 if (-e $file) {
1056 # Open the given file.
1057 open(FILE, "$file") or die "Could not open $file.";
1058
1059 # Obtain the address from the first line of the file.
1060 my $address = <FILE>;
1061
1062 # Close filehandle
1063 close(FILE);
1064
1065 # Remove newlines.
1066 chomp $address;
1067
1068 # Check if the grabbed address is valid.
1069 if (&General::validip($address)) {
1070 # Return the address.
1071 return $address;
1072 }
1073 }
1074
1075 # Return nothing.
1076 return;
1077 }
Peter's tree of IPFire 2.x