]>
git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - html/cgi-bin/guardian.cgi
2 ###############################################################################
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2016 IPFire Team <info@ipfire.org> #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 ###############################################################################
23 use Locale
::Codes
::Country
;
26 # enable only the following on debugging purpose
28 #use CGI::Carp 'fatalsToBrowser';
30 require '/var/ipfire/general-functions.pl';
31 require "${General::swroot}/lang.pl";
32 require "${General::swroot}/header.pl";
34 #workaround to suppress a warning when a variable is used only once
37 ${Header
::colourgreen
}
48 # Path to the guardian.ignore file.
49 my $ignorefile ='/var/ipfire/guardian/guardian.ignore';
51 # Hash which contains the supported modules and the
52 # file locations on IPFire systems.
53 my %module_file_locations = (
54 "HTTPD" => "/var/log/httpd/error_log",
55 "SSH" => "/var/log/messages",
58 our %netsettings = ();
59 &General
::readhash
("${General::swroot}/ethernet/settings", \
%netsettings);
62 our %mainsettings = ();
63 &General
::readhash
("${General::swroot}/main/settings", \
%mainsettings);
64 &General
::readhash
("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \
%color);
67 my $settingsfile = "${General::swroot}/guardian/settings";
68 my $ignoredfile = "${General::swroot}/guardian/ignored";
70 # Create empty settings and ignoredfile if they do not exist yet.
71 unless (-e
"$settingsfile") { system("touch $settingsfile"); }
72 unless (-e
"$ignoredfile") { system("touch $ignoredfile"); }
77 $settings{'ACTION'} = '';
79 $settings{'GUARDIAN_ENABLED'} = 'off';
80 $settings{'GUARDIAN_MONITOR_SSH'} = 'on';
81 $settings{'GUARDIAN_MONITOR_HTTPD'} = 'on';
82 $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = '';
83 $settings{'GUARDIAN_LOG_FACILITY'} = 'syslog';
84 $settings{'GUARDIAN_LOGLEVEL'} = 'info';
85 $settings{'GUARDIAN_BLOCKCOUNT'} = '3';
86 $settings{'GUARDIAN_BLOCKTIME'} = '86400';
87 $settings{'GUARDIAN_FIREWALL_ACTION'} = 'DROP';
88 $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log';
90 my $errormessage = '';
92 &Header
::showhttpheaders
();
95 &Header
::getcgihash
(\
%settings);
97 # Check if guardian is running and grab some stats.
101 ## Perform input checks and save settings.
103 if ($settings{'ACTION'} eq $Lang::tr
{'save'}) {
104 # Check for valid blocktime.
105 unless(($settings{'GUARDIAN_BLOCKTIME'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKTIME'} ne "0")) {
106 $errormessage = "$Lang::tr{'guardian invalid blocktime'}";
109 # Check if the blockcount is valid.
110 unless(($settings{'GUARDIAN_BLOCKCOUNT'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKCOUNT'} ne "0")) {
111 $errormessage = "$Lang::tr{'guardian invalid blockcount'}";
115 unless($settings{'GUARDIAN_LOGFILE'} =~ /^[a-zA-Z0-9\.\/]+$/) {
116 $errormessage = "$Lang::tr{'guardian invalid logfile'}";
119 # Only continue if no error message has been set.
120 if($errormessage eq '') {
121 # Write configuration settings to file.
122 &General
::writehash
("${General::swroot}/guardian/settings", \
%settings);
124 # Update configuration files.
125 &BuildConfiguration
();
128 ## Add/edit an entry to the ignore file.
130 } elsif (($settings{'ACTION'} eq $Lang::tr
{'add'}) || ($settings{'ACTION'} eq $Lang::tr
{'update'})) {
132 # Check if any input has been performed.
133 if ($settings{'IGNORE_ENTRY_ADDRESS'} ne '') {
135 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
136 if ((!&General
::validip
($settings{'IGNORE_ENTRY_ADDRESS'})) && (!&General
::validipandmask
($settings{'IGNORE_ENTRY_ADDRESS'}))) {
137 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
140 $errormessage = "$Lang::tr{'guardian empty input'}";
143 # Go further if there was no error.
144 if ($errormessage eq '') {
149 # Assign hash values.
150 my $new_entry_address = $settings{'IGNORE_ENTRY_ADDRESS'};
151 my $new_entry_remark = $settings{'IGNORE_ENTRY_REMARK'};
153 # Read-in ignoredfile.
154 &General
::readhasharray
($ignoredfile, \
%ignored);
156 # Check if we should edit an existing entry and got an ID.
157 if (($settings{'ACTION'} eq $Lang::tr
{'update'}) && ($settings{'ID'})) {
158 # Assin the provided id.
159 $id = $settings{'ID'};
161 # Undef the given ID.
162 undef($settings{'ID'});
164 # Grab the configured status of the corresponding entry.
165 $status = $ignored{$id}[2];
167 # Each newly added entry automatically should be enabled.
170 # Generate the ID for the new entry.
172 # Sort the keys by their ID and store them in an array.
173 my @keys = sort { $a <=> $b } keys %ignored;
175 # Reverse the key array.
176 my @reversed = reverse(@keys);
178 # Obtain the last used id.
179 my $last_id = @reversed[0];
181 # Increase the last id by one and use it as id for the new entry.
185 # Add/Modify the entry to/in the ignored hash.
186 $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"];
188 # Write the changed ignored hash to the ignored file.
189 &General
::writehasharray
($ignoredfile, \
%ignored);
191 # Regenerate the ignore file.
192 &GenerateIgnoreFile
();
195 # Check if guardian is running.
197 # Send reload command through socket connection.
198 &Guardian
::Socket
::Client
("reload-ignore-list");
201 ## Toggle Enabled/Disabled for an existing entry on the ignore list.
204 } elsif ($settings{'ACTION'} eq $Lang::tr
{'toggle enable disable'}) {
207 # Only go further, if an ID has been passed.
208 if ($settings{'ID'}) {
209 # Assign the given ID.
210 my $id = $settings{'ID'};
212 # Undef the given ID.
213 undef($settings{'ID'});
215 # Read-in ignoredfile.
216 &General
::readhasharray
($ignoredfile, \
%ignored);
218 # Grab the configured status of the corresponding entry.
219 my $status = $ignored{$id}[2];
222 if ($status eq "disabled") {
225 $status = "disabled";
228 # Modify the status of the existing entry.
229 $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"];
231 # Write the changed ignored hash to the ignored file.
232 &General
::writehasharray
($ignoredfile, \
%ignored);
234 # Regenerate the ignore file.
235 &GenerateIgnoreFile
();
237 # Check if guardian is running.
239 # Send reload command through socket connection.
240 &Guardian
::Socket
::Client
("reload-ignore-list");
244 ## Remove entry from ignore list.
246 } elsif ($settings{'ACTION'} eq $Lang::tr
{'remove'}) {
249 # Read-in ignoredfile.
250 &General
::readhasharray
($ignoredfile, \
%ignored);
252 # Drop entry from the hash.
253 delete($ignored{$settings{'ID'}});
255 # Undef the given ID.
256 undef($settings{'ID'});
258 # Write the changed ignored hash to the ignored file.
259 &General
::writehasharray
($ignoredfile, \
%ignored);
261 # Regenerate the ignore file.
262 &GenerateIgnoreFile
();
264 # Check if guardian is running.
266 # Send reload command through socket connection.
267 &Guardian
::Socket
::Client
("reload-ignore-list");
270 ## Block a user given address or subnet.
272 } elsif ($settings{'ACTION'} eq $Lang::tr
{'block'}) {
274 # Assign some temporary variables used for input validation.
275 my $input = $settings{'ADDRESS_BLOCK'};
276 my $green = $netsettings{'GREEN_ADDRESS'};
277 my $blue = $netsettings{'BLUE_ADDRESS'};
278 my $orange = $netsettings{'ORANGE_ADDRESS'};
279 my $red = $netsettings{'RED_ADDRESS'};
282 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
284 # Get gateway address.
285 my $gateway = &General
::grab_address_from_file
($gatewayfile);
287 # Check if any input has been performed.
289 $errormessage = "$Lang::tr{'guardian empty input'}";
292 # Check if the given input is localhost (127.0.0.1).
293 elsif ($input eq "127.0.0.1") {
294 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
297 # Check if the given input is anywhere (0.0.0.0).
298 elsif ($input eq "0.0.0.0") {
299 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
302 # Check if the given input is one of the interface addresses or our gateway.
303 elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
304 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
307 # Check if the given input is a valid IP address.
308 elsif (!&General
::validip
($input)) {
309 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
312 # Go further if there was no error.
313 if ($errormessage eq '') {
314 my $block = $settings{'ADDRESS_BLOCK'};
316 # Send command to block the specified address through socket connection.
317 &Guardian
::Socket
::Client
("block $block");
320 ## Unblock address or subnet.
322 } elsif ($settings{'ACTION'} eq $Lang::tr
{'unblock'}) {
324 # Check if no empty input has been performed.
325 if ($settings{'ADDRESS_UNBLOCK'} ne '') {
327 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
328 if ((!&General
::validip
($settings{'ADDRESS_UNBLOCK'})) && (!&General
::validipandmask
($settings{'ADDRESS_UNBLOCK'}))) {
329 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
333 $errormessage = "$Lang::tr{'guardian empty input'}";
336 # Go further if there was no error.
337 if ($errormessage eq '') {
338 my $unblock = $settings{'ADDRESS_UNBLOCK'};
340 # Send command to unblock the given address through socket connection.
341 &Guardian
::Socket
::Client
("unblock $unblock");
346 } elsif ($settings{'ACTION'} eq $Lang::tr
{'unblock all'}) {
348 # Send flush command through socket connection.
349 &Guardian
::Socket
::Client
("flush");
352 # Load settings from files.
353 &General
::readhash
("${General::swroot}/guardian/settings", \
%settings);
354 &General
::readhasharray
("${General::swroot}/guardian/ignored", \
%ignored);
356 # Call functions to generate whole page.
360 # Display area only if guardian is running.
361 if ( ($memory != 0) && ($pid > 0) ) {
365 # Function to display the status of guardian and allow base configuration.
370 $checked{'GUARDIAN_ENABLED'}{'on'} = '';
371 $checked{'GUARDIAN_ENABLED'}{'off'} = '';
372 $checked{'GUARDIAN_ENABLED'}{$settings{'GUARDIAN_ENABLED'}} = 'checked';
373 $checked{'GUARDIAN_MONITOR_SSH'}{'off'} = '';
374 $checked{'GUARDIAN_MONITOR_SSH'}{'on'} = '';
375 $checked{'GUARDIAN_MONITOR_SSH'}{$settings{'GUARDIAN_MONITOR_SSH'}} = "checked='checked'";
376 $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} = '';
377 $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} = '';
378 $checked{'GUARDIAN_MONITOR_HTTPD'}{$settings{'GUARDIAN_MONITOR_HTTPD'}} = "checked='checked'";
379 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} = '';
380 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} = '';
381 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{$settings{'GUARDIAN_MONITOR_OWNCLOUD'}} = "checked='checked'";
383 $selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected';
384 $selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected';
385 $selected{'GUARDIAN_FIREWALL_ACTION'}{$settings{'GUARDIAN_FIREWALL_ACTION'}} = 'selected';
387 &Header
::openpage
($Lang::tr
{'guardian configuration'}, 1, '');
388 &Header
::openbigbox
('100%', 'left', '', $errormessage);
390 # Print errormessage if there is one.
392 &Header
::openbox
('100%', 'left', $Lang::tr
{'error messages'});
393 print "<font class='base'>$errormessage </font>\n";
400 var update_options = function() {
402 var logfacility = \$("#GUARDIAN_LOG_FACILITY").val();
403 var loglevel = \$("#GUARDIAN_LOGLEVEL").val();
405 if (logfacility === undefined)
408 if (loglevel === undefined)
411 // Show / Hide input for specifying the path to the logfile.
412 if (logfacility === "file") {
413 \$(".GUARDIAN_LOGFILE").show();
415 \$(".GUARDIAN_LOGFILE").hide();
418 // Show / Hide loglevel debug if the facility is set to syslog.
419 if (logfacility === "syslog") {
420 \$("#loglevel_debug").hide();
422 \$("#loglevel_debug").show();
425 // Show / Hide logfacility syslog if the loglevel is set to debug.
426 if (loglevel === "debug") {
427 \$("#logfacility_syslog").hide();
429 \$("#logfacility_syslog").show();
433 \$(document).ready(function() {
434 \$("#GUARDIAN_LOG_FACILITY").change(update_options);
435 \$("#GUARDIAN_LOGLEVEL").change(update_options);
443 # Draw current guardian state.
444 &Header
::openbox
('100%', 'center', $Lang::tr
{'guardian'});
446 # Get current status of guardian.
450 # Display some useful information related to guardian, if daemon is running.
451 if ( ($memory != 0) && ($pid > 0) ){
453 <table width='95%' cellspacing='0' class='tbl'>
455 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
458 <td class='base'>$Lang::tr{'guardian daemon'}</td>
459 <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td>
462 <td class='base'></td>
463 <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td>
464 <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td>
467 <td class='base'></td>
468 <td bgcolor='$color{'color22'}' align='center'>$pid</td>
469 <td bgcolor='$color{'color22'}' align='center'>$memory KB</td>
474 # Otherwise display a hint that the service is not launched.
476 <table width='95%' cellspacing='0' class='tbl'>
478 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
481 <td class='base'>$Lang::tr{'guardian daemon'}</td>
482 <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td>
490 # Draw elements for guardian configuration.
491 &Header
::openbox
('100%', 'center', $Lang::tr
{'guardian configuration'});
494 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
498 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian common settings'}</b></td>
502 <td width='25%' class='base'>$Lang::tr{'guardian enabled'}:</td>
503 <td><input type='checkbox' name='GUARDIAN_ENABLED' $checked{'GUARDIAN_ENABLED'}{'on'} /></td>
507 <td colspan='2'><br></td>
511 <td width='25%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td>
512 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> /
513 <input type='radio' name='GUARDIAN_MONITOR_SSH' value='off' $checked{'GUARDIAN_MONITOR_SSH'}{'off'} /> off</td>
517 <td width='25%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td>
518 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> /
519 <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td>
523 <td colspan='2'><br></td>
527 <td align='left' width='20%'>$Lang::tr{'guardian logfacility'}:</td>
528 <td width='25%'><select id='GUARDIAN_LOG_FACILITY' name='GUARDIAN_LOG_FACILITY'>
529 <option id='logfacility_syslog' value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>$Lang::tr{'guardian logtarget_syslog'}</option>
530 <option id='logfacility_file' value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>$Lang::tr{'guardian logtarget_file'}</option>
531 <option id='logfacility_console' value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>$Lang::tr{'guardian logtarget_console'}</option>
534 <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td>
535 <td width='25%'><select id='GUARDIAN_LOGLEVEL' name='GUARDIAN_LOGLEVEL'>
536 <option id='loglevel_off' value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>$Lang::tr{'guardian loglevel_off'}</option>
537 <option id='loglevel_info' value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>$Lang::tr{'guardian loglevel_info'}</option>
538 <option id='loglevel_debug' value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>$Lang::tr{'guardian loglevel_debug'}</option>
542 <tr class="GUARDIAN_LOGFILE">
543 <td colspan='2'><br></td>
546 <tr class="GUARDIAN_LOGFILE">
547 <td width='25%' class='base'>$Lang::tr{'guardian logfile'}:</td>
548 <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td>
552 <td colspan='2'><br></td>
556 <td width='25%' class='base'>$Lang::tr{'guardian firewallaction'}:</td>
557 <td><select name='GUARDIAN_FIREWALL_ACTION'>
558 <option value='DROP' $selected{'GUARDIAN_FIREWALL_ACTION'}{'DROP'}>Drop</option>
559 <option value='REJECT' $selected{'GUARDIAN_FIREWALL_ACTION'}{'REJECT'}>Reject</option>
562 <td width='25%' class='base'>$Lang::tr{'guardian blockcount'}:</td>
563 <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td>
567 <td colspan='2'><br></td>
571 <td width='25%' class='base'>$Lang::tr{'guardian blocktime'}:</td>
572 <td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td>
584 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
594 # Function to show elements of the guardian ignorefile and allow to add or remove single members of it.
595 sub showIgnoreBox
() {
596 &Header
::openbox
('100%', 'center', $Lang::tr
{'guardian ignored hosts'});
601 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td>
602 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td>
603 <td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
606 # Check if some hosts have been added to be ignored.
607 if (keys (%ignored)) {
610 # Loop through all entries of the hash.
611 while( (my $key) = each %ignored) {
612 # Assign data array positions to some nice variable names.
613 my $address = $ignored{$key}[0];
614 my $remark = $ignored{$key}[1];
615 my $status = $ignored{$key}[2];
617 # Check if the key (id) number is even or not.
618 if ($settings{'ID'} eq $key) {
619 $col="bgcolor='${Header::colouryellow}'";
621 $col="bgcolor='$color{'color22'}'";
623 $col="bgcolor='$color{'color20'}'";
626 # Choose icon for the checkbox.
630 # Check if the status is enabled and select the correct image and description.
631 if ($status eq 'enabled' ) {
633 $gdesc = $Lang::tr
{'click to disable'};
636 $gdesc = $Lang::tr
{'click to enable'};
641 <td width='20%' class='base' $col>$address</td>
642 <td width='65%' class='base' $col>$remark</td>
644 <td align='center' $col>
645 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
646 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
647 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' />
648 <input type='hidden' name='ID' value='$key' />
652 <td align='center' $col>
653 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
654 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
655 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
656 <input type='hidden' name='ID' value='$key' />
660 <td align='center' $col>
661 <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'>
662 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'>
663 <input type='hidden' name='ID' value='$key'>
664 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}'>
671 # Print notice that currently no hosts are ignored.
673 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
679 # Section to add new elements or edit existing ones.
689 # Assign correct headline and button text.
694 # Check if an ID (key) has been given, in this case an existing entry should be edited.
695 if ($settings{'ID'} ne '') {
696 $buttontext = $Lang::tr
{'update'};
697 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n";
699 # Grab address and remark for the given key.
700 $entry_address = $ignored{$settings{'ID'}}[0];
701 $entry_remark = $ignored{$settings{'ID'}}[1];
703 $buttontext = $Lang::tr
{'add'};
704 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n";
708 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
709 <input type='hidden' name='ID' value='$settings{'ID'}'>
711 <td width='30%'>$Lang::tr{'ip address'}: </td>
712 <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
714 <td width='30%'>$Lang::tr{'remark'}: </td>
715 <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
716 <td align='center' width='20%'><input type='submit' name='ACTION' value='$buttontext' /></td>
726 # Function to list currently blocked addresses from guardian and unblock them or add custom entries to block.
727 sub showBlockedBox
() {
728 &Header
::openbox
('100%', 'center', $Lang::tr
{'guardian blocked hosts'});
733 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian blocked hosts'}</b></td>
737 # Launch function to get the currently blocked hosts.
738 my @blocked_hosts = &GetBlockedHosts
();
743 # Loop through our blocked hosts array.
744 foreach my $blocked_host (@blocked_hosts) {
746 # Increase id number for each element in the ignore file.
749 # Check if the id number is even or not.
751 $col="bgcolor='$color{'color22'}'";
753 $col="bgcolor='$color{'color20'}'";
758 <td width='80%' class='base' $col><a href='/cgi-bin/ipinfo.cgi?ip=$blocked_host'>$blocked_host</a></td>
759 <td width='20%' align='center' $col>
760 <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
761 <input type='image' name='$Lang::tr{'unblock'}' src='/images/delete.gif' title='$Lang::tr{'unblock'}' alt='$Lang::tr{'unblock'}'>
762 <input type='hidden' name='ADDRESS_UNBLOCK' value='$blocked_host'>
763 <input type='hidden' name='ACTION' value='$Lang::tr{'unblock'}'>
770 # If the loop only has been run once the id still is "0", which means there are no
771 # additional entries (blocked hosts) in the iptables chain.
774 # Print notice that currently no hosts are blocked.
776 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
782 # Section for a manual block of an IP-address.
786 <table width='60%' border='0'>
787 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
789 <td width='30%'>$Lang::tr{'guardian block a host'}: </td>
790 <td width='40%'><input type='text' name='ADDRESS_BLOCK' value='' size='24' /></td>
791 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'block'}'></td>
792 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'unblock all'}'></td>
802 &Header
::closebigbox
();
803 &Header
::closepage
();
805 # Function to check if guardian has been started.
806 # Grab process id and consumed memory if the daemon is running.
810 open(FILE
, '/usr/local/bin/addonctrl guardian status | ');
813 $string = join("", @guardian);
814 $string =~ s/[a-z_]//gi;
815 $string =~ s/\[[0-1]\;[0-9]+//gi;
816 $string =~ s/[\(\)\.]//gi;
819 @pid = split(/\s/,$string);
820 if (open(FILE
, "/proc/$pid[0]/statm")){
822 @memory = split(/ /,$temp);
828 sub GetBlockedHosts
() {
829 # Create new, empty array.
832 # Launch helper to get chains from iptables.
833 system('/usr/local/bin/getipstat');
835 # Open temporary file which contains the chains and rules.
836 open (FILE
, '/var/tmp/iptables.txt');
838 # Loop through the entire file.
842 # Search for the guardian chain and extract
843 # the lines between it and the next empty line
844 # which is placed before the next firewall
846 if ($line =~ /^Chain GUARDIAN/ .. /^\s*$/) {
847 # Skip descriptive lines.
848 next if ($line =~ /^Chain/);
849 next if ($line =~ /^ pkts/);
851 # Generate array, based on the line content (separator is a single or multiple space)
852 my @comps = split(/\s{1,}/, $line);
853 my ($lead, $pkts, $bytes, $target, $prot, $opt, $in, $out, $source, $destination) = @comps;
855 # Assign different variable names.
856 my $blocked_host = $source;
858 # Add host to our hosts array.
860 push(@hosts, $blocked_host);
868 # Remove recently created temporary files of the "getipstat" binary.
869 system("rm -f /var/tmp/iptables.txt");
870 system("rm -f /var/tmp/iptablesmangle.txt");
871 system("rm -f /var/tmp/iptablesnat.txt");
873 # Convert entries, sort them, write back and store the sorted entries into new array.
874 my @sorted = map { $_->[0] }
875 sort { $a->[1] <=> $b->[1] }
876 map { [$_, int sprintf("%03.f%03.f%03.f%03.f", split(/\./, $_))] }
879 # Return our sorted list.
883 sub BuildConfiguration
() {
885 &General
::readhash
("${General::swroot}/guardian/settings", \
%settings);
887 my $configfile = "${General::swroot}/guardian/guardian.conf";
889 # Create the configfile if none exists yet.
890 unless (-e
"$configfile") { system("touch $configfile"); }
892 # Open configfile for writing.
893 open(FILE
, ">$configfile");
895 # Config file header.
896 print FILE
"# Autogenerated configuration file.\n";
897 print FILE
"# All user modifications will be overwritten.\n\n";
899 # Settings for the logging mechanism.
900 print FILE
"# Log settings.\n";
901 print FILE
"LogFacility = $settings{'GUARDIAN_LOG_FACILITY'}\n";
903 if ($settings{'GUARDIAN_LOG_FACILITY'} eq "file") {
904 print FILE
"LogFile = $settings{'GUARDIAN_LOGFILE'}\n";
907 print FILE
"LogLevel = $settings{'GUARDIAN_LOGLEVEL'}\n\n";
909 # IPFire related static settings.
910 print FILE
"# IPFire related settings.\n";
911 print FILE
"FirewallEngine = IPtables\n";
912 print FILE
"SocketOwner = nobody:nobody\n";
913 print FILE
"IgnoreFile = $ignorefile\n\n";
915 # Configured block values.
916 print FILE
"# Configured block settings.\n";
917 print FILE
"BlockCount = $settings{'GUARDIAN_BLOCKCOUNT'}\n";
918 print FILE
"BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n";
919 print FILE
"FirewallAction = $settings{'GUARDIAN_FIREWALL_ACTION'}\n\n";
922 # Loop through whole settings hash.
923 print FILE
"# Enabled modules.\n";
924 foreach my $option (keys %settings) {
925 # Search for enabled modules.
926 if ($option =~ /GUARDIAN_MONITOR_(.*)/) {
927 # Skip if module is not enabled.
928 next unless($settings{$option} eq "on");
930 # Skip module if no file location is available.
931 next unless(exists($module_file_locations{$1}));
933 # Add enabled module and defined path to the config file.
934 print FILE
"Monitor_$1 = $module_file_locations{$1}\n";
939 print FILE
"\n# Module settings.\n";
942 # Generate ignore file.
943 &GenerateIgnoreFile
();
945 # Check if guardian should be started or stopped.
946 if($settings{'GUARDIAN_ENABLED'} eq 'on') {
948 # Send reload command through socket connection.
949 &Guardian
::Socket
::Client
("reload");
952 system("/usr/local/bin/addonctrl guardian start &>/dev/null");
956 system("/usr/local/bin/addonctrl guardian stop &>/dev/null");
960 sub GenerateIgnoreFile
() {
963 # Read-in ignoredfile.
964 &General
::readhasharray
($ignoredfile, \
%ignored);
966 # Create the guardian.ignore file if not exist yet.
967 unless (-e
"$ignorefile") { system("touch $ignorefile"); }
969 # Open ignorefile for writing.
970 open(FILE
, ">$ignorefile");
972 # Config file header.
973 print FILE
"# Autogenerated configuration file.\n";
974 print FILE
"# All user modifications will be overwritten.\n\n";
976 # Add IFPire interfaces and gateway to the ignore file.
978 # Assign some temporary variables for the IPFire interfaces.
979 my $green = $netsettings{'GREEN_ADDRESS'};
980 my $blue = $netsettings{'BLUE_ADDRESS'};
981 my $orange = $netsettings{'ORANGE_ADDRESS'};
984 my $public_address_file = "${General::swroot}/red/local-ipaddress";
985 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
987 # Write the obtained addresses to the ignore file.
988 print FILE
"# IPFire local interfaces.\n";
989 print FILE
"$green\n";
991 # Check if a blue interface exists.
994 print FILE
"$blue\n";
997 # Check if an orange interface exists.
999 # Add orange address.
1000 print FILE
"$orange\n";
1003 print FILE
"\n# IPFire red interface, gateway and used DNS-servers.\n";
1004 print FILE
"# Include the corresponding files to obtain the addresses.\n";
1005 print FILE
"Include_File = $public_address_file\n";
1006 print FILE
"Include_File = $gatewayfile\n";
1008 # Add all user defined hosts and networks to the ignore file.
1010 # Check if the hash contains any elements.
1011 if (keys (%ignored)) {
1013 print FILE
"\n# User defined hosts/networks.\n";
1015 # Loop through the entire hash and write the host/network
1016 # and remark to the ignore file.
1017 while ( (my $key) = each %ignored) {
1018 my $address = $ignored{$key}[0];
1019 my $remark = $ignored{$key}[1];
1020 my $status = $ignored{$key}[2];
1022 # Check if the status of the entry is "enabled".
1023 if ($status eq "enabled") {
1024 # Check if the address/network is valid.
1025 if ((&General
::validip
($address)) || (&General
::validipandmask
($address))) {
1026 # Write the remark to the file.
1027 print FILE
"# $remark\n";
1029 # Write the address/network to the ignore file.
1030 print FILE
"$address\n\n";