]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - html/cgi-bin/guardian.cgi
projects / people / pmueller / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
guardian.cgi: Use private subfunction for gateway and DNS server detection.
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / guardian.cgi
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2016 IPFire Team <info@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23 use Locale::Codes::Country;
24 use Guardian::Socket;
25
26 # enable only the following on debugging purpose
27 #use warnings;
28 #use CGI::Carp 'fatalsToBrowser';
29
30 require '/var/ipfire/general-functions.pl';
31 require "${General::swroot}/lang.pl";
32 require "${General::swroot}/header.pl";
33
34 #workaround to suppress a warning when a variable is used only once
35 my @dummy = (
36 ${Header::colourred},
37 ${Header::colourgreen}
38 );
39
40 undef (@dummy);
41
42 my $string=();
43 my $memory=();
44 my @memory=();
45 my @pid=();
46 my @guardian=();
47
48 # Path to the guardian.ignore file.
49 my $ignorefile ='/var/ipfire/guardian/guardian.ignore';
50
51 # Hash which contains the supported modules and the
52 # file locations on IPFire systems.
53 my %module_file_locations = (
54 "HTTPD" => "/var/log/httpd/error_log",
55 "OWNCLOUD" => "/var/owncloud/data/owncloud.log",
56 "SNORT" => "/var/log/snort.alert",
57 "SSH" => "/var/log/messages",
58 );
59
60 our %netsettings = ();
61 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
62
63 our %color = ();
64 our %mainsettings = ();
65 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
66 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
67
68 # Pakfire meta file for owncloud.
69 # (File exists when the addon is installed.)
70 my $owncloud_meta = "/opt/pakfire/db/installed/meta-owncloud";
71
72
73 # File declarations.
74 my $settingsfile = "${General::swroot}/guardian/settings";
75 my $ignoredfile = "${General::swroot}/guardian/ignored";
76
77 # Create empty settings and ignoredfile if they do not exist yet.
78 unless (-e "$settingsfile") { system("touch $settingsfile"); }
79 unless (-e "$ignoredfile") { system("touch $ignoredfile"); }
80
81 our %settings = ();
82 our %ignored = ();
83
84 $settings{'ACTION'} = '';
85
86 $settings{'GUARDIAN_ENABLED'} = 'off';
87 $settings{'GUARDIAN_MONITOR_SNORT'} = 'on';
88 $settings{'GUARDIAN_MONITOR_SSH'} = 'on';
89 $settings{'GUARDIAN_MONITOR_HTTPD'} = 'on';
90 $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = '';
91 $settings{'GUARDIAN_LOG_FACILITY'} = 'syslog';
92 $settings{'GUARDIAN_LOGLEVEL'} = 'info';
93 $settings{'GUARDIAN_BLOCKCOUNT'} = '3';
94 $settings{'GUARDIAN_BLOCKTIME'} = '86400';
95 $settings{'GUARDIAN_LOGFILE'} = '/var/log/guardian/guardian.log';
96 $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'} = '3';
97
98 # Default settings for owncloud if installed.
99 if ( -e "$owncloud_meta") {
100 $settings{'GUARDIAN_MONITOR_OWNCLOUD'} = 'off';
101 }
102
103 my $errormessage = '';
104
105 &Header::showhttpheaders();
106
107 # Get GUI values.
108 &Header::getcgihash(\%settings);
109
110 # Check if guardian is running and grab some stats.
111 &daemonstats();
112 my $pid = $pid[0];
113
114 ## Perform input checks and save settings.
115 #
116 if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
117 # Check for valid blocktime.
118 unless(($settings{'GUARDIAN_BLOCKTIME'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKTIME'} ne "0")) {
119 $errormessage = "$Lang::tr{'guardian invalid blocktime'}";
120 }
121
122 # Check if the bloccount is valid.
123 unless(($settings{'GUARDIAN_BLOCKCOUNT'} =~ /^\d+$/) && ($settings{'GUARDIAN_BLOCKCOUNT'} ne "0")) {
124 $errormessage = "$Lang::tr{'guardian invalid blockcount'}";
125 }
126
127 # Check Logfile.
128 unless($settings{'GUARDIAN_LOGFILE'} =~ /^[a-zA-Z0-9\.\/]+$/) {
129 $errormessage = "$Lang::tr{'guardian invalid logfile'}";
130 }
131
132 # Only continue if no error message has been set.
133 if($errormessage eq '') {
134 # Write configuration settings to file.
135 &General::writehash("${General::swroot}/guardian/settings", \%settings);
136
137 # Update configuration files.
138 &BuildConfiguration();
139 }
140
141 ## Add/edit an entry to the ignore file.
142 #
143 } elsif (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang::tr{'update'})) {
144
145 # Check if any input has been performed.
146 if ($settings{'IGNORE_ENTRY_ADDRESS'} ne '') {
147
148 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
149 if ((!&General::validip($settings{'IGNORE_ENTRY_ADDRESS'})) && (!&General::validipandmask($settings{'IGNORE_ENTRY_ADDRESS'}))) {
150 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
151 }
152 } else {
153 $errormessage = "$Lang::tr{'guardian empty input'}";
154 }
155
156 # Go further if there was no error.
157 if ($errormessage eq '') {
158 my %ignored = ();
159 my $id;
160 my $status;
161
162 # Assign hash values.
163 my $new_entry_address = $settings{'IGNORE_ENTRY_ADDRESS'};
164 my $new_entry_remark = $settings{'IGNORE_ENTRY_REMARK'};
165
166 # Read-in ignoredfile.
167 &General::readhasharray($ignoredfile, \%ignored);
168
169 # Check if we should edit an existing entry and got an ID.
170 if (($settings{'ACTION'} eq $Lang::tr{'update'}) && ($settings{'ID'})) {
171 # Assin the provided id.
172 $id = $settings{'ID'};
173
174 # Undef the given ID.
175 undef($settings{'ID'});
176
177 # Grab the configured status of the corresponding entry.
178 $status = $ignored{$id}[2];
179 } else {
180 # Each newly added entry automatically should be enabled.
181 $status = "enabled";
182
183 # Generate the ID for the new entry.
184 #
185 # Sort the keys by it's ID and store them in an array.
186 my @keys = sort { $a <=> $b } keys %ignored;
187
188 # Reverse the key array.
189 my @reversed = reverse(@keys);
190
191 # Obtain the last used id.
192 my $last_id = @reversed[0];
193
194 # Increase the last id by one and use it as id for the new entry.
195 $id = ++$last_id;
196 }
197
198 # Add/Modify the entry to/in the ignored hash.
199 $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"];
200
201 # Write the changed ignored hash to the ignored file.
202 &General::writehasharray($ignoredfile, \%ignored);
203
204 # Regenerate the ignore file.
205 &GenerateIgnoreFile();
206 }
207
208 # Check if guardian is running.
209 if ($pid > 0) {
210 # Send reload command through socket connection.
211 &Guardian::Socket::Client("reload");
212 }
213
214 ## Toggle Enabled/Disabled for an existing entry on the ignore list.
215 #
216
217 } elsif ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
218 my %ignored = ();
219
220 # Only go further, if an ID has been passed.
221 if ($settings{'ID'}) {
222 # Assign the given ID.
223 my $id = $settings{'ID'};
224
225 # Undef the given ID.
226 undef($settings{'ID'});
227
228 # Read-in ignoredfile.
229 &General::readhasharray($ignoredfile, \%ignored);
230
231 # Grab the configured status of the corresponding entry.
232 my $status = $ignored{$id}[2];
233
234 # Switch the status.
235 if ($status eq "disabled") {
236 $status = "enabled";
237 } else {
238 $status = "disabled";
239 }
240
241 # Modify the status of the existing entry.
242 $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"];
243
244 # Write the changed ignored hash to the ignored file.
245 &General::writehasharray($ignoredfile, \%ignored);
246
247 # Regenerate the ignore file.
248 &GenerateIgnoreFile();
249
250 # Check if guardian is running.
251 if ($pid > 0) {
252 # Send reload command through socket connection.
253 &Guardian::Socket::Client("reload");
254 }
255 }
256
257 ## Remove entry from ignore list.
258 #
259 } elsif ($settings{'ACTION'} eq $Lang::tr{'remove'}) {
260 my %ignored = ();
261
262 # Read-in ignoredfile.
263 &General::readhasharray($ignoredfile, \%ignored);
264
265 # Drop entry from the hash.
266 delete($ignored{$settings{'ID'}});
267
268 # Undef the given ID.
269 undef($settings{'ID'});
270
271 # Write the changed ignored hash to the ignored file.
272 &General::writehasharray($ignoredfile, \%ignored);
273
274 # Regenerate the ignore file.
275 &GenerateIgnoreFile();
276
277 # Check if guardian is running.
278 if ($pid > 0) {
279 # Send reload command through socket connection.
280 &Guardian::Socket::Client("reload");
281 }
282
283 ## Block a user given address or subnet.
284 #
285 } elsif ($settings{'ACTION'} eq $Lang::tr{'block'}) {
286
287 # Assign some temporary variables used for input validation.
288 my $input = $settings{'ADDRESS_BLOCK'};
289 my $green = $netsettings{'GREEN_ADDRESS'};
290 my $blue = $netsettings{'BLUE_ADDRESS'};
291 my $orange = $netsettings{'ORANGE_ADDRESS'};
292 my $red = $netsettings{'RED_ADDRESS'};
293
294 # File declarations.
295 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
296 my $dns1file = "${General::swroot}/red/dns1";
297 my $dns2file = "${General::swroot}/red/dns2";
298
299 # Get gateway address.
300 my $gateway = &_get_address_from_file($gatewayfile);
301
302 # Get addresses from the used dns servers.
303 my $dns1 = &_get_address_from_file($dns1file);
304 my $dns2 = &_get_address_from_file($dns2file);
305
306 # Check if any input has been performed.
307 if ($input eq '') {
308 $errormessage = "$Lang::tr{'guardian empty input'}";
309 }
310
311 # Check if the given input is localhost (127.0.0.1).
312 elsif ($input eq "127.0.0.1") {
313 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
314 }
315
316 # Check if the given input is anywhere (0.0.0.0).
317 elsif ($input eq "0.0.0.0") {
318 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
319 }
320
321 # Check if the given input is one of the interface addresses or our gateway.
322 elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
323 $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
324 }
325
326 # Check if the given input is a valid IP address.
327 elsif (!&General::validip($input)) {
328 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
329 }
330
331 # Go further if there was no error.
332 if ($errormessage eq '') {
333 my $block = $settings{'ADDRESS_BLOCK'};
334
335 # Send command to block the specified address through socket connection.
336 &Guardian::Socket::Client("block $block");
337 }
338
339 ## Unblock address or subnet.
340 #
341 } elsif ($settings{'ACTION'} eq $Lang::tr{'unblock'}) {
342
343 # Check if no empty input has been performed.
344 if ($settings{'ADDRESS_UNBLOCK'} ne '') {
345
346 # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
347 if ((!&General::validip($settings{'ADDRESS_UNBLOCK'})) && (!&General::validipandmask($settings{'ADDRESS_UNBLOCK'}))) {
348 $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
349 }
350
351 } else {
352 $errormessage = "$Lang::tr{'guardian empty input'}";
353 }
354
355 # Go further if there was no error.
356 if ($errormessage eq '') {
357 my $unblock = $settings{'ADDRESS_UNBLOCK'};
358
359 # Send command to unblock the given address through socket connection.
360 &Guardian::Socket::Client("unblock $unblock");
361 }
362
363 ## Unblock all.
364 #
365 } elsif ($settings{'ACTION'} eq $Lang::tr{'unblock all'}) {
366
367 # Send flush command through socket connection.
368 &Guardian::Socket::Client("flush");
369 }
370
371 # Load settings from files.
372 &General::readhash("${General::swroot}/guardian/settings", \%settings);
373 &General::readhasharray("${General::swroot}/guardian/ignored", \%ignored);
374
375 # Call functions to generate whole page.
376 &showMainBox();
377 &showIgnoreBox();
378
379 # Display area only if guardian is running.
380 if ( ($memory != 0) && ($pid > 0) ) {
381 &showBlockedBox();
382 }
383
384 # Function to display the status of guardian and allow base configuration.
385 sub showMainBox() {
386 my %checked = ();
387 my %selected = ();
388
389 $checked{'GUARDIAN_ENABLED'}{'on'} = '';
390 $checked{'GUARDIAN_ENABLED'}{'off'} = '';
391 $checked{'GUARDIAN_ENABLED'}{$settings{'GUARDIAN_ENABLED'}} = 'checked';
392 $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} = '';
393 $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} = '';
394 $checked{'GUARDIAN_MONITOR_SNORT'}{$settings{'GUARDIAN_MONITOR_SNORT'}} = "checked='checked'";
395 $checked{'GUARDIAN_MONITOR_SSH'}{'off'} = '';
396 $checked{'GUARDIAN_MONITOR_SSH'}{'on'} = '';
397 $checked{'GUARDIAN_MONITOR_SSH'}{$settings{'GUARDIAN_MONITOR_SSH'}} = "checked='checked'";
398 $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} = '';
399 $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} = '';
400 $checked{'GUARDIAN_MONITOR_HTTPD'}{$settings{'GUARDIAN_MONITOR_HTTPD'}} = "checked='checked'";
401 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} = '';
402 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} = '';
403 $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{$settings{'GUARDIAN_MONITOR_OWNCLOUD'}} = "checked='checked'";
404
405 $selected{'GUARDIAN_LOG_FACILITY'}{$settings{'GUARDIAN_LOG_FACILITY'}} = 'selected';
406 $selected{'GUARDIAN_LOGLEVEL'}{$settings{'GUARDIAN_LOGLEVEL'}} = 'selected';
407 $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{$settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}} = 'selected';
408
409 &Header::openpage($Lang::tr{'guardian configuration'}, 1, '');
410 &Header::openbigbox('100%', 'left', '', $errormessage);
411
412 # Print errormessage if there is one.
413 if ($errormessage) {
414 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
415 print "<font class='base'>$errormessage&nbsp;</font>\n";
416 &Header::closebox();
417 }
418
419
420 # Draw current guardian state.
421 &Header::openbox('100%', 'center', $Lang::tr{'guardian'});
422
423 # Get current status of guardian.
424 &daemonstats();
425 $pid = $pid[0];
426
427 # Display some useful information related to guardian, if daemon is running.
428 if ( ($memory != 0) && ($pid > 0) ){
429 print <<END;
430 <table width='95%' cellspacing='0' class='tbl'>
431 <tr>
432 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
433 </tr>
434 <tr>
435 <td class='base'>$Lang::tr{'guardian daemon'}</td>
436 <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td>
437 </tr>
438 <tr>
439 <td class='base'></td>
440 <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td>
441 <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td>
442 </tr>
443 <tr>
444 <td class='base'></td>
445 <td bgcolor='$color{'color22'}' align='center'>$pid</td>
446 <td bgcolor='$color{'color22'}' align='center'>$memory KB</td>
447 </tr>
448 </table>
449 END
450 } else {
451 # Otherwise display a hint that the service is not launched.
452 print <<END;
453 <table width='95%' cellspacing='0' class='tbl'>
454 <tr>
455 <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'guardian service'}</strong></th>
456 </tr>
457 <tr>
458 <td class='base'>$Lang::tr{'guardian daemon'}</td>
459 <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td>
460 </tr>
461 </table>
462 END
463 }
464
465 &Header::closebox();
466
467 # Draw elements for guardian configuration.
468 &Header::openbox('100%', 'center', $Lang::tr{'guardian configuration'});
469
470 print <<END;
471 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
472
473 <table width='95%'>
474 <tr>
475 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian common settings'}</b></td>
476 </tr>
477 <tr>
478 <td width='20%' class='base'>$Lang::tr{'guardian enabled'}:</td>
479 <td><input type='checkbox' name='GUARDIAN_ENABLED' $checked{'GUARDIAN_ENABLED'}{'on'} /></td>
480 </tr>
481 <tr>
482 <td colspan='2'><br></td>
483 </tr>
484 <tr>
485 <td width='20%' class='base'>$Lang::tr{'guardian watch snort alertfile'}</td>
486 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='on' $checked{'GUARDIAN_MONITOR_SNORT'}{'on'} /> /
487 <input type='radio' name='GUARDIAN_MONITOR_SNORT' value='off' $checked{'GUARDIAN_MONITOR_SNORT'}{'off'} /> off</td>
488 </tr>
489 <tr>
490 <td width='20%' class='base'>$Lang::tr{'guardian block ssh brute-force'}</td>
491 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_SSH' value='on' $checked{'GUARDIAN_MONITOR_SSH'}{'on'} /> /
492 <input type='radio' name='GUARDIAN_MONITOR_SSH' value='off' $checked{'GUARDIAN_MONITOR_SSH'}{'off'} /> off</td>
493 </tr>
494 <tr>
495 <td width='20%' class='base'>$Lang::tr{'guardian block httpd brute-force'}</td>
496 <td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='on' $checked{'GUARDIAN_MONITOR_HTTPD'}{'on'} /> /
497 <input type='radio' name='GUARDIAN_MONITOR_HTTPD' value='off' $checked{'GUARDIAN_MONITOR_HTTPD'}{'off'} /> off</td>
498 </tr>
499 END
500 # Display owncloud checkbox when the addon is installed.
501 if ( -e "$owncloud_meta" ) {
502 print"<tr>\n";
503 print"<td width='20%' class='base'>$Lang::tr{'guardian block owncloud brute-force'}</td>\n";
504 print"<td align='left'>on <input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='on' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'on'} /> /\n";
505 print"<input type='radio' name='GUARDIAN_MONITOR_OWNCLOUD' value='off' $checked{'GUARDIAN_MONITOR_OWNCLOUD'}{'off'} /> off</td>\n";
506 print"</tr>\n";
507 }
508 print <<END;
509 <tr>
510 <td colspan='2'><br></td>
511 </tr>
512 <tr>
513 <td align='left' width='20%'>$Lang::tr{'guardian logfacility'}:</td>
514 <td><select name='GUARDIAN_LOG_FACILITY'>
515 <option value='syslog' $selected{'GUARDIAN_LOG_FACILITY'}{'syslog'}>syslog</option>
516 <option value='file' $selected{'GUARDIAN_LOG_FACILITY'}{'file'}>file</option>
517 <option value='console' $selected{'GUARDIAN_LOG_FACILITY'}{'console'}>console</option>
518 </select></td>
519 </tr>
520 <tr>
521 <td colspan='2'><br></td>
522 </tr>
523 <tr>
524 <td align='left' width='20%'>$Lang::tr{'guardian loglevel'}:</td>
525 <td><select name='GUARDIAN_LOGLEVEL'>
526 <option value='off' $selected{'GUARDIAN_LOGLEVEL'}{'off'}>off</option>
527 <option value='info' $selected{'GUARDIAN_LOGLEVEL'}{'info'}>info</option>
528 <option value='debug' $selected{'GUARDIAN_LOGLEVEL'}{'debug'}>debug</option>
529 </select></td>
530 </tr>
531 <tr>
532 <td colspan='2'><br></td>
533 </tr>
534 <tr>
535 <td align='left' width='20%'>$Lang::tr{'guardian priority level'}:</td>
536 <td><select name='GUARDIAN_SNORT_PRIORITY_LEVEL'>
537 <option value='1' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'1'}>1</option>
538 <option value='2' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'2'}>2</option>
539 <option value='3' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'3'}>3</option>
540 <option value='4' $selected{'GUARDIAN_SNORT_PRIORITY_LEVEL'}{'4'}>4</option>
541 </select></td>
542 </tr>
543 <tr>
544 <td colspan='2'><br></td>
545 </tr>
546 <tr>
547 <td width='20%' class='base'>$Lang::tr{'guardian blockcount'}:</td>
548 <td><input type='text' name='GUARDIAN_BLOCKCOUNT' value='$settings{'GUARDIAN_BLOCKCOUNT'}' size='5' /></td>
549 </tr>
550 <tr>
551 <td width='20%' class='base'>$Lang::tr{'guardian blocktime'}:</td>
552 <td><input type='text' name='GUARDIAN_BLOCKTIME' value='$settings{'GUARDIAN_BLOCKTIME'}' size='10' /></td>
553 </tr>
554 <tr>
555 <td width='20%' class='base'>$Lang::tr{'guardian logfile'}:</td>
556 <td><input type='text' name='GUARDIAN_LOGFILE' value='$settings{'GUARDIAN_LOGFILE'}' size='30' /></td>
557 </tr>
558 </table>
559 END
560
561 print <<END;
562 <hr>
563
564 <table width='95%'>
565 <tr>
566 <td>&nbsp;</td>
567 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
568 <td>&nbsp;</td>
569 </tr>
570 </table>
571 </form>
572 END
573
574 &Header::closebox();
575 }
576
577 # Function to show elements of the guardian ignorefile and allow to add or remove single members of it.
578 sub showIgnoreBox() {
579 &Header::openbox('100%', 'center', $Lang::tr{'guardian ignored hosts'});
580
581 print <<END;
582 <table width='80%'>
583 <tr>
584 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td>
585 <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td>
586 <td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
587 </tr>
588 END
589 # Check if some hosts have been add to be ignored.
590 if (keys (%ignored)) {
591 my $col = "";
592
593 # Loop through all entries of the hash..
594 while( (my $key) = each %ignored) {
595 # Assign data array positions to some nice variable names.
596 my $address = $ignored{$key}[0];
597 my $remark = $ignored{$key}[1];
598 my $status = $ignored{$key}[2];
599
600 # Check if the key (id) number is even or not.
601 if ($settings{'ID'} eq $key) {
602 $col="bgcolor='${Header::colouryellow}'";
603 } elsif ($key % 2) {
604 $col="bgcolor='$color{'color22'}'";
605 } else {
606 $col="bgcolor='$color{'color20'}'";
607 }
608
609 # Choose icon for the checkbox.
610 my $gif;
611 my $gdesc;
612
613 # Check if the status is enabled and select the correct image and description.
614 if ($status eq 'enabled' ) {
615 $gif = 'on.gif';
616 $gdesc = $Lang::tr{'click to disable'};
617 } else {
618 $gif = 'off.gif';
619 $gdesc = $Lang::tr{'click to enable'};
620 }
621
622 print <<END;
623 <tr>
624 <td width='20%' class='base' $col>$address</td>
625 <td width='65%' class='base' $col>$remark</td>
626
627 <td align='center' $col>
628 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
629 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
630 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' />
631 <input type='hidden' name='ID' value='$key' />
632 </form>
633 </td>
634
635 <td align='center' $col>
636 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
637 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
638 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
639 <input type='hidden' name='ID' value='$key' />
640 </form>
641 </td>
642
643 <td align='center' $col>
644 <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'>
645 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'>
646 <input type='hidden' name='ID' value='$key'>
647 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}'>
648 </form>
649 </td>
650 </tr>
651 END
652 }
653 } else {
654 # Print notice that currently no hosts are ignored.
655 print "<tr>\n";
656 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
657 print "</tr>\n";
658 }
659
660 print "</table>\n";
661
662 # Section to add new elements or edit existing ones.
663 print <<END;
664 <br>
665 <hr>
666 <br>
667
668 <div align='center'>
669 <table width='100%'>
670 END
671
672 # Assign correct headline and button text.
673 my $buttontext;
674 my $entry_address;
675 my $entry_remark;
676
677 # Check if an ID (key) has been given, in this case an existing entry should be edited.
678 if ($settings{'ID'} ne '') {
679 $buttontext = $Lang::tr{'update'};
680 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n";
681
682 # Grab address and remark for the given key.
683 $entry_address = $ignored{$settings{'ID'}}[0];
684 $entry_remark = $ignored{$settings{'ID'}}[1];
685 } else {
686 $buttontext = $Lang::tr{'add'};
687 print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n";
688 }
689
690 print <<END;
691 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
692 <input type='hidden' name='ID' value='$settings{'ID'}'>
693 <tr>
694 <td width='30%'>$Lang::tr{'ip address'}: </td>
695 <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
696
697 <td width='30%'>$Lang::tr{'remark'}: </td>
698 <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
699 <td align='center' width='20%'><input type='submit' name='ACTION' value='$buttontext' /></td>
700 </tr>
701 </form>
702 </table>
703 </div>
704 END
705
706 &Header::closebox();
707 }
708
709 # Function to list currently bocked addresses from guardian and unblock them or add custom entries to block.
710 sub showBlockedBox() {
711 &Header::openbox('100%', 'center', $Lang::tr{'guardian blocked hosts'});
712
713 print <<END;
714 <table width='60%'>
715 <tr>
716 <td colspan='2' class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'guardian blocked hosts'}</b></td>
717 </tr>
718 END
719
720 # Lauch function to get the currently blocked hosts.
721 my @blocked_hosts = &GetBlockedHosts();
722
723 my $id = 0;
724 my $col = "";
725
726 # Loop through our blocked hosts array.
727 foreach my $blocked_host (@blocked_hosts) {
728
729 # Increase id number for each element in the ignore file.
730 $id++;
731
732 # Check if the id number is even or not.
733 if ($id % 2) {
734 $col="bgcolor='$color{'color22'}'";
735 } else {
736 $col="bgcolor='$color{'color20'}'";
737 }
738
739 print <<END;
740 <tr>
741 <td width='80%' class='base' $col><a href='/cgi-bin/ipinfo.cgi?ip=$blocked_host'>$blocked_host</a></td>
742 <td width='20%' align='center' $col>
743 <form method='post' name='frmb$id' action='$ENV{'SCRIPT_NAME'}'>
744 <input type='image' name='$Lang::tr{'unblock'}' src='/images/delete.gif' title='$Lang::tr{'unblock'}' alt='$Lang::tr{'unblock'}'>
745 <input type='hidden' name='ADDRESS_UNBLOCK' value='$blocked_host'>
746 <input type='hidden' name='ACTION' value='$Lang::tr{'unblock'}'>
747 </form>
748 </td>
749 </tr>
750 END
751 }
752
753 # If the loop only has been runs once the id still is "0", which means there are no
754 # additional entries (blocked hosts) in the iptables chain.
755 if ($id == 0) {
756
757 # Print notice that currently no hosts are blocked.
758 print "<tr>\n";
759 print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
760 print "</tr>\n";
761 }
762
763 print "</table>\n";
764
765 # Section for a manual block of an IP-address.
766 print <<END;
767 <br>
768 <div align='center'>
769 <table width='60%' border='0'>
770 <form method='post' action='$ENV{'SCRIPT_NAME'}'>
771 <tr>
772 <td width='30%'>$Lang::tr{'guardian block a host'}: </td>
773 <td width='40%'><input type='text' name='ADDRESS_BLOCK' value='' size='24' /></td>
774 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'block'}'></td>
775 <td align='center' width='15%'><input type='submit' name='ACTION' value='$Lang::tr{'unblock all'}'></td>
776 </tr>
777 </form>
778 </table>
779 </div>
780 END
781
782 &Header::closebox();
783 }
784
785 &Header::closebigbox();
786 &Header::closepage();
787
788 # Function to check if guardian has been started.
789 # Grab process id and consumed memory if the daemon is running.
790 sub daemonstats() {
791 $memory = 0;
792 # for pid and memory
793 open(FILE, '/usr/local/bin/addonctrl guardian status | ');
794 @guardian = <FILE>;
795 close(FILE);
796 $string = join("", @guardian);
797 $string =~ s/[a-z_]//gi;
798 $string =~ s/\[[0-1]\;[0-9]+//gi;
799 $string =~ s/[\(\)\.]//gi;
800 $string =~ s/ //gi;
801 $string =~ s/\e//gi;
802 @pid = split(/\s/,$string);
803 if (open(FILE, "/proc/$pid[0]/statm")){
804 my $temp = <FILE>;
805 @memory = split(/ /,$temp);
806 close(FILE);
807 }
808 $memory+=$memory[0];
809 }
810
811 sub GetBlockedHosts() {
812 # Create new, empty array.
813 my @hosts;
814
815 # Lauch helper to get chains from iptables.
816 system('/usr/local/bin/getipstat');
817
818 # Open temporary file which contains the chains and rules.
819 open (FILE, '/srv/web/ipfire/html/iptables.txt');
820
821 # Loop through the entire file.
822 while (<FILE>) {
823 my $line = $_;
824
825 # Search for the guardian chain and extract
826 # the lines between it and the next empty line
827 # which is placed before the next firewall
828 # chain starts.
829 if ($line =~ /^Chain GUARDIAN/ .. /^\s*$/) {
830 # Skip descriptive lines.
831 next if ($line =~ /^Chain/);
832 next if ($line =~ /^ pkts/);
833
834 # Generate array, based on the line content (seperator is a single or multiple space's)
835 my @comps = split(/\s{1,}/, $line);
836 my ($lead, $pkts, $bytes, $target, $prot, $opt, $in, $out, $source, $destination) = @comps;
837
838 # Assign different variable names.
839 my $blocked_host = $source;
840
841 # Add host to our hosts array.
842 if ($blocked_host) {
843 push(@hosts, $blocked_host);
844 }
845 }
846 }
847
848 # Close filehandle.
849 close(FILE);
850
851 # Remove recently created temporary files of the "getipstat" binary.
852 system(rm -f "/srv/web/ipfire/html/iptables.txt");
853 system(rm -f "/srv/web/ipfire/html/iptablesmangle.txt");
854 system(rm -f "/srv/web/ipfire/html/iptablesnat.txt");
855
856 # Convert entries, sort them, write back and store the sorted entries into new array.
857 my @sorted = map { $_->[0] }
858 sort { $a->[1] <=> $b->[1] }
859 map { [$_, int sprintf("%03.f%03.f%03.f%03.f", split(/\./, $_))] }
860 @hosts;
861
862 # Return our sorted list.
863 return @sorted
864 }
865
866 sub BuildConfiguration() {
867 my %settings = ();
868 &General::readhash("${General::swroot}/guardian/settings", \%settings);
869
870 my $configfile = "${General::swroot}/guardian/guardian.conf";
871
872 # Open configfile for writing.
873 open(FILE, ">$configfile");
874
875 # Config file header.
876 print FILE "# Autogenerated configuration file.\n";
877 print FILE "# All user modifications will be overwritten.\n\n";
878
879 # Settings for the logging mechanism.
880 print FILE "# Log settings.\n";
881 print FILE "LogFacility = $settings{'GUARDIAN_LOG_FACILITY'}\n";
882
883 if ($settings{'GUARDIAN_LOG_FACILITY'} eq "file") {
884 print FILE "LogFile = $settings{'GUARDIAN_LOGFILE'}\n";
885 }
886
887 print FILE "LogLevel = $settings{'GUARDIAN_LOGLEVEL'}\n\n";
888
889 # IPFire related static settings.
890 print FILE "# IPFire related settings.\n";
891 print FILE "FirewallEngine = IPtables\n";
892 print FILE "SocketOwner = nobody:nobody\n";
893 print FILE "IgnoreFile = $ignorefile\n\n";
894
895 # Configured block values.
896 print FILE "# Configured block values.\n";
897 print FILE "BlockCount = $settings{'GUARDIAN_BLOCKCOUNT'}\n";
898 print FILE "BlockTime = $settings{'GUARDIAN_BLOCKTIME'}\n\n";
899
900 # Enabled modules.
901 # Loop through whole settings hash.
902 print FILE "# Enabled modules.\n";
903 foreach my $option (keys %settings) {
904 # Search for enabled modules.
905 if ($option =~ /GUARDIAN_MONITOR_(.*)/) {
906 # Skip if module is not enabled.
907 next unless($settings{$option} eq "on");
908
909 # Skip module if no file location is available.
910 next unless(exists($module_file_locations{$1}));
911
912 # Add enabled module and defined path to the config file.
913 print FILE "Monitor_$1 = $module_file_locations{$1}\n";
914 }
915 }
916
917 # Module settings.
918 print FILE "\n# Module settings.\n";
919 # Check if SNORT is enabled and add snort priority.
920 if ($settings{'GUARDIAN_MONITOR_SNORT'} eq "on") {
921 print FILE "SnortPriorityLevel = $settings{'GUARDIAN_SNORT_PRIORITY_LEVEL'}\n";
922 }
923
924 close(FILE);
925
926 # Check if guardian should be started or stopped.
927 if($settings{'GUARDIAN_ENABLED'} eq 'on') {
928 if($pid > 0) {
929 # Send reload command through socket connection.
930 &Guardian::Socket::Client("reload");
931 } else {
932 # Launch guardian.
933 system("/usr/local/bin/addonctrl guardian start &>/dev/null");
934 }
935 } else {
936 # Stop the daemon.
937 system("/usr/local/bin/addonctrl guardian stop &>/dev/null");
938 }
939 }
940
941 sub GenerateIgnoreFile() {
942 my %ignored = ();
943
944 # Read-in ignoredfile.
945 &General::readhasharray($ignoredfile, \%ignored);
946
947 # Open ignorefile for writing.
948 open(FILE, ">$ignorefile");
949
950 # Config file header.
951 print FILE "# Autogenerated configuration file.\n";
952 print FILE "# All user modifications will be overwritten.\n\n";
953
954 # Add IFPire interfaces and gateway to the ignore file.
955 #
956 # Assign some temporary variables for the IPFire interfaces.
957 my $green = $netsettings{'GREEN_ADDRESS'};
958 my $blue = $netsettings{'BLUE_ADDRESS'};
959 my $orange = $netsettings{'ORANGE_ADDRESS'};
960 my $red = $netsettings{'RED_ADDRESS'};
961
962 # File declarations.
963 my $gatewayfile = "${General::swroot}/red/remote-ipaddress";
964 my $dns1file = "${General::swroot}/red/dns1";
965 my $dns2file = "${General::swroot}/red/dns2";
966
967 # Get gateway address.
968 my $gateway = &_get_address_from_file($gatewayfile);
969
970 # Get addresses from the used dns servers.
971 my $dns1 = &_get_address_from_file($dns1file);
972 my $dns2 = &_get_address_from_file($dns2file);
973
974 # Write the obtained addresses to the ignore file.
975 print FILE "# IPFire local interfaces.\n";
976 print FILE "$green\n";
977
978 # Check if a blue interface exists.
979 if ($blue) {
980 # Add blue address.
981 print FILE "$blue\n";
982 }
983
984 # Check if an orange interface exists.
985 if ($orange) {
986 # Add orange address.
987 print FILE "$orange\n";
988 }
989
990 print FILE "\n# IPFire red interface, gateway and used DNS-servers.\n";
991 print FILE "$red\n";
992 print FILE "$gateway\n";
993 print FILE "$dns1\n";
994 print FILE "$dns2\n";
995
996 # Add all user defined hosts and networks to the ignore file.
997 #
998 # Check if the hash contains any elements.
999 if (keys (%ignored)) {
1000 # Write headline.
1001 print FILE "# User defined hosts/networks.\n";
1002
1003 # Loop through the entire hash and write the host/network
1004 # and remark to the ignore file.
1005 while ( (my $key) = each %ignored) {
1006 my $address = $ignored{$key}[0];
1007 my $remark = $ignored{$key}[1];
1008 my $status = $ignored{$key}[2];
1009
1010 # Check if the status of the entry is "enabled".
1011 if ($status eq "enabled") {
1012 # Check if the address/network is valid.
1013 if ((&General::validip($address)) || (&General::validipandmask($address))) {
1014 # Write the remark to the file.
1015 print FILE "# $remark\n";
1016
1017 # Write the address/network to the ignore file.
1018 print FILE "$address\n\n";
1019 }
1020 }
1021 }
1022 }
1023
1024 close(FILE);
1025 }
1026
1027 # Private subfunction to obtain IP-addresses from given file names.
1028 #
1029 sub _get_address_from_file ($) {
1030 my $file = shift;
1031
1032 # Check if the file exists.
1033 if (-e $file) {
1034 # Open the given file.
1035 open(FILE, "$file") or die "Could not open $file.";
1036
1037 # Obtain the address from the first line of the file.
1038 my $address = <FILE>;
1039
1040 # Close filehandle
1041 close(FILE);
1042
1043 # Remove newlines.
1044 chomp $address;
1045
1046 # Check if the grabbed address is valid.
1047 if (&General::validip($address)) {
1048 # Return the address.
1049 return $address;
1050 }
1051 }
1052
1053 # Return nothing.
1054 return;
1055 }
Peter's tree of IPFire 2.x