Fixed OutgoingFW Parser, all option removed
index 522f281d960d98a867f118f1a7859c804d659034..ac27a58fe57b3681a0cb0238bbcec4c7fd32d33d 100644 (file)
@@ -1,14 +1,24 @@
 #!/usr/bin/perl
-#
-# IPFire Scripts
-#
-# This code is distributed under the terms of the GPL
-#
-# (c) The IPFire Team
-#
-# Michael Tremer - mitch@ipfire.org
-# Christian Schmidt - maniacikarus@ipfire.org
-#
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2009  Michael Tremer & Christian Schmidt                      #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
 
 use strict;
 # enable only the following on debugging purpose
@@ -36,8 +46,6 @@ my $DEBUG = 0;
 my $configfile = "/var/ipfire/outgoing/rules";
 my $p2pfile = "/var/ipfire/outgoing/p2protocols";
 
-&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
-
 ### Values that have to be initialized
 $outfwsettings{'ACTION'} = '';
 $outfwsettings{'VALID'} = 'yes';
@@ -56,6 +64,7 @@ $outfwsettings{'DISPLAY_DPORT'} = '';
 $outfwsettings{'DISPLAY_SMAC'} = '';
 $outfwsettings{'DISPLAY_SIP'} = '';
 $outfwsettings{'POLICY'} = 'MODE0';
+
 my $SOURCE = "";
 my $DESTINATION = "";
 my $PROTO = "";
@@ -64,11 +73,15 @@ my $DEV = "";
 my $MAC = "";
 my $POLICY = "";
 my $DO = "";
+my $DAY = "";
 
 # read files
 &General::readhash("${General::swroot}/outgoing/settings", \%outfwsettings);
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 
+$netsettings{'RED_DEV'}=`cat /var/ipfire/red/iface`;
+$netsettings{'RED_IP'}=`cat /var/ipfire/red/local-ipaddress`;
+
 open( FILE, "< $configfile" ) or die "Unable to read $configfile";
 @configs = <FILE>;
 close FILE;
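Review bot: The two backtick reads into `$netsettings{'RED_DEV'}` and `$netsettings{'RED_IP'}` keep whatever `cat` prints, including a trailing newline if those files end with one, and both values are later interpolated into `$CMD` and executed through `system("$CMD")` as a single shell string, where a newline terminates the command and leaves the remaining iptables options to be run as a separate shell command. Wrap both reads, `chomp($netsettings{'RED_DEV'} = `cat /var/ipfire/red/iface`);` and likewise for `local-ipaddress`, or read the files with `open`/`chomp` and avoid the fork altogether. Whether the files end with a newline is not visible here, so this may be latent rather than currently triggered; if the red interface is down the files may also be absent or empty, in which case `cat` prints an error and the variables end up empty.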
@@ -80,7 +93,7 @@ if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
 } elsif ( $outfwsettings{'POLICY'} eq 'MODE2' ) {
        $outfwsettings{'STATE'} = "DENY";
        $POLICY = "ACCEPT";
-       $DO = "DROP";
+       $DO = "DROP -m comment --comment 'DROP_OUTGOINGFW'";
 }
 
 ### Initialize IPTables
@@ -112,6 +125,9 @@ foreach $configentry (sort @configs)
                if ($configline[2] eq 'green') {
                        $SOURCE = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
                        $DEV = $netsettings{'GREEN_DEV'};
+               } elsif ($configline[2] eq 'red') {
+                       $SOURCE = "$netsettings{'RED_IP'}";
+                       $DEV = "";
                } elsif ($configline[2] eq 'blue') {
                        $SOURCE = "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}";
                        $DEV = $netsettings{'BLUE_DEV'};
@@ -132,17 +148,22 @@ foreach $configentry (sort @configs)
                        @proto = ("tcp");
                } elsif ($configline[3] eq 'udp') {
                        @proto = ("udp");
+               } elsif ($configline[3] eq 'esp') {
+                       @proto = ("esp");
+               } elsif ($configline[3] eq 'gre') {
+                       @proto = ("gre");
                } else {
-                       @proto = ("tcp", "udp");
+                       @proto = ("tcp","udp");
                }
+                 
                
                foreach $PROTO (@proto) {
                        $CMD = "/sbin/iptables -A OUTGOINGFW -s $SOURCE -d $DESTINATION -p $PROTO";
        
-                       if ($configline[8]) {
+                        if ($configline[8] && $configline[3] ne 'esp' && $configline[3] ne 'gre') {
                                $DPORT = "$configline[8]";
                                $CMD = "$CMD --dport $DPORT";
-                       }
+                        }
                        
                        if ($DEV) {
                                $CMD = "$CMD -i $DEV";
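Review bot: `$DPORT` is taken from `$configline[8]` and appended to `$CMD` without validation, and `$CMD` is later handed to `system()` as one shell string, so any non-port text in the rules file reaches the shell as well as iptables; a check before the append, `warn "bad port $DPORT" and next unless $DPORT =~ /^\d+(?::\d+)?$/;`, keeps malformed entries out of both. How the rules file is written is not visible here, so this is hardening rather than a known exposure. As a point of style, the guard tests `$configline[3]` twice when the loop variable already names the protocol: `if ($configline[8] && ($PROTO eq 'tcp' || $PROTO eq 'udp'))` says the same thing directly, and the two changed guard lines are indented with spaces where the surrounding code uses tabs.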
@@ -153,13 +174,24 @@ foreach $configentry (sort @configs)
                                $CMD = "$CMD -m mac --mac-source $MAC";
                        }
                        
+                       if ($configline[17] && $configline[18]) {
+                               if ($configline[10]){$DAY = "Mon,"}
+                               if ($configline[11]){$DAY .= "Tue,"}
+                               if ($configline[12]){$DAY .= "Wed,"}
+                               if ($configline[13]){$DAY .= "Thu,"}
+                               if ($configline[14]){$DAY .= "Fri,"}
+                               if ($configline[15]){$DAY .= "Sat,"}
+                               if ($configline[16]){$DAY .= "Sun"}
+                               $CMD = "$CMD -m time --timestart $configline[17] --timestop $configline[18] --weekdays $DAY";
+                       }
+                       
                        $CMD = "$CMD -o $netsettings{'RED_DEV'}";
 
                        if ($configline[9] eq "aktiv") {
                                if ($DEBUG) {
-                                       print "$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '\n";
+                                       print "$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'\n";
                                } else {
-                                       system("$CMD -m state --state NEW -m limit --limit 10/minute -j LOG --log-prefix 'OUTGOINGFW '");
+                                       system("$CMD -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'");
                                }
                        }
                        
@@ -203,10 +235,19 @@ if ($P2PSTRING) {
 }
 
 if ( $outfwsettings{'POLICY'} eq 'MODE1' ) {
-       $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP";
+        if ( $outfwsettings{'MODE1LOG'} eq 'on' ) {
+                       $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -m limit --limit 10/minute -j LOG --log-prefix 'DROP_OUTGOINGFW'";
+               if ($DEBUG) {
+                       print "$CMD\n";
+               } else {
+                       system("$CMD");
+               }
+        }
+
+       $CMD = "/sbin/iptables -A OUTGOINGFW -o $netsettings{'RED_DEV'} -j DROP -m comment --comment 'DROP_OUTGOINGFW'";
        if ($DEBUG) {
                print "$CMD\n";
        } else {
                system("$CMD");
        }
-}
+}
\ No newline at end of file
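Review bot: The new `MODE1LOG` branch calls `system("$CMD")` without checking the return value, as does the DROP rule below it, so an iptables failure (an empty or newline-terminated `RED_DEV`, a bad option) leaves the OUTGOINGFW chain without its final DROP in MODE1 and nothing is reported; `system($CMD) == 0 or warn "iptables failed ($?): $CMD\n";` in both places makes that visible. The change also drops the trailing newline after the closing brace, which should be restored, and the inserted block mixes space and tab indentation where the rest of the file uses tabs.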