X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Ffirewall%2Fconvert-outgoingfw;h=c917f8438491b243f2c99866b084fe4be301a26e;hp=0d7f7d3dd6f12d4b2ef06756acd38bb72c56cde0;hb=0faf9c7869cfca07dc51f297ba8f7b16623c3469;hpb=0fc392d65d513df573573dec57ccf06af2c29a9f diff --git a/config/firewall/convert-outgoingfw b/config/firewall/convert-outgoingfw index 0d7f7d3dd6..c917f84384 100755 --- a/config/firewall/convert-outgoingfw +++ b/config/firewall/convert-outgoingfw @@ -28,6 +28,7 @@ ############################################################################### require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/lang.pl"; use Socket; use File::Path; @@ -47,8 +48,8 @@ my $ccdconfig = "${General::swroot}/ovpn/ccd.conf"; my $fwdfwconfig = "${General::swroot}/firewall/config"; my $outfwconfig = "${General::swroot}/firewall/outgoing"; my $fwdfwsettings = "${General::swroot}/firewall/settings"; -my @ipgroups = qx(ls $ipgrouppath); -my @macgroups = qx(ls $macgrouppath); +my @ipgroups = qx(ls $ipgrouppath 2>/dev/null); +my @macgroups = qx(ls $macgrouppath 2>/dev/null); my @hostarray=(); my %outsettings=(); my %hosts=(); 
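Review bot: The `2>/dev/null` added to the two `qx(ls ...)` lines silences a missing or unreadable group directory, so the converter then proceeds with an empty `@ipgroups`/`@macgroups` and nothing in the log distinguishes "no groups" from "could not read the directory". Listing the directory from Perl avoids the shell round-trip over an interpolated path and gives a failure you can act on: `opendir(my $dh, $ipgrouppath) or die "Cannot read $ipgrouppath: $!";` followed by `my @ipgroups = grep { !/^\./ } readdir $dh;`, and the same for `$macgrouppath`; if an absent directory is a legitimate state on some installs, log it and continue instead of dying. The existing `chomp $group` in process_groups stays harmless on readdir output.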
@@ -62,16 +63,43 @@ my %fwconfigout=(); my %fwdsettings=(); my %ownnet=(); my %ovpnSettings = (); +my @active= ('Aktiv', 'aktiv', 'Active', 'Activo', 'Actif', 'Actief', 'Aktywne', 'Активен', 'Aktif'); &General::readhash("${General::swroot}/ovpn/settings", \%ovpnSettings); -&General::readhash($outfwsettings,\%outsettings); &General::readhash("${General::swroot}/ethernet/settings", \%ownnet); + +if (-e "$outfwsettings") { + &General::readhash($outfwsettings,\%outsettings); +} +else +{ + print "Config file for outgoing-firewall not found. Exiting!\n"; + exit(1); +} + +if (! -s "$outfwsettings") { + print "Empty DMZ configuration file. Nothing to do. Exiting...\n"; + #Fill the firewall settings file + open (SETTINGS, ">/var/ipfire/firewall/settings"); + print SETTINGS "POLICY=MODE2\n"; + print SETTINGS "POLICY1=MODE2\n"; + close (SETTINGS); + exit(0); +} + #ONLY RUN if /var/ipfire/outgoing exists if ( -d "/var/ipfire/outgoing"){ &process_groups; &process_rules; &process_p2p; } +else +{ + print "/var/ipfire/outgoing not found. Exiting!\n"; + exit 1 +} + system("/usr/local/bin/firewallctrl"); + sub process_groups { if(! -d "/var/log/converters"){ mkdir("/var/log/converters");} @@ -108,7 +136,7 @@ sub process_groups foreach my $group (@macgroups){ chomp $group; print LOG "\nProcessing MAC-GROUP: $group...\n"; - open (DATEI, "<$macgrouppath/$group"); + open (DATEI, "<$macgrouppath/$group") or die 'Unable to open config file.'; my @zeilen = ; foreach my $mac (@zeilen){ chomp($mac); @@ -163,6 +191,7 @@ sub new_hostgrp my $name; #"converted" my $name2; my $name3; #custom host/custom net + my $mac2; foreach my $adr (@hostarray){ if($run eq 'ip'){ my ($ip,$type) = split(",",$adr); 
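Review bot: The settings file written in the empty-config branch is opened with an unchecked two-argument `open` on a bareword handle, so a failed open or a buffered write error surfacing at `close` is lost and the script still exits 0 while the firewall settings file may be missing its `POLICY` lines. A three-argument open on a lexical handle with checked `open`/`close` reports the failure, and `$fwdfwsettings` already holds that path, so the literal `/var/ipfire/firewall/settings` need not be repeated. The message in that branch says "Empty DMZ configuration file" although the file being tested is `$outfwsettings`, and the return value of `system("/usr/local/bin/firewallctrl")` further down is likewise not checked.
```perl
if (! -s "$outfwsettings") {
    # … unchanged: "Nothing to do" message …
    # Fill the firewall settings file; open and close are checked so a write
    # failure does not end in exit(0) with an incomplete settings file.
    open(my $settings, '>', $fwdfwsettings)
        or die "Unable to write $fwdfwsettings: $!";
    print {$settings} "POLICY=MODE2\n";
    print {$settings} "POLICY1=MODE2\n";
    close($settings) or die "Unable to close $fwdfwsettings: $!";
    exit(0);
}
```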
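Review bot: The new `or die 'Unable to open config file.'` on the MAC-group open names neither the file nor the reason, so a failure during conversion leaves the operator guessing which of the files listed from `$macgrouppath` could not be read. Since `$group` comes straight from the `ls` output, the three-argument form with the name and `$!` in the message is both clearer and safer: `open (DATEI, '<', "$macgrouppath/$group") or die "Unable to open $macgrouppath/$group: $!";`. process_groups begins outside this hunk.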
@@ -179,17 +208,11 @@ sub new_hostgrp $hosts{$key}[1] = $type; $hosts{$key}[2] = $ip; $hosts{$key}[3] = ''; - $hosts{$key}[4] = 1; print LOG "->Host (IP) $ip added to custom hosts\n" }else{ print LOG "->Host (IP) $ip already exists in custom hosts\n"; $name="host "; $name2=$name.$ippart; - foreach my $key (sort keys %hosts){ - if($hosts{$key}[0] eq $name2){ - $hosts{$key}[4]++; - } - } $name="host "; $name2=$name.$ippart; $name3="Custom Host"; @@ -227,18 +250,12 @@ sub new_hostgrp $nets{$netkey}[1] = $ippart; $nets{$netkey}[2] = $subnet; $nets{$netkey}[3] = ''; - $nets{$netkey}[4] = 1; print LOG "->Network $ippart/$subnet added to custom networks\n"; } }else{ print LOG "Network $ippart already exists in custom networks\n"; $name="net "; $name2=$name.$ippart; - foreach my $key (sort keys %nets){ - if($nets{$key}[0] eq $name2){ - $nets{$key}[4]++; - } - } $name="net "; $name2=$name.$ippart; $name3="Custom Network"; 
@@ -250,35 +267,29 @@ sub new_hostgrp $groups{$grpkey}[1] = ''; $groups{$grpkey}[2] = $name2; $groups{$grpkey}[3] = $name3; - $groups{$grpkey}[4] = 0; print LOG "->$name2 added to group $grp\n"; } }elsif($run eq 'mac'){ #MACRUN - my ($mac,$type) = split(",",$adr); + my ($mac,$type) = split(",",$adr); print LOG "Processing HOST (MAC) $mac\n"; if(!&check_host($mac)){ - my $key = &General::findhasharraykey(\%hosts); + my $key = &General::findhasharraykey(\%hosts); $name="host "; - $name2=$name.$mac; + $mac2=$mac; + $mac2 =~ s/:/-/g; + $name2=$name.$mac2; $name3="Custom Host"; $hosts{$key}[0] = $name2; $hosts{$key}[1] = $type; $hosts{$key}[2] = $mac; - $hosts{$key}[3] = ''; - $hosts{$key}[4] = 1; print LOG "->Host (MAC) $mac added to custom hosts\n"; }else{ + $mac2=mac; + $mac2 =~ s/:/-/g; print LOG "->Host (MAC) $mac already exists in custom hosts \n"; $name="host "; - $name2=$name.$mac; - foreach my $key (sort keys %hosts){ - if($hosts{$key}[0] eq $name2){ - $hosts{$key}[4]++; - } - } - $name="host "; - $name2=$name.$mac; + $name2=$name.$mac2; $name3="Custom Host"; } if($name2 && !&check_grp($grp,$name2)){ @@ -287,7 +298,6 @@ sub new_hostgrp $groups{$grpkey}[1] = ''; $groups{$grpkey}[2] = $name2; $groups{$grpkey}[3] = $name3; - $groups{$grpkey}[4] = 0; print LOG "->$name2 added to group $grp\n"; } } @@ -360,6 +370,8 @@ sub process_rules my @lines = ; foreach my $rule (@lines) { + &General::readhasharray($fwdfwconfig,\%fwconfig); + &General::readhasharray($outfwconfig,\%fwconfigout); my $now=localtime; chomp($rule); $port=''; 
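Review bot: `$mac2=mac;` in the else branch of the MAC run assigns the bareword `mac`, not `$mac`, so for a MAC host that already exists `$name2` becomes `host mac` and that string is what is looked up and added to the group instead of the real host name; under `use strict` the line would not compile at all. It should read `$mac2=$mac;`, matching the new-host branch a few lines above. That new-host branch also no longer sets `$hosts{$key}[3]` while the IP branch earlier in new_hostgrp still sets it to `''`; if writehasharray serializes by index, the MAC entry may come out with an undefined field there — worth confirming. new_hostgrp begins and ends outside this hunk.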
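Review bot: Moving both `readhasharray` calls to the top of the per-rule loop re-reads the forward and outgoing config files for every line of the old rule file, and with the `writehasharray` calls moved into the per-protocol branches (hunks @@ -583 and @@ -612) every converted rule now costs a full read and a full rewrite of the file it lands in. Nothing in the diff suggests another process modifies those files while the converter runs, so reading once before the loop and writing once after it would do the same work with far less I/O and would not leave a half-updated config behind if the script dies mid-loop. If the per-rule re-read is needed because readhasharray does not merge with the in-memory hash, a comment such as `# re-read: readhasharray replaces the hash, and earlier rules were already written back` would make that explicit. process_rules begins and ends outside this hunk.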
@@ -382,7 +394,12 @@ sub process_rules $configline[4] =~ s/,/;/g; $remark = $configline[4]; }else{$remark = '';} - if($configline[9] eq 'Active'){ $log='ON';}else{$log='';} + #find all "active" tags in all language files and check them against the old config + my $logging='0'; + foreach (@active){ + $logging='1' if ($_ eq $configline[9]); + } + if($logging eq '1' ){ $log='ON';}else{$log='';} if($configline[10] eq 'on' && $configline[11] eq 'on' && $configline[12] eq 'on' && $configline[13] eq 'on' && $configline[14] eq 'on' && $configline[15] eq 'on' && $configline[16] eq 'on'){ if($configline[17] eq '00:00' && $configline[18] eq '00:00'){ $time=''; @@ -410,8 +427,8 @@ sub process_rules $grp1='std_net_src'; $source='ORANGE'; }elsif ($configline[2] eq 'red') { - $grp1='std_net_src'; - $source='IPFire'; + $grp1='ipfire_src'; + $source='RED1'; &General::readhash($fwdfwsettings,\%fwdsettings); $fwdsettings{'POLICY1'}=$outsettings{'POLICY'}; $fwdsettings{'POLICY'}=$outsettings{'POLICY'}; @@ -462,7 +479,7 @@ sub process_rules } ############################################################ #destinationpart - if($configline[7] ne ''){ + if($configline[7] ne '' && $configline[7] ne '0.0.0.0'){ my $address=&check_ip($configline[7]); if($address){ my ($dip,$dsub) = split("/",$address); 
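Review bot: The `foreach (@active)` scan over the translation list can be a direct lookup, and the comment above it says "find all active tags in all language files" although the code consults only the literal `@active` array declared at file scope. A hash built once, `my %is_active = map { $_ => 1 } @active;`, lets the line become `$log = $is_active{$configline[9]} ? 'ON' : '';`, and the comment should say that `@active` is the set of translations of "active" known when this converter was written. Matching the old rule's logging flag against localized words is inherently brittle — a translation missing from the list silently turns logging off for that rule — so a log line for the unmatched case would help operators notice. process_rules begins and ends outside this hunk.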
@@ -517,43 +534,28 @@ sub process_rules }else{ print LOG "-> Rule not converted because not for Firewall mode $outsettings{'POLICY'} (we are only converting for actual mode)\n"; } - &General::readhasharray($fwdfwconfig,\%fwconfig); - &General::readhasharray($outfwconfig,\%fwconfigout); my $check; my $chain; foreach my $protocol (@prot){ my $now=localtime; - if ($source eq 'IPFire'){ + if ($source eq 'RED1'){ $chain='OUTGOINGFW'; }else{ $chain='FORWARDFW'; } $protocol=uc($protocol); - print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; + print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,$protocol,,,$useport,,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n"; #Put rules into system.... ########################### #check for double rules foreach my $key (sort keys %fwconfig){ - if("$action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" - eq "$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],,,,,$fwconfig{$key}[11],$fwconfig{$key}[12],,$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){ + if("$action,$chain,$active,$grp1,$source,$grp2,$target,$protocol,$useport,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to" + eq 
"$fwconfig{$key}[0],$fwconfig{$key}[1],$fwconfig{$key}[2],$fwconfig{$key}[3],$fwconfig{$key}[4],$fwconfig{$key}[5],$fwconfig{$key}[6],$fwconfig{$key}[8],$fwconfig{$key}[11],$fwconfig{$key}[14],$fwconfig{$key}[15],$fwconfig{$key}[16],$fwconfig{$key}[17],$fwconfig{$key}[18],$fwconfig{$key}[19],$fwconfig{$key}[20],$fwconfig{$key}[21],$fwconfig{$key}[22],$fwconfig{$key}[23],$fwconfig{$key}[24],$fwconfig{$key}[25],$fwconfig{$key}[26],$fwconfig{$key}[27]"){ $check='on'; next; } } if($check ne 'on'){ - #increase groupcounter - my $check1; - if($grp1 eq 'cust_grp_src'){ - foreach my $key (sort keys %groups){ - if($groups{$key}[0] eq $source){ - $groups{$key}[4]++; - $check1='on'; - } - } - if($check1 eq 'on'){ - &General::writehasharray($configgroups,\%groups); - } - } if ($chain eq 'FORWARDFW'){ my $key = &General::findhasharraykey(\%fwconfig); $fwconfig{$key}[0] = $action; @@ -563,8 +565,8 @@ sub process_rules $fwconfig{$key}[4] = $source; $fwconfig{$key}[5] = $grp2; $fwconfig{$key}[6] = $target; + $fwconfig{$key}[8] = $protocol; $fwconfig{$key}[11] = $useport; - $fwconfig{$key}[12] = $protocol; $fwconfig{$key}[14] = $grp3; $fwconfig{$key}[15] = $port; $fwconfig{$key}[16] = $remark; @@ -583,6 +585,7 @@ sub process_rules $fwconfig{$key}[29] = 'ALL'; $fwconfig{$key}[30] = ''; $fwconfig{$key}[31] = 'dnat'; + &General::writehasharray($fwdfwconfig,\%fwconfig); }else{ my $key = &General::findhasharraykey(\%fwconfigout); $fwconfigout{$key}[0] = $action; @@ -592,8 +595,8 @@ sub process_rules $fwconfigout{$key}[4] = $source; $fwconfigout{$key}[5] = $grp2; $fwconfigout{$key}[6] = $target; + $fwconfigout{$key}[8] = $protocol; $fwconfigout{$key}[11] = $useport; - $fwconfigout{$key}[12] = $protocol; $fwconfigout{$key}[14] = $grp3; $fwconfigout{$key}[15] = $port; $fwconfigout{$key}[16] = $remark; 
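Review bot: The duplicate-rule check in the protocol loop compares the new rule only against `%fwconfig`, but when `$chain` is `OUTGOINGFW` the rule is stored in `%fwconfigout`, so re-running the converter appends the same OUTGOINGFW rule again while FORWARDFW rules are de-duplicated. The comparison should iterate over the hash the branch below writes to, e.g. `my $cfg = $chain eq 'FORWARDFW' ? \%fwconfig : \%fwconfigout;` and `foreach my $key (sort keys %$cfg)` with `$cfg->{$key}[N]` in the joined string. `$check` is declared once per rule before the protocol loop and, as far as the hunk shows, never cleared between protocols, so after a TCP duplicate is found the UDP variant of the same rule is skipped too; declaring `my $check = '';` inside the protocol loop (and using `last` rather than `next` once a match is found) pins that down. process_rules begins and ends outside this hunk.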
@@ -612,9 +615,8 @@ sub process_rules $fwconfigout{$key}[29] = 'ALL'; $fwconfigout{$key}[30] = ''; $fwconfigout{$key}[31] = 'dnat'; + &General::writehasharray($outfwconfig,\%fwconfigout); } - &General::writehasharray($fwdfwconfig,\%fwconfig); - &General::writehasharray($outfwconfig,\%fwconfigout); } } @prot=(); @@ -675,7 +677,6 @@ sub build_ovpn_grp $nets{$netkey}[1] = $net; $nets{$netkey}[2] = $subnet; $nets{$netkey}[3] = ''; - $nets{$netkey}[4] = 1; print LOG "$now ->added $name2 $net/$subnet to customnetworks\n"; }else{ print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n"; @@ -686,7 +687,6 @@ sub build_ovpn_grp $groups{$grpkey}[1] = ''; $groups{$grpkey}[2] = $name2; $groups{$grpkey}[3] = "Custom Network"; - $groups{$grpkey}[4] = 0; print LOG "$now ->added $name2 to customgroup ovpn\n"; } $name2=''; @@ -700,5 +700,5 @@ sub build_ovpn_grp sub process_p2p { copy("/var/ipfire/outgoing/p2protocols","/var/ipfire/firewall/p2protocols"); - chmod oct('0777'), '/var/ipfire/firewall/p2protocols'; + chown 99, 99, '/var/ipfire/firewall/p2protocols'; }
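Review bot: `chown 99, 99, ...` replaces the world-writable mode with a fixed numeric owner, but neither the `copy` on the line above nor the `chown` checks its return value, so a missing source file or a failed ownership change passes silently and `firewallctrl` runs against whatever is (or is not) at the destination. Check both: `copy('/var/ipfire/outgoing/p2protocols', '/var/ipfire/firewall/p2protocols') or die "copy p2protocols: $!";` and `chown(99, 99, '/var/ipfire/firewall/p2protocols') or die "chown p2protocols: $!";`. Deriving the id from the account meant to own the file, `(getpwnam('<account>'))[2]`, rather than the literal 99 would make the intent visible and survive a uid change. With the `chmod` gone the file keeps whatever mode `copy` produced under the current umask — confirm that is what the consumer of `p2protocols` expects.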