From: maniacikarus Date: Sat, 8 Mar 2008 10:03:43 +0000 (+0000) Subject: Added some FW Options for the blue interface X-Git-Tag: v2.3-beta1~156 X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=0aaef8e9a364bb7a867e9f27cda9fc72bc443bf1 Added some FW Options for the blue interface Started building of core10 git-svn-id: http://svn.ipfire.org/svn/ipfire/branches/2.1/trunk@1258 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
---
diff --git a/config/rootfiles/core/10/files b/config/rootfiles/core/10/files
new file mode 100644
index 0000000000..f8cbcdf5bd
--- /dev/null
+++ b/config/rootfiles/core/10/files
@@ -0,0 +1,3 @@
+usr/local/bin/wirelessctrl
+srv/web/ipfire/cgi-bin/optionsfw.cgi
+var/ipfire/langs
diff --git a/config/rootfiles/core/10/meta b/config/rootfiles/core/10/meta
new file mode 100644
index 0000000000..d547fa86fa
--- /dev/null
+++ b/config/rootfiles/core/10/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/10/update.sh b/config/rootfiles/core/10/update.sh
new file mode 100644
index 0000000000..35ee927e3d
--- /dev/null
+++ b/config/rootfiles/core/10/update.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+extract_files
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index cfbd10194e..ddb68e3952 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
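Review bot: update.sh carries on past a failed `extract_files` and rebuilds the language cache regardless, so a partially applied core update ends the same way as a successful one. If `extract_files` (defined in the sourced functions.sh, not visible here) reports failure through its exit status, `extract_files || exit 1` would make the failure visible to pakfire; I cannot tell from this page whether the update protocol expects the script to be fail-silent. The `backupctrl exclude` line already discards its output and presumably is meant to be best-effort, so it would stay as it is.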
@@ -78,6 +78,12 @@ $checked{'DROPWIRELESSINPUT'}{$settings{'DROPWIRELESSINPUT'}} = "checked='checke $checked{'DROPWIRELESSFORWARD'}{'off'} = ''; $checked{'DROPWIRELESSFORWARD'}{'on'} = ''; $checked{'DROPWIRELESSFORWARD'}{$settings{'DROPWIRELESSFORWARD'}} = "checked='checked'"; +$checked{'DROPPROXY'}{'off'} = ''; +$checked{'DROPPROXY'}{'on'} = ''; +$checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'"; +$checked{'DROPSAMBA'}{'off'} = ''; +$checked{'DROPSAMBA'}{'on'} = ''; +$checked{'DROPSAMBA'}{$settings{'DROPSAMBA'}} = "checked='checked'"; &Header::openbox('100%', 'center', $Lang::tr{'options fw'}); print "
"; @@ -100,6 +106,14 @@ print < off
+ + + + +
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}on / + off
$Lang::tr{'drop samba'}on / + off
+
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 9800f5c65e..25d117b161 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -657,6 +657,8 @@ 'drop newnotsyn' => 'Verworfene New Not Syn Pakete loggen', 'drop output' => 'Verworfene Output Pakete loggen', 'drop portscan' => 'Verworfene Portscan Pakete loggen', +'drop proxy' => 'Alle Pakete verwerfen die nicht direkt an den Proxy gerichtet sind', +'drop samba' => 'Alle Microsoft Pakete verwerfen, Ports 135,137,138,139,445,1025', 'drop wirelessforward' => 'Verworfene Wireless Forward Pakete loggen', 'drop wirelessinput' => 'Verworfene Wireless Input Pakete loggen', 'dst port' => 'Ziel-Port', @@ -774,6 +776,7 @@ 'from email server' => 'Von Email Server', 'from email user' => 'Von Email Benutzer', 'from warn email bad' => 'Von Email Adresse ist nicht gültig', +'fw blue' => 'Firewall Optionen für das Blaue Interface', 'fw logging' => 'Firewall Logging', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 96b3870461..aa0add61d6 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -681,6 +681,8 @@ 'drop newnotsyn' => 'Log dropped New Not Syn pakets', 'drop output' => 'Log dropped Output pakets', 'drop portscan' => 'Log dropped Portscan pakets', +'drop proxy' => 'Drop all packets not addressed to proxy', +'drop samba' => 'Drop all Microsoft Ports 135,137,138,139,445,1025', 'drop wirelessforward' => 'Log dropped wireless Forward pakets', 'drop wirelessinput' => 'Log dropped wireless Input pakets', 'dst port' => 'Dst Port', @@ -798,6 +800,7 @@ 'from email server' => 'From Email server', 'from email user' => 'From Email user', 'from warn email bad' => 'From email address is not valid', +'fw blue' => 'Firewall options for blue interface', 'fw logging' => 'Firewall logging', 'g.dtm' => 'TO BE REMOVED', 'g.lite' => 'TO BE REMOVED', 
diff --git a/src/misc-progs/wirelessctrl.c b/src/misc-progs/wirelessctrl.c
index ad76cfb8b6..4dd569b357 100644
--- a/src/misc-progs/wirelessctrl.c
+++ b/src/misc-progs/wirelessctrl.c
@@ -27,141 +27,168 @@ char command[STRING_SIZE]; void exithandler(void) { - /* added comment mark to the drop rules to be able to collect the bytes by the collectd */ - if(strlen(blue_dev)) - { - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev); - safe_system(command); - } - - if (fd) - fclose(fd); + /* added comment mark to the drop rules to be able to collect the bytes by the collectd */ + if(strlen(blue_dev)) + { + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev); + safe_system(command); + } + + if (fd) + fclose(fd); } int main(void) { - char green_dev[STRING_SIZE] = ""; - char buffer[STRING_SIZE]; - char *index, *ipaddress, *macaddress, *enabled; - struct keyvalue *kv = NULL; - - if (!(initsetuid())) - exit(1); - - /* flush wireless iptables */ - safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null"); - safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null"); - - memset(buffer, 0, STRING_SIZE); - - /* Init the keyvalue structure */ - kv=initkeyvalues(); - - /* Read in the current values */ - if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) - { - fprintf(stderr, "Cannot read ethernet settings\n"); - exit(1); - } - - /* Read in the firewall values */ - if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) - { - fprintf(stderr, "Cannot read optionsfw settings\n"); - exit(1); - } - - /* Get the GREEN interface details */ - if(!findkey(kv, "GREEN_DEV", green_dev)) - { - fprintf(stderr, "Cannot read GREEN_DEV\n"); - exit(1); - } 
- if (!VALID_DEVICE(green_dev)) - { - fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev); - exit(1); - } - /* Get the BLUE interface details */ - if(!findkey(kv, "BLUE_DEV", blue_dev)) - { - fprintf(stderr, "Cannot read BLUE_DEV\n"); - exit(1); - } - if (strlen(blue_dev) && !VALID_DEVICE(blue_dev)) - { - fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev); - exit(1); - } - if(! strlen(blue_dev) > 0) - { - fprintf(stderr, "No BLUE interface\n"); - exit(0); - } - - /* with this rule you can disable the logging of the dropped wireless input packets*/ - if(!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off")){ - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev); - safe_system(command); - } - /* with this rule you can disable the logging of the dropped wireless forward packets*/ - if(!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off")){ - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev); - safe_system(command); - } - - /* register exit handler to ensure the block rule is always present */ - atexit(exithandler); - - if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r"))) - { - exit(0); - } - while (fgets(buffer, STRING_SIZE, fd)) - { - buffer[strlen(buffer) - 1] = 0; - - index = strtok(buffer, ","); - ipaddress = strtok(NULL, ","); - macaddress = strtok(NULL, ","); - enabled = strtok(NULL, ","); - - if (!strncmp(enabled, "on", 2)) { - - /* both specified, added security */ - if ((strlen(macaddress) == 17) && - (VALID_IP(ipaddress))) { - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -o ! 
%s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev); - safe_system(command); - } else { - - /* correctly formed mac address is 17 chars */ - if (strlen(macaddress) == 17) { - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -o ! %s -j ACCEPT", macaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev); - safe_system(command); - } - - if (VALID_IP(ipaddress)) { - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -o ! 
%s -j ACCEPT", ipaddress, blue_dev, green_dev); - safe_system(command); - snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev); - safe_system(command); - } - } - } - } - - return 0; + char green_dev[STRING_SIZE] = ""; + char buffer[STRING_SIZE]; + char *index, *ipaddress, *macaddress, *enabled; + struct keyvalue *kv = NULL; + + if (!(initsetuid())) + exit(1); + + /* flush wireless iptables */ + safe_system("/sbin/iptables -F WIRELESSINPUT > /dev/null 2> /dev/null"); + safe_system("/sbin/iptables -F WIRELESSFORWARD > /dev/null 2> /dev/null"); + + memset(buffer, 0, STRING_SIZE); + + /* Init the keyvalue structure */ + kv=initkeyvalues(); + + /* Read in the current values */ + if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings")) + { + fprintf(stderr, "Cannot read ethernet settings\n"); + exit(1); + } + + /* Read in the firewall values */ + if (!readkeyvalues(kv, CONFIG_ROOT "/optionsfw/settings")) + { + fprintf(stderr, "Cannot read optionsfw settings\n"); + exit(1); + } + + /* Get the GREEN interface details */ + if(!findkey(kv, "GREEN_DEV", green_dev)) + { + fprintf(stderr, "Cannot read GREEN_DEV\n"); + exit(1); + } + if (!VALID_DEVICE(green_dev)) + { + fprintf(stderr, "Bad GREEN_DEV: %s\n", green_dev); + exit(1); + } + /* Get the BLUE interface details */ + if(!findkey(kv, "BLUE_DEV", blue_dev)) + { + fprintf(stderr, "Cannot read BLUE_DEV\n"); + exit(1); + } + if (strlen(blue_dev) && !VALID_DEVICE(blue_dev)) + { + fprintf(stderr, "Bad BLUE_DEV: %s\n", blue_dev); + exit(1); + } + if(! 
strlen(blue_dev) > 0) + { + fprintf(stderr, "No BLUE interface\n"); + exit(0); + } + + /* register exit handler to ensure the block rule is always present */ + atexit(exithandler); + + if (!(fd = fopen(CONFIG_ROOT "/wireless/config", "r"))) + { + exit(0); + } + + /* restrict blue access tp the proxy port */ + if(findkey(kv, "DROPPROXY", buffer) && strcmp(buffer,"on")){ + /* Read the proxy values */ + if (!readkeyvalues(kv, CONFIG_ROOT "/proxy/settings") || !(findkey(kv, "PROXY_PORT", buffer))) + { + fprintf(stderr, "Cannot read proxy settings\n"); + exit(1); + } + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessforward'", buffer, blue_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp ! --dport %s -j DROP -m comment --comment 'DROP_Wirelessinput'", buffer, blue_dev); + safe_system(command); + } + + /* not allow blue to acces a samba server running on local fire*/ + if(findkey(kv, "DROPSAMBA", buffer) && strcmp(buffer,"on")){ + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p tcp -m multiport --dport 135,137,138,139,445,1025-j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p tcp -m multiport --dport 135,137,,138139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -p udp -m multiport --dport 135,137,138,139,445,1025-j DROP -m comment --comment 'DROP_Wirelessforward'", blue_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -p udp -m multiport --dport 135,137,138,139,445,1025 -j DROP -m comment --comment 'DROP_Wirelessinput'", blue_dev); + safe_system(command); + } + + while (fgets(buffer, STRING_SIZE, fd)) + { 
+ buffer[strlen(buffer) - 1] = 0; + + index = strtok(buffer, ","); + ipaddress = strtok(NULL, ","); + macaddress = strtok(NULL, ","); + enabled = strtok(NULL, ","); + + if (!strncmp(enabled, "on", 2)) { + + /* both specified, added security */ + if ((strlen(macaddress) == 17) && + (VALID_IP(ipaddress))) { + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -s %s -i %s -j ACCEPT", macaddress, ipaddress, blue_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -o ! %s -j ACCEPT", macaddress, ipaddress, blue_dev, green_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -s %s -i %s -j DMZHOLES", macaddress, ipaddress, blue_dev); + safe_system(command); + } else { + + /* correctly formed mac address is 17 chars */ + if (strlen(macaddress) == 17) { + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -m mac --mac-source %s -i %s -j ACCEPT", macaddress, blue_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -o ! %s -j ACCEPT", macaddress, blue_dev, green_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -m mac --mac-source %s -i %s -j DMZHOLES", macaddress, blue_dev); + safe_system(command); + } + + if (VALID_IP(ipaddress)) { + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -s %s -i %s -j ACCEPT", ipaddress, blue_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -o ! 
%s -j ACCEPT", ipaddress, blue_dev, green_dev); + safe_system(command); + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -s %s -i %s -j DMZHOLES", ipaddress, blue_dev); + safe_system(command); + } + } + } + } + + /* with this rule you can disable the logging of the dropped wireless input packets*/ + if(!findkey(kv, "DROPWIRELESSINPUT", buffer) || strcmp(buffer,"off")){ + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSINPUT -i %s -j LOG --log-prefix 'DROP_Wirelessinput'", blue_dev); + safe_system(command); + } + /* with this rule you can disable the logging of the dropped wireless forward packets*/ + if(!findkey(kv, "DROPWIRELESSFORWARD", buffer) || strcmp(buffer,"off")){ + snprintf(command, STRING_SIZE-1, "/sbin/iptables -A WIRELESSFORWARD -i %s -j LOG --log-prefix 'DROP_Wirelessforward'", blue_dev); + safe_system(command); + } + + return 0; }