1 #!/usr/bin/perl
2
3 ###############################################################################
4 # #
5 # IPFire.org - A linux based firewall #
6 # Copyright (C) 2013 #
7 # #
8 # This program is free software: you can redistribute it and/or modify #
9 # it under the terms of the GNU General Public License as published by #
10 # the Free Software Foundation, either version 3 of the License, or #
11 # (at your option) any later version. #
12 # #
13 # This program is distributed in the hope that it will be useful, #
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
16 # GNU General Public License for more details. #
17 # #
18 # You should have received a copy of the GNU General Public License #
19 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
20 # #
21 ###############################################################################
22 # Author: Alexander Marx (amarx@ipfire.org) #
23 ###############################################################################
24 # #
25 # This script converts old dmz holes rules from old firewall #
26 # to the new one. This is a 2-step process. #
27 # STEP1: read old config and normalize settings #
28 # STEP2: check valid ip and save valid rules to new firewall #
29 # #
30 ###############################################################################
###############################################################################
# File-scoped state. process_rules and check_ip (below) close over these,
# so they must stay at file scope.
###############################################################################
my @current     = ();   # lines of the old dmzholes config, one rule per line
my @alias       = ();   # not referenced elsewhere in this script
my %configdmz   = ();   # not referenced elsewhere in this script
my %ifaces      = ();   # ethernet settings: <ZONE>_NETADDRESS / <ZONE>_NETMASK
my %configfwdfw = ();   # forward firewall rules, keyed by hasharray key

require '/var/ipfire/general-functions.pl';

# Config paths, all below the IPFire config root.
my $dmzconfig     = "${General::swroot}/dmzholes/config";
my $fwdfwconfig   = "${General::swroot}/forward/config";
my $ifacesettings = "${General::swroot}/ethernet/settings";

# Column values of a converted forward rule. Columns that are the same for
# every converted dmz hole are fixed here; the empty ones are filled in per
# rule by process_rules.
my $field0  = 'ACCEPT';
my $field1  = 'FORWARDFW';
my $field2  = '';                 # 'ON' when the old rule was enabled, else empty
my $field3  = '';                 # std_net_src or src_addr
my $field4  = '';                 # zone name (ORANGE/BLUE) or ip/mask
my $field5  = '';                 # std_net_tgt or tgt_addr
my $field6  = '';                 # zone name (GREEN/BLUE) or ip/mask
my $field11 = 'ON';               # use target port
my $field12 = '';                 # TCP or UDP
my $field13 = 'All ICMP-Types';
my $field14 = 'TGT_PORT';
my $field15 = '';                 # port number or x:y range
my $field16 = '';                 # remark
my $field26 = '00:00';
my $field27 = '00:00';
my $field28 = '';                 # left empty; column meaning not documented here
my $field29 = 'ALL';
my $field30 = '';                 # left empty; column meaning not documented here
my $field31 = 'dnat';
59
60
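# Read the old dmzholes config in one go (one rule per line) and open the
# conversion log. Three-argument open is used so the path can never be
# interpreted as a mode. FILE and LOG stay bareword handles because
# process_rules prints to LOG and closes it itself.
open(FILE, '<', $dmzconfig) or die "Unable to open config file $dmzconfig: $!";
@current = <FILE>;
close(FILE);
#open LOGFILE
open (LOG, '>', "/var/log/converters/dmz-convert.log") or die "Unable to open logfile: $!";
# Zone addresses/masks are needed to decide whether an old rule's address
# belongs to the zone it names; the existing forward rules are loaded so the
# converted ones are appended rather than replacing them.
&General::readhash($ifacesettings, \%ifaces);
&General::readhasharray($fwdfwconfig,\%configfwdfw);
process_rules();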
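###############################################################################
# process_rules
#
# Converts each line of the old dmzholes config (@current, read by the
# caller) into one rule of the new forward firewall config (%configfwdfw)
# and writes the result to $fwdfwconfig via General::writehasharray.
#
# Old line layout, comma separated:
#   protocol, source ip, target ip, port (or x-y range), enabled flag,
#   source network name, target network name, remark
#
# A line is logged and skipped when
#   - the source or target address does not normalise to a valid ip/mask,
#   - the address is not inside the zone the old rule names
#     (orange/blue for sources, green/blue for targets), or
#   - the protocol is neither TCP nor UDP (the only values column 12 of the
#     new rule takes for these rules).
#
# Every decision is written to LOG (opened by the caller); LOG is closed
# here before returning. The file-scoped $fieldN values supply the constant
# columns of the new rule.
###############################################################################
sub process_rules{
	foreach my $line (@current){
		#blank lines carry no rule
		next if $line !~ /\S/;
		my $now=localtime;
		#get values from old configfile; missing trailing fields become ''
		#so a short line cannot leave undefined values in the new rule
		my ($proto,$src,$tgt,$port,$enabled,$srcnet,$tgtnet,$remark)
			= map { defined $_ ? $_ : '' } (split (",",$line))[0..7];
		$remark =~ s/\s*\n//gi;
		print LOG "$now Processing A: $proto B: $src C: $tgt D: $port E: $enabled F: $srcnet G: $tgtnet H: $remark\n";
		#Now convert values and check ip addresses
		$proto=uc($proto);
		$enabled=uc($enabled);
		#$field2 is file-scoped, so it has to be decided afresh for every
		#rule; only setting it when the flag is ON would let a disabled rule
		#that follows an enabled one be converted as enabled
		$field2 = ($enabled eq 'ON') ? 'ON' : '';
		#SOURCE IP-check
		$src=&check_ip($src);
		if (&General::validipandmask($src)){
			#When ip valid, check if we have a network
			my ($ip,$subnet) = split ("/",$src);
			if ($srcnet eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
				$field3='std_net_src';
				$field4='ORANGE';
			}elsif($srcnet eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
				$field3='std_net_src';
				$field4='BLUE';
			}elsif($srcnet eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
				$field3='src_addr';
				$field4=$src;
			}elsif($srcnet eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
				$field3='src_addr';
				$field4=$src;
			}else{
				print LOG "$now ->NOT Converted, source ip $src not part of source network $srcnet \n\n";
				next;
			}
		}else{
			print LOG "$now -> SOURCE IP INVALID. \n\n";
			next;
		}
		#TARGET IP-check
		$tgt=&check_ip($tgt);
		if (&General::validipandmask($tgt)){
			#When ip valid, check if we have a network
			my ($ip,$subnet) = split ("/",$tgt);
			if ($tgtnet eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
				$field5='std_net_tgt';
				$field6='GREEN';
			}elsif($tgtnet eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
				$field5='std_net_tgt';
				$field6='BLUE';
			}elsif($tgtnet eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
				$field5='tgt_addr';
				$field6=$tgt;
			}elsif($tgtnet eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
				$field5='tgt_addr';
				$field6=$tgt;
			}else{
				print LOG "$now ->NOT Converted, target ip $tgt not part of target network $tgtnet \n\n";
				next;
			}
		}else{
			print LOG "$now -> TARGET IP INVALID. \n\n";
			next;
		}
		#PROTOCOL-check: column 12 of the new rule expects TCP or UDP;
		#anything else from the old file would otherwise be stored unchecked
		unless ($proto eq 'TCP' || $proto eq 'UDP'){
			print LOG "$now ->NOT Converted, unknown protocol $proto \n\n";
			next;
		}
		$field12=$proto;
		#convert portrange (old x-y becomes x:y)
		$port =~ tr/-/:/;
		$field15=$port;
		$field16=$remark;
		#allocate a fresh key and pre-fill every column the new format uses
		#(0..31) so no slot is left undefined; only the non-empty columns
		#are assigned below
		my $key = &General::findhasharraykey (\%configfwdfw);
		foreach my $i (0 .. 31) { $configfwdfw{$key}[$i] = "";}
		$configfwdfw{$key}[0]  = $field0;
		$configfwdfw{$key}[1]  = $field1;
		$configfwdfw{$key}[2]  = $field2;
		$configfwdfw{$key}[3]  = $field3;
		$configfwdfw{$key}[4]  = $field4;
		$configfwdfw{$key}[5]  = $field5;
		$configfwdfw{$key}[6]  = $field6;
		$configfwdfw{$key}[11] = $field11;
		$configfwdfw{$key}[12] = $field12;
		$configfwdfw{$key}[13] = $field13;
		$configfwdfw{$key}[14] = $field14;
		$configfwdfw{$key}[15] = $field15;
		$configfwdfw{$key}[16] = $field16;
		$configfwdfw{$key}[26] = $field26;
		$configfwdfw{$key}[27] = $field27;
		$configfwdfw{$key}[28] = $field28;
		$configfwdfw{$key}[29] = $field29;
		$configfwdfw{$key}[30] = $field30;
		$configfwdfw{$key}[31] = $field31;
		print LOG "$now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
	}
	&General::writehasharray($fwdfwconfig,\%configfwdfw);
	close (LOG);
}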
175
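###############################################################################
# check_ip
#
# Normalises an address string from the old dmzholes config into the
# "ip/dotted-netmask" form used by the new firewall config.
#
# Accepted inputs:
#   a.b.c.d/NN  - CIDR prefix; the octets are renumbered with int() (drops
#                 leading zeros) and the prefix is turned into a dotted mask
#                 by General::iporsubtodec
#   a.b.c.d     - bare host address; validated with General::validip and
#                 returned as a.b.c.d/32
#   anything else General::validipandmask accepts is passed through
#   General::iporsubtodec unchanged (presumably ip/dotted-mask; confirm
#   against general-functions.pl)
#
# Returns the normalised string, or undef when nothing matched. The caller
# must still validate the result (it does, with validipandmask); this sub
# only normalises.
###############################################################################
sub check_ip
{
	my $adr=shift;
	my $result;
	return $result unless defined $adr;
	#ip with subnet in decimal - the dots must be literal; an unescaped '.'
	#would let any character separate the octets
	if($adr =~ m/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/){
		my ($o1,$o2,$o3,$o4,$prefix) = ($1,$2,$3,$4,$5);
		$adr=int($o1).".".int($o2).".".int($o3).".".int($o4);
		my $mask = &General::iporsubtodec($prefix);
		$result=$adr."/".$mask;
	}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
		my ($o1,$o2,$o3,$o4) = ($1,$2,$3,$4);
		$adr=int($o1).".".int($o2).".".int($o3).".".int($o4);
		if(&General::validip($adr)){
			$result=$adr."/32";
		}
	}
	#NOTE(review): after the branches above $adr may hold the bare ip; this
	#check is kept as in the original and only changes the result when
	#validipandmask accepts that form - verify against general-functions.pl
	if(&General::validipandmask($adr)){
		$result=&General::iporsubtodec($adr);
	}
	return $result;
}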
195 }