my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
my %fwdfwsettings=();
+my %fwoptions = ();
my %defaultNetworks=();
my %configfwdfw=();;
my %customgrp=();
my %configinputfw=();
my %configoutgoingfw=();
my %confignatfw=();
-my %aliases=();
my @p2ps=();
my $configfwdfw = "${General::swroot}/firewall/config";
my $netsettings = "${General::swroot}/ethernet/settings";
&General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
+&General::readhash("${General::swroot}/optionsfw/settings", \%fwoptions);
&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configoutgoing, \%configoutgoingfw);
&General::readhasharray($configgrp, \%customgrp);
-&General::get_aliases(\%aliases);
my @log_limit_options = &make_log_limit_options();
+my $POLICY_INPUT_ALLOWED = 0;
+my $POLICY_FORWARD_ALLOWED = ($fwdfwsettings{"POLICY"} eq "MODE2");
+my $POLICY_OUTPUT_ALLOWED = ($fwdfwsettings{"POLICY1"} eq "MODE2");
+
+my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"};
+my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
+my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
+
# MAIN
&main();
}
sub preparerules {
- if (! -z "${General::swroot}/firewall/config"){
- &buildrules(\%configfwdfw);
- }
if (! -z "${General::swroot}/firewall/input"){
&buildrules(\%configinputfw);
}
if (! -z "${General::swroot}/firewall/outgoing"){
&buildrules(\%configoutgoingfw);
}
+ if (! -z "${General::swroot}/firewall/config"){
+ &buildrules(\%configfwdfw);
+ }
}
sub buildrules {
my $hash = shift;
+ # Search for targets that need to be specially handled when adding
+ # forwarding rules. Additional rules will automatically get inserted
+ # into the INPUT/OUTPUT chains for these targets.
+ my @special_input_targets = ();
+ if (!$POLICY_FORWARD_ALLOWED) {
+ push(@special_input_targets, "ACCEPT");
+ }
+
+ if ($POLICY_INPUT_ACTION eq "DROP") {
+ push(@special_input_targets, "REJECT");
+ } elsif ($POLICY_INPUT_ACTION eq "REJECT") {
+ push(@special_input_targets, "DROP");
+ }
+
+ my @special_output_targets = ();
+ if ($POLICY_OUTPUT_ALLOWED) {
+ push(@special_output_targets, ("DROP", "REJECT"));
+ } else {
+ push(@special_output_targets, "ACCEPT");
+
+ if ($POLICY_OUTPUT_ACTION eq "DROP") {
+ push(@special_output_targets, "REJECT");
+ } elsif ($POLICY_OUTPUT_ACTION eq "REJECT") {
+ push(@special_output_targets, "DROP");
+ }
+ }
+
foreach my $key (sort {$a <=> $b} keys %$hash) {
# Skip disabled rules.
next unless ($$hash{$key}[2] eq 'ON');
# Add time constraint options.
push(@options, @time_options);
- my $firewall_is_in_source_subnet = 0;
+ my $firewall_is_in_source_subnet = 1;
if ($source) {
$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
}
+ my $firewall_is_in_destination_subnet = 1;
+ if ($destination) {
+ $firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
+ }
+
# Process NAT rules.
if ($NAT) {
my $nat_address = &fwlib::get_nat_address($$hash{$key}[29], $source);
}
push(@options, @source_options);
-
- if ($firewall_is_in_source_subnet && ($fwdfwsettings{"POLICY"} eq "MODE1") && ($chain eq $CHAIN_FORWARD)) {
- if ($LOG && !$NAT) {
- run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
- }
- run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
- }
-
push(@options, @destination_options);
# Insert firewall rule.
run("$IPTABLES -A $chain @options @log_limit_options -j LOG --log-prefix '$chain '");
}
run("$IPTABLES -A $chain @options -j $target");
+
+ # Handle forwarding rules and add corresponding rules for firewall access.
+ if ($chain eq $CHAIN_FORWARD) {
+ # If the firewall is part of the destination subnet and access to the destination network
+ # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
+ # for the firewall, too.
+ if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
+ if ($LOG && !$NAT) {
+ run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
+ }
+ run("$IPTABLES -A $CHAIN_INPUT @options -j $target");
+ }
+
+ # Likewise.
+ if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
+ if ($LOG && !$NAT) {
+ run("$IPTABLES -A $CHAIN_OUTPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
+ }
+ run("$IPTABLES -A $CHAIN_OUTPUT @options -j $target");
+ }
+ }
}
}
}
}
sub p2pblock {
- my $P2PSTRING = "";
- my $DO;
- open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
- @p2ps = <FILE>;
- close FILE;
- my $CMD = "-m ipp2p";
- foreach my $p2pentry (sort @p2ps) {
- my @p2pline = split( /\;/, $p2pentry );
- if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
- $DO = "ACCEPT";
- if ("$p2pline[2]" eq "on") {
- $P2PSTRING = "$P2PSTRING --$p2pline[1]";
- }
- }else {
- $DO = "RETURN";
- if ("$p2pline[2]" eq "off") {
- $P2PSTRING = "$P2PSTRING --$p2pline[1]";
- }
- }
+ my $search_action;
+ my $target;
+
+ if ($fwdfwsettings{"POLICY"} eq "MODE1") {
+ $search_action = "on";
+ $target = "ACCEPT";
+ } else {
+ $search_action = "off";
+ $target = "DROP";
}
- if($P2PSTRING) {
- run("$IPTABLES -A FORWARDFW $CMD $P2PSTRING -j $DO");
+ open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
+ my @protocols = ();
+ foreach my $p2pentry (<FILE>) {
+ my @p2pline = split(/\;/, $p2pentry);
+ next unless ($p2pline[2] eq $search_action);
+
+ push(@protocols, "--$p2pline[1]");
+ }
+ close(FILE);
+
+ if (@protocols) {
+ run("$IPTABLES -A FORWARDFW -m ipp2p @protocols -j $target");
}
}
push(@options, ("-p", $protocol));
}
- # Process source ports.
- my $use_src_ports = ($$hash{$key}[7] eq "ON");
- my $src_ports = $$hash{$key}[10];
-
- if ($use_src_ports && $src_ports) {
- push(@options, &format_ports($src_ports, "src"));
- }
+ if ($protocol ~~ @PROTOCOLS_WITH_PORTS) {
+ # Process source ports.
+ my $use_src_ports = ($$hash{$key}[7] eq "ON");
+ my $src_ports = $$hash{$key}[10];
- # Process destination ports.
- my $use_dst_ports = ($$hash{$key}[11] eq "ON");
- my $use_dnat = (($$hash{$key}[28] eq "ON") && ($$hash{$key}[31] eq "dnat"));
+ if ($use_src_ports && $src_ports) {
+ push(@options, &format_ports($src_ports, "src"));
+ }
- if ($use_dst_ports) {
- my $dst_ports_mode = $$hash{$key}[14];
- my $dst_ports = $$hash{$key}[15];
+ # Process destination ports.
+ my $use_dst_ports = ($$hash{$key}[11] eq "ON");
+ my $use_dnat = (($$hash{$key}[28] eq "ON") && ($$hash{$key}[31] eq "dnat"));
- if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
- if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
- $dst_ports = $$hash{$key}[30];
- }
- push(@options, &format_ports($dst_ports, "dst"));
+ if ($use_dst_ports) {
+ my $dst_ports_mode = $$hash{$key}[14];
+ my $dst_ports = $$hash{$key}[15];
- } elsif ($dst_ports_mode eq "cust_srv") {
- if ($protocol eq "ICMP") {
- push(@options, ("--icmp-type", &fwlib::get_srv_port($dst_ports, 3, "ICMP")));
- } else {
- $dst_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
+ if (($dst_ports_mode eq "TGT_PORT") && $dst_ports) {
+ if ($nat_options_wanted && $use_dnat && $$hash{$key}[30]) {
+ $dst_ports = $$hash{$key}[30];
+ }
push(@options, &format_ports($dst_ports, "dst"));
- }
- } elsif ($dst_ports_mode eq "cust_srvgrp") {
- push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
+ } elsif ($dst_ports_mode eq "cust_srv") {
+ if ($protocol eq "ICMP") {
+ push(@options, ("--icmp-type", &fwlib::get_srv_port($dst_ports, 3, "ICMP")));
+ } else {
+ $dst_ports = &fwlib::get_srv_port($dst_ports, 1, uc($protocol));
+ push(@options, &format_ports($dst_ports, "dst"));
+ }
+
+ } elsif ($dst_ports_mode eq "cust_srvgrp") {
+ push(@options, &fwlib::get_srvgrp_port($dst_ports, uc($protocol)));
+ }
}
}
# Check if a single ICMP type is selected.
- if (!$use_src_ports && !$use_dst_ports && $protocol eq "icmp") {
+ if ($protocol eq "icmp") {
my $icmp_type = $$hash{$key}[9];
if (($icmp_type ne "All ICMP-Types") && $icmp_type) {
return 0;
}
-