################################
# DEBUG/TEST #
################################
-my $MODE=0; # 0 - normal operation
+my $MODE=1; # 0 - normal operation
# 1 - print configline and rules to console
#
################################
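Review bot: `my $MODE=1;` commits the debug setting as the shipped default: with MODE 1 buildrules only prints the generated iptables lines (its `if ($MODE eq '1')` branch) and the `if($MODE eq '0')` policy block right below this hunk is skipped, so no forward rules are installed at all. Unless this is deliberately a test-only branch, restore `my $MODE=0; # 0 - normal operation` before merging. If switching modes during development is the goal, reading the mode from a command-line switch with the default left at 0 avoids flipping the production behaviour by accident.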
&preparerules;
if($MODE eq '0'){
if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
- system ("iptables -A $CHAIN -j DROP");
+ system ("/usr/sbin/firewall-forward-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- system ("iptables -A $CHAIN -j ACCEPT");
+ system ("/usr/sbin/firewall-forward-policy");
+ }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
+ system ("/usr/sbin/firewall-forward-policy");
+ system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
}
}
}
-
sub flush
{
system ("iptables -F FORWARDFW");
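Review bot: The third branch of the policy chain can never match MODE2, because the second branch already tests `$fwdfwsettings{'POLICY'} eq 'MODE2'`; only MODE0 therefore gets the extra `iptables -A $CHAIN -m state --state NEW -j ACCEPT` rule, so if MODE2 was meant to get it too the branch order is wrong. If MODE2 should not get it, drop `|| $fwdfwsettings{'POLICY'} eq 'MODE2'` from the third condition so the intent is readable. All three branches now call `/usr/sbin/firewall-forward-policy` without checking the result; since this script decides what is allowed through FORWARD, `system('/usr/sbin/firewall-forward-policy') == 0 or warn "firewall-forward-policy failed: $?";` would at least surface a missing or failing helper, and hoisting that single call above the chain removes the three copies. The policy block shown here is cut off at its start, before `&preparerules;`.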
sub buildrules
{
my $hash=shift;
- foreach my $key (sort keys %$hash){
+ my $STAG;
+ foreach my $key (sort {$a <=> $b} keys %$hash){
+ $STAG='';
if($$hash{$key}[2] eq 'ON'){
#get source ip's
if ($$hash{$key}[3] eq 'cust_grp_src'){
- foreach my $grp (sort keys %customgrp){
+ foreach my $grp (sort {$a <=> $b} keys %customgrp){
if($customgrp{$grp}[0] eq $$hash{$key}[4]){
&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
}
}
#get target ip's
if ($$hash{$key}[5] eq 'cust_grp_tgt'){
- foreach my $grp (sort keys %customgrp){
+ foreach my $grp (sort {$a <=> $b} keys %customgrp){
if($customgrp{$grp}[0] eq $$hash{$key}[6]){
&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
}
}
}elsif($$hash{$key}[5] eq 'ipfire'){
-
+
if($$hash{$key}[6] eq 'Default IP'){
open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
$targethash{$key}[0]= <FILE>;
}else{
&get_address($$hash{$key}[5],$$hash{$key}[6],"tgt");
}
-
##get source prot and port
$SRC_TGT='SRC';
$SPROT = &get_prot($hash,$key);
$SPORT = &get_port($hash,$key);
$SRC_TGT='';
-
+
##get target prot and port
$DPROT=&get_prot($hash,$key);
-
+
if ($DPROT eq ''){$DPROT=' ';}
@DPROT=split(",",$DPROT);
-
-
+
+
#get time if defined
if($$hash{$key}[18] eq 'ON'){
if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
$TIMETILL="--timestop $$hash{$key}[27] ";
$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
}
-
+
if ($MODE eq '1'){
print "NR:$key ";
foreach my $i (0 .. $#{$$hash{$key}}){
print "\n";
print"##################################\n";
#print rules to console
-
foreach my $DPROT (@DPROT){
$DPORT = &get_port($hash,$key,$DPROT);
if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
foreach my $b (sort keys %targethash){
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
if ($$hash{$key}[17] eq 'ON'){
- print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
}
- print "iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
+ print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
}
}
}
}
print"\n";
}
-
}elsif($MODE eq '0'){
foreach my $DPROT (@DPROT){
$DPORT = &get_port($hash,$key,$DPROT);
foreach my $b (sort keys %targethash){
if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
+ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
if ($$hash{$key}[17] eq 'ON'){
- system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
}
- system ("iptables -A $$hash{$key}[1] $PROT -s $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
+ system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]");
}
}
}
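Review bot: `$STAG` is reset to '' only once per rule at the top of the key loop but is set to `-s` inside the per-source loop and never cleared, so in a rule whose sources mix an IP entry and a MAC entry every MAC source that follows an IP source is emitted as `-s -m mac --mac-source ...`, which iptables rejects; because the `system` return value is not checked the rule is dropped silently. Compute the tag per source in both the print branch and the system branch instead: `$STAG = (substr($sourcehash{$a}[0], 3, 3) eq 'mac') ? '' : '-s';`. Checking `system(...) == 0 or warn "iptables failed ($?): ..."` on the rule lines would make such a malformed rule visible in the logs rather than leaving a hole in the intended policy. Separately, the loop variable `my $b` (and presumably a `my $a` for the source loop, which lies outside the shown lines) shadows the package `$a`/`$b` that the newly added `sort {$a <=> $b}` blocks rely on; Perl refuses to compile a sort block inside the scope of such lexicals, so renaming them to `$src`/`$tgt` removes a latent compile error should a numeric sort ever be added further down. buildrules continues past the end of this hunk.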
}
my $key = &General::findhasharraykey($hash);
if($base eq 'src_addr' || $base eq 'tgt_addr' ){
- $$hash{$key}[0] = $configfwdfw{$key}[4];
+ if (&General::validmac($base2)){
+ $$hash{$key}[0] = "-m mac --mac-source $base2";
+ }else{
+ $$hash{$key}[0] = $base2;
+ }
}elsif($base eq 'std_net_src' || $base eq 'std_net_tgt' || $base eq 'Standard Network'){
$$hash{$key}[0]=&fwlib::get_std_net_ip($base2);
}elsif($base eq 'cust_net_src' || $base eq 'cust_net_tgt' || $base eq 'Custom Network'){
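Review bot: The new MAC branch applies to both `src_addr` and `tgt_addr`, but buildrules always emits the target with a hard-coded `-d $targethash{$b}[0]`, and iptables' mac match has no destination form, so a MAC configured as target yields `-d -m mac --mac-source ...` and the rule fails to load. Either restrict the MAC case to `if ($base eq 'src_addr' && &General::validmac($base2))` and reject or warn on a MAC target, or teach the target side to drop `-d` the way the new `$STAG` does for the source. The `else` branch now stores `$base2` verbatim instead of the previously stored config value, and that string is later interpolated into a single-string `system("iptables ...")`, so it should be validated as an IP or network first (e.g. `&General::validip`/`&General::validipandmask` next to the `validmac` check) rather than trusting whatever the settings file contains. get_address starts before this hunk and continues after it.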
if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
if ($$hash{$key}[10] ne ''){
return "--sport $$hash{$key}[10] ";
- }elsif($$hash{$key}[9] ne ''){
+ }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
return "--icmp-type $$hash{$key}[9] ";
+ }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
+ return;
}
}elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){