# This script builds firewallrules from the webinterface #
###############################################################################
-
use strict;
no warnings 'uninitialized';
my %configinputfw=();
my %aliases=();
my @DPROT=();
+my @p2ps=();
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/forward/bin/firewall-lib.pl";
my $configfwdfw = "${General::swroot}/forward/config";
my $configinput = "${General::swroot}/forward/input";
+my $p2pfile = "${General::swroot}/forward/p2protocols";
my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $netsettings = "${General::swroot}/ethernet/settings";
my $errormessage='';
+my $orange;
+my $green;
my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
my $CHAIN="FORWARDFW";
&General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+&General::readhash("$netsettings", \%defaultNetworks);
&General::readhasharray($configfwdfw, \%configfwdfw);
&General::readhasharray($configinput, \%configinputfw);
&General::readhasharray($configgrp, \%customgrp);
&preparerules;
if($MODE eq '0'){
if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
+ &p2pblock;
system ("/usr/sbin/firewall-forward-policy");
}elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
- system ("/usr/sbin/firewall-forward-policy");
- }elsif($fwdfwsettings{'POLICY'} eq 'MODE0' || $fwdfwsettings{'POLICY'} eq 'MODE2'){
- system ("/usr/sbin/firewall-forward-policy");
+ if ($defaultNetworks{'ORANGE_DEV'}){
+ $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
+ $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+ $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
+ $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+ #set default rules for DMZ
+ system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
+ &p2pblock;
+ }
system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+ system ("/usr/sbin/firewall-forward-policy");
}
}
}
{
my $hash=shift;
my $STAG;
- foreach my $key (sort keys %$hash){
+ foreach my $key (sort {$a <=> $b} keys %$hash){
$STAG='';
if($$hash{$key}[2] eq 'ON'){
#get source ip's
if ($$hash{$key}[3] eq 'cust_grp_src'){
- foreach my $grp (sort keys %customgrp){
+ foreach my $grp (sort {$a <=> $b} keys %customgrp){
if($customgrp{$grp}[0] eq $$hash{$key}[4]){
&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"src");
}
}
#get target ip's
if ($$hash{$key}[5] eq 'cust_grp_tgt'){
- foreach my $grp (sort keys %customgrp){
+ foreach my $grp (sort {$a <=> $b} keys %customgrp){
if($customgrp{$grp}[0] eq $$hash{$key}[6]){
&get_address($customgrp{$grp}[3],$customgrp{$grp}[2],"tgt");
}
if ($DPROT eq ''){$DPROT=' ';}
@DPROT=split(",",$DPROT);
-
#get time if defined
if($$hash{$key}[18] eq 'ON'){
if($$hash{$key}[19] ne ''){push (@timeframe,"Mon");}
$TIMETILL="--timestop $$hash{$key}[27] ";
$TIME="-m time --weekdays $TIME $TIMEFROM $TIMETILL";
}
-
if ($MODE eq '1'){
print "NR:$key ";
foreach my $i (0 .. $#{$$hash{$key}}){
print "\n";
print"##################################\n";
#print rules to console
-
foreach my $DPROT (@DPROT){
$DPORT = &get_port($hash,$key,$DPROT);
if ($SPROT ne ''){$PROT=$SPROT;}else{$PROT=$DPROT;}
$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
foreach my $a (sort keys %sourcehash){
foreach my $b (sort keys %targethash){
- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
if ($$hash{$key}[17] eq 'ON'){
$PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
foreach my $a (sort keys %sourcehash){
foreach my $b (sort keys %targethash){
- if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
+ if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
if ($$hash{$key}[17] eq 'ON'){
}
}
}
- print"\n";
}
}
}
undef $TIMETILL;
}
}
+sub p2pblock
+{
+ my $P2PSTRING;
+ my $DO;
+ open( FILE, "< $p2pfile" ) or die "Unable to read $p2pfile";
+ @p2ps = <FILE>;
+ close FILE;
+ my $CMD = "-m ipp2p";
+ foreach my $p2pentry (sort @p2ps) {
+ my @p2pline = split( /\;/, $p2pentry );
+ if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
+ $DO = "ACCEPT";
+ if ("$p2pline[2]" eq "on") {
+ $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+ }
+ }else {
+ $DO = "RETURN";
+ if ("$p2pline[2]" eq "off") {
+ $P2PSTRING = "$P2PSTRING --$p2pline[1]";
+ }
+ }
+ }
+ if ($MODE eq 1){
+ if($P2PSTRING){
+ print"/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO\n";
+ }
+ }else{
+ if($P2PSTRING){
+ system("/sbin/iptables -A FORWARDFW $CMD $P2PSTRING -j $DO");
+ }
+ }
+}
+
sub get_address
{
my $base=shift; #source of checking ($configfwdfw{$key}[x] or groupkey
my $prot=shift;
if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
if ($$hash{$key}[10] ne ''){
- return "--sport $$hash{$key}[10] ";
+ $$hash{$key}[10] =~ s/\|/,/g;
+ if(index($$hash{$key}[10],",") > 0){
+ return "-m multiport --sport $$hash{$key}[10] ";
+ }else{
+ return "--sport $$hash{$key}[10] ";
+ }
}elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
return "--icmp-type $$hash{$key}[9] ";
}elsif($$hash{$key}[9] eq 'All ICMP-Types'){
if($$hash{$key}[14] eq 'TGT_PORT'){
if ($$hash{$key}[15] ne ''){
- return "--dport $$hash{$key}[15] ";
+ $$hash{$key}[15] =~ s/\|/,/g;
+ if(index($$hash{$key}[15],",") > 0){
+ return "-m multiport --dport $$hash{$key}[15] ";
+ }else{
+ return "--dport $$hash{$key}[15] ";
+ }
}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
return "--icmp-type $$hash{$key}[13] ";
}elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){
elsif($prot eq 'ICMP'){
return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
}
-
-
}
}
}