Forward Firewall: removed --kerneltz from rules.pl. New function timeconvert in forwa...
index a6ba4fc50798313cb98baec48bf6c49a838c704a..d4006846d589dcf99bd1994c051df0e7d38228e5 100755 (executable)
@@ -42,6 +42,8 @@ our %sourcehash=();
 our %targethash=();
 my @timeframe=();
 my %configinputfw=();
+my %configoutgoingfw=();
+my %configdmzfw=();
 my %aliases=();
 my @DPROT=();
 my @p2ps=();
@@ -49,18 +51,27 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/forward/bin/firewall-lib.pl";
 
+my $configdmz          = "${General::swroot}/forward/dmz";
 my $configfwdfw                = "${General::swroot}/forward/config";
 my $configinput            = "${General::swroot}/forward/input";
+my $configoutgoing  = "${General::swroot}/forward/outgoing";
 my $p2pfile                    = "${General::swroot}/forward/p2protocols";
 my $configgrp          = "${General::swroot}/fwhosts/customgroups";
+my $netsettings                = "${General::swroot}/ethernet/settings";
 my $errormessage='';
+my $orange;
+my $green;
+my $blue;
 my ($TYPE,$PROT,$SPROT,$DPROT,$SPORT,$DPORT,$TIME,$TIMEFROM,$TIMETILL,$SRC_TGT);
 my $CHAIN="FORWARDFW";
 
 
 &General::readhash("${General::swroot}/forward/settings", \%fwdfwsettings);
+&General::readhash("$netsettings", \%defaultNetworks);
+&General::readhasharray($configdmz, \%configdmzfw);
 &General::readhasharray($configfwdfw, \%configfwdfw);
 &General::readhasharray($configinput, \%configinputfw);
+&General::readhasharray($configoutgoing, \%configoutgoingfw);
 &General::readhasharray($configgrp, \%customgrp);
 &General::get_aliases(\%aliases);
 
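Review bot: `%defaultNetworks` is filled by the new `&General::readhash("$netsettings", \%defaultNetworks);` but, unlike `%configdmzfw` and `%configoutgoingfw`, no `my`/`our` declaration for it is added in this or the previous hunk; unless it is declared somewhere outside the visible lines, this will not compile under `use strict`. Add `my %defaultNetworks=();` next to the other hash declarations, and drop the needless double quotes around the path: `&General::readhash($netsettings, \%defaultNetworks);`.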
@@ -90,14 +101,28 @@ if($param eq 'flush'){
        if($MODE eq '0'){
                if ($fwdfwsettings{'POLICY'} eq 'MODE1'){
                        &p2pblock;
-                       system ("/usr/sbin/firewall-forward-policy"); 
+                       system ("/usr/sbin/firewall-policy"); 
                }elsif($fwdfwsettings{'POLICY'} eq 'MODE2'){
+                       $defaultNetworks{'GREEN_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'GREEN_NETMASK'});
+                       $green="$defaultNetworks{'GREEN_ADDRESS'}/$defaultNetworks{'GREEN_NETMASK'}";
+                       if ($defaultNetworks{'BLUE_DEV'}){
+                               $defaultNetworks{'BLUE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'BLUE_NETMASK'});
+                               $blue="$defaultNetworks{'BLUE_ADDRESS'}/$defaultNetworks{'BLUE_NETMASK'}";
+                               #set default rules for BLUE
+                               system ("iptables -A $CHAIN -s $blue -d $green -j RETURN");
+                       }
+                       if ($defaultNetworks{'ORANGE_DEV'}){
+                               $defaultNetworks{'ORANGE_NETMASK'}=&General::iporsubtocidr($defaultNetworks{'ORANGE_NETMASK'});
+                               $orange="$defaultNetworks{'ORANGE_ADDRESS'}/$defaultNetworks{'ORANGE_NETMASK'}";
+                               #set default rules for DMZ
+                               system ("iptables -A $CHAIN -s $orange -d $green -j RETURN");
+                               if ($defaultNetworks{'BLUE_DEV'}){
+                                       system ("iptables -A $CHAIN -s $orange -d $blue -j RETURN");
+                               }
+                       }
                        &p2pblock;
-                       system ("/usr/sbin/firewall-forward-policy"); 
-                       system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
-               }elsif($fwdfwsettings{'POLICY'} eq 'MODE0'){
-                       system ("/usr/sbin/firewall-forward-policy"); 
                        system ("iptables -A $CHAIN -m state --state NEW -j ACCEPT");
+                       system ("/usr/sbin/firewall-policy");
                }
        }
 }
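Review bot: The three new `system ("iptables -A $CHAIN -s $blue -d $green -j RETURN")` calls hand a single string to the shell and never look at the return value, so a rejected rule (for example an empty or unconverted netmask, since `$blue`/`$orange` are built from whatever the ethernet settings file contains) leaves the policy set up incompletely with no trace in the script. Prefer the list form, which bypasses the shell, and check the result, e.g. `system('iptables', '-A', $CHAIN, '-s', $blue, '-d', $green, '-j', 'RETURN') == 0 or warn "iptables RETURN $blue -> $green failed: $?";` for each of the three calls. Note also that the converted netmasks are written back into `%defaultNetworks`, so nothing else in the script may rely on the original dotted-quad form afterwards, and that ORANGE gets a RETURN towards BLUE but not the reverse — worth a comment if that asymmetry is intended. The enclosing `if($param eq 'flush')` block starts before this hunk.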
@@ -105,15 +130,22 @@ sub flush
 {
        system ("iptables -F FORWARDFW");
        system ("iptables -F INPUTFW");
+       system ("iptables -F OUTGOINGFW");
 }                      
 sub preparerules
 {
+       if (! -z  "${General::swroot}/forward/dmz"){
+               &buildrules(\%configdmzfw);
+       }
        if (! -z  "${General::swroot}/forward/config"){
                &buildrules(\%configfwdfw);
        }
        if (! -z  "${General::swroot}/forward/input"){
                &buildrules(\%configinputfw);
        }
+       if (! -z  "${General::swroot}/forward/outgoing"){
+               &buildrules(\%configoutgoingfw);
+       }
 }
 sub buildrules
 {
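Review bot: The new checks in `preparerules` repeat the literal paths `"${General::swroot}/forward/dmz"` and `"${General::swroot}/forward/outgoing"` even though `$configdmz` and `$configoutgoing` already hold exactly these strings; keeping the path in one place avoids the two drifting apart. `! -z FILE` is also true for a file that does not exist (`-z` returns undef then), so `-s` says what is meant more directly: `if (-s $configdmz){` and `if (-s $configoutgoing){`. `sub buildrules` starts in this hunk and continues beyond it.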
@@ -140,7 +172,6 @@ sub buildrules
                                        }
                                }
                        }elsif($$hash{$key}[5] eq 'ipfire'){
-
                                if($$hash{$key}[6] eq 'Default IP'){
                                        open(FILE, "/var/ipfire/red/local-ipaddress") or die 'Unable to open config file.';
                                        $targethash{$key}[0]= <FILE>;
@@ -195,13 +226,23 @@ sub buildrules
                                        $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
                                        foreach my $a (sort keys %sourcehash){
                                                foreach my $b (sort keys %targethash){
-                                                       if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
+                                                       if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
                                                                if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
-                                                                       if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
-                                                                       if ($$hash{$key}[17] eq 'ON'){
-                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+                                                                       if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+                                                                       if(substr($DPORT, 2, 4) eq 'icmp'){
+                                                                               my @icmprule= split(",",substr($DPORT, 12,));
+                                                                               foreach (@icmprule){
+                                                                                       if ($$hash{$key}[17] eq 'ON'){
+                                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG\n";
+                                                                                       }
+                                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]\n"; 
+                                                                               }
+                                                                       }else{
+                                                                               if ($$hash{$key}[17] eq 'ON'){
+                                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+                                                                               }
+                                                                               print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; 
                                                                        }
-                                                                       print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n"; 
                                                                }                               
                                                        }
                                                }
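Review bot: The changed condition `$sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'` mixes `&&` and `||` without parentheses; since `&&` binds tighter, a rule is now emitted for an any-source entry even when the target is `'none'`, which was excluded before. If that is intended, write the grouping out as `(A && B) || C` so the next reader does not have to work it out; if not, it should be `$targethash{$b}[0] ne 'none' && ($sourcehash{$a}[0] ne $targethash{$b}[0] || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0')`. The same expression appears again in the `system` variant of this loop in the next hunk. Separately, the new `&& $sourcehash{$a}[0] ne ''` guard only decides whether `$STAG` is set to `-s`; as far as this hunk shows `$STAG` is never cleared, so a value left from an earlier iteration would still be printed for an empty source — presumably it is reset elsewhere, please confirm.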
@@ -215,18 +256,27 @@ sub buildrules
                                        $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
                                        foreach my $a (sort keys %sourcehash){
                                                foreach my $b (sort keys %targethash){
-                                                       if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none'){
+                                                       if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
                                                                if($SPROT eq '' || $SPROT eq $DPROT || $DPROT eq ' '){
-                                                                       if(substr($sourcehash{$a}[0], 3, 3) ne 'mac'){ $STAG="-s";}
-                                                                       if ($$hash{$key}[17] eq 'ON'){
-                                                                               system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+                                                                       if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
+                                                                       if(substr($DPORT, 2, 4) eq 'icmp'){
+                                                                               my @icmprule= split(",",substr($DPORT, 12,));
+                                                                               foreach (@icmprule){
+                                                                                       if ($$hash{$key}[17] eq 'ON'){
+                                                                                               system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] -- icmp-type $_ $TIME -j LOG");
+                                                                                       }
+                                                                                       system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j $$hash{$key}[0]"); 
+                                                                               }
+                                                                       }else{
+                                                                               if ($$hash{$key}[17] eq 'ON'){
+                                                                                       system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG");
+                                                                               }
+                                                                               system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); 
                                                                        }
-                                                                       system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]"); 
                                                                }                               
                                                        }
                                                }
                                        }
-                                       print"\n";
                                }
                        }
                }
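Review bot: The LOG rule for ICMP types contains `-- icmp-type $_` with a space after the dashes, whereas the ACCEPT/DROP rule two lines below correctly uses `--icmp-type $_`; with logging switched on, iptables receives `--` followed by a bare `icmp-type` argument and rejects the command, and because the `system` return value is not checked the rule is silently missing from the chain. It should read `system ("iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] --icmp-type $_ $TIME -j LOG");`. The `print` version of this block in the previous hunk is otherwise identical to this one, so keeping the two in lockstep (or generating the command string once and choosing print vs. system at the end) would have caught this.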
@@ -247,14 +297,14 @@ sub p2pblock
        my $CMD = "-m ipp2p";
        foreach my $p2pentry (sort @p2ps) {
                my @p2pline = split( /\;/, $p2pentry );
-               if ( $fwdfwsettings{'POLICY'} eq 'MODE2' ) {
-                       $DO = "DROP";
-                       if ("$p2pline[2]" eq "off") {
+               if ( $fwdfwsettings{'POLICY'} eq 'MODE1' ) {
+                       $DO = "ACCEPT";
+                       if ("$p2pline[2]" eq "on") {
                                $P2PSTRING = "$P2PSTRING --$p2pline[1]";
                        }
-               } else {
+               }else {
                        $DO = "RETURN";
-                       if ("$p2pline[2]" eq "on") {
+                       if ("$p2pline[2]" eq "off") {
                                $P2PSTRING = "$P2PSTRING --$p2pline[1]";
                        }
                }
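Review bot: The inverted branches deserve a comment, because the meaning of the two modes is not visible here and has also changed in the `flush` hunk above: in `MODE1` the jump target is `ACCEPT` and only protocols marked `on` are collected into `$P2PSTRING`, in every other mode the target is `RETURN` and the protocols marked `off` are collected. A line such as `# MODE1: ACCEPT the protocols switched on; other modes: RETURN for the protocols switched off` above the `if` would make the intent reviewable. Minor style: `}else {` differs from the `} else {` used elsewhere in this sub, and `"$p2pline[2]" eq "on"` does not need the quotes around the array element.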
@@ -340,7 +390,12 @@ sub get_port
        my $prot=shift;
        if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
                if ($$hash{$key}[10] ne ''){
-                       return "--sport $$hash{$key}[10] ";
+                       $$hash{$key}[10] =~ s/\|/,/g;
+                       if(index($$hash{$key}[10],",") > 0){
+                               return "-m multiport --sport $$hash{$key}[10] ";
+                       }else{
+                               return "--sport $$hash{$key}[10] ";
+                       }
                }elsif($$hash{$key}[9] ne '' && $$hash{$key}[9] ne 'All ICMP-Types'){
                        return "--icmp-type $$hash{$key}[9] ";
                }elsif($$hash{$key}[9] eq 'All ICMP-Types'){
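Review bot: `$$hash{$key}[10] =~ s/\|/,/g;` rewrites the configuration entry in place, so the hash the caller passed in no longer holds the value read from the file; work on a copy instead, `(my $ports = $$hash{$key}[10]) =~ s/\|/,/g;`, and build the `--sport`/`-m multiport --sport` string from `$ports`. The returned string is later interpolated into a `system("iptables …")` command string, so this is also the place to make sure only port syntax gets through, e.g. `return '' unless $ports =~ /\A[0-9:,]+\z/;` (or a warning, whichever the caller expects). `-m multiport` accepts at most 15 ports, with a range counting as two — worth a comment here since the GUI may allow longer lists. The same in-place rewrite of `$$hash{$key}[15]` is in the following hunk.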
@@ -350,7 +405,12 @@ sub get_port
                
                if($$hash{$key}[14] eq 'TGT_PORT'){
                        if ($$hash{$key}[15] ne ''){
-                               return "--dport $$hash{$key}[15] ";
+                               $$hash{$key}[15] =~ s/\|/,/g;
+                               if(index($$hash{$key}[15],",") > 0){
+                                       return "-m multiport --dport $$hash{$key}[15] ";
+                               }else{
+                                       return "--dport $$hash{$key}[15] ";
+                               }
                        }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] ne 'All ICMP-Types'){
                                return "--icmp-type $$hash{$key}[13] ";
                        }elsif($$hash{$key}[13] ne '' && $$hash{$key}[13] eq 'All ICMP-Types'){