X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=config%2Ffirewall%2Frules.pl;h=43807647cab91f24e06d7b3cb89d861481f254be;hp=c724aa840cbd7214624e99c0dd1dda0f9bbd7729;hb=73372ed4e6b573c4a1078b771df4f6623fc79927;hpb=6d8eb5dec7bf36f9b1bd53c9354d980aea315d89 diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index c724aa840..43807647c 100755 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -45,7 +45,7 @@ my @DPROT=(); my @p2ps=(); require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; -require "${General::swroot}/firewall/bin/firewall-lib.pl"; +require "/usr/lib/firewall/firewall-lib.pl"; my $configfwdfw = "${General::swroot}/firewall/config"; my $configinput = "${General::swroot}/firewall/input"; @@ -86,8 +86,8 @@ close(CONN1); # DEBUG/TEST # ################# my $MODE=0; # 0 - normal operation - # 1 - print configline and rules to console - # + # 1 - print configline and rules to console + # ################# my $param=shift; @@ -252,13 +252,19 @@ sub buildrules #print rules to console foreach my $DPROT (@DPROT){ $DPORT = &get_port($hash,$key,$DPROT); + if ($DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP' ){ + $DPORT=''; + } $PROT=$DPROT; $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' '); foreach my $a (sort keys %sourcehash){ foreach my $b (sort keys %targethash){ + next if ($targethash{$b}[0] eq 'none'); + $STAG=''; if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){ if($DPROT ne ''){ if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";} + #Process ICMP RULE if(substr($DPORT, 2, 4) eq 'icmp'){ my @icmprule= split(",",substr($DPORT, 12,)); foreach (@icmprule){ 
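Review bot: The `next if ($targethash{$b}[0] eq 'none');` added at the top of the `%targethash` loop makes the `$targethash{$b}[0] ne 'none'` test in the `if` directly below it always true, so that condition can be simplified and its unparenthesized `&&`/`||` mix made explicit at the same time: `if ($sourcehash{$a}[0] ne $targethash{$b}[0] || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){`. The same two lines are added to the system-mode copy of this loop in the hunk at -322, where the same simplification applies. `buildrules` begins before this hunk and its body continues past it.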
@@ -272,10 +278,11 @@ sub buildrules
 }
 print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $icmptype $_ $TIME -j $$hash{$key}[0]\n";
 }
+ #PROCESS DNAT RULE (Portforward)
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
 $natchain='NAT_DESTINATION';
 if ($$hash{$key}[17] eq 'ON'){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
 }
 my ($ip,$sub) =split("/",$targethash{$b}[0]);
 #Process NAT with servicegroup used
@@ -298,17 +305,26 @@ sub buildrules
 }
 print "iptables -A FORWARDFW $PROT -i $con $STAG $sourcehash{$a}[0] -d $ip $fwaccessdport $TIME -j $$hash{$key}[0]\n";
 next;
+ #PROCESS SNAT RULE
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
 $natchain='NAT_SOURCE';
+ if ($$hash{$key}[17] eq 'ON' ){
+ print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
+ }
 print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
 }
- if ($$hash{$key}[17] eq 'ON' ){
- print "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
+ #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
 if ($PROT ne '-p ICMP'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
+ #PROCESS Prot ICMP and type = All ICMP-Types
 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ print "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
 print "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 }
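Review bot: The blocks under `if ($PROT ne '-p ICMP'){` and `if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){` now have identical bodies (the new `[17] eq 'ON' && [28] ne 'ON'` LOG rule followed by the same `iptables -A` rule), so they can be folded into one block headed `if ($PROT ne '-p ICMP' || $$hash{$key}[9] eq 'All ICMP-Types'){` with a single copy of the body. The same duplication is introduced in the system-mode copy in the hunk at -371. A short comment on the new `[28] ne 'ON'` test would also help the next reader, e.g. `# NAT rules are logged from the NAT_* branches above, so skip the filter-chain LOG for them` — that reading is inferred from the DNAT/SNAT branches in this and the -272 hunk and should be confirmed. The enclosing loops open before this hunk and close after it.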
@@ -322,8 +338,13 @@ sub buildrules
 $DPORT = &get_port($hash,$key,$DPROT);
 $PROT=$DPROT;
 $PROT="-p $PROT" if ($PROT ne '' && $PROT ne ' ');
+ if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){
+ $DPORT='';
+ }
 foreach my $a (sort keys %sourcehash){
 foreach my $b (sort keys %targethash){
+ next if ($targethash{$b}[0] eq 'none');
+ $STAG='';
 if ($sourcehash{$a}[0] ne $targethash{$b}[0] && $targethash{$b}[0] ne 'none' || $sourcehash{$a}[0] eq '0.0.0.0/0.0.0.0'){
 if($DPROT ne ''){
 if(substr($sourcehash{$a}[0], 3, 3) ne 'mac' && $sourcehash{$a}[0] ne ''){ $STAG="-s";}
@@ -345,7 +366,7 @@ sub buildrules
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'dnat'){
 $natchain='NAT_DESTINATION';
 if ($$hash{$key}[17] eq 'ON'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT $natip $fireport $TIME -j LOG --log-prefix 'DNAT' \n";
 }
 my ($ip,$sub) =split("/",$targethash{$b}[0]);
 #Process NAT with servicegroup used
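Review bot: The protocol guard `if ($DPROT ne 'TCP' && $DPROT ne'UDP' && $DPROT ne 'ICMP' ){` is missing the space between `ne` and `'UDP'`, and unlike the print-mode copy in the hunk at -252 it is placed after the two `$PROT` assignments instead of directly after `$DPORT = &get_port(...)`. Keeping the two copies byte-identical makes it much easier to verify that the MODE 1 console output really shows the rules that will be installed; write it as `if ($DPROT ne 'TCP' && $DPROT ne 'UDP' && $DPROT ne 'ICMP'){` in both places. Both loops begin before this hunk and continue past it.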
@@ -371,17 +392,23 @@ sub buildrules
 #PROCESS SNAT RULE
 }elsif($$hash{$key}[28] eq 'ON' && $$hash{$key}[31] eq 'snat'){
 $natchain='NAT_SOURCE';
+ if ($$hash{$key}[17] eq 'ON' ){
+ system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG --log-prefix 'SNAT' \n";
+ }
 system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $nat --to $natip\n";
 }
- if ($$hash{$key}[17] eq 'ON' && substr($DPORT, 2, 4) ne 'icmp'){
- system "$command $natchain $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
- }
 #PROCESS EVERY OTHER RULE (If NOT ICMP, else the rule would be applied double)
 if ($PROT ne '-p ICMP'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 #PROCESS Prot ICMP and type = All ICMP-Types
 if ($PROT eq '-p ICMP' && $$hash{$key}[9] eq 'All ICMP-Types'){
+ if ($$hash{$key}[17] eq 'ON' && $$hash{$key}[28] ne 'ON'){
+ system "$command $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j LOG\n";
+ }
 system "iptables -A $$hash{$key}[1] $PROT $STAG $sourcehash{$a}[0] $SPORT -d $targethash{$b}[0] $DPORT $TIME -j $$hash{$key}[0]\n";
 }
 }
@@ -577,6 +604,7 @@ sub get_port
 my $hash=shift;
 my $key=shift;
 my $prot=shift;
+ #Get manual defined Ports from SOURCE
 if ($$hash{$key}[7] eq 'ON' && $SRC_TGT eq 'SRC'){
 if ($$hash{$key}[10] ne ''){
 $$hash{$key}[10] =~ s/\|/,/g;
@@ -590,6 +618,7 @@ sub get_port
 }
 }
 }
+ #Get manual ports from TARGET
 }elsif($$hash{$key}[11] eq 'ON' && $SRC_TGT eq ''){
 if($$hash{$key}[14] eq 'TGT_PORT'){
 if ($$hash{$key}[15] ne ''){
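Review bot: Each of the three new `system "..."` lines (the SNAT LOG rule and the two filter-chain LOG rules) hands one interpolated string to the shell, so any whitespace or shell metacharacter in `$sourcehash{$a}[0]`, `$targethash{$b}[0]`, `$DPORT` or `$natip` is re-tokenized by the shell instead of reaching iptables as a single argument; the existing `system` calls in this sub share that property, but this hunk adds more such sites. Building each rule once as an argument list and calling `system(@rule)` (list form, no shell), with MODE 1 printing `join(' ', @rule)`, would remove the shell parsing and at the same time the print/system duplication between this hunk and the one at -298. Whether those values can actually contain such characters depends on the validation done by the web UI that writes `$configfwdfw`, which is outside this file. `buildrules` continues on both sides of this hunk.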
@@ -605,16 +634,20 @@ sub get_port } } } + #Get ports defined in custom Service (firewall-groups) }elsif($$hash{$key}[14] eq 'cust_srv'){ if ($prot ne 'ICMP'){ if($$hash{$key}[31] eq 'dnat' && $$hash{$key}[28] eq 'ON'){ - return ":".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + my $ports =&fwlib::get_srv_port($$hash{$key}[15],1,$prot); + $ports =~ s/\:/-/g; + return ":".$ports }else{ return "--dport ".&fwlib::get_srv_port($$hash{$key}[15],1,$prot); } }elsif($prot eq 'ICMP' && $$hash{$key}[11] eq 'ON'){ #When PROT is ICMP and "use targetport is checked, this is an icmp-service return "--icmp-type ".&fwlib::get_srv_port($$hash{$key}[15],3,$prot); } + #Get ports from services which are used in custom servicegroups (firewall-groups) }elsif($$hash{$key}[14] eq 'cust_srvgrp'){ if ($prot ne 'ICMP'){ return &fwlib::get_srvgrp_port($$hash{$key}[15],$prot);
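Review bot: The new `$ports =~ s/\:/-/g;` in the `cust_srv` DNAT branch rewrites the port string without saying why; add a comment above it such as `# --to (to-destination) takes a port range as low-high, whereas --dport uses low:high` — that it feeds the `--to $natip` rule in `buildrules` is inferred from the -298 hunk and should be confirmed. The backslash in `s/\:/-/g` is unnecessary since `:` is not a regex metacharacter, and `return ":".$ports` only works because it is the last statement in the block, so add the `;` before a later insertion turns it into a syntax error. I cannot tell from here whether the `cust_srvgrp` DNAT path further down, which still returns `get_srvgrp_port` unchanged, needs the same `:` to `-` conversion. `get_port` begins before this hunk and continues past it.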