Forward Firewall: some fixes:

author Alexander Marx <amarx@ipfire.org>

Tue, 2 Apr 2013 09:24:22 +0000 (11:24 +0200)

committer Michael Tremer <michael.tremer@ipfire.org>

Fri, 9 Aug 2013 12:12:39 +0000 (14:12 +0200)
author Alexander Marx <amarx@ipfire.org>
Tue, 2 Apr 2013 09:24:22 +0000 (11:24 +0200)
committer Michael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:12:39 +0000 (14:12 +0200)
diff --git a/config/backup/backup.pl b/config/backup/backup.pl

index 4662a8a1d35a032a22e5114cc399086191a6a494..28e2dd89eb4bef6a1fc6371ce6f4884d83bfc0f0 100644 (file)
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -76,15 +76,23 @@ elsif ($ARGV[0] eq 'restore') {
                   system("touch ${General::swroot}/forward/outgoing");
                   chown 99,99,"${General::swroot}/forward/outgoing";
           }
-         unlink("${General::swroot}/fwhosts/*");
+         unlink("${General::swroot}/fwhosts/customgroups");
+         unlink("${General::swroot}/fwhosts/customhosts");
+         unlink("${General::swroot}/fwhosts/customgroups");
+         unlink("${General::swroot}/fwhosts/customnetworks");
+         unlink("${General::swroot}/fwhosts/customservicegrp");
+         unlink("${General::swroot}/fwhosts/customnetworks");
           system("touch ${General::swroot}/fwhosts/customgroups");
           system("touch ${General::swroot}/fwhosts/customhosts");
           system("touch ${General::swroot}/fwhosts/customnetworks");
           system("touch ${General::swroot}/fwhosts/customservicegrp");
-         system("touch ${General::swroot}/fwhosts/customservices");
-         chown 99,99,"${General::swroot}/fwhosts/*";
           #START CONVERTER "OUTGOINGFW"
           system("/usr/sbin/convert-outgoingfw");
+         chown 99,99,"${General::swroot}/fwhosts/customgroups";
+         chown 99,99,"${General::swroot}/fwhosts/customhosts";
+         chown 99,99,"${General::swroot}/fwhosts/customnetworks";
+         chown 99,99,"${General::swroot}/fwhosts/customservicegrp";
+         #START CONVERTER "OUTGOINGFW"
           rmtree("${General::swroot}/outgoing");
    }
    #XTACCESS CONVERTER
@@ -92,10 +100,10 @@ elsif ($ARGV[0] eq 'restore') {
           if( -f "${General::swroot}/forward/input" ){
                   unlink("${General::swroot}/forward/input");
                   system("touch ${General::swroot}/forward/input");
-                 chown 99,99,"${General::swroot}/forward/input";
           }
           #START CONVERTER "XTACCESS"
           system("/usr/sbin/convert-xtaccess");
+         chown 99,99,"${General::swroot}/forward/input";
           rmtree("${General::swroot}/xtaccess");
    }
    #DMZ-HOLES CONVERTER
@@ -103,10 +111,10 @@ elsif ($ARGV[0] eq 'restore') {
           if( -f "${General::swroot}/forward/dmz" ){
                   unlink("${General::swroot}/forward/dmz");
                   system("touch ${General::swroot}/forward/dmz");
-                 chown 99,99,"${General::swroot}/forward/dmz";
           }
           #START CONVERTER "DMZ-HOLES"
           system("/usr/sbin/convert-dmz");
+         chown 99,99,"${General::swroot}/forward/dmz";
           rmtree("${General::swroot}/dmzholes");
    }
    #PORTFORWARD CONVERTER
@@ -114,10 +122,10 @@ elsif ($ARGV[0] eq 'restore') {
           if( -f "${General::swroot}/forward/nat" ){
                   unlink("${General::swroot}/forward/nat");
                   system("touch ${General::swroot}/forward/nat");
-                 chown 99,99,"${General::swroot}/forward/nat";
           }
           #START CONVERTER "PORTFW"
           system("/usr/sbin/convert-portfw");
+         chown 99,99,"${General::swroot}/forward/nat";
           rmtree("${General::swroot}/portfw");
    }
    system("/usr/local/bin/forwardfwctrl");
diff --git a/config/forwardfw/convert-outgoingfw b/config/forwardfw/convert-outgoingfw

index d065b5acdec4e759ade94de350a76bc6858a1241..54ba709875a66feffff7f18a874fe40d80c1b924 100755 (executable)
--- a/config/forwardfw/convert-outgoingfw
+++ b/config/forwardfw/convert-outgoingfw
@@ -61,21 +61,22 @@ sub process_groups
         open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
         #IP Group processing
         foreach my $group (@ipgroups){
+               my $now=localtime;
                 chomp $group;
-               print LOG "\nProcessing IP-GROUP: $group...\n";
+               print LOG "\n$now Processing IP-GROUP: $group...\n";
                 open (DATEI, "<$ipgrouppath/$group");
                 my @zeilen = <DATEI>;
                 foreach my $ip (@zeilen){
                         chomp($ip);
                         $ip =~ s/\s//gi;
-                       print LOG "Check IP $ip from Group $group ";
+                       print LOG "$now Check IP $ip from Group $group ";
                         my $val=&check_ip($ip);
                         if($val){
                                 push(@hostarray,$val.",ip");
-                               print LOG "-> OK\n";
+                               print LOG "$now -> OK\n";
                         }
                         else{
-                               print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n";
+                               print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n";
                         }
                         $val='';
                 }
@@ -94,17 +95,17 @@ sub process_groups
                 foreach my $mac (@zeilen){
                         chomp($mac);
                         $mac =~ s/\s//gi;
-                       print LOG "Checking MAC $mac from group $group ";
+                       print LOG "$now Checking MAC $mac from group $group ";
                         #MAC checking
                         if(&General::validmac($mac)){
                                 $val=$mac;
                         }
                         if($val){
                                 push(@hostarray,$val.",mac");
-                               print LOG "-> OK\n";
+                               print LOG "$now -> OK\n";
                         }
                         else{
-                               print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n";
+                               print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n";
                         }
                         $val='';
                 }
@@ -297,30 +298,31 @@ sub check_grp
  sub process_rules
  {
         my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+       #open LOG
+       if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
+       open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
+
         &General::readhash($fwdfwsettings,\%fwdsettings);
         if ($outsettings{'POLICY'} eq 'MODE1'){
-               $fwdfwsettings{'POLICY'}='MODE1';
+               $fwdsettings{'POLICY'}='MODE1';
+               $fwdsettings{'POLICY1'}='MODE2';
                 $type='ALLOW';
                 $action='ACCEPT';
-       }elsif($outsettings{'POLICY'} eq 'MODE2'){
+       }else{
                 $fwdsettings{'POLICY'}='MODE2';
+               $fwdsettings{'POLICY1'}='MODE2';
                 $type='DENY';
                 $action='DROP';
-       }else{
-               return;
         }
         &General::writehash($fwdfwsettings,\%fwdsettings);
-       
-       #open LOG
-       if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
-       open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
         open (DATEI, "<$outgoingrules");
         my @lines = <DATEI>;
         foreach my $rule (@lines)
         {
+               my $now=localtime;
                 chomp($rule);
                 $port='';
-               print LOG "processing: $rule\n";
+               print LOG "$now processing: $rule\n";
                 my @configline=();
                 @configline = split( /\;/, $rule );
                 my @prot=();
@@ -377,9 +379,10 @@ sub process_rules
                                 $grp1='std_net_src';
                                 $source='BLUE';
                         }elsif ($configline[2] eq 'ipsec') {
-                               print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
+                               print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
                                 next;
                         }elsif ($configline[2] eq 'ovpn') {
+                               print LOG "$now ->Creating networks/groups for OpenVPN...\n";
                                 &build_ovpn_grp;                
                                 $grp1='cust_grp_src';
                                 $source='ovpn'          
@@ -391,7 +394,7 @@ sub process_rules
                                         $grp1='src_addr';
                                         $source="$ipa/$subn";
                                 }else{
-                                       print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
+                                       print LOG "$now -> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
                                         next;
                                 }
                         }elsif ($configline[2] eq 'mac') {
@@ -399,7 +402,7 @@ sub process_rules
                                         $grp1='src_addr';
                                         $source=$configline[6];
                                 }else{
-                                       print LOG"-> Rule not converted, invalid MAC \"$configline[6]\" \n";
+                                       print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";
                                         next;
                                 }
                         }elsif ($configline[2] eq 'all') {
@@ -413,7 +416,7 @@ sub process_rules
                                         }
                                 }
                                 if ($grp1 eq '' || $source eq ''){
-                                       print LOG "-> Rule not converted, no valid source recognised\n";
+                                       print LOG "$now -> Rule not converted, no valid source recognised\n";
                                 }
                         }
                         ############################################################
@@ -432,7 +435,7 @@ sub process_rules
                                                 $target=$getwebsiteip;  
                                                 $remark.=" $configline[7]";
                                         }else{
-                                               print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n";
+                                               print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n";
                                                 next;
                                         }
                                  }
@@ -451,7 +454,7 @@ sub process_rules
                                                         push (@values,$_);
                                                         $grp3='TGT_PORT';
                                                 }else{
-                                                       print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+                                                       print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
                                                         next;
                                                 }
                                          }else{
@@ -461,7 +464,7 @@ sub process_rules
                                                         push (@values,"$a1:$a2");
                                                         $grp3='TGT_PORT';
                                                 }else{
-                                                       print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; 
+                                                       print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n"; 
                                                         next;
                                                 } 
                                          }
@@ -478,13 +481,14 @@ sub process_rules
                 my $check;
                 my $chain;
                 foreach my $protocol (@prot){
+                       my $now=localtime;
                         if ($source eq 'IPFire'){
                                 $chain='OUTGOINGFW';
                         }else{
                                 $chain='FORWARDFW';
                         }
                         $protocol=uc($protocol);
-                       print LOG "-> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
+                       print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
                         #Put rules into system....
                         ###########################
                         #check for double rules
@@ -583,6 +587,7 @@ sub get_ip_from_domain
  }
  sub build_ovpn_grp
  {
+       my $now=localtime;
         &General::readhasharray($confighosts,\%hosts);
         &General::readhasharray($confignets,\%nets);
         &General::readhasharray($configgroups,\%groups);
@@ -594,20 +599,24 @@ sub build_ovpn_grp
         if($settingsovpn{'DOVPN_SUBNET'}){
                 my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
                 push (@ovpnnets,"$net,$subnet,dynamic");
+               print LOG "$now ->found dynamic OpenVPN net\n"; 
         }
         foreach my $key (sort keys %ccdconf){
                 my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
                 $subnet=&General::iporsubtodec($subnet);
                 push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
+               print LOG "$now ->found OpenVPN static net $net/$subnet\n";
         }
         foreach my $key (sort keys %configovpn){
                 if ($configovpn{$key}[3] eq 'net'){
                         my ($net,$subnet)=split("/",$configovpn{$key}[27]);
                         push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
+                       print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
                 }
         }
         #add ovpn nets to customnetworks/groups
         foreach my $line (@ovpnnets){
+               my $now=localtime;
                 my ($net,$subnet,$name) = split(",",$line);
                 if (!&check_net($net,$subnet)){
                         my $netkey      =  &General::findhasharraykey(\%nets);
@@ -616,7 +625,9 @@ sub build_ovpn_grp
                         $nets{$netkey}[0] = $name2;
                         $nets{$netkey}[1] = $net;
                         $nets{$netkey}[2] = $subnet;
-                       $nets{$netkey}[3] = 1;
+                       $nets{$netkey}[3] = '';
+                       $nets{$netkey}[4] = 1;
+                       print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
                 }else{
                         print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n"; 
                 }
@@ -627,6 +638,7 @@ sub build_ovpn_grp
                         $groups{$grpkey}[2]     = $name2;
                         $groups{$grpkey}[3]     = "Custom Network";
                         $groups{$grpkey}[4]     = 0;
+                       print LOG "$now ->added $name2 to customgroup ovpn\n";
                 }
                 $name2='';
         }
@@ -634,6 +646,7 @@ sub build_ovpn_grp
         &General::writehasharray($confighosts,\%hosts);
         &General::writehasharray($configgroups,\%groups);
         &General::writehasharray($confignets,\%nets);
+       print LOG "$now ->finished OVPN\n";
  }
  sub process_p2p
  {
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi

index a0bb21fb8efad40f82637703937413441611fa60..8581141e97292e5f9d710215859c3e88600f1107 100755 (executable)
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -863,7 +863,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
                                 &General::readhasharray("$confignet", \%customnetwork);
                                 foreach my $key1 (keys %customnetwork){
                                                 if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){
-                                               $customnetwork{$key1}[3] = $customnetwork{$key1}[3]-1;
+                                               $customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1;
                                                 last;
                                         }
                                 }
author	Alexander Marx <amarx@ipfire.org>
	Tue, 2 Apr 2013 09:24:22 +0000 (11:24 +0200)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Fri, 9 Aug 2013 12:12:39 +0000 (14:12 +0200)
config/backup/backup.pl		patch \| blob \| blame \| history
config/forwardfw/convert-outgoingfw		patch \| blob \| blame \| history
html/cgi-bin/fwhosts.cgi		patch \| blob \| blame \| history