Forward Firewall: some fixes:
authorAlexander Marx <amarx@ipfire.org>
Tue, 2 Apr 2013 09:24:22 +0000 (11:24 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Fri, 9 Aug 2013 12:12:39 +0000 (14:12 +0200)
1) Counter was not correctly decreased when deleting a network from a customgroup
2) Convert-outgoingfw improved
3) Backup didn't set file permissions correctly

config/backup/backup.pl
config/forwardfw/convert-outgoingfw
html/cgi-bin/fwhosts.cgi

index 4662a8a1d35a032a22e5114cc399086191a6a494..28e2dd89eb4bef6a1fc6371ce6f4884d83bfc0f0 100644 (file)
@@ -76,15 +76,23 @@ elsif ($ARGV[0] eq 'restore') {
                  system("touch ${General::swroot}/forward/outgoing");
                  chown 99,99,"${General::swroot}/forward/outgoing";
          }
-         unlink("${General::swroot}/fwhosts/*");
+         unlink("${General::swroot}/fwhosts/customgroups");
+         unlink("${General::swroot}/fwhosts/customhosts");
+         unlink("${General::swroot}/fwhosts/customgroups");
+         unlink("${General::swroot}/fwhosts/customnetworks");
+         unlink("${General::swroot}/fwhosts/customservicegrp");
+         unlink("${General::swroot}/fwhosts/customnetworks");
          system("touch ${General::swroot}/fwhosts/customgroups");
          system("touch ${General::swroot}/fwhosts/customhosts");
          system("touch ${General::swroot}/fwhosts/customnetworks");
          system("touch ${General::swroot}/fwhosts/customservicegrp");
-         system("touch ${General::swroot}/fwhosts/customservices");
-         chown 99,99,"${General::swroot}/fwhosts/*";
          #START CONVERTER "OUTGOINGFW"
          system("/usr/sbin/convert-outgoingfw");
+         chown 99,99,"${General::swroot}/fwhosts/customgroups";
+         chown 99,99,"${General::swroot}/fwhosts/customhosts";
+         chown 99,99,"${General::swroot}/fwhosts/customnetworks";
+         chown 99,99,"${General::swroot}/fwhosts/customservicegrp";
+         #START CONVERTER "OUTGOINGFW"
          rmtree("${General::swroot}/outgoing");
   }
   #XTACCESS CONVERTER
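Review bot: The `unlink` calls for `customgroups` and `customnetworks` are each issued twice (the second of each pair is dead), and the `#START CONVERTER "OUTGOINGFW"` comment is now repeated after the `chown` lines; drop the duplicates so the list of managed files reads as one source of truth. The commit message promises correct file permissions, but this hunk only sets ownership — the files are created by `system("touch …")` and so take their mode from root's umask at restore time; if the CGI needs a particular mode, add an explicit `chmod 0644, …` (or whatever it actually expects) beside each `chown`. Neither `chown` nor `system("/usr/sbin/convert-outgoingfw")` has its return value checked, so a failed converter or a missing file passes silently; at minimum `chown(99, 99, $f) or warn "chown $f: $!";`. The enclosing restore branch starts before this hunk.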
@@ -92,10 +100,10 @@ elsif ($ARGV[0] eq 'restore') {
          if( -f "${General::swroot}/forward/input" ){
                  unlink("${General::swroot}/forward/input");
                  system("touch ${General::swroot}/forward/input");
-                 chown 99,99,"${General::swroot}/forward/input";
          }
          #START CONVERTER "XTACCESS"
          system("/usr/sbin/convert-xtaccess");
+         chown 99,99,"${General::swroot}/forward/input";
          rmtree("${General::swroot}/xtaccess");
   }
   #DMZ-HOLES CONVERTER
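Review bot: Moving `chown 99,99,"${General::swroot}/forward/input"` out of the `if( -f … )` block means it now runs even when the file did not pre-exist, presumably because `/usr/sbin/convert-xtaccess` is expected to create it — but if the converter fails or writes nothing, the `chown` silently fails on a missing path since its return value is never checked. Consider `system("/usr/sbin/convert-xtaccess") == 0 or warn "convert-xtaccess failed: $?";` before the `chown`, and keep a guard such as `-f "${General::swroot}/forward/input" and chown 99,99,"${General::swroot}/forward/input";`. The same pattern is repeated in the dmz and nat hunks below. The enclosing `#XTACCESS CONVERTER` block starts before this hunk.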
@@ -103,10 +111,10 @@ elsif ($ARGV[0] eq 'restore') {
          if( -f "${General::swroot}/forward/dmz" ){
                  unlink("${General::swroot}/forward/dmz");
                  system("touch ${General::swroot}/forward/dmz");
-                 chown 99,99,"${General::swroot}/forward/dmz";
          }
          #START CONVERTER "DMZ-HOLES"
          system("/usr/sbin/convert-dmz");
+         chown 99,99,"${General::swroot}/forward/dmz";
          rmtree("${General::swroot}/dmzholes");
   }
   #PORTFORWARD CONVERTER
@@ -114,10 +122,10 @@ elsif ($ARGV[0] eq 'restore') {
          if( -f "${General::swroot}/forward/nat" ){
                  unlink("${General::swroot}/forward/nat");
                  system("touch ${General::swroot}/forward/nat");
-                 chown 99,99,"${General::swroot}/forward/nat";
          }
          #START CONVERTER "PORTFW"
          system("/usr/sbin/convert-portfw");
+         chown 99,99,"${General::swroot}/forward/nat";
          rmtree("${General::swroot}/portfw");
   }
   system("/usr/local/bin/forwardfwctrl");
index d065b5acdec4e759ade94de350a76bc6858a1241..54ba709875a66feffff7f18a874fe40d80c1b924 100755 (executable)
@@ -61,21 +61,22 @@ sub process_groups
        open (LOG, ">/var/log/converters/groups-convert.log") or die $!;
        #IP Group processing
        foreach my $group (@ipgroups){
+               my $now=localtime;
                chomp $group;
-               print LOG "\nProcessing IP-GROUP: $group...\n";
+               print LOG "\n$now Processing IP-GROUP: $group...\n";
                open (DATEI, "<$ipgrouppath/$group");
                my @zeilen = <DATEI>;
                foreach my $ip (@zeilen){
                        chomp($ip);
                        $ip =~ s/\s//gi;
-                       print LOG "Check IP $ip from Group $group ";
+                       print LOG "$now Check IP $ip from Group $group ";
                        my $val=&check_ip($ip);
                        if($val){
                                push(@hostarray,$val.",ip");
-                               print LOG "-> OK\n";
+                               print LOG "$now -> OK\n";
                        }
                        else{
-                               print LOG "-> IP \"$ip\" from group $group not converted (invalid IP) \n";
+                               print LOG "$now -> IP \"$ip\" from group $group not converted (invalid IP) \n";
                        }
                        $val='';
                }
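Review bot: `my $now=localtime;` is taken once per group, before the inner `foreach my $ip` loop, so every per-IP log line carries the group's start time rather than its own; if the timestamp is meant to order events, make `my $now=localtime;` the first statement of `foreach my $ip (@zeilen)`, as process_rules does for its inner loop. The `open (DATEI, "<$ipgrouppath/$group")` on the context line is unchecked, so an unreadable group file logs only the `Processing IP-GROUP:` header with no error; `unless (open (DATEI, "<", "$ipgrouppath/$group")) { print LOG "$now cannot open $group: $!\n"; next; }` makes that visible and avoids 2-arg `open`'s special treatment of leading/trailing characters in the name. process_groups continues past this hunk.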
@@ -94,17 +95,17 @@ sub process_groups
                foreach my $mac (@zeilen){
                        chomp($mac);
                        $mac =~ s/\s//gi;
-                       print LOG "Checking MAC $mac from group $group ";
+                       print LOG "$now Checking MAC $mac from group $group ";
                        #MAC checking
                        if(&General::validmac($mac)){
                                $val=$mac;
                        }
                        if($val){
                                push(@hostarray,$val.",mac");
-                               print LOG "-> OK\n";
+                               print LOG "$now -> OK\n";
                        }
                        else{
-                               print LOG "-> Mac $mac from group $group not converted (invalid MAC)\n";
+                               print LOG "$now -> Mac $mac from group $group not converted (invalid MAC)\n";
                        }
                        $val='';
                }
@@ -297,30 +298,31 @@ sub check_grp
 sub process_rules
 {
        my ($type,$action,$active,$grp1,$source,$grp2,$useport,$port,$prot,$grp3,$target,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to);
+       #open LOG
+       if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
+       open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
+
        &General::readhash($fwdfwsettings,\%fwdsettings);
        if ($outsettings{'POLICY'} eq 'MODE1'){
-               $fwdfwsettings{'POLICY'}='MODE1';
+               $fwdsettings{'POLICY'}='MODE1';
+               $fwdsettings{'POLICY1'}='MODE2';
                $type='ALLOW';
                $action='ACCEPT';
-       }elsif($outsettings{'POLICY'} eq 'MODE2'){
+       }else{
                $fwdsettings{'POLICY'}='MODE2';
+               $fwdsettings{'POLICY1'}='MODE2';
                $type='DENY';
                $action='DROP';
-       }else{
-               return;
        }
        &General::writehash($fwdfwsettings,\%fwdsettings);
-       
-       #open LOG
-       if( -f "/var/log/converters/outgoingfw-convert.log"){unlink ("/var/log/converters/outgoingfw-convert.log");}
-       open (LOG, ">/var/log/converters/outgoingfw-convert.log") or die $!;
        open (DATEI, "<$outgoingrules");
        my @lines = <DATEI>;
        foreach my $rule (@lines)
        {
+               my $now=localtime;
                chomp($rule);
                $port='';
-               print LOG "processing: $rule\n";
+               print LOG "$now processing: $rule\n";
                my @configline=();
                @configline = split( /\;/, $rule );
                my @prot=();
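Review bot: Replacing the `elsif ($outsettings{'POLICY'} eq 'MODE2')` / `else { return; }` pair with a bare `else` changes behaviour: any POLICY value other than MODE1 — including an empty one when the outgoing settings file is missing or unreadable — now writes `POLICY=MODE2` and converts every rule with `DROP`, where the old code did nothing. Default-deny is the safer fallback, but since this runs unattended during restore it should be logged, e.g. `print LOG "$now POLICY '$outsettings{'POLICY'}' is not MODE1, falling back to MODE2/DROP\n";` in the else branch, and the commit message should mention it. `POLICY1` is set to `MODE2` in both branches while `POLICY` follows the source; if POLICY1 is meant to mirror the outgoing policy the MODE1 branch is wrong, and if it is deliberately fixed a one-line comment saying why would stop a future "fix". The `unlink` before `open (LOG, ">…")` is redundant since `>` truncates, and `open (DATEI, "<$outgoingrules")` is still unchecked, so a missing rules file converts silently to nothing. process_rules continues past this hunk.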
@@ -377,9 +379,10 @@ sub process_rules
                                $grp1='std_net_src';
                                $source='BLUE';
                        }elsif ($configline[2] eq 'ipsec') {
-                               print LOG "-> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
+                               print LOG "$now -> Rule not converted, ipsec+ interface is obsolet since IPFire 2.7 \n";
                                next;
                        }elsif ($configline[2] eq 'ovpn') {
+                               print LOG "$now ->Creating networks/groups for OpenVPN...\n";
                                &build_ovpn_grp;                
                                $grp1='cust_grp_src';
                                $source='ovpn'          
@@ -391,7 +394,7 @@ sub process_rules
                                        $grp1='src_addr';
                                        $source="$ipa/$subn";
                                }else{
-                                       print LOG "-> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
+                                       print LOG "$now -> Rule not converted, missing/invalid source ip \"$configline[5]\"\n";
                                        next;
                                }
                        }elsif ($configline[2] eq 'mac') {
@@ -399,7 +402,7 @@ sub process_rules
                                        $grp1='src_addr';
                                        $source=$configline[6];
                                }else{
-                                       print LOG"-> Rule not converted, invalid MAC \"$configline[6]\" \n";
+                                       print LOG"$now -> Rule not converted, invalid MAC \"$configline[6]\" \n";
                                        next;
                                }
                        }elsif ($configline[2] eq 'all') {
@@ -413,7 +416,7 @@ sub process_rules
                                        }
                                }
                                if ($grp1 eq '' || $source eq ''){
-                                       print LOG "-> Rule not converted, no valid source recognised\n";
+                                       print LOG "$now -> Rule not converted, no valid source recognised\n";
                                }
                        }
                        ############################################################
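Review bot: The `no valid source recognised` branch logs the failure but, unlike every other rejection in this sub (e.g. the `invalid MAC` branch above), does not `next;`, so the rule falls through with an empty `$grp1`/`$source` and is still handed to the code that writes rules out. Add `next;` directly after that `print LOG`. The `all` branch and the rest of the rule loop lie outside this hunk, so a later check may catch this, but nothing visible here does.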
@@ -432,7 +435,7 @@ sub process_rules
                                                $target=$getwebsiteip;  
                                                $remark.=" $configline[7]";
                                        }else{
-                                               print LOG "-> Rule not converted, invalid domain \"$configline[7]\"\n";
+                                               print LOG "$now -> Rule not converted, invalid domain \"$configline[7]\"\n";
                                                next;
                                        }
                                 }
@@ -451,7 +454,7 @@ sub process_rules
                                                        push (@values,$_);
                                                        $grp3='TGT_PORT';
                                                }else{
-                                                       print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n";
+                                                       print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n";
                                                        next;
                                                }
                                         }else{
@@ -461,7 +464,7 @@ sub process_rules
                                                        push (@values,"$a1:$a2");
                                                        $grp3='TGT_PORT';
                                                }else{
-                                                       print LOG "-> Rule not converted, invalid destination Port \"$configline[8]\"\n"; 
+                                                       print LOG "$now -> Rule not converted, invalid destination Port \"$configline[8]\"\n"; 
                                                        next;
                                                } 
                                         }
@@ -478,13 +481,14 @@ sub process_rules
                my $check;
                my $chain;
                foreach my $protocol (@prot){
+                       my $now=localtime;
                        if ($source eq 'IPFire'){
                                $chain='OUTGOINGFW';
                        }else{
                                $chain='FORWARDFW';
                        }
                        $protocol=uc($protocol);
-                       print LOG "-> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
+                       print LOG "$now -> Converted: $action,$chain,$active,$grp1,$source,$grp2,$target,,,,,$useport,$protocol,,$grp3,$port,$remark,$log,$time,$time_mon,$time_tue,$time_wed,$time_thu,$time_fri,$time_sat,$time_sun,$time_from,$time_to\n";
                        #Put rules into system....
                        ###########################
                        #check for double rules
@@ -583,6 +587,7 @@ sub get_ip_from_domain
 }
 sub build_ovpn_grp
 {
+       my $now=localtime;
        &General::readhasharray($confighosts,\%hosts);
        &General::readhasharray($confignets,\%nets);
        &General::readhasharray($configgroups,\%groups);
@@ -594,20 +599,24 @@ sub build_ovpn_grp
        if($settingsovpn{'DOVPN_SUBNET'}){
                my ($net,$subnet)=split("/",$settingsovpn{'DOVPN_SUBNET'});
                push (@ovpnnets,"$net,$subnet,dynamic");
+               print LOG "$now ->found dynamic OpenVPN net\n"; 
        }
        foreach my $key (sort keys %ccdconf){
                my ($net,$subnet)=split("/",$ccdconf{$key}[1]);
                $subnet=&General::iporsubtodec($subnet);
                push (@ovpnnets,"$net,$subnet,$ccdconf{$key}[0]");
+               print LOG "$now ->found OpenVPN static net $net/$subnet\n";
        }
        foreach my $key (sort keys %configovpn){
                if ($configovpn{$key}[3] eq 'net'){
                        my ($net,$subnet)=split("/",$configovpn{$key}[27]);
                        push (@ovpnnets,"$net,$subnet,$configovpn{$key}[2]");
+                       print LOG "$now ->found OpenVPN $net/$subnet $configovpn{$key}[2]\n";
                }
        }
        #add ovpn nets to customnetworks/groups
        foreach my $line (@ovpnnets){
+               my $now=localtime;
                my ($net,$subnet,$name) = split(",",$line);
                if (!&check_net($net,$subnet)){
                        my $netkey      =  &General::findhasharraykey(\%nets);
@@ -616,7 +625,9 @@ sub build_ovpn_grp
                        $nets{$netkey}[0] = $name2;
                        $nets{$netkey}[1] = $net;
                        $nets{$netkey}[2] = $subnet;
-                       $nets{$netkey}[3] = 1;
+                       $nets{$netkey}[3] = '';
+                       $nets{$netkey}[4] = 1;
+                       print LOG "$now ->added $name2 $net/$subnet to customnetworks\n";
                }else{
                        print LOG "-> Custom Network with same IP already exist \"$net/$subnet\" (you can ignore this, if this run was manual from shell)\n"; 
                }
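Review bot: The else branch's `print LOG "-> Custom Network with same IP already exist …"` is the one line in build_ovpn_grp that did not get the `$now ` prefix this commit adds everywhere else; `print LOG "$now -> Custom Network with same IP already exist \"$net/$subnet\" …` keeps the log uniformly timestamped. Shifting the counter from `[3]` to `[4]` (with `[3]` now an empty string) changes the on-disk layout of customnetworks; the fwhosts.cgi change in this commit reads `[4]`, but any other reader or writer of that file, and any customnetworks file written with the previous layout, would now find the count in the wrong column — I cannot confirm from this diff that all of them were updated. A short comment on the two assignments naming what each column holds would help the next maintainer.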
@@ -627,6 +638,7 @@ sub build_ovpn_grp
                        $groups{$grpkey}[2]     = $name2;
                        $groups{$grpkey}[3]     = "Custom Network";
                        $groups{$grpkey}[4]     = 0;
+                       print LOG "$now ->added $name2 to customgroup ovpn\n";
                }
                $name2='';
        }
@@ -634,6 +646,7 @@ sub build_ovpn_grp
        &General::writehasharray($confighosts,\%hosts);
        &General::writehasharray($configgroups,\%groups);
        &General::writehasharray($confignets,\%nets);
+       print LOG "$now ->finished OVPN\n";
 }
 sub process_p2p
 {
index a0bb21fb8efad40f82637703937413441611fa60..8581141e97292e5f9d710215859c3e88600f1107 100755 (executable)
@@ -863,7 +863,7 @@ if ($fwhostsettings{'ACTION'} eq 'deletegrphost')
                                &General::readhasharray("$confignet", \%customnetwork);
                                foreach my $key1 (keys %customnetwork){
                                                if ($customnetwork{$key1}[0] eq $customgrp{$key}[2]){
-                                               $customnetwork{$key1}[3] = $customnetwork{$key1}[3]-1;
+                                               $customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1;
                                                last;
                                        }
                                }
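Review bot: The decrement `$customnetwork{$key1}[4] = $customnetwork{$key1}[4]-1;` has no lower bound and no undef check, so a record still in the old layout (count in column 3, column 4 absent) yields `-1` with an "uninitialized value" warning in the CGI log and a negative count persisted to customnetworks. Guard it, e.g. `$customnetwork{$key1}[4] = (defined $customnetwork{$key1}[4] && $customnetwork{$key1}[4] > 0) ? $customnetwork{$key1}[4]-1 : 0;`. The `deletegrphost` handler and the `foreach my $key` loop around this hunk start outside it, so whether the hash is written back afterwards cannot be seen here.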