From: Alexander Marx Date: Tue, 2 Apr 2013 03:40:50 +0000 (+0200) Subject: Forward Firewall: added dmz-converter. X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=commitdiff_plain;h=a60dbb4b6aef3c4753f3206812ff80d34235e066 Forward Firewall: added dmz-converter. Also extended backup.pl script to support old backups. Now it is possible to restore old backups into new firewall. On restore, all config files of new firewall will be destroyed and the 4 converters will recreate them. --- diff --git a/config/backup/backup.pl b/config/backup/backup.pl index b21716185..4ad7363fb 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl 
@@ -64,25 +64,63 @@ elsif ($ARGV[0] eq 'restore') {
 system("cd / && tar -xvz -p -f /tmp/restore.ipf");
 #Here some converter scripts to correct old Backups (before core 65)
 system("/usr/sbin/ovpn-ccd-convert");
+ #OUTGOINGFW CONVERTER
 if( -d "${General::swroot}/outgoing"){
 if( -f "${General::swroot}/forward/config" ){
 unlink("${General::swroot}/forward/config");
 system("touch ${General::swroot}/forward/config");
 chown 99,99,"${General::swroot}/forward/config";
 }
- if( -f "${General::swroot}/forward/input" ){
- unlink("${General::swroot}/forward/input");
- system("touch ${General::swroot}/forward/input");
- chown 99,99,"${General::swroot}/forward/input";
- }
+ if( -f "${General::swroot}/forward/outgoing" ){
+ unlink("${General::swroot}/forward/outgoing");
+ system("touch ${General::swroot}/forward/outgoing");
+ chown 99,99,"${General::swroot}/forward/outgoing";
+ }
+ unlink("${General::swroot}/fwhosts/*");
+ system("touch ${General::swroot}/fwhosts/customgroups");
+ system("touch ${General::swroot}/fwhosts/customhosts");
+ system("touch ${General::swroot}/fwhosts/customnetworks");
+ system("touch ${General::swroot}/fwhosts/customservicegrp");
+ system("touch ${General::swroot}/fwhosts/customservices");
+ chown 99,99,"${General::swroot}/fwhosts/*";
+ #START CONVERTER "OUTGOINGFW"
 system("/usr/sbin/convert-outgoingfw");
 rmtree("${General::swroot}/outgoing");
- system("/usr/local/bin/forwrdfwctrl");
 }
+ #XTACCESS CONVERTER
 if( -d "${General::swroot}/xtaccess"){
+ if( -f "${General::swroot}/forward/input" ){
+ unlink("${General::swroot}/forward/input");
+ system("touch ${General::swroot}/forward/input");
+ chown 99,99,"${General::swroot}/forward/input";
+ }
+ #START CONVERTER "XTACCESS"
 system("/usr/sbin/convert-xtaccess");
 rmtree("${General::swroot}/xtaccess");
 }
+ #DMZ-HOLES CONVERTER
+ if( -d "${General::swroot}/dmz-holes"){
+ if( -f "${General::swroot}/forward/dmz" ){
+ unlink("${General::swroot}/forward/dmz");
+ system("touch ${General::swroot}/forward/dmz");
+ chown 99,99,"${General::swroot}/forward/dmz";
+ }
+ #START CONVERTER "DMZ-HOLES"
+ system("/usr/sbin/convert-dmz");
+ rmtree("${General::swroot}/xtaccess");
+ }
+ #PORTFORWARD CONVERTER
+ if( -d "${General::swroot}/portfw"){
+ if( -f "${General::swroot}/forward/nat" ){
+ unlink("${General::swroot}/forward/nat");
+ system("touch ${General::swroot}/forward/nat");
+ chown 99,99,"${General::swroot}/forward/nat";
+ }
+ #START CONVERTER "PORTFW"
+ system("/usr/sbin/convert-portfw");
+ rmtree("${General::swroot}/portfw");
+ }
+ system("/usr/local/bin/forwardfwctrl");
 }
 elsif ($ARGV[0] eq 'restoreaddon') {
 if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");}
diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
new file mode 100755
index 000000000..639cef374
--- /dev/null
+++ b/config/forwardfw/convert-dmz
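Review bot: The DMZ-HOLES block removes the wrong directory — the `rmtree("${General::swroot}/xtaccess");` right after `system("/usr/sbin/convert-dmz");` looks copied from the XTACCESS block and should be `rmtree("${General::swroot}/dmz-holes");`, so the old dmz config is left on disk after conversion. The guard `-d "${General::swroot}/dmz-holes"` also does not match the path the new converter reads, `${General::swroot}/dmzholes/config`; unless both names exist on a restored system, one of them is a typo and the DMZ rules are never converted at all. Separately, `unlink("${General::swroot}/fwhosts/*")` and `chown 99,99,"${General::swroot}/fwhosts/*"` pass a literal `*` — Perl's unlink and chown do not expand globs — so nothing is deleted or re-owned; use `unlink glob("${General::swroot}/fwhosts/*")` and chown the five touched files by name, bearing in mind that a working glob would also delete `fwhosts/icmp-types`, which this commit lists in the configroot rootfile and nothing here recreates. The enclosing `elsif ($ARGV[0] eq 'restore')` branch begins before the hunk.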
@@ -0,0 +1,172 @@
+#!/usr/bin/perl
+
+########################################################################
+# Script: convert-dmz
+# Date: 03.04.2013
+# Author: Alexander Marx (amarx@ipfire.org)
+########################################################################
+#
+# This script converts old dmz holes rules from old Firewall
+# to the new one. This is a 2-step process.
+# STEP1: read old config and normalize settings
+# STEP2: check valid ip and save valid rules to new firewall
+#
+########################################################################
+my @current=();
+my @alias=();
+my %configdmz=();
+my %ifaces=();
+my %configfwdfw=();
+require '/var/ipfire/general-functions.pl';
+my $dmzconfig = "${General::swroot}/dmzholes/config";
+my $fwdfwconfig = "${General::swroot}/forward/dmz";
+my $ifacesettings = "${General::swroot}/ethernet/settings";
+my $field0 = 'ACCEPT';
+my $field1 = 'FORWARDFW';
+my $field2 = ''; #ON or emtpy
+my $field3 = ''; #std_net_src or src_addr
+my $field4 = ''; #ALL or IP-Address with /32
+my $field5 = ''; #std_net_tgt or tgt_addr
+my $field6 = ''; #IP or network name
+my $field11 = 'ON'; #use target port
+my $field12 = ''; #TCP or UDP
+my $field13 = 'All ICMP-Types';
+my $field14 = 'TGT_PORT';
+my $field15 = ''; #Port Number
+my $field16 = ''; #remark
+my $field26 = '00:00';
+my $field27 = '00:00';
+open(FILE, $dmzconfig) or die 'Unable to open config file.';
+my @current = ;
+close(FILE);
+#open LOGFILE
+open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
+&General::readhash($ifacesettings, \%ifaces);
+&General::readhasharray($fwdfwconfig,\%configfwdfw);
+&process_rules;
+sub process_rules{
+ foreach my $line (@current){
+ my $now=localtime;
+ #get values from old configfile
+ my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
+ $h =~ s/\s//gi;
+ print LOG "$Now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+ #Now convert values and check ip addresses
+ $a=uc($a);
+ $e=uc($e);
+ $field2=$e if($e eq 'ON');
+ #SOURCE IP-check
+ $b=&check_ip($b);
+ if (&General::validipandmask($b)){
+ #When ip valid, check if we have a network
+ my ($ip,$subnet) = split ("/",$b);
+ if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
+ $field3='std_net_src';
+ $field4='ORANGE';
+ }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+ $field3='std_net_src';
+ $field4='BLUE';
+ }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
+ $field3='src_addr';
+ $field4=$b;
+ }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
+ $field3='src_addr';
+ $field4=$b;
+ }else{
+ print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n";
+ next;
+ }
+ }else{
+ print LOG "$now -> SOURCE IP INVALID. \n\n";
+ next;
+ }
+ #TARGET IP-check
+ $c=&check_ip($c);
+ if (&General::validipandmask($c)){
+ my $now=localtime;
+ #When ip valid, check if we have a network
+ my ($ip,$subnet) = split ("/",$c);
+ if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
+ $field5='std_net_tgt';
+ $field6='GREEN';
+ }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+ $field5='std_net_tgt';
+ $field6='BLUE';
+ }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
+ $field5='tgt_addr';
+ $field6=$c;
+ }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
+ $field5='tgt_addr';
+ $field6=$c;
+ }else{
+ print LOG "$Now ->NOT Converted, invalid Source IP $b\n\n";
+ next;
+ }
+ }else{
+ print LOG "$now -> SOURCE IP INVALID. \n\n";
+ next;
+ }
+ $field12=$a;
+ #convert portrange
+ $d =~ tr/-/:/;
+ $field15=$d;
+ $field16=$h;
+ ##Ausgabe
+ #print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+ #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n";
+ my $key = &General::findhasharraykey (\%configfwdfw);
+ foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
+ $configfwdfw{$key}[0] = $field0;
+ $configfwdfw{$key}[1] = $field1;
+ $configfwdfw{$key}[2] = $field2;
+ $configfwdfw{$key}[3] = $field3;
+ $configfwdfw{$key}[4] = $field4;
+ $configfwdfw{$key}[5] = $field5;
+ $configfwdfw{$key}[6] = $field6;
+ $configfwdfw{$key}[7] = '';
+ $configfwdfw{$key}[8] = '';
+ $configfwdfw{$key}[9] = '';
+ $configfwdfw{$key}[10] = '';
+ $configfwdfw{$key}[11] = $field11;
+ $configfwdfw{$key}[12] = $field12;
+ $configfwdfw{$key}[13] = $field13;
+ $configfwdfw{$key}[14] = $field14;
+ $configfwdfw{$key}[15] = $field15;
+ $configfwdfw{$key}[16] = $field16;
+ $configfwdfw{$key}[17] = '';
+ $configfwdfw{$key}[18] = '';
+ $configfwdfw{$key}[19] = '';
+ $configfwdfw{$key}[20] = '';
+ $configfwdfw{$key}[21] = '';
+ $configfwdfw{$key}[22] = '';
+ $configfwdfw{$key}[23] = '';
+ $configfwdfw{$key}[24] = '';
+ $configfwdfw{$key}[25] = '';
+ $configfwdfw{$key}[26] = $field26;
+ $configfwdfw{$key}[27] = $field27;
+ print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
+ }
+ &General::writehasharray($fwdfwconfig,\%configfwdfw);
+close (LOG);
+}
+
+sub check_ip
+{
+ my $adr=shift;
+ my $a;
+ #ip with subnet in decimal
+ if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ my $b = &General::iporsubtodec($5);
+ $a=$adr."/".$b;
+ }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ if(&General::validip($adr)){
+ $a=$adr."/32";
+ }
+ }
+ if(&General::validipandmask($adr)){
+ $a=&General::iporsubtodec($adr);
+ }
+ return $a;
+}
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index c930ad078..b835931c4 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -53,6 +53,7 @@ var/ipfire/forward/config
 var/ipfire/forward/input
 var/ipfire/forward/outgoing
 var/ipfire/forward/dmz
+var/ipfire/forward/net
 var/ipfire/forward/p2protocols
 var/ipfire/fwhosts
 var/ipfire/fwhosts/icmp-types
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index a8e4b79d3..fe6d23a8f 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -112,6 +112,8 @@ usr/sbin/ovpn-ccd-convert
 usr/sbin/firewall-policy
 usr/sbin/convert-xtaccess
 usr/sbin/convert-outgoingfw
+usr/sbin/convert-dmz
+usr/sbin/convert-portfw
 #usr/share
 #usr/share/doc
 #usr/share/doc/licenses
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 83917015e..e69e6ce9f 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -77,7 +77,7 @@ my %aliases=();
 my %optionsfw=();
 my %ifaces=();
-my $VERSION='0.9.9.0';
+my $VERSION='0.9.9.1';
 my $color;
 my $confignet = "${General::swroot}/fwhosts/customnetworks";
 my $confighost = "${General::swroot}/fwhosts/customhosts";
@@ -133,6 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
 $errormessage=&checksource;
 if(!$errormessage){&checktarget;}
 if(!$errormessage){&checkrule;}
+ #check if manual ip (source) is orange network
 if ($fwdfwsettings{'grp1'} eq 'src_addr'){
 my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
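Review bot: The enable flag in process_rules is sticky — `$field2` is a file-level variable that the loop only ever sets with `$field2=$e if($e eq 'ON');` and never clears, so once one old rule is enabled every following disabled rule is written to forward/dmz as enabled, silently opening DMZ holes the admin had switched off; assign it unconditionally, `$field2 = ($e eq 'ON') ? 'ON' : '';`. The `Processing`, `NOT Converted, invalid Source IP` and `Converted to` log lines interpolate `$Now` while the variable declared is `$now`, so those timestamps are empty, and the target check's two failure branches report `invalid Source IP $b` / `SOURCE IP INVALID` although they are rejecting `$c`; a `use strict; use warnings;` header would have caught the first and the target messages should name the target. `my @current` is declared twice, `@alias` and `%configdmz` are never used, and the read `my @current = ;` appears to have lost its `<FILE>` in this rendering — worth confirming against the checked-in file. In check_ip the first dotted-quad pattern uses unescaped `.`, so any separator character is accepted before the `int()` calls normalise it; `\.` as in the second pattern is what was intended.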
@@ -2034,7 +2035,7 @@ sub saverule
 #print"6";
 }
 #check if we change a DMZ to a FORWARD/DMZ
- elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
+ elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
 &changerule($configdmz);
 #print"7";
 }
diff --git a/lfs/configroot b/lfs/configroot
index 7e47881d3..58eb9d753 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -65,7 +65,7 @@ $(TARGET) :
 for i in auth/users backup/include.user backup/exclude.user \
 certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
 dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
- extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz \
+ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz forward/nat \
 fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
 isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
 ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
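Review bot: The added `&& $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'` condition is not self-explaining: it reads the rule's source through the grp1 indirection and now skips `&changerule($configdmz)` when that source is the ORANGE network, even though the chain has become FORWARDFW, and nothing in the hunk says why or where that rule goes instead. A comment above the elsif would save the next reader a trip, e.g. `#a DMZ rule whose source is the ORANGE network is kept as a DMZ rule even if the chain is FORWARDFW`. sub saverule starts and ends outside the hunk, so whether a later branch handles the ORANGE case or the rule is silently dropped cannot be seen here and should be checked.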
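Review bot: The new config file is named `forward/nat` here and in backup.pl (`-f "${General::swroot}/forward/nat"`), but the config/rootfiles/common/configroot hunk in this same commit adds `var/ipfire/forward/net`; one of the two is a typo, and as written the file this recipe creates is missing from the rootfile while a file nothing creates is listed. Since the recipe and backup.pl agree, the rootfile entry is the one to change: `var/ipfire/forward/net` should read `var/ipfire/forward/nat`.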
@@ -103,6 +103,8 @@ $(TARGET) :
 cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
 cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess
 cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw
+ cp $(DIR_SRC)/config/forwardfw/convert-dmz /usr/sbin/convert-dmz
+ cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw
 cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols
 cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
 cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy
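Review bot: `cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw` copies a file this commit does not add — the only new file in the diff is `config/forwardfw/convert-dmz` — so unless convert-portfw lands in a separate commit, the configroot build fails on the missing source, and the `usr/sbin/convert-portfw` rootfile entry and backup.pl's `system("/usr/sbin/convert-portfw")` point at nothing. Either include the script here or hold back the three references until it exists; a restore that reaches the PORTFORWARD block with the binary absent would otherwise `rmtree` the old portfw directory after a converter call that did nothing.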