include functions
while [ "$#" -gt 0 ]; do
- case "$1" in
+ arg=$1
+ shift
+ case "$arg" in
+ --debug|-d)
+ debug 1
+ decho "Debug mode is enabled."
+ ;;
--verbose|-v)
verbose 1
vecho "${BOLD}Verbose mode is enabled.${NORMAL}"
shift
case "$1" in
mask2cidr)
- mask_to_cidr $2
+ mask_to_cidr $@
_exit $?
;;
*)
esac
;;
config)
- config_load $2
+ config_load $@
_exit $?
;;
help|-h|--help)
;;
start)
_start
- _exit $?
+ _exit $@
;;
stop)
;;
usage
;;
esac
- shift
done
error "No command was given."
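Review bot: `_exit $@` in the `start` branch replaces `_exit $?`, so the exit status of `_start` is discarded and whatever arguments are left on the command line are handed to `_exit` instead; a failed firewall build would then exit with a status unrelated to the failure. Keep `_exit $?` there — it is the one branch where the remaining positionals are not the command's arguments — and quote the pass-throughs as `mask_to_cidr "$@"` / `config_load "$@"` so arguments containing spaces or glob characters survive. The `shift` still present in the `--verbose` branch also looks like a leftover from the old bottom-of-loop `shift`: with `arg=$1; shift` now done at the top, it would consume the subcommand that follows `--verbose`, assuming that line is still inside the branch.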
# #
###############################################################################
+DEBUG=
VERBOSE=
TMPDIR=$(mktemp -d)
NORMAL="\\033[0;39m"
ERROR="\\033[1;31m"
+function debug() {
+ if [ -n "$1" ]; then
+ DEBUG=$1
+ verbose $1
+ return
+ else
+ if [ "$DEBUG" = "1" ]; then
+ return 0
+ else
+ return 1
+ fi
+ fi
+
+}
+
function verbose() {
if [ -n "$1" ]; then
VERBOSE=$1
fi
}
+function decho() {
+ debug && echo -e "${ERROR}$@${NORMAL}"
+}
+
function vecho() {
verbose && echo -e "$@"
}
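Review bot: `decho` and `vecho` write diagnostics to stdout, so enabling debug mode injects text into any caller whose stdout is captured — `macro_add` in this commit pipes `macro`'s output straight into `iptables`, and the `vecho` in `macro` had to be removed for that reason. Send both to stderr and avoid `echo -e` on message text that can include device names from argv: `debug && printf '%b%s%b\n' "$ERROR" "$*" "$NORMAL" >&2` and `verbose && printf '%b\n' "$*" >&2`. The new `debug()` checks `$DEBUG` when called without an argument, but the unchanged `verbose()` has no such query path (its `if` with no else returns 0), so `vecho` prints regardless of VERBOSE — worth mirroring the `[ "$DEBUG" = "1" ]` check there. `debug 1` also enables verbose as a side effect via `verbose 1`; a one-line comment on `debug()` saying so would help.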
function _start() {
firewall_init
- zones_init
- zones_add green0
+ zones_local_add
+
+ # Need to get all zones here
+
iptables_commit
}
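Review bot: `_start` now calls `zones_local_add` and then `iptables_commit` with the per-zone setup reduced to a TODO, so the committed ruleset contains only the loopback rules; whether that leaves the host open or closed depends on the default policies set in `iptables_init`, which are not visible here, and the comment should say which it is. None of the three steps' return values is checked, so `_start`'s status is simply `iptables_commit`'s. Suggest `firewall_init || return` and `zones_local_add || return` before the commit so a failed init never reaches `iptables_commit`.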
###############################################################################
function firewall_init() {
+ decho "Initializing firewall interface."
iptables_init
firewall_tcp_state_flags
firewall_connection_tracking
}
function iptables_flush() {
+ decho "Flushing iptables"
: # TODO
}
function iptables_commit() {
vecho "Committing firewall configuration."
iptables "COMMIT"
- verbose && cat $IPTABLES_FILE
+ decho "Dumping iptables output"
+ debug && cat $IPTABLES_FILE
#iptables-restore < $IPTABLES_FILE
}
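Review bot: `debug && cat $IPTABLES_FILE` leaves the path unquoted and without `--`; since the file lives under a `mktemp -d` directory a space is unlikely, but `cat -- "$IPTABLES_FILE"` costs nothing. The `iptables-restore < $IPTABLES_FILE` line is still commented out, so `iptables_commit` announces "Committing firewall configuration." without applying anything — a `# NOTE: dry run, restore disabled` comment next to it would stop a reader from assuming the rules are live.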
function macro() {
local file
- file=$1
-
- vecho "Parsing macro: $file"
+ file="macros/$1"
if _config_is_sqlite $file; then
macro_sqlite $file
[ -n "$STRING" ] && echo $STRING
done
}
+
+function macro_add() {
+ local file
+ local line
+
+ file=$1
+ shift
+
+ macro $file | while read line; do
+ iptables $line $@
+ done
+}
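Review bot: `macro_add` reads macro lines with a bare `read`, which strips backslashes, and expands `$line` unquoted so any `*` or `?` in a macro file is globbed against the current directory before it reaches `iptables`; `$@` is unquoted as well. Use `macro "$file" | while IFS= read -r line; do iptables $line "$@"; done`, note in a comment that the word-splitting of `$line` is deliberate, and disable globbing around it (`set -f` … `set +f`). The `file="macros/$1"` path in `macro` is relative to the working directory, so which macro is loaded depends on where the script is launched from — anchor it to the script's own directory or a configured base path.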
# #
###############################################################################
+include zones.blue
+include zones.green
include zones.local
+include zones.orange
+include zones.management
-function zones_init() {
-
- zones_local_init
-
-}
-
-function zones_add() {
+function zones_global_add() {
local device
local name
device=$1
+
+ decho "Adding zone \"$device\""
zones_exists $device || error "Zone $device does not exist."
name=$(uppercase "ZONE_$device")
chain_create $name
+ iptables -A INPUT -i $device -j $name
iptables -A FORWARD -i $device -j $name
iptables -A FORWARD -o $device -j $name
-
+ iptables -A OUTPUT -o $device -j $name
+
+ # Leave some space for own rules
chain_create ${name}_CUSTOM
iptables -A $name -j ${name}_CUSTOM
+
+ # Policy rules
+ chain_create ${name}_POLICY
+ iptables -A $name -j ${name}_POLICY
+
+ # Intrusion Preventions System
+ chain_create ${name}_IPS
+ iptables -A $name -i $device -j ${name}_IPS
+
+ # Portforwaring
+ chain_create ${name}_PORTFW
+ iptables -A $name -i $device -j ${name}_PORTFW
+
+ # Outgoing firewall
+ chain_create ${name}_OUTFW
+ iptables -A $name -o $device -j ${name}_OUTFW
}
function zones_exists() {
+ decho "Checking if zone $1 exists."
cmd_quiet ip link show $1
}
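Review bot: The chain order built in `zones_global_add` is CUSTOM → POLICY → IPS → PORTFW → OUTFW, so any packet the POLICY chain ACCEPTs never reaches `${name}_IPS`; with `zones_policy_green` accepting everything from the device, the IPS hook is dead for that zone. Jump to `${name}_IPS` before `${name}_POLICY`, or have the policy chains RETURN rather than ACCEPT, if IPS is meant to inspect permitted traffic. `zones_exists $device` and the `ip link show $1` behind it pass the device unquoted; `"$device"` / `"$1"` keeps a malformed zone name from becoming extra arguments. The comments `Intrusion Preventions System` and `Portforwaring` have typos.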
--- /dev/null
+# IPFire Macro
+# This macro handles the dynamic host configuration protocol.
+# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE
+CUSTOM - - tcp 68 67
+CUSTOM - - udp 68 67
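Review bot: DHCP (RFC 2131) runs over UDP only, so the `tcp 68 67` row opens tcp/67 on the firewall from any host on the zone for a protocol that never uses it; with `zones_policy_blue` jumping to ACCEPT on this macro that is a needless listening-port exposure — drop the TCP row. The header documents a RATE column that neither row fills, so the parser presumably treats it as optional; a `# RATE is optional` comment would make the format explicit.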
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+function zones_blue_add() {
+ # $1 = device
+
+ zones_global_add $1
+ zones_policy_blue $1
+
+}
+
+function zones_policy_blue() {
+ local device
+ local name
+
+ device=$1
+ name=$(uppercase "$device")
+
+ # Accept dhcp traffic
+ macro_add DHCP -A ${name}_POLICY -i ${device} -j ACCEPT
+
+ # Mac filter
+ : # TODO
+}
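Review bot: `zones_policy_blue` builds the chain name as `$(uppercase "$device")_POLICY`, but `zones_global_add` in this commit creates it as `$(uppercase "ZONE_$device")_POLICY`, so for device `blue0` the rule targets `BLUE0_POLICY` while the chain that exists is `ZONE_BLUE0_POLICY`. Use `name=$(uppercase "ZONE_$device")` here, or expose one helper that both sides call so the naming cannot drift. Until the MAC filter TODO lands the blue policy accepts DHCP and everything else falls through to the chains after POLICY; the comment should say so.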
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+function zones_green_add() {
+ # $1 = device
+
+ zones_global_add $1
+ zones_policy_green $1
+
+}
+
+function zones_policy_green() {
+ local device
+
+ device=$1
+
+ # Accept any traffic from green
+ iptables -A ${device}_POLICY -i $device -j ACCEPT
+
+}
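Review bot: `iptables -A ${device}_POLICY -i $device -j ACCEPT` uses the raw device name, so for `green0` it appends to `green0_POLICY`, whereas `zones_global_add` creates the chain as `ZONE_GREEN0_POLICY` (uppercased, `ZONE_` prefix) and `zones_policy_blue` at least uppercases — the rule targets a chain that does not exist. Derive the name the same way: `name=$(uppercase "ZONE_$device")` then `iptables -A "${name}_POLICY" -i "$device" -j ACCEPT`. Accepting all traffic from green is presumably intended for the trusted LAN, but because POLICY precedes IPS in the zone chain this makes green traffic bypass IPS entirely, which deserves a comment.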
# #
###############################################################################
-function zones_local_init() {
+function zones_local_add() {
+
+ decho "Adding zone \"local\""
# Accept everything on lo
iptables -A INPUT -i lo -j ACCEPT
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+function zones_management_init() {
+
+ chain_create MANAGEMENT
+ # Add rules for management hosts/subnets here
+
+}
+
+function zones_management_insert() {
+
+ iptables "-A $1 -j MANAGEMENT"
+
+}
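Review bot: `zones_management_insert` appends `-j MANAGEMENT` to whatever chain is named in `$1` without checking that the argument is non-empty or that `zones_management_init` has created the chain; nothing visible in this commit calls either function, so a future caller can easily produce a restore-time error about a missing chain. Guard it with `[ -n "$1" ] || error "zones_management_insert: no chain given"`. The single-string form `iptables "-A $1 -j MANAGEMENT"` also differs from the word-per-argument form used elsewhere (`iptables -A INPUT -i lo -j ACCEPT`); that is fine if the `iptables` wrapper joins `$*`, which is not visible here, but the call style should be uniform.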
--- /dev/null
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+function zones_orange_add() {
+ # $1 = device
+
+ zones_global_add $1
+ zones_policy_orange $1
+
+}
+
+function zones_policy_orange() {
+ local device
+ local name
+
+ device=$1
+ name=$(uppercase "$device")
+
+ : # TODO
+}
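Review bot: `zones_policy_orange` computes `name=$(uppercase "$device")` and never uses it, and like the blue policy that form would not match the `ZONE_`-prefixed chain name `zones_global_add` creates; when the TODO is filled in, use `name=$(uppercase "ZONE_$device")`. Until then the orange POLICY chain is empty, so DMZ traffic falls through to IPS/PORTFW/OUTFW and finally to the INPUT/FORWARD default policy set in `iptables_init`, which is not visible here — the TODO comment should state the intended DMZ default so nobody mistakes the empty chain for an open or a closed policy.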