From: Michael Tremer Date: Wed, 18 Feb 2009 22:31:23 +0000 (+0100) Subject: Worked a little bit on new firewall interface. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2534973b3229eea2f19350d92569cdef468e8c75;p=ipfire-3.x.git Worked a little bit on new firewall interface. --- diff --git a/src/firewall/firewall b/src/firewall/firewall index 6b00c6bc2..d5197bbae 100644 --- a/src/firewall/firewall +++ b/src/firewall/firewall @@ -57,7 +57,13 @@ function usage() { include functions while [ "$#" -gt 0 ]; do - case "$1" in + arg=$1 + shift + case "$arg" in + --debug|-d) + debug 1 + decho "Debug mode is enabled." + ;; --verbose|-v) verbose 1 vecho "${BOLD}Verbose mode is enabled.${NORMAL}" @@ -66,7 +72,7 @@ while [ "$#" -gt 0 ]; do shift case "$1" in mask2cidr) - mask_to_cidr $2 + mask_to_cidr $@ _exit $? ;; *) @@ -75,7 +81,7 @@ while [ "$#" -gt 0 ]; do esac ;; config) - config_load $2 + config_load $@ _exit $? ;; help|-h|--help) @@ -89,7 +95,7 @@ while [ "$#" -gt 0 ]; do ;; start) _start - _exit $? + _exit $@ ;; stop) ;; @@ -97,7 +103,6 @@ while [ "$#" -gt 0 ]; do usage ;; esac - shift done error "No command was given." diff --git a/src/firewall/functions b/src/firewall/functions index a7d17cfe1..91fd21cb7 100644 --- a/src/firewall/functions +++ b/src/firewall/functions @@ -19,6 +19,7 @@ # # ############################################################################### +DEBUG= VERBOSE= TMPDIR=$(mktemp -d) @@ -26,6 +27,21 @@ BOLD="\\033[1;39m" NORMAL="\\033[0;39m" ERROR="\\033[1;31m" +function debug() { + if [ -n "$1" ]; then + DEBUG=$1 + verbose $1 + return + else + if [ "$DEBUG" = "1" ]; then + return 0 + else + return 1 + fi + fi + +} + function verbose() { if [ -n "$1" ]; then VERBOSE=$1 @@ -39,6 +55,10 @@ function verbose() { fi } +function decho() { + debug && echo -e "${ERROR}$@${NORMAL}" +} + function vecho() { verbose && echo -e "$@" } 
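Review bot: The subcommand dispatch in this hunk now skips one argument too many: the outer loop already does `arg=$1` / `shift` (first hunk of this file), so the unchanged `shift` at the top of this hunk drops the subcommand word itself and `case "$1" in mask2cidr)` is matched against the mask rather than against `mask2cidr`, if that `shift` is the first statement of the arm as the context suggests. Move the shift to where the value is consumed: delete the leading `shift` and write `mask2cidr) shift; mask_to_cidr "$@"`. Quoting `"$@"` here, and in `config_load "$@"` in the next hunk, keeps arguments containing whitespace intact. The `while` loop enclosing this `case` starts and ends outside the hunk.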
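Review bot: `_exit $@` in the `start` arm hands `_exit` the remaining argument list instead of the exit status of `_start`, which looks like a slip for the `$?` it replaces; the other `_exit` calls in this file's hunks all take `$?`, and `_start` itself is invoked without arguments. Restore `_exit $?` so the status of `_start` (ultimately that of `iptables_commit`) is what the script exits with. The `while` loop enclosing this `case` starts and ends outside the hunk.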
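Review bot: `debug()` is both a setter and a predicate and additionally switches verbose mode on through `verbose $1`, and none of that is stated anywhere, so `-d` silently implying `-v` will surprise the next reader. A short header comment would fix that, e.g. `# debug [LEVEL]: with an argument set DEBUG and VERBOSE to LEVEL; without one, return 0 iff DEBUG is 1`. Quote the pass-through as `verbose "$1"` for consistency with the `-n "$1"` test above it, and the blank line before the closing brace can go.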
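Review bot: `decho` writes debug output to stdout through `echo -e`, so backslash sequences inside a message are interpreted and the text is interleaved with data the script deliberately puts on stdout (`iptables_commit` dumps `$IPTABLES_FILE` there in debug mode). Send diagnostics to stderr and pass the message as data rather than as an escape-bearing string: `debug && printf '%b%s%b\n' "$ERROR" "$*" "$NORMAL" >&2`. Reusing the `$ERROR` colour for ordinary debug chatter also makes real errors harder to spot; a distinct colour constant next to `BOLD`/`NORMAL`/`ERROR` would keep them apart.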
@@ -71,7 +91,9 @@ include functions.zones function _start() { firewall_init - zones_init - zones_add green0 + zones_local_add + + # Need to get all zones here + iptables_commit } diff --git a/src/firewall/functions.firewall b/src/firewall/functions.firewall index 92bae2836..90aae81ed 100644 --- a/src/firewall/functions.firewall +++ b/src/firewall/functions.firewall @@ -20,6 +20,7 @@ ############################################################################### function firewall_init() { + decho "Initializing firewall interface." iptables_init firewall_tcp_state_flags firewall_connection_tracking diff --git a/src/firewall/functions.iptables b/src/firewall/functions.iptables index a362888ca..c6f1dafa1 100644 --- a/src/firewall/functions.iptables +++ b/src/firewall/functions.iptables @@ -26,6 +26,7 @@ function iptables() { } function iptables_flush() { + decho "Flushing iptables" : # TODO } @@ -41,7 +42,8 @@ function iptables_init() { function iptables_commit() { vecho "Committing firewall configuration." iptables "COMMIT" - verbose && cat $IPTABLES_FILE + decho "Dumping iptables output" + debug && cat $IPTABLES_FILE #iptables-restore < $IPTABLES_FILE } diff --git a/src/firewall/functions.macros b/src/firewall/functions.macros index 2b0f6e143..ac37ce121 100644 --- a/src/firewall/functions.macros +++ b/src/firewall/functions.macros @@ -21,9 +21,7 @@ function macro() { local file - file=$1 - - vecho "Parsing macro: $file" + file="macros/$1" if _config_is_sqlite $file; then macro_sqlite $file @@ -63,3 +61,15 @@ function macro_parse() { [ -n "$STRING" ] && echo $STRING done } + +function macro_add() { + local file + local line + + file=$1 + shift + + macro $file | while read line; do + iptables $line $@ + done +} diff --git a/src/firewall/functions.zones b/src/firewall/functions.zones index 8f2e3ee12..c2d4752e0 100644 --- a/src/firewall/functions.zones +++ b/src/firewall/functions.zones 
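Review bot: After this hunk `_start` sets up only the local zone and commits, and nothing in this diff calls the new `zones_green_add`, `zones_blue_add`, `zones_orange_add` or `zones_management_init`, so the committed ruleset carries no interface zone chains until the `# Need to get all zones here` TODO is resolved. If that is an intended stepping stone, make the TODO say where the zone list will come from, e.g. `# TODO(name): enumerate configured zones and call zones_<colour>_add for each`, so the removal of `zones_add green0` does not read as accidental. `firewall_init` above is outside the hunk.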
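Review bot: `debug && cat $IPTABLES_FILE` is the last command of `iptables_commit` (the line after it is a comment), so the function returns 1 whenever debug mode is off, exactly as the `verbose &&` line it replaces did, and `_start`, whose last statement is `iptables_commit`, inherits that failure status on the normal path. End the function with an explicit `return 0`, or write the dump as `if debug; then cat -- "$IPTABLES_FILE"; fi`, which also quotes the path. The `decho "Dumping iptables output"` line above it then fits naturally inside the same `if`.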
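Review bot: `file="macros/$1"` resolves the macro relative to the caller's working directory rather than to the firewall tree, so `macro` finds `macros/DHCP` only when the script is started from `src/firewall`; the removed `vecho "Parsing macro: $file"` was also the only trace of which file was loaded. Anchor the path on a directory constant defined next to `TMPDIR` in `functions` (name to be chosen, e.g. `MACRO_DIR`), `file="${MACRO_DIR:?}/$1"`, and reject a macro name containing `/` before building the path, since `$1` becomes a path component without any check. The rest of `macro` continues below the hunk.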
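Review bot: `read line` in `macro_add` has no `-r`, so a backslash in a macro row is consumed or joined with the following field before the row reaches `iptables`, and `$@` is passed unquoted so any extra argument containing whitespace is re-split. Use `macro "$file" | while read -r line; do` and `iptables $line "$@"`; leaving `$line` unquoted is what splits the macro row into separate arguments, so that part stays as it is. Whether the `iptables` wrapper accepts several words, as it is given here, and also the single string `zones_management_insert` passes it, depends on `function iptables()` in functions.iptables, whose body is outside this diff.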
@@ -19,30 +19,50 @@ # # ############################################################################### +include zones.blue +include zones.green include zones.local +include zones.orange +include zones.management -function zones_init() { - - zones_local_init - -} - -function zones_add() { +function zones_global_add() { local device local name device=$1 + + decho "Adding zone \"$device\"" zones_exists $device || error "Zone $device does not exist." name=$(uppercase "ZONE_$device") chain_create $name + iptables -A INPUT -i $device -j $name iptables -A FORWARD -i $device -j $name iptables -A FORWARD -o $device -j $name - + iptables -A OUTPUT -o $device -j $name + + # Leave some space for own rules chain_create ${name}_CUSTOM iptables -A $name -j ${name}_CUSTOM + + # Policy rules + chain_create ${name}_POLICY + iptables -A $name -j ${name}_POLICY + + # Intrusion Preventions System + chain_create ${name}_IPS + iptables -A $name -i $device -j ${name}_IPS + + # Portforwaring + chain_create ${name}_PORTFW + iptables -A $name -i $device -j ${name}_PORTFW + + # Outgoing firewall + chain_create ${name}_OUTFW + iptables -A $name -o $device -j ${name}_OUTFW } function zones_exists() { + decho "Checking if zone $1 exists." cmd_quiet ip link show $1 } diff --git a/src/firewall/macros/DHCP b/src/firewall/macros/DHCP new file mode 100644 index 000000000..914f90a08 --- /dev/null +++ b/src/firewall/macros/DHCP @@ -0,0 +1,5 @@ +# IPFire Macro +# This macro handles the dynamic host configuration protocol. +# ACTION SRC DST PROTO SRC_PORT DST_PORT RATE +CUSTOM - - tcp 68 67 +CUSTOM - - udp 68 67 diff --git a/src/firewall/zones.blue b/src/firewall/zones.blue new file mode 100644 index 000000000..012786cd9 --- /dev/null +++ b/src/firewall/zones.blue 
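Review bot: `zones_global_add` ends the per-zone chain after the five sub-chain jumps without a terminating rule, so traffic that none of `_CUSTOM`, `_POLICY`, `_IPS`, `_PORTFW` and `_OUTFW` decides returns to INPUT/FORWARD/OUTPUT and is handled by whatever default policy `iptables_init` sets, which is outside this diff; if a per-zone default is intended it belongs here as a final `iptables -A $name -j <target>`, otherwise a comment stating that fall-through is deliberate would help. The section comments have typos, `# Intrusion Prevention System` and `# Port forwarding`, and `$device` comes straight from the caller, so `zones_exists "$device"` is worth quoting even though interface names rarely contain whitespace. A header comment such as `# zones_global_add DEVICE: create the ZONE_<DEVICE> chain tree and hook it into INPUT/FORWARD/OUTPUT` would record the layout the zone files added in this commit depend on.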
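Review bot: The `CUSTOM - - tcp 68 67` row has no counterpart in the protocol: DHCP (RFC 2131) is carried over UDP only, so the TCP row produces an accept rule for a port no DHCP server listens on and should be dropped, leaving `CUSTOM - - udp 68 67`. Both data rows also omit the `RATE` column announced in the header; either remove the column from the header or state in the comment that trailing columns may be left empty, so readers of `macro_parse` know what the format guarantees.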
@@ -0,0 +1,42 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+function zones_blue_add() {
+ # $1 = device
+
+ zones_global_add $1
+ zones_policy_blue $1
+
+}
+
+function zones_policy_blue() {
+ local device
+ local name
+
+ device=$1
+ name=$(uppercase "$device")
+
+ # Accept dhcp traffic
+ macro_add DHCP -A ${name}_POLICY -i ${device} -j ACCEPT
+
+ # Mac filter
+ : # TODO
+}
diff --git a/src/firewall/zones.green b/src/firewall/zones.green
new file mode 100644
index 000000000..a3877279e
--- /dev/null
+++ b/src/firewall/zones.green
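Review bot: `zones_policy_blue` appends to `${name}_POLICY` with `name=$(uppercase "$device")`, but `zones_global_add` creates that chain as `$(uppercase "ZONE_$device")_POLICY`, so for a device `blue0` the DHCP rule targets `BLUE0_POLICY` while the chain that exists is `ZONE_BLUE0_POLICY` (unless `uppercase` does more than case-fold, which its name does not suggest). Use `name=$(uppercase "ZONE_$device")` here; `zones_policy_green` has the same mismatch with its bare `${device}_POLICY`, and `zones_policy_orange` will inherit it once its TODO is filled. A small helper in functions.zones that returns the chain name for a device would keep the four files from drifting apart again.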
@@ -0,0 +1,38 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +function zones_green_add() { + # $1 = device + + zones_global_add $1 + zones_policy_green $1 + +} + +function zones_policy_green() { + local device + + device=$1 + + # Accept any traffic from green + iptables -A ${device}_POLICY -i $device -j ACCEPT + +} diff --git a/src/firewall/zones.local b/src/firewall/zones.local index eb7a3ef40..82c2e56c9 100644 --- a/src/firewall/zones.local +++ b/src/firewall/zones.local @@ -19,7 +19,9 @@ # # ############################################################################### -function zones_local_init() { +function zones_local_add() { + + decho "Adding zone \"local\"" # Accept everything on lo iptables -A INPUT -i lo -j ACCEPT diff --git a/src/firewall/zones.management b/src/firewall/zones.management new file mode 100644 index 000000000..303138da4 --- /dev/null +++ b/src/firewall/zones.management 
@@ -0,0 +1,33 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+function zones_management_init() {
+
+ chain_create MANAGEMENT
+ # Add rules for management hosts/subnets here
+
+}
+
+function zones_management_insert() {
+
+ iptables "-A $1 -j MANAGEMENT"
+
+}
diff --git a/src/firewall/zones.orange b/src/firewall/zones.orange
new file mode 100644
index 000000000..55f5acc2d
--- /dev/null
+++ b/src/firewall/zones.orange
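Review bot: `zones_management_insert` passes the whole rule as one word, `iptables "-A $1 -j MANAGEMENT"`, whereas every other new call site in this commit passes separate words (`iptables -A INPUT -i $device -j $name`); whether both forms work depends on `function iptables()` in functions.iptables, whose body is outside this diff, so settle on one convention and use it here, e.g. `iptables -A "$1" -j MANAGEMENT`. Neither `zones_management_init` nor `zones_management_insert` is called anywhere in the diff and the MANAGEMENT chain is created empty, so the file currently documents an intent rather than a behaviour; a header comment naming where the management rules are meant to come from and which chains are expected to call `zones_management_insert` would make that explicit.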
@@ -0,0 +1,38 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2009 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+function zones_orange_add() {
+ # $1 = device
+
+ zones_global_add $1
+ zones_policy_orange $1
+
+}
+
+function zones_policy_orange() {
+ local device
+ local name
+
+ device=$1
+ name=$(uppercase "$device")
+
+ : # TODO
+}
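Review bot: `zones_policy_orange` computes `name=$(uppercase "$device")` and then never uses it, and when the TODO is filled that value will not match the `ZONE_`-prefixed chains `zones_global_add` creates; either drop the two unused locals until rules exist, or switch to `name=$(uppercase "ZONE_$device")` now so the stub already follows the global chain layout. Until then an orange device gets the full chain tree with an empty `_POLICY` chain and falls through to the global chains, which the TODO should say: `: # TODO(name): orange policy; currently falls through to the global chains`.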