Forward Firewall: added dmz-converter.

Also extended the backup.pl script to support old backups. It is now possible to restore old backups into the new firewall. On restore, all config files of the new firewall are destroyed and the four converters recreate them.
This commit is contained in:
Alexander Marx
2013-04-02 05:40:50 +02:00
committed by Michael Tremer
parent 829697d076
commit a60dbb4b6a
6 changed files with 225 additions and 9 deletions


@@ -64,25 +64,63 @@ elsif ($ARGV[0] eq 'restore') {
system("cd / && tar -xvz -p -f /tmp/restore.ipf");
#Here some converter scripts to correct old Backups (before core 65)
system("/usr/sbin/ovpn-ccd-convert");
#OUTGOINGFW CONVERTER
if( -d "${General::swroot}/outgoing"){
if( -f "${General::swroot}/forward/config" ){
unlink("${General::swroot}/forward/config");
system("touch ${General::swroot}/forward/config");
chown 99,99,"${General::swroot}/forward/config";
}
if( -f "${General::swroot}/forward/input" ){
unlink("${General::swroot}/forward/input");
system("touch ${General::swroot}/forward/input");
chown 99,99,"${General::swroot}/forward/input";
}
if( -f "${General::swroot}/forward/outgoing" ){
unlink("${General::swroot}/forward/outgoing");
system("touch ${General::swroot}/forward/outgoing");
chown 99,99,"${General::swroot}/forward/outgoing";
}
unlink("${General::swroot}/fwhosts/*");
system("touch ${General::swroot}/fwhosts/customgroups");
system("touch ${General::swroot}/fwhosts/customhosts");
system("touch ${General::swroot}/fwhosts/customnetworks");
system("touch ${General::swroot}/fwhosts/customservicegrp");
system("touch ${General::swroot}/fwhosts/customservices");
chown 99,99,"${General::swroot}/fwhosts/*";
#START CONVERTER "OUTGOINGFW"
system("/usr/sbin/convert-outgoingfw");
rmtree("${General::swroot}/outgoing");
system("/usr/local/bin/forwrdfwctrl");
}
#XTACCESS CONVERTER
if( -d "${General::swroot}/xtaccess"){
if( -f "${General::swroot}/forward/input" ){
unlink("${General::swroot}/forward/input");
system("touch ${General::swroot}/forward/input");
chown 99,99,"${General::swroot}/forward/input";
}
#START CONVERTER "XTACCESS"
system("/usr/sbin/convert-xtaccess");
rmtree("${General::swroot}/xtaccess");
}
#DMZ-HOLES CONVERTER
if( -d "${General::swroot}/dmz-holes"){
if( -f "${General::swroot}/forward/dmz" ){
unlink("${General::swroot}/forward/dmz");
system("touch ${General::swroot}/forward/dmz");
chown 99,99,"${General::swroot}/forward/dmz";
}
#START CONVERTER "DMZ-HOLES"
system("/usr/sbin/convert-dmz");
rmtree("${General::swroot}/xtaccess");
}
#PORTFORWARD CONVERTER
if( -d "${General::swroot}/portfw"){
if( -f "${General::swroot}/forward/nat" ){
unlink("${General::swroot}/forward/nat");
system("touch ${General::swroot}/forward/nat");
chown 99,99,"${General::swroot}/forward/nat";
}
#START CONVERTER "PORTFW"
system("/usr/sbin/convert-portfw");
rmtree("${General::swroot}/portfw");
}
system("/usr/local/bin/forwardfwctrl");
}
elsif ($ARGV[0] eq 'restoreaddon') {
if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");}
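Review bot: The dmz-holes branch cleans up the wrong directory: after `system("/usr/sbin/convert-dmz")` it calls `rmtree("${General::swroot}/xtaccess")`, so the old dmz-holes tree survives the restore and the line should be `rmtree("${General::swroot}/dmz-holes");` to match the `-d` guard above it. That guard tests `${General::swroot}/dmz-holes` whereas convert-dmz in this same commit opens `${General::swroot}/dmzholes/config`, so one of the two spellings is wrong and the converter either never runs or dies on open; worth confirming against the old backup layout. If `unlink("${General::swroot}/fwhosts/*")` and the matching `chown` are new here, note that neither builtin expands `*`, so those files are neither removed nor re-owned (a `glob` is needed). The `forwrdfwctrl` path in the outgoing block also looks like a typo for the `forwardfwctrl` call at the end of the branch. The enclosing `elsif ($ARGV[0] eq 'restore')` block starts before the hunk and the `restoreaddon` branch continues after it.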

172
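--- /dev/null
+++ b/config/forwardfw/convert-dmz
@@ -0,0 +1,172 @@
+#!/usr/bin/perl
+########################################################################
+# Script: convert-dmz
+# Date: 03.04.2013
+# Author: Alexander Marx (amarx@ipfire.org)
+########################################################################
+#
+# This script converts old dmz holes rules from old Firewall
+# to the new one. This is a 2-step process.
+# STEP1: read old config and normalize settings
+# STEP2: check valid ip and save valid rules to new firewall
+#
+########################################################################
+my @current=();
+my @alias=();
+my %configdmz=();
+my %ifaces=();
+my %configfwdfw=();
+require '/var/ipfire/general-functions.pl';
+my $dmzconfig = "${General::swroot}/dmzholes/config";
+my $fwdfwconfig = "${General::swroot}/forward/dmz";
+my $ifacesettings = "${General::swroot}/ethernet/settings";
+my $field0 = 'ACCEPT';
+my $field1 = 'FORWARDFW';
+my $field2 = ''; #ON or emtpy
+my $field3 = ''; #std_net_src or src_addr
+my $field4 = ''; #ALL or IP-Address with /32
+my $field5 = ''; #std_net_tgt or tgt_addr
+my $field6 = ''; #IP or network name
+my $field11 = 'ON'; #use target port
+my $field12 = ''; #TCP or UDP
+my $field13 = 'All ICMP-Types';
+my $field14 = 'TGT_PORT';
+my $field15 = ''; #Port Number
+my $field16 = ''; #remark
+my $field26 = '00:00';
+my $field27 = '00:00';
+open(FILE, $dmzconfig) or die 'Unable to open config file.';
+my @current = <FILE>;
+close(FILE);
+#open LOGFILE
+open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
+&General::readhash($ifacesettings, \%ifaces);
+&General::readhasharray($fwdfwconfig,\%configfwdfw);
+&process_rules;
+sub process_rules{
+foreach my $line (@current){
+my $now=localtime;
+#get values from old configfile
+my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
+$h =~ s/\s//gi;
+print LOG "$Now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+#Now convert values and check ip addresses
+$a=uc($a);
+$e=uc($e);
+$field2=$e if($e eq 'ON');
+#SOURCE IP-check
+$b=&check_ip($b);
+if (&General::validipandmask($b)){
+#When ip valid, check if we have a network
+my ($ip,$subnet) = split ("/",$b);
+if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
+$field3='std_net_src';
+$field4='ORANGE';
+}elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+$field3='std_net_src';
+$field4='BLUE';
+}elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
+$field3='src_addr';
+$field4=$b;
+}elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
+$field3='src_addr';
+$field4=$b;
+}else{
+print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n";
+next;
+}
+}else{
+print LOG "$now -> SOURCE IP INVALID. \n\n";
+next;
+}
+#TARGET IP-check
+$c=&check_ip($c);
+if (&General::validipandmask($c)){
+my $now=localtime;
+#When ip valid, check if we have a network
+my ($ip,$subnet) = split ("/",$c);
+if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
+$field5='std_net_tgt';
+$field6='GREEN';
+}elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+$field5='std_net_tgt';
+$field6='BLUE';
+}elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
+$field5='tgt_addr';
+$field6=$c;
+}elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
+$field5='tgt_addr';
+$field6=$c;
+}else{
+print LOG "$Now ->NOT Converted, invalid Source IP $b\n\n";
+next;
+}
+}else{
+print LOG "$now -> SOURCE IP INVALID. \n\n";
+next;
+}
+$field12=$a;
+#convert portrange
+$d =~ tr/-/:/;
+$field15=$d;
+$field16=$h;
+##Ausgabe
+#print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+#print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n";
+my $key = &General::findhasharraykey (\%configfwdfw);
+foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
+$configfwdfw{$key}[0] = $field0;
+$configfwdfw{$key}[1] = $field1;
+$configfwdfw{$key}[2] = $field2;
+$configfwdfw{$key}[3] = $field3;
+$configfwdfw{$key}[4] = $field4;
+$configfwdfw{$key}[5] = $field5;
+$configfwdfw{$key}[6] = $field6;
+$configfwdfw{$key}[7] = '';
+$configfwdfw{$key}[8] = '';
+$configfwdfw{$key}[9] = '';
+$configfwdfw{$key}[10] = '';
+$configfwdfw{$key}[11] = $field11;
+$configfwdfw{$key}[12] = $field12;
+$configfwdfw{$key}[13] = $field13;
+$configfwdfw{$key}[14] = $field14;
+$configfwdfw{$key}[15] = $field15;
+$configfwdfw{$key}[16] = $field16;
+$configfwdfw{$key}[17] = '';
+$configfwdfw{$key}[18] = '';
+$configfwdfw{$key}[19] = '';
+$configfwdfw{$key}[20] = '';
+$configfwdfw{$key}[21] = '';
+$configfwdfw{$key}[22] = '';
+$configfwdfw{$key}[23] = '';
+$configfwdfw{$key}[24] = '';
+$configfwdfw{$key}[25] = '';
+$configfwdfw{$key}[26] = $field26;
+$configfwdfw{$key}[27] = $field27;
+print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
+}
+&General::writehasharray($fwdfwconfig,\%configfwdfw);
+close (LOG);
+}
+sub check_ip
+{
+my $adr=shift;
+my $a;
+#ip with subnet in decimal
+if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
+$adr=int($1).".".int($2).".".int($3).".".int($4);
+my $b = &General::iporsubtodec($5);
+$a=$adr."/".$b;
+}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+$adr=int($1).".".int($2).".".int($3).".".int($4);
+if(&General::validip($adr)){
+$a=$adr."/32";
+}
+}
+if(&General::validipandmask($adr)){
+$a=&General::iporsubtodec($adr);
+}
+return $a;
+}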
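Review bot: The log timestamps are empty on three of the `print LOG` lines because they interpolate `$Now` while the variable declared in the loop is `my $now`; without `use strict` the undeclared `$Now` is just a silent, never-assigned package global. Replace `$Now` with `$now` on the `Processing`, `NOT Converted, invalid Source IP` and `Converted to` lines, and since the file has no strictures add `use strict; use warnings;` after the shebang, which would have caught the typo at compile time. The two messages in the target-IP branch are copied from the source branch and mislead whoever reads the conversion log to find out which rules were dropped from the restored ruleset; they should read `print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n";` and `print LOG "$now -> TARGET IP INVALID. \n\n";`. In check_ip the first pattern separates the octets with an unescaped `.`, which matches any character, so `\.` is intended there, and `$h =~ s/\s//gi` strips every space inside the remark rather than only the trailing newline, which is presumably not what was meant (`chomp $h` if so).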


@@ -53,6 +53,7 @@ var/ipfire/forward/config
var/ipfire/forward/input
var/ipfire/forward/outgoing
var/ipfire/forward/dmz
var/ipfire/forward/net
var/ipfire/forward/p2protocols
var/ipfire/fwhosts
var/ipfire/fwhosts/icmp-types


@@ -112,6 +112,8 @@ usr/sbin/ovpn-ccd-convert
usr/sbin/firewall-policy
usr/sbin/convert-xtaccess
usr/sbin/convert-outgoingfw
usr/sbin/convert-dmz
usr/sbin/convert-portfw
#usr/share
#usr/share/doc
#usr/share/doc/licenses


@@ -77,7 +77,7 @@ my %aliases=();
my %optionsfw=();
my %ifaces=();
my $VERSION='0.9.9.0';
my $VERSION='0.9.9.1';
my $color;
my $confignet = "${General::swroot}/fwhosts/customnetworks";
my $confighost = "${General::swroot}/fwhosts/customhosts";
@@ -133,6 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
$errormessage=&checksource;
if(!$errormessage){&checktarget;}
if(!$errormessage){&checkrule;}
#check if manual ip (source) is orange network
if ($fwdfwsettings{'grp1'} eq 'src_addr'){
my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
@@ -2034,7 +2035,7 @@ sub saverule
#print"6";
}
#check if we change a DMZ to a FORWARD/DMZ
elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
&changerule($configdmz);
#print"7";
}
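Review bot: The comment `#check if we change a DMZ to a FORWARD/DMZ` above the modified `elsif` in saverule no longer describes the condition, which now additionally requires that the source (`$fwdfwsettings{$fwdfwsettings{'grp1'}}`) is not `ORANGE`; suggest `#DMZ rule becomes a FORWARD/DMZ rule unless the source is still the ORANGE network`. What happens to a DMZ rule whose source stays ORANGE is decided by the branches after this hunk, so that fallthrough cannot be checked here. The double subscript `$fwdfwsettings{$fwdfwsettings{'grp1'}}` recurs throughout this chain; binding it once to a named scalar near the top of saverule would make conditions like this one readable. The sub saverule starts before the hunk and continues after it.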


@@ -65,7 +65,7 @@ $(TARGET) :
for i in auth/users backup/include.user backup/exclude.user \
certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz \
extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz forward/nat \
fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
@@ -103,6 +103,8 @@ $(TARGET) :
cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess
cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw
cp $(DIR_SRC)/config/forwardfw/convert-dmz /usr/sbin/convert-dmz
cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw
cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols
cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy