diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index b21716185..4ad7363fb 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -64,25 +64,63 @@ elsif ($ARGV[0] eq 'restore') {
  system("cd / && tar -xvz -p -f /tmp/restore.ipf");
  #Here some converter scripts to correct old Backups (before core 65)
  system("/usr/sbin/ovpn-ccd-convert");
+ #OUTGOINGFW CONVERTER
  if( -d "${General::swroot}/outgoing"){
  if( -f "${General::swroot}/forward/config" ){
  unlink("${General::swroot}/forward/config");
  system("touch ${General::swroot}/forward/config");
  chown 99,99,"${General::swroot}/forward/config";
  }
- if( -f "${General::swroot}/forward/input" ){
- unlink("${General::swroot}/forward/input");
- system("touch ${General::swroot}/forward/input");
- chown 99,99,"${General::swroot}/forward/input";
- }
+ if( -f "${General::swroot}/forward/outgoing" ){
+ unlink("${General::swroot}/forward/outgoing");
+ system("touch ${General::swroot}/forward/outgoing");
+ chown 99,99,"${General::swroot}/forward/outgoing";
+ }
+ unlink("${General::swroot}/fwhosts/*");
+ system("touch ${General::swroot}/fwhosts/customgroups");
+ system("touch ${General::swroot}/fwhosts/customhosts");
+ system("touch ${General::swroot}/fwhosts/customnetworks");
+ system("touch ${General::swroot}/fwhosts/customservicegrp");
+ system("touch ${General::swroot}/fwhosts/customservices");
+ chown 99,99,"${General::swroot}/fwhosts/*";
+ #START CONVERTER "OUTGOINGFW"
  system("/usr/sbin/convert-outgoingfw");
  rmtree("${General::swroot}/outgoing");
- system("/usr/local/bin/forwrdfwctrl");
  }
+ #XTACCESS CONVERTER
  if( -d "${General::swroot}/xtaccess"){
+ if( -f "${General::swroot}/forward/input" ){
+ unlink("${General::swroot}/forward/input");
+ system("touch ${General::swroot}/forward/input");
+ chown 99,99,"${General::swroot}/forward/input";
+ }
+ #START CONVERTER "XTACCESS"
  system("/usr/sbin/convert-xtaccess");
  rmtree("${General::swroot}/xtaccess");
  }
+ #DMZ-HOLES CONVERTER
+ if( -d "${General::swroot}/dmz-holes"){
+ if( -f "${General::swroot}/forward/dmz" ){
+ unlink("${General::swroot}/forward/dmz");
+ system("touch ${General::swroot}/forward/dmz");
+ chown 99,99,"${General::swroot}/forward/dmz";
+ }
+ #START CONVERTER "DMZ-HOLES"
+ system("/usr/sbin/convert-dmz");
+ rmtree("${General::swroot}/xtaccess");
+ }
+ #PORTFORWARD CONVERTER
+ if( -d "${General::swroot}/portfw"){
+ if( -f "${General::swroot}/forward/nat" ){
+ unlink("${General::swroot}/forward/nat");
+ system("touch ${General::swroot}/forward/nat");
+ chown 99,99,"${General::swroot}/forward/nat";
+ }
+ #START CONVERTER "PORTFW"
+ system("/usr/sbin/convert-portfw");
+ rmtree("${General::swroot}/portfw");
+ }
+ system("/usr/local/bin/forwardfwctrl");
  }
 elsif ($ARGV[0] eq 'restoreaddon') {
  if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");}
diff --git a/config/forwardfw/convert-dmz b/config/forwardfw/convert-dmz
new file mode 100755
index 000000000..639cef374
--- /dev/null
+++ b/config/forwardfw/convert-dmz
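Review bot: The DMZ-HOLES converter block removes the wrong directory: right after `system("/usr/sbin/convert-dmz");` it calls `rmtree("${General::swroot}/xtaccess");`, so the old dmz-holes config survives the restore while the xtaccess tree is deleted a second time; it should read `rmtree("${General::swroot}/dmz-holes");`. That directory name also disagrees with the new convert-dmz script, which opens `${General::swroot}/dmzholes/config`, so with the two spellings as written the converter is either never started by the `-d` test or dies on open — one side has to change. Separately, `unlink("${General::swroot}/fwhosts/*");` and `chown 99,99,"${General::swroot}/fwhosts/*";` pass a literal `*` (Perl's unlink/chown do not expand globs), so the old host and group files are not cleared and the freshly touched ones keep root ownership; use `unlink glob("${General::swroot}/fwhosts/*");` and `chown 99,99, glob("${General::swroot}/fwhosts/*");`. The restore branch enclosing these converters starts and ends outside the hunk.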
@@ -0,0 +1,172 @@
+#!/usr/bin/perl
+
+########################################################################
+# Script: convert-dmz
+# Date: 03.04.2013
+# Author: Alexander Marx (amarx@ipfire.org)
+########################################################################
+#
+# This script converts old dmz holes rules from old Firewall
+# to the new one. This is a 2-step process.
+# STEP1: read old config and normalize settings
+# STEP2: check valid ip and save valid rules to new firewall
+#
+########################################################################
+my @current=();
+my @alias=();
+my %configdmz=();
+my %ifaces=();
+my %configfwdfw=();
+require '/var/ipfire/general-functions.pl';
+my $dmzconfig = "${General::swroot}/dmzholes/config";
+my $fwdfwconfig = "${General::swroot}/forward/dmz";
+my $ifacesettings = "${General::swroot}/ethernet/settings";
+my $field0 = 'ACCEPT';
+my $field1 = 'FORWARDFW';
+my $field2 = ''; #ON or emtpy
+my $field3 = ''; #std_net_src or src_addr
+my $field4 = ''; #ALL or IP-Address with /32
+my $field5 = ''; #std_net_tgt or tgt_addr
+my $field6 = ''; #IP or network name
+my $field11 = 'ON'; #use target port
+my $field12 = ''; #TCP or UDP
+my $field13 = 'All ICMP-Types';
+my $field14 = 'TGT_PORT';
+my $field15 = ''; #Port Number
+my $field16 = ''; #remark
+my $field26 = '00:00';
+my $field27 = '00:00';
+open(FILE, $dmzconfig) or die 'Unable to open config file.';
+my @current = ;
+close(FILE);
+#open LOGFILE
+open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
+&General::readhash($ifacesettings, \%ifaces);
+&General::readhasharray($fwdfwconfig,\%configfwdfw);
+&process_rules;
+sub process_rules{
+ foreach my $line (@current){
+ my $now=localtime;
+ #get values from old configfile
+ my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
+ $h =~ s/\s//gi;
+ print LOG "$Now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+ #Now convert values and check ip addresses
+ $a=uc($a);
+ $e=uc($e);
+ $field2=$e if($e eq 'ON');
+ #SOURCE IP-check
+ $b=&check_ip($b);
+ if (&General::validipandmask($b)){
+ #When ip valid, check if we have a network
+ my ($ip,$subnet) = split ("/",$b);
+ if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
+ $field3='std_net_src';
+ $field4='ORANGE';
+ }elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+ $field3='std_net_src';
+ $field4='BLUE';
+ }elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
+ $field3='src_addr';
+ $field4=$b;
+ }elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
+ $field3='src_addr';
+ $field4=$b;
+ }else{
+ print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n";
+ next;
+ }
+ }else{
+ print LOG "$now -> SOURCE IP INVALID. \n\n";
+ next;
+ }
+ #TARGET IP-check
+ $c=&check_ip($c);
+ if (&General::validipandmask($c)){
+ my $now=localtime;
+ #When ip valid, check if we have a network
+ my ($ip,$subnet) = split ("/",$c);
+ if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
+ $field5='std_net_tgt';
+ $field6='GREEN';
+ }elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
+ $field5='std_net_tgt';
+ $field6='BLUE';
+ }elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
+ $field5='tgt_addr';
+ $field6=$c;
+ }elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
+ $field5='tgt_addr';
+ $field6=$c;
+ }else{
+ print LOG "$Now ->NOT Converted, invalid Source IP $b\n\n";
+ next;
+ }
+ }else{
+ print LOG "$now -> SOURCE IP INVALID. \n\n";
+ next;
+ }
+ $field12=$a;
+ #convert portrange
+ $d =~ tr/-/:/;
+ $field15=$d;
+ $field16=$h;
+ ##Ausgabe
+ #print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
+ #print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n";
+ my $key = &General::findhasharraykey (\%configfwdfw);
+ foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
+ $configfwdfw{$key}[0] = $field0;
+ $configfwdfw{$key}[1] = $field1;
+ $configfwdfw{$key}[2] = $field2;
+ $configfwdfw{$key}[3] = $field3;
+ $configfwdfw{$key}[4] = $field4;
+ $configfwdfw{$key}[5] = $field5;
+ $configfwdfw{$key}[6] = $field6;
+ $configfwdfw{$key}[7] = '';
+ $configfwdfw{$key}[8] = '';
+ $configfwdfw{$key}[9] = '';
+ $configfwdfw{$key}[10] = '';
+ $configfwdfw{$key}[11] = $field11;
+ $configfwdfw{$key}[12] = $field12;
+ $configfwdfw{$key}[13] = $field13;
+ $configfwdfw{$key}[14] = $field14;
+ $configfwdfw{$key}[15] = $field15;
+ $configfwdfw{$key}[16] = $field16;
+ $configfwdfw{$key}[17] = '';
+ $configfwdfw{$key}[18] = '';
+ $configfwdfw{$key}[19] = '';
+ $configfwdfw{$key}[20] = '';
+ $configfwdfw{$key}[21] = '';
+ $configfwdfw{$key}[22] = '';
+ $configfwdfw{$key}[23] = '';
+ $configfwdfw{$key}[24] = '';
+ $configfwdfw{$key}[25] = '';
+ $configfwdfw{$key}[26] = $field26;
+ $configfwdfw{$key}[27] = $field27;
+ print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
+ }
+ &General::writehasharray($fwdfwconfig,\%configfwdfw);
+close (LOG);
+}
+
+sub check_ip
+{
+ my $adr=shift;
+ my $a;
+ #ip with subnet in decimal
+ if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ my $b = &General::iporsubtodec($5);
+ $a=$adr."/".$b;
+ }elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
+ $adr=int($1).".".int($2).".".int($3).".".int($4);
+ if(&General::validip($adr)){
+ $a=$adr."/32";
+ }
+ }
+ if(&General::validipandmask($adr)){
+ $a=&General::iporsubtodec($adr);
+ }
+ return $a;
+}
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index c930ad078..b835931c4 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -53,6 +53,7 @@ var/ipfire/forward/config
 var/ipfire/forward/input
 var/ipfire/forward/outgoing
 var/ipfire/forward/dmz
+var/ipfire/forward/net
 var/ipfire/forward/p2protocols
 var/ipfire/fwhosts
 var/ipfire/fwhosts/icmp-types
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index a8e4b79d3..fe6d23a8f 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -112,6 +112,8 @@ usr/sbin/ovpn-ccd-convert
 usr/sbin/firewall-policy
 usr/sbin/convert-xtaccess
 usr/sbin/convert-outgoingfw
+usr/sbin/convert-dmz
+usr/sbin/convert-portfw
 #usr/share
 #usr/share/doc
 #usr/share/doc/licenses
diff --git a/html/cgi-bin/forwardfw.cgi b/html/cgi-bin/forwardfw.cgi
index 83917015e..e69e6ce9f 100755
--- a/html/cgi-bin/forwardfw.cgi
+++ b/html/cgi-bin/forwardfw.cgi
@@ -77,7 +77,7 @@ my %aliases=();
 my %optionsfw=();
 my %ifaces=();
-my $VERSION='0.9.9.0';
+my $VERSION='0.9.9.1';
 my $color;
 my $confignet = "${General::swroot}/fwhosts/customnetworks";
 my $confighost = "${General::swroot}/fwhosts/customhosts";
@@ -133,6 +133,7 @@ if ($fwdfwsettings{'ACTION'} eq 'saverule')
  $errormessage=&checksource;
  if(!$errormessage){&checktarget;}
  if(!$errormessage){&checkrule;}
+ #check if manual ip (source) is orange network
  if ($fwdfwsettings{'grp1'} eq 'src_addr'){
  my ($sip,$scidr) = split("/",$fwdfwsettings{$fwdfwsettings{'grp1'}});
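Review bot: `$Now` is never assigned — the loop sets `$now` — so the three log lines that interpolate it (the `Processing` line, the target-branch `NOT Converted` line and the final `Converted to` line) are written with an empty timestamp, and without `use strict; use warnings;` at the top of the script this stays silent. The target-IP branch also reports the wrong side: its two failure messages say `invalid Source IP $b` and `SOURCE IP INVALID` although they run after `$c=&check_ip($c);`, so a rule dropped because its target is not in green/blue is logged as a source problem; they should name the target and print `$c`. In `check_ip` the first pattern uses bare `.` between the octets, `m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/`, which accepts any separator character; make it `m/^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\/(\d{1,2})$/` to match the second branch. `my @current` is also declared twice (at the top and again for the file read), and `$a`/`$b` are used as plain lexicals, which collides with Perl's sort variables; both are worth cleaning up before this runs on restored (i.e. not locally authored) config data.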
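Review bot: The rootfile entry added here is `var/ipfire/forward/net`, but the other hunks of this commit create and reset a file called `forward/nat` (the `forward/nat` token appended in lfs/configroot and the `${General::swroot}/forward/nat` paths in backup.pl), so this looks like a typo: the installed `forward/nat` would be missing from the rootfile while `forward/net` is listed but never created. It should presumably read `var/ipfire/forward/nat`.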
@@ -2034,7 +2035,7 @@ sub saverule
  #print"6";
  }
  #check if we change a DMZ to a FORWARD/DMZ
- elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' ){
+ elsif($fwdfwsettings{'oldruletype'} eq 'DMZ' && $fwdfwsettings{'chain'} eq 'FORWARDFW' && $fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'){
  &changerule($configdmz);
  #print"7";
  }
diff --git a/lfs/configroot b/lfs/configroot
index 7e47881d3..58eb9d753 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -65,7 +65,7 @@ $(TARGET) :
  for i in auth/users backup/include.user backup/exclude.user \
  certs/index.txt ddns/config ddns/noipsettings ddns/settings ddns/ipcache dhcp/settings \
  dhcp/fixleases dhcp/advoptions dhcp/dhcpd.conf.local dns/settings dnsforward/config ethernet/aliases ethernet/settings ethernet/known_nics ethernet/scanned_nics \
- extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz \
+ extrahd/scan extrahd/devices extrahd/partitions extrahd/settings forward/settings forward/config forward/input forward/outgoing forward/dmz forward/nat \
  fwhosts/customnetworks fwhosts/customhosts fwhosts/customgroups fwhosts/customservicegrp fwlogs/ipsettings fwlogs/portsettings \
  isdn/settings mac/settings main/disable_nf_sip main/hosts main/routing main/settings net-traffic/settings optionsfw/settings \
  ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
@@ -103,6 +103,8 @@ $(TARGET) :
  cp $(DIR_SRC)/config/forwardfw/rules.pl $(CONFIG_ROOT)/forward/bin/rules.pl
  cp $(DIR_SRC)/config/forwardfw/convert-xtaccess /usr/sbin/convert-xtaccess
  cp $(DIR_SRC)/config/forwardfw/convert-outgoingfw /usr/sbin/convert-outgoingfw
+ cp $(DIR_SRC)/config/forwardfw/convert-dmz /usr/sbin/convert-dmz
+ cp $(DIR_SRC)/config/forwardfw/convert-portfw /usr/sbin/convert-portfw
  cp $(DIR_SRC)/config/forwardfw/p2protocols $(CONFIG_ROOT)/forward/p2protocols
  cp $(DIR_SRC)/config/forwardfw/firewall-lib.pl $(CONFIG_ROOT)/forward/bin/firewall-lib.pl
  cp $(DIR_SRC)/config/forwardfw/firewall-policy /usr/sbin/firewall-policy
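Review bot: The new guard `$fwdfwsettings{$fwdfwsettings{'grp1'}} ne 'ORANGE'` only recognises a source selected as the ORANGE network name; a rule whose source is a manual address (`grp1` eq `src_addr`) that lies inside the orange subnet compares an IP/CIDR string against `'ORANGE'`, is still `ne`, and so keeps taking the `&changerule($configdmz)` path — unless the `src_addr` orange-network check at the top of the `saverule` action rewrites `grp1` before this point, which is outside the hunk and should be confirmed. Since the elsif condition is now long enough that the exclusion is easy to miss, a one-line comment on the branch, `#a DMZ rule whose source is ORANGE stays a DMZ rule; do not migrate it to FORWARDFW`, would document the intent. `saverule` starts and ends outside the hunk.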