1) Added more possible chars in remark: : / . 2) Added "Internet" to the standard networks so that internet access can be defined 3) When renaming a custom address, the firewall rules are updated 4) Ports are now ignored when GRE is used as protocol 5) When saving a custom service, the cursor is now in the first text field 6) Added a customservices file to the installation with predefined services 7) Added ESP as protocol 8) Fixed counter problem 9) Dropdown boxes for custom services and groups are now sorted 10) Firewall rules are now sorted in the right order 11) Fixed a bug when defining a manual address in source and target; the hint message is no longer displayed 12) When defining an external access rule, the last forward rule was deleted
#!/usr/bin/perl
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2012 #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
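use strict;
# The lookups below read config keys that may be absent for unused
# interfaces/services; keep those quiet rather than spamming the log.
no warnings 'uninitialized';

# fwlib: name-to-rule-fragment lookups used while generating firewall
# rules. Each get_*() sub resolves a name from one of the fwhosts / VPN
# configuration files into the address, port or protocol fragment that is
# spliced into an iptables invocation. All configuration is read once, at
# load time, and values are used as written in those files -- they are not
# re-validated here, so the writers of these files are the trust boundary.
package fwlib;

# Contents of the fwhosts configuration (custom networks, hosts, groups,
# services and service groups) as read by General::readhasharray: each key
# is an entry id, each value an array ref of the entry's fields.
my %customnetwork;
my %customhost;
my %customgrp;
my %customservice;
my %customservicegrp;

# OpenVPN client/net (ccd) entries, IPsec connections, and flat settings.
my %ccdnet;
my %ccdhost;
my %ipsecconf;
my %ipsecsettings;
my %netsettings;
my %ovpnsettings;

require '/var/ipfire/general-functions.pl';

my $confignet     = "${General::swroot}/fwhosts/customnetworks";
my $confighost    = "${General::swroot}/fwhosts/customhosts";
my $configgrp     = "${General::swroot}/fwhosts/customgroups";
my $configsrv     = "${General::swroot}/fwhosts/customservices";
my $configsrvgrp  = "${General::swroot}/fwhosts/customservicegrp";
my $configccdnet  = "${General::swroot}/ovpn/ccd.conf";
my $configccdhost = "${General::swroot}/ovpn/ovpnconfig";
my $configipsec   = "${General::swroot}/vpn/config";
my $configovpn    = "${General::swroot}/ovpn/settings";

# Flat KEY=VALUE settings. NOTE(review): the ethernet settings path is the
# only one not built from ${General::swroot}; kept literal to avoid changing
# behaviour, but it is worth aligning with the others.
General::readhash("/var/ipfire/ethernet/settings", \%netsettings);
General::readhash($configovpn,                     \%ovpnsettings);
General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);

# Multi-field entries.
General::readhasharray($confignet,     \%customnetwork);
General::readhasharray($confighost,    \%customhost);
General::readhasharray($configgrp,     \%customgrp);
General::readhasharray($configccdnet,  \%ccdnet);
General::readhasharray($configccdhost, \%ccdhost);
General::readhasharray($configipsec,   \%ipsecconf);
General::readhasharray($configsrv,     \%customservice);
General::readhasharray($configsrvgrp,  \%customservicegrp);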
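# Return the protocol (field 2, e.g. 'TCP') of the custom service whose
# name (field 0) is $val, or nothing when no service of that name exists
# in %customservice.
sub get_srv_prot
{
    my ($val) = @_;

    foreach my $key (sort keys %customservice) {
        return $customservice{$key}[2] if $customservice{$key}[0] eq $val;
    }

    # Unknown service: explicit empty return rather than falling off the
    # end of the loop with an unspecified value.
    return;
}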
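# Return a comma-separated list of the protocols used by the members of the
# custom service group named $val. Only TCP, UDP and ICMP are reported, and
# always in that fixed order so the generated string is stable. Returns the
# empty string when the group is unknown or none of its members resolves to
# one of those three protocols.
sub get_srvgrp_prot
{
    my ($val) = @_;
    my %seen;

    foreach my $key (sort keys %customservicegrp) {
        next unless $customservicegrp{$key}[0] eq $val;

        # Field 2 of a group entry is the member service's name; resolve its
        # protocol once instead of once per comparison.
        my $prot = get_srv_prot($customservicegrp{$key}[2]);
        $seen{$prot} = 1 if defined $prot;
    }

    return join(',', grep { $seen{$_} } qw(TCP UDP ICMP));
}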
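# Return field $field of the custom service whose name (field 0) is $val
# and whose protocol (field 2) is $prot, or nothing when no such service
# exists. Callers pass 1 for the port and 3 for the ICMP type (see
# get_srvgrp_port).
sub get_srv_port
{
    my ($val, $field, $prot) = @_;

    foreach my $key (sort keys %customservice) {
        next unless $customservice{$key}[0] eq $val;
        return $customservice{$key}[$field] if $customservice{$key}[2] eq $prot;
    }

    return;
}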
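# Build the iptables port / ICMP-type match for the custom service group
# named $val, restricted to members whose protocol is $prot.
#
# For non-ICMP protocols the result is "--dport P" for one port and
# "-m multiport --dports P1,P2,..." for several; for ICMP it is
# "--icmp-type T1,...". Group members with a different protocol or an
# empty port/type field are skipped.
#
# NOTE(review): the prefix is returned even when no member matched, giving
# a bare "--dport " / "--icmp-type " with no value; callers appear to rely
# on the current shape, so that is left unchanged. Also worth checking at
# the call site: multiport accepts at most 15 ports per rule, and
# --icmp-type takes a single type, so a comma-joined list is not a valid
# argument for it.
sub get_srvgrp_port
{
    my ($val, $prot) = @_;
    my $is_icmp = ($prot eq 'ICMP');

    # Field 1 of a service holds its port, field 3 its ICMP type.
    my $field = $is_icmp ? 3 : 1;

    my @ports;
    foreach my $key (sort keys %customservicegrp) {
        next unless $customservicegrp{$key}[0] eq $val;
        my $value = get_srv_port($customservicegrp{$key}[2], $field, $prot);
        push @ports, $value if $value ne '';
    }

    my $back;
    if ($is_icmp) {
        $back = "--icmp-type ";
    }
    else {
        # Numeric comparison (the old code compared $#ips as a string);
        # more than one port needs the multiport match.
        $back = @ports > 1 ? "-m multiport --dports " : "--dport ";
    }

    return $back . join(',', @ports);
}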
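# Return field $field of the IPsec connection whose field 1 (presumably the
# connection name -- confirm against the vpn/config writer) equals $val, or
# nothing when no such connection exists. Identical to get_ipsec_host_ip.
sub get_ipsec_net_ip
{
    my ($val, $field) = @_;

    foreach my $key (sort keys %ipsecconf) {
        next unless $ipsecconf{$key}[1] eq $val;
        return $ipsecconf{$key}[$field];
    }

    return;
}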
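# Return field $field of the IPsec connection whose field 1 equals $val, or
# nothing when no such connection exists. The lookup is identical to
# get_ipsec_net_ip; the two names only document the caller's intent.
sub get_ipsec_host_ip
{
    my ($val, $field) = @_;

    foreach my $key (sort keys %ipsecconf) {
        next unless $ipsecconf{$key}[1] eq $val;
        return $ipsecconf{$key}[$field];
    }

    return;
}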
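# Return field $field of the OpenVPN entry (ovpnconfig, %ccdhost) whose
# field 1 equals $val, or nothing when there is no such entry. Identical to
# get_ovpn_host_ip.
sub get_ovpn_n2n_ip
{
    my ($val, $field) = @_;

    foreach my $key (sort keys %ccdhost) {
        next unless $ccdhost{$key}[1] eq $val;
        return $ccdhost{$key}[$field];
    }

    return;
}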
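# Return field $field of the OpenVPN entry (ovpnconfig, %ccdhost) whose
# field 1 equals $val, or nothing when there is no such entry. The lookup
# is identical to get_ovpn_n2n_ip.
sub get_ovpn_host_ip
{
    my ($val, $field) = @_;

    foreach my $key (sort keys %ccdhost) {
        next unless $ccdhost{$key}[1] eq $val;
        return $ccdhost{$key}[$field];
    }

    return;
}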
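# Return field $field of the OpenVPN ccd.conf entry (%ccdnet) whose field 0
# equals $val, or nothing when there is no such entry. Note that this table
# is keyed on field 0, unlike the %ccdhost lookups which use field 1.
sub get_ovpn_net_ip
{
    my ($val, $field) = @_;

    foreach my $key (sort keys %ccdnet) {
        next unless $ccdnet{$key}[0] eq $val;
        return $ccdnet{$key}[$field];
    }

    return;
}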
# For every %customgrp entry whose name (field 0) is $val, pass its member
# (field 3) and the $src selector to get_address().
#
# NOTE(review): get_address is not defined anywhere in this file, and the
# value it returns is discarded -- nothing is handed back to the caller, so
# this sub has no observable effect unless get_address has side effects.
# Behaviour is kept as-is pending confirmation of what was intended
# (most likely returning the resolved address of the first match).
sub get_grp_ip
{
    my ($val, $src) = @_;

    for my $key (sort keys %customgrp) {
        next if $customgrp{$key}[0] ne $val;
        get_address($customgrp{$key}[3], $src);
    }
}
# Translate one of the predefined ("standard") network names into the
# string used when building a rule:
#   ALL                -> "0.0.0.0/0.0.0.0"
#   GREEN/ORANGE/BLUE  -> "<NETADDRESS>/<NETMASK>" from the ethernet settings
#   RED                -> "0.0.0.0/0 -o red0" (carries an interface option,
#                         not only an address -- callers must expect that)
#   *openvpn*          -> the DOVPN_SUBNET value of the OpenVPN settings
#   *ipsec*            -> the RW_NET value of the IPsec settings
# The last two are case-insensitive substring matches and are tried only
# after the exact names. Any other name yields a false value.
sub get_std_net_ip
{
    my ($val) = @_;

    my %fixed = (
        ALL    => "0.0.0.0/0.0.0.0",
        GREEN  => "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}",
        ORANGE => "$netsettings{'ORANGE_NETADDRESS'}/$netsettings{'ORANGE_NETMASK'}",
        BLUE   => "$netsettings{'BLUE_NETADDRESS'}/$netsettings{'BLUE_NETMASK'}",
        RED    => "0.0.0.0/0 -o red0",
    );
    return $fixed{$val} if exists $fixed{$val};

    if ($val =~ /OpenVPN/i) {
        return "$ovpnsettings{'DOVPN_SUBNET'}";
    }
    if ($val =~ /IPsec/i) {
        return "$ipsecsettings{'RW_NET'}";
    }
}
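# Return "<address>/<netmask>" (fields 1 and 2) of the custom network whose
# name (field 0) is $val, or nothing when no such network exists.
sub get_net_ip
{
    my ($val) = @_;

    foreach my $key (sort keys %customnetwork) {
        next unless $customnetwork{$key}[0] eq $val;
        return "$customnetwork{$key}[1]/$customnetwork{$key}[2]";
    }

    return;
}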
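# Return the rule fragment for the custom host whose name (field 0) is
# $val, for the side given by $src ('src' or 'tgt').
#   type 'ip'  -> the address (field 2) for either side
#   type 'mac' -> "-m mac --mac-source <MAC>" as a source (the mac match
#                 can only test the source address) and the literal string
#                 "none" as a target
# Returns nothing when the host is unknown or the type/side combination is
# not one of the above.
#
# NOTE(review): field 2 is interpolated verbatim into the match; it is
# assumed to have been validated when the customhosts file was written.
sub get_host_ip
{
    my ($val, $src) = @_;

    foreach my $key (sort keys %customhost) {
        next unless $customhost{$key}[0] eq $val;
        my ($type, $addr) = @{ $customhost{$key} }[1, 2];

        if ($type eq 'ip') {
            return $addr if $src eq 'src' || $src eq 'tgt';
        }
        elsif ($type eq 'mac') {
            return "-m mac --mac-source $addr" if $src eq 'src';
            return "none" if $src eq 'tgt';
        }
        # Any other combination moves on to the next entry, as before.
    }

    return;
}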
return 1;    # a require()d file must yield a true value