webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-23 17:32:57 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
f7e649ddfbd915136ae5acdad388d0b517e5ea85
bpfire/config/forwardfw/convert-dmz
Alexander Marx f7e649ddfb Forward Firewall: some typos in dmz-converter
2013-08-09 14:12:39 +02:00

173 lines
5.8 KiB
Perl
Executable File
Raw Blame History

#!/usr/bin/perl
########################################################################
# Script: convert-dmz
# Date: 03.04.2013
# Author: Alexander Marx (amarx@ipfire.org)
########################################################################
#
# This script converts old dmz holes rules from old Firewall
# to the new one. This is a 2-step process.
# STEP1: read old config and normalize settings
# STEP2: check valid ip and save valid rules to new firewall
#
########################################################################
my @current=();
my @alias=();
my %configdmz=();
my %ifaces=();
my %configfwdfw=();
require '/var/ipfire/general-functions.pl';
my $dmzconfig = "${General::swroot}/dmzholes/config";
my $fwdfwconfig = "${General::swroot}/forward/dmz";
my $ifacesettings = "${General::swroot}/ethernet/settings";
my $field0 = 'ACCEPT';
my $field1 = 'FORWARDFW';
my $field2 = ''; #ON or emtpy
my $field3 = ''; #std_net_src or src_addr
my $field4 = ''; #ALL or IP-Address with /32
my $field5 = ''; #std_net_tgt or tgt_addr
my $field6 = ''; #IP or network name
my $field11 = 'ON'; #use target port
my $field12 = ''; #TCP or UDP
my $field13 = 'All ICMP-Types';
my $field14 = 'TGT_PORT';
my $field15 = ''; #Port Number
my $field16 = ''; #remark
my $field26 = '00:00';
my $field27 = '00:00';
open(FILE, $dmzconfig) or die 'Unable to open config file.';
my @current = <FILE>;
close(FILE);
#open LOGFILE
open (LOG, ">/var/log/converters/dmz-convert.log") or die $!;
&General::readhash($ifacesettings, \%ifaces);
&General::readhasharray($fwdfwconfig,\%configfwdfw);
&process_rules;
sub process_rules{
foreach my $line (@current){
my $now=localtime;
#get values from old configfile
my ($a,$b,$c,$d,$e,$f,$g,$h) = split (",",$line);
$h =~ s/\s*\n//gi;
print LOG "$now Processing A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
#Now convert values and check ip addresses
$a=uc($a);
$e=uc($e);
$field2=$e if($e eq 'ON');
#SOURCE IP-check
$b=&check_ip($b);
if (&General::validipandmask($b)){
#When ip valid, check if we have a network
my ($ip,$subnet) = split ("/",$b);
if ($f eq 'orange' && $ip eq $ifaces{'ORANGE_NETADDRESS'}){
$field3='std_net_src';
$field4='ORANGE';
}elsif($f eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
$field3='std_net_src';
$field4='BLUE';
}elsif($f eq 'orange' && &General::IpInSubnet($ip,$ifaces{'ORANGE_NETADDRESS'},$ifaces{'ORANGE_NETMASK'})){
$field3='src_addr';
$field4=$b;
}elsif($f eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
$field3='src_addr';
$field4=$b;
}else{
print LOG "$now ->NOT Converted, source ip $b not part of source network $f \n\n";
next;
}
}else{
print LOG "$now -> SOURCE IP INVALID. \n\n";
next;
}
#TARGET IP-check
$c=&check_ip($c);
if (&General::validipandmask($c)){
my $now=localtime;
#When ip valid, check if we have a network
my ($ip,$subnet) = split ("/",$c);
if ($g eq 'green' && $ip eq $ifaces{'GREEN_NETADDRESS'}){
$field5='std_net_tgt';
$field6='GREEN';
}elsif($g eq 'blue' && $ip eq $ifaces{'BLUE_NETADDRESS'}){
$field5='std_net_tgt';
$field6='BLUE';
}elsif($g eq 'green' && &General::IpInSubnet($ip,$ifaces{'GREEN_NETADDRESS'},$ifaces{'GREEN_NETMASK'})){
$field5='tgt_addr';
$field6=$c;
}elsif($g eq 'blue' && &General::IpInSubnet($ip,$ifaces{'BLUE_NETADDRESS'},$ifaces{'BLUE_NETMASK'})){
$field5='tgt_addr';
$field6=$c;
}else{
print LOG "$now ->NOT Converted, target ip $c not part of target network $g \n\n";
next;
}
}else{
print LOG "$now -> TARGET IP INVALID. \n\n";
next;
}
$field12=$a;
#convert portrange
$d =~ tr/-/:/;
$field15=$d;
$field16=$h;
##Ausgabe
#print "A: $a B: $b C: $c D: $d E: $e F: $f G: $g H: $h\n";
#print "0:$field0 1:$field1 2:$field2 3:$field3 4:$field4 5:$field5 6:$field6 11:$field11 12:$field12 13:$field13 14:$field14 15:$field15 16:$field16 26:$field26 27:$field27\n\n\n";
my $key = &General::findhasharraykey (\%configfwdfw);
foreach my $i (0 .. 27) { $configfwdfw{$key}[$i] = "";}
$configfwdfw{$key}[0] = $field0;
$configfwdfw{$key}[1] = $field1;
$configfwdfw{$key}[2] = $field2;
$configfwdfw{$key}[3] = $field3;
$configfwdfw{$key}[4] = $field4;
$configfwdfw{$key}[5] = $field5;
$configfwdfw{$key}[6] = $field6;
$configfwdfw{$key}[7] = '';
$configfwdfw{$key}[8] = '';
$configfwdfw{$key}[9] = '';
$configfwdfw{$key}[10] = '';
$configfwdfw{$key}[11] = $field11;
$configfwdfw{$key}[12] = $field12;
$configfwdfw{$key}[13] = $field13;
$configfwdfw{$key}[14] = $field14;
$configfwdfw{$key}[15] = $field15;
$configfwdfw{$key}[16] = $field16;
$configfwdfw{$key}[17] = '';
$configfwdfw{$key}[18] = '';
$configfwdfw{$key}[19] = '';
$configfwdfw{$key}[20] = '';
$configfwdfw{$key}[21] = '';
$configfwdfw{$key}[22] = '';
$configfwdfw{$key}[23] = '';
$configfwdfw{$key}[24] = '';
$configfwdfw{$key}[25] = '';
$configfwdfw{$key}[26] = $field26;
$configfwdfw{$key}[27] = $field27;
print LOG "$Now -> Converted to $field0,$field1,$field2,$field3,$field4,$field5,$field6,,,,,$field11,$field12,$field13,$field14,$field15,$field16,,,,,,,,,,$field26,$field27\n";
}
&General::writehasharray($fwdfwconfig,\%configfwdfw);
close (LOG);
}
sub check_ip
{
my $adr=shift;
my $a;
#ip with subnet in decimal
if($adr =~ m/^(\d\d?\d?).(\d\d?\d?).(\d\d?\d?).(\d\d?\d?)\/(\d{1,2})$/){
$adr=int($1).".".int($2).".".int($3).".".int($4);
my $b = &General::iporsubtodec($5);
$a=$adr."/".$b;
}elsif($adr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/){
$adr=int($1).".".int($2).".".int($3).".".int($4);
if(&General::validip($adr)){
$a=$adr."/32";
}
}
if(&General::validipandmask($adr)){
$a=&General::iporsubtodec($adr);
}
return $a;
}
Reference in New Issue View Git Blame Copy Permalink