From: Achim W. <dot...@us...> - 2006-05-27 13:59:26
Update of /cvsroot/ipcop/ipcop/src/scripts In directory sc8-pr-cvs11.sourceforge.net:/tmp/cvs-serv10466/src/scripts Modified Files: puzzleFwRules.pl Log Message: Dataaccess only in Data-Layer. No(*) restrictions to 4 interfaces, it is possible to have multiple interfaces of each color. *There are 2 or 3 code snippets (for validation) where are references to four NICs, I will change this as soon as there are more than these four interfaces are possible in IPCop. Index: puzzleFwRules.pl =================================================================== RCS file: /cvsroot/ipcop/ipcop/src/scripts/puzzleFwRules.pl,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** puzzleFwRules.pl 20 May 2006 17:16:16 -0000 1.2 --- puzzleFwRules.pl 27 May 2006 13:59:09 -0000 1.3 *************** *** 71,81 **** } - my $redIsActiv = 0; - my $RED_DEV = ""; - if(-e "${General::swroot}/red/active") - { - $RED_DEV = `cat ${General::swroot}/red/iface`; - $redIsActiv = 1; - } my (%custIfaces, %custAddresses, %defaultNetworks, %groupAddresses, %custServices, %defaultServices); --- 71,74 ---- *************** *** 149,153 **** # my %defaultNetworks = (); ! &DATA::setup_default_networks(\%defaultNetworks, \%FW::netsettings); # my %groupAddresses --- 142,146 ---- # my %defaultNetworks = (); ! &DATA::setup_default_networks(\%defaultNetworks); # my %groupAddresses *************** *** 292,309 **** # incoming interface if ($rule->{'SRC_NET_TYPE'} eq 'defaultSrcNet') { ! if ($rule->{'SRC_NET'} eq 'green') { ! $inDev = $FW::netsettings{'GREEN_DEV'}; ! } ! elsif ($rule->{'SRC_NET'} eq 'blue') { ! next if (! &FW::haveBlueNet()); # currently there is no Blue ! $inDev = $FW::netsettings{'BLUE_DEV'}; ! } ! elsif ($rule->{'SRC_NET'} eq 'orange') { ! next if (! &FW::haveOrangeNet()); # currently there is no Orange ! $inDev = $FW::netsettings{'ORANGE_DEV'}; } ! elsif ($rule->{'SRC_NET'} eq 'red') { ! next if ($redIsActiv == 0); ! 
$inDev = $RED_DEV; } } --- 285,296 ---- # incoming interface if ($rule->{'SRC_NET_TYPE'} eq 'defaultSrcNet') { ! if(defined($FW::interfaces{$rule->{'SRC_NET'}}) ! && $FW::interfaces{$rule->{'SRC_NET'}}{'ACTIV'} eq 'yes') ! { ! $inDev = $FW::interfaces{$rule->{'SRC_NET'}}{'IFACE'}; } ! else { ! # currently this interface is not available ! next; } } *************** *** 330,348 **** { # outgoing interface ! if ($rule->{'DST_NET_TYPE'} eq 'defaultDestNet') { ! if ($rule->{'DST_NET'} eq 'green') { ! $outDev = $FW::netsettings{'GREEN_DEV'}; ! } ! elsif ($rule->{'DST_NET'} eq 'blue') { ! next if (! &FW::haveBlueNet()); # currently there is no Blue ! $outDev = $FW::netsettings{'BLUE_DEV'}; ! } ! elsif ($rule->{'DST_NET'} eq 'orange') { ! next if (! &FW::haveOrangeNet()); # currently there is no Orange ! $outDev = $FW::netsettings{'ORANGE_DEV'}; } ! elsif ($rule->{'DST_NET'} eq 'red') { ! next if ($redIsActiv == 0); ! $outDev = $RED_DEV; } } --- 317,330 ---- { # outgoing interface ! if ($rule->{'DST_NET_TYPE'} eq 'defaultDestNet') ! { ! if(defined($FW::interfaces{$rule->{'DST_NET'}}) ! && $FW::interfaces{$rule->{'DST_NET'}}{'ACTIV'} eq 'yes') ! { ! $outDev = $FW::interfaces{$rule->{'DST_NET'}}{'IFACE'}; } ! else { ! # currently this interface is not available ! next; } } *************** *** 374,378 **** if ($rule->{'SRC_ADR_TYPE'} eq 'defaultSrcAdr') { ! next if ($redIsActiv == 0 && $rule->{'SRC_ADR'} =~ /^Red/); @srcAdres = (&buildAddressParams($rule->{'SRC_ADR'}, "default", $invSrcAdr, "source")); } --- 356,360 ---- if ($rule->{'SRC_ADR_TYPE'} eq 'defaultSrcAdr') { ! # already checked above: next if ($FW::interfaces{'SRC_NET'}{'ACTIV'} ne 'yes'); @srcAdres = (&buildAddressParams($rule->{'SRC_ADR'}, "default", $invSrcAdr, "source")); } *************** *** 399,403 **** { next if ($adr->{'ENABLED'} ne 'on'); ! next if ($redIsActiv == 0 && $adr->{'ADDRESS_TYP'} eq 'default' && $adr->{'ADDRESS_NAME'} =~ /^Red/); --- 381,387 ---- { next if ($adr->{'ENABLED'} ne 'on'); ! 
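Review bot: The new lookup `$FW::interfaces{$rule->{'SRC_NET'}}` in the incoming-interface branch is keyed directly on the rule's SRC_NET value, which the removed code compared against lowercase 'green'/'blue'/'orange'/'red', while every other hunk of this commit addresses `%FW::interfaces` with capitalised keys ('Red', 'Orange', 'Blue', 'Green'); unless the stored SRC_NET values or the hash keys were normalised elsewhere (not visible here), the `defined` test fails for every default-net rule and each one falls into the `next` branch. That `next` is also silent: a rule dropped here is never installed, so a denying rule disappears without trace and the chain's default action takes over, which for a firewall deserves at least a log line, e.g. `warn "puzzleFwRules: rule skipped, interface '$rule->{'SRC_NET'}' not available\n";` in place of the bare comment. Both points apply equally to the outgoing-interface hunk (330,348 → 317,330) for DST_NET. The enclosing rule loop starts and ends outside the hunk.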
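Review bot: The replacement comment `# already checked above: next if ($FW::interfaces{'SRC_NET'}{'ACTIV'} ne 'yes');` quotes an expression that keys the hash on the literal string 'SRC_NET' rather than on `$rule->{'SRC_NET'}`, so anyone who copies it back into code gets a check that never fires. The check it replaced looked at a different field, `$rule->{'SRC_ADR'} =~ /^Red/`, so "already checked above" holds only if a Red default address can never be paired with a SRC_NET_TYPE other than 'defaultSrcNet'; that invariant is not visible in the hunk and should be stated. Suggested wording: `# No Red check needed here: a defaultSrcNet rule whose $FW::interfaces{$rule->{'SRC_NET'}} is not active was skipped above (assumes Red default addresses only occur with SRC_NET_TYPE 'defaultSrcNet')`. The enclosing block starts and ends outside the hunk.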
# Achim Weber TODO: maybe this check isn't necessary, not sure at the moment ! next if (defined($FW::interfaces{'Red'}) ! && $FW::interfaces{'Red'}{'ACTIV'} ne 'yes' && $adr->{'ADDRESS_TYP'} eq 'default' && $adr->{'ADDRESS_NAME'} =~ /^Red/); *************** *** 450,454 **** { next if ($adr->{'ENABLED'} ne 'on'); ! next if ($redIsActiv == 0 && $adr->{'ADDRESS_TYP'} eq 'default' && $adr->{'ADDRESS_NAME'} =~ /^Red/); --- 434,440 ---- { next if ($adr->{'ENABLED'} ne 'on'); ! # Achim Weber TODO: maybe this check isn't necessary, not sure at the moment ! next if (defined($FW::interfaces{'Red'}) ! && $FW::interfaces{'Red'}{'ACTIV'} ne 'yes' && $adr->{'ADDRESS_TYP'} eq 'default' && $adr->{'ADDRESS_NAME'} =~ /^Red/); *************** *** 603,606 **** --- 589,596 ---- } + #################################################### + # + # TODO: remove those default rules + # # create default rules if (-e $FW::enabledfile) { *************** *** 611,618 **** # Other traffic blocked by IPCop rules. So it´s possible use related, established connections # Orange forward ! if (&FW::haveOrangeNet() && $redIsActiv == 1) { # This rule is only necessary when RED is up. ! $defaultRule = "-A FW_FORWARD -i $FW::netsettings{'ORANGE_DEV'} -o $RED_DEV -j"; &prepareRule("$defaultRule LOG --log-prefix \"ORANGE-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); --- 601,608 ---- # Other traffic blocked by IPCop rules. So it´s possible use related, established connections # Orange forward ! if (&FW::haveOrangeNet() && $FW::interfaces{'Red'}{'ACTIV'} eq 'yes') { # This rule is only necessary when RED is up. ! $defaultRule = "-A FW_FORWARD -i $FW::interfaces{'Orange'}{'IFACE'} -o $FW::interfaces{'Red'}{'IFACE'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"ORANGE-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); *************** *** 622,644 **** { # forward ! 
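Review bot: The new guard `defined($FW::interfaces{'Red'}) && $FW::interfaces{'Red'}{'ACTIV'} ne 'yes'` skips a Red default address only when a 'Red' entry exists and is inactive; the removed `$redIsActiv == 0` also skipped it when red was simply unknown, so a missing 'Red' entry now lets the address through (whether the data layer always supplies the entry is not visible here). If the intent is "skip unless Red is known and active", the condition should read `(!defined($FW::interfaces{'Red'}) || $FW::interfaces{'Red'}{'ACTIV'} ne 'yes')`. The same block, including the "maybe this check isn't necessary" TODO, is duplicated in hunk 450,454 → 434,440; the TODO should say what would make the check unnecessary, and a small helper such as `_red_is_active()` would keep the two copies from drifting. The enclosing loop starts and ends outside the hunk.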
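Review bot: `$FW::interfaces{'Red'}{'ACTIV'} eq 'yes'` in the Orange-forward condition has no `defined` guard, unlike the Red checks earlier in this commit; when the 'Red' entry is absent the nested access autovivifies an empty hash and `eq` compares undef (a warning under `use warnings`), and because Orange is tested through `&FW::haveOrangeNet()` while Red is read from the hash directly, the two halves of the condition can disagree about what "available" means. Suggest `if (&FW::haveOrangeNet() && defined($FW::interfaces{'Red'}) && $FW::interfaces{'Red'}{'ACTIV'} eq 'yes')`. The interface names are then interpolated straight into the iptables string (`-i $FW::interfaces{'Orange'}{'IFACE'} -o $FW::interfaces{'Red'}{'IFACE'}`); an empty IFACE yields an argument-less `-i`/`-o`, so the default rule fails to install instead of being applied, and the same holds for the Green and Blue strings in hunk 622,644 → 612,634, where the Green rules are built unconditionally. The enclosing `if (-e $FW::enabledfile)` block starts outside the hunk.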
$defaultRule = "-A FW_FORWARD -i $FW::netsettings{'BLUE_DEV'} -o ! $FW::netsettings{'GREEN_DEV'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"BLUE-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); # input ! $defaultRule = "-A FW_INPUT -i $FW::netsettings{'BLUE_DEV'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"BLUE-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); } # Green forward ! $defaultRule = "-A FW_FORWARD -i $FW::netsettings{'GREEN_DEV'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"GREEN-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); # Green input ! $defaultRule = "-A FW_INPUT -i $FW::netsettings{'GREEN_DEV'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"GREEN-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); # put admin rule at first position ! $defaultRule = "-I FW_INPUT -i $FW::netsettings{'GREEN_DEV'} "; $defaultRule .= "-m mac --mac-source $FW::fwSettings{'ADMIN_MAC'} "; $defaultRule .= "-p tcp --dport $FW::fwSettings{'HTTPS_PORT'} -j ACCEPT"; --- 612,634 ---- { # forward ! $defaultRule = "-A FW_FORWARD -i $FW::interfaces{'Blue'}{'IFACE'} -o ! $FW::interfaces{'Green'}{'IFACE'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"BLUE-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); # input ! $defaultRule = "-A FW_INPUT -i $FW::interfaces{'Blue'}{'IFACE'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"BLUE-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); } # Green forward ! 
$defaultRule = "-A FW_FORWARD -i $FW::interfaces{'Green'}{'IFACE'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"GREEN-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); # Green input ! $defaultRule = "-A FW_INPUT -i $FW::interfaces{'Green'}{'IFACE'} -j"; &prepareRule("$defaultRule LOG --log-prefix \"GREEN-$defaultAction \" ") if ($FW::fwSettings{'DEFAULT_LOG'} eq 'on'); &prepareRule("$defaultRule $defaultAction"); # put admin rule at first position ! $defaultRule = "-I FW_INPUT -i $FW::interfaces{'Green'}{'IFACE'} "; $defaultRule .= "-m mac --mac-source $FW::fwSettings{'ADMIN_MAC'} "; $defaultRule .= "-p tcp --dport $FW::fwSettings{'HTTPS_PORT'} -j ACCEPT"; |