From: <abe...@us...> - 2016-07-10 15:10:20
Revision: 7747 http://sourceforge.net/p/astlinux/code/7747 Author: abelbeck Date: 2016-07-10 15:10:17 +0000 (Sun, 10 Jul 2016) Log Message: ----------- arnofw, add Deny LAN to DMZ traffic for internal interfaces, rc.conf variable DMZ_DENYLAN, defaults to allow as before. Simple rework of the astlinux.shim script making all the intermediate variables 'local' so as not to appear in the AIF script. Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.wrapper branches/1.0/project/astlinux/target_skeleton/stat/etc/rc.conf Modified: branches/1.0/package/arnofw/arnofw.wrapper =================================================================== --- branches/1.0/package/arnofw/arnofw.wrapper 2016-07-09 16:14:30 UTC (rev 7746) +++ branches/1.0/package/arnofw/arnofw.wrapper 2016-07-10 15:10:17 UTC (rev 7747) @@ -1,9 +1,11 @@ -# -# In this shim, we're invoked after /etc/arno-iptables-firewall/firewall.conf -# has been read. We then read /etc/rc.conf, and paste in variables from -# the latter file that will override whatever values were configured in -# firewall.conf. -# +## +## Custom AstLinux Variables -> AIF Configuration +## +## This script is called by AIF as a LOCAL_CONFIG_FILE which occurs after +## the /etc/arno-iptables-firewall/firewall.conf defaults are read. +## The AstLinux variables are then sourced from /etc/rc.conf, which together +## with this script allows AIF variables to be configured as needed. +## . /etc/rc.conf @@ -25,7 +27,7 @@ isNATinterface() { # args: IF - local IFS + local intf IFS unset IFS for intf in $NONAT; do @@ -40,9 +42,10 @@ addINTERNALnet() { # args: IF, IP, NM + local NETWORK PREFIX + if [ -n "$1" -a "$1" != "none" -a -n "$2" -a -n "$3" ]; then - local NETWORK PREFIX - eval `ipcalc -np $2 $3` + eval $(ipcalc -np $2 $3) INT_IF="$INT_IF${INT_IF:+ }$1" INTERNAL_NET="$INTERNAL_NET${INTERNAL_NET:+ }$NETWORK/$PREFIX" 
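Review bot: The `eval $(ipcalc -np $2 $3)` line in addINTERNALnet evaluates ipcalc's output without checking that it succeeded, so a malformed IP or netmask from rc.conf leaves NETWORK and PREFIX empty (or, depending on how the target shell's `local` without assignment scopes a pre-existing value, stale) and the next line appends a bare "/" entry to INTERNAL_NET; the switch from backticks to `$()` does not change this. I would initialise the locals and guard the result, `eval $(ipcalc -np "$2" "$3" 2>/dev/null)` followed by `[ -n "$NETWORK" -a -n "$PREFIX" ] || return 1`, quoting the arguments as well so they cannot be word-split or globbed. The same pattern is repeated in the addNOnatINTERNALnet, setDMZnet and setIPSECnet hunks. The function bodies continue past the end of each hunk.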
@@ -56,9 +59,10 @@ addNOnatINTERNALnet() { # args: IF, IP, NM + local NETWORK PREFIX + if [ -n "$1" -a "$1" != "none" -a -n "$2" -a -n "$3" ]; then - local NETWORK PREFIX - eval `ipcalc -np $2 $3` + eval $(ipcalc -np $2 $3) INT_IF="$INT_IF${INT_IF:+ }$1" INTERNAL_NET="$INTERNAL_NET${INTERNAL_NET:+ }$NETWORK/$PREFIX" @@ -68,9 +72,10 @@ setDMZnet() { # args: IF, IP, NM + local NETWORK PREFIX + if [ -n "$1" -a "$1" != "none" -a -n "$2" -a -n "$3" ]; then - local NETWORK PREFIX - eval `ipcalc -np $2 $3` + eval $(ipcalc -np $2 $3) DMZ_IF="$1" DMZ_NET="$NETWORK/$PREFIX" @@ -95,9 +100,10 @@ setIPSECnet() { # args: IP, NM + local NETWORK PREFIX + if [ -n "$1" -a -n "$2" ]; then - local NETWORK PREFIX - eval `ipcalc -np $1 $2` + eval $(ipcalc -np $1 $2) NAT_INTERNAL_NET="$NAT_INTERNAL_NET${NAT_INTERNAL_NET:+ }$NETWORK/$PREFIX" NAT=1 @@ -106,8 +112,9 @@ getLANinterface() { + # args: LAN local lanif="" - + case $1 in INTIF) lanif="$INTIF" @@ -123,7 +130,7 @@ if [ -z "$lanif" ]; then return 1 fi - + echo "$lanif" return 0 } 
@@ -141,172 +148,194 @@ esac } -## Disable TOS mangling -MANGLE_TOS=0 +astlinux_wrapper() +{ + local intf lan lans extCIDR ovpnIF ovpnIP ovpnNM allowif allowifs denyif count IFS -if [ "$IPV6" = "yes" ]; then - IPV6_SUPPORT=1 -fi + MANGLE_TOS=0 -if [ -z "$PPPOEIF" ]; then - EXT_IF="" - unset IFS - for intf in $EXTIF $EXT2IF; do - EXT_IF="$EXT_IF${EXT_IF:+ }$intf" - done -else - EXT_IF="${PPPOE_EXTIF:-ppp+}" - unset IFS - for intf in $EXTIF $EXT2IF; do - case "$intf" in - ppp[0-9]*) ;; - *) EXT_IF="$EXT_IF $intf" ;; - esac - done -fi + if [ "$IPV6" = "yes" ]; then + IPV6_SUPPORT=1 + fi -# Add external interface 'ip6tun' if an IPv6 tunnel is defined -if [ "$IPV6" = "yes" -a -n "$IPV6_TUNNEL" ]; then - EXT_IF="$EXT_IF ip6tun" -fi + if [ -z "$PPPOEIF" ]; then + EXT_IF="" + unset IFS + for intf in $EXTIF $EXT2IF; do + EXT_IF="$EXT_IF${EXT_IF:+ }$intf" + done + else + EXT_IF="${PPPOE_EXTIF:-ppp+}" + unset IFS + for intf in $EXTIF $EXT2IF; do + case "$intf" in + ppp[0-9]*) ;; + *) EXT_IF="$EXT_IF $intf" ;; + esac + done + fi -if [ -z "$EXTERNAL_NET" ]; then - unset IFS - for intf in $EXTIF $EXT2IF; do - extCIDR="$(get_network_cidr "$intf")" - if [ -n "$extCIDR" ]; then - EXTERNAL_NET="$EXTERNAL_NET${EXTERNAL_NET:+ }$extCIDR" - fi - done -fi + # Add external interface 'ip6tun' if an IPv6 tunnel is defined + if [ "$IPV6" = "yes" -a -n "$IPV6_TUNNEL" ]; then + EXT_IF="$EXT_IF ip6tun" + fi -INT_IF="" -INTERNAL_NET="" -NAT_INTERNAL_NET="" -NAT=0 + if [ -z "$EXTERNAL_NET" ]; then + unset IFS + for intf in $EXTIF $EXT2IF; do + extCIDR="$(get_network_cidr "$intf")" + if [ -n "$extCIDR" ]; then + EXTERNAL_NET="$EXTERNAL_NET${EXTERNAL_NET:+ }$extCIDR" + fi + done + fi -addINTERNALnet "$INTIF" "$INTIP" "$INTNM" + INT_IF="" + INTERNAL_NET="" + NAT_INTERNAL_NET="" + NAT=0 -addINTERNALnet "$INT2IF" "$INT2IP" "$INT2NM" + addINTERNALnet "$INTIF" "$INTIP" "$INTNM" -addINTERNALnet "$INT3IF" "$INT3IP" "$INT3NM" + addINTERNALnet "$INT2IF" "$INT2IP" "$INT2NM" -setDMZnet "$DMZIF" "$DMZIP" 
"$DMZNM" + addINTERNALnet "$INT3IF" "$INT3IP" "$INT3NM" -MODEM_IF="" + setDMZnet "$DMZIF" "$DMZIP" "$DMZNM" -if [ -n "$NAT_FOREIGN_NETWORK" ]; then - setFOREIGNnet -fi + MODEM_IF="" -EXT_IF_DHCP_IP=0 -if [ -n "$EXTIF" -a -z "$EXTIP" ] && [ "$EXTIF" != "ppp0" -o -z "$PPPOEIF" ]; then - EXT_IF_DHCP_IP=1 -fi -if [ -n "$EXT2IF" -a -z "$EXT2IP" ] && [ "$EXT2IF" != "ppp0" -o -z "$PPPOEIF" ]; then - EXT_IF_DHCP_IP=1 -fi + if [ -n "$NAT_FOREIGN_NETWORK" ]; then + setFOREIGNnet + fi -if [ "$EXTDHCP" = "yes" -a -n "$EXTIP" -a -n "$EXTGW" -a -z "$EXT2IF" -a -z "$PPPOEIF" ]; then - EXTERNAL_DHCP_SERVER=1 -fi + EXT_IF_DHCP_IP=0 + if [ -n "$EXTIF" -a -z "$EXTIP" ] && [ "$EXTIF" != "ppp0" -o -z "$PPPOEIF" ]; then + EXT_IF_DHCP_IP=1 + fi + if [ -n "$EXT2IF" -a -z "$EXT2IP" ] && [ "$EXT2IF" != "ppp0" -o -z "$PPPOEIF" ]; then + EXT_IF_DHCP_IP=1 + fi -if isVPNtype racoon || isVPNtype ipsecmobile; then - RP_FILTER=0 -fi + if [ "$EXTDHCP" = "yes" -a -n "$EXTIP" -a -n "$EXTGW" -a -z "$EXT2IF" -a -z "$PPPOEIF" ]; then + EXTERNAL_DHCP_SERVER=1 + fi -if isVPNtype ipsecmobile && [ "$IPSECM_AUTH_METHOD" = "xauth_rsa_server" ]; then - setIPSECnet "$IPSECM_XAUTH_POOLBASE" "$IPSECM_XAUTH_POOLMASK" -fi + if isVPNtype racoon || isVPNtype ipsecmobile; then + RP_FILTER=0 + fi -if isVPNtype openvpn; then - if [ -n "$OVPN_SERVER" ]; then - ovpnIP="`echo $OVPN_SERVER | awk '{ print $1; }'`" - ovpnNM="`echo $OVPN_SERVER | awk '{ print $2; }'`" - if [ -z "$OVPN_DEV" -o "$OVPN_DEV" = "tun" ]; then - ovpnIF="tun+" + if isVPNtype ipsecmobile && [ "$IPSECM_AUTH_METHOD" = "xauth_rsa_server" ]; then + setIPSECnet "$IPSECM_XAUTH_POOLBASE" "$IPSECM_XAUTH_POOLMASK" + fi + + if isVPNtype openvpn; then + if [ -n "$OVPN_SERVER" ]; then + ovpnIP="$(echo $OVPN_SERVER | awk '{ print $1; }')" + ovpnNM="$(echo $OVPN_SERVER | awk '{ print $2; }')" + if [ -z "$OVPN_DEV" -o "$OVPN_DEV" = "tun" ]; then + ovpnIF="tun+" + else + ovpnIF="$OVPN_DEV" + fi + addINTERNALnet "$ovpnIF" "$ovpnIP" "$ovpnNM" + if [ -n "$OVPN_ALLOWLAN" 
]; then + unset IFS + for lan in $OVPN_ALLOWLAN; do + allowif="$(getLANinterface "$lan")" + if [ $? -eq 0 ]; then + IFS=' ,' + for intf in $INT_IF; do + if [ "$intf" = "$allowif" ]; then + IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}$allowif $ovpnIF" + break + fi + done + fi + done + fi else - ovpnIF="$OVPN_DEV" + # Failsafe if /mnt/kd/openvpn/openvpn.conf is used + # and OVPN_SERVER is not defined. + TRUSTED_IF="tun+" fi - addINTERNALnet "$ovpnIF" "$ovpnIP" "$ovpnNM" - if [ -n "$OVPN_ALLOWLAN" ]; then - unset IFS - for lan in $OVPN_ALLOWLAN; do - allowif="$(getLANinterface "$lan")" - if [ $? -eq 0 ]; then - IFS=' ,' - for intf in $INT_IF; do - if [ "$intf" = "$allowif" ]; then - IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}$allowif $ovpnIF" - break; - fi - done - fi - done - fi - else - # Failsafe if /mnt/kd/openvpn/openvpn.conf is used - # and OVPN_SERVER is not defined. - TRUSTED_IF="tun+" fi -fi -if isVPNtype openvpnclient; then - if [ -n "$OVPNC_SERVER" ]; then - ovpnIP="`echo $OVPNC_SERVER | awk '{ print $1; }'`" - ovpnNM="`echo $OVPNC_SERVER | awk '{ print $2; }'`" - if [ -z "$OVPNC_DEV" -o "$OVPNC_DEV" = "tun" ]; then - ovpnIF="tun+" + if isVPNtype openvpnclient; then + if [ -n "$OVPNC_SERVER" ]; then + ovpnIP="$(echo $OVPNC_SERVER | awk '{ print $1; }')" + ovpnNM="$(echo $OVPNC_SERVER | awk '{ print $2; }')" + if [ -z "$OVPNC_DEV" -o "$OVPNC_DEV" = "tun" ]; then + ovpnIF="tun+" + else + ovpnIF="$OVPNC_DEV" + fi + addNOnatINTERNALnet "$ovpnIF" "$ovpnIP" "$ovpnNM" + if [ -n "$OVPNC_ALLOWLAN" ]; then + unset IFS + for lan in $OVPNC_ALLOWLAN; do + allowif="$(getLANinterface "$lan")" + if [ $? -eq 0 ]; then + IFS=' ,' + for intf in $INT_IF; do + if [ "$intf" = "$allowif" ]; then + IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}$allowif $ovpnIF" + break + fi + done + fi + done + fi else - ovpnIF="$OVPNC_DEV" + # Failsafe if /mnt/kd/openvpn/openvpnconf.conf is used + # and OVPNC_SERVER is not defined. 
+ TRUSTED_IF="tun+" fi - addNOnatINTERNALnet "$ovpnIF" "$ovpnIP" "$ovpnNM" - if [ -n "$OVPNC_ALLOWLAN" ]; then - unset IFS - for lan in $OVPNC_ALLOWLAN; do + fi + + if [ -n "$ALLOWLANS" ]; then + IFS='~' + for lans in $ALLOWLANS; do + allowifs="" + count=0 + IFS=' ' + for lan in $lans; do allowif="$(getLANinterface "$lan")" if [ $? -eq 0 ]; then IFS=' ,' for intf in $INT_IF; do if [ "$intf" = "$allowif" ]; then - IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}$allowif $ovpnIF" - break; + allowifs="$allowifs${allowifs:+ }$allowif" + count=$((count + 1)) + break fi done fi done - fi - else - # Failsafe if /mnt/kd/openvpn/openvpnconf.conf is used - # and OVPNC_SERVER is not defined. - TRUSTED_IF="tun+" + if [ -n "$allowifs" ] && [ $count -gt 1 ]; then + IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}$allowifs" + fi + done fi -fi -if [ -n "$ALLOWLANS" ]; then - IFS='~' - for lans in $ALLOWLANS; do - allowifs="" - count=0 - IFS=' ' - for lan in $lans; do - allowif="$(getLANinterface "$lan")" - if [ $? -eq 0 ]; then - IFS=' ,' - for intf in $INT_IF; do - if [ "$intf" = "$allowif" ]; then - allowifs="$allowifs${allowifs:+ }$allowif" - count=$((count + 1)) - break; + if [ -n "$DMZ_DENYLAN" ]; then + IFS=' ,' + for intf in $INT_IF; do + allowif="$intf" + unset IFS + for lan in $DMZ_DENYLAN; do + denyif="$(getLANinterface "$lan")" + if [ $? 
-eq 0 ]; then + if [ "$intf" = "$denyif" ]; then + allowif="" + break fi - done + fi + done + if [ -n "$allowif" ]; then + LAN_DMZ_ALLOW_IF="$LAN_DMZ_ALLOW_IF${LAN_DMZ_ALLOW_IF:+ }$allowif" fi done - if [ -n "$allowifs" ] && [ "$count" -gt 1 ]; then - IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}$allowifs" - fi - done -fi - -unset IFS - + fi +} +astlinux_wrapper Modified: branches/1.0/project/astlinux/target_skeleton/stat/etc/rc.conf =================================================================== --- branches/1.0/project/astlinux/target_skeleton/stat/etc/rc.conf 2016-07-09 16:14:30 UTC (rev 7746) +++ branches/1.0/project/astlinux/target_skeleton/stat/etc/rc.conf 2016-07-10 15:10:17 UTC (rev 7747) @@ -290,13 +290,17 @@ ## Note: Use the /mnt/kd/rc.elocal script to define the necessary static routes. #NAT_FOREIGN_NETWORK="192.168.6.0/24 192.168.7.0/24" -## Allow LAN to LAN traffic for internal interfaces, defaults to disallow +## Allow LAN to LAN traffic for internal interfaces, defaults to disallow. ## Space separate "INTIF" for 1st, "INT2IF" for 2nd, and "INT3IF" for 3rd Internal Interface ## Separate groups using a ~ (tilde) #ALLOWLANS="INTIF INT2IF" #ALLOWLANS="INTIF INT2IF~INTIF INT3IF" #ALLOWLANS="INTIF INT2IF INT3IF" +## Deny LAN to DMZ traffic for internal interfaces, defaults to allow. +## Use "INTIF" for 1st, "INT2IF" for 2nd, or "INT3IF" for 3rd Internal Interface, space separated for multiple +#DMZ_DENYLAN="INT2IF INT3IF" + ## Traffic Shaping ## Shapetype. This defines the qdisc type. Traffic shaping currently supports htb ## (default and well tested) or the newer hfsc version (less tested). You can 
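Review bot: The new DMZ_DENYLAN block appends to LAN_DMZ_ALLOW_IF without clearing it first, whereas the same hunk resets INT_IF, INTERNAL_NET and NAT_INTERNAL_NET to "" before rebuilding them; any LAN_DMZ_ALLOW_IF value already present when this shim runs would be kept and extended, so an interface listed in DMZ_DENYLAN could still end up allowed. I would add `LAN_DMZ_ALLOW_IF=""` as the first statement inside `if [ -n "$DMZ_DENYLAN" ]; then`. The ALLOWLANS loop also drops the quotes the old code had on the count test; `if [ -n "$allowifs" ] && [ "$count" -gt 1 ]; then` keeps it consistent with the rest of the file. Finally, removing the trailing `unset IFS` and relying on `local ... IFS` to restore the caller's IFS when astlinux_wrapper returns depends on the scoping of `local` in the shell AIF runs under, which is worth confirming on the target once, since AIF's own loops run after this script is sourced.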
@@ -653,8 +657,9 @@ #username1 password1 #username2 password2 #" -## Allow OpenVPN Server tunnel to LAN Interface(s), defaults to disallow +## Allow OpenVPN Server tunnel to LAN Interface(s), defaults to disallow. ## Use "INTIF" for 1st, "INT2IF" for 2nd, or "INT3IF" for 3rd Internal Interface, space separated for multiple +## Note: OpenVPN Server tunnel to DMZ Interface is allowed. #OVPN_ALLOWLAN="INTIF" ## ## Firewall Options, automatically supported via AIF openvpn-server plugin. @@ -692,8 +697,9 @@ #OVPNC_USER_PASS="user pass" ## Define ns-cert-type if set #OVPNC_NSCERTTYPE="server" -## Allow OpenVPN Client tunnel to LAN Interface(s), defaults to disallow +## Allow OpenVPN Client tunnel to LAN Interface(s), defaults to disallow. ## Use "INTIF" for 1st, "INT2IF" for 2nd, or "INT3IF" for 3rd Internal Interface, space separated for multiple +## Note: OpenVPN Client tunnel to DMZ Interface is allowed. #OVPNC_ALLOWLAN="INTIF" ## Racoon support - VPN above must include "racoon" This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |