Revision: 2738
http://ipcop.svn.sourceforge.net/ipcop/?rev=2738&view=rev
Author: owes
Date: 2009-04-22 18:37:31 +0000 (Wed, 22 Apr 2009)
Log Message:
-----------
This may not look like it does, but I think it simplifies Blue and Blue Access.
In short use the WIRELESS* chains to verify Blue Access addresses, if no match
drop/reject according to the settings for the Blue interface.
Summary for Blue:
- open OpenVPN if policy half-open/open and OpenVPN on Blue activated
- check Blue Access if activated
- Pinholes
- IPCop services if policy half-open/open
- internet and Orange if policy open
Also add Pinholes possibility for Orange
Modified Paths:
--------------
ipcop/trunk/src/scripts/puzzleFwRules.pl
Modified: ipcop/trunk/src/scripts/puzzleFwRules.pl
===================================================================
--- ipcop/trunk/src/scripts/puzzleFwRules.pl 2009-04-20 15:19:41 UTC (rev
2737)
+++ ipcop/trunk/src/scripts/puzzleFwRules.pl 2009-04-22 18:37:31 UTC (rev
2738)
@@ -773,94 +773,96 @@
# only create rules for this interface if it is activ
next if ($FW::interfaces{$inIface}{'ACTIV'} ne 'yes');
- if ($FW::interfaces{$inIface}{'COLOR'} eq 'BLUE_COLOR' &&
$ifacePolicies{$inIface}{'BLUE_ACCESS'} eq 'on') {
- $doUpdateWirelessRules = 1;
-
- # allow OpenVPN if enabled on blue, OpenVPN access does not need
Blue Access entry
- if ($ovpnSettings{'ENABLED_BLUE_1'} eq 'on') {
+ # Special treatment for Blue / Blue Access first
+ if ($FW::interfaces{$inIface}{'COLOR'} eq 'BLUE_COLOR') {
+ # Allow OpenVPN if enabled on blue, OpenVPN access does not need
Blue Access entry so it much come first
+ # but only if we have policy half-open/open
+ if (($ovpnSettings{'ENABLED_BLUE_1'} eq 'on') &&
($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/)) {
my @serviceXYZ = &buildServiceParamsDefault('IPCop OpenVPN',
"");
foreach my $protoPort (@serviceXYZ) {
&prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
}
}
- &prepareRule("-A FW_IPCOP -i $FW::interfaces{$inIface}{'IFACE'} -j
WIRELESSINPUT");
- &prepareRule("-A FW_IPCOP_FORWARD -i
$FW::interfaces{$inIface}{'IFACE'} -j WIRELESSFORWARD");
+ if ($ifacePolicies{$inIface}{'BLUE_ACCESS'} eq 'on') {
+ $doUpdateWirelessRules = 1;
+ &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} -j WIRELESSINPUT");
+ &prepareRule("-A FW_IPCOP_FORWARD -i
$FW::interfaces{$inIface}{'IFACE'} -j WIRELESSFORWARD");
+ }
+
+ # dmzholes for blue
+ &prepareRule("-A FW_IPCOP_FORWARD -i
$FW::interfaces{$inIface}{'IFACE'} -j FW_DMZHOLES");
}
- else {
+ elsif ($FW::interfaces{$inIface}{'COLOR'} eq "ORANGE_COLOR") {
- # open some default ipcop services for policy 'half-open' and
'open'
- if ($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/) {
+ # dmzholes for orange
+ &prepareRule("-A FW_IPCOP_FORWARD -i
$FW::interfaces{$inIface}{'IFACE'} -j FW_DMZHOLES");
+ }
+ elsif ($FW::interfaces{$inIface}{'COLOR'} eq "RED_COLOR") {
- my @ipcopServices = ();
- # Some IPCop services for Green
- if ($FW::interfaces{$inIface}{'COLOR'} =~ /^GREEN_COLOR$/) {
- @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
- }
- # Some IPCop services for Blue
- if ($FW::interfaces{$inIface}{'COLOR'} =~ /^BLUE_COLOR$/) {
- @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
- if ($ovpnSettings{'ENABLED_BLUE_1'} eq 'on') {
- push(@ipcopServices, 'IPCop OpenVPN');
- }
- }
- # Some IPCop services for Orange
- if ($FW::interfaces{$inIface}{'COLOR'} =~ /^ORANGE_COLOR$/) {
- if ($ovpnSettings{'ENABLED_ORANGE_1'} eq 'on') {
- push(@ipcopServices, 'IPCop OpenVPN');
- }
- }
- # Some IPCop services for IPsec and OpenVPN (no DHCP needed
for VPN)
- if ($FW::interfaces{$inIface}{'COLOR'} =~
/^IPSEC_COLOR|OVPN_COLOR$/) {
- @ipcopServices = ('IPCop dns', 'IPCop ntp', 'IPCop proxy',
'Ping');
- }
+ # always allow ping on red
+ my @serviceXYZ = &buildServiceParamsDefault('Ping', "");
+ foreach my $protoPort (@serviceXYZ) {
+ &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
+ }
- foreach my $service (@ipcopServices) {
- my @serviceXYZ = &buildServiceParamsDefault($service, "");
- foreach my $protoPort (@serviceXYZ) {
- &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
- }
+ # allow OpenVPN if enabled on red
+ if ($ovpnSettings{'ENABLED_RED_1'} eq 'on') {
+ my @serviceXYZ = &buildServiceParamsDefault('IPCop OpenVPN',
"");
+ foreach my $protoPort (@serviceXYZ) {
+ &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
}
- } # if ($ifacePolicies{$inIface}{'POLICY'} =~
/^half-open|open$/)
+ }
- # allow internet/other network for policy 'open'
- if ($ifacePolicies{$inIface}{'POLICY'} eq 'open') {
+ # TODO: open firewall for IPsec
+ }
- # get outgoing interfaces
- my @outDevs =
&getOutIfacesByColor($FW::interfaces{$inIface}{'COLOR'}, $inIface);
- # forward
- foreach my $outIface (@outDevs) {
- &prepareRule("-A FW_IPCOP_FORWARD -i
$FW::interfaces{$inIface}{'IFACE'} -o $outIface -j ACCEPT");
- } # forward END
+ # open some default ipcop services for policy 'half-open' and 'open'
+ if ($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/) {
- } # if ($ifacePolicies{$inIface}{'POLICY'} eq 'open') {
-
- if ($FW::interfaces{$inIface}{'COLOR'} eq "BLUE_COLOR") {
-
- # dmzholes for blue
- &prepareRule("-A FW_IPCOP_FORWARD -i
$FW::interfaces{$inIface}{'IFACE'} -j FW_DMZHOLES");
+ my @ipcopServices = ();
+ # Some IPCop services for Green
+ if ($FW::interfaces{$inIface}{'COLOR'} =~ /^GREEN_COLOR$/) {
+ @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
}
- elsif ($FW::interfaces{$inIface}{'COLOR'} eq "RED_COLOR") {
+ # Some IPCop services for Blue (OpenVPN is already opened above)
+ if ($FW::interfaces{$inIface}{'COLOR'} =~ /^BLUE_COLOR$/) {
+ @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
+ }
+ # Some IPCop services for Orange
+ if ($FW::interfaces{$inIface}{'COLOR'} =~ /^ORANGE_COLOR$/) {
+ if ($ovpnSettings{'ENABLED_ORANGE_1'} eq 'on') {
+ push(@ipcopServices, 'IPCop OpenVPN');
+ }
+ }
+ # Some IPCop services for IPsec and OpenVPN (no DHCP needed for
VPN)
+ if ($FW::interfaces{$inIface}{'COLOR'} =~
/^IPSEC_COLOR|OVPN_COLOR$/) {
+ @ipcopServices = ('IPCop dns', 'IPCop ntp', 'IPCop proxy',
'Ping');
+ }
- # always allow ping on red
- my @serviceXYZ = &buildServiceParamsDefault('Ping', "");
+ foreach my $service (@ipcopServices) {
+ my @serviceXYZ = &buildServiceParamsDefault($service, "");
foreach my $protoPort (@serviceXYZ) {
&prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
}
+ }
+ } # if ($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/)
- # allow OpenVPN if enabled on red
- if ($ovpnSettings{'ENABLED_RED_1'} eq 'on') {
- my @serviceXYZ = &buildServiceParamsDefault('IPCop
OpenVPN', "");
- foreach my $protoPort (@serviceXYZ) {
- &prepareRule("-A FW_IPCOP -i
$FW::interfaces{$inIface}{'IFACE'} $protoPort -j ACCEPT");
- }
- }
- # TODO: open firewall for IPsec
- }
- }
+ # allow internet/other network for policy 'open'
+ if ($ifacePolicies{$inIface}{'POLICY'} eq 'open') {
+ # get outgoing interfaces
+ my @outDevs =
&getOutIfacesByColor($FW::interfaces{$inIface}{'COLOR'}, $inIface);
+
+ # forward
+ foreach my $outIface (@outDevs) {
+ &prepareRule("-A FW_IPCOP_FORWARD -i
$FW::interfaces{$inIface}{'IFACE'} -o $outIface -j ACCEPT");
+ } # forward END
+
+ } # if ($ifacePolicies{$inIface}{'POLICY'} eq 'open') {
+
# default Logging (if enabled) + DROP/REJECT rules per interface
$defaultRule = "-A FW_LOG -i $FW::interfaces{$inIface}{'IFACE'} -j";
my $defaultAction = 'DROP';
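Review bot: The policy gate `$ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/`, used for the new OpenVPN-on-Blue ACCEPT and again for the default IPCop services block, alternates `^half-open` with `open$` rather than matching either whole word, so any value that merely ends in "open" would pass; `/^(?:half-open|open)$/` states the intent exactly. The pattern predates this commit, but it now decides whether the OpenVPN ACCEPT is emitted ahead of the WIRELESSINPUT jump, which is precisely the rule that bypasses the Blue Access check, so the gate deserves to be tight. The comment above that ACCEPT reads "so it much come first"; suggest `# OpenVPN on Blue is accepted before the Blue Access check, so this rule must come first`. The foreach over $inIface that encloses this code begins before the hunk.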
@@ -926,52 +928,25 @@
# only create rules for this interface if it is activ
next if ($FW::interfaces{$inIface}{'ACTIV'} ne 'yes');
- # open some default ipcop services for policy 'half-open' and 'open'
- if ($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/) {
+ # only fill this chain if Blue Access is active
+ next unless ($ifacePolicies{$inIface}{'BLUE_ACCESS'} eq 'on');
- # Some IPCop services, no need for OpenVPN here as that is opened
for everybody
- my @ipcopServices = ('IPCop dhcp', 'IPCop dns', 'IPCop ntp',
'IPCop proxy', 'Ping');
- foreach my $key (keys %blueAdresses) {
- next if ($blueAdresses{$key}{'SOURCE_ADR_IPT'} eq '');
-
- foreach my $service (@ipcopServices) {
- my @serviceXYZ = &buildServiceParamsDefault($service, "");
- foreach my $protoPort (@serviceXYZ) {
- my $rule = "-A WIRELESSINPUT
$blueAdresses{$key}{'SOURCE_ADR_IPT'} ";
- $rule .= " -i $FW::interfaces{$inIface}{'IFACE'}
$protoPort -j ACCEPT";
- &prepareRule($rule);
- }
- }
- }
- } # if ($ifacePolicies{$inIface}{'POLICY'} =~ /^half-open|open$/)
-
- # allow internet/other network for policy 'open'
- if ($ifacePolicies{$inIface}{'POLICY'} eq 'open') {
-
- # get outgoing interfaces
- my @outDevs =
&getOutIfacesByColor($FW::interfaces{$inIface}{'COLOR'}, $inIface);
-
- # forward
- foreach my $key (keys %blueAdresses) {
- next if ($blueAdresses{$key}{'SOURCE_ADR_IPT'} eq '');
-
- foreach my $outIface (@outDevs) {
- my $rule = "-A WIRELESSFORWARD
$blueAdresses{$key}{'SOURCE_ADR_IPT'} ";
- $rule .= " -i $FW::interfaces{$inIface}{'IFACE'} -o
$outIface -j ACCEPT";
- &prepareRule($rule);
- }
- } # forward END
-
- } # if ($ifacePolicies{$inIface}{'POLICY'} eq 'open') {
-
- # Always allow dmzholes for the blue access adresses
+ # Blue Access input and forward
foreach my $key (keys %blueAdresses) {
next if ($blueAdresses{$key}{'SOURCE_ADR_IPT'} eq '');
- my $rule = "-A WIRELESSFORWARD
$blueAdresses{$key}{'SOURCE_ADR_IPT'} ";
- $rule .= "-i $FW::interfaces{$inIface}{'IFACE'} -j FW_DMZHOLES";
+ my $rule = "-A WIRELESSINPUT $blueAdresses{$key}{'SOURCE_ADR_IPT'}
";
+ $rule .= " -i $FW::interfaces{$inIface}{'IFACE'} -j RETURN";
&prepareRule($rule);
+
+ $rule = "-A WIRELESSFORWARD $blueAdresses{$key}{'SOURCE_ADR_IPT'}
";
+ $rule .= " -i $FW::interfaces{$inIface}{'IFACE'} -j RETURN";
+ &prepareRule($rule);
}
+
+ # Drop/Reject anything that did not match Blue Access
+ &prepareRule("-A WIRELESSINPUT -i $FW::interfaces{$inIface}{'IFACE'}
-j FW_LOG");
+ &prepareRule("-A WIRELESSFORWARD -i $FW::interfaces{$inIface}{'IFACE'}
-j FW_LOG");
}
}
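Review bot: The WIRELESSINPUT and WIRELESSFORWARD chains now end only with `-j FW_LOG`, so whether a packet from an address without a Blue Access entry is really stopped depends on FW_LOG holding a terminating DROP/REJECT for this interface; that chain is built elsewhere (the first hunk shows it being assembled per interface from `$defaultRule` and `$defaultAction`), and if it ever returns for an interface, the packet continues in FW_IPCOP / FW_IPCOP_FORWARD after the WIRELESS jump and reaches FW_DMZHOLES and the IPCop service rules, i.e. Blue Access fails open. A fail-closed guard costs one line per chain after the FW_LOG jumps, unreachable when FW_LOG does terminate: `&prepareRule("-A WIRELESSINPUT -i $FW::interfaces{$inIface}{'IFACE'} -j DROP");` and `&prepareRule("-A WIRELESSFORWARD -i $FW::interfaces{$inIface}{'IFACE'} -j DROP");`. The per-address rules also concatenate a string ending in a space with one starting in a space, leaving a double space in the rule text; harmless to iptables but worth trimming. The foreach over $inIface enclosing this block starts before the hunk.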