Diffstat (limited to 'firewall_wizard')
-rw-r--r--firewall_wizard/scripts/FWconf.pm204
1 files changed, 204 insertions, 0 deletions
diff --git a/firewall_wizard/scripts/FWconf.pm b/firewall_wizard/scripts/FWconf.pm
new file mode 100644
index 00000000..abe480ab
--- /dev/null
+++ b/firewall_wizard/scripts/FWconf.pm
@@ -0,0 +1,204 @@
+#!/usr/bin/perl
+
+package FWconf;
+require "__WIZ_HOME__/common/scripts/Vareqval.pm";
+use MDK::Common;
+use strict;
+
+sub true {
+ my ($val) = @_;
+
+ if (defined $val) {
+ $val eq "0" || $val eq "\'0\'" || $val eq "\"0\"" ||
+ $val eq "false" || $val eq "\'false\'" || $val eq "\"false\"" and
+ return 0;
+ $val eq "1" || $val eq "\'1\'" || $val eq "\"1\"" ||
+ $val eq "true" || $val eq "\'true\'" || $val eq "\"true\"" and
+ return 1;
+ }
+ 0;
+}
+
+# store the value of device and security level in /etc/sysconfig/mdk_serv
+sub store_fwall {
+ my %mdk = Vareqval->get("/etc/sysconfig/mdk_serv");
+ $mdk{wiz_ext_device} = ($ENV{wiz_ext_device} =~ /^(\w*).*$/) if defined $ENV{wiz_ext_device} or
+ die "wiz_ext_device not in env";
+ $mdk{wiz_firewall_level} = $ENV{wiz_firewall_level} if defined $ENV{wiz_firewall_level} or
+ die "wiz_firewall_level not in env";
+ Vareqval->commit("/etc/sysconfig/mdk_serv", \%mdk);
+}
+
+sub do_it {
+ print "hello\n";
+ my $TCP_PUBLIC_SERVICES="";
+ my $UDP_PUBLIC_SERVICES="";
+ my $TCP_INTERNAL_SERVICES="";
+ my $UDP_INTERNAL_SERVICES="";
+
+ store_fwall();
+
+ my %conf = ("__WIZ_HOME__/firewall_wizard/scripts/bastille-firewall.cfg.default" =>
+ "/etc/Bastille/bastille-firewall.cfg",
+ "/usr/share/Bastille/bastille-firewall" => "/etc/init.d/bastille-firewall",
+ "/usr/share/Bastille/bastille_ipchains" => "/sbin/bastille-ipchains",
+ "/usr/share/Bastille/bastille-netfilter" => "/sbin/bastille-netfilter");
+ foreach (keys %conf) {
+ (!-f $conf{$_}) and MDK::Common::cp_af($_, $conf{$_});
+ }
+
+# wiz_device INTERNAL_IFACES mdk_serv
+# wiz_ext_device EXTIF mdk_serv
+# wiz_ip_net . "/24" INTERNAL ifcfg-INTERNAL_IFACES
+# wiz_caching_dns mdk_serv
+# wiz_news_server mdk_serv
+# wiz_ftp_internal mdk_serv
+# wiz_ftp_external mdk_serv
+# wiz_web_internal mdk_serv
+# wiz_web_external mdk_serv
+# wiz_workgroup mdk_serv
+# wiz_mail_server mdk_serv
+# wiz_ip_range1 dhcpd.conf
+# wiz_ip_range2 dhcpd.conf
+# wiz_firewall_level mdk_serv
+
+ my $file = "/etc/sysconfig/mdk_serv";
+ my %mdk = Vareqval->get($file);
+ my $INTERNAL_IFACES = $mdk{wiz_device} if defined $mdk{wiz_device} or
+ die "wiz_device not in $file";
+ my $EXTIF = $mdk{wiz_ext_device} if defined $mdk{wiz_ext_device} or
+ die "wiz_ext_device not in $file";
+# a copy of all we need
+ my $wiz_news_server;
+ my $wiz_ftp_internal;
+ my $wiz_ftp_external;
+ my $wiz_web_internal;
+ my $wiz_web_external;
+ my $wiz_firewall_level;
+ my $wiz_workgroup;
+ my $wiz_mail_server;
+ my $wiz_caching_dns;
+ my @wiz_var = ("wiz_news_server",
+ "wiz_ftp_internal",
+ "wiz_ftp_external",
+ "wiz_web_internal",
+ "wiz_web_external",
+ "wiz_firewall_level",
+ "wiz_mail_server",
+ "wiz_workgroup",
+ "wiz_caching_dns");
+ foreach (@wiz_var) {
+ ${$_} = $mdk{$_} if defined $mdk{$_} && !($mdk{$_} =~ /^\s*$/);
+ }
+ $file = "/etc/sysconfig/network-scripts/ifcfg-".$INTERNAL_IFACES;
+ %mdk = Vareqval->get($file);
+ my $INTERNAL = $mdk{NETWORK} . "/24" if defined $mdk{NETWORK} or
+ die "NETWORK not in $file";
+ open(DHCP, "< /etc/dhcpd.conf");
+ my $wiz_ip_range1;
+ my $wiz_ip_range2;
+ while (<DHCP>) {
+ if (/\s*range\s*([0-9\.]*)\s*([0-9\.]*).*$/) {
+ $wiz_ip_range1 = $1;
+ $wiz_ip_range2 = $2;
+ last;
+ }
+ }
+ close (DHCP);
+ my $firewall_cfg = "/etc/Bastille/bastille-firewall.cfg";
+ my %fw = Vareqval->get($firewall_cfg);
+ $fw{PUBLIC_IFACES} = ($INTERNAL_IFACES eq $EXTIF) ? "": $EXTIF;
+ $fw{INTERNAL_IFACES} = $INTERNAL_IFACES;
+ if (true $wiz_caching_dns) {
+ $fw{DNS_SERVERS} = "0.0.0.0/0";
+ $UDP_INTERNAL_SERVICES.=" domain ";
+ }
+ else {
+ $fw{DNS_SERVERS} = "";
+ }
+ if (defined $wiz_news_server) {
+ $fw{NTP_SERVERS} = $wiz_news_server;
+ $UDP_INTERNAL_SERVICES.=" nntp ";
+ $TCP_INTERNAL_SERVICES.=" nntp ";
+ }
+ else {
+ $fw{NTP_SERVERS} = "";
+ }
+ if (true $wiz_ftp_external) {
+ $TCP_PUBLIC_SERVICES .= " ftp ftp-data ";
+ $UDP_PUBLIC_SERVICES .= " ftp ftp-data ";
+ $TCP_INTERNAL_SERVICES .= " ftp ftp-data ";
+ $UDP_INTERNAL_SERVICES .= " ftp ftp-data ";
+ }
+ elsif (true $wiz_ftp_internal) {
+ $TCP_PUBLIC_SERVICES .= " ";
+ $UDP_PUBLIC_SERVICES .= " ";
+ $TCP_INTERNAL_SERVICES .= " ftp ftp-data ";
+ $UDP_INTERNAL_SERVICES .= " ftp ftp-data ";
+ }
+ if (true $wiz_web_external) {
+ $TCP_PUBLIC_SERVICES .= " http https ";
+ $UDP_PUBLIC_SERVICES .= " http https ";
+ $TCP_INTERNAL_SERVICES .= " http https ";
+ $UDP_INTERNAL_SERVICES .= " http https ";
+ }
+ elsif (true $wiz_web_internal) {
+ $TCP_PUBLIC_SERVICES .= " ";
+ $UDP_PUBLIC_SERVICES .= " ";
+ $TCP_INTERNAL_SERVICES .= " http https ";
+ $UDP_INTERNAL_SERVICES .= " http https ";
+ }
+ if (defined $wiz_workgroup) {
+ $TCP_INTERNAL_SERVICES .= " netbios-ns netbios-dgm netbios-ssn ";
+ $UDP_INTERNAL_SERVICES .= " netbios-ns netbios-dgm netbios-ssn ";
+ }
+ if (defined $wiz_mail_server) {
+ $TCP_INTERNAL_SERVICES .= " smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps ";
+ $UDP_INTERNAL_SERVICES .= " smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps ";
+ }
+ if (defined $wiz_ip_range1 && defined $wiz_ip_range2) {
+ $TCP_INTERNAL_SERVICES .= " bootps bootpc ";
+ $UDP_INTERNAL_SERVICES .= " bootps bootpc ";
+ }
+ $TCP_PUBLIC_SERVICES .= " ssh ";
+ $UDP_PUBLIC_SERVICES .= " ssh ";
+ $TCP_INTERNAL_SERVICES .= " ssh ";
+ $UDP_INTERNAL_SERVICES .= " ssh ";
+
+ !defined $wiz_firewall_level and $wiz_firewall_level = "0";
+ ($wiz_firewall_level) = ($wiz_firewall_level =~ /.*(\d*).*/);
+
+# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS.
+#. /etc/rc.d/init.d/functions
+
+ if ($wiz_firewall_level == 0 || $wiz_firewall_level == 3) {
+ $fw{IP_MASQ_NETWORK} = "";
+ }
+ else {
+ $fw{IP_MASQ_NETWORK} = $INTERNAL;
+ }
+ if ($wiz_firewall_level <= 1) {
+ $fw{TCP_PUBLIC_SERVICES} = ":";
+ $fw{UDP_PUBLIC_SERVICES} = ":";
+ $fw{TCP_INTERNAL_SERVICES} = ":";
+ $fw{UDP_INTERNAL_SERVICES} = ":";
+ }
+ if ($wiz_firewall_level == 2) {
+ $fw{TCP_PUBLIC_SERVICES} = $TCP_PUBLIC_SERVICES;
+ $fw{UDP_PUBLIC_SERVICES} = $UDP_PUBLIC_SERVICES;
+ $fw{TCP_INTERNAL_SERVICES} = $TCP_INTERNAL_SERVICES;
+ $fw{UDP_INTERNAL_SERVICES} = $UDP_INTERNAL_SERVICES;
+ }
+ if ($wiz_firewall_level == 3) {
+ $fw{TCP_PUBLIC_SERVICES} = " ";
+ $fw{UDP_PUBLIC_SERVICES} = " ";
+ $fw{TCP_INTERNAL_SERVICES} = "ssh";
+ $fw{UDP_INTERNAL_SERVICES} = "ssh";
+ }
+ Vareqval->commit($firewall_cfg, \%fw);
+ system("chkconfig --level 345 bastille-firewall on");
+ system("service bastille-firewall start");
+ print "bye\n";
+}
+
+1;
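Review bot: The level normalization in do_it, `($wiz_firewall_level) = ($wiz_firewall_level =~ /.*(\d*).*/);`, always captures an empty string — the leading greedy `.*` consumes the whole value and `\d*` then matches zero digits — so `$wiz_firewall_level` becomes `""`, the `== 0` test succeeds for every configured level, and the level-2 and level-3 branches below it are unreachable; the committed bastille-firewall.cfg never receives the service lists the user asked for. The same regex-context mistake is in store_fwall: `$mdk{wiz_ext_device} = ($ENV{wiz_ext_device} =~ /^(\w*).*$/)` is a scalar-context match, so the value written to /etc/sysconfig/mdk_serv is the match result `1` rather than the interface name, and do_it later reads that back as `$EXTIF` and puts it into PUBLIC_IFACES (what Bastille does with a nonexistent interface name there is not visible here, but it is certainly not the intended external interface). Suggested lines: `($wiz_firewall_level) = ($wiz_firewall_level =~ /(\d+)/); $wiz_firewall_level = "0" unless defined $wiz_firewall_level;` and `($mdk{wiz_ext_device}) = ($ENV{wiz_ext_device} =~ /^(\w+)/) or die "wiz_ext_device malformed";`. The two trailing `system` calls are also unchecked, so a failed `service bastille-firewall start` still prints `bye` and the wizard ends as if the firewall were active; testing their return values (`system(...) == 0 or die ...`) would surface that.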