diff options
Diffstat (limited to 'firewall_wizard')
-rw-r--r-- | firewall_wizard/scripts/FWconf.pm | 204 |
1 files changed, 204 insertions, 0 deletions
diff --git a/firewall_wizard/scripts/FWconf.pm b/firewall_wizard/scripts/FWconf.pm new file mode 100644 index 00000000..abe480ab --- /dev/null +++ b/firewall_wizard/scripts/FWconf.pm @@ -0,0 +1,204 @@ +#!/usr/bin/perl + +package FWconf; +require "__WIZ_HOME__/common/scripts/Vareqval.pm"; +use MDK::Common; +use strict; + +sub true { + my ($val) = @_; + + if (defined $val) { + $val eq "0" || $val eq "\'0\'" || $val eq "\"0\"" || + $val eq "false" || $val eq "\'false\'" || $val eq "\"false\"" and + return 0; + $val eq "1" || $val eq "\'1\'" || $val eq "\"1\"" || + $val eq "true" || $val eq "\'true\'" || $val eq "\"true\"" and + return 1; + } + 0; +} + +# store the value of device and security level in /etc/sysconfig/mdk_serv +sub store_fwall { + my %mdk = Vareqval->get("/etc/sysconfig/mdk_serv"); + $mdk{wiz_ext_device} = ($ENV{wiz_ext_device} =~ /^(\w*).*$/) if defined $ENV{wiz_ext_device} or + die "wiz_ext_device not in env"; + $mdk{wiz_firewall_level} = $ENV{wiz_firewall_level} if defined $ENV{wiz_firewall_level} or + die "wiz_firewall_level not in env"; + Vareqval->commit("/etc/sysconfig/mdk_serv", \%mdk); +} + +sub do_it { + print "hello\n"; + my $TCP_PUBLIC_SERVICES=""; + my $UDP_PUBLIC_SERVICES=""; + my $TCP_INTERNAL_SERVICES=""; + my $UDP_INTERNAL_SERVICES=""; + + store_fwall(); + + my %conf = ("__WIZ_HOME__/firewall_wizard/scripts/bastille-firewall.cfg.default" => + "/etc/Bastille/bastille-firewall.cfg", + "/usr/share/Bastille/bastille-firewall" => "/etc/init.d/bastille-firewall", + "/usr/share/Bastille/bastille_ipchains" => "/sbin/bastille-ipchains", + "/usr/share/Bastille/bastille-netfilter" => "/sbin/bastille-netfilter"); + foreach (keys %conf) { + (!-f $conf{$_}) and MDK::Common::cp_af($_, $conf{$_}); + } + +# wiz_device INTERNAL_IFACES mdk_serv +# wiz_ext_device EXTIF mdk_serv +# wiz_ip_net . "/24" INTERNAL ifcfg-INTERNAL_IFACES +# wiz_caching_dns mdk_serv +# wiz_news_server mdk_serv +# wiz_ftp_internal mdk_serv +# wiz_ftp_external mdk_serv +# wiz_web_internal mdk_serv +# wiz_web_external mdk_serv +# wiz_workgroup mdk_serv +# wiz_mail_server mdk_serv +# wiz_ip_range1 dhcpd.conf +# wiz_ip_range2 dhcpd.conf +# wiz_firewall_level mdk_serv + + my $file = "/etc/sysconfig/mdk_serv"; + my %mdk = Vareqval->get($file); + my $INTERNAL_IFACES = $mdk{wiz_device} if defined $mdk{wiz_device} or + die "wiz_device not in $file"; + my $EXTIF = $mdk{wiz_ext_device} if defined $mdk{wiz_ext_device} or + die "wiz_ext_device not in $file"; +# a copy of all we need + my $wiz_news_server; + my $wiz_ftp_internal; + my $wiz_ftp_external; + my $wiz_web_internal; + my $wiz_web_external; + my $wiz_firewall_level; + my $wiz_workgroup; + my $wiz_mail_server; + my $wiz_caching_dns; + my @wiz_var = ("wiz_news_server", + "wiz_ftp_internal", + "wiz_ftp_external", + "wiz_web_internal", + "wiz_web_external", + "wiz_firewall_level", + "wiz_mail_server", + "wiz_workgroup", + "wiz_caching_dns"); + foreach (@wiz_var) { + ${$_} = $mdk{$_} if defined $mdk{$_} && !($mdk{$_} =~ /^\s*$/); + } + $file = "/etc/sysconfig/network-scripts/ifcfg-".$INTERNAL_IFACES; + %mdk = Vareqval->get($file); + my $INTERNAL = $mdk{NETWORK} . "/24" if defined $mdk{NETWORK} or + die "NETWORK not in $file"; + open(DHCP, "< /etc/dhcpd.conf"); + my $wiz_ip_range1; + my $wiz_ip_range2; + while (<DHCP>) { + if (/\s*range\s*([0-9\.]*)\s*([0-9\.]*).*$/) { + $wiz_ip_range1 = $1; + $wiz_ip_range2 = $2; + last; + } + } + close (DHCP); + my $firewall_cfg = "/etc/Bastille/bastille-firewall.cfg"; + my %fw = Vareqval->get($firewall_cfg); + $fw{PUBLIC_IFACES} = ($INTERNAL_IFACES eq $EXTIF) ? "": $EXTIF; + $fw{INTERNAL_IFACES} = $INTERNAL_IFACES; + if (true $wiz_caching_dns) { + $fw{DNS_SERVERS} = "0.0.0.0/0"; + $UDP_INTERNAL_SERVICES.=" domain "; + } + else { + $fw{DNS_SERVERS} = ""; + } + if (defined $wiz_news_server) { + $fw{NTP_SERVERS} = $wiz_news_server; + $UDP_INTERNAL_SERVICES.=" nntp "; + $TCP_INTERNAL_SERVICES.=" nntp "; + } + else { + $fw{NTP_SERVERS} = ""; + } + if (true $wiz_ftp_external) { + $TCP_PUBLIC_SERVICES .= " ftp ftp-data "; + $UDP_PUBLIC_SERVICES .= " ftp ftp-data "; + $TCP_INTERNAL_SERVICES .= " ftp ftp-data "; + $UDP_INTERNAL_SERVICES .= " ftp ftp-data "; + } + elsif (true $wiz_ftp_internal) { + $TCP_PUBLIC_SERVICES .= " "; + $UDP_PUBLIC_SERVICES .= " "; + $TCP_INTERNAL_SERVICES .= " ftp ftp-data "; + $UDP_INTERNAL_SERVICES .= " ftp ftp-data "; + } + if (true $wiz_web_external) { + $TCP_PUBLIC_SERVICES .= " http https "; + $UDP_PUBLIC_SERVICES .= " http https "; + $TCP_INTERNAL_SERVICES .= " http https "; + $UDP_INTERNAL_SERVICES .= " http https "; + } + elsif (true $wiz_web_internal) { + $TCP_PUBLIC_SERVICES .= " "; + $UDP_PUBLIC_SERVICES .= " "; + $TCP_INTERNAL_SERVICES .= " http https "; + $UDP_INTERNAL_SERVICES .= " http https "; + } + if (defined $wiz_workgroup) { + $TCP_INTERNAL_SERVICES .= " netbios-ns netbios-dgm netbios-ssn "; + $UDP_INTERNAL_SERVICES .= " netbios-ns netbios-dgm netbios-ssn "; + } + if (defined $wiz_mail_server) { + $TCP_INTERNAL_SERVICES .= " smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps "; + $UDP_INTERNAL_SERVICES .= " smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps "; + } + if (defined $wiz_ip_range1 && defined $wiz_ip_range2) { + $TCP_INTERNAL_SERVICES .= " bootps bootpc "; + $UDP_INTERNAL_SERVICES .= " bootps bootpc "; + } + $TCP_PUBLIC_SERVICES .= " ssh "; + $UDP_PUBLIC_SERVICES .= " ssh "; + $TCP_INTERNAL_SERVICES .= " ssh "; + $UDP_INTERNAL_SERVICES .= " ssh "; + + !defined $wiz_firewall_level and $wiz_firewall_level = "0"; + ($wiz_firewall_level) = ($wiz_firewall_level =~ /.*(\d*).*/); + +# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS. +#. /etc/rc.d/init.d/functions + + if ($wiz_firewall_level == 0 || $wiz_firewall_level == 3) { + $fw{IP_MASQ_NETWORK} = ""; + } + else { + $fw{IP_MASQ_NETWORK} = $INTERNAL; + } + if ($wiz_firewall_level <= 1) { + $fw{TCP_PUBLIC_SERVICES} = ":"; + $fw{UDP_PUBLIC_SERVICES} = ":"; + $fw{TCP_INTERNAL_SERVICES} = ":"; + $fw{UDP_INTERNAL_SERVICES} = ":"; + } + if ($wiz_firewall_level == 2) { + $fw{TCP_PUBLIC_SERVICES} = $TCP_PUBLIC_SERVICES; + $fw{UDP_PUBLIC_SERVICES} = $UDP_PUBLIC_SERVICES; + $fw{TCP_INTERNAL_SERVICES} = $TCP_INTERNAL_SERVICES; + $fw{UDP_INTERNAL_SERVICES} = $UDP_INTERNAL_SERVICES; + } + if ($wiz_firewall_level == 3) { + $fw{TCP_PUBLIC_SERVICES} = " "; + $fw{UDP_PUBLIC_SERVICES} = " "; + $fw{TCP_INTERNAL_SERVICES} = "ssh"; + $fw{UDP_INTERNAL_SERVICES} = "ssh"; + } + Vareqval->commit($firewall_cfg, \%fw); + system("chkconfig --level 345 bastille-firewall on"); + system("service bastille-firewall start"); + print "bye\n"; +} + +1; |