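#!/usr/bin/perl
# FWconf - builds the Bastille firewall configuration from the wizard's
# answers (taken from %ENV and /etc/sysconfig/mdk_serv), writes
# /etc/Bastille/bastille-firewall.cfg and enables/starts the service.
#
# Where each answer comes from:
#   wiz_device          INTERNAL_IFACES        mdk_serv
#   wiz_ext_device      EXTIF                  mdk_serv
#   wiz_ip_net . "/24"  INTERNAL               ifcfg-INTERNAL_IFACES (NETWORK)
#   wiz_caching_dns, wiz_news_server, wiz_ftp_internal, wiz_ftp_external,
#   wiz_web_internal, wiz_web_external, wiz_workgroup, wiz_mail_server,
#   wiz_firewall_level                         mdk_serv
#   wiz_ip_range1, wiz_ip_range2               dhcpd.conf ("range" line)
package FWconf;

use strict;
use warnings;

require "__WIZ_HOME__/common/scripts/Vareqval.pm";
use MDK::Common;

my $MDK_SERV     = "/etc/sysconfig/mdk_serv";
my $FIREWALL_CFG = "/etc/Bastille/bastille-firewall.cfg";
my $DHCPD_CONF   = "/etc/dhcpd.conf";

# Keys of bastille-firewall.cfg that hold the per-side service lists.
my @PUBLIC_KEYS   = qw(TCP_PUBLIC_SERVICES   UDP_PUBLIC_SERVICES);
my @INTERNAL_KEYS = qw(TCP_INTERNAL_SERVICES UDP_INTERNAL_SERVICES);

# true($val): 1 when $val is one of the wizard's "yes" spellings - 1 or
# true, optionally wrapped in single or double quotes - else 0.  An
# undefined value is false.
sub true {
    my ($val) = @_;
    return 0 unless defined $val;
    my %yes = map { $_ => 1 } ('1', "'1'", '"1"', 'true', "'true'", '"true"');
    return $yes{$val} ? 1 : 0;
}

# store_fwall(): copies wiz_ext_device and wiz_firewall_level from %ENV
# into /etc/sysconfig/mdk_serv.  Only the leading run of word characters
# of the device name is kept, so nothing else from the environment reaches
# the file.  Dies when either variable is missing or the device name is
# empty after filtering.
sub store_fwall {
    my %mdk = Vareqval->get($MDK_SERV);

    defined $ENV{wiz_ext_device} or die "wiz_ext_device not in env";
    # List assignment: store the capture, not the match's success flag.
    my ($device) = $ENV{wiz_ext_device} =~ /^(\w+)/;
    defined $device or die "wiz_ext_device is not a usable interface name";
    $mdk{wiz_ext_device} = $device;

    defined $ENV{wiz_firewall_level} or die "wiz_firewall_level not in env";
    $mdk{wiz_firewall_level} = $ENV{wiz_firewall_level};

    Vareqval->commit($MDK_SERV, \%mdk);
    return;
}

# _install_defaults(): copies Bastille's stock scripts and the wizard's
# default firewall configuration into place, never overwriting a file
# that already exists.
sub _install_defaults {
    my %conf = (
        "__WIZ_HOME__/firewall_wizard/scripts/bastille-firewall.cfg.default" => $FIREWALL_CFG,
        "/usr/share/Bastille/bastille-firewall"  => "/etc/init.d/bastille-firewall",
        "/usr/share/Bastille/bastille_ipchains"  => "/sbin/bastille-ipchains",
        "/usr/share/Bastille/bastille-netfilter" => "/sbin/bastille-netfilter",
    );
    for my $src (keys %conf) {
        next if -f $conf{$src};
        MDK::Common::cp_af($src, $conf{$src});
    }
    return;
}

# _dhcp_range($path): returns (start, end) of the first "range" statement
# in the dhcpd.conf at $path, or an empty list when the file cannot be
# read or holds no such line.  A missing dhcpd.conf is not an error - the
# bootp ports simply stay closed.
sub _dhcp_range {
    my ($path) = @_;
    open my $fh, '<', $path or return;
    my @range;
    while (my $line = <$fh>) {
        # Both addresses must start with a digit so an empty capture can
        # never be mistaken for a configured range.
        if ($line =~ /^\s*range\s+(\d[\d.]*)\s+(\d[\d.]*)/) {
            @range = ($1, $2);
            last;
        }
    }
    close $fh;
    return @range;
}

# _append(\%svc, $ports, @keys): appends $ports to each named service list.
sub _append {
    my ($svc, $ports, @keys) = @_;
    $svc->{$_} .= $ports for @keys;
    return;
}

# do_it(): main entry point.  Stores the environment answers, installs the
# default files, derives the service lists from /etc/sysconfig/mdk_serv,
# writes bastille-firewall.cfg and enables/starts bastille-firewall.
# Dies when a required setting is missing; returns 10 (the wizard's
# status value, kept from the original) otherwise.
sub do_it {
    store_fwall();
    _install_defaults();

    my %mdk = Vareqval->get($MDK_SERV);
    my $INTERNAL_IFACES = $mdk{wiz_device};
    defined $INTERNAL_IFACES or die "wiz_device not in $MDK_SERV";
    my $EXTIF = $mdk{wiz_ext_device};
    defined $EXTIF or die "wiz_ext_device not in $MDK_SERV";

    # The wizard answers we need; blank values count as unanswered.
    my %wiz;
    for my $key (qw(wiz_news_server wiz_ftp_internal wiz_ftp_external
                    wiz_web_internal wiz_web_external wiz_firewall_level
                    wiz_mail_server wiz_workgroup wiz_caching_dns)) {
        next unless defined $mdk{$key} && $mdk{$key} !~ /^\s*$/;
        $wiz{$key} = $mdk{$key};
    }

    my $ifcfg_file = "/etc/sysconfig/network-scripts/ifcfg-$INTERNAL_IFACES";
    my %ifcfg = Vareqval->get($ifcfg_file);
    defined $ifcfg{NETWORK} or die "NETWORK not in $ifcfg_file";
    # The LAN is assumed to be a /24, as in the original.
    my $INTERNAL = "$ifcfg{NETWORK}/24";

    my ($wiz_ip_range1, $wiz_ip_range2) = _dhcp_range($DHCPD_CONF);

    my %fw = Vareqval->get($FIREWALL_CFG);
    $fw{PUBLIC_IFACES}   = ($INTERNAL_IFACES eq $EXTIF) ? "" : $EXTIF;
    $fw{INTERNAL_IFACES} = $INTERNAL_IFACES;

    # Service lists, built here and only written at firewall level 2.
    my %svc = map { $_ => "" } @PUBLIC_KEYS, @INTERNAL_KEYS;

    if (true($wiz{wiz_caching_dns})) {
        $fw{DNS_SERVERS} = "0.0.0.0/0";
        _append(\%svc, " domain ", 'UDP_INTERNAL_SERVICES');
    }
    else {
        $fw{DNS_SERVERS} = "";
    }

    if (defined $wiz{wiz_news_server}) {
        # NOTE(review): the news server is written to Bastille's NTP_SERVERS
        # key, exactly as before - confirm that key is the intended one.
        $fw{NTP_SERVERS} = $wiz{wiz_news_server};
        _append(\%svc, " nntp ", @INTERNAL_KEYS);
    }
    else {
        $fw{NTP_SERVERS} = "";
    }

    # ftp / web: "external" opens the ports on both sides, "internal" only
    # towards the LAN (the public lists then get a bare space, as before).
    for my $spec ([" ftp ftp-data ", 'wiz_ftp_external', 'wiz_ftp_internal'],
                  [" http https ",   'wiz_web_external', 'wiz_web_internal']) {
        my ($ports, $ext_key, $int_key) = @$spec;
        if (true($wiz{$ext_key})) {
            _append(\%svc, $ports, @PUBLIC_KEYS, @INTERNAL_KEYS);
        }
        elsif (true($wiz{$int_key})) {
            _append(\%svc, " ", @PUBLIC_KEYS);
            _append(\%svc, $ports, @INTERNAL_KEYS);
        }
    }

    _append(\%svc, " netbios-ns netbios-dgm netbios-ssn ", @INTERNAL_KEYS)
        if defined $wiz{wiz_workgroup};
    _append(\%svc, " smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps ", @INTERNAL_KEYS)
        if defined $wiz{wiz_mail_server};
    _append(\%svc, " bootps bootpc ", @INTERNAL_KEYS)
        if defined $wiz_ip_range1 && defined $wiz_ip_range2;
    # ssh is always reachable from both sides.
    _append(\%svc, " ssh ", @PUBLIC_KEYS, @INTERNAL_KEYS);

    # Firewall level: the first run of digits in the answer, default 0.
    my $level_answer = defined $wiz{wiz_firewall_level} ? $wiz{wiz_firewall_level} : "0";
    my ($level) = $level_answer =~ /(\d+)/;
    $level = 0 unless defined $level;

    # Levels 0 and 3 do no masquerading; 1 and 2 masquerade the LAN.
    $fw{IP_MASQ_NETWORK} = ($level == 0 || $level == 3) ? "" : $INTERNAL;
    if ($level <= 1) {
        $fw{$_} = ":" for @PUBLIC_KEYS, @INTERNAL_KEYS;
    }
    elsif ($level == 2) {
        $fw{$_} = $svc{$_} for @PUBLIC_KEYS, @INTERNAL_KEYS;
    }
    elsif ($level == 3) {
        $fw{$_} = " "   for @PUBLIC_KEYS;
        $fw{$_} = "ssh" for @INTERNAL_KEYS;
    }

    Vareqval->commit($FIREWALL_CFG, \%fw);

    # List-form system(): no shell is involved.  Failure to enable or start
    # the service is reported but does not abort the wizard, as before.
    for my $cmd (["chkconfig", "--level", "345", "bastille-firewall", "on"],
                 ["service", "bastille-firewall", "start"]) {
        system(@$cmd) == 0 or warn "@$cmd failed: $?";
    }

    return 10;
}

1;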