#!/usr/bin/perl

package FWconf;
require "__WIZ_HOME__/common/scripts/Vareqval.pm";
use MDK::Common;
#use strict;

# Interpret a wizard answer as a boolean.
#
# Takes one scalar (may be undef) and returns 1 when it is exactly one of
# 1, '1', "1", true, 'true' or "true" -- i.e. the bare word or the word
# wrapped in one matching pair of quotes -- and 0 for anything else,
# including undef, "0", "yes" or "TRUE" (the comparison is case-sensitive).
sub	true {
    my ($answer) = @_;

    return 0 unless defined $answer;

    # \1 forces the closing quote (if any) to match the opening one, so the
    # six accepted spellings are exactly: (1|true) optionally in ' or ".
    my $accepted = $answer =~ / \A (["']?) (?: 1 | true ) \1 \z /x;
    return $accepted ? 1 : 0;
}

# store the value of device and security level in /etc/sysconfig/mdk_serv
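sub	store_fwall {
    # Record the wizard's answers in /etc/sysconfig/mdk_serv.
    #
    # The wizard hands its answers over through the environment; this takes
    # wiz_ext_device and wiz_firewall_level from %ENV, merges them into the
    # existing key=value pairs of the file and writes it back via Vareqval.
    # Dies when either variable is missing from the environment.
    # Returns whatever Vareqval->commit returns.
    my $mdk_file = "/etc/sysconfig/mdk_serv";
    my %mdk = Vareqval->get($mdk_file);

    defined $ENV{wiz_ext_device}     or die "wiz_ext_device not in env";
    defined $ENV{wiz_firewall_level} or die "wiz_firewall_level not in env";

    # Keep only the leading word of the device name (e.g. "eth0"): the value
    # ends up in root-owned config files, so anything after it is dropped.
    # The match must be in list context to yield the capture -- the original
    # assigned it in scalar context and therefore stored "1", not the name.
    my ($device) = $ENV{wiz_ext_device} =~ /^(\w*)/;
    $mdk{wiz_ext_device}     = $device;
    # NOTE(review): the level is stored as given; do_it normalises it to its
    # first run of digits when it reads the file back.
    $mdk{wiz_firewall_level} = $ENV{wiz_firewall_level};

    return Vareqval->commit($mdk_file, \%mdk);
}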

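sub	do_it {
    # Configure and start the Bastille firewall from the wizard's answers.
    #
    # Steps: store the answers given through %ENV (store_fwall), install the
    # shipped Bastille files where none exist yet, read the saved answers
    # from /etc/sysconfig/mdk_serv, the internal network from the internal
    # interface's ifcfg file and the DHCP range from /etc/dhcpd.conf, then
    # write /etc/Bastille/bastille-firewall.cfg and enable/start the service.
    #
    # Returns 10 (kept from the original; presumably the wizard's "done"
    # code -- confirm against the caller).
    # Dies when wiz_device or wiz_ext_device is missing from mdk_serv, when
    # wiz_device is not usable as a file-name component, or when NETWORK is
    # missing from the ifcfg file.
    store_fwall();
    _install_default_configs();

    my $mdk_file = "/etc/sysconfig/mdk_serv";
    my %mdk = Vareqval->get($mdk_file);
    defined $mdk{wiz_device}     or die "wiz_device not in $mdk_file";
    defined $mdk{wiz_ext_device} or die "wiz_ext_device not in $mdk_file";
    my $internal_iface = $mdk{wiz_device};
    my $ext_iface      = $mdk{wiz_ext_device};
    # The interface name is spliced into a path below; an empty name or one
    # containing a slash cannot be a real interface and must not be allowed
    # to select an arbitrary file.
    $internal_iface ne "" && $internal_iface !~ m{/}
        or die "wiz_device in $mdk_file is not a valid interface name";

    my %wiz = _wizard_settings(\%mdk);

    my $ifcfg_file = "/etc/sysconfig/network-scripts/ifcfg-" . $internal_iface;
    my %ifcfg = Vareqval->get($ifcfg_file);
    defined $ifcfg{NETWORK} or die "NETWORK not in $ifcfg_file";
    # The internal network is assumed to be a /24 (kept from the original;
    # NETMASK from the ifcfg file is not consulted).
    my $internal_net = $ifcfg{NETWORK} . "/24";

    my ($range_low, $range_high) = _read_dhcp_range("/etc/dhcpd.conf");
    my $has_dhcp_range = defined $range_low && defined $range_high;

    my $firewall_cfg = "/etc/Bastille/bastille-firewall.cfg";
    my %fw = Vareqval->get($firewall_cfg);
    # A single interface doing both jobs is not listed as a public one.
    $fw{PUBLIC_IFACES}   = ($internal_iface eq $ext_iface) ? "" : $ext_iface;
    $fw{INTERNAL_IFACES} = $internal_iface;

    my %svc = _service_lists(\%wiz, \%fw, $has_dhcp_range);

    my $level = defined $wiz{wiz_firewall_level} ? $wiz{wiz_firewall_level} : "0";
    # Take the first run of digits as the level.  The original pattern
    # /.*(\d*).*/ let the greedy .* swallow the digits, so the capture was
    # always empty and every level was treated as 0.
    my ($level_digits) = $level =~ /(\d+)/;
    $level = defined $level_digits ? $level_digits : 0;
    _apply_firewall_level(\%fw, $level, \%svc, $internal_net);

    Vareqval->commit($firewall_cfg, \%fw);
    # List-form system() needs no shell.  A failure here leaves the config
    # written but the firewall not enabled/started, so at least report it.
    system("chkconfig", "--level", "345", "bastille-firewall", "on") == 0
        or warn "chkconfig bastille-firewall on failed: $?";
    system("service", "bastille-firewall", "start") == 0
        or warn "service bastille-firewall start failed: $?";
    return 10;
}

# Copy the shipped Bastille files into place, but only where the target does
# not exist yet, so an existing configuration is never overwritten.
sub _install_default_configs {
    my %target_of = (
        "__WIZ_HOME__/firewall_wizard/scripts/bastille-firewall.cfg.default" =>
            "/etc/Bastille/bastille-firewall.cfg",
        "/usr/share/Bastille/bastille-firewall"  => "/etc/init.d/bastille-firewall",
        "/usr/share/Bastille/bastille_ipchains"  => "/sbin/bastille-ipchains",
        "/usr/share/Bastille/bastille-netfilter" => "/sbin/bastille-netfilter",
    );
    for my $src (keys %target_of) {
        my $dst = $target_of{$src};
        MDK::Common::cp_af($src, $dst) unless -f $dst;
    }
    return;
}

# Where each value used by do_it comes from:
#   wiz_device          INTERNAL_IFACES   mdk_serv
#   wiz_ext_device      EXTIF             mdk_serv
#   wiz_ip_net . "/24"  INTERNAL          ifcfg-INTERNAL_IFACES (NETWORK)
#   wiz_caching_dns, wiz_news_server, wiz_ftp_internal, wiz_ftp_external,
#   wiz_web_internal, wiz_web_external, wiz_workgroup, wiz_mail_server,
#   wiz_firewall_level                    mdk_serv
#   wiz_ip_range1, wiz_ip_range2          dhcpd.conf
#
# Pick the wizard's answers out of the mdk_serv key=value pairs.
# Takes a hashref of those pairs and returns a hash holding only the answers
# that are present and not blank.  (The original assigned through a symbolic
# reference, ${"wiz_..."}, which under "no strict" set package globals rather
# than the lexicals it then read, so every answer was seen as undefined; and
# its "!$v =~ /^\s*$/" negated the value before matching it.)
sub _wizard_settings {
    my ($mdk) = @_;
    my @keys = qw(wiz_news_server wiz_ftp_internal wiz_ftp_external
                  wiz_web_internal wiz_web_external wiz_firewall_level
                  wiz_mail_server wiz_workgroup wiz_caching_dns);
    my %wiz;
    for my $key (@keys) {
        my $value = $mdk->{$key};
        next unless defined $value && $value !~ /^\s*$/;
        $wiz{$key} = $value;
    }
    return %wiz;
}

# Return the (low, high) addresses of the first "range" line of the given
# dhcpd.conf, or an empty list when the file cannot be opened (no DHCP server
# configured) or holds no range line.  The pattern is kept from the original:
# both captures are [0-9.]*, so a range line may yield empty but defined
# strings, which do_it still counts as a range.
sub _read_dhcp_range {
    my ($dhcp_conf) = @_;
    open my $dhcp, '<', $dhcp_conf or return;
    my @range;
    while (my $line = <$dhcp>) {
        if ($line =~ /\s*range\s*([0-9\.]*)\s*([0-9\.]*).*$/) {
            @range = ($1, $2);
            last;
        }
    }
    close $dhcp;
    return @range;
}

# Build the four Bastille service lists from the wizard's answers and set the
# DNS_SERVERS / NTP_SERVERS keys of %$fw.  Takes the answers hashref, the
# firewall config hashref and whether dhcpd.conf provided an address range.
# Returns a hash keyed by the Bastille list names (TCP_PUBLIC_SERVICES, ...);
# each value is the space-separated service names, in the order below.
sub _service_lists {
    my ($wiz, $fw, $has_dhcp_range) = @_;
    my @public   = qw(TCP_PUBLIC_SERVICES UDP_PUBLIC_SERVICES);
    my @internal = qw(TCP_INTERNAL_SERVICES UDP_INTERNAL_SERVICES);
    my %svc = map { $_ => "" } @public, @internal;
    my $open = sub {
        my ($ports, @lists) = @_;
        $svc{$_} .= $ports for @lists;
    };

    if (true($wiz->{wiz_caching_dns})) {
        $fw->{DNS_SERVERS} = "0.0.0.0/0";
        $open->(" domain ", "UDP_INTERNAL_SERVICES");
    }
    else {
        $fw->{DNS_SERVERS} = "";
    }
    # NOTE(review): the news-server answer is written to NTP_SERVERS, as in
    # the original -- confirm that is the intended key.
    if (defined $wiz->{wiz_news_server}) {
        $fw->{NTP_SERVERS} = $wiz->{wiz_news_server};
        $open->(" nntp ", @internal);
    }
    else {
        $fw->{NTP_SERVERS} = "";
    }
    # "external" opens a service on both sides, "internal" only on the LAN
    # (the lone " " appended to the public lists is kept from the original).
    if (true($wiz->{wiz_ftp_external})) {
        $open->(" ftp ftp-data ", @public, @internal);
    }
    elsif (true($wiz->{wiz_ftp_internal})) {
        $open->(" ", @public);
        $open->(" ftp ftp-data ", @internal);
    }
    if (true($wiz->{wiz_web_external})) {
        $open->(" http https ", @public, @internal);
    }
    elsif (true($wiz->{wiz_web_internal})) {
        $open->(" ", @public);
        $open->(" http https ", @internal);
    }
    if (defined $wiz->{wiz_workgroup}) {
        $open->(" netbios-ns netbios-dgm netbios-ssn ", @internal);
    }
    if (defined $wiz->{wiz_mail_server}) {
        $open->(" smtp pop3 pop3s pop2 imap  imap3 imap4-ssl imaps ", @internal);
    }
    if ($has_dhcp_range) {
        $open->(" bootps bootpc ", @internal);
    }
    # ssh is always listed on both sides.
    $open->(" ssh ", @public, @internal);
    return %svc;
}

# Write the service lists into %$fw according to the firewall level:
#   0 - all four lists set to ":", IP_MASQ_NETWORK empty
#   1 - all four lists set to ":", IP_MASQ_NETWORK = internal network
#   2 - the computed lists, IP_MASQ_NETWORK = internal network
#   3 - public lists " ", internal lists "ssh", IP_MASQ_NETWORK empty
# Levels above 3 keep the lists already in the file but still set
# IP_MASQ_NETWORK to the internal network (kept from the original).
sub _apply_firewall_level {
    my ($fw, $level, $svc, $internal_net) = @_;
    my @lists = qw(TCP_PUBLIC_SERVICES UDP_PUBLIC_SERVICES
                   TCP_INTERNAL_SERVICES UDP_INTERNAL_SERVICES);
    $fw->{IP_MASQ_NETWORK} = ($level == 0 || $level == 3) ? "" : $internal_net;
    if ($level <= 1) {
        $fw->{$_} = ":" for @lists;
    }
    elsif ($level == 2) {
        $fw->{$_} = $svc->{$_} for @lists;
    }
    elsif ($level == 3) {
        $fw->{TCP_PUBLIC_SERVICES}   = " ";
        $fw->{UDP_PUBLIC_SERVICES}   = " ";
        $fw->{TCP_INTERNAL_SERVICES} = "ssh";
        $fw->{UDP_INTERNAL_SERVICES} = "ssh";
    }
    return;
}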

1;    # a required module must end with a true value